Ransomware Hits Maine Sewage Treatment Plants, Sounding The Alarm About Dangerous CyberSecurity Risks At America’s Many Small Critical Infrastructure Providers

Two recent ransomware attacks successfully breached computers at wastewater management plants in the US State of Maine, according to a statement by the state’s Department of Environmental Protection.

While the two cyberattacks, which hit facilities in the towns of Mount Desert and Limestone in the US’s most northeastern state, are believed to have posed no threat to human safety, they were far from benign, and have raised serious concerns about the potential danger to human life created by of cybersecurity vulnerabilities present in America’s decentralized critical infrastructure. Even if major essential service providers were to perfect their own cybersecurity operations, large numbers of smaller providers – sometimes functioning on just municipal scales – can still pose serious risks to life, health, safety, and property if they are not adequately protected against cyber threats. Furthermore, because there are not yet any uniform, nationwide, cyber-breach reporting requirements to which either municipalities or wastewater treatment facilities must adhere, nobody truly knows if we, the people of the United States, already have a serious problem. (There is currently legislation in progress in the US Congress that would create some basic, standard governance in this regard.)

While the Limestone Water and Sewer Department breach is alleged to have taken out a single computer running the long-obsolete Windows 7 operating system which was subsequently replaced with a newer machine (Click here to learn more about why you should not run long-obsolete operating systems), the Mount Desert Wastewater the attack apparently took various office computers offline for three days. Like the former attack, however, that breach did not impact any actual wastewater treatment processes, as the equipment that Mount Deseret Wastewater utilizes to perform such functions is, according to its superintendent, Ed Montague, “manually controlled with no automated inputs.”

Officials have said that operations at both facilities were fully recovered without paying any ransoms to cyber-criminals, and that no sensitive information was compromised as a result of the breaches.

Yet, the breaches are still of concern, and may foreshadow more sinister attacks in the future, as well as remind us that there may be ongoing, potentially dangerous, attacks about which we do not yet know.

Clearly, while we may have been lucky in Maine in July, unless we do a better job at protecting our critical infrastructure from cyberattacks, it is a matter of when, not if, we will suffer a much more dangerous breach.

As noted by Brian Kavanah, director of the Bureau of Water Quality at the Maine Department of Environmental Protection, cyberattacks on wastewater plants can wreak dangerous havoc by disabling pumps and other equipment or otherwise interrupting the treatment of sewage and other wastewater. Of course, as in most other environments, sensitive data could also be compromised and/or manipulated on computer systems used for managing operations. In short, according to Kavanah, “Cyberattacks on wastewater infrastructure can cause significant harm.”

Let us transform the two recent breaches in Maine into a nationwide wake up call about the dangers of cyberattacks at any of our huge number of smaller providers of critical infrastructure services – perhaps some of the funds that will be allocated as part of the new infrastructure improvement bill passed by Congress should be utilized to beef up cybersecurity for our existing critical infrastructure.