Water treatment plant in North Dakota suffered ransomware attack

A ransomware attack last month forced operators of a water treatment facility in Minot, North Dakota, to revert to manual processes until a back-up server could be located.
Minot, North Dakota
(City of Minot)

A water treatment plant in northern North Dakota last month fell victim to a ransomware attack, forcing the facility’s operators to temporarily revert to reading gauges manually.

A spokesperson for the City of Minot, North Dakota, on Wednesday confirmed recent statements by officials claiming that the region’s water supply was “safe at all times” during the incident. According to a letter provided by the city to the FBI, seen by this publication, staff detected the ransomware on March 14, requiring “manual procedures” for about 16 hours, before a replacement server could be installed.

Jennifer Kleen, Minot’s communications and engagement manager, said ransomware was detected on the Minot Water Treatment Plant’s SCADA system, “which is kind of like a dashboard system. It brings all of those gauge readings to one spot.” Kleen said staff usually do manual gauge readings anyway, but that more frequent manual readings had been required while the facility’s supervisory control and data acquisition system was offline.

Minot’s water treatment facility serves the city, North Dakota’s fourth-most populous with roughly 50,000 people, and several other communities in a region called the Northwest Area Water Supply, for a total of about 80,000 water drinkers. (The Northwest Area Water Supply, or NAWS, has its own troubled history, facing lawsuits from the time construction of water pipelines began in 2002, until 2019 when an appeals court upheld a previous court’s ruling in favor of North Dakota. The disputes were brought by Manitoba, the Canadian province, which opposed details of interbasin water transfers that were to be performed in North Dakota, and the State of Missouri, which was concerned about depletions to its river system.)

According to the city’s letter, a note from those who’d installed the ransomware was found on the now-uninstalled SCADA server, but it did not contain a dollar figure, and the city did not pay any amount. When asked which ransomware outfit was responsible for the attack, Kleen said she didn’t know.

Kleen said that the city’s technical recovery is nearly complete: the plant is now using an old server to support its gauge readings while staff prepare a new server. The city’s letter notes that the incident has provided “opportunities for training exercises, improved communication, and preventative system design.” In a local TV news interview, Minot City Manager Tom Joyce said he wished he’d rallied a “crisis action team” — including the police chief, senior city executives and the city’s public information officer — sooner after discovering what had happened, “to ensure we’re all on the same page right away.”

Water utilities have been favorite targets of cyber campaigns led by China and Iran. A 2024 report from the Environmental Protection Agency’s Office of Inspector General identified dozens of water systems around the United States with vulnerabilities bearing varying levels of risk. An assessment of more than 1,000 drinking water systems, serving 193 million people, found 97 systems with critical- or high-risk vulnerabilities, and 211 systems with “medium” or “low” risk vulnerabilities, such as “having externally visible open portals.”

There have been efforts over the last several years, by the federal government and states, to urge utilities to strike sturdier cybersecurity postures. A bill that was making its way through Congress last month would help small and rural water utilities update their systems and comply with the latest cybersecurity standards. And New York last month introduced its own “first-in-nation” cybersecurity standards, along with funding to implement them, for water treatment facilities.

But New York is one of the only states to focus so heavily on utilities’ cybersecurity, and such upgrades can take months or years to complete — time utilities may not have, particularly after the United States and Israel initiated strikes on Iran. Several information-sharing groups, including the Water Information Sharing and Analysis Center, last month warned of a “highly volatile” threat environment that includes the possibility of “increased cyberattacks from Iranian state-sponsored actors, hacktivists, and cybercriminal groups aligned with Iran.”