Officials in Maine recently disclosed that two rural wastewater systems were hit by ransomware attacks earlier this year.
The attacks, which affected plants in the towns of Limestone and Mount Desert Island, did not compromise taxpayer data or generate a public safety threat, local officials told The Maine Monitor. Officials also said no ransoms were paid, though some systems were upgraded.
But they acknowledged that cyberattacks against the towns — which occurred during a holiday in April in Mount Desert Island and on the Fourth of July in Limestone — could have overridden the plants’ alarms or disabled critical pumps and other equipment.
In a July 8 memo, a Maine water management director disclosed the attacks and warned of their danger.
“Unfortunately, this is real. It has happened in Maine and it is likely to happen again,” wrote Brian Kavanah, director of Maine’s Bureau of Water Quality. “It is imperative for facilities to take action to verify their systems are secure before becoming a victim of cyberattacks.”
Kavanah included directions for municipalities to seek American Rescue Plan funding to bolster their systems, along with resources for cybersecurity training for Maine water plant operators. Obtaining a wastewater operator license in Maine does not require any form of cybersecurity training, state officials told the Monitor.
In Mount Desert Island, officials said the attack took computers offline for three days, but treatment plants were not affected because they are controlled manually.
Officials in Limestone traced their attack to a computer running Windows 7 that was connected to the plant’s supervisory control and data acquisition system.
In February, a hacker broke into the computer system for a water treatment facility outside Tampa, Florida, changing its sodium hydroxide setting to a potentially dangerous level.