The US Department of Environmental Protection has issued a warning to water-system professionals and municipalities in the state of Maine after two recent ransomware attacks on its wastewater systems.
Attacks happened on two sites in Limestone and Mount Desert Island, a state Department of Environmental Protection engineer, Judy Bruenjes, reported.
“They were both fairly minor, there was no threat to the public, there was no violation, no excursion, no health and safety threat. It wasn’t like the Colonial pipeline, but it was a concern for us that these small facilities were being targeted,” Bruenjes said.
The incident occurred over the July 4 holiday, when a computer with Windows 7 that needed an update, said Jim Leighton, the Limestone plant’s superintendent. There was no evidence of any wrongdoing or loss of information.
Ed Montague, superintendent for Mount Desert Wastewater, said in an email: “The office computers were down for approximately three working days… Our treatment plants were not affected as they are manually controlled with no automated inputs.”
No ransom was paid, and no personal details were compromised, said Montague. The town’s IT professionals were involved to investigate the incident.
“Cyberattacks on wastewater infrastructure can cause significant harm,” said Brian Kavanah, director of the DEP’s Bureau of Water Quality.
Attacks can interfere with pumps and equipment can have serious effects on the community. They can also expose sensitive information and cause delays in water treatment.
Attacks in Maine have increased significantly in the past year, according to Scott Fossett, president of A Partner in Technology, a tech firm in the state.
“The pace is picking up, definitely, over the last nine to 12 months,” Fossett said. “I have been in this industry over 20 years, and it was few and far between that this was happening to Maine businesses. Now we’re seeing it could be any business sector in Maine.”
“Two years ago we saw very little in Maine. But now, especially in the past nine months, we’re seeing a lot more. They’re targeting organizations that are only 10 people or less and adjusting that ransom accordingly.”
In 2018, the average amount of money spent on recovery from ransomware in the US was around $7,000. In the second quarter of 2021, it had reached $137,000.