For the first time in Maine, a ransomware hacker attacked two public wastewater plants

By Kate Cough, The Maine Monitor
The Environmental Protection Agency has warned municipal and water sector experts to be vigilant after two recent ransomware intrusions, which appear to be the first on wastewater systems in Maine.
The attacks occurred in the Aroostook County town of Limestone and in the town of Mount Desert on Mount Desert Island, said Judy Bruenjes, DEP’s wastewater technical assistance engineer.
“Both were fairly minor, with no threats to the general public, no breaches, no excursions, no threats to health and safety. It wasn’t like the Colonial Pipeline, but these small facilities were targeted. That was a concern for us,” says Bruenjes.
In May, a hacker forced the shutdown of Colonial, one of the largest oil pipelines in the country.
Jim Leighton, director of the Limestone Water and Sewer Department, said the attack occurred on the weekend of July 4th on a computer running Windows 7, which was scheduled to be upgraded. Taxpayer and ratepayer information was not compromised, Leighton said.
“We said enough about it, it’s not worth the ransom,” he continued. “I just needed to update.”
Ed Montague, director of Mount Desert Wastewater, said in an email: According to Montague, there were no ransom payments or personal information leaks, and the town and IT experts were notified.
State officials warn that the attack should be taken seriously. According to cybersecurity experts, hackers are often targeting small organizations with important infrastructure roles, and are increasing ransom demands accordingly.
“Cyberattacks on wastewater infrastructure can cause serious harm,” warned Brian Cabana, director of the DEP’s Water Quality Department, in a July 8 memo.
He said an attack could cause serious damage by disabling alarms, disabling pumps and equipment, interrupting treatment, and disclosing personal and financial information.
Attack pace increased “dramatically”
Attacks in Maine have increased dramatically in all sectors over the past year, said Scott Fossett, president of Gardiner-based company A Partner in Technology.
“No doubt, the pace has increased in the last 9-12 months,” says Fossett. “I’ve been in the industry for over 20 years, and this has rarely happened to companies in Maine. Now it can be in any business sector in Maine.”
Hackers are also targeting smaller and smaller organizations, said Derek Hussey, chief technology officer for the API.
“Two years ago, we rarely saw it in Maine. But now, especially in the last nine months, we’re seeing more. They’re targeting organizations with less than 10 people, and that’s it. We are adjusting the ransom accordingly.”
News that businesses are paying ransoms encourages hackers to keep trying. “They are making money with this,” Fossett said.
In 2018, the average ransomware payment across the country was approximately $7,000, according to security company Coveware. That number soared to $137,000 in the second quarter of 2021. A recent attack on a water system in Florida, in which the levels of lye in the water were adjusted, has received a lot of attention, but that is not what most hackers want.
“Their ultimate goal is to make money,” Hussey said. “They seem to be very good at determining the size of their business and being able to properly adjust that number in ransomware letters.”
In Maine, I saw hackers demanding only $1,200. “They are going to see a very small ransom, hoping that the company can afford it and expecting them to pay it.”
Backups can prevent data loss, but they do not always prevent ransom payments, as hackers can threaten to publish data if businesses and municipalities do not pay.
Fossett refused to reveal the percentage of corporate clients who paid the ransom to recover data or unlock the system. “As experts in this business, we don’t want to see our clients pay the ransom. That’s our goal.”
Even if the ransom is not paid, businesses and municipalities often pay for staff time spent recovering or reconstructing records. York Animal Hospital was forced to spend hours manually re-entering inventory data after refusing to pay an $80,000 ransom in an attack that wiped out four years of patient records.
The scale of the problem is unknown
It is difficult to understand the scale of the problem, as federal law does not require individual businesses and municipalities to disclose when they have been breached.
In an email, Daisy Mueller, head of infrastructure protection at the Maine Emergency Management Agency, said the agency does not request or require reports from local governments, but instead advocates that they send information to local law enforcement agencies.
“However, agency partnerships with various critical infrastructure entities may result in reports of cyberattacks, which vary from month to month and range from zero to four reports on average,” Mueller writes.
MEMA’s role is to prepare through planning, training, and exercises, Mueller said. However, she added, “Consistent information sharing is important given the ever-changing context of cyber threats.”
Local governments are encouraged to report, but they do not need to, which can make federal investigations difficult, Mueller said.
“Without a quick report, we lose the opportunity to investigate,” said Richard Downing, Deputy Attorney General for the US Department of Justice, at a Senate Judiciary Committee hearing last month. “Our ability to support other victims facing the same attack is diminished, and the government and Congress do not have a complete picture of the threats facing American companies. Congress is injured. You should enact a law that requires you to report.”
Such legislation is moving through Congress. The 2021 Cyber Incident Notification Act, introduced in late July by Senators Susan Collins (R-Maine), Mark Warner (D-Virginia), and Marco Rubio (R-Florida), would require federal agencies, federal contractors, and key infrastructure operators to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 24 hours of discovery. The bill would give limited immunity to companies that come forward.
Old software exposes municipalities
Ransoms are expensive and make the news, but in some towns it can be difficult to find the time and money for software upgrades and training.
“They may not have the latest software. They are vulnerable,” Bruenjes said. “We are concerned about smaller systems.”
Most hacking attacks are done via email, Hussey said. “It can come from the web, but the security of the web browser is pretty decent right out of the box,” he added. “Email is definitely the place we see.”
According to Hussey, systems that are not properly patched or updated can be vulnerable. In the case of the recent attacks, “one of them was a networked desktop computer and the other was a main computer with Windows 7 working with the SCADA [supervisory control and data acquisition] system,” says Bruenjes. According to Leighton, upgrading the system costs about $10,000.
“Training is lacking in many areas,” Hussey said. “I think it’s a challenge for them not only to budget, but also to find time to do it within the municipality.”
According to Bruenjes, there are no specific cybersecurity training requirements for anyone to obtain a wastewater operator license, but DEP and others offer continuous training. Various federal and state organizations are providing support to the community, and some of the funding for equipment and technology upgrades is available through the Cleanwater Revolving Fund.
Nick Rico, the wastewater manager at the Wells Sanitary District, has adopted a “belt and suspenders and a second belt” approach, working with consultants and crew and using several backups and non-cloud-based SCADA systems. He said he instructs staff not to check email on SCADA computers.
“I know my crew doesn’t use the internet on SCADA computers other than checking the weather,” Rico said.
“I like to use the onion analogy,” Fossett said. “Onions have layers … municipalities, especially wastewater and infrastructure companies, are currently big targets, so their onions must frankly be bigger than small nonprofits.”
If a hacker breaks into a wastewater treatment plant system, the worst result, a complete shutdown and flooding of homes and the environment, is “very unlikely,” Rico said.
“If ransomware attacks SCADA computers, they won’t communicate,” Rico said. Controls within the system for setting treatment levels “continue to be cheerful, regardless of recently received setting points.”
If the ransomware also attacks its individual control system, “I think everything will shut down,” Rico said.
“You think it’s always somewhere else,” Bruenjes said. “Then it happened here.”
This story was originally published by The Maine Monitor. The Maine Monitor is a local journalism product published by the Maine Center for Public Interest Reporting, a non-partisan, non-profit civil news agency.