The FBI confirmed on April 4 that it is actively investigating a ransomware attack that hit the water treatment plant in Minot, North Dakota on March 14, compromising the facility’s SCADA server and forcing operators to run the plant manually for 16 hours.

What Happened

On March 14, staff at the Minot Water Treatment Plant discovered ransomware on the server running the facility’s SCADA (Supervisory Control and Data Acquisition) system — the dashboard that aggregates gauge readings and monitors plant operations in real time. City Manager Tom Joyce confirmed that staff immediately unplugged the compromised server and switched to manual operations.

The plant serves approximately 80,000 people across Minot (North Dakota’s fourth-largest city at ~50,000 residents) and several surrounding communities through the Northwest Area Water Supply system.

A ransom note was found on the infected server, but it contained no dollar figure and no specific attribution. The note stated that the attacker had gained access to the system and suggested the city “tighten up your firewalls.” The city did not pay any ransom.

Technical Details

The attack targeted a single SCADA server responsible for centralizing sensor data and gauge readings from across the treatment plant. Key points:

  • Attack surface: The SCADA server was the specific target, not the broader OT network controlling water treatment processes directly.
  • Impact on operations: Water pressure and water safety were not compromised at any point. The SCADA system functions as a monitoring dashboard — losing it meant operators had to read gauges locally rather than from a central console.
  • Recovery timeline: 16 hours of manual operations until a backup server was brought online. The plant is currently running on an older backup server while staff prepare a permanent replacement.
  • No lateral movement reported: There is no public indication that the attacker moved beyond the SCADA server into process control systems or the broader city network.

The specific ransomware variant has not been publicly identified. The lack of a ransom amount and the advisory tone of the note (“tighten up your firewalls”) are atypical for financially motivated ransomware operations and may suggest either an opportunistic compromise or a less sophisticated actor.

FBI Response

In its April 4 statement, the FBI said it has been working directly with the City of Minot and its IT staff since the incident was reported. The bureau emphasized that “the most critical threats to infrastructure come from our networks” and stressed that federal, state, and local partnerships are essential for detecting and dismantling cyber threats to critical infrastructure.

Why This Matters

This incident fits a pattern of increasing ransomware targeting of U.S. water and wastewater systems. CISA, the FBI, and the EPA have issued multiple joint advisories over the past two years warning that water utilities — often operating with limited IT budgets and legacy OT systems — are prime targets.

The relatively mild outcome here (no water safety impact, no ransom paid, quick manual failover) masks a real risk: many small and mid-size water utilities lack the redundancy Minot demonstrated. A SCADA compromise at a less-prepared facility could disrupt treatment processes or delay detection of water quality issues.

What To Do Now

If you operate water or wastewater SCADA systems:

  1. Segment SCADA networks from IT networks. The SCADA server should not be directly reachable from the corporate network or the internet. If your SCADA monitoring is on the same flat network as email and file shares, fix that first.
  2. Maintain offline backups of SCADA configurations. Minot recovered in 16 hours because they had a backup server. Test your backup restore procedure — don’t wait for an incident.
  3. Audit remote access. Disable any VPN or RDP access to OT/SCADA systems that isn’t strictly necessary. Where remote access is required, enforce MFA and session logging.
  4. Review firewall rules. The attacker’s own note called out firewall hygiene. Ensure inbound rules to SCADA segments follow a default-deny posture.
  5. Run CISA’s free assessments. The Cybersecurity and Infrastructure Security Agency offers no-cost vulnerability assessments specifically for water utilities through its Water and Wastewater Systems Sector program.
