What happened
A water treatment plant serving Minot, North Dakota was hit by a ransomware attack that was discovered on March 14. City officials said the affected server was unplugged after the incident was identified, and the plant switched to manual procedures for about 16 hours while staff carried out frequent on-site checks of water gauges. Officials said the water treatment plant and all facilities related to the city’s water system remained operational and safe at all times. Jennifer Kleen, the city’s public information officer, said there was no direct ask for money and no direct interaction beyond a letter shown on a screen. She also said all necessary local, state, and federal reports had been made, and that the letter is now in FBI custody as part of any investigation.
Who is affected
The direct impact fell on the water treatment plant serving the city of Minot, which has a population of about 50,000. City officials said the water system remained operational and safe throughout the incident, and they did not report any disruption to water service or safety.
Why CISOs should care
This incident matters because it shows that a ransomware event at a municipal water facility can force an immediate shift to manual operations even when core service remains intact. It also highlights the importance of fast containment and operational fallback procedures in environments where safety and pressure stability must be maintained continuously.
3 practical actions
- Validate manual fallback procedures: Ensure plant operators can safely maintain water quality and pressure through manual checks if digital systems or servers must be taken offline.
- Prioritize fast isolation of affected systems: Review whether teams can quickly disconnect compromised servers without interrupting critical public utility operations.
- Coordinate evidence handling with law enforcement: Make sure incident response plans account for preserving ransom notes or attacker messages when they may become part of an FBI investigation.
