Cyber Incident Victim: Mount Desert Sewage Treatment Plant

Date: Apr 2021

Location: United States of America

Summary

A ransomware attack targeted two rural sewage treatment plants in Maine, including Mount Desert, disrupting operations but resulting in no ransom payments or compromised customer data. The incident caused temporary shutdowns of critical monitoring systems, such as alarms for pump overheating and tank overfills in one facility, due to an obsolete Windows 7 control computer being compromised. While attackers failed to inflict further damage, the event prompted regional water and sewage operators to enhance their cybersecurity measures, recognizing vulnerabilities in smaller municipal systems. The affected obsolete equipment was already scheduled for replacement prior to the attack.

Description

In April 2021, the Mount Desert Sewage Treatment Plant in Maine experienced a ransomware attack. The incident occurred alongside a separate July 4th attack on Limestone's facility, though the two events were not explicitly linked. Mount Desert Town Manager Durlin Lunt Jr. confirmed no ransom payment was made to the attackers and stated no customer data or operational systems were compromised during the breach. While specific technical details about the attack vector or ransomware variant were not disclosed, officials characterized the event as part of an ongoing "arms race" between cybersecurity professionals and malicious actors. The attack demonstrated vulnerabilities in rural infrastructure despite the plant's smaller scale compared to urban facilities. Immediate operational disruptions were not detailed for Mount Desert, though the parallel Limestone incident caused temporary loss of alarm systems monitoring pump temperatures and tank levels. Both facilities maintained manual oversight capabilities during the incidents.

The Mount Desert incident highlighted systemic risks to critical infrastructure in rural communities with limited cybersecurity resources. Following these attacks, water and sewage operators across Aroostook County implemented unspecified security improvements to their computer systems. Officials emphasized the attacks served as a wake-up call for small municipalities, proving they require equivalent vigilance to larger urban centers. In Limestone's case, the compromised Windows 7 control computer—already scheduled for replacement—was permanently decommissioned after the July attack. Neither facility reported data exfiltration or long-term operational impairment. The coordinated timing of disclosure on April 30, 2021, aimed to raise awareness about ransomware threats to industrial control systems without causing public alarm about water safety or service continuity.
