Ransomware Hits a Water Treatment Plant: What Critical Infrastructure Attacks Mean for Houston Businesses

Introduction
A ransomware attack hit a water treatment plant in Minot, North Dakota this week, forcing operators to run the facility manually for 16 hours while systems were restored. Water safety and pressure were maintained throughout — the physical treatment process continued — but the digital control systems that monitor and manage operations were knocked offline, leaving operators to manage everything by hand.
For Houston businesses — particularly those in energy, manufacturing, petrochemical, and healthcare — this isn't a story about a small-town water plant. It's a preview of what happens when ransomware crosses the IT/OT boundary and disrupts operational technology systems that control physical processes.
Why Critical Infrastructure Is Increasingly Targeted
Ransomware groups have learned that attacking operational technology creates dramatically more pressure to pay than attacking office systems. When email goes down, people are frustrated. When a production line stops, a pipeline shuts down, or medical equipment goes offline — the financial damage is measured in hundreds of thousands of dollars per hour, and the safety implications create urgency that no executive can ignore.
The Numbers Tell the Story
- 93% of UK critical infrastructure organizations experienced at least one successful cyberattack in the past 12 months
- Nation-state and hacktivist attacks on critical infrastructure doubled in the past year
- Healthcare, manufacturing, and energy remain the top three targeted sectors for ransomware globally
- The average dwell time before ransomware deployment in OT environments is longer than in IT — attackers spend more time mapping industrial systems before striking
Houston's Specific Exposure
Greater Houston's economy is built on industries that operate critical infrastructure:
- Energy: Refineries, pipelines, midstream operations along the Ship Channel and Energy Corridor — many running SCADA systems on legacy networks
- Manufacturing: Production facilities in Katy, Pasadena, and Deer Park with Industrial Control Systems (ICS) managing automated processes
- Healthcare: Texas Medical Center — the world's largest — with connected medical devices, building automation, and clinical systems
- Water and utilities: Municipal water treatment, wastewater processing, and power distribution systems serving 7+ million people
- Petrochemical: Chemical processing plants with safety instrumented systems (SIS) that prevent hazardous events
Every one of these environments has operational technology that was designed for reliability, not cybersecurity. Many run legacy systems — Windows XP, proprietary SCADA protocols, unpatched PLCs — that can't be updated without shutting down production.
How Ransomware Crosses from IT to OT
The Minot water plant attack follows the same pattern seen in Colonial Pipeline (2021), JBS Foods (2021), and dozens of less-publicized incidents: the ransomware enters through IT systems and then impacts operations — either by directly reaching OT networks or by forcing operators to shut down OT as a precaution.
The Typical Attack Path
- Initial access via IT: Phishing email, compromised VPN credentials, or exploited internet-facing service
- Lateral movement within IT: Attacker moves through the corporate network, escalates privileges, accesses domain controllers
- IT/OT boundary crossing: If the network isn't properly segmented, the attacker reaches OT systems — SCADA servers, HMIs, historians, engineering workstations
- Impact on operations: Either direct encryption of OT systems or — more commonly — the organization proactively shuts down OT to prevent the ransomware from spreading to safety-critical systems
In many cases, the ransomware never actually touches the OT systems. The organization shuts down operations voluntarily because it can't confirm the threat hasn't crossed the boundary. The uncertainty is what forces the shutdown — and the uncertainty exists because IT/OT segmentation wasn't strong enough to provide confidence.
What Houston Businesses with OT Environments Should Do
Network Segmentation: The Non-Negotiable Foundation
IT and OT networks must be architecturally separated — not just on different VLANs, but with firewalls, DMZs, and explicit allow-rules controlling every connection between them. The Purdue Model (ISA/IEC 62443) provides the reference architecture:
- Level 0-1 (Physical process + controllers): PLCs, RTUs, and safety systems — isolated from everything except the supervisory level above them
- Level 2 (Supervisory): HMIs, SCADA servers, engineering workstations — on a dedicated OT network
- Level 3 (Operations): Historians, MES systems — in a DMZ between IT and OT
- Level 4-5 (Enterprise IT): Corporate network, email, internet — fully separated from OT
If a ransomware attack encrypts your entire corporate IT network, your OT systems should continue operating independently because they have no network path to the compromised systems.
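One way to make "explicit allow-rules controlling every connection" auditable is to check every proposed firewall flow against the Purdue levels listed above. The checker below is an added example, not code from LayerLogix or the original post; the zone names, ports and allow-rules are constructed sample data.

```python
# Added example: validate proposed IT/OT flows against a Purdue-level policy.
# Zones, ports and allow-rules are constructed sample values, not a real site.
from dataclasses import dataclass
from typing import Optional

# Purdue level of each zone; levels 0-1 and 4-5 are collapsed as in the text.
ZONE_LEVEL = {
    "process": 1,      # PLCs, RTUs, safety systems
    "supervisory": 2,  # HMIs, SCADA servers, engineering workstations
    "ops_dmz": 3,      # historians, MES (the DMZ between IT and OT)
    "enterprise": 4,   # corporate network, email, internet
}

# Explicit allow-rules: (src_zone, dst_zone, tcp_port). Anything absent is denied.
ALLOW_RULES = {
    ("supervisory", "process", 502),   # SCADA polls PLCs over Modbus/TCP
    ("supervisory", "ops_dmz", 5432),  # SCADA pushes data to the historian
    ("enterprise", "ops_dmz", 443),    # ERP reads the historian over HTTPS
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int

def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None."""
    src, dst = ZONE_LEVEL[flow.src_zone], ZONE_LEVEL[flow.dst_zone]
    if src == dst:
        return None  # intra-zone traffic is not a boundary crossing
    if abs(src - dst) > 1:
        # e.g. enterprise -> supervisory bypasses the Level 3 DMZ entirely
        return f"skips a level ({flow.src_zone}->{flow.dst_zone}); must traverse the DMZ"
    if (flow.src_zone, flow.dst_zone, flow.port) not in ALLOW_RULES:
        return f"no explicit allow-rule for {flow.src_zone}->{flow.dst_zone}:{flow.port}"
    return None

def audit(flows) -> list:
    """List every violating flow with its reason; an empty list means compliant."""
    findings = []
    for f in flows:
        why = check_flow(f)
        if why:
            findings.append(f"{f.src_zone}->{f.dst_zone}:{f.port}: {why}")
    return findings
```

Run `audit()` over the flows exported from your boundary firewall; any finding is a path ransomware on the corporate network could follow into OT.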
OT-Specific Monitoring
Traditional IT security tools (EDR, SIEM) don't understand OT protocols — Modbus, DNP3, OPC-UA, EtherNet/IP. You need OT-specific network monitoring that can detect anomalous commands, unauthorized connections, and configuration changes within industrial control networks. Tools like Claroty, Nozomi Networks, or Dragos provide this visibility.
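To make the "anomalous commands" point concrete, the inspector below decodes Modbus/TCP frames and alerts when a state-changing write comes from any host other than the approved SCADA server or engineering workstation. It is an added example, not code from the original post or from the products named above; the IP addresses, allowlist and sample frames are constructed.

```python
# Added example: flag Modbus/TCP write commands from unapproved hosts.
# Allowlist addresses and frames are constructed sample data.
import struct
from typing import Optional

# Modbus function codes that change controller state (coils / holding registers).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hosts permitted to write to controllers (constructed: SCADA server, eng. workstation).
WRITE_ALLOWLIST = {"10.20.2.10", "10.20.2.11"}

def parse_mbap(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {pid})")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string for policy-violating traffic, else None."""
    try:
        pdu = parse_mbap(frame)
    except ValueError as exc:
        return f"malformed Modbus from {src_ip}: {exc}"
    fc = pdu["fc"]
    if fc in WRITE_CODES and src_ip not in WRITE_ALLOWLIST:
        return (f"unauthorized {WRITE_CODES[fc]} (fc={fc}) from {src_ip} "
                f"to {dst_ip} unit {pdu['unit']}")
    return None

# Constructed sample traffic: a routine register read and a coil write.
READ_HOLDING = bytes.fromhex("0001000000060103000a0002")  # fc 3, start 10, 2 regs
WRITE_COIL = bytes.fromhex("00020000000601050000ff00")    # fc 5, coil 0 -> ON
```

Reads from anywhere pass silently here; a production rule set would also baseline which hosts are allowed to poll at all, since a new source issuing even reads is an unauthorized connection.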
Incident Response Plan That Covers OT
Your incident response plan must address the IT/OT question explicitly: under what conditions do you shut down operations? Who makes that decision? What are the manual operation procedures? How long can you operate manually? The Minot plant could operate manually for 16 hours. Can your facility?
Air-Gapped Backups for OT Configuration
PLC programs, HMI configurations, SCADA server images, and safety system settings need offline backups that ransomware cannot reach. If you have to rebuild your OT environment from scratch, how long does it take — and do you have the configuration data to do it?
The Convergence Problem
The reason these attacks keep succeeding is that IT and OT are converging — intentionally. Businesses want real-time production data in their ERP systems, remote monitoring of field equipment, cloud-based analytics on sensor data, and the ability for engineers to access control systems from home. Every one of these capabilities creates a pathway that ransomware can follow from IT into OT.
The solution isn't to stop converging — it's to converge securely. Every connection between IT and OT should be mediated through a secure DMZ, monitored by OT-aware security tools, and documented in your network architecture. The convenience of convergence cannot come at the cost of operational safety.
Protect Your Houston Operations
LayerLogix works with Houston manufacturing, energy, and healthcare organizations to implement IT/OT segmentation, deploy monitoring solutions, and build incident response plans that keep operations running when cyberattacks hit the IT side. If your business has industrial control systems, SCADA, or connected operational technology — your cybersecurity plan needs to account for the OT environment specifically.
Schedule an IT/OT security assessment. We'll evaluate your network segmentation, identify IT/OT boundary risks, and build a plan to keep your operations running even when attackers breach the corporate network. Call 713-571-2390.