Full Report
The Cheyenne Board of Public Utilities has identified Goat Systems LLC, a contractor working on Meta’s in-progress data center campus in the High Plains Business Park, as the source of a discharge that introduced the bacteria Cupriavidus gilardii into the city’s wastewater treatment system. Frank Strong, BOPU’s engineering and water resource division manager, told the…
Analysis Summary
# Incident Report: Unauthorized Bacterial Discharge at High Plains Business Park
## Executive Summary
The Cheyenne Board of Public Utilities (BOPU) identified a contractor, Goat Systems LLC, as the source of a biological discharge that introduced *Cupriavidus gilardii* bacteria into the municipal wastewater system. The incident occurred during "fill-and-flush" procedures at a Meta data center construction site, resulting in the suspension of the city’s reclaimed water program and a permanent ban on Meta’s discharge privileges. The outcome was a significant policy shift prohibiting wastewater discharges from data centers utilizing specific cooling and cleaning systems.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** Circa February 2026
- **Affected Organization:** Cheyenne Board of Public Utilities (BOPU)
- **Sector:** Water and Wastewater Systems / Critical Infrastructure
- **Geography:** Cheyenne, Wyoming, USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 2026
- **Vector:** Physical/Industrial Process Discharge
- **Details:** Goat Systems LLC, a contractor for Meta, engaged in a "fill-and-flush" operation to clean construction debris, flux residue, and pipe scale from a closed-loop cooling system.
### Lateral Movement
- **N/A:** This was a biological/physical contamination incident rather than a network-based cyber intrusion. The "movement" involved the flow of contaminated water from the High Plains Business Park into the municipal wastewater treatment infrastructure.
### Data Exfiltration/Impact
- **Bacterial Contamination:** Introduction of *Cupriavidus gilardii* (a rare bacterium) into the city's treatment plant.
- **Service Disruption:** Disruption of the city's reclaimed water irrigation program.
### Detection & Response
- **Detection:** Discovered by BOPU staff during routine laboratory testing in February.
- **Response:** The BOPU launched an investigation that traced the source back to the Meta data center campus contractor. Discharge privileges for the site were permanently revoked.
## Attack Methodology
*Note: This incident involves a physical "insider" (contractor) negligence/process failure rather than a traditional cyber-attack lifecycle.*
- **Initial Access:** Authorized physical access to the wastewater utility via a contractor discharge agreement.
- **Persistence:** Ongoing "fill-and-flush" operations.
- **Impact:** Biological contamination and operational shutdown of reclaimed water services.
## Impact Assessment
- **Financial:** Unspecified, but involves costs related to testing, mitigation, and the suspension of the reclaimed water program.
- **Data Breach:** None.
- **Operational:** Temporary suspension of Cheyenne’s reclaimed water irrigation program; permanent termination of Meta’s discharge privileges.
- **Reputational:** Public scrutiny of Meta's environmental impact and contractor oversight in the Cheyenne region.
## Indicators of Compromise
- **Behavioral Indicators:** Identification of *Cupriavidus gilardii* during routine microbial assay of wastewater.
- **Process Indicators:** Discharge volumes and chemical/biological signatures inconsistent with standard municipal wastewater profiles.
## Response Actions
- **Containment:** Temporarily suspended the city’s reclaimed water irrigation program to prevent the spread of the bacteria.
- **Eradication:** Terminated Meta’s discharge privileges permanently.
- **Recovery:** Adopted a new policy prohibiting discharges from data centers using closed-loop cooling or fill-and-flush systems.
## Lessons Learned
- **Contractor Oversight:** Critical infrastructure owners must strictly monitor the industrial processes used by third-party contractors on large-scale construction sites.
- **Process Risks:** The "fill-and-flush" method for cooling systems poses a high risk of introducing rare biological contaminants into public systems.
- **Testing Efficacy:** Routine testing remains the most effective tool for early detection of environmental "breaches."
## Recommendations
- **Policy Revision:** Update utility service agreements to specifically name and prohibit high-risk industrial cleaning processes (like fill-and-flush).
- **Pre-treatment Requirements:** Require large-scale industrial or data center users to implement onsite pre-treatment or sterilization before discharging into municipal systems.
- **Onsite Audits:** Conduct periodic environmental audits of contractor activities at major development sites to ensure compliance with wastewater standards.