On May 13, 2026, divers on a routine maintenance dive at the J.B. Converse Reservoir dam in Mobile, Alabama found a grenade-style improvised explosive device underwater. The reservoir is the drinking water supply for roughly 350,000 residents of Mobile County. MAWSS called in the Gulf Coast Regional Maritime Response and Render-Safe Team. The device was retrieved and detonated. No damage to the dam. No contamination.
MAWSS director Bud McCrory called it "an unprecedented threat." DHS was notified. No suspect has been identified.
Our top priority is keeping your drinking water safe. This is an unprecedented threat, and we are fortunate that this device was discovered before it could cause serious damage to our water supply or harm to individuals.Bud McCrory, MAWSS Director
Federally designated critical infrastructure. Placed deliberately. Authorities are publicly calling it an improvised explosive device, not stray ordnance.
This is not history, it is this week
Operators routinely discount the threat as old case studies. Aliquippa. Muleshoe. Oldsmar. The Converse Reservoir IED was yesterday, and the Iranian CyberAv3ngers cyber campaign that hit Aliquippa in 2023 is still running. CISA reissued AA23-335A in December 2024. Same target class, different vector, same calendar week.
Defending against the wrong timeline is the same as not defending.
The attack surface has four layers, not one
Most operators we assess are well-prepared on one layer and effectively blind on the others.
An adversary does not care which layer is your strongest. They look for the weakest.
Not the IED, the mindset
We are a cyber and ICS firm. We did not stop this attack. We are writing about it because of a way of thinking we keep hearing in the field:
- "The sheriff and the fence handle physical, so we only worry about cyber."
- "IT handles cyber, so operations focuses on physical reliability."
- "We are too small or too rural to be a target."
All three are wrong the same way. The attack surface is multi-layered, and the operators who get hurt are the ones who treat each layer as someone else's problem.
The question is not "are we protected against underwater IEDs." It is: do we know which layers are being defended, by whom, with what visibility? Most operators cannot answer that with confidence.
What to do this week
Three steps that cost nothing:
- Walk your perimeter the way you walk your network. Intakes, manholes, valve vaults, hatches. If a stranger cannot plug into your SCADA switch, do not let one access the raw water either.
- Assign a named owner to each layer of your attack surface. If neither cyber nor physical has one, no technology purchase fixes it.
- Subscribe to physical-security feeds (MS-ISAC, WaterISAC), not just cyber. The same target class shows up across both.
Converse staff did this right. Routine dive, escalate fast, agencies clean it up, no contamination, no harm. The reason no one was hurt on May 13 is that someone actually got in the water and looked.
If you are reading this thinking "we don't dive our intakes," that is the takeaway. Not the IED. The fact that someone looked.
- Explosive device found, detonated at Mobile water reservoir | Fox 10 News, May 13, 2026
- MAWSS: Routine dam dive turns up grenade-style IED lurking under reservoir | NBC 15, May 13, 2026
- Explosive device found at Big Creek Lake in Mobile, Alabama: what to know | WKRG, May 13, 2026
- "Unprecedented threat": Bomb discovered under water at Alabama dam | Blaze Media, May 14, 2026
- Explosive device found, detonated at Alabama dam was 'an unprecedented threat' | Maryland Coordination & Analysis Center, May 2026
- CISA AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors | CISA, updated December 2024