In January 2019, Wyatt Travnichek quit his job with the Post Rock Rural Water District, which has 1,800 miles of mainline supplying customers in eight counties in central Kansas. Two months later, prosecutors say, he reconnected to the facility’s computer system and began tampering with the processes it uses to clean and disinfect drinking water.
When it comes to the security of critical infrastructure, the power grid attracts most of the public’s attention – and that’s understandable. The threats to the electricity grid are real and frightening; ask anyone in Ukraine, which has experienced several large-scale power outages carried out by Russia’s Sandworm hackers. But the Post Rock incident, revealed in an indictment Wednesday, is a stark reminder that the water supply system presents an equally devastating target.
The indictment comes just two months after a still-unknown hacker tried to poison the Oldsmar, Florida water supply, and marks the third publicly disclosed attack on a water system that posed a direct risk to the health of utility customers. (In 2016, Verizon Security Solutions discovered that hackers had successfully altered chemical levels at an unnamed utility.) Cyber attacks that could cause physical damage remain extremely rare, but the nation’s water systems are an increasingly popular target. And experts say these systems are largely not equipped to handle threats.
“Everyone thinks about the people who take power in certain areas because it’s something you know. Everyone went through a power outage. We also know how to survive it,” says Lesley Carhart, senior threat analyst at Dragos, an industrial control systems security company. “We don’t think about water. This may be one of the reasons it is so underfunded.”
Details of how Travnichek allegedly obtained access to the Post Rock rural district network after leaving public service remain unclear; the indictment only says that he “connected remotely”. He had had a remote connection when he was working there, according to court documents, for after-hours monitoring. But basic cybersecurity measures should have been enough to prevent a former employee from gaining unauthorized access to the system, whether they were simply using old credentials or even setting up a more sophisticated backdoor in the system. Unfortunately, those measures are still in short supply at many water utilities, especially in rural areas.
“Most water services are run by municipalities, so they can be run by very small towns with very small budgets. They operate with minimal resources,” says Carhart. “Many water utilities, especially municipal utilities, might have an IT specialist if they’re very lucky. In most cases, they certainly do not have security personnel.” Neither Post Rock nor Travnichek’s lawyer responded to a request for comment.
When your job is to make sure the computers are running in a water utility, you can naturally prioritize the processes that protect the drinking water supply rather than implementing, for example, federated identity measures that would prevent a former employee from returning.
Which, unfortunately, happens more often than you might think. The Post Rock incident, like Oldsmar and the unnamed intrusion Verizon spotted a few years ago, has gained attention because it could have resulted in physical damage. But water utilities have seen a slow but sustained attack over the past decade. During the first half of the 2010s, the sector was consistently among the most targeted industries, although still far behind critical manufacturing and energy. In 2015 alone, the United States Industrial Control Systems Cyber Emergency Response Team identified 25 cybersecurity incidents in the water and wastewater sector; in 2016, the latest year for which data are available, it saw 18. A recent study published in the Journal of Environmental Engineering took an in-depth look at 15 cyberattacks on water systems and found that they ran the gamut from data theft to cryptojacking to ransomware.