In January 2019, Wyatt Travnichek left his job at the Post Rock Rural Water District, whose 1,800 miles of water main pipe supply customers across eight counties in the dead center of Kansas. Two months later, prosecutors say, he logged back into the facility’s computer system, and proceeded to tamper with the processes it uses to clean and disinfect the drinking water.
When it comes to critical infrastructure security, the power grid attracts most of the public’s attention—and understandably so. Threats to the power grid are real and scary; just ask anyone in Ukraine, which has experienced multiple large-scale blackouts effected by Russia’s Sandworm hackers. But the Post Rock incident, revealed in an indictment on Wednesday, is a sharp reminder that the water supply system presents just as devastating a target.
The indictment comes just two months after a still unknown hacker attempted to poison the water supply of Oldsmar, Florida, and marks the third publicly disclosed attack on a water system that posed a direct risk to the health of a utility’s customers. (In 2016, Verizon Security Solutions found that hackers had successfully changed the chemical levels at an unnamed utility.) Cyberattacks that could cause physical harm remain vanishingly rare, but the nation’s water systems are an increasingly popular target. And experts say these systems largely aren’t equipped to handle the threats.
“Everybody thinks about people taking down power to areas because it’s something you’re familiar with. Everyone’s been through a power outage. We also know how to survive them,” says Lesley Carhart, a principal threat analyst at Dragos, an industrial control system security firm. “We don’t think about water. That’s maybe one of the reasons why it’s so underfunded.”
The specifics of how Travnichek allegedly obtained access to Post Rock Rural Water District’s network after he left the utility remain unclear; the indictment says only that he “logged in remotely.” He’d had a remote log-in when he worked there, court documents say, for after-hours monitoring. But basic offboarding hygiene should have been enough to keep a former employee out: disabling his account the day he left, rotating any shared passwords he knew, and reviewing remote-access logs for accounts that should no longer be active, whether he simply reused old credentials or set up a more sophisticated backdoor into the system. Unfortunately, many water utilities lack even that much, especially in rural areas.
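The checks described above are cheap to automate even for a one-person IT shop. The following is an added example, not code from the article or from any utility, showing a detection pass that cross-references an HR separation roster against account status and remote-login records to flag three conditions: separated staff whose accounts are still enabled, successful logins after a separation date, and logins by accounts that have no HR record at all (the kind of stray account a backdoor might use). The roster, account list, usernames, IPs and log format are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the article):
# HR roster with separation dates; None means still employed.
HR_ROSTER = {
    "jdoe": {"separated": "2019-01-15"},    # left the utility
    "asmith": {"separated": None},          # current employee
    "bjones": {"separated": "2018-11-30"},  # left, account correctly disabled
}

# Current state of the remote-access accounts (constructed).
ACCOUNT_STATUS = {
    "jdoe": "enabled",     # never disabled at offboarding
    "asmith": "enabled",
    "bjones": "disabled",
    "svc_maint": "enabled",  # no HR record for this account
}

# Constructed VPN authentication log lines in a simple key=value format.
REMOTE_LOGINS = [
    "2019-03-27T02:14:09 vpn login user=jdoe src=203.0.113.5 result=success",
    "2019-03-27T08:01:44 vpn login user=asmith src=198.51.100.7 result=success",
    "2019-03-28T23:50:12 vpn login user=bjones src=203.0.113.9 result=failure",
    "2019-03-29T03:22:31 vpn login user=svc_maint src=203.0.113.5 result=success",
]


def parse_login(line):
    """Parse one log line into a dict with a datetime and the key=value fields."""
    ts, _, _, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), **fields}


def stale_accounts(roster, status):
    """Accounts of separated staff that are still enabled (should be zero)."""
    return sorted(
        user for user, rec in roster.items()
        if rec["separated"] is not None and status.get(user) == "enabled"
    )


def post_separation_logins(roster, logins, grace_days=0):
    """Successful remote logins later than the user's separation date plus grace."""
    hits = []
    for line in logins:
        ev = parse_login(line)
        sep = roster.get(ev["user"], {}).get("separated")
        if sep is None or ev["result"] != "success":
            continue
        cutoff = datetime.fromisoformat(sep) + timedelta(days=grace_days)
        if ev["ts"] > cutoff:
            hits.append((ev["user"], ev["ts"].isoformat(), ev["src"]))
    return hits


def unrostered_logins(roster, logins):
    """Successful logins by accounts with no HR record: review as possible backdoors."""
    return [
        (ev["user"], ev["ts"].isoformat(), ev["src"])
        for ev in map(parse_login, logins)
        if ev["user"] not in roster and ev["result"] == "success"
    ]


if __name__ == "__main__":
    print("still enabled after separation:", stale_accounts(HR_ROSTER, ACCOUNT_STATUS))
    print("logins after separation:", post_separation_logins(HR_ROSTER, REMOTE_LOGINS))
    print("logins by unrostered accounts:", unrostered_logins(HR_ROSTER, REMOTE_LOGINS))
```

Run on a nightly schedule, the first function is the preventive control (it tells you whom to disable), and the other two are the detective ones; failed logins are deliberately ignored here so the report stays short, but a burst of failures against a separated user's account is worth a separate alert.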
“Most water utilities are handled by municipalities, so they can be managed by very small towns on very small budgets. They operate on a shoestring,” says Carhart. “A lot of water utilities, especially municipal utilities, have maybe one IT person if they’re very lucky. They definitely don’t have a security person on staff, in most cases.” Neither Post Rock nor Travnichek’s lawyer responded to a request for comment.
When your job is to make sure that the computers work at a water utility, you understandably might prioritize the processes that safeguard the potable supply over implementing, say, federated identity measures that would prevent a former employee from popping back in.
Which is, unfortunately, something that happens more often than you might think. The Post Rock incident, like Oldsmar and the unnamed intrusion Verizon spotted a few years back, has grabbed attention because it could have resulted in physical harm. But water utilities have experienced a slow but sustained onslaught over the past decade. In the first half of the 2010s, the sector was consistently among the most targeted, though still far behind critical manufacturing and energy. In 2015 alone, the US Industrial Control Systems Cyber Emergency Response Team fielded 25 cybersecurity incidents in the water and wastewater sector; in 2016, the last year for which data is available, it saw 18. A recent study published in the Journal of Environmental Engineering looked at 15 cyberattacks against water systems in some depth, and found that they ran the gamut from data theft to cryptojacking to ransomware.