Small Kansas water utility system hacking highlights risks
ELLSWORTH, Kan. (AP) — A former Kansas utility worker has been charged with remotely tampering with a public water system’s cleaning procedures, highlighting the difficulty smaller utilities face in protecting against hackers.
Wyatt Travnichek, 22, was charged last month with remotely accessing the Post Rock Rural Water District’s systems in March 2019, about two months after he quit his job with the utility. He’s accused of shutting down the facility’s cleaning and disinfecting procedures.
When he worked for the utility, he would monitor the water plant remotely by logging into its computer system, the Kansas City Star reports.
The federal indictment says Travnichek used a Samsung phone to commit the offense. Post Rock utility officials declined to provide further details. Travnichek’s attorney, a federal public defender, didn’t respond to the Star’s request for comment.
No centralized database of hacker attacks on utilities exists, but a 2016 report from the federal Department of Energy said the Department of Homeland Security responded to 25 water cybersecurity incidents in 2015.
The Florida city of Oldsmar, population 15,000, reported in February that a hacker attempted to poison its water supply by remotely accessing its system and changing chemical levels. An employee was able to quickly reverse the hacker’s actions.
Small utilities such as Post Rock may not have the resources to hire dedicated information technology staff. Commonly their employees juggle multiple roles, including cybersecurity.
“As far as cities having an IT person, I just don’t know of any our size,” said Bill Shroyer, assistant city administrator in Sabetha, in northern Kansas, and president of the Kansas Rural Water Association. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”
Security experts say the Post Rock case could be as simple as officials failing to revoke Travnichek’s electronic access after he quit. The indictment doesn’t specify how he accessed the system.
“If this is indeed a case with an insider, of course an insider could possess the methods to use that remote access if you don’t have good policies,” said Marty Edwards, an expert on critical infrastructure at the cybersecurity firm Tenable. “When the individual is terminated, for example, from a job, you want to make sure you remove their credentialed access from these systems.”