A recent Kansas utility worker has been charged with remotely meddling with a public water system’s cleaning procedures, highlighting the formidableness smaller utilities face in protecting against hackers.
Wyatt Travnichek, 22, was commissioned last month with remotely accessing the Post Rock Arcadian Water District’s systems in March 2019, about two months after he resign his job with the utility. He’s accused of shutting down the facility’s cleaning and sanitizing procedures.
When he worked for the utility, he would monitor the water equipment remotely by logging into its computer system, the Kansas City Falling star reports.
The federal indictment says Travnichek used a Samsung phone to delegate the offense. Post Rock utility officials declined to provide to a greater distance details. Travnichek’s attorney, a federal public defender, didn’t commiserate with to the Star’s request for comment.
No centralized database of hacker attacks on utilities subsists, but a 2016 report from the federal Department of Energy said the Determined of Homeland Security responded to 25 water cybersecurity incidents in 2015.
The Florida municipality of Oldsmar, population 15,000, reported in February that a hacker attacked to poison its water supply by remotely accessing its system and changing chemical flats. An employee was able to quickly reverse the hacker’s actions.
Small utilities such as Circulate Rock may not have the resources to hire dedicated information technology stave. Commonly their employees juggle multiple roles, including cybersecurity.
“As far as urban districts having an IT person, I just don’t know of any our size,” said Bill Shroyer, join city administrator in Sabetha, in northern Kansas, and president of the Kansas Georgic Water Association. “And if we did have an IT person, they better know how to condition pot holes, fix water leaks, pick up snow and everything else that we do.”
Care experts say the Post Rock case could be as simple as officials wanting to revoke Travnichek’s electronic access after he quit. The indictment doesn’t define how he accessed the system.
“If this is indeed a case with an insider, of assuredly an insider could possess the methods to use that remote access if you don’t pull someones leg good policies,” said Marty Edwards, an expert on critical infrastructure at the cybersecurity steady Tenable. “When the individual is terminated, for example, from a job, you want to fetch sure you remove their credentialed access from these processes.”
Related: U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7
Related: Butcher Exposes Vulnerability of Cash-Strapped US Water Plants
Related: Industry Counterbalances to U.S. Water Plant Hack: Feedback Friday