Former Employee Indicted for Hacking Kansas Water Utility and Trying to Shut Down Key Systems

As if we didn’t have enough risks to drinking water to manage.
As if we didn’t have enough risks to drinking water to manage.
Photo: Tony Gutierrez (AP)

A federal grand jury is indicting a 22-year-old guy over accusations that he tampered with a public water system. Dude allegedly hacked into a computer system that controls a rural water utility in Ellsworth County, Kansas, then messing with the virtual processes that affect procedures for cleaning and disinfecting drinking water.

Advertisement

On March 31, Wyatt Travnichek was charged with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access. If convicted, he’ll face up to 25 years in prison and $500,000 in fines.

The story is pretty wild. Travnichek actually worked at the water district, which services more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties, from January 2018 to January 2019. Part of his role was to virtually monitor its water plant after hours by remotely log into the district’s computer system, so in a sense he was just doing his old job.

The Department of Justice alleges that he logged on with the intention to harm, though thankfully, according to Cyberscoop, no one was harmed. According to the indictment, Travnichek “accessed a protected computer without authorization,” then remotely logged on and “performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures.”

“By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,” Lance Ehrig, Special Agent in Charge of EPA’s Criminal Investigation Division in Kansas, said in a statement. “EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.”

What’s even more bonkers than this guy’s actions, though, was that he was able to carry them out. But it’s also hardly the only instance of critical utility infrastructure facing a cybersecurity breaches. In February, a hacker broke into the computer system for a water utility in Florida and tried to poison people by upping the water’s sodium hydroxide content to toxic levels. It later came out that the system didn’t have basic network protections—not even a firewall or strong password security. In December, when cyber intruders hacked numerous government agencies and tech companies, SolarWinds software, they also put malware onto several electric and oil companies’ computer systems. A report released Monday also shows that Connecticut’s energy, natural gas, and water utilities have seen an uptick in phishing and malware threats since the covid-19 pandemic began in early 2020.

Advertisement

This comes on top of the physical issues with U.S. infrastructure, of which there are many. Water systems are already under threat from pollution, poorly maintained pipes, and aging infrastructure. Climate change will only exacerbate many of these problems. Travnichek hasn’t yet been convicted of anything, but regardless, let’s hope water utilities learn from this and install some protective measures. Because frankly, we don’t need any more risks to drinking water.

Earther staff writer. Blogs about energy, animals, why we shouldn't trust the private sector to solve the climate crisis, etc. Has an essay in the 2021 book The World We Need.

DISCUSSION

pedal-force
pedal-force

Did they fire him or otherwise cease their relationship with him and then fail to remove his access? That’s so dumb.

I work in this space as a consultant, on the electric utility side in large control systems like this, and you have 24 hours to remove access if someone leaves on good terms, and I think it just says "immediately" which is usually read to mean like an hour or two to finish the process, if they get fired or quit on bad terms. You have to vet people and pay them well and treat them well if you give them complete control over huge systems (like, millions of people's power with one button).