The former employee of a Kansas-based water plant is facing decades in federal prison for allegedly having broken into its computer systems two years ago.
Wyatt A. Travnichek, 22, is accused of gaining unauthorized access to the internal workings of the Ellsworth Rural Water District No. 1 on March 27, 2019, according to an indictment from the U.S. Department of Justice. Travnichek, who resigned from the plant not long before the incident, allegedly used that access to remotely disable the processes responsible for cleaning and disinfecting its water supply, the feds claim.
It's unclear why Travnichek would want to dirty the water supply in this way but, nonetheless, he now faces two federal charges: Tampering with a Public Water System and Reckless Damage to a Protected Computer During Unauthorized Access. If convicted, he could be behind bars for up to 25 years.
While the indictment doesn't give an exact accounting of how Travnichek allegedly disrupted the facility's operations, all signs point to an abuse of its remote access control system, the software commonly used to monitor and manipulate operational systems from afar.
According to the indictment, Travnichek was employed with the water plant from January 2018 to January 2019 and his duties included remotely logging into the plant's computer system to monitor the plant after hours. The hack, which occurred approximately three months after his resignation, involved an unauthorized remote intrusion, court documents say. The device used to facilitate that intrusion is described as having been a Samsung Galaxy S7 phone.
From these details, it really sounds like Travnichek accessed the plant's remote access system via a program on his cellphone, abusing his former permissions to manipulate the plant's operations. Most remote access software, like TeamViewer, comes with a mobile app, so that would have been a pretty straightforward vector by which to do it. Did the facility just forget to change the passwords and delete his account after he resigned? It's not totally clear. When reached by phone Friday, an employee of the Ellsworth water facility confirmed that the incident had happened but could not provide any further information about it.
Another interesting element to this story is the fact that it took two years for charges to be brought in the case. Why? If there really was unauthorized access and it came from a former employee, why did it take half of Donald Trump's presidency to figure out who that employee was? It brings up a more disturbing question, which is: does this sort of thing happen frequently, and we just don't hear about it? The story shares many similarities to the Oldsmar, Florida incident, wherein a still unidentified hacker similarly broke into the network of the city's water treatment facility by abusing its remote access system and tried to poison the water supply.
Both stories highlight a growing issue in cybersecurity, which is security for critical infrastructure. With an increasing amount of focus being put on the ways in which hackers can penetrate industrial facilities and operational technology (think: dams and electrical grids, among many other possibilities), it might be a good time for legislators to figure out how to better invest in defenses for these systems, considering so many of them are run by underfunded state and local governments with not a whole lot of cash to burn.