A former employee of a Kansas-based water treatment facility is facing decades in prison after allegedly breaking into the plant’s computer systems two years ago.
Wyatt A. Travnichek, 22, is accused of gaining “unauthorized access” to the internal workings of the Ellsworth Rural Water District No. 1 on March 27, 2019, according to an indictment from the U.S. Department of Justice. Travnichek, who resigned from the plant not long before the incident, allegedly used that access to remotely disable the processes responsible for “cleaning and disinfecting” its water supply, the feds claim.
It’s unclear why Travnichek would want to do this but, nonetheless, he now faces two federal charges: Tampering with a Public Water System and Reckless Damage to a Protected Computer During Unauthorized Access. If convicted, he could be behind bars for up to 25 years.
While the indictment doesn’t give an exact accounting of how Travnichek supposedly disrupted the facility’s operations, all signs point to an abuse of its remote access control system—the software commonly used to monitor and manipulate operational systems from afar.
According to the indictment, Travnichek was employed by the water plant from January 2018 to January 2019, and his duties included “remotely logging into” the plant’s “computer system to monitor the plant after hours.” The incident, which occurred approximately three months after his resignation, involved “an unauthorized remote intrusion,” court documents say. The device used to “facilitate” that intrusion is described as a Samsung Galaxy S7 phone.
From these details, it really sounds like Travnichek accessed the plant’s remote access system via a program on his cellphone, abusing his former permissions to manipulate the plant’s operations. Most remote access software—like TeamViewer—comes with a mobile app, so that would have been a pretty straightforward vector by which to do it. Did the facility just forget to change the passwords and delete his account after he resigned? It’s not totally clear. When reached by phone Friday, an employee of the Ellsworth water facility confirmed that the incident had happened but could not provide any further information about it.
Another interesting element of this story is the fact that it took two years for charges to be brought. Why? If there really was unauthorized access and it came from a former employee, why did it take half of Donald Trump’s presidency to figure out who that employee was? It brings up a more disturbing question: does this sort of thing happen frequently, and we just don’t hear about it? The story shares many similarities with the Oldsmar, Florida incident, wherein a still-unidentified hacker similarly broke into the network of the city’s water treatment facility by abusing its remote access system and tried to poison the water supply.
Both stories highlight a growing issue in cybersecurity, which is security for critical infrastructure. With an increasing amount of focus being put on the ways in which hackers can penetrate industrial facilities and operational technology (think: dams and electrical grids, among many other possibilities), it might be a good time for legislators to figure out how to better invest in defenses for these systems—considering so many of them are run by underfunded state and local governments with not a whole lot of cash to burn.