In January 2019, Wyatt Travnichek left his job at the Post Rock Rural Water District, whose 1,800 miles of water-main pipe supply customers across eight counties in the dead center of Kansas. Two months later, prosecutors say, he logged back in to the facility’s computer system and proceeded to tamper with the processes it uses to clean and disinfect the drinking water.
When it comes to critical infrastructure security, the power grid attracts most of the public's attention—and understandably so. Threats to the power grid are real and scary; just ask anyone in Ukraine, which has experienced multiple large-scale blackouts effected by Russia’s Sandworm hackers. But the Post Rock incident, revealed in an indictment on Wednesday, is a sharp reminder that the water supply system presents just as devastating a target.
The indictment comes just two months after a still unknown hacker attempted to poison the water supply of Oldsmar, Florida, and it marks the third publicly disclosed attack on a water system that posed a direct risk to the health of a utility's customers. (In 2016, Verizon Security Solutions found that hackers had successfully changed the chemical levels at an unnamed utility.) Cyberattacks that could cause physical harm remain vanishingly rare, but the nation's water systems are an increasingly popular target. And experts say these systems largely aren't equipped to handle the threats.
“Everybody thinks about people taking down power to areas, because it’s something you're familiar with. Everyone’s been through a power outage. We also know how to survive them,” says Lesley Carhart, a principal threat analyst at Dragos, an industrial control system security firm. “We don’t think about water. That’s maybe one of the reasons why it’s so underfunded.”
The specifics of how Travnichek allegedly obtained access to Post Rock Rural Water District’s network after he left the utility remain unclear; the indictment says only that he “logged in remotely.” He’d had a remote login when he worked there, court documents say, for after-hours monitoring. But basic cybersecurity measures should have been enough to prevent a former employee from getting unauthorized access into the system, whether they simply used old credentials or even set up a more sophisticated backdoor into the system. Unfortunately, many water utilities lack even that much, especially in rural areas.
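The preventive control the paragraph above alludes to is simple to state: a remote login that belongs to someone who has left should not exist, and if it somehow still does, its use should stand out in the authentication logs. The following Python is an added example, not code from the article or from any utility it describes; the usernames, termination dates, IP addresses and log lines are all constructed for illustration, and the log format is an invented syslog-like one rather than any specific vendor's. It shows both halves: an offboarding check that lists accounts still active past their owner's last day, and a detection pass over remote-access log lines that flags successful logins occurring after that date.

```python
"""Offboarding check and post-termination login detection (added example).

Everything below is constructed for illustration: the HR roster, the log lines,
the hostnames and the IP addresses are not from the article or any real utility.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Constructed HR offboarding roster: username -> last working day.
TERMINATED: Dict[str, date] = {
    "jdoe": date(2019, 1, 15),
    "asmith": date(2018, 11, 30),
}

# Constructed remote-access log lines in an invented syslog-like layout.
SAMPLE_LOG = """\
2019-01-10T22:14:03 vpn-gw sshd: Accepted publickey for jdoe from 198.51.100.7 port 50122
2019-01-14T19:02:41 vpn-gw sshd: Accepted password for operator1 from 203.0.113.5 port 40012
2019-03-27T23:41:10 vpn-gw sshd: Accepted publickey for jdoe from 198.51.100.7 port 50877
2019-03-28T01:05:55 vpn-gw sshd: Failed password for asmith from 192.0.2.9 port 33001
2019-04-01T08:30:00 vpn-gw sshd: Accepted password for operator1 from 203.0.113.5 port 40210
"""

# One regex for the invented format: timestamp, host, outcome, method, user, source.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    user: str
    src_ip: str
    succeeded: bool


def parse_login_line(line: str) -> Optional[LoginEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(
        when=datetime.fromisoformat(m.group("ts")),
        user=m.group("user"),
        src_ip=m.group("ip"),
        succeeded=(m.group("outcome") == "Accepted"),
    )


def stale_accounts(active: Set[str], roster: Dict[str, date], today: date) -> List[str]:
    """Preventive check: accounts still enabled although their owner's last day has passed.

    This is the list an offboarding process should have driven to empty.
    """
    return sorted(u for u in active if u in roster and roster[u] < today)


def find_post_termination_logins(log_text: str, roster: Dict[str, date]) -> List[LoginEvent]:
    """Detective check: successful remote logins dated after the user's last working day.

    Failed attempts are deliberately excluded here; they are worth alerting on
    separately, but a *successful* login by a departed user is the event that
    means the preventive control already failed.
    """
    flagged: List[LoginEvent] = []
    for line in log_text.splitlines():
        ev = parse_login_line(line)
        if ev is None or not ev.succeeded:
            continue
        last_day = roster.get(ev.user)
        if last_day is not None and ev.when.date() > last_day:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for acct in stale_accounts({"jdoe", "operator1", "asmith"}, TERMINATED, date(2019, 3, 28)):
        print(f"still enabled after last day: {acct}")
    for ev in find_post_termination_logins(SAMPLE_LOG, TERMINATED):
        days = (ev.when.date() - TERMINATED[ev.user]).days
        print(f"{ev.when.isoformat()} {ev.user} from {ev.src_ip}: login {days} days after last day")
```

In the constructed data only the second `jdoe` entry is flagged: the first predates that user's last day, `operator1` is not on the roster, and `asmith`'s attempt failed. The stale-account check, run on the day of the later login, would already have reported both `jdoe` and `asmith`, which is the point: the roster comparison is cheap enough for a one-person IT shop to run on a schedule, and it catches the problem before a log review has to.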
“Most water utilities are handled by municipalities, so they can be managed by very small towns on very small budgets. They operate on a shoestring,” says Carhart. “A lot of water utilities, especially municipal utilities, have maybe one IT person if they’re very lucky. They definitely don’t have a security person on staff, in most cases.” Neither Post Rock nor Travnichek's lawyer responded to a request for comment.
When your job is to make sure that the computers work at a water utility, you understandably might prioritize the processes that safeguard the potable supply over implementing, say, federated identity measures that would prevent a former employee from popping back in.
Which is, unfortunately, something that happens more often than you might think. The Post Rock incident, like Oldsmar and the unnamed intrusion Verizon spotted a few years back, has grabbed attention because each could have resulted in physical harm. But water utilities have experienced a slow but sustained onslaught over the past decade. In the first half of the 2010s, the sector was consistently among the most targeted, though still far behind critical manufacturing and energy. In 2015, the US Industrial Control Systems Cyber Emergency Response Team fielded 25 cybersecurity incidents in the water and wastewater sector; in 2016, the last year for which data is available, it saw 18. A recent study published in the Journal of Environmental Engineering looked at 15 cyberattacks against water systems in some depth and found that they ran the gamut from data theft to cryptojacking to ransomware.
Troublingly, at least a third of the attackers in those cases were insiders. Water systems have complex interfaces; you can’t just push random buttons and expect a deleterious result. But someone who works there, or used to? That’s trouble. “Even individuals who left an organization, they can still be considered insiders. That is critical,” says Elisa Bertino, a computer scientist who heads Purdue University’s Cyber Space Security Lab and coauthored a recent paper in Electronics on insider threats. “Usually they have a lot of knowledge, and this knowledge allows them to create sabotage, destruction, and so forth.”
The threat to water systems is inextricably tied to the broader threats to critical infrastructure, which have surged in recent years, according to Brandon Hoffman, chief information security officer for the threat intelligence firm Intel 471. “Adversaries see that critical infrastructure is underfunded and undermanaged from a security perspective.”
Last year, Intel 471 found that a likely Iranian hacker was offering to sell network access to a water treatment plant in Florida over the messaging app Telegram. (They have not tied that activity to the Oldsmar incident.) Hoffman expects water supply infrastructure to be an increasingly popular target, especially as incidents like Post Rock and Oldsmar highlight both the vulnerability of those plants and the amount of harm they can cause.
“It’s kind of a double-edged sword,” Hoffman says about the recent cases. “On the one hand, you want people to have awareness. On the other hand, success begets success. The more people that see it, the more people will want to target it.”
To the extent that there’s good news, basic cybersecurity protections would go a long way to prevent attacks by insiders and amateurs. (If a sophisticated state-sponsored hacker wants to break into your water treatment plant, that’s another story without a happy ending.) The question, though, is who’s going to pay for implementing them. While President Biden introduced a sweeping $2 trillion infrastructure bill this week, the White House’s detailed breakdown of priorities made no mention of cybersecurity. That’s not to say that whatever bill Congress eventually proposes won’t put resources toward shoring up those systems, but it should be a priority from the start.
“They need more resources. That needs to be codified. They need to be given more staff, more money, more tools, more intelligence. It’s a huge gap,” says Dragos’s Carhart. “The thing that really scares me is they just add some laws that require more box-checking for those people, and they don’t give them any more people and they don’t give them any more money.” The more time beleaguered IT staff have to spend checking boxes for compliance, Carhart says, the less time they have to install patches, update their systems, and implement the other security basics so many of them lack.
The water supply is fundamental to people's health and safety. The Post Rock incident is yet another warning of the risk it faces and the potential consequences of continuing to ignore it.