On March 27, 2019, the Post Rock Water District in Ellsworth, Kansas experienced a cyber security breach that threatened drinking water safety. The hacker was former employee Wyatt Travnichek, 22, who had worked at the plant from January 2018 until January 2019. Though Travnichek had resigned, he remotely accessed a Post Rock Water District computer to shut down the cleaning and disinfecting procedures that make water potable.
Travnichek was indicted on March 31, 2021, for tampering with a public water system and reckless damage to a protected computer, which together carry a maximum sentence of 25 years and maximum fines of up to $500,000.
During his employment, Travnichek accessed a computer off hours for plant monitoring purposes. However, his credentials were not revoked at the time of his departure.
Post Rock Water District is a relatively small operation that, like its peers, would lack formidable IT resources. The company serves 1,500 residential and 10 wholesale customers.
State and federal law enforcement solve the case
The Kansas Bureau of Investigation, U.S. Environmental Protection Agency (EPA) and FBI jointly investigated the incident, which led to Travnichek’s indictment. According to a statement by Lance Ehrig, special agent in charge of the EPA’s Criminal Investigation Division in Kansas, “EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be rigorously prosecuted.”
By making an example of Travnichek, the indictment is intended to dissuade others who are targeting water systems and other infrastructure. However, such actions are especially ineffective when the attacks are sponsored by a nation state.
Attacks on water treatment plants are a critical infrastructure security problem
In 2018, the U.S. Department of Homeland Security (DHS) and the FBI warned that the Russian government is specifically targeting the water sector and other critical infrastructure. That same year, the U.S. government formed the Cybersecurity and Infrastructure Security Agency (CISA) to make the nation’s critical infrastructure more resilient to cyber and physical threats.
Yet on February 5, 2021, a hacker attempted to adjust the sodium hydroxide (lye) levels in a Florida water treatment plant operated by the City of Oldsmar. In small quantities, sodium hydroxide helps sanitize water safely. However, in larger quantities it can be fatal.
In the Florida case, a hacker gained access to the computer controlling the chemical levels, as Travnichek did. According to Sheriff Bob Gualtieri, who spoke at a February 8 press conference, the still unknown hacker successfully increased the sodium hydroxide level from 100 ppm to 11,100 ppm. Fortunately, an operator witnessed the breach live and returned the chemical level to its appropriate setting, then reported the incident. The water was subsequently tested to validate its safety. A criminal investigation in cooperation with the FBI and the U.S. Secret Service has been initiated.
Meanwhile, the Biden Administration claimed to have launched an “urgent initiative” to improve national cybersecurity, which included a proposal to increase CISA’s budget by 30% as part of the COVID-19 relief package. The proposal was removed from the bill because some lawmakers failed to perceive a connection between CISA and the pandemic. However, bipartisan efforts may increase CISA’s funding through another bill or legislation, especially now that the Biden Administration has announced plans to retaliate against Russia for the SolarWinds attack and China is associated with the recent Microsoft Exchange attack.