Federal prosecutors have charged a Kansas man with allegedly logging into a public water system computer system and tampering with the process of cleaning and disinfecting customers’ drinking water.
A lawsuit filed in the U.S. District Court for the District of Kansas said Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, was an employee of Ellsworth County Rural Water District No. 1 from January 2018 to January 2019. Also known as the Post Rock Water District serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties. Part of Wyatt’s responsibilities included logging into the water district’s computer system remotely to monitor the plant after hours.
Login with malicious intent
In late March 2019, Wednesday’s indictment read, Post Rock experienced a remote intrusion into its computer system, which resulted in the facility’s processes shutting down to ensure water is safe to drink.
“On or about March 27, 2019, the defendant, Wyatt Travnichek, in the District of Kansas, knowingly tampered with a public drinking water system, namely Ellsworth County Rural Water District No. 1,” prosecutors said. Notably, he logged into Post Rock Rural Water District’s computer system remotely and performed activities that shut down processes in the facility that affect the facility’s cleaning and disinfection procedures with the intent of harming the Ellsworth County Rural Water District No. 1.”
The allegations come seven weeks after authorities in Oldsmar, Florida said someone broke into the computer system of a municipal water treatment plant and attempted to poison drinking water for the municipality’s approximately 15,000 residents.
The intruder changed the level of sodium hydroxide in the water to 11,100 parts per million, a significant increase from the normal level of 100 ppm. Sodium hydroxide, more commonly known as lye, is used in small amounts to treat the acidity of water and remove metals. At higher levels, the caustic agent is toxic.
An operator at the water supply quickly discovered the change and reversed it. If the change had not been detected, the lye level would have increased to toxic levels. Even then, authorities said the facility had taken multiple measures to prevent the contaminated water from being made available to residents. Nevertheless, the incident highlighted the possibility that such break-ins could have fatal consequences.
Share passwords
An advisory from Massachusetts officials later said the Oldsmar facility was running an unsupported version of Windows with no firewall and sharing the same TeamViewer password with its employees. The employees used the remote software to access factory controls, a SCADA acronym for ‘supervisory control and data acquisition’ system.
Wednesday’s indictment did not say how Wyatt would have gained access to the Post Rock facility. His previous position as a facility worker who regularly logged into the water district’s computer system remotely leaves open the possibility that water officials there also failed to obtain credentials by failing to close Wyatt’s remote access account after he left. No one in the facility was available to answer questions for this post.
The indictment charges Wyatt with one count of tampering with a public water system and one count of reckless damage to a secure computer during unauthorized access. If convicted, he faces a maximum penalty of 25 years in prison and $500,000 in fines. Attempts to reach Wyatt for comment were unsuccessful.