Former Employee Indicted for Hacking Kansas Water Utility and Trying to Shut Down Key Systems

As if we didn’t have enough risks to drinking water to manage.
Photo: Tony Gutierrez (AP)

A federal grand jury is indicting a 22-year-old guy over accusations that he tampered with a public water system. Dude allegedly hacked into a computer system that controls a rural water utility in Ellsworth County, Kansas, then messed with the virtual processes that affect procedures for cleaning and disinfecting drinking water.

On March 31, Wyatt Travnichek was charged with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access. If convicted, he’ll face up to 25 years in prison and $500,000 in fines.

The story is pretty wild. Travnichek actually worked at the water district, which services more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties, from January 2018 to January 2019. Part of his role was to virtually monitor its water plant after hours by remotely logging into the district’s computer system, so in a sense he was just doing his old job.

The Department of Justice alleges that he logged on with the intention to harm, though thankfully, according to Cyberscoop, no one was harmed. According to the indictment, Travnichek “accessed a protected computer without authorization,” then remotely logged on and “performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures.”

“By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,” Lance Ehrig, Special Agent in Charge of EPA’s Criminal Investigation Division in Kansas, said in a statement. “EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.”

What’s even more bonkers than this guy’s actions, though, was that he was able to carry them out. But it’s also hardly the only instance of critical utility infrastructure facing cybersecurity breaches. In February, a hacker broke into the computer system for a water utility in Florida and tried to poison people by upping the water’s sodium hydroxide content to toxic levels. It later came out that the system didn’t have basic network protections—not even a firewall or strong password security. In December, when cyber intruders hacked numerous government agencies and tech companies through SolarWinds software, they also put malware onto several electric and oil companies’ computer systems. A report released Monday also shows that Connecticut’s energy, natural gas, and water utilities have seen an uptick in phishing and malware threats since the covid-19 pandemic began in early 2020.

This comes on top of the physical issues with U.S. infrastructure, of which there are many. Water systems are already under threat from pollution, poorly maintained pipes, and aging infrastructure. Climate change will only exacerbate many of these problems. Travnichek hasn’t yet been convicted of anything, but regardless, let’s hope water utilities learn from this and install some protective measures. Because frankly, we don’t need any more risks to drinking water.
