beebright - Fotolia

Man indicted in Kansas water facility breach

While the attempted tampering of a Kansas water facility occurred more than two years ago, the Justice Department this week indicted a 22-year-old former employee.

A Kansas man was charged with breaching a public water system and shutting down processes with "the intention of harming" the community.

The indictment, released Wednesday by the Department of Justice (DOJ), charged 22-year-old Wyatt A. Travnichek of Ellsworth County, Kan., with knowingly accessing the Ellsworth County Rural Water District's computer system without authorization and tampering with the public water system. The incident occurred on March 27, 2019, when Post Rock experienced an unauthorized remote intrusion resulting in the shutdown of the facility's processes.

According to the DOJ statement on the indictment, the intruder impacted cleaning and disinfecting procedures for the public water supply in the Ellsworth Rural Water District No. 1, also known as Post Rock Rural Water District. The DOJ claims Travnichek's actions were intended to cause harm.

Lance Ehrig, special agent in charge of the Environmental Protection Agency's criminal investigation division in Kansas, said that Travnichek's alleged actions threatened the safety and health of an entire community. "Today's indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted."

Travnichek was an employee of the Post Rock Rural Water District from approximately January 2018 until his resignation in January 2019. Post Rock serves as the public water system, utilized by over 1,500 retail customers and 10 wholesale customers over eight Kansas counties. It's unclear what stopped the attempted attack on the water supply.

Part of Travnichek's job was to periodically log in remotely to the Post Rock computer system to monitor the plant after hours. The indictment claims Travnichek allegedly logged in remotely to the Post Rock systems in the breach, but it's unclear whether his own credentials were used or if access was obtained through other means.

"He logged in remotely to Post Rock Rural Water District's computer system and performed activities that shut down processes at the facility which affect the facility's cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1," the indictment said.

An Ellsworth city official confirmed to SearchSecurity that Travnichek's father, Joe Travnichek, also works in the utilities sector as the superintendent for the city's water and sewer department. SearchSecurity contacted Joe Travnichek for comment, but he has not responded.

Attacks that impact critical infrastructure and industrial control system (ICS) security have become common enough that the Department of Homeland Security is making it a top priority, Alejandro Mayorkas, the U.S. Secretary of Homeland Security, revealed during an RSA conference webcast Wednesday. He referred to the recent attack on the Oldsmar, Fla., water treatment plant, which unsuccessfully attempted to poison the water supply.

Mayorkas said later this summer DHS will launch its third of 60-day "cyber sprints," which will focus on mobilizing action to improve the resilience of ICSes. "The cybersecurity incident at the water treatment facility last month was a powerful reminder of the substantial risks we need to address," he said.

In Oldsmar, the attacker gained control of a SCADA system inside the plant via TeamViewer and attempted to remotely raise the amount of sodium hydroxide in the water to dangerous levels. While safety controls were impacted in both breaches, neither public water supply was contaminated.

Dig Deeper on Security operations and management