Kitchen sink with running water

Federal prosecutors have indicted a Kansas man for allegedly logging into a computer system at a public water system and tampering with the process for cleaning and disinfecting customers’ drinking water.

An indictment filed in US District Court for the District of Kansas said Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, was an employee from January 2018 to January 2019 at the Ellsworth County Rural Water District No. 1. Also known as the Post Rock Water District, the facility serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties. Part of Wyatt’s responsibilities included remotely logging in to the water district’s computer system to monitor the plant after hours.

Logging in with harmful intent

In late March 2019, Wednesday’s indictment said, Post Rock experienced a remote intrusion to its computer system that resulted in the shutdown of the facility’s processes for ensuring water is safe to drink.

“On or about March 27, 2019, in the District of Kansas, the defendant, Wyatt Travnichek, knowingly tampered with a public drinking water system, namely the Ellsworth County Rural Water District No. 1,” prosecutors alleged. “To wit: he logged in remotely to Post Rock Rural Water District’s computer system and performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1.”

The allegations come seven weeks after authorities in Oldsmar, Florida said someone broke into the computer system of a municipal water treatment plant and tried to poison drinking water for the municipality’s roughly 15,000 residents.

The intruder changed the level of sodium hydroxide in the water to 11,100 parts per million, a significant increase from the normal amount of 100 ppm. Better known as lye, sodium hydroxide is used in small amounts to treat the acidity of water and to remove metals. At higher levels, the corrosive is toxic.

An operator at the water facility quickly discovered the change and reversed it. Had the change not been detected, it would have raised the level of lye to toxic levels. Even then, the authorities said the facility had multiple measures in place to prevent the contaminated water from being made available to residents. Nonetheless, the incident underscored the potential for such intrusions to have fatal consequences.

Sharing passwords

An advisory from officials in Massachusetts later said that the Oldsmar facility used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees. The employees used the remote software to access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system.

Wednesday’s indictment didn’t say how Wyatt allegedly gained access to the Post Rock facility. His prior position as a facility employee who remotely logged in to the water district’s computer system on a regular basis leaves open the possibility that water officials there also failed to secure credentials by not closing Wyatt’s remote access account after he left. No one at the facility was available to take questions for this post.

The indictment charges Wyatt with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access. If convicted, he faces a maximum sentence of 25 years in prison and $500,000 in fines. Attempts to reach Wyatt for comment weren’t successful.