Situation Report: DOJ Indictment Raises Specter, Yet Again, of Water System Cyber Vulnerabilities

This week the U.S. Department of Justice announced the indictment of 22-year old Wyatt A. Travnichek of Ellsworth County, Kansas for allegedly accessing the Ellsworth County Rural Water District’s computer system on or about March 27, 2019, remotely and illegally shutting down important processes involved in cleaning and disinfecting the water.

Lance Ehrig, Special Agent in Charge of U.S. Environmental Protection Agency (EPA) Criminal Investigation Division in Kansas, said “By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community.”  Ehrig continued, “EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.”

One of these laws is the Safe Drinking Water Act (SDWA), passed originally by Congress in 1974.  This law requires protections for drinking water and its sources, ranging from springs, reservoirs, lakes, rivers, and ground water wells that support more than 25 individuals, giving the EPA the authority to set protection and enforcement standards. States provide the most direct oversight of drinking water systems by applying to the US EPA for “primacy” – the authority to implement the provisions of the SDWA within their territorial boundaries. Most states have received primacy by demonstrating that they have adopted standards at least as stringent as the EPA’s.

Unfortunately, neither the federal mandates of the EPA or the regulations imposed by states may be presently enough to protect our water systems from cybersecurity incidents, particularly those targeting control systems.

Control Systems Cybersecurity expert, Joseph M. Weiss, notes that such incidents can occur either deliberately through malicious hacking, or unintentionally by intruders who do not understand what the systems they have accessed control. He notes there have been over 100 water/waste-water control system incidents which have occurred across the country, including one where a water utility, “inadvertently pumped water from a Superfund contaminated well site into a drinking water system.”

Weiss bemoans the lack of information sharing between government and industry with respect to identifying and mitigating control system cyber incidents in water and other critical infrastructures and says there are few efforts to identify and track such incidents, which is important for training future security experts. Weiss says, “Control system cyber security training and mitigation technologies should be based on real cases or extrapolation from real cases” which in turn requires a database of such incidents.

The Kansas water hack together with a similar incident which took place in Oldsmar, Florida in February– has raised the profile of the risk to water/wastewater systems.

These consequences and the publicity surrounding the case may serve as a deterrent to future would-be hackers, particularly given the steep penalties that could be imposed on Travnichek if he is found guilty: 25 years in prison and a fine of up to $500,000.

For foreign hackers however, there are many other tools that the U.S. Government can use to impose penalties, as suggested by the March 2020 Cyberspace Solarium Commission, which promoted a policy of “layered cyber-deterrence.”

Ultimately however, the best deterrent is a resilient infrastructure that is resistant to attack because all-hazards protections have been “baked in” to the design from the very beginning of product development to installation.  Because complete immunity from attack is difficult to achieve, it is important that critical infrastructure owners also plan for redundancy.

As we reported following the Oldsmar, Florida incident, the Kansas water facility hack likewise underscores the need for resilience, redundancy, and deterrence.