The indictment comes just two months after a still unknown hacker attempted to poison the water supply of Oldsmar, Florida, and it marks the third publicly disclosed attack on a water system that posed a direct risk to the health of a utility's customers. (In 2016, Verizon Security Solutions found that hackers had successfully changed the chemical levels at an unnamed utility.) Cyberattacks that could cause physical harm remain vanishingly rare, but the nation's water systems are an increasingly popular target. And experts say these systems largely aren't equipped to handle the threats.
“Everybody thinks about people taking down power to areas, because it’s something you're familiar with. Everyone’s been through a power outage. We also know how to survive them,” says Lesley Carhart, a principal threat analyst at Dragos, an industrial control system security firm. “We don’t think about water. That’s maybe one of the reasons why it’s so underfunded.”
The specifics of how Travnichek allegedly obtained access to Post Rock Rural Water District’s network after he left the utility remain unclear; the indictment says only that he “logged in remotely.” He’d had a remote login when he worked there, court documents say, for after-hours monitoring. But basic cybersecurity measures should have been enough to prevent a former employee from getting unauthorized access into the system, whether they simply used old credentials or even set up a more sophisticated backdoor into the system. Unfortunately, many water utilities lack even that much, especially in rural areas.
“Most water utilities are handled by municipalities, so they can be managed by very small towns on very small budgets. They operate on a shoestring,” says Carhart. “A lot of water utilities, especially municipal utilities, have maybe one IT person if they’re very lucky. They definitely don’t have a security person on staff, in most cases.” Neither Post Rock nor Travnichek's lawyer responded to a request for comment.
When your job is to make sure that the computers work at a water utility, you understandably might prioritize the processes that safeguard the potable supply over implementing, say, federated identity measures that would prevent a former employee from popping back in.
Which is, unfortunately, something that happens more often than you might think. The Post Rock incident, Oldsmar, and the unnamed intrusion Verizon spotted a few years back have grabbed attention because they could have resulted in physical harm. But water utilities have experienced a slow but sustained onslaught over the past decade. In the first half of the 2010s, the water sector was consistently among the most-targeted sectors, though still far behind critical manufacturing and energy. In 2015, the US Industrial Control Systems Cyber Emergency Response Team fielded 25 cybersecurity incidents in the water and wastewater sector; in 2016, the last year for which data is available, it saw 18. A recent study published in the Journal of Environmental Engineering looked at 15 cyberattacks against water systems in some depth and found that they ran the gamut from data theft to cryptojacking to ransomware.