A former employee of a rural central Kansas water system pleaded guilty Wednesday to remotely shutting down the plant in March 2019 after a federal prosecutor described how the man told investigators he was “so intoxicated” he didn’t remember anything.
The episode at the Post Rock Rural Water District in Ellsworth drew attention to the electronic weaknesses within critical infrastructure such as water treatment centers as authorities in Kansas and across the country steel themselves against a rising tide of hackers and cyberattacks.
But in the case of Wyatt Travnichek, the weakness was as simple as a shared pass code.
Travnichek, 22, pleaded guilty in federal court in Topeka to tampering with a public water system and reckless damage to a public computer during unauthorized access. He is set to spend a year in prison under a plea agreement. Formal sentencing is tentatively set for February.
Assistant U.S. Attorney Christine Kenney told Judge Toby Crouse that Post Rock, which supplies water for about 1,500 customers, relied on a shared GoToMyPC account to allow remote access to the system after hours. The system used a shared pass code to access software that controls the plant.
Travnichek, a 2017 high school graduate, had worked for the water district for a year until he resigned in January 2019. On March 27, 2019, an operator monitoring the plant saw it “had been shut down,” Kenney said. The operator’s remote access had also been terminated.
The operator drove to the plant to find a filter had been turned off and other controls changed. Investigators identified Travnichek through records linking his phone and the internet protocol, or IP, address of the device that had logged into the plant remotely.
“The defendant said he was so intoxicated he didn’t remember anything” about what happened that night, Kenney said Travnichek told investigators.
When Travnichek’s indictment came this spring, it was the latest in a series of worrying episodes across the country that exposed security challenges facing utilities, ranging from outright hacking to other weaknesses. A Florida city in February reported that a hacker attempted to poison its water supply, though an employee was able to quickly reverse what happened.
The incidents — including in Kansas — have only continued. Earlier this month, Pottawatomie County, near Manhattan, disclosed it had paid more than $71,000 to a hacker who threatened to make public data that was private. The ransom demand was negotiated down from $1 million.
Additionally, a report by state auditors released earlier this month found Kansas schools are unprepared for a cyberattack. Just last week in Missouri, the St. Louis Post-Dispatch reported the Social Security numbers of teachers could be found in publicly accessible website source code, prompting Gov. Mike Parson to threaten the newspaper with prosecution.
In July, Gov. Laura Kelly created a cybersecurity task force aimed at securing digital infrastructure. The group, which has been meeting in the months since, includes members who represent critical infrastructure such as health and power systems. A report is due to Kelly by December.
“We all know that the landscape, attack sophistication and frequency is continuing to increase. And we also know that those disruptions from cyberattacks are becoming significantly more disruptive,” Jeff Maxon, the state’s chief information security officer, said at an August task force meeting.
Few clues to Travnichek’s motivation were offered Wednesday beyond the statement that he was apparently intoxicated at the time of the incident. Dressed in a dark suit and yellow tie, he said “no comment” when he was approached by a reporter as he left the courtroom.
Lance Ehrig, special agent in charge of the Environmental Protection Agency’s criminal investigation division in Kansas, said previously that Travnichek “threatened the safety and health of an entire community.”
Many small utilities and agencies don’t have the resources to hire workers solely focused on cybersecurity. In turn, cybersecurity becomes yet another responsibility already-burdened employees must take on.
“For many of these communities to find someone who is versed in I.T. issues they have to go 80 to 100 miles. The resources just aren’t there,” said Elmer Ronnenbaum, general manager of the Kansas Rural Water Association.
Kansas has about 6,500 cybersecurity workers, according to Maxon, but roughly 2,500 openings. The gap points to a large need for additional professionals.
On Wednesday, the federal Cybersecurity Infrastructure and Security Agency announced it would provide $2 million to fund the development of workforce training programs focused in part on underserved communities in urban and rural areas.
“Addressing the cyber workforce shortage requires us to proactively seek out, find, and foster prospective talent from nontraditional places,” CISA Director Jen Easterly said in a statement.