You would think that something as critical as a town or county’s drinking water supply would be well-protected — you know, like how America’s nuclear armament was isolated from the internet and even relied on eight-inch floppy disks until just recently? And yet we’ve now had two instances where someone was able to remotely log into a municipal water supply in a way that could have harmed people.
Remember the story of the Florida water treatment facility where someone was able to change the chemical levels? Something similar happened in March 2019 in Kansas’ Ellsworth County, too, where 22-year-old Wyatt Travnichek now stands accused of shutting down the region’s water cleaning system “with the intention of harming” it, according to a statement from the Department of Justice.
The wildest part is that in both cases, these municipalities left themselves wide open to tampering — they installed the remote access software themselves so employees could log in to monitor the systems! That’s what Travnichek was hired to do in Kansas, and authorities aren’t even accusing him of “hacking” the system in their indictment. He simply “logged in remotely” months after he left the job, began shutting things down, and is now facing up to 20 years in prison.
That sounds remarkably similar to what happened in Florida, where the water treatment plant never bothered to change the password or even remove an old piece of remote control software after they’d installed a newer one.
Maybe we should stop doing that. President Joe Biden is currently trying to push a $2 trillion infrastructure plan, including billions to deliver safe water and replace lead pipes, among other hazards. To keep the water safe, we also need to keep the water secure.
Cyberscoop spoke to a customer service rep at the Kansas water utility, who claimed the incident didn’t harm residents’ drinking water.