Ex-employee tampered with Kansas water plant, feds say, a sign of online vulnerability

Jonathan Shorman, Steve Vockrodt
·8 min read

Wyatt Travnichek was just entering his 20s, but he had a vital job.

After residents across eight central Kansas counties headed home for the night, Travnichek would keep watch — virtually — over the utility that supplied them with clean drinking water.

As a worker at the Post Rock Rural Water District, headquartered in Ellsworth, he was periodically responsible for monitoring the plant after hours by remotely logging into its computer system. His duties lasted until he resigned in January 2019, the circumstances of which are unclear.

Two months later, an unauthorized person gained remote access to the Post Rock system and shut down the facility’s cleaning and disinfecting procedures.

Earlier this month, federal prosecutors unveiled a grand jury indictment accusing Travnichek, now 22, of tampering with the Post Rock system. The indictment alleges he logged in remotely with the intent of harming the water district.

“By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,” said Lance Ehrig, special agent in charge of the Environmental Protection Agency’s criminal investigation division in Kansas.

But the Post Rock case isn’t a bizarre fluke.

In February, the Florida city of Oldsmar, population 15,000, reported a hacker attempted to poison its water supply by remotely accessing its system and changing chemical levels. An employee was able to quickly reverse the hacker’s actions, but the incident triggered a new wave of national concern over water security.

A growing number of high-profile electronic break-ins and attempted hacks of water systems around the country are exposing the vulnerabilities of one of our most basic services — clean water. As water and other critical infrastructure become more plugged into the internet, their security shortcomings are drawing more attention from those who fear hackers and others will seize opportunities to wreak havoc.

The Board of Public Utilities, a city-owned electric and water utility serving most of Wyandotte County, frequently faces attempted hacks from outside, often coming from Asian countries, said spokesman David Melhaff.

“That’s kind of widely known among electric utilities,” he said.

No centralized database of attacks exists, but the Department of Homeland Security responded to 25 water cybersecurity incidents in 2015, according to a 2016 report prepared for the Department of Energy. The true number of attacks is almost certainly higher and growing.

Yet even as the cyberthreat looms, small water systems like Post Rock face daunting challenges in securing their computers, The Star found.

These small utilities often don’t have the resources to hire dedicated information technology staff. Employees juggle multiple roles, with cybersecurity just one in a long list of items to check on. And any significant financial investment — including for cybersecurity — may raise the prospect of higher rates.

“As far as cities having an IT person, I just don’t know of any our size,” said Bill Shroyer, assistant city administrator in Sabetha, in northern Kansas, and president of the Kansas Rural Water Association. “And if we did have an IT person, they better know how to repair pot holes, fix water leaks, pick up snow and everything else that we do.”

A Samsung phone

Kansas is home to nearly 1,000 water systems, ranging from tiny multi-family setups to sprawling metropolitan utilities. Post Rock, created in 1979 by a group of farmers, has grown into one of the largest rural water districts in the state by geographic size.

The district serves more than 1,500 customers and can deliver 1.1 million gallons of water a day — all of it drawn from Kanopolis Lake, an artificial lake spread across more than five square miles in Ellsworth County, just west of Salina.

The district was one of only four systems in the state with chlorine dioxide and chlorite monitoring breaches in 2019, according to the latest annual report from the Kansas Department of Health and Environment. Chlorine dioxide is used to disinfect water, and chlorite is a byproduct of that process.

Travnichek worked for Post Rock for a year — from January 2018 until January 2019. His tampering allegedly took place in March 2019. Travnichek’s attorney, a federal public defender, didn’t respond to a request for comment.

“There’s a lot of turnover in the people who are operating these systems,” said Elmer Ronnebaum, general manager of the Kansas Rural Water Association.

On March 27, 2019, Travnichek remotely logged into Post Rock’s computer system and “performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures,” according to the indictment.

The indictment indicates Travnichek used a Samsung phone “to commit or to facilitate the commission” of the offense. If convicted, he must turn over the phone.

A screenshot of the indictment against Wyatt Travnichek, alleging he tampered with the Post Rock Rural Water District.
A screenshot of the indictment against Wyatt Travnichek, alleging he tampered with the Post Rock Rural Water District.

While the incident took place more than two years ago, it’s become public at a time of heightened anxiety over water security. But almost no details have emerged beyond the indictment, leaving unanswered questions about how, exactly, an ex-employee was able to shut down cleaning and disinfecting at Post Rock’s plant.

Kayla Errebo, chair of Post Rock’s board, declined to comment. None of the board’s seven other members responded to requests for comment.

Supervisors at the utility also didn’t respond to requests for comment. According to the district’s website, Post Rock is currently searching for a general manager.

Security experts indicated the explanation could be as simple as Post Rock not revoking Travnichek’s electronic access after he quit, but the indictment doesn’t say.

“If this is indeed a case with an insider, of course an insider could possess the methods to use that remote access if you don’t have good policies,” said Marty Edwards, an expert on critical infrastructure at the cybersecurity firm Tenable. “When the individual is terminated, for example, from a job, you want to make sure you remove their credentialed access from these systems.”

Remote access can be a powerful tool for utility operators, allowing employees to keep an eye on systems as they go about other tasks. For departments stretched thin, the ability to check key data from a phone or laptop can prove invaluable to productivity.

“Of course, these days with COVID, the ability to work remotely … is very important. You can’t always send personnel to the facility,” Edwards said.

But remote access is also among the top five security gaps identified in water systems, according to the 2016 report for the Department of Energy. The report, produced by government officials and security consultants, also listed documented procedures and trained staff as shortfalls.

Help for smaller utilities

The vast number of water systems and their range in size have resulted in a hodgepodge of rules and policies on cybersecurity across the industry.

The largest operators may have sophisticated approaches. Melhaff said employees of the Wyandotte County BPU face restrictions for the internet sites and utility facilities they can access.

“It’s very limited and controlled where people badge in and out,” he said.

Regulators may struggle to get cybersecurity on the radar of some smaller utilities, however.

A 2018 water cybersecurity briefing document from the EPA spells out the challenge, noting that many water utilities, especially small systems, lack the resources for IT and security specialists to help them start a cybersecurity program.

“Utility personnel may believe that cyber-attacks do not present a risk to their systems or feel that they lack the technical capability to improve their cybersecurity,” the document says.

Mike Keegan, a regulatory analyst at the National Rural Water Association, said the federal government needs to measure what water systems are doing to secure themselves. The government doesn’t have a true assessment of what steps utilities are taking, he said.

Some of that is already happening. A 2018 federal law requires water systems that serve more than 3,300 people to complete a risk assessment and develop an emergency response plan. The plan must include strategies to improve cybersecurity.

Keegan called the assessment a “good exercise” because it gives systems leeway to use their own standards and encourages community involvement in cybersecurity. He warned against a flat federal standard on cybersecurity, saying there are thousands of regulations covering drinking water utilities, and more are coming out all the time.

“So to think you can just publish a Federal Register regulation and it can be metabolized at the local level is just missing what’s happening,” Keegan said. “People are busy and they need to know exactly what they need to do in their community.”

Katie Miller, director of technical services at Kansas Municipal Utilities, a statewide association of city-owned utilities, said there’s varying degrees of interest and understanding on cybersecurity issues among utilities. While smaller utilities don’t typically have dedicated security staff, the association can walk them through how to get in touch with experts who can help, she said.

Her group is also providing cybersecurity curriculum to its members and has held a couple training workshops with plans to hold more.

“They’ve focused on … like ‘What is cybersecurity? What do data breaches look like?’” Miller said.

The training, geared toward smaller utilities, focuses on cybersecurity basics, she said and includes a self-assessment component.

“Once they have that framework,” Miller said, “then it allows them to start to potentially prioritize, “OK, what is something manageable we can work toward in strengthening our cybersecurity?”

The Star’s Katie Bernard contributed reporting