A former water plant worker in Kansas pleaded guilty on Wednesday to remotely shutting down the Post Rock Rural Water District in March 2019, acknowledging he was “so intoxicated” he didn’t even remember messing with the system.

Wyatt Travnichek, 22, pleaded guilty in Topeka federal court to tampering with a public water system and reckless damage to a public computer during unauthorized access. A plea agreement will see him spend a year in prison, though he won’t be formally sentenced until February.

Travnichek had worked for the utility for only about a year before resigning in January 2019, and he did not need to be a computer expert to get back into the water system. The Post Rock plant, which supplies water to about 1,500 customers in rural Kansas, relied on a single shared GoToMyPC account for after-hours remote access, with one shared password that also unlocked all of the plant's control software. A shared password of that kind stays valid for everyone who has ever learned it until it is changed, which is how a former employee could still log in.

Two months after his departure, Travnichek logged in while “so intoxicated he didn’t remember anything,” according to Assistant US Attorney Christine Kenney. He shut down major parts of the plant, terminating other employees’ remote access in the process. When an operator drove to the plant to investigate, the activity was traced by source IP address to Travnichek, though no one has explained why he was still able to log in remotely months after quitting.
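The failure described above is one of revocation: a shared password stays valid for everyone who ever learned it until it is changed, and a source address that does not belong to the plant or to on-call staff is the one signal the utility actually had. The following is an added example written for this page, not code from the utility or from the case file. It audits a constructed access log for two things: logins from source addresses outside an approved range, and shared accounts whose last password rotation predates a departed user's last day, meaning that user still knows a working secret. The account names, dates, addresses and the log format are all assumptions.

```python
"""Offline audit of a shared remote-access account: flag logins from
unexpected sources and shared passwords that departed staff still know.
All sample data below is constructed for illustration; none of it comes
from the Post Rock incident."""
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    source: str
    action: str


def parse_log(text):
    """Parse 'ISO-timestamp account source-ip action' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, account, source, action = line.split()
        events.append(Event(datetime.fromisoformat(stamp), account, source, action))
    return events


def stale_shared_credentials(accounts, roster):
    """Return (account, user) pairs where a departed user left on or after the
    date the shared password was last rotated, i.e. still knows a valid secret."""
    findings = []
    for account, rotated_on in accounts.items():
        for user, left_on in roster.items():
            if left_on is not None and rotated_on <= left_on:
                findings.append((account, user))
    return findings


def from_approved_source(source, approved_networks):
    """True if the source address falls inside any approved network."""
    addr = ip_address(source)
    return any(addr in net for net in approved_networks)


def audit(events, accounts, roster, approved_networks):
    """Return (event, reasons) for every login that deserves a closer look."""
    stale_accounts = {acct for acct, _ in stale_shared_credentials(accounts, roster)}
    findings = []
    for ev in events:
        if ev.action != "login":
            continue
        reasons = []
        if not from_approved_source(ev.source, approved_networks):
            reasons.append("login from unapproved source")
        if ev.account in stale_accounts:
            reasons.append("shared password known to departed staff")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed inventory: one shared account and the date its password last changed.
SHARED_ACCOUNTS = {"ops-remote": date(2018, 6, 1)}
# Constructed roster of staff who used the shared account; None = still employed.
ROSTER = {"alice": None, "bob": date(2019, 1, 15)}
# Constructed allowlist: plant and on-call addresses (documentation range).
APPROVED_SOURCES = [ip_network("203.0.113.0/24")]
# Constructed sample log; 198.51.100.42 is outside the approved range.
ACCESS_LOG = """\
# constructed sample log
2019-03-10T22:14:05 ops-remote 203.0.113.17 login
2019-03-27T01:42:19 ops-remote 198.51.100.42 login
2019-03-27T01:43:02 ops-remote 198.51.100.42 terminate-sessions
2019-03-28T08:00:00 ops-remote 203.0.113.5 login
"""

if __name__ == "__main__":
    for ev, reasons in audit(parse_log(ACCESS_LOG), SHARED_ACCOUNTS, ROSTER, APPROVED_SOURCES):
        print(ev.when.isoformat(), ev.account, ev.source, "; ".join(reasons))
```

Every login on the shared account is flagged, not just the one from the unknown address: once a departed user still knows the password, the account as a whole is compromised, and the only remediation is rotating the secret (or, better, giving each operator an individual account that can be disabled on departure).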

While Travnichek may have briefly posed a genuine menace to the state’s water system, the US Commerce Department’s Bureau of Industry and Security has been ramping up fears of external cyber threats. 

On the same Wednesday it issued a rule requiring American companies to obtain a license before exporting cybersecurity tools capable of “surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” The rule takes effect in 90 days, though it has reportedly been under negotiation for years.

Only countries “of national security or weapons of mass destruction concern” are targeted by the new rule – including Russia and China – though some of the worst cybersecurity intrusions in recent years have come from elsewhere.

The Pegasus spyware sold by Israeli company NSO Group, for example, was delivered through an exploit of a flaw in Apple’s iPhone software, which left iPhones exposed until the flaw was discovered and patched last month. Pegasus, which has reportedly been deployed against activists, journalists, political dissidents and political leaders, lets its operator remotely activate the camera and microphone of a targeted device, providing real-time surveillance of the individual in question.

The threat of cyberattacks has been foremost in agencies’ minds of late, even if the reality (a drunk former employee) doesn’t match the cinematic template of evil Chinese or Russian spies. Indeed, the Commerce Department’s new rule would have done nothing to protect the water treatment plants of rural Kansas from intoxicated ex-employees.

Think tanks like the Atlantic Council have helped gin up fear of such attacks, which are poorly understood by the general population and thus easy to exaggerate.

In 2017, the Washington Post, for instance, was forced to backtrack on a report that Russia had ‘hacked’ the Vermont power grid. The paper later admitted that the laptop on which malware had been found was not even attached to the power network and that authorities had no indications of Russian involvement. 

However, in another genuine incident in Pottawatomie County, Kansas, municipal authorities paid $71,000 in ransom to a hacker – which sounds like a lot of money, except that the hacker had originally demanded $1 million in return for keeping a cache of sensitive data private.

While security lapses at water plants are on the uptick, according to cybersecurity firm FireEye, even that firm has acknowledged most are ultimately nonthreatening. A February attack on an Oldsmar, Florida water treatment plant serving some 15,000 people was described as “ham-handed” and “blatant” by experts who analyzed the hack. The intruder raised the setpoint for caustic sodium hydroxide in the water by more than a hundredfold, but an operator watching the screen reversed the change immediately, and officials said a secondary chemical check would have caught the alteration before it reached locals’ water supply in any case.

And while US intelligence agencies have demanded tighter cybersecurity controls, including an early-warning ‘cyberattack detection system’ designed to protect critical infrastructure from foreign intruders, such a setup would be next to useless against the attacks that are coming from “inside the house.”
