The threat to water supply is real, and it is getting worse
In January 2019, Wyatt Travnich left his job in the Post Rock Rural Water District to cover 1,800 miles of customer service in eight counties in Kansas. Two months later, the prosecutor said, he re-entered the facility’s computer system and began manipulating the processes he uses to clean and disinfect drinking water.
When it comes to critical infrastructure security, the power grid attracts the most attention from the people, and it’s understandable. The threats to the electricity grid are real and frightening; just ask anyone in Ukraine, which it has had many large-scale blackouts Made by Russia Sandworm hackers. Post Rock incident, revealed complaint on Wednesday, it reminds us that the water supply system is a destructive target.
The indictment comes two months after a hacker is still unknown He tried to poison the water supply in Oldsmar, Florida, and is a third public outcry against a water system that poses a direct risk to the health of customers of a public service. (In 2016, Verizon Security Solutions found that hackers named the chemical level without changing the level). Cyberattacks that can cause physical damage are rare, but the nation’s water systems are becoming increasingly popular. Experts say these systems are not largely there to deal with threats.
“Everyone thinks they’re taking people to power areas because it’s something you know. They’ve all had a power outage. We also know their survival,” says Lesley Carhart, chief threat analyst at Dragos Industrial Control Systems Security. “We don’t think about water. That’s probably one of the reasons we’re funding so little. “
After leaving the decision, Travnich has no details on how he allegedly got into the Post Rock Rural Water District network; the indictment only says it “started from a distance”. He had started a remote session when he worked there, according to court documents, for an overtime follow-up. But basic cybersecurity measures should be enough to prevent an unauthorized employee from gaining unauthorized access to the system, just use old credentials, or set up a more sophisticated back-end portal to the system. Unfortunately, many water services are also not so lacking, especially in rural areas.
“Most water services are managed by municipalities, so they can be managed by very small towns with very small budgets. They work on foot, ”says Carhart. “Many water services, especially municipal services, have an IT person who may be very lucky. They certainly don’t have a security person on staff, in most cases.” Neither Post Rock nor Travnich’s lawyers responded to a request for response
When your job is to make sure computers are running on usable water, it’s understandable that you can prioritize processes that protect your drinking water supply, say, federated identity measures that would prevent the re-entry of the former employee.
Unfortunately, this is something that happens more often than you think. The Post Rock incident, as it happened with Oldsmar and the unnamed intrusion that Verizon intercepted several years ago, has attracted attention because it can cause physical harm. But water companies have had a slow but sustained attack over the past decade. In the first half of the 2010s, it was consistently among the most targeted sectors, albeit lagging behind critical manufacturing and energy. In 2015, the U.S. Industrial Control Systems Emergency Response Team presented 25 cybersecurity incidents in the water and wastewater sector; In 2016, the last year available data, 18. recently examination published in Journal of Environmental Engineering he studied 15 cyberattacks against water systems in depth and started with data theft cryptoacking ra ransomware.