Security / The Courts

Feds Say Man Broke Into Public Water System and Shut Down Safety Processes (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have indicted a Kansas man for allegedly logging into a computer system at a public water system and tampering with the process for cleaning and disinfecting customers' drinking water. An indictment filed in US District Court for the District of Kansas said Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, was an employee from January 2018 to January 2019 at the Ellsworth County Rural Water District No. 1. Also known as the Post Rock Water District, the facility serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties. Part of Wyatt's responsibilities included remotely logging in to the water district's computer system to monitor the plant after hours.

In late March 2019, Wednesday's indictment said, Post Rock experienced a remote intrusion to its computer system that resulted in the shutdown of the facility's processes for ensuring water is safe to drink. "On or about March 27, 2019, in the District of Kansas, the defendant, Wyatt Travnichek, knowingly tampered with a public drinking water system, namely the Ellsworth County Rural Water District No. 1," prosecutors alleged. "To wit: he logged in remotely to Post Rock Rural Water District's computer system and performed activities that shut down processes at the facility which affect the facility's cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1." Wednesday's indictment didn't say how Wyatt allegedly gained access to the Post Rock facility.
"The indictment charges Wyatt with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access," adds Ars. "If convicted, he faces a maximum sentence of 25 years in prison and $500,000 in fines."
  • by Anonymous Coward
    I'm sure this was just a Libertarian with the purest and most patriotic of intentions striking a blow for de-regulation.
  • by Anon42Answer ( 6662006 ) on Thursday April 01, 2021 @07:06PM (#61226462)

    Standard security is to deactivate accounts and change passwords when an employee leaves, is fired, resigns or is reassigned. Who faces the same charges for not deactivating the account and not changing the password for remote login?

    • Do you face criminal charges when you fail to follow a policy at work?

      • What if your work policies kept hundreds of thousands from getting sick, many from dying?

        • by dissy ( 172727 )

          What if your work policies kept hundreds of thousands from getting sick, many from dying?

          The same work place also has policies to provide for remote access over the Internet for normal standard operation.
          I suspect the majority of people dictating policy don't give a shit about keeping people from getting sick or dying.

          • by Bongo ( 13261 )

            What if your work policies kept hundreds of thousands from getting sick, many from dying?

            The same work place also has policies to provide for remote access over the Internet for normal standard operation.
            I suspect the majority of people dictating policy don't give a shit about keeping people from getting sick or dying.

            Yep -- that's why we are supposed to have layers of security, because even if a policy or a firewall failed, you'd have other layers to protect things -- and also why we don't dump all responsibility on an individual scapegoat, as with the airline industry, which is famously known for looking at the systemic problems, the ones which put people in a position to make terrible mistakes. This all sounds like someone wasn't around to do a risk analysis and just spot how easy it would be to blow up the Death Star

      • If it led to the harm of others, then yes.

      • The staff and managers who failed to implement and follow through should be charged with conspiracy.
        • Only if they took some concrete and coordinated action to further the plan to disable the safety systems. Even if they KNEW or suspected he'd do this, NOT doing something cannot constitute a conspiracy.

          Negligence, even in a strict liability sense, cannot sustain a conspiracy charge.

          The Kansas statute spells it out quite clearly:

          21-3302. Conspiracy. (a) A conspiracy is an agreement with another person to commit a crime or to assist in committing a crime. No person may be convicted of a conspirac

        • by mccrew ( 62494 )
          More like negligence than conspiracy.
      • In Australia, yes, criminal charges would apply. Most of us in positions of trust sign our lives away for jobs, including the Official Secrets Act. Unauthorized tampering is a crime. So said, not changing passwords would be a breach of Commonwealth security protocols, which have to be signed off every 3 months. Knowledge gained in the job, misused afterwards for personal gain, is also an offense (politicians and ministers have a separate wishy-washy code of conduct). The person signing off would be guilty of forg
      • Do you face criminal charges when you fail to follow a policy at work?

        It depends on how regulated your industry is. If you run an auto paint shop and your employees decide it's easier to dump used chroming reagents into the storm drain than pack them up for pickup, then yeah, that's employees failing to follow a policy at work and also criminal behavior.

    • by olsmeister ( 1488789 ) on Thursday April 01, 2021 @07:27PM (#61226538)
      Wait it's illegal to be inept at your job? Oh fuck oh fuck oh fuck oh fuck
      • Wait it's illegal to be inept at your job? Oh fuck oh fuck oh fuck oh fuck

        Relax. Congress can't hold us to a higher standard than themselves ...

      • Gonna be a buzzkill here (after getting a good laugh), but actually, kinda yes, sometimes. If your ineptitude crosses the line into negligence, there are circumstances in which you may be liable. Think about a dump truck driver who routinely fails to properly secure their load because they’re terrible at their job, eventually resulting in a car accident that kills someone as their load falls onto a neighboring vehicle.

        I don’t know that it’d be applicable here, but the idea isn’t too

    • If I remember this case correctly, they were using a shared TeamViewer account for remote access so, everyone had the same password.
      • So when an employee loses access (retirement, job change, fired, etc.), the password should be changed before the end of the day, and definitely within 24 hours. It's not rocket science.

        But, unfortunately, people can't figure this out, so there will be more government regulation, audits, fines, etc., to enforce what are obvious procedures that need to be in place.

        • Loser gets into trouble. Some jobs have a security walker who looks for uncollected printouts, passwords on post-it notes or under the mouse pad, secret documents left unsecured, a key in the pen holder that opens up drawers with the safe keys. Obviously the water works is piss poor, full of leaks, and management's mouths are full of verbal diarrhea.
      • by imidan ( 559239 )

        That was a water system in Florida.

        https://www.wired.com/story/oldsmar-florida-water-utility-hack/

    • And the dumbass that connects Windows SCADA units directly to the Internet.

      An advisory from officials in Massachusetts later said that the Oldsmar facility used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees

      Jezus tap-danching Christ, just who in their right minds uses Teamviewer running on Windows to control their SCADA units.
    • Standard security also does not connect SCADA systems to the Internet. If you need to monitor it, point a web cam at it and view that.

      • As someone who regularly logs in all over the country and makes changes to these types of systems on a daily basis, your idea is impractical and sounds ignorant. Most of the customers I deal with do not have the expertise to make changes to their own SCADA or DCS system and they rely upon vendors like me to maintain and make changes to them. We do that through the internet quite often. However, the key is layers of security. For most of the stuff I do, I go through 3-4 different layers to get to the
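The two failure modes this thread keeps circling back to, an account that was never revoked after the employee left and one shared credential used by everyone, both leave a trace in remote-access logs. The following is an added example, not code from the Slashdot thread, Ars Technica or any of the vendors named above, showing how a defender would check a log for both. The log line format, the account names, the source addresses and the offboarding roster are all constructed for the example; real TeamViewer or Windows logon records have their own formats and would need their own parser.

```python
"""
Added example: flag remote logins that a proper offboarding process should
have made impossible, and accounts that look like shared credentials.

  1. logins_after_offboarding: a successful login by an account whose owner
     was offboarded before the login time;
  2. shared_credential_suspects: one account logging in successfully from
     several distinct source addresses inside a short window.

The log format below is hypothetical and the data is constructed; adapt
LINE_RE to whatever your remote-access product actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, one event per line (hypothetical format).
SAMPLE_LOG = """\
2019-03-25T22:10:00Z user=op.night src=198.51.100.20 action=login result=success
2019-03-26T01:05:00Z user=op.night src=198.51.100.20 action=login result=success
2019-03-26T23:40:00Z user=op.night src=203.0.113.7 action=login result=success
2019-03-27T02:14:00Z user=op.former src=192.0.2.55 action=login result=success
2019-03-27T02:15:00Z user=op.night src=203.0.113.9 action=login result=success
2019-03-27T02:16:30Z user=op.night src=198.51.100.20 action=login result=failure
"""

# Constructed offboarding roster: account -> last authorised instant (UTC).
OFFBOARDED = {
    "op.former": datetime(2019, 1, 31, 23, 59, 59, tzinfo=timezone.utc),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts with a timezone-aware timestamp.

    Lines that do not match the expected format are skipped rather than
    raising, so one malformed line does not abort the whole sweep.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def _successful_logins(events):
    return [ev for ev in events if ev["action"] == "login" and ev["result"] == "success"]


def logins_after_offboarding(events, roster):
    """Return (user, timestamp, src) for successful logins after the user's cutoff."""
    findings = []
    for ev in _successful_logins(events):
        cutoff = roster.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            findings.append((ev["user"], ev["ts"], ev["src"]))
    return findings


def shared_credential_suspects(events, window=timedelta(hours=24), min_sources=2):
    """Return {user: sorted source addresses} for accounts that logged in
    successfully from at least `min_sources` distinct addresses within `window`.

    A sliding window anchored at each successful login; the first window
    that reaches the threshold decides the verdict for that account.
    """
    by_user = defaultdict(list)
    for ev in _successful_logins(events):
        by_user[ev["user"]].append((ev["ts"], ev["src"]))

    suspects = {}
    for user, entries in by_user.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            srcs = {src for t, src in entries[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                suspects[user] = sorted(srcs)
                break
    return suspects


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, src in logins_after_offboarding(evs, OFFBOARDED):
        print(f"OFFBOARDED ACCOUNT STILL ACTIVE: {user} at {ts.isoformat()} from {src}")
    for user, srcs in shared_credential_suspects(evs).items():
        print(f"POSSIBLE SHARED CREDENTIAL: {user} seen from {', '.join(srcs)}")
```

The offboarding check is only as good as the roster feeding it, which is the point of the comment above: HR's leaver list has to reach whoever owns the remote-access accounts. The shared-credential heuristic will also fire on a legitimate user who roams between networks, so treat it as a lead for a conversation, not as proof; the real fix is individual accounts so the question never has to be asked.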
  • If some random lonely basement dweller* can do that, imagine what governments of the bigger countries can do.

    * Uh, did I just describe most Slashdotters there?

  • Unsupported old Windows and TeamViewer (licensed the right way)
    Also seems like a non-server desktop Windows OS with software that can't run on newer Windows. Maybe the software can't run on Windows Server.

    It's got to have some kind of firewall, so why not use RDP? And if it can run on a server, they can use RDP with LDAP logins.

  • Need to get a good lawyer and do some discovery to prove that it was not some hacker using stuff that Windows updates would have stopped.
    Also, with that TeamViewer setup just about ANYONE on the internet can get in with the ID and the fixed shared password.

  • $500,000 seems to be about the cost of hardware needed so they can update windows.
    No it's not getting an new $500-$900 pc It's the 500K SCADA hardware.

    • >It's the 500K SCADA hardware.

      Glorified microcontrollers with serial ports and relays for $500K.

      I should get into that business.

      • by jythie ( 914043 )
        Heh. Low volume and long boring support contracts where you maintain versions released decades ago. Not a fun business to be in.
        • Heh. Low volume and long boring support contracts where you maintain versions released decades ago. Not a fun business to be in.

          I'm not in business for fun. I'm in business for money. The fuck you thinkin'?

      • by kackle ( 910159 )
        I don't know where the $500,000 number comes from, but the PLCs are expensive, say, $2000 for one with dozens of I/O ports and a few communication ports. In comparison though, everything else electronic that one buys today is utter crap. These are usually physically rugged with metal housings, have a wide operating temperature range (like 167 degrees F. down to -40), are internally conformal-coated to handle high humidity and are designed to handle power surges.

        I once went on a repair call where a PL
  • Don't stop here. (Score:3, Insightful)

    by ZuckFucker ( 6110380 ) on Thursday April 01, 2021 @08:44PM (#61226720)
    Okay. Now prosecute the administrators for putting a critical system needlessly and insecurely on the Internet.
    • by v1 ( 525388 )

      Also, looks like he could have cut his prison term in half if he'd have just killed someone instead of hacking a computer.

      Gotta love our justice system's equity. When big business owns the lawmakers, you end up with harsher punishments for crimes that hurt the companies than for crimes that hurt the public.

      That, and as you pointed out, there probably won't be any repercussions for those that exercised criminal levels of computer negligence.

    • Okay. Now prosecute the customers for being unwilling to pay for continuous in-person monitoring.

  • I work at a larger system and I have been to smaller systems. Large systems have economies of scale and have spent the time and money on security: we have layers of it, VPN, 2FA, Firewalls between Business and SCADA control network for view only data. We have separate domain and users on SCADA domain, we have 'view' only access for almost everyone but inside operators and emergency access from the outside through layers and multiple logins. Even people with full control inside do not have VPN access. We
    • by sheph ( 955019 )
      It's a fair point. But how much does it cost to not connect to the Internet? Create individual accounts rather than a shared one? Activate the built-in Windows Firewall or use a free client-side firewall? I understand not being able to upgrade, but they didn't even do their due diligence with what they had.
      • How much does a night-time shift cost?
        No fancy tech... means less need for skilled IT staff to protect it all; no security or network tech either... The DOS box that ran the system for decades didn't likely need to be replaced...

      • Most companies will outsource a lot of their configuration changes to other parties such as the control system vendor. It's not practical to have everyone travel to a site just to make a small change. Our company does similar setups to the grandparent post with all the layers of security as well. We do allow full control over VPN, BUT we do go through 4 layers, 2 factor authentication, firewalls, 3 different sets of credentials, etc. Some safety critical items cannot be done by one person but require 2
    • by jythie ( 914043 )
      *nod* this is key in understanding these kinds of failures. People quickly ask 'but what was your security expert thinking!' with the response 'and what security person would that be?'. Usually these types of jerry-rigged setups are thrown together by people who just need to get a job done and don't have the resources to hire a whole other person for the task.
  • c'mon now, that's just playing dirty.
  • Our town's water-'tower' was a hole in the ground on a hill with a broken lock.

    We went in and peed into the drinking water and then drank milk for the rest of the week until we forgot.
