A 22 Year Old Logged In and Compromised Kansas' Water System Remotely

A Kansas man allegedly logged into a Kansas public water system remotely via a home computer with the express intention of shutting down safety processes that make the water safe to drink, an Ars Technica report explains.

An indictment filed in US District Court for the District of Kansas described how Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, is said to have logged into the system for the Ellsworth County Rural Water District No. 1, also known as the Post Rock Water District, to tamper with the facility's cleaning process.

Travnichek logged into the system in March 2019, at which point he was an ex-employee of the Post Rock Water District, having left his post at the facility in January of the same year.

His duties at the facility included remotely logging in to the water district's computer system to monitor the plant after hours.

The Post Rock Water District serves more than 1,500 retail customers and 10 wholesale customers in eight Kansas counties.  

Public systems and public health at risk from hackers

In late March 2019, the indictment explained, Post Rock experienced a remote intrusion to its computer system resulting in the shutdown of the facility’s water cleaning processes.

"On or about March 27, 2019, in the District of Kansas, the defendant, Wyatt Travnichek, knowingly tampered with a public drinking water system, namely the Ellsworth County Rural Water District No. 1," prosecutors alleged. "To wit: he logged in remotely to Post Rock Rural Water District’s computer system and performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1."

The allegation comes only weeks after a hacker was caught trying to poison water in a treatment plant in Florida that serves approximately 15,000 residents.

The intruder changed the level of sodium hydroxide in the water — typically used in small non-toxic amounts to treat water acidity — to exceedingly high and dangerous levels.

Thankfully, in the Florida case, an operator quickly discovered the change and reversed it. The Florida treatment plant also said that it has various measures in place to prevent contaminated water from reaching the public on such an occasion.

Still, that incident, as well as the Kansas case, highlights the danger of hackers finding ways to potentially harm the public via public computer systems.

The Kansas indictment charges Wyatt with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access. If convicted, he faces a maximum of 25 years in prison and $500,000 in fines.