Details of the indictment are extremely limited, but according to the charges, a former employee of the Post Rock Rural Water District (a.k.a. Ellsworth County Rural Water District No. 1) in Kansas performed unauthorized activities, with intention to harm, that shut down the processes which affect the facility’s cleaning and disinfecting procedures. The incident reportedly occurred on or about March 27, 2019, when the defendant knowingly accessed the Post Rock Rural Water District’s protected computer system without authorization.
Due to the nature of voluntary information sharing and the reticence of organizations to disclose incidents, this is the first known disclosure of this incident. However, since the Oldsmar, Florida Water Treatment Plant incident, there has been much public scrutiny of the cybersecurity of water and wastewater utilities, particularly the necessity for smaller utilities to bolster their cybersecurity controls. While attribution has yet to be disclosed (or discovered) in the Oldsmar incident, the method of attack in this incident appears similar to Oldsmar – unauthorized remote access.
While it is not fair to speculate on the security of the Post Rock Rural Water District’s remote access architecture, one facet stands out in this case – unauthorized access from a former employee, a threat categorized as an insider threat. WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, #4 – Enforce User Access Controls, discusses the importance of properly off-boarding separated employees to minimize the damage that unauthorized access, physical or computer, could cause.
To protect company assets from unauthorized access, physical and computer access should be disabled as soon as it is no longer required:
- Terminated and voluntarily separated employees, vendors, contractors and consultants should have access revoked as soon as possible.
- Employees transferring into new roles will likely need to have unnecessary access removed.
- Follow a rigorous off-boarding procedure with human resources and contract managers, including IT and OT personnel.
- The off-boarding procedure should include an audit process to identify disabled and deleted accounts and to confirm appropriate access deprovisioning due to role transfers.
- The procedure should also incorporate a method to identify any shared accounts, like system administrator, development environment, application and vendor accounts.
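
One way to run the audit step from the list above, shown as an added example that is not part of the original advisory or of WaterISAC's guidance. It reconciles a separation and transfer list against an account inventory and a shared-credential register; the record layout, account names, dates and finding labels are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; names, systems and field layout are assumptions.
SEPARATIONS = {"jdoe": date(2024, 1, 15), "asmith": date(2024, 3, 1)}
TRANSFERS = {"bnguyen": {"billing"}}  # person -> access the new role needs
ACCOUNTS = [  # (account, owner, system, enabled, last_login, entitlements)
    ("jdoe", "jdoe", "IT-domain", False, date(2024, 1, 14), {"email"}),
    ("jdoe-hmi", "jdoe", "OT-remote", True, date(2024, 2, 20), {"scada"}),
    ("badge-0412", "asmith", "physical", False, date(2024, 3, 4), {"plant-door"}),
    ("bnguyen", "bnguyen", "IT-domain", True, date(2024, 4, 2), {"billing", "scada"}),
]
SHARED = [  # (account, people who know the credential, last rotated)
    ("scada-admin", {"jdoe", "bnguyen"}, date(2023, 11, 1)),
    ("vendor-vpn", {"asmith"}, date(2024, 3, 2)),
]

def audit_offboarding(separations, transfers, accounts, shared):
    """Return sorted (finding, account, person) tuples for access that outlived its need."""
    findings = set()
    for acct, owner, _system, enabled, last_login, ents in accounts:
        left = separations.get(owner)
        if left is not None:
            if enabled:
                findings.add(("ENABLED_AFTER_SEPARATION", acct, owner))
            # A later-disabled account can still show use after the person left.
            if last_login and last_login > left:
                findings.add(("LOGIN_AFTER_SEPARATION", acct, owner))
        elif owner in transfers and enabled and ents - transfers[owner]:
            findings.add(("EXCESS_ACCESS_AFTER_TRANSFER", acct, owner))
    for acct, users, rotated in shared:
        for person in users:
            left = separations.get(person)
            # A shared credential stays usable until rotated after the departure.
            if left is not None and rotated <= left:
                findings.add(("SHARED_NOT_ROTATED", acct, person))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_offboarding(SEPARATIONS, TRANSFERS, ACCOUNTS, SHARED):
        print(*finding, sep="\t")
```

Feeding it exports from every system that grants access (IT directory, OT remote access, badge system) matters, because an account disabled in one place can remain live in another.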
For more on the indictment, visit Justice.gov or access the attached document.