
(Updated October 21, 2021) Insider Threat – Former Employee Indicted for Unauthorized Computer Access with Intent to Harm a Kansas Public Water District


Created: Thursday, October 21, 2021 - 14:30
Categories: Cybersecurity, OT-ICS Security

Update - October 21, 2021

More details have been revealed about the former employee of the Post Rock Rural Water District (a.k.a., Ellsworth County Rural Water District No. 1) in Kansas who was indicted for unauthorized computer access with intent to harm, including an updated plea to guilty.

According to the defendant’s account, he doesn’t recall anything about the night of March 27, 2019, when he gained unauthorized access to the plant’s systems, due to his intoxication at the time. More importantly, it has been confirmed that his unauthorized access was made possible by shared credentials: a shared GoToMyPC account used to allow remote access to the system after hours, and a shared pass code used to access the software that controls the plant. Neither password was changed when the defendant’s employment was terminated.

Shared accounts are not recommended. However, if they are necessary, they should be used as securely as possible: employ multifactor authentication (MFA) wherever available, and promptly change shared passwords so that staff who leave the organization, or who no longer need that access, cannot continue to use them. This case also demonstrates the importance of implementing and executing effective “off-boarding” procedures to reduce the risk of unauthorized remote access by former employees, regardless of role or title. For more on this update, visit Kansas.com.

Original post - April 1, 2021

Details of the indictment are extremely limited, but according to the charges, a former employee of the Post Rock Rural Water District (a.k.a., Ellsworth County Rural Water District No. 1) in Kansas performed unauthorized activities that shut down the processes that affect the facility’s "cleaning" and disinfecting procedures, with the intention to cause harm. The incident reportedly occurred on or about March 27, 2019, when the defendant knowingly accessed the Post Rock Rural Water District’s protected computer system without authorization.

Due to the nature of voluntary information sharing and the reticence of organizations to disclose incidents, this is the first known disclosure of this incident. However, since the Oldsmar, Florida Water Treatment Plant incident, there has been much public scrutiny on the cybersecurity of water and wastewater utilities, particularly the necessity for smaller utilities to bolster their cybersecurity controls. While attribution has yet to be disclosed (or discovered) in the Oldsmar incident, the method of attack in this incident appears similar to Oldsmar – unauthorized remote access.

While it is not fair to speculate on the security of the Post Rock Rural Water District’s remote access architecture, one facet stands out in this case: unauthorized access by a former employee, which falls into the category of insider threat. WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, #4 – Enforce User Access Controls, discusses the importance of properly off-boarding separated employees to minimize the damage that could be caused by unauthorized access, whether physical or computer.

To protect company assets from unauthorized access, physical and computer access should be disabled as soon as it is no longer required:

  • Terminated and voluntarily separated employees, vendors, contractors and consultants should have access revoked as soon as possible.
  • Employees transferring into new roles will likely need to have unnecessary access removed.
  • Follow a rigorous off-boarding procedure with human resources and contract managers, including IT and OT personnel.
    • The off-boarding procedure should include an audit process to identify disabled and deleted accounts and to confirm appropriate access deprovisioning due to role transfers.
    • The procedure should also incorporate a method to identify any shared accounts, like system administrator, development environment, application and vendor accounts.
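The off-boarding audit described above, together with the shared-credential guidance in the October 21 update, can be checked mechanically. The following is an added example, not WaterISAC's or the water district's own tooling: it cross-references an HR separation list against an account inventory and flags personal accounts of separated people that are still enabled, shared accounts whose password was not rotated after someone with access left, and enabled shared accounts without MFA. The employee IDs, account names, systems and dates are all constructed for illustration.

```python
"""Off-boarding access audit (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    system: str            # e.g. "remote-access", "scada-hmi" (assumed labels)
    enabled: bool
    shared: bool           # shared credential vs. personal account
    password_changed: date  # last time the password / pass code was rotated
    mfa: bool
    users: set             # employee IDs who own or know the credential


@dataclass
class Separation:
    employee_id: str
    separated_on: date


# Constructed HR separation list (hypothetical employee IDs).
SEPARATIONS = [
    Separation("E101", date(2019, 1, 15)),
    Separation("E205", date(2019, 3, 1)),
]

# Constructed account inventory.
ACCOUNTS = [
    # Personal account of a separated employee, still enabled.
    Account("jdoe", "vpn", True, False, date(2018, 11, 2), False, {"E101"}),
    # Shared after-hours remote-access account, not rotated after E101 left.
    Account("ops-remote", "remote-access", True, True, date(2018, 12, 20), False, {"E101", "E300"}),
    # Shared control-software pass code, rotated after E205 left, but no MFA.
    Account("plant-control", "scada-hmi", True, True, date(2019, 3, 5), False, {"E205", "E300"}),
    # Separated employee whose account was properly disabled.
    Account("asmith", "vpn", False, False, date(2018, 6, 1), True, {"E205"}),
]


def audit(accounts, separations):
    """Return a list of (account name, issue) findings for the off-boarding review."""
    separated = {s.employee_id: s.separated_on for s in separations}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state
        # Separation dates of everyone who had this credential and has left.
        departed = {u: separated[u] for u in acct.users if u in separated}
        if not acct.shared:
            if departed:
                findings.append((acct.name, "personal account of separated user still enabled"))
            continue
        # Shared credential: it must have been rotated after the most recent departure.
        if departed:
            latest = max(departed.values())
            if acct.password_changed <= latest:
                findings.append(
                    (acct.name, f"shared credential not rotated since separation on {latest}")
                )
        if not acct.mfa:
            findings.append((acct.name, "shared account without MFA"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(ACCOUNTS, SEPARATIONS):
        print(f"{name}: {issue}")
```

Feeding the same inventory through this check on a schedule (and immediately after each separation) gives the audit trail the procedure asks for: a clean run is the evidence that deprovisioning and credential rotation were actually completed, not just requested.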

For more on the indictment, visit Justice.gov or access the attached document.

Attached file: travnichek-indictment.pdf