The Department of Justice (DoJ) has charged a former water treatment facility contractor for allegedly gaining unauthorized access to the computer network for the Discovery Bay, Calif.-based facility and uninstalling its main operational and monitoring system.
Rambler Gallo, 53, of Tracy, Calif., was a full-time employee of a private, unnamed Mass.-based company, which contracted with the Discovery Bay water treatment facility, from 2016 to 2020. This facility provides treatment for the water and wastewater systems for the town’s 15,000 residents. During his employment, Gallo was responsible for maintaining the instrumentation and systems used to control the electromechanical processes of the facility, according to the DoJ. Gallo during this time allegedly installed software on his personal computer and on the contractor company’s private internal network, which enabled him to gain remote access to the facility’s computer network.
“Then, in January of 2021, after Gallo had resigned from [the contractor company], he allegedly accessed the facility’s computer system remotely and transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels,” according to the Friday DoJ release.
While further details about the unauthorized access were not released, Gallo was allegedly able to turn off the servers running those monitoring and operational systems, “causing a threat to public health and safety,” according to the DoJ.
Gallo is charged with one count of transmitting a program, information, code and command to cause damage to a protected computer and if convicted, he faces up to 10 years in prison and a fine of $250,000. While Gallo made his initial court appearance on Friday, his next appearance is scheduled for July 20 for further hearing on release conditions.
“While insider threats are not unique to water systems, this sector does face different challenges that impact its overall security.”
The cybersecurity risks inherent in water facilities have previously been a cause for concern. In 2021, a 22-year-old man pleaded guilty to accessing a Kansas public water system’s computers in 2019 in order to shut down the processes behind the facility’s cleaning and disinfecting procedures.
The indictment underscores the dangers that can stem from unauthorized access to public water plant systems that collect, treat and distribute water for drinking. Many water plant facilities grapple with a number of challenges that threaten the security of their systems, including constricted budgets and limited personnel. On top of all this, the facilities rely on industrial control systems that control processes like pumps used to move water; however, these systems leverage custom software that is rarely updated or is tethered to obsolete operating systems.
“While insider threats are not unique to water systems, this sector does face different challenges that impact its overall security,” said Marty Edwards, deputy CTO for OT and IoT with Tenable. “Water systems are on the small side compared to their oil and gas counterparts, which have more funds to invest in security and have more mature security programs. That said, your dollar has more spending power when you're early in the OT security journey. Water systems should capitalize on this opportunity to ensure these critical systems are protected.”
Edwards stressed that water facilities should develop a proactive cybersecurity strategy that includes monitoring known attack vectors, conducting frequent risk assessments of various assets and remediating vulnerabilities in a timely manner.
“For systems critical to the health and safety of citizens, monitoring for external and internal security risks is no longer optional, it is required,” he said. “A lot of attention is paid to external threat actors, but insiders have the potential to cause similar significant damage.”