A federal grand jury has indicted a former employee of a contractor operating a California town's wastewater treatment facility, alleging that he remotely turned off critical systems and could have endangered public health and safety.
53-year-old Rambler Gallo of Tracy, California, held a full-time position at a Massachusetts company that was contracted by the town of Discovery Bay to operate its water treatment plant.
Gallo is said to have had an "instrumentation and control tech" role at the plant, which he held from July 2016 to December 2020.
However, the indictment alleges that Gallo planted software that allowed him to gain remote access to systems on the computer network of Discovery Bay's water treatment facility from his personal computer.
Specifically, it is alleged that after resigning his position in January 2021, Gallo accessed the facility's computer system remotely and "transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels."
A US Department of Justice press release gives no explanation or possible motive for Gallo's alleged actions.
However, if the claims are true, then it would suggest that once again an organisation has failed to properly control who has access to sensitive systems. When a member of staff or a contractor either leaves the organisation or is assigned a different role within the company, it is essential that their rights to systems they should no longer be able to access are revoked.
My mind instantly went back to June 2021, when it was reported that malicious hackers had compromised a water treatment plant serving San Francisco Bay, having used a former employee's TeamViewer account to gain remote access.
Too often, disgruntled current and former employees have been able to exploit their access privileges and cause damage that can be as bad as (or even worse than) that committed by conventional cybercriminals.
It is particularly important that proper access controls are put in place, and regularly evaluated, when it comes to critical infrastructure such as water treatment plants.
In October 2021, authorities warned that wastewater systems are being regularly targeted by ransomware gangs attempting to extort money by interrupting operations. The last thing they probably need is to be worrying about rogue former employees as well.
If convicted, Gallo faces a maximum statutory penalty of 10 years in prison and a fine of US $250,000.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.