Former water contractor employee tampers with water treatment systems, posing public health and safety threat

The U.S. Department of Justice (DOJ) announced Friday that a Tracy resident has been charged with a computer attack on the Discovery Bay Water Treatment facility, allegedly affecting the town’s critical infrastructure: the systems controlling its water treatment facility. The resident is said to have intentionally uninstalled the main operational and monitoring system for the water treatment plant and then turned off the servers running those systems, posing a threat to public health and safety.

A federal grand jury has indicted Tracy resident Rambler Gallo, U.S. Attorney Ismail J. Ramsey and Federal Bureau of Investigation (FBI) Special Agent in Charge Robert K. Tripp announced in a DOJ Northern District of California press release. Assistant U.S. Attorney Cynthia Frey is prosecuting the case with assistance from Kathy Tat and Kevin Costello. The case is being investigated by the FBI.

“According to the indictment, filed June 27, 2023, and unsealed earlier today, prior to the attack on the Discovery Bay Water Treatment facility, Gallo, 53, of Tracy, Calif., was a full-time employee of a private Massachusetts-based company identified in the indictment as Company A,” the DOJ release said. In January 2021, Gallo resigned from Company A and remotely accessed the facility’s computer system, allegedly uninstalling software protecting the water treatment system’s core components.

Company A contracted with Discovery Bay to operate the town’s wastewater treatment facility; the facility provides treatment for the water and wastewater systems for the town’s 15,000 residents. “During his employment with Company A, from July of 2016 until December of 2020, Gallo was the company’s ‘Instrumentation and Control Tech,’ with responsibility for maintaining the instrumentation and the computer systems used to control the electromechanical processes of the facility in Discovery Bay,” the DOJ disclosed.

The indictment alleges that while Gallo was employed with Company A, he installed software on his own personal computer and on Company A’s private internal network that allowed him to gain remote access to Discovery Bay’s Water Treatment facility computer network, according to the DOJ. Then, in January 2021, after Gallo had resigned from Company A, he allegedly accessed the facility’s computer system remotely and transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels.

DOJ added that the indictment charges Gallo with one count of transmitting a program, information, code, and command to cause damage to a protected computer, in violation of 18 U.S.C. §§ 1030(a)(5)(A) and (c)(4)(B)(i). 

If convicted, Gallo faces a maximum statutory penalty of ten years in prison and a fine of US$250,000. In addition, as part of any sentence, the court may order an additional term of supervised release, additional assessments, and restitution, if appropriate. However, any sentence following conviction would be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing imposition of a sentence, 18 U.S.C. § 3553.

The charges contained in an indictment are mere allegations. As in any criminal case, the defendant is presumed innocent unless and until proven guilty in a court of law.

Gallo made his initial federal court appearance this morning before U.S. Magistrate Judge Kandis A. Westmore. Gallo’s next appearance is scheduled for July 20, 2023 before Judge Westmore for further hearing on release conditions.

“The increased exposure of our water facilities to insider and third-party threats is evident through the latest incidents at the Discovery Bay water treatment facility in California and Oldsmar water treatment facility in Florida,” industrial cybersecurity expert Jay Smilyk, NanoLock’s general manager of Americas, wrote in an emailed statement. “The repercussions of such attacks are far-reaching, encompassing compromised water quality and the potential for poisoning, underscoring the urgent need for heightened security measures.”

Smilyk pointed out that, given the ease with which outsiders, insiders, and employees can make changes to water systems and controllers, it is no longer an option to leave the controlling devices themselves unprotected and rely only on static, network-based perimeters, which detect outside threats but do not prevent unauthorized changes or insider incidents.

“Comprehensive protection can only be achieved by using a device-level, zero-trust approach that protects against outsiders, third parties, insiders and human errors,” according to Smilyk. “Such an approach ensures that every access, change request, or update attempt to an Industrial Control System (ICS) is always authenticated and authorized, regardless of its origin. This is the only way to prevent malevolent, unauthorized or careless users from making changes to device configurations.” 

Regulatory focus is shifting from post-incident response to prevention-based cybersecurity, he added.

Recent attacks on water infrastructure include the Cl0p ransomware gang’s breach of IT and OT (operational technology) systems at South Staffs Water in the UK last August, after which, in a strange mix-up, the gang attempted to double-extort Thames Water, elsewhere in the country.

OT security company Waterfall Security Solutions said in a May report that neither water utility suffered OT consequences.

Earlier this year, an official at the Oldsmar water treatment facility, outside Tampa, Florida, announced that the 2021 remote access cybersecurity breach was not a hack at all. The incident has now been described as a case of an employee inadvertently clicking on the incorrect buttons before notifying his supervisors of his blunder. Al Braithwaite, former Oldsmar City Manager, described it as a ‘non-event’ that was resolved in two minutes, but said law enforcement and the media seized on the idea of a cyberattack and ‘ran with it,’ media reports have revealed.

The Oldsmar incident resulted in a four-month FBI investigation, which Braithwaite said reached the same conclusion that employee error was to blame.

The U.S. Environmental Protection Agency (EPA) released in March a memorandum that calls for the evaluation of the cybersecurity of OT systems used by public water systems (PWSs) when conducting sanitary surveys or through other state programs. The memorandum describes approaches for including cybersecurity in PWS sanitary surveys or other state programs so that cybersecurity deficiencies are identified as part of periodic surveys.
