Engr9742 Systems Engineering: Maroochy Water Assessment Answers

Answer:

Introduction

The illegal activity that involves a computer and network is termed as cyber crime. Moreover, the protection approaches taken for avoiding threats, disruption, misdirection and theft from computer system referred to cyber security. Amin et al. (2013) stated that controlling physical access where hardware of the computer system can be accessed for protection against harm is a common method for implementing cyber security. There are many methods for implementing cyber security- taking security measures, implementing secured architecture, designing vulnerability management, obtaining secured operating systems, formulating hardware protection mechanisms and implementing secure coding (Australia, C.E.R.T 2012).

According to the new Telstra study 2016, it is found that almost 60% of the Australian company suffered from security incident (Aic.gov.au 2017). According to another research it is also estimated that cyber security spending will exceed to $1 trillion from 2017 to 2021 (Zhang et al. 2012).  Each business have to incur a loss of $276,323 through a cyber attack in which on detection up to 53% can be recovered (Acsc.gov.au 2017). In this business assessment, the Maroochy Water Services is taken into consideration. One of the employees of the concerned organization stole the SCADA control system and radio equipments and control the entire system for taking revenge from the company. Thus, issues of cybercrime and the solution that is taken by the organization will be illustrates in the business report.

Discussion 

In Australia, the threat for cyber security raises significantly and between the month of 2015, July to 2016, June, CERT Australia has found that total of 14,804 cyber crime cases has been observed (Acsc.gov.au 2017). Expert also represented that the most targeted businesses of cyber attack are energy sectors (18.0% chances), banking and financial services (17.0%), communication sector (11.7%), transportation services (10.3%) and mining and resources (8.6%) (Acsc.gov.au 2017).

Image 1: CERT Australia report on highest number of compromised systems from cyber security

(Source: Acsc.gov.au 2017)

Hooper et al. (2013) depicts that more than 4,000 ransom ware attacks cases were witnessed since the beginning of the year 2016 and people also know about the risk of the most common internet fraud that is unknown links in emails. Lim et al. (2016) moreover stated that hackers are knowledgeable in computer programming languages so well that they identify lapse and lacunas of the existing system and steal important data. According to a survey it is also found that in previously, mobile devices had less than a 1% infection rate but in recent times organization suffered a breach because of mobile devices (Australia, C.E.R.T 2012). Thus, companies in recent times, adjust their security plans among which 31% of the organization are making changes to their security plan; while, 52% of the company have not taken any steps yet.

Different types of cyber security   

Protecting computer from virtual virus and computer adversity referred to as cyber security. The major area that is considered in cyber securities are application security, information security, disaster recovery and network security. Mariani (2014) also stated that the most common way to hack the system is blockage of communication channel so that no members of the organization able to control the server for protecting the data of the organization. In some cases, hackers install a malicious program in the existing program or delete the actual program that controls the operational functionalities of an organization. Application security encompasses to protection of applications from threats that highlights the aspects of application design, development, deployment, upgrade or maintenance. Companies uses techniques like input parameter validation, session management, auditing and logging, parameter manipulation & exception management and user/role authentication & authorization. Cunningham (2016) on the other hand depicted that cyber criminals exploit unauthorized products with exploit unauthorized products. In order to overcome the information breaches, company focuses on cryptography and authentication & authorization of user. Some company also use the platform of corporate cloud, where huge data are stored related to company’s crucial information. Moreover, the disaster recovery planning refers to a process that includes performing risk assessment, developing recovery strategies and establishing priorities in case when some cyber crime occurs. Lastly, company also value on network security that can be obtained through anti-virus and anti-spyware, intrusion prevention systems (IPS), intrusion prevention systems (IPS) and identify fast-spreading threats  (Hooper et al. 2013).

The Maroochy Water Services Case 

One such case that is considered in this study is Maroochy Water Services in Queensland, Australia, where an employee stole the SCADA system and radio system. Amin et al. (2013) stated that Supervisory control and data acquisition (SCADA) systems are utilized by organization to monitor and control operations for the purpose of power distribution facilities, water distribution systems and sewage treatment plants. SCADA systems are utilized by Maroochy Water Services for gathering real-time data, monitoring the pipelines and control the entire process. Warren and Streeter (2013) also portrays that SCADA system is also used for public utilities along with the oil and gas pipelines, electrical power generation and transmission, chemical plants and refineries and water and sewage treatment plants. The concerned system is used for handling large geographical location and in this context also SCADA is used for such case of public utilities. It has three components- field devices, servers, and clients. Nicholson et al. (2012) illustrates that the field device includes include sensors and controllers that collect data from various sources regarding the water movements. The controllers used are programmable logic controllers (PLCs) and remote telemetry units (RTUs) and are interfaced with serial connections or Ethernet. Asghari et al. (2016) on the other hand depict that servers and clients refers for collecting and analyzing various field inputs and interacting with servers via terminals respectively. In case of Australia, due to remoteness of many of the utility plants and vastness of the country, Australian SCADA systems are complex in nature. The system is liable to control the water and sewage system by maintaining the temperature, current, power variables, fire alarms and load shedding systems Rjaibi et al. (2016.). In Maroochy Water Services Case, due to insecure SCADA system, the staffs of the organization lost their control over the system and more than 1million liter of untreated sewage was released to the local parks and waterways.

Cause of the adversity 

It is a general believe of the staffs that there might be some problems in their newly implemented system. The communication with the wastewater pumping stations link with their radio system was lost and the alarms that were implemented there for identification of any adversity in the initial stages were also not working.  Beasley et al. (2014) highlighted that the person actually liable for the cases is Vitek Boden staff of Maroochy Water Services. The person used a laptop and a radio transmitter and he also stole the SCADA system and controlled 150 sewage pumping stations. The system disabled the alarm fitted at four pumping stations. Some staffs of the concerned organization then noticed that the system is controlled by some intruder, who hacked the entire system. The reason was personal antagonism with the company for not securing the job in that organization. Mr. Boden has released one million liters of untreated sewage in a stormwater drain that flowed in the local parks, rivers and grounds of a Hyatt Regency hotel (Rid and Buchanan 2015). The adversity caused through this action was death in marine bodies, turning of creek water into black and unbearable stench for the community people. The evidence that found was the laptop had been reloaded with most of the waterline security software operating programs- PDS software file. The software is used by the officials to access the sewage system. Moreover, the two-way radio that was used for council’s communication system was also tuned into the frequencies of the repeater stations. These radio numbers were matched with the radios that was supplied to the company’s supplier named Hunter Watertech (Slay and Miller 2007). Lastly, the address of PDS Compact 500 was set to 004 that set off the alarm present at that water pipeline (Slay and Miller 2007).

The identified problem

Robert Stringfellow, responsible civil engineer during the time of adversity believed that the SCADA installation may cause some flaws through which the problem arise. The pump setting kept changing even after re-installing all the software and checking the system and thus it can be said that there was an external malicious entity that was entered through wireless equipment and infected he SCADA system. Abrams and Weiss (2008) also depict that even after high security system; it is very difficult to protect the system from insider attacks. The radio systems are not properly configured and also insecure and this gap was identified by the intruder. The security system was also not assessed properly in the SCADA system and this is the reason that the security staffs also overlook the small malicious changes that occurred. Lastly, the SCADA system also comprises of sophisticated logging mechanisms that contain thousands of codes and hence is impossible to evaluate on a daily basis. The staffs from the company also identified some of the Boden’s malicious activities which were addressed later and not the time of the incident was thrugh SP 800-53 controls (Amin et al. 2013). Mr. Boden created problem in the policy and procedures, personnel security, hardware and software. The problem is also presented in awareness and training, auditing, contingency planning, incidence response and information protection system (Rid and McBurney 2012). The organization does not have proper cyber security policies or procedures in place like “AC-18 Wireless Access Restrictions” that authorizes monitors, controls wireless access and establishes usage implementation and restrictions guidance.

The proposed solution implemented by Maroochy Water Services

In this case, the Australian government, Information Technology and the Arts (DCITA) and Australian Department of Communications implemented security programs for enhancing the security of SCADA system. They have formulated “Trusted Information Sharing Network” for Critical Infrastructure Protection. Several security systems also comprises of firewalls, anti-virus and IDS which is associated with the corporate networks. The secured system is then connected through shared servers and resources (Wilson 2014).

Image 2: The proposed Maroochy SCADA system implement after cyber attack

(Source: Amin et al. 2013)

This system is further protected by another layer of firewall. The second firewall is located between DMZ and SCADA system so that traffic can be screened at the gateway. Mowbray (2013) also stated that if a staff has a direct access to the DMZ, the gateway with substantial security functionality should be implemented. This security functionality is activated in the boundary of SCADA system and DMZ. The prime reason for implementing the firewall system is that firewall eliminates direct connections from the Internet, controls traffic entering and restrict access from the corporate network. There were some other solutions also that were suggested by the personals like addressing protocol-level vulnerabilities, network management and administration.  

Conclusion 

Thus, it can be stated that Maroochy SCADA scam was one of the biggest cyber crime in Australian industry of the year 2000. It is also concluded that the SCADA system comprised of three radio frequencies and two monitoring stations. These systems comprises of operations of 142 sewage pumping stations. The fault that was found after the adversity were unexplained pump station alarms, unnecessary configuration settings, increased radio traffic, turning of alarms without pump station lockups, unexpected turning of pumps and no monitoring of the alarm in computer communication. It can also be said from the assessment that the civil engineer of the organization recommended the use of anti-virus and firewall protection for using appropriate use of encryption. Moreover, proper staff training, implementation of upgradeable SCADA systems, incorporation of security auditing and control. Thus, all organizations should also prepare a mitigation plan so that they can avoid cyber crime.  

Reference List 

Abrams, M. and Weiss, J., 2008. Malicious control system cyber security attack case study–Maroochy Water Services, Australia. McLean, VA: The MITRE Corporation.

Acsc.gov.au., 2017. ACSC Threat Report 2016. [online] Available at: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016 [Accessed 30 Oct. 2017].

Ahmad, R. and Yunos, Z., 2012. A dynamic cyber terrorism framework. International Journal of Computer Science and Information Security, 10(2), p.149.

Aic.gov.au., 2017. Australian Institute of Criminology - Cybercrime. [online] Available at: https://www.aic.gov.au/crime_types/in_focus/cybercrime.html [Accessed 30 Oct. 2017].

Amin, S., Litrico, X., Sastry, S. and Bayen, A.M., 2013. Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), pp.1963-1970.

Amin, S., Litrico, X., Sastry, S. and Bayen, A.M., 2013. Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), pp.1963-1970.

Australia, C.E.R.T., 2012. Cyber crime and security survey report. 2013-09-19)[2014-07-20]. https:? www. canberra. edu. au/cis/storage/Cyber% 20Crime% 20and% 20Security% 20Survey% 20Report% 202012.

Beasley, C., Zhong, X., Deng, J., Brooks, R. and Venayagamoorthy, G.K., 2014, October. A survey of electric power synchrophasor network cyber security. In Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), 2014 IEEE PES (pp. 1-5). IEEE.

Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H. and Stoddart, K., 2016. A review of cyber security risk assessment methods for SCADA systems. computers & security, 56, pp.1-27.

Clarke, R.A. and Knake, R.K., 2014. Cyber war. Tantor Media, Incorporated.

Collins, S. and McCombie, S., 2012. Stuxnet: the emergence of a new cyber weapon and its implications. Journal of Policing, Intelligence and Counter Terrorism, 7(1), pp.80-91.

Cunningham, D., 2016. Developing a Core List of Journals at the National Institute of Standards and Technology Research Library. Information Outlook.

Daryabar, F., Dehghantanha, A., Udzir, N.I. and bin Shamsuddin, S., 2012, June. Towards secure model for SCADA systems. In Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012 International Conference on (pp. 60-64). IEEE.

Dunn Cavelty, M., 2012. The militarisation of cyber security as a source of global tension.

Henrie, M., 2013. Cyber security risk management in the SCADA critical infrastructure environment. Engineering Management Journal, 25(2), pp.38-45.

Hooper, C., Martini, B. and Choo, K.K.R., 2013. Cloud computing and its implications for cybercrime investigations in Australia. Computer Law & Security Review, 29(2), pp.152-163.

Lim, D., Park, K., Choi, D. and Seo, J., 2016, November. Analysis on Attack Scenarios and Countermeasures for Self-driving Car and Its Infrastructures. In International Conference on Broadband and Wireless Computing,

Mariani, R., 2014. An Evaluation of the Cybersecurity Policies for the United States Health & Human Services Department. International Journal of Business and Social Research, 4(4), pp.1-7.

McGuire, M. and Dowling, S., 2013. Cyber crime: A review of the evidence. Summary of key findings and implications. Home Office Research report, 75.

Mowbray, T.J., 2013. Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions. John Wiley & Sons.

Nicholson, A., Webber, S., Dyer, S., Patel, T. and Janicke, H., 2012. SCADA security in the light of Cyber-Warfare. Computers & Security, 31(4), pp.418-436.

Piggin, R.S.H., 2012, October. Emerging good practice for cyber security of Industrial Control Systems and SCADA. In System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on (pp. 1-6). IET.

Piggin, R.S.H., 2013, June. Development of industrial cyber security standards: IEC 62443 for SCADA and Industrial Control System security. In Control and Automation 2013: Uniting Problems and Solutions, IET Conference on (pp. 1-6). IET.

Rid, T. and Buchanan, B., 2015. Attributing cyber attacks. Journal of Strategic Studies, 38(1-2), pp.4-37.

Rid, T. and McBurney, P., 2012. Cyber-weapons. the RUSI Journal, 157(1), pp.6-13.

Rid, T., 2012. Cyber war will not take place. Journal of strategic studies, 35(1), pp.5-32.

Rjaibi, N., Rabai, L.B.A. and Mili, A., 2016. The Mean Failure Cost Cybersecurity Model to Quantify Security in E-Learning Environments. In Developing Successful Strategies for Global Policies and Cyber Transparency in E-Learning (pp. 95-120). IGI Global.

Slay, J. and Miller, M., 2007. Lessons learned from the maroochy water breach. Critical infrastructure protection, pp.73-82.

Warren, P. and Streeter, M., 2013. Cyber crime & warfare: All that matters. Hachette UK.

Wilson, N., 2014. Australia's National Broadband Network–A cybersecure critical infrastructure?. Computer Law & Security Review, 30(6), pp.699-709.

Zhang, Y., Xiao, Y., Ghaboosi, K., Zhang, J. and Deng, H., 2012. A survey of cyber crimes. Security and Communication Networks, 5(4), pp.422-437.