Critical infrastructure is increasingly under attack with major hits on oil pipelines, water treatment facilities and the food and beverage sector all occurring within the last year. Regardless of where the attackers enter from — and that’s often the information technology (IT) side — these assaults generally have real-world physical impacts, spilling over into operational technology (OT).
For example, in Oldsmar, Florida, a hacker was able to manually raise the levels of lye in the water supply. With the Colonial Pipeline, threat actors attacked the IT side, but it still resulted in a shutdown of the longest oil pipeline on the East Coast, causing runs at the gas pumps.
The groundwork for attacks like these was laid back in 2001, when an Australian man became the first known hacker to produce a successful cyberattack against critical infrastructure. Then-49-year-old Vitek Boden launched a sustained cyber assault against the sewage control system of Maroochy Shire, Queensland, Australia, a computerized waste management system. He ultimately released 265,000 gallons of untreated sewage into local parks and rivers, causing serious damage to the local environment.
“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant of the Australian Environmental Protection Agency in The Register.
This hack was the first widely recognized example of a threat actor maliciously attacking an industrial control system (ICS). It was also an insider attack, which can be more damaging because the attacker often has specialized knowledge of the system and the ability to manipulate its controls.
The Maroochy Shire attack
Boden, it turns out, was exactly the kind of insider companies need to worry about. Boden was an engineer for Hunter Watertech, an Australian firm that installed supervisory control and data acquisition (SCADA) radio-controlled sewage equipment in the Maroochy Shire. After leaving the company under questionable circumstances, Boden applied for a job with the Maroochy Shire Council. When he didn’t get it, he decided to exact revenge on both organizations.
“He packed his car with stolen radio equipment attached to a (possibly stolen) computer,” according to a case study on the event from MITRE.org. “He drove around the area on at least 46 occasions from February 28 to April 23, 2000, issuing radio commands to the sewage equipment he (probably) helped install. Boden caused 800,000 liters of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel.”
One of the things that makes an OT system harder to target than IT is that it generally takes specific, operational, insider knowledge of the ICS being manipulated. In other words, a threat actor would need to have some sense of how to use the equipment. Boden had that experience as a site supervisor on the Maroochy SCADA project for more than two years, making him particularly dangerous.
Boden was caught and arrested when he was pulled over for a traffic violation on April 23, and the officer noticed computer and radio equipment in his car. Boden had already been placed under surveillance by that point as a person of interest in the ongoing cyberattacks. It was eventually determined his laptop had been used at the time of the attacks, and his hard drive contained software for “accessing and controlling the sewage management system.” In Boden’s car, police discovered a PDS Compact 500 computer, later identified as belonging to Hunter Watertech, along with a personal laptop.
The ultimate insider
Maroochy is a rural area located about 65 miles from the Queensland capital of Brisbane and is known for its natural beauty. According to the MITRE report, Maroochy has 880 km of gravity sewers, treating about 35 million liters per day.
“Maroochy Water Services Sewerage SCADA System consists of 142 Sewage Pumping Stations with two Monitoring Computers utilizing three Radio Frequencies. Hunter Watertech Pty Ltd installed the ‘PDS Compact 500’ computer device at each pumping station capable of receiving instructions from a central control center, transmitting alarm signals and other data to the central computer and providing messages to stop and start the pumps at the pumping station,” according to the report.
Once Boden accessed the Maroochy Shire sewer system computers using software stolen from Hunter Watertech, he caused a series of problems. The pumps did not run when they should have, alarms failed to report to the central computer and communication was lost between the central computer and the pumping stations.
When a Hunter Watertech employee began investigating the disruptions, he discovered they pointed to human intervention, not system failure. In time, it became clear that the issues at the Maroochy sewage plants all ceased after Boden was arrested on April 23.
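The symptoms described above (pumps idle when they should run, alarms never reaching the central computer, communication lost with a station) plus pump commands arriving from a source other than the control centre can all be checked from telemetry held on the central side. As an added example that is not part of the original article or of any real Maroochy system, the Python below runs those checks over constructed records; the log format, station and source ids, reporting interval and level thresholds are all assumptions.

```python
from collections import defaultdict

CENTRAL = "CENTRAL-1"   # assumed id of the legitimate control centre
HEARTBEAT_S = 60        # assumed reporting interval of each pumping station
START_LEVEL = 0.8       # assumed wet-well level at which the pump must be running
ALARM_LEVEL = 0.9       # assumed level at which the station must raise an alarm

# Constructed sample records: (time_s, station, kind, fields). Not real data.
SAMPLE_LOG = [
    (0,   "PS-017", "heartbeat", {"level": 0.40, "pump": "off"}),
    (0,   "PS-042", "heartbeat", {"level": 0.50, "pump": "off"}),
    (60,  "PS-017", "heartbeat", {"level": 0.60, "pump": "off"}),
    (60,  "PS-042", "cmd",       {"src": "RADIO-3", "action": "pump_stop"}),
    (60,  "PS-042", "heartbeat", {"level": 0.85, "pump": "off"}),
    (120, "PS-017", "cmd",       {"src": "CENTRAL-1", "action": "pump_start"}),
    (120, "PS-017", "alarm",     {"type": "high_level"}),
    (120, "PS-017", "heartbeat", {"level": 0.92, "pump": "on"}),
    (120, "PS-042", "heartbeat", {"level": 0.95, "pump": "off"}),
    (180, "PS-017", "heartbeat", {"level": 0.50, "pump": "off"}),
    (240, "PS-017", "heartbeat", {"level": 0.40, "pump": "off"}),
]

def find_anomalies(log, now):
    """Return sorted (station, finding) pairs for the symptom classes above."""
    alarms = defaultdict(set)          # station -> times an alarm reached central
    for t, st, kind, _ in log:
        if kind == "alarm":
            alarms[st].add(t)
    findings = set()
    last_seen = {}
    for t, st, kind, f in log:
        if kind == "heartbeat":
            last_seen[st] = t
            if f["level"] >= START_LEVEL and f["pump"] != "on":
                findings.add((st, "pump idle above start level"))
            if f["level"] >= ALARM_LEVEL and t not in alarms[st]:
                findings.add((st, "alarm missing at central"))
        elif kind == "cmd" and f["src"] != CENTRAL:
            findings.add((st, f"command from unknown source {f['src']}"))
    for st, t in last_seen.items():    # silent for more than two intervals
        if now - t > 2 * HEARTBEAT_S:
            findings.add((st, "communication lost"))
    return sorted(findings)

if __name__ == "__main__":
    for station, finding in find_anomalies(SAMPLE_LOG, now=300):
        print(station, finding)
```

Station PS-042 trips all four checks in the constructed log, while PS-017 (pump started by the control centre, alarm received) produces nothing.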
In November 2001, Boden was sentenced to two years in prison for using stolen wireless radio, SCADA controller and control software and was required to pay for the remediation of the damage he caused. The damage he caused was significant — he polluted residential areas and coastal waters and the clean-up efforts took days. He was convicted on 27 counts of using a restricted computer to cause detriment or damage, along with one count of willfully and unlawfully causing serious environmental harm.
Although it occurred more than two decades ago, this attack should have served as a stark wake-up call to the cyber dangers the world was about to face. In the intervening years, there have been attacks on gas pipelines, oil pipelines, dams, water/wastewater facilities, power grids and much more. While many of these attacks are being launched by outside organizations, nation-states and criminal gangs, the insider attack might still be the most frightening.
“You’re always going to have this human element, in every industry, in every business,” said Rick Peters, chief information security officer (CISO) of operational technology North America at Fortinet. “If I’m sitting at a private board having that conversation, the concern is always about insider behavior. One of the things that you’re seeing trend-wise today is the move toward behavioral analysis, at-speed behavior analysis, so that we can detect those kinds of behaviors using AI techniques, using the power of actionable intelligence, to recognize any change, any behavior that looks like an anomaly.”
Some of these attacks, of course, are caused unintentionally by employees doing something as innocuous as opening a phishing email, plugging in a memory stick or charging their personal phone on a work computer. But disgruntled employees with the knowledge — and, more important, the motivation — to carry out an attack are a different level of threat.
According to Peters, there has been a 400% increase in OT attacks in just the last year, as companies have shifted to work from home. Unfortunately, the insider threat still prevails, as was demonstrated by Vitek Boden more than two decades ago. These sorts of attacks can have lingering effects on much more than a company’s bottom line; they can also impact human health and safety and the sanctity of the environment.