The Maroochy Attack
The picturesque shire of Maroochy in Queensland is known for its stunning natural environment and also, less positively as one of the first examples of a cyber-terrorist attack on critical infrastructure.
In April 2000 the Sunshine Coast urban centre inexplicably drowned in raw sewage as millions of litres of effluent began spilling out into local parks, rivers and car parks.
Beautiful Maroochy Shire.
The stench was unbearable and had the potential to cause a health crisis for residents and the council scrambled to fix the problem.
Experts worked around the clock to figure out what was causing the sophisticated sewage system to malfunction. But they were met with dead ends. The system was in perfect working order.
Close monitoring and a forward-thinking analyst with an intuitive understanding of human behaviour eventually uncovered the problem. The system had been hacked remotely by a disgruntled employee operating out of his car. The employee had helped install the sewage system and when he was rejected for a job with the Maroochy Shire Council he decided to get revenge.
It took the experts a while to figure out that an exploit was occurring because they hadn’t seen it before. In fact, Maroochy Shire was witnessing one of the first critical infrastructure attacks in the world.
Internet of Things (IoT)
The greatest enabler of attacks on critical infrastructure and as such, one of the biggest areas of vulnerability is the Internet of Things (IoT).
A huge expansion of devices connected to the internet, many of them cheaply made without basic security features present an enormous vulnerability. Consider your Robot Vacuum which is connected to the internet and could easily be hacked and controlled by hackers. You might think why would they bother – but consider that the mapping feature of your robot shows the world both your floor plan and your patterns of life. Similar features of the polar heart rate monitor social platform indicated the locations of a number of sensitive military sites this year – identifying both the site locations, the officers at the sites and in some instances, the home locations of those officers. Consider how many of these officers, with their fondness of clever tech conveniences would also have robotic vacuums, and smart televisions. With these crumbs of information extremely damaging technical exploits are built.
On this section: Details of Sensitive Military Sites were made available through the Polar Heart Rate Monitor Social Media application – researchers were able to link users with their LinkedIn profiles and home addresses through the information volunteered by users.
The challenge for business, industry and governments is to secure critical infrastructure and achieve cyber resilience rapidly and effectively. IoT is the new frontier in cyber threat and the extent of our exposure is significant. As the range of attacks and motivations continue to surprise the only feasible strategy is to be both threat and tech agnostic and have a broad church of advanced threat intelligence collection and information sharing.
The global environment with regard to cyber security is similar to the days leading to World War One. All indications suggest war, strategies are being formed and alliances made but unfortunately opposing forces have been marshalling their resources for the last decade.
Robert S Mueller III’s famous but dated 2012 quote on the ‘types of companies’ reflects the challenge:
"There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." Robert S. Mueller, III Director Federal Bureau of Investigation.
John Chambers expands and refines this concept in his 2015 quote:
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked." John Chambers, CEO CISCO Systems.
We are living in a world where the old norms of conflict are becoming increasingly difficult to enforce. As such, many nations find themselves not at a state of conventional war but not at conventional peace either. Hostile state actors are staging attacks using non-state actors wittingly or otherwise which gives them deniability in the international space. If hostile states can launch an attack on critical infrastructure in the US or Australia using non-state actors, it’s difficult to respond because the nature of attack is misattributed or un-attributable.
These measures short of war can sometimes be detected but not definitively attributed. We may be able to speculate on the authors of these types of attacks based on the code or malware used but it is all speculation and not enough to justify a declaration of war in the normative sense. It means hostile states are able to stage influence campaigns, guerrilla wars and asymmetric warfare on other states. And ironically the most vulnerable states are developed nations that have undergone a digital transformation. As the author of the attack is not known, motivations are similarly unclear. Some types of attack may be designed to reduce public confidence in governance through election interference or sabotage rather than achieve a large scale crisis event. The impact is more insidious but no less dangerous. Other types of attack may be difficult to fathom without insight into the broader context of the authors intent. Exploits of companies and businesses that are peripheral or adjacent to critical infrastructure will not be construed as an attack on critical infrastructure under current legislation – they may however be a key enabler of such an attack and crucial to attack planning.
It’s an ambiguous space where businesses and operators are the front line, the Field Marshalls are Captains of Industry, and the first sign of an attack is a sudden and inexplicable failure of a critical piece of infrastructure rather than troop movements across a border.
The skills needed to secure critical infrastructure
Securing critical infrastructure is therefore vital. And to do that a wide range of skills and an agnostic approach are required.
Technology is part of the solution - however the Security practice at Accenture is a great deal more than the application of technology. The practice brings hundreds of security cleared, experienced problem solvers with an appreciation of human behaviours, mastery of strategy and assessment and an approach guided by history and geopolitics as well as technology. Without these skills and approach it is not possible to authentically understand a particular security position and the unique threat environment a client is experiencing in the context of their market, their region and the global environment.
So if you’re an experienced hire or a graduate, if you’re a student of history and a keen follower of geo-politics and you’re interested in security this is what you can bring to our practice. And key to this is your ability to bring a different perspective or experience that will add value to our holistic approach.
Zoe with Sassy Frass.
Want to know more?
Martin, Steph and Ajay joined our 'On the Couch' session where they discussed Cyber Resilience, how it affects your day-to-day life and what skills we need to combat it. If you missed it, or want to re-watch then check out the recording here.