[LINK] Maroochy Sewage Cyber-Terrorism [Was: GAO sees threats ...]

Roger Clarke Roger.Clarke at xamax.com.au
Thu Apr 1 14:05:54 EST 2004


>GAO sees threats to industrial systems
>BY Dibya Sarkar
>Federal Computer Week
>Thursday, April 1, 2004
>http://www.fcw.com/fcw/articles/2004/0329/web-scada-03-30-04.asp
...
>... said Robert Dacey, GAO's director of information security 
>issues. "Control systems have already been subject to a number of 
>cyberattacks, including documented attacks on a sewage treatment 
>system in Australia in 1999 ...

The national security community really does have to flog very hard 
the rare instances of 'cyber-terrorism' that they can dredge up.

I just spent 15 minutes 'google-researching' this matter (something 
which I suspect few of the people who quote the case have done).

Firstly, some uses of the story.

Secondly, the facts.

Thirdly, an interpretation of the facts.


An [esteemed] academic spruiker (Dorothy Denning):
http://www.cs.georgetown.edu/~denning/cosc511/fall02/cyber-attack.ppt
"Brisbane hacker used radio transmissions to create raw sewage 
overflows on Sunshine coast in 2000"

A commercial spruiker:
http://www.toplayer.com/content/cm/news207.jsp
"Mr Spinney quoted an example: An Australian man was jailed two years 
for wilfully causing serious environmental damage when he hacked into 
a city's computer-controlled sewage system and releasing raw sewage 
into local creeks and parks"

A radio pundit:
http://www.webtalkguys.com/article-pipkin.shtml
"There was a case in Australia awhile back where a sewage disposal 
computer system was broken into. So they faced a sewage problem in 
the town until they could get the system restarted."

A DoD spruiker:
http://www.defence.gov.au/dmo/id/disc/2002synd/Vic_2002_Syndicate_1.pdf
"A major city's sewage system could also be a target, indeed a cyber 
attack in the Sunshine coast in Queensland occurred in March and 
April 2000 in which raw sewage was made to be pumped into the local 
water supply."

[It continues with the hilarious "The now disused Spotswood sewage 
pumping station in Melbourne was known to be a strategic target in 
wartime Australia".  So in WWII, the Japanese mini-subs in Sydney 
harbour were training, for their real target in Melbourne?  Or in the 
Korean War, the generals in the North had the time to find out where 
Melbourne was?  Or in the Vietnam era, the nasty little Vietcong were 
going to use their tunnelling ability to bob up in suburban 
Melbourne?]


Here's a more useful report:

Qld Environmental Protection Newsletter:
http://www.epa.qld.gov.au/register/p00483ao.pdf
"In the Maroochy District Court last October [2000? 2001?], Vitek 
Boden was convicted and sentenced to prison for wilfully causing 
serious environmental harm after releasing hundreds of thousands of 
litres of raw sewage into a public area at Pacific Paradise north of 
Maroochydore in early 2000.

"Boden was also jailed for a total of two years on numerous charges 
of computer hacking and stealing. The sentences were to be served 
concurrently."


I can't find a report on the original case in the Maroochy District Court.

The appeal to the Qld Supreme Court on 10 May 02 is here:
http://www.austlii.edu.au/cgi-bin/disp.pl/au/cases/qld/QCA/2002/164.html
[5] The Crown case on the computer hacking offences was that between 
9 February 2000 and 23 April 2000 the appellant accessed computers 
controlling the Maroochy Shire Council's sewerage system, altering 
electronic data in respect of particular sewerage pumping stations 
and causing malfunctions in their operations
[8] [Boden], an engineer, had been employed by Hunter Watertech as 
its site supervisor on the project [to install Maroochy Shire 
Council's sewerage control system] for about two years.  [He didn't 
get a job with the Council, so he used his knowledge of the system to 
crack into it]
[11] [what Boden did was to gain] access to the system and [alter] 
data so that whatever function should have occurred at affected 
pumping stations did not occur or occurred in a different way. The 
central computer was unable to exercise proper control and, at great 
inconvenience and expense, technicians had to be mobilised throughout 
the system to correct faults at affected pumping stations. On the 
occasion the subject of count 45, a pumping station overflowed 
causing raw sewerage to escape.
[19] ... a strong circumstantial case ... [and no evidence was 
presented in defence, and the defendant sacked his lawyer]

[So:
(1)  it was in essence 'an inside job' (although performed after the
      person had left the project);
(2)  it was quite probably not specifically intended by the cracker
      (although the cracker's action was the proximate cause of the
      sewage overflow);
(3)  the motivation was revenge, not terrorism].

Boden had some minor wins in the appeal, but the sentence remained intact.

Boden had a few minutes before McHugh and Kirby on 25 Jun 03:
http://www.austlii.edu.au/cgi-bin/disp.pl/au/other/hca/transcripts/2002/B55/1.html

[The above suggests that Boden is both intelligent and daft. 
Doubtless that's enough to get you onto a terrorism watch-list these 
days.]

-- 
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                 Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au            http://www.xamax.com.au/

Visiting Professor in the eCommerce Program, University of Hong Kong
Visiting Professor in the Baker Cyberspace Law & Policy Centre, U.N.S.W
Visiting Fellow in Computer Science, Australian National University

