The Next Disruptive ICS Attacker: A Disgruntled Insider?

Often, the most critical threats come from within an organization itself. This is true for all sectors, but it is especially true for industrial control systems (ICS). Technicians in these environments already have access to plant controls and may have the deep knowledge of industrial processes needed to achieve specific goals. The damage caused by an insider may range from mild disruption to major disaster depending on what is attacked.

A Story of a Disgruntled Insider

This was the case in March 2000 when officials in Maroochy Shire (Queensland, Australia) discovered malfunctioning pumps and alarms within their new wastewater system. The engineering firm contracted for the installation confirmed that someone was attacking the plant using RF signals, so the plant hired private detectives to investigate. Their investigation ultimately ended with 49-year-old Vitek Boden being run off the road during a police chase. With him was a laptop containing specialized SCADA software and forensic evidence confirming that it was used at the time of the attacks against the water system.

Boden had worked for the engineering firm contracted by the Maroochy Shire to install a remote terminal unit (RTU) at each pumping station. After a disagreement with his employer, however, Boden had resigned from his site supervisor position and had applied to work directly for the plant. Maroochy Shire twice declined to hire him. It’s then that the disgruntled Boden used his knowledge of their SCADA controls to sabotage the plant. Boden used message spoofing to create system exceptions, resulting in millions of liters of untreated sewage water being released into waterways and local parks.

Ultimately, $50,000 was spent on clean-up efforts.

The fact that police were able to track Boden down is entirely thanks to the fact that he was attacking the system via RF. This meant that he needed to be physically present to attack the system, thus making it possible for him to be spotted by police during or after an attack. Police also could have triangulated the signal to find his location. There is typically no such luxury when dealing with attacks originating over IP interfaces where the attacker may be physically distant and connected by proxy.

An incident at a water treatment plant in Oldsmar, Florida earlier this year is also widely believed to have been an insider attack. Although the culprit has not been identified, it is known that they connected to a control system over the Internet using the TeamViewer remote access software. Once connected, the attacker attempted to add unsafe levels of sodium hydroxide to the water supply. Fortunately, the incident was quickly detected, as an engineer was there to observe the malicious activity and take measures to counteract it. The attacker’s mode of access (e.g., using a legitimate TeamViewer account) combined with their apparent knowledge of the human-machine interface (HMI) is this the type of elements that you’d see in an inside job.

As far as I know, there are no public reports identifying any solid evidence as to the origin or intent of this incident.

While insider threats can be very difficult to detect or predict, it may be possible to limit the potential damage by following best practices around access controls and authentication mechanisms. This includes basic steps like enforcing access controls so that insiders can only access what they need to do their job. Password hygiene is also critical for guarding against ex-insiders who may be disgruntled former employees. Requiring multi-factor authentication, forced password expiration, and strictly forbidding password sharing can make it far more difficult for a former employee to retain or regain access after their departure.

Read more in The Next Disruptive ICS Attacker Series:

The Next Disruptive ICS Attack: 3 Likely Sources for Major Disruptions