Prime-time computer crime

Sholto Macpherson

The casualties suffered after a security breach at a large company are now pretty familiar – stolen business plans, lost customer financial information such as credit card and tax details, or sometimes encryption keys.

But ask Logica’s Ajoy Ghosh about securing infrastructure, and it’s clear the stakes are often higher – and sometimes smellier.

Witness the carnage wrought in 2000 by a disgruntled former employee of an integrator, Hunter Watertech, which installed computer control systems for Maroochydore Council’s sewage system.

The culprit, Vitek Boden, used remote radio transmissions to release hundreds of thousands of litres of raw sewage into public waterways, and then offered his services to the local council to clean up the mess.

The case was picked up by US cyberterrorism specialists as a rare known example of an attack on public infrastructure using a compromised digital control system.

Ghosh took a special interest in the case, beyond his role as head of the security division for Logica, a multinational with a number of infrastructure customers.

Ghosh’s particular interest is computer forensics, and he has served as an expert witness in several major trials, including the Boden case.

He is currently working on two others, one involving a large company and the other a “serious criminal matter”.

Professional and legal considerations prevent him from giving more details on the current trials or the Boden case, which could still be reopened on appeal.

However, he said he finds the contrast in casework stimulating.

“It brings out what I like to call the bipolar nature of forensics. On one side we have the serious criminal cases, which from a computer forensic point of view are relatively short cases and we are often involved in the investigative aspect.”

Expert witnesses serve the court, but take instruction from the first party that approaches them, just like barristers.

Consequently Ghosh divides his time roughly equally between the prosecution and defence, and investigates matters on each side’s behalf.

This method of hiring experts has caused some controversy, such as in the C7 and HIH cases, where expert valuation witnesses were heavily criticised for biasing the evidence they submitted in favour of their hirers.

It is up to the jurors or judge to decide which expert witness is more credible.

The situation is to some extent inevitable, said Ghosh.

“I think it is unrealistic to expect an expert witness not to have at least some bias towards the person paying their bills.”

Things may be about to change. Australia’s Federal and Supreme courts are considering employing a single expert, approved by both sides, whose fee is paid for by the courts and then awarded in the costs to the losing side.

While he admits it would reduce bias, Ghosh is lukewarm on the idea.

“I think there are a lot of positives to it and it certainly takes away that perceived or potential bias. But I also think that the expert will have some difficulty in trying to answer questions from both sides.

“At the moment the way it works in any court case it’s not just about the evidence that you put before the court. There is a lot of strategic work that goes into deciding how you are going to run the case. And when you are only talking to one side of the case it is quite easy to help them.

“But I expect that when we start talking to both sides there is going to be enormous pressure on us to make sure that the strategy of each side is kept very separate. In practice, I’m not sure how we are going to do that.”

Ghosh has a long-term interest in computer forensics.

He has been teaching the subject for six years, first at the University of Technology, Sydney, and he lectures in e-crime at the Australian Graduate School of Policing in Manly.

Ghosh said computer forensics is the latest wave in what is “new and sexy” in IT security, no doubt in part because of the CSI Effect – the raised expectations among jury members and crime victims of the effectiveness of forensic evidence, a phenomenon confirmed by university studies and blamed on the spate of forensic-science TV shows.

Ghosh’s time in the courts and the classroom has helped him in selling the services of the computer forensics and litigation support team at Logica.

“If I can translate [computer forensics] to lawyers and law students, then I can explain it to anyone. What it does is give me the ability to translate what are often abstract technical concepts into something that not just lawyers but business decision-makers can understand.”

Logica has a large customer base in the government sector, and many of its government customers are asking for forensics. The latest contract is a major three-year security program with Sydney Water, which began three months ago and is where the Logica security team is currently spending most of its time.

The team covers the standard security consulting, including appropriate policies and standards, measuring compliance and penetration testing, identity and access management including biometrics, forensics and litigation support and managed security services.

The requirements of IT security don’t change, irrespective of whether a computer controls the opening of the sluices of a big dam or the opening and closing of bank accounts, said Ghosh.

“The technology is constant. What does change is the impacts of that technology to the business. And in different industries, from a threat perspective, the bad guys are looking to do different things. In some cases the threat is around fraud and financial details, in others it might be disrupting service, in others it might be extracting confidential data or business plans, or in others it might be items that do real world harm to people.”

One would hope that the security protecting the control systems for the country’s power stations, dams and airports would be pretty tight. Is it as good as the banks’?

Ghosh said infrastructure is like any industry; some departments do a better job than others. Remarkably, in his career Ghosh has found that sometimes security isn’t a top priority, even when it comes to banking.

Ghosh expressed his surprise to a bank manager in China that, for a business built on trust, security wasn’t at the top of the list.

The manager replied: “Ajoy, in Australia your major bank would be lucky if it services 20 million customers. In my bank, a single branch services 20 million customers.”

Obviously for that bank, security came after making sure the IT infrastructure could simply ensure that its customers were legitimately depositing and withdrawing their money.

Logica is hardly a small fish – the multinational is headquartered in Europe, listed on the London and Amsterdam exchanges and has 40,000 employees in 35 countries.

However, after years of battling the large and mid-tier SIs for market share, Ghosh said the company is seeing new competition from a new direction.

“In the past couple of years the management consultants have started to play very hard in this space. They are very successful in the security strategy and planning side of the business.

“In Australia the security market is still quite open with a reasonable amount of room for the players who are currently in it. So far, I don’t see any one of the consultancies as a particular threat. But of course it would be nice not to have to compete so much.”

Ghosh sees Logica as having two advantages over the big consultants. The first is that Logica heavily outsources itself and so, as the cliché goes, eats the same dogfood it serves its customers.

“It also means we have that hands-on day-to-day operational experience of running organisations securely,” adds Ghosh.

“A management consultancy wouldn’t, but another global outsourcer will.”

The second and more considerable advantage is experience. Logica works across several key sectors, including government, banking and utilities.

The best card the integrator can play is its work with the Defence Signals Directorate, the secretive agency which advises the federal government on information security.

Luckily for Logica, the increased competition comes at a time when the amount of work is increasing.

Scandals such as the HIH and OneTel collapses underlined the responsibility of directors to be familiar with all aspects of risk to a company’s bottom line, including network-based threats to company property.

Information security is now much better understood since the Australian Prudential Regulation Authority (APRA) included the topic as one of five areas of risk about which a board must inform themselves and sign off on every quarter.

Recent court action by the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission against negligent directors has sharpened this awareness even further, especially in the 2000-plus seat market in which Logica operates.

“If we were having this conversation even two years ago, I would be telling you that I go into meetings with CIOs, COOs and CEOs, and I need to talk to them about the importance of doing it. Today I go into these meetings and they are telling me that it is important that they need to do it, and they are merely asking me how they can do it.”

The Federal Government’s promised infrastructure boom could give the Logica security team a new batch of clients, given its history in the water and electricity space.

The SI manufactures its own supervisory control and data acquisition (SCADA) equipment, the computer systems that monitor and control industrial processes.

“Much of that SCADA equipment is being transported from the water and electricity industry into the infrastructure industry. For example our major roads and tunnels, rail services, where they are using SCADA and telemetry. And certainly all the security issues that apply in water and electricity apply in those industries as well, as do many of the solutions.”

Malfunctioning SCADA equipment can create problems as bad as or worse than a malevolent intruder. Ghosh points to the recent problems with the tunnel on Sydney’s M5 expressway, which closed for three hours in peak hour, causing gridlock, all because of a “computer glitch”.

A furious Roads Minister Michael Daley threatened to withdraw the contract from the M5’s operator, Belfinger+Berger.

“My message to the CEO and the motorway company on behalf of the motorists is a very clear one: If you can’t run this motorway properly, we’ll find someone who can,” Daley told reporters.

But from the perspective of a computer forensics expert, the traffic mayhem had a silver lining.

“In future if a hacker does a similar sort of thing, we know what the consequences will be. And so do they [the M5 operators].”
