Wired News is running a story titled “Feds: Hacker disabled offshore oil platforms leak-detection system”, in which it is alleged that a 28-year-old IT contractor switched off leak-detection systems after a company refused to offer him a permanent position. The offshore oil platform belonged to Long Beach-based Pacific Energy Resources, Ltd. (PER).
Could a policy failure have led to disabled leak detection? (Image: Shell)
The story is one that sparks fear in some, with comments such as this one that appeared with the Wired coverage:
“Well it doesn't take a rocket scientist to tell how this is extremely disturbing, and dangerous. What if the guy wasn't some disgruntled techie, but a terrorist? Hack in, disable the leak detection, then physically damage the pipelines, with plenty of time to avoid detection. Scary stuff…”
Fear sells security. Fear can sell anything. But should fear lead to an indictment for what, on paper, looks to be a classic breakdown in account management policy?
The Wired story is based on an indictment handed down by a federal grand jury in Los Angeles. According to the FBI, Mario Azar (28) is charged with “unauthorized impairment of a protected computer,” a charge that carries a maximum statutory penalty of 10 years in federal prison.
Azar was an IT consultant under contract with PER until May of 2008, at which time he left the company. Azar helped set up a computer system that PER used to communicate between its offices and its oil platforms. It was this system that housed the leak-detection system Azar is said to have disabled.
During May and June of 2008, Azar illegally accessed the PER computer system and “caused damage by impairing the integrity and availability of data,” according to the indictment, which alleges Azar caused at least $5,000 USD in damage.
While PER temporarily lost use of its computer systems, the outage did not lead to any oil leaks or environmental harm, the company said, but it would not comment further on the issue. E-mails sent to PER were not returned.
However, neither the indictment, the Wired article, nor the FBI information deals with another aspect of this story: PER’s IT policy regarding contracted staff and account access.
Azar was an ex-contractor. Why was his network access (assuming it was a VPN that allowed remote connections to the oil platform’s network) still available to him after his time with PER came to an end?
Last summer, The Tech Herald wrote about orphaned accounts, using survey data a vendor sent over. Symark, the vendor in question, surveyed over 800 IT, HR, and C-Level (CIO, CSO, CEO) executives about orphaned accounts.
While only 18 percent of the respondents said that orphans were a concern for password management, 68 percent of those same respondents were unaware of the total number of orphaned accounts on their networks or had more than 20 of them.
If Azar did what the indictment charges him with, then it is likely the event could have been avoided if his access had been stripped when his contract ended.
However, the indictment is missing all of the details, including those that would be needed should the case go to trial. Yet, there is still the argument that ultimately this issue highlights PER’s lackluster policy enforcement.
Azar will be summoned to make his initial appearance in a U.S. District Court in Los Angeles on April 6, 2009. At that time, we might learn more about the case. If we do, we'll update this story.