This report started by identifying the knowledge problem that was at Maroochy Water Services when Vitek Boden successfully waged a cyber attack on the firm’s SCADA systems in 2000. The report then identifies the knowledge that the firm needed to manage, and the mode of delivering knowledge within the firm.
Other areas covered in the report include identifying the functionality of the system, existing knowledge, developing a knowledge blueprint, specifying the knowledge management team, determining how the system will be evaluated, reviewed and improved, and identifying appropriate policy changes in the firm. The conclusion reiterates the components needed for the firm to have an effective knowledge management system.
This report will address issues related to knowledge design and knowledge management system (KMS) components as applicable to Maroochy Water Services. Maroochy Water Services is a water and sewerage company in Queensland Australia. In 2000, Maroochy Water Services installed a SCADA system to manage fresh water and sewage plants. The system however came under a cyber attack from Vitek Boden.
Boden was a former employer Hunter Watertech – the firm that had sold the SCADA system to Maroochy Water Services. Boden’s attack was successful because he had explicit knowledge of the SCADA system obtained from his previous employer, while employees at Maroochy Water Services lacked simple knowledge on how best to respond when the SCADA system failed to work.
In short, the water and sewerage company did not possess the necessary knowledge to secure the SCADA system. This report will identify the knowledge that Maroochy Water Services needed in order to effectively manage the SCADA system.
Additionally, the report will identify the manner in which Maroochy Water Services would have designed ideas in order to match the stakeholders in its situation. The report is divided into several sections which include an introduction; definitions of terms – i.e. knowledge, knowledge management, knowledge systems design, and KMS; the discussion section; and the conclusion section.
The terms hereunder have different definitions in literature hence making it necessary to adopt some working definitions.
Knowledge: The actionable information that includes values, experiences, contextual information and insights, which enables a person to make predictions, engage in casual associations, and/or make predictive decisions (Abdullah &Selamat 2005). It is also defined as the “tested, evaluated and surviving structure of information…that is developed by a living system to help itself solve problems and which may help itself to adapt” (Firestone 2006, p.9).
Knowledge Management: The discipline which “promotes an integrated approach to identifying, capturing, evaluating, retrieving, and sharing all of an enterprise’s information assets” (Duhon1998, cited by Koenig 2012, p. 4).
Knowledge systems Design: A process of “defining the architecture, components, modules, interfaces and data to build a system to satisfy specified knowledge management requirements” (Williams 2011, p. 1).
Knowledge Management System (KMS): “a class of information system that is designed to organise and direct the flow of information and its conversion to knowledge, usually within a particular organisation of community” (Resnick 2004, p. 288).
Knowledge problem or opportunity at Maroochy Water Services
In assignment 1, it was established that Maroochy Water Services had no knowledge regarding the functioning of the SCADA system. In other words, the water and sewerage company did not have sufficient capacity to handle malfunctions of the SCADA system without involving its contractor.
Most of the lack of knowledge on Maroochy Water Services’ part is linked to its failure to understand the functions of the SCADA system completely before purchasing and installing it. In an ideal situation, an investigation of the strengths, weaknesses, opportunities and even threats posed by a SCADA system would have enabled Maroochy Water Services to appreciate the risks posed by the same, and hence take measures to effectively manage the risks.
According to Slay & Miller (2008), several cyber threats are possible on SCADA systems. They include: non-malicious internal attacks e.g. by employees who unknowingly issue wrong commands to the system; malicious internal attacks – the attack by Boden is an example of such; non-malicious external attacks – e.g. from students who want to prove the susceptibility of SCADA systems to hackers; and malicious external attacks –e.g. by terrorists.
The biggest knowledge problem in Maroochy Water Services at the time therefore appears to be that the company, and especially its management, were not aware of the aforementioned threats, and had not therefore prepared themselves to handle any risks emanating from the same threats. The desirable state of the company at that time was having an internal capacity to effectively and securely manage the SCADA system, even without the assistance of Hunter Watertech employees.
Knowledge that Maroochy Water Services needed to manage
The vital knowledge that Maroochy Water Services needed to manage pertains to securing its SCADA system from both internal and external threats. As indicated in assignment 1 however, Maroochy Water Services could not manage knowledge that it did not have. To manage knowledge, the water and sewerage firm needed to undergo five stages as indicated by Resnick (2004). They include: capturing, storing, interpreting, disseminating, and auditing knowledge (see diagram 1 below).
Diagram 1: knowledge Management components
Adopted from Resnick’s (2004) model of KM
Maroochy Water Services would have captured knowledge from industry sources in and outside Australia; from research papers written by scholars and experts who are knowledgeable about SCADA systems; and even from the contractor (Hunter Watertech) who sold and installed the system for the water and sewerage company. Ideally, Hunter Watertech should have been the first place sought knowledge about the SCADA system.
To ensure that the company obtained accurate information, Maroochy Water Services also needed to consult un-interested SCADA system analysts. Storing, interpreting, disseminating and auditing knowledge are in-house functions that Maroochy Water Services needed to handle, all the while ensuring that the knowledge that had been captured was handled or managed with caution.
As Resnick (2004) notes, knowledge needs to be presented to the right people, at the right place and time, and in an appropriate format. Such presentation enables learning, but is also of measurable benefits to a firm since it is able to control employees’ access to sensitive business knowledge.
Considering that insiders at Hunter Watertech (including Boden) were privy to the SCADA system, Maroochy Water Services would have sought alternative ways of storing knowledge by for example creating data models for use with the SCADA system and coding data a new in order to work with the new model.
The use of accuracy filters as indicated by Resnick (2004) would have also helped the water and sewerage provider to prevent the infiltration of erroneous data to the system especially from remote locations as was the case with Boden.
Categorising or structuring knowledge in KMS was a difficult yet not an impossible task in 2000, when the Boden cyber attack on the water and sewerage firm occurred. One of the ways that MSW would have categorised and /or structured its knowledge at the time include calibrating the system and including limitation and abilities as to how much command power different people have towards the system.
For example, Maroochy Water Services would have provided confidence descriptions for use in the system, which no one else outside the company would be privy to as suggested by Wise (2000). The foregoing would have meant that Boden, armed with his explicit knowledge obtained from his previous employer would not have succeeded in accessing the system.
Mode of delivery
The sources of knowledge for Maroochy Water Services are diverse as discussed elsewhere in this report. As such, it is clear that the knowledge source and target will not be co-located and/or available at the same. The foregoing means that there is a need for knowledge transfer to individual or groups in the water and sewerage firm.
Assuming that the source of knowledge is the organisation, i.e. Maroochy Water Services, applying the socialization, externalization, combination, and Internalisation (SECI) model as illustrated in figure 1 below would have several revelations.
Figure 1: The SECI model
Source: Rice and Rice (2005)
When the organisation is the source of knowledge – i.e. having acquired the same from external sources, it would appear that the most direct process of knowledge management would be through internalisation (i.e. the organisation shares the knowledge with groups and individuals in what is marked as ‘collective on the site’ in figure one above. As indicated, internalisation enables explicit knowledge to be turned into tacit knowledge.
The other direct mode of knowledge management would be through combination where the organisation shares knowledge with groups as illustrated in the quadrant marked as ‘systematic collaborative’ in figure 1 above. The foregoing is an ideal way of sharing explicit knowledge e.g. when training employees on how to use a system.
Indirect ways of knowledge management include socialisation whereby individual employees can be directed to share their knowledge about the system with another individual. Groups can also manage knowledge through externalisation where they share what they know with individuals.
Functions that SCADA system require to deliver the knowledge service
Although the case study by Abrams and Weiss (2000) does not give an illustration of the SCADA system in use at Maroochy Water Services at the time of the cyber attack, one gets the impression that the system looked like the illustration in figure 2 below
Figure 2: A SCADA system illustrated
Source: Shaw (2013)
As indicated in the figure 2 above, the central computer system communicates to numerous remote terminal units (RTUs). In Maroochy Water Services case, computers (installed with the right software) and a licensed radio were the main RTUs at work.
While the software, laptop and licensed radio allowed Boden to have administrative access to Maroochy Water Services’ SCADA system, the absence of a secret password or identification requirement by the water and sewerage firm made it easier for him to penetrate and issue misleading messages to the system. By using appropriate passwords internally – i.e. without exposing the same to employees of Hunter Watertech, Maroochy Water Services would reduce the risks external attacks.
Shaw (2013) also suggests the use of backup systems, which would be triggered by malfunctions in the SCADA primary site. In order to ensure safe operation of the SCADA processes, Maroochy Water Services needed to set up security measures, which could have included passwords and/or a backup system, but most importantly was the need to control and manage the knowledge by ensuring that the passwords were secure and were known to internal organisational employees only.
Existing knowledge assets or solutions that could have been leveraged to enhance SCADA
Although not explicitly stated in the case study, this report will take the assumption that the human capital in Maroochy Water Services had the potential to acquire the necessary knowledge needed to use passwords, or other security measures on the SCADA system.
Additionally, and assuming none of the employees had the technical knowhow to install password and other security measures on the system, the organisation, this report assumes, had the capacity to hire the expertise of a qualified person to install them.
Knowledge management blueprint
From Diagram 1, knowledge management system is positioned as the creation of a combination of factors which include system architecture, system functionality, KM strategies, cultural aspects of the workforce and the psychological aspects of the workforce.
Used in the Maroochy Water Services context, the blueprint underscores the importance of the firm having (or obtaining) a SCADA system that has proper functionality for the intended use. SCADA systems have increasingly gained popularity for use in the management of water and sewerage systems (Slay & Miller 2008). Maroochy Water Services was therefore right in the purchasing and installing the system.
Diagram 1: the knowledge management blueprint
Adapted from Abdullah and Selamat (2005)
The second vital component as indicated in the above blueprint is the system architecture, which refers to how the contents and the design of the SCADA system. The architecture contains such applications as repositories, infrastructure, technology, and applications. The software, laptops, and licensed radios all fall under the system architecture.
On it part, KM is an essential part of KMS because it enables users to most importantly understand the functionality and architectural aspects of the system, but also acquire, store, disseminate, use and audit knowledge in a manner that enhances the successful use of the system. On their part, psychological and cultural aspects of employees acknowledge the important role that human actors play in the successful operation of systems.
Psychological aspects affect the intention to learn and/or collaborate with others in an organisational setting, while cultural aspects affect the social capital, business intelligence, expertise, employee integration and communities in the work place (Abdullah & Selamat 2005).
In assembling all the five components that make up the knowledge management system as illustrated in the framework above, this report suggests that after verifying the SCADA system’s functionality and system architecture, the firm would have prioritised the acquisition of knowledge through KM strategies (with the exception of usage and auditing).
Such an approach would have ensured that by the time of purchasing and installing the SCADA system, the firm would have had scanned the psychological and cultural aspects present in its workforce and devised a strategy of developing the internal capacity needed to set up an appropriate KMS.
The Knowledge Management team
- SCADA system developers, i.e. Hunter Watertech (they won’t be privy to passwords and other security measures)
- Identified managers at Maroochy Water Services
- Identified Maroochy Water Services employees
Infrastructure requirements for supporting SCADA systems
- SCADA System computers (with security features such as firewall)
- Operator consoles
- Licensed radios
Evaluation, review and systems improvement
Prevalent changes in technology make it necessary to evaluate, review and improve the KMS whenever the need to do so arises. Specifically, the SCADA system will be reviewed regularly in order to ensure that its functionality and architecture are up to date. KM strategies will on the other hand be audited and their feasibility established. Psychological and cultural aspects will also be evaluated through employee evaluation and changes or reforms instituted where necessary.
To avoid a scenario where employees use explicit knowledge gained at Maroochy Water Services to interfere with the SCADA systems, new policies on handling work-place property will be established. Additionally, a non-disclosure agreement will be included in employment requiring employees to abstain from disclosing organisational information to third parties.
This report has established that in order for Maroochy Water Services to have a functional knowledge management system in relation to the SCADA system, the firm has to ensure that the system has the appropriate functionality and architecture. Additionally, the firm has to engage in successful knowledge management by acquiring, storing, disseminating, using and auditing knowledge. Additionally, the firm has to be considerate of the psychological and cultural aspects of its employees.
Specifically, the firm has to consider the effect that psychological factors have on knowledge management. Adopting an organisational culture that embraces effective knowledge management practices is also something that Maroochy Water Services needs to consider. Combined, the foregoing factors will enable the firm to have an efficient knowledge management system.
Abdullah, R & Selamat, M. H 2005, ‘A framework for knowledge management system implementation in collaborative environment for higher learning institution’, Journal of Knowledge Management Practice, < http://www.tlainc.com/articl83.htm>.
Abrams, M & Weiss, J 2008, Malicious control system cyber security attack case study- Maroochy Water Services, Australia, http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf.
Firestone, J. M 2006, ‘What is knowledge’, In Riskonomics: reducing risk by killing your worst ideas, pp. 1-23, http://www.kmci.org/media/Whatknowledgeis%20%28non-fiction%20version%29.pdf
Koenig, M.E 2012, ‘What is KM? Knowledge management explained’, KM World Magazine, http://www.kmworld.com/Articles/Editorial/What-Is-…/What-is-KM-Knowledge-Management-Explained-82405.aspx.
Resnick, M.L 2004, ‘Management requirement for knowledge management systems in virtual organisations’, International Journal of Networking and Virtual Organisations, vol. 2, no.4, pp. 287-297.
Rice, J.L & Rice, B.S 2005, ‘The applicability of the SECI model to multi-organisational endeavours: an integrated review’, International Journal of Organisational Behaviours, vol.9, no.8, pp. 671-682
Shaw, W. T 2013, ‘SCADA system vulnerabilities to cyber attack’, Electric Energy Online, < http://www.electricenergyonline.com/?page=show_article&article=181>.
Slay, J & Miller, M 2008, ‘Lessons learned from the Maroochy water breach’, In E Goetz & Shenoi S (eds.), Critical infrastructure protection, Springer, Boston, MA, pp. 73-82.
Williams, D 2011, ‘Designing knowledge systems’, 1-3, < http://learnonline.canberra.edu.au/file.php/5881/Designing_a_knowledge_systems.pdf>
Wise, M.A 2000, ‘Individual operator compliance with a decision-support system’, Proceedings of the IEA 2000/HFES 2000 Congress, Human Factors and Ergonomics Society, Santa Monica, CA.