Forensic Analysis of Aqualectra's IT Infrastructure

05
Forensic Analysis of Aqualectras IT Infrastructure
To: Supervisory Board of Integrated Utility Holding N.V.

From: FTI Consulting, Inc.
Date: September 12, 2011
Table of Contents
Forensic Analysis of Aqualectras IF Infrastructure

Confidential Report
Preliminary Report - For Discussion Purposes Only
INTRODUCTION 4
Complete ICT System Analysis
1.
General 6
1.1 Critical Items
7
1.2 Unsatisfactory
8
2.
The Audit Process
2.1 Information Technology
2.1.1Administrator Access
Recommendation
2.1.2System Administrator
Recommendation
2.1.3Database Administrator
Recommendation
2.1.4Network Administrator
Recommendation
2.2
10
11
11
12
12
13
14
15
22
24
Aqualectra Network Infrastructure 24
Recommendation 25
2.2.1Internet Access
25
Recommendation 25
2.2.2SAN (Storage Area Network)
Recommendations29
2.2.3Server Room
29
2.2.4Security
29
Recommendation 30
2.2.4.1
RIF
31
2.2.4.2
Mundo Nobo 32
2.2.4.3
Nieuwe Haven
32
2.2.5Backup Procedures
33
Recommendations33
25
2.3
Disaster Recovery / Business Continuity Plan 34
2.4
Software Applications 36
Recommendations34
2.4.1Critical Systems
36
2.4.1.1
VIS2000
36
Recommendations37
2.4.1.2
Pagatinu
38
2.4.1.3
Decade
38
2.4.1.4
Infor/CAMMS
39
Recommendations39
2.4.1.5
SCADA
41
Recommendation 41
2.4.2ICT Monthly Budget Report
43
Page 2 of 44
BSD -

Confidential Report
BSD -
INTRODUCTION
FTI Consulting, Inc. (FTI) was retained by the supervisory board of Integrated
Utility Holding N.V. (Aqualectra or the Company, Client or the Board) to
perform a forensic analysis in order to detect any inefficiencies and or irregularities
within the operations of Aqualectra. FTIs work, to be performed under the direction
of the Client, was to deploy well-qualified staff appropriate to the tasks assigned by
the Client, including personnel such as IT experts, to perform such tasks as may
have been identified during the course of this Engagement with the understanding
that someone from FTI may be called upon by the Client to provide expert
testimony in the future. The Client and FTI will discuss and mutually agree on which
FTI professional would serve as an expert.
All professional conclusions are those of the FTI professionals working on this
matter.
Client will make available to FTI the documents, if necessary, for FTI to
complete the analysis. FTI performs all engagements in a legal and ethical manner
and adheres to all applicable privacy laws.
Complete ICT System Analysis

During this phase of the Engagement, FTI performs a complete system analysis of
the IT infrastructure as it relates to each system and location. This will include
overview of employees roles and their responsibilities for each application as
follows:
Identify all super users and administrators of the networks infrastructure, including:
Switches
Firewalls
Routers
Servers
All other network devices
Page 3 of 44

Confidential Report
BSD -
Identify the employees and their responsibilities in the following applications:
Infor
Decade financials
HRM Systems
VIS2000
SCADA
Mail server
Telephone Exchange
Complaint centers ( Klachten afdeling)
Other operating support systems
Conduct internal audits of the following systems and/or procedures:

1. Review the Disaster Recovery Plan and business contingency and continuity
for the ICT Department.
2. Identify all remote access systems.
3. Review backup procedures for each server and application.
4. Identify all vulnerable assets of Aqualectra.
5. Test login procedures for all DBA administrators of Oracle and SQL databases,
their passwords and/or secret access codes.
6. Identify the organizational structure needed for a basic IT operation.
7. Identify the networks infrastructure.
8. Review developments and current or future implementations.
9. Review all SLAs.
10.Identify the personnel within their positions and functions.
11.Obtain telephone and/or cell phone numbers and emails of all vital IT and
customer relations personnel.
This report summarizes our current findings and recommendations.
This report is based on our detailed Network Analysis Report and summarizes our
findings and, where applicable, recommendations. For ease of reference, this report
is divided into three main sections that cover the general information, our findings
and recommendations.
We have provided the Supervisory Board during our audits with various excerpts of
this report during the past couple of weeks.
Page 4 of 44

Confidential Report
BSD -
This review is a dynamic process and we reserve the right to amend our findings,
recommendations, opinions and report based on comments and/or information
received subsequent to this preliminary report.
Also, please note that this report is confidential and will be issued in final form only
to the Supervisory Board by FTI. FTI takes no responsibility for the dissemination of
any or all parts of this report to parties other than the Supervisory Board or any
consequences thereof.
1. General
FTI was contracted on August 4, 2011, to investigate concerns regarding the
Information Technology Department at Aqualectra. Our report findings address
critical and unsatisfactory issues regarding the internal Aqualectra Information
Technology Departments infrastructure. There are additional concerns regarding
the infrastructure, as well as various application concerns, both in contract (SLA)
and physical access that require immediate attention. These red flags will be
reviewed in the following audit report.
The initial investigation request needed to be slightly broadened in order to avoid
oversight of a parochial nature in that mere issues of network security might only be
addressed. The team found several unanswered questions regarding information
protection, privacy governance, and information integrity that needed to be asked.
The following taxonomy categorizes the findings into two areas impacting: Critical
(regulatory and compliance issues/high risk to business materiality); Unsatisfactory
(not as severe as critical, but needing to be addressed within the next six months);
1.1
Critical Items
The following critical points were identified during the audit of Aqualectras IT
infrastructure:
Page 5 of 44

Confidential Report
BSD -
Extreme dependency on outside key personnel leaves Aqualectra vulnerable

without redundancy. Further review of 2011 and 2012 budget will need to be
analyzed.
Employees on the network and remote access servers are never verified with
currently active employees.
Encryption levels used on the firewall is set to the lowest admissible level.
Outside consulting firms have full access to Aqualectras entire network

infrastructure, including SCADA. (Primarily Netpro)
The encryption key set on the firewall for the Radius servers can be hacked
using brute force attack.
Routers and the Firewalls IOS software are outdated and exposed to DOS
(Denial of Service) attacks.
Access list on the firewall is configured to allow any source from external
entities.
Password disciplines were inadequate and did not meet industry best practice
standards leading to potential security breaches on routers and firewalls.
SCADA network is connected to the entire Aqualectra backbone and

maintained by outside consultants.
There is no monitoring of a possible breach of security in the entire

Aqualectra network infrastructure.
There is no Business Continuity Plan/Disaster Recovery Plan in case of an

island disaster.
Page 6 of 44

Confidential Report
BSD -
The current recovery backup plan is outdated.
Vulnerabilities were discovered on Apache server 206.107.225.29.
Single exchange database for all mail users creates a risk for quick recovery
in case of failure. No redundancy.
No redundancy on main switches.
Critical equipment (Routers and Switches) used lacks redundancy.
1.2
Unsatisfactory
The following unsatisfactory points were identified during the audit of Aqualectras
IT infrastructure:
Staffing in key IT departments lack the proficiency to diagnose immediate

resolution of problems.
SAN is approaching End of Life by end of year with no support. Space is also
limited and will become critical by end of year.
There is no central reporting system; each system generates its own reports.
Oracle Databases on key revenue applications are out of service and not
supported.
Critical applications have no audit trail logging.
None of the critical applications interacts with other applications other than
batch files or scripts. INFOR and DECADE currently interact with each other
on some levels.
Page 7 of 44

Confidential Report
BSD -
Meter usage files collected with handheld recording devices are not
encrypted and accessible to everyone with access to the network directory.
Dependency on outside contractors reduces the level of control of the entire

Aqualectra infrastructure.
Segregation of duties and access to critical areas by personnel conflicts with

compliance and regulations of Aqualectra.
Assigned application owners are selected without any proper knowledge of

the application.
Physical controls and logical controls need to be verified and tested for
compliance.
There is a need to address issues regarding IT policies, procedures and

process for in-house servers, firewalls, access controls and databases.
Outdated key applications are maintained by outside consultants.
RIF server room is almost at full capacity and will be an issue for future
growth.
Three of the four critical applications do not have any interaction among
themselves other than manual entries made by employees.
There are no camera systems in any of the three server locations - RIF,
Mundo Nobo and Nieuwe Haven.
No access controls to Mundo Nobo and Nieuwe Haven server rooms.
Page 8 of 44

Confidential Report
BSD -
2. The Audit Process

One of the most important assets of an enterprise is its information. The integrity
and reliability of that information and the systems that generate it are crucial to an
enterprises success. The first step in order to determine the integrity and reliability
of Aqualectras most valuable assets is to identify those assets, determine their
value, risk and vulnerabilities, then isolate those that are critical to Aqualectras
business model.
We interviewed with over 15 key employees from various
departments and have highlighted the areas that need to be addressed:
2.1
Information Technology
The current Information Technology Department (hereafter as IT) consists of 16

employees divided between various departments.
Page 9 of 44
The IT manager, Mr. John Van

Confidential Report
BSD -
Varsseveld, has overall responsibilities for the IT Department. He reports directly to

Mr. Dieudonne Van der Veen, who is currently the Chief Financial Officer of
Aqualectra.
The departments are divided as Information Systems Advisor,
Helpdesk, Workstation Support, network administrator, Analyst (Functional and

Technical), System Administrator and Database Administrator.
Below is a graph of how the departments are divided:
Our audit consisted of meeting with critical departments under the direction of the
IT manager for which we selected the following individuals to be interviewed:
System Administrator:
Database Administrator: Joep Koyen
Network Administrators: Moraima Matilda and Ludwin Henriette
Julius Griffith
2.1.1 Administrator Access

AN administrator is a local account or a local security group that has complete and
unrestricted access to create, delete, and modify files, folders, and settings on a
particular computer or server. This is in contrast to other types of user accounts that
are granted only specific permissions and levels of access. An administrator account
is used to make system-wide changes to a computer or server, such as:
Creating or deleting user accounts on the computer/server;

Page 10 of 44

Confidential Report
BSD -
Creating account passwords for other users on the computer/server;
Changing others' account names, pictures, passwords, and types/server.
Administrative rights are permissions granted by administrators to users allowing

them to make such changes. Without administrative rights, you cannot perform
many such system modifications, including installing software or changing network
settings.
Aqualectra does not maintain an administrator account, but the individuals listed
below are domain administrators who have complete access to the entire network,
just like an administrator. These users are:
Julius Griffith
Moraima Matilda
Ludwin Henriette
Secure Vault ( Sealed Envelope)
Passwords are changed every 60 days.

Recommendation
Evaluate the complete groups structure in the active directory to validate
administrative rights on the server. We have obtained group rights to the entire
server and will be able to validate against employee list.
2.1.2 System Administrator
In 2006, Julius Griffith, on behalf of his employer Deloitte, was hired by Aqualectra
as an ICT consultant. The following year, Griffith left his employment with Deloitte
and started his own IT consulting business under the company name Envision. In
2007, Aqualectra hired Envision and subsequently Griffith, as an outside
contractor, to assume responsibility for the following Information Technology
functions:
Page 11 of 44

Confidential Report
BSD -
Storage of Data (SAN)

Installation and administration of the servers hardware and software
(Windows or Linux)
Hardware component failures at the server level
Server software installations
SQL installations
System-wide backups of all servers and applications
Intranet administrator of SharePoint and departmental portals on SharePoint
File system administrator
Administrator of virtual servers.
Based upon our preliminary interviews and observations, we conclude Griffith to be

a detrimentally essential employee to Aqualectras IT operations. Griffith has
exclusive knowledge of specific IT functions and systems that currently make his
involvement in the companys day to day operation mandatory. Aqualectras daily IT
operations are highly vulnerable to any potential for Griffiths absence in the
organization. Should any unforeseen circumstances present themselves rendering
Griffith unavailable many if not most of Aqualectras IT operations have a high
susceptibility of rendering themselves greatly at risk. The entire Aqualectra server
infrastructure is dependent upon Griffith as its systems administrator having no
other capable individual on hand to provide back-up assistance should system
failures occur. At present there is no redundancy built into the IT infrastructure from
an employee perspective, by way of assistant or junior systems administrator to
provide redundancy to the Aqualectras IT operation in Griffiths absence.
Recommendation
FTI
highly
recommends
the
introduction
Administrator/Database administrator.
of
an
in-house
Junior
Systems
The position would be dual purpose in
nature to provide redundancy for both the Systems Administrator and the Database
Administrators job responsibilities.
The Junior Systems Administrator/Database
Page 12 of 44

Confidential Report
Administrator
would
immediately
be
cross
BSD -
trained
by
both
the
Systems
Administrator and Database Administrator and ultimately assume job overlapping

responsibilities in both areas.
By assuming job overlapping responsibilities this
person would immediately fulfill the redundancy need in the area of job
responsibilities for both the Systems Administrator and Database Administrator
ultimately remedying the systems responsibility back-up needed in these two areas.
2.1.3 Database Administrator
Joep Koyen is employed by Aqualectra through the outside consulting firm called
SQL Integrators. He has worked for SQL Integrators for 12 years, including four of
those years with Aqualectra. Koyen is mainly responsible for the administration of
the Oracle databases for the following key applications:
Vis2000
Infor
Decade
Online Systems and cash registers
Based upon our preliminary interviews and observations, we have determined that
Koyen is an essential employee to the Aqualectra organization.
He is also very
knowledgeable and respected by his peers, but is also a concern for the
organization. Like Griffith, Koyen is also considered a one man show and a
potential risk to the organization should anything happen to him.
The entire management of the Aqualectra database is controlled by one person.
Although it was mentioned that SQL Integrators can send another individual in case
something were to happen to Mr. Koyen, it has come to our attention that no one at
SQL Integrators is as knowledgeable as Koyen.
In fact, database changes or
modification came to a complete halt when Koyen took a leave of absence for two
months. During this time, no additions or enhancements to the system were done.
The management of the Aqualectra database is dependent solely on Koyen with no
assistant or backup to provide redundancy in his absence.
Page 13 of 44

Confidential Report
BSD -
Recommendation
FTI
highly
recommends
the
introduction
of
an
in-house
Junior
Systems
Administrator/Database administrator. The position would be dual purpose in nature

to provide redundancy for both the Systems Administrator and the Database
Administrators job responsibilities. The Junior Systems Administrator/Database
Administrator
would
immediately
be
cross
trained
by
both
the
Systems
Administrator and Database Administrator and ultimately assume job overlapping

responsibilities in both areas. By assuming job overlapping responsibilities this
person would immediately fulfill the redundancy need in the area of job
responsibilities for both the Systems Administrator and Database Administrator
ultimately remedying the systems responsibility back-up needed in these two areas.
Page 14 of 44

Confidential Report
BSD -
The graphs below show the infrastructure of the Oracle databases for several
applications:
Page 15 of 44

Confidential Report
Page 16 of 44
BSD -

Confidential Report
Page 17 of 44
BSD -

Confidential Report
Page 18 of 44
BSD -

Confidential Report
Page 19 of 44
BSD -

Confidential Report
Page 20 of 44
BSD -

Confidential Report
Page 21 of 44
BSD -

Confidential Report
BSD -
2.1.4 Network Administrator

Based on our preliminary interviews and observations, we consider this department
one of the weakest departments in the entire IT structure of Aqualectra. The two
employees responsible for the Network Administration are Moraima Matilda and
Ludwin Henriette. These two individuals are responsible for addition of users to the
system, providing remote access, removal of users and configuration of all routers
and firewalls for the entire Aqualectra infrastructure.
During our observations, we noticed their dependency on NetPro (an outside
consulting company) for the administration of the routers and firewalls on a day-today basis. While we have not reviewed their current qualifications, it seems that
Matilda has a greater knowledge of the system than Henriette. In some instances,
we
observed
them
having
difficulties
troubleshooting
issues
and
properly
diagnosing the problems. Both of these users have administrative rights for the
entire network, as well as for all routers and firewalls.
This department manages the addition and deletion of users to the network.
However, we noticed that no one monitors or is held accountable for all users on the
network. If this department is never notified of any deletions from the system, the
user will be kept in the system with the same rights and access privileges until
notified. During our interviews we questioned the monitoring of the routers and
firewalls for possible penetrations. However, from the interviews it became obvious
that monitoring of the routers and firewalls for possible penetrations is nonexistent
for the entire Aqualectra network Infrastructure.
Page 22 of 44

Confidential Report
BSD -
A graph of the administration of the network by NetPro is provided below:
Page 23 of 44

Confidential Report
BSD -
Recommendation
The network administrators respective knowledge base should be evaluated to
determine the areas in which deficiencies exist.
The deficiencies should be
addressed by the network administrators participation in extensive specialized

training. Increasing the network administrators skill set will alleviate the excessive
daily use of the outside consultants Netpro. The role of Netpro should be limited
to major special projects and only under the direct supervision of the department
members.
It is further recommended that any outside consultants, inclusive of
Netpro, be provided with revocable credentials in an attempt to limit any potential

for compromising network security. Aqualectra should solely maintain the master
password.
Additionally, it is recommended all network alarms from routers and firewalls be
monitored on a daily basis.
facilitate notification.
Implementing network monitoring software may
Lastly, VPN access list should be reconciled periodically
against currently active employees of Aqualectra.

2.2
Aqualectra Network Infrastructure
The network has been built over many years into a collection of equipment
providing network services on a best effort basis. It is anticipated that the demands
being placed on the network by new business initiatives would force more and more
changes into the network and would demand service levels beyond the capabilities
of the current infrastructure. Inconsistent implementation over an extended period
of time allowed the network to develop into an unpredictable platform that is at risk
during any change or failure event.
Working in collaboration with the Network Support and Management team, our
Audit Team followed a defined process to discover all of the available relevant data.
The results from the data discovery exercise were then processed and analyzed for
all logical and physical network topology diagrams produced.
Page 24 of 44

Confidential Report
BSD -
Another major work stream was to examine the principles applied to the overall
network architecture and design templates and measures based on the industrys
known best practices. This exercise was also able to drive out the levels of network
resilience and determine how the architecture would cope with the business
continuity planning requirements.
Recommendation
Please refer to Network Analysis Report
2.2.1 Internet Access
The Internet connection for Aqualectra is provided by NetPro through wireless
connection and a redundant landline DSL provided by UTS.
The connection
provided by NetPro is a 6 MB wireless connection to the RIF office and a firewall has
been setup at the RIF location as a central point of entry. All VPN access into the
system is made through this connection and verified against the user ID and
password provided. Members of the VPN group are provided access to the internal
network.
Recommendation
Internet connection must be re-evaluated since the 6 MBs is insufficient with the
growth of Aqualectra. Further analysis must be made to determine whether a
wireless connection should be the redundant system instead of the main landline
connection. We are also concerned with the VPN access since the list of users is not
being verified against currently active employees.
2.2.2 SAN (Storage Area Network)
Aqualectra currently has three SAN environments and is monitored by EMC and by
local EMC support. One EMC, of CX500 13 Terabytes raw data, is located at the RIF
location and supports a CX300 located at Mundo Nobo and Nieuwe Haven. The
Page 25 of 44

Confidential Report
BSD -
current RIF SAN is approximately 79.5% full. The detail of the storage of the SAN is
as follows, reported in GBs:
VIS2000
187
Infor
424
Oracle Test Database
400
Decade
224
Decos
235
File Servers
1,500
Virtual Servers
2,207
Mail
752
Total
5,928 GB
Page 26 of 44

Confidential Report
The following graphs show the storage of the SAN environments:
Page 27 of 44
BSD -

Confidential Report
Page 28 of 44
BSD -

Confidential Report
Recommendations
Page 29 of 44
BSD -

Confidential Report
BSD -
After preliminary review of the SAN infrastructure, we have determined the SAN
device must be purchased before December 2011. The current system is reaching
EOL with support terminating in December 2011.
While this purchase is necessary,
we do not foresee based on preliminary numbers provided to us for a critical need

immediately. Based on current estimates and no major storage needs arise, we
estimate storage space available for approximately 1 year at its current state. In
addition, the current SAN infrastructure has no physical redundancy.
2.2.3 Server Room
The RIF server room is located next to the ICT room on the third floor. Even though
technology changes tend to make hardware more space-efficient over time, the
ability to expand, either within the current footprint of the building or through
additions, should be available to accommodate possible growth as the room
evolves.
The server room located at the RIF location is small and close to
outgrowing Aqualectras computer needs in the future. The HVAC system installed in
the server room is a regular non-monitored temperature system that does not
regulate humidity vs. temperature.
2.2.4 Security
Keeping updated with service packs, patches, and locking down systems can only
provide limited security. Every security plan needs to address the physical security
of the hardware by housing and passing the data through the infrastructure.
Keeping up with service packs and patches from different vendors will not prevent
an individual from walking inside the server room and ruining and/or stealing the
hardware.
First, to establish security a strict policy should be implemented to allow access to
the server room to only those employees who need to be in or enter the room.
There are three individuals who have access to the server room, who are Julius
Griffith, Moraima Matilda and Ludwin Henriette. The server room at the RIF location
Page 30 of 44

Confidential Report
BSD -
is the only location protected by a keycard entry system. There are no camera
systems installed at any of the locations to monitor entry to the server rooms.
Recommendation
The RIF server room must be expanded or located within a computer room and/or
area that offer the potential for future expansion. Even though technology changes
tend to make hardware more space-efficient over time, the ability to expand, either
within the current footprint of the building or through additions, should be available
to accommodate possible growth as the room evolves.
Install at all three server locations - RIF, Mundo Nobo and Nieuwe Haven - a camera
system to detect entry into any of the three locations. Additionally, at the At Mundo
Nobo and Nieuwe Haven locations we recommend installing a card entry system
and removing the glass panel located next to entry door.
This is a security risk
since the glass can be broken and the server room accessed. Also, At the Nieuwe
Haven location, we did not find any power regulators or Uninterruptable Power
Supply systems. While we understand that the power obtained at this location is
uninterruptable, the sensitive equipment should be plugged in to a voltage
regulation system.
Likewise, another aspect of security is the installation of devices to protect the
investments made, such as fire detection and suppression systems and water
detection systems. The physical environment of the server rooms should be
rigorously controlled. Air conditioning is used to control the temperature and
humidity in the server room. ASHRAE's "Thermal Guidelines for Data Processing
Environments recommends a temperature range of 1624 C (6175 F) and
humidity range of 4055% with a maximum dew point of 15C as optimal for data
center conditions.
Page 31 of 44

Confidential Report
BSD -
2.2.4.1 RIF
The following pictures show the key access entry to the RIF server room location:
Page 32 of 44

Confidential Report
2.2.4.2 Mundo Nobo

The following pictures show the entrance to the Mundo Nobo location:
2.2.4.3 Nieuwe Haven

The following pictures show the entrance to the Nieuwe Haven location:
2.2.5 Backup Procedures

Page 33 of 44
BSD -

Confidential Report
BSD -
Aqualectra uses Symantec Backup Exec to backup all of its servers and the SAN
environment on a daily basis. Backups are run daily for all Oracle databases, SQL
Databases, Virtual machines, User Files, Exchange database, Intranet Groups and
Share drives. Operating systems and applications are backed up once a week. On
Sundays, a full backup is run at night. All Oracle databases are compressed and also
backed to another server in another location as a secondary backup to tape. All
backups are stored on HP LTO four tapes. Daily backups are stored on four tapes
and weekly backups are stored on 7-8 tapes. All tapes are encrypted and passwords
are maintained by the three local administrators mentioned before.
Backup rotations are as follows:
All backups are stored in a secured location
Daily backups are picked up every day by Panamericano
Yearly and monthly backups are maintained in a secured area
Recommendations
Yearly backups should be maintained and stored offsite with the daily backups.
Monthly backups should also be maintained and Two months should be kept onsite
in a secured location and the rest should be stored off site. We highly recommend
retrieving certain files from a subset of tapes to verify their integrity. Backup logs
need to be reviewed and checked so critical servers are never discarded or ignored.
Page 34 of 44

Confidential Report
2.3
BSD -
Disaster Recovery / Business Continuity Plan
During our interviews and meetings with management and staff, we have found
Aqualectra does not have a Disaster Recovery Plan or a Business Continuity Plan. A
backup and Disaster Recovery Plan dating back to 2006 was provided to us,
however, the report does not reflect the logistics nor the procedures to be followed
if such disaster should occur at Aqualectra. In the report, there is no mention of
data being stored off the island in case of a disaster. In the current environment if a
disaster should occur to the island, all data would also be lost without possibility of
recovery since all the data is stored on the island.
A Disaster Recovery Plan (DRP) should define the resources, actions, tasks, and data
required to manage the business recovery process in the event of a business
interruption. The world is changing and organizations need to prepare for natural or
manmade disasters that could disrupt business processes. Customers and millions
of dollars could potentially be lost and never recovered if business processes are
disrupted, IT systems exceed their Recovery Time Objective (RTO), or data exceeds
the Recovery Point Objective (RPO).
The DRP is designed to assist in restoring the
business process within the stated disaster recovery.

The Business Continuity Plan resumes business processes and the Disaster
Recovery Plan resumes the IT systems. The objective of a DRP is to restore the
operability of systems that support mission-critical and critical business processes
to normal operation as quickly as possible. Business continuity planning integrates
the business resumption plan, occupant emergency plan, incident management
plan, continuity of operations plan, and disaster recovery plan.
Recommendations
The focus of a Disaster Recovery Plan (DRP) is to restore the operability of systems
that support mission-critical and critical business processes. The objective is for the
organization to return to normal operations as soon as possible. Since many
mission-critical
and
critical
business
processes
depend
on
technology
infrastructure consisting of applications, data, and IT hardware, the DRP should be

an IT focused plan. Aqualectra must develop a Disaster Recovery Plan for all
Page 35 of 44

Confidential Report
BSD -
applications. Restoration of systems does not necessarily imply technology

redundancy. The Aqualectra DRP may call for some procedures to be completed
manually. The decision to revert to manual procedures, rather than to build and
maintain an IT infrastructure is a cost-driven decision made by the organization.
Having a DRP in place reduces the risk that the length of time that a disruption in a
business process does not go beyond what has been determined to be acceptable
by management in the organization.
Page 36 of 44

Confidential Report
2.4
BSD -
Software Applications
2.4.1 Critical Systems

The following is a list of critical systems:
Vis2000-
Post paid application used for billing
Pagatinu-
Pre-Paid System used for all prepaid purchases
Infor-
Inventory and distribution system
Decade-
Financial system.
Aqualectra has two methods of selling electricity to consumers, through post paid
sales (VIS2000) and prepaid sales (Pagatinu).
2.4.1.1 VIS2000
The VIS2000 application was implemented in 2000. The application was developed
by Aqualectra with the assistance from the outside consultants SQL Integrators. The
program is written in Oracle with an Oracle database. This application is maintained
by the consultants SQL Integrators and Joep Koyen as the database administrator.
During our interviews with the IT staff at Aqualectra, a discussion of the database
structure of the VIS 2000 system let us to further investigate this matter. The VIS
2000 Oracle database, which stores all of the VIS 2000 data, is running with version
10.1 and is no longer supported or maintained by Oracle.
Recently the company encountered a problem with the index optimization of the
Oracle 10.1 database, which disabled the entire system for an entire day. This is a
major concern since the VIS 2000 system is extremely vital financially to the
organization and at any point in time this incident could happen again causing the
system to fail. It is our concern as to why the IT department has not upgraded to the
latest version of the Oracle database 11.xx that includes the latest patches and
Page 37 of 44

Confidential Report
BSD -
support. There is no additional cost in licenses since the IT department has been
paying yearly maintenance fees for years now, which include free upgrades to the
newest Oracle licenses. An upgraded Version 10.2 has been available in the market
since July 2005.
Additionally, the system is encountering various other errors. This is taking an
additional amount of space on the SAN and the entire environment must be
continuously cleared manually. The Oracle administrators are concerned with the lack
of support from Oracle since this product is no longer supported. While we
understand that the VIS2000 core system is also outdated and must be replaced, it is
imperative to upgrade the database structure immediately to allow Aqualectra to
comfortably extend its research until the new system is implemented.
Meter reading is also entered into the VIS2000 system through batch files.
Once a
meter reader enters the usage information into their portable device, a text file is
created at the end of day and stored on the network. This file is Unencrypted.
Recommendations
We recommend further analysis with the current database administrator and VIS2000
developers to determine the effects of upgrading the database with a minimal impact
on the source code and related programs. The key problem we see in the upgrade is
that the scheduling program associated with the VIS2000 must also be updated.
Several scheduling programs have been reviewed, but no decision has been made
yet. Once we determine the impact this upgrade will have on the VIS2000 and related
applications, we can begin developing an implementation plan for the database
upgrade.
In addition to the upgrade of the database, we highly recommend
evaluating all the security and group rights in VIS2000. These rights are independent
of those from the network.
The Infor and decade databases have been already
upgraded by their respective outside companies.

Metered files collected should be encrypted each day and placed in a secure location
on the network.
Page 38 of 44

Confidential Report
BSD -
2.4.1.2 Pagatinu
Pagatinu is Aqualectras pre paid system for consumption purchases. Pagatinu is a
third party application created and maintained by Conlog. The application is also
supported by Conlog, which is located in South Africa. Clients can purchase amounts
of consumption from local branches, MCB Bank merchants and or various other
merchants throughout the island.
When a customer purchases credits through a point of sale system or any
participating merchant, it connects with the Pagatinu system and sends the terminal
number and the amount requested. Based on the terminal number, amount, date
and time, a 20 number algorithm is provided to the client from the Pagatinu system.
That number is entered into the clients terminal and the amount purchased is then
available for the client.
All sales through the Pagatinu system are reconciled with bank reports and then
sent to Decade (the financial system). There is no connectivity between the
Pagatinu system and any other system at Aqualectra. Every entry in VIS2000 is also
entered into Pagatinu. All financial information is provided to accounting through
reports.
2.4.1.3 Decade
Decade is the financial system utilized by Aqualectra for all of its financial,
accounting and General Ledger reporting.
The program is maintained by the
consultants SQL integrators and is also purchased through a third party vendor. The
critical applications like VIS2000 and Pagatinu have no interface with the Decade
system and financial information is entered manually through various spreadsheets
exported from Vis2000 or Pagatinu.
Page 39 of 44

Confidential Report
BSD -
The financial and accounting departments are provided with daily or monthly
spreadsheets listing single General Ledger and sales numbers to be entered
manually into the decade system. No account information of the client is maintained
in Decade.
On the other hand, Infor has an interface with Decade. When Infor produces
purchase orders, inventory, work orders, etc., the information is transferred to
Decade to maintain control of items purchased and items to be paid. Infor in the
only program that interacts with Decade through an automated interface system.
VIS2000 and Pagatinu send information monthly to accounting through various
spreadsheets and reports that are manually entered into system.
2.4.1.4 Infor/CAMMS
CAMMS Computerized Asset Maintenance and Management System handles assets,
work orders, inventory, purchase orders, etc.
Also a logistic and procurement
application made by third party company Infor.
The application uses an Oracle
Database supported and maintained by SQL Integrators Joep Koyen as the database
administrator.
The Infor application among other things is utilized for work orders,
purchase order and inventory control. The only interface between Infor and VIS2000
is just for work orders.
monitored.
Infor also controls all the maintenance of equipment and
Purchase orders are issued by Infor and matched against the invoice,
once approved, the request for payment is sent to Decade.
One of the concerns
about the system is the lack of processes between the distribution and production in
which each area works independently.
The system is very sophisticated, but the
individual employee processes are lack.

Recommendations
After a preliminary review of all four critical systems utilized by Aqualectra, there is
no single program centralizing all the information stored for vendor/customer. Once
a new customer has applied for Aqualectra service, the information is entered into
the VIS2000 system and a customer number is issued. If the client requests the
Pagatinu service, the same information is re-entered into the Pagatinu system.
Page 40 of 44

Confidential Report
BSD -
There is no correlation between these two systems. Both systems must be

maintained manually for the same client. In order to obtain detail information
pertaining to a certain client, the Aqualectra employees must access each system
separately and print separate reports.
All financial information is also manually
entered into the decade system from all other critical applications. Aqualectra must
focus on replacing the existing critical systems with a cross platform system
integrating all 4 critical systems into one application.
One of those applications
would be a CRM (Customer Relationship Management), is designed to reduce costs

and increase profitability by solidifying customer information.
A true CRM brings
together information from all data sources within an organization (and where
appropriate, from outside the organization) to give one, holistic view of each
customer in real time. This allows customer facing employees in such areas as
sales, customer support, and finance to make quick yet informed decisions.
Application owners and application managers are not well defined in the processes
of the applications. In some cases the application owners and application managers
are de-centralized and many decisions would be delayed due to lack of
documentation or knowledge.
We highly recommend evaluating all the security and group rights in VIS2000, Infor,
Decade and Pagatinu. These rights are independent of those from the network.
The following graph shows a summary of all databases and current versions
Page 41 of 44

Confidential Report
BSD -
2.4.1.5 SCADA
The SCADA (Supervisory Control and Data Acquisition) is a system that collects data
from various sensors at the electrical and water plant and sends this data to a
central computer that then manages and controls the data. The SCADA software
runs on four servers, of which two are online and two are backup running on
Windows servers 2003. The information server collects information from the data
collectors and sent to the servers by 13 electrical and 15 water substations. Many of
the electrical components can be controlled by the SCADA server, but the water
collectors are only for monitoring purposes.
The SCADA network utilizes the same fiber ring as Aqualectra, but is protected by its
own firewall and router.
This network is controlled by NetPro and the network
administration. VNC and Net meeting are used by outside vendors to access the
system for maintenance and troubleshooting.
Recommendation
The SCADA network is in a highly sensitive environment where the electrical plants
can be controlled by the software. It is crucial that this network is isolated from the
rest of the organization and treated as such. Currently the network is also being
managed by the same company that provides 100% of the Aqualectra network
NetPro. It is our recommendation to evaluate this network thoroughly and provide
a vulnerability assessment on the entire SCADA network.
Page 42 of 44

Confidential Report
BSD -
The following table shows a summary of all applications and their respective
owners:
Page 43 of 44

Confidential Report
2.4.2 ICT Monthly Budget Report

The following graph shows a copy of the ITC monthly report:
Page 44 of 44
BSD -

Forensic Analysis of Aqualectra's IT Infrastructure

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Forensic Analysis of Aqualectra's IT Infrastructure

Diunggah oleh

Hak Cipta:

Format Tersedia

05

Forensic Analysis of Aqualectras IT Infrastructure

To: Supervisory Board of Integrated Utility Holding N.V.

Forensic Analysis of Aqualectras IF Infrastructure

Aqualectra Network Infrastructure 24

Disaster Recovery / Business Continuity Plan 34

Forensic Analysis of Aqualectras IF Infrastructure

Complete ICT System Analysis

Forensic Analysis of Aqualectras IF Infrastructure

Identify the employees and their responsibilities in the following applications:

Conduct internal audits of the following systems and/or procedures:

Forensic Analysis of Aqualectras IF Infrastructure

Forensic Analysis of Aqualectras IF Infrastructure

Extreme dependency on outside key personnel leaves Aqualectra vulnerable

Outside consulting firms have full access to Aqualectras entire network

SCADA network is connected to the entire Aqualectra backbone and

There is no monitoring of a possible breach of security in the entire

There is no Business Continuity Plan/Disaster Recovery Plan in case of an

Forensic Analysis of Aqualectras IF Infrastructure

The current recovery backup plan is outdated.

Vulnerabilities were discovered on Apache server 206.107.225.29.

No redundancy on main switches.

Critical equipment (Routers and Switches) used lacks redundancy.

Staffing in key IT departments lack the proficiency to diagnose immediate

Critical applications have no audit trail logging.

Forensic Analysis of Aqualectras IF Infrastructure

Dependency on outside contractors reduces the level of control of the entire

Segregation of duties and access to critical areas by personnel conflicts with

Assigned application owners are selected without any proper knowledge of

There is a need to address issues regarding IT policies, procedures and

Outdated key applications are maintained by outside consultants.

No access controls to Mundo Nobo and Nieuwe Haven server rooms.

Forensic Analysis of Aqualectras IF Infrastructure

2. The Audit Process

We interviewed with over 15 key employees from various

departments and have highlighted the areas that need to be addressed:

The current Information Technology Department (hereafter as IT) consists of 16

The IT manager, Mr. John Van

Forensic Analysis of Aqualectras IF Infrastructure

Varsseveld, has overall responsibilities for the IT Department. He reports directly to

The departments are divided as Information Systems Advisor,

Helpdesk, Workstation Support, network administrator, Analyst (Functional and

Database Administrator: Joep Koyen

Network Administrators: Moraima Matilda and Ludwin Henriette

2.1.1 Administrator Access

Creating or deleting user accounts on the computer/server;

Forensic Analysis of Aqualectras IF Infrastructure

Creating account passwords for other users on the computer/server;

Changing others' account names, pictures, passwords, and types/server.

Administrative rights are permissions granted by administrators to users allowing

Secure Vault ( Sealed Envelope)

Passwords are changed every 60 days.

Forensic Analysis of Aqualectras IF Infrastructure

Storage of Data (SAN)

Hardware component failures at the server level

Server software installations

System-wide backups of all servers and applications

Intranet administrator of SharePoint and departmental portals on SharePoint

File system administrator

Administrator of virtual servers.

Based upon our preliminary interviews and observations, we conclude Griffith to be

The position would be dual purpose in

The Junior Systems Administrator/Database