Plant Automation Security
Review of Cyber Security Attack at Maroochy Water Services
Bradley Yager, National Business Development Manager – Telemetry Solutions, Schneider Electric

Post on 28-Dec-2015


What is a SCADA / Telemetry System

Collects measurement and operational data from devices spread across geographically dispersed assets and delivers the data over a wide area communication infrastructure to a central control room for supervision, monitoring, analysis and business decision-making.

[Diagram labels: Analog or Digital (Temperature, Pressure, Flow, Level, Humidity, Moisture...); RTU; Remote Radio; Base Radio; SCADA Software; Sensors; network; Enterprise IT]


The Maroochy Incident


The Facts

●There were sustained attacks on the system over several months
●Severity of the attacks escalated over time
●Mainly spurious alarms, intermittent faults, increased network congestion (denial of service), changing setpoints
●Issues often coincided with bad weather
●Were able to prove third party intrusion mid March, over a month and a half after attacks most likely started
●Attacker was not caught until 23rd April, another month on


Cyber Battle

●Initially assumed breaking into pump stations, didn’t consider stolen equipment

●On 16th March, were able to disable attacker’s device temporarily by using the same tactics

●Attempting to disable attacker’s device escalated the situation

●Was it the right thing to do?


Discussion Topics

●Security through obscurity – does the Maroochy incident suggest it does or doesn’t work?

●Nothing could be proved until everything was logged, but this alone was still not enough

●Malicious human interference was the last thing considered – at what point should it have been?

●Know your system, and know what is normal. This is the only way to detect the abnormal.

●Most people working on SCADA/Control Systems would be aware of ways to disrupt normal operation – how do you combat this?

●Utilities may conduct background checks, but do they force their contractors to do the same?


Court Proceedings

●Heard over 9 days

●Sacked his lawyer after first day

●Convicted on 26 charges including:

● Using a restricted computer without the consent of its controller thereby intending to cause detriment or damage

● Wilfully and unlawfully causing serious environmental harm

● Stealing


What is the correct Reaction?

●Even after we’d proven intrusion was occurring – how do you stop it?
●Modified protocol in use at each site. Effectively rolled out new encrypted ‘key’ to each site, only known to a few people.
●This is a time consuming process, each site had to be physically visited.
●Only once this was complete did the hacking stop, weeks after it had been identified and initial action had been taken

●Have your strategy ready before, and act quickly in a considered way
●Have a close relationship with your product vendor
●Hacking isn’t always obvious, many intrusions go unnoticed – understand your system, and look for the abnormal


DNP3 Secure

[Diagram: message exchange between Master and Outstation]

Non-critical message: Master sends non-critical message; Outstation performs operation and returns standard protocol response.

Critical message: Master sends critical message; Outstation returns authentication challenge; Master returns authentication response; Outstation authenticates & performs operation, then returns standard protocol response.

● Non-critical messages operate as usual

● Critical messages are “challenged”

● Operation is only carried out if the challenge “passes”

Secure method for assuring that only authorised devices are able to successfully request execution of critical commands such as setting outputs, transfer of files, or configuration changes
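The challenge-response flow described above, as an added example that is not from the original slides: a simplified Python model, not the DNP3 Secure Authentication wire format. The message names, the set of critical requests, the key handling and the HMAC-SHA-256 tag over challenge plus request are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed set; the slide names setting outputs, file transfer, config changes.
CRITICAL = {"OPERATE", "FILE_TRANSFER", "WRITE_CONFIG"}

def mac(key, challenge, request):
    # The tag binds the fresh challenge to the exact request being authorised.
    return hmac.new(key, challenge + request.encode(), hashlib.sha256).digest()

class Outstation:
    def __init__(self, key):
        self._key = key
        self._pending = None   # (challenge, request) awaiting authentication
        self.performed = []    # operations actually carried out

    def receive(self, request):
        if request.split()[0] not in CRITICAL:
            self.performed.append(request)   # non-critical: operate as usual
            return "RESPONSE", None
        self._pending = (secrets.token_bytes(16), request)
        return "CHALLENGE", self._pending[0]

    def authenticate(self, tag):
        if self._pending is None:
            return "AUTH_FAILED"
        challenge, request = self._pending
        self._pending = None   # each challenge is single use, pass or fail
        if not hmac.compare_digest(tag, mac(self._key, challenge, request)):
            return "AUTH_FAILED"
        self.performed.append(request)
        return "RESPONSE"

def send(key, outstation, request, replayed_tag=None):  # master side
    kind, challenge = outstation.receive(request)
    if kind != "CHALLENGE":
        return kind, None
    tag = replayed_tag or mac(key, challenge, request)
    return outstation.authenticate(tag), tag

def demo():  # constructed sample requests; keys are random per run
    site_key, other_key = secrets.token_bytes(32), secrets.token_bytes(32)
    rtu = Outstation(site_key)
    read = send(site_key, rtu, "READ level")[0]
    operate, captured = send(site_key, rtu, "OPERATE pump1 start")
    wrong_key = send(other_key, rtu, "OPERATE pump1 stop")[0]
    replay = send(other_key, rtu, "OPERATE pump1 start", captured)[0]
    return [read, operate, wrong_key, replay], rtu.performed
```

The last two calls in `demo()` model a device that lacks the site key: one answers the challenge with the wrong key, the other replays a tag captured from an earlier valid exchange, and neither operation is performed.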


Conclusion

●Understand what is normal, so you can detect the abnormal
●Have detailed logging
●Have a prepared considered action plan, don’t be caught unawares

●Some helpful places:
● SCADA community of Interest – A working party of the IT Security Expert Advisory Group. Has more than 180 Industry and government representatives
● Forum of Australian SCADA Vendors – Involved in SCADA CoI Practitioner/Vendor Forums
