Maroochy water breach

Upload: sommerville-videos

Post on 11-Nov-2014

DESCRIPTION

Slides to accompany video. Describes cybersecurity case study of an attack on critical infrastructure

TRANSCRIPT

Page 1: Maroochy water breach

Maroochy SCADA attack, 2013 Slide 1

Cybersecurity Case Study

Maroochy water breach

http://www.slideshare.net/sommervi/cs5032-case-study-maroochy-water-breach

Page 2: Maroochy water breach

Maroochy Shire

Image credit: http://www.hinterlandtourism.com.au/attractions/the-maroochy-river/

Page 3: Maroochy water breach

Maroochy shire sewage system

• SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999

• In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

Page 4: Maroochy water breach

SCADA setup

Typical SCADA-controlled sewage system. This is not the system that was attacked.

Page 5: Maroochy water breach

SCADA sewage control

• Special-purpose control computer at each station to control valves and alarms

• Each system communicates with and is controlled by central control centre

• Communications between pumping stations and control centre by radio, rather than wired network

Page 6: Maroochy water breach

What happened

More than 1m litres of untreated sewage released into waterways and local parks

Page 7: Maroochy water breach

Technical problems

• Sewage pumps not operating when they should have been

• Alarms failed to report problems to control centre

• Communication difficulties between the control centre and pumping stations

Page 8: Maroochy water breach

Insider attack

• Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation.

• He left in 1999 after disagreements with the company.

• He tried to get a job with local Council but was refused.

Page 9: Maroochy water breach

Revenge!

• Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems

– He hoped that Hunter Watertech would be blamed for the failure

• Insiders don’t have to work inside an organisation!

Page 10: Maroochy water breach

What happened?

Image credit: http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf

Page 11: Maroochy water breach

How it happened

• Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop

• He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station

• Insecure radio links were used to communicate with pumping stations and change their configurations

Page 12: Maroochy water breach

Incident timeline

• Initially, the incidents were thought to have been caused by bugs in a newly installed system

• However, analysis of communications suggested that the problems were being caused by deliberate interventions

• Problems were always caused by a specific station id

Page 13: Maroochy water breach

Actions taken

• The system was configured so that this station id was no longer used, so any message carrying it had to be malicious

• Boden, as a disgruntled insider, fell under suspicion and was put under surveillance

• Boden’s car was stopped after an incident, and the stolen hardware and radio system were discovered
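
Added example, not part of the original slides: the analysis from the "Incident timeline" and "Actions taken" slides written as detection logic. It finds the sender id that addressed the affected station shortly before every fault, then treats any later message carrying that retired id as an alert. The log format, station ids, command names, fault records and the ten-minute window are constructed assumptions, not details of the Maroochy system.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample traffic log (the format is an assumption for illustration):
# ISO timestamp, sender station id, target station id, command
LOG = """\
2000-03-01T02:10:00 src=CTRL dst=PS07 cmd=POLL
2000-03-01T02:11:30 src=PS14 dst=PS07 cmd=SET_CONFIG
2000-03-01T09:00:00 src=CTRL dst=PS21 cmd=SET_CONFIG
2000-03-02T23:40:10 src=PS14 dst=PS33 cmd=SET_CONFIG
2000-03-03T04:00:00 src=PS09 dst=CTRL cmd=STATUS
2000-03-05T01:15:00 src=PS14 dst=PS21 cmd=ALARM_OFF
"""
# Constructed fault records: (time the fault was observed, affected station)
FAULTS = [("2000-03-01T02:15:00", "PS07"), ("2000-03-02T23:45:00", "PS33")]

def parse(log):
    """Turn each log line into a dict with a parsed timestamp."""
    out = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        msg = dict(f.split("=", 1) for f in fields)
        msg["ts"] = datetime.fromisoformat(ts)
        out.append(msg)
    return out

def common_sources(messages, faults, window=timedelta(minutes=10)):
    """Sender ids that addressed the faulting station shortly before EVERY fault."""
    seen = Counter()
    for when, station in faults:
        t = datetime.fromisoformat(when)
        senders = {m["src"] for m in messages
                   if m["dst"] == station and t - window <= m["ts"] <= t}
        seen.update(senders)
    return sorted(s for s, n in seen.items() if n == len(faults))

def tripwire(messages, retired_ids):
    """Once an id is retired, any message still carrying it is an alert."""
    return [m for m in messages if m["src"] in retired_ids]

if __name__ == "__main__":
    msgs = parse(LOG)
    suspects = common_sources(msgs, FAULTS)
    print("ids present before every fault:", suspects)
    # Assumption: the suspect id was retired on 2000-03-04; later use is flagged.
    cutoff = datetime(2000, 3, 4)
    for m in tripwire([m for m in msgs if m["ts"] >= cutoff], set(suspects)):
        print("ALERT retired id in use:", m["ts"].isoformat(), m["src"], "->", m["dst"], m["cmd"])
```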

Page 14: Maroochy water breach

Causes of the problems

• Installed SCADA system was completely insecure

– No security requirements in contract with customer

• Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software

• Insecure radio links were used for communications

Page 15: Maroochy water breach

Causes of the problems

• Lack of monitoring and logging made detection more difficult

• No staff training to recognise cyber attacks

• No incident response plan in place at Maroochy Council

Page 16: Maroochy water breach

Aftermath

• On October 31, 2001 Vitek Boden was convicted of:

– 26 counts of willfully using a computer to cause damage

– 1 count of causing serious environmental harm

• Jailed for 2 years

Page 17: Maroochy water breach

Finding out more

http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf

http://harbor2harbour.com/?p=144

http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf

http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf