Maroochy water breach
DESCRIPTION
Slides to accompany video. Describes a cybersecurity case study of an attack on critical infrastructure.
TRANSCRIPT
Maroochy SCADA attack, 2013 Slide 1
Cybersecurity Case Study
Maroochy water breach
http://www.slideshare.net/sommervi/cs5032-case-study-maroochy-water-breach
Maroochy Shire
Image credit: http://www.hinterlandtourism.com.au/attractions/the-maroochy-river/
Maroochy shire sewage system
• SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999
• In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage
SCADA setup
Typical SCADA-controlled sewage system. This is not the system that was attacked.
SCADA sewage control
• Special-purpose control computer at each station to control valves and alarms
• Each system communicates with and is controlled by central control centre
• Communications between pumping stations and control centre by radio, rather than wired network
What happened
More than 1m litres of untreated sewage released into waterways and local parks
Technical problems
• Sewage pumps not operating when they should have been
• Alarms failed to report problems to control centre
• Communication difficulties between the control centre and pumping stations
Insider attack
• Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation.
• He left in 1999 after disagreements with the company.
• He tried to get a job with local Council but was refused.
Revenge!
• Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems
– He hoped that Hunter Watertech would be blamed for the failure
• Insiders don’t have to work inside an organisation!
What happened?
Image credit: http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
How it happened
• Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop
• He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station
• Insecure radio links were used to communicate with pumping stations and change their configurations
Incident timeline
• Initially, the incidents were thought to have been caused by bugs in a newly installed system
• However, analysis of communications suggested that the problems were being caused by deliberate interventions
• Problems were always caused by a specific station id
Actions taken
• System was configured so that this id was no longer used, so any message from it had to be malicious
• Boden, as a disgruntled insider, fell under suspicion and was put under surveillance
• Boden’s car was stopped after an incident and stolen hardware and radio system discovered
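The two detection steps described above (faults traced to one station id, then that id taken out of service so any message carrying it is hostile), as an added example that is not from the original slides. The log format, station ids and function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of control-centre radio log lines (format is an assumption).
SAMPLE_LOG = """\
2000-01-01T02:00:05 src=17 dst=3 type=STATUS
2000-01-01T02:00:40 src=900 dst=3 type=CONFIG_WRITE
2000-01-01T02:01:10 src=3 dst=0 type=FAULT
2000-01-01T02:30:00 src=21 dst=0 type=STATUS
2000-01-01T03:10:12 src=900 dst=8 type=CONFIG_WRITE
2000-01-01T03:11:00 src=8 dst=0 type=FAULT
2000-01-01T04:00:00 src=555 dst=0 type=STATUS
"""

LINE = re.compile(r"(\S+) src=(\d+) dst=(\d+) type=(\w+)")

def parse(log):
    """Yield (timestamp, src, dst, msg_type) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), int(m[2]), int(m[3]), m[4]

def suspect_ids(log, window=timedelta(minutes=5)):
    """Per source id, count faults that follow its config write to the faulting station."""
    writes, hits = [], Counter()
    for ts, src, dst, kind in parse(log):
        if kind == "CONFIG_WRITE":
            writes.append((ts, src, dst))
        elif kind == "FAULT":
            for wts, wsrc, wdst in writes:
                if wdst == src and timedelta(0) <= ts - wts <= window:
                    hits[wsrc] += 1
    return hits

def retired_id_alerts(log, allocated, retired):
    """Flag traffic claiming a retired id (no genuine sender exists) or an unallocated id."""
    alerts = []
    for ts, src, dst, kind in parse(log):
        if src in retired:
            alerts.append((ts.isoformat(), src, "retired-id"))
        elif src not in allocated:
            alerts.append((ts.isoformat(), src, "unknown-id"))
    return alerts
```

Running suspect_ids first identifies the id to retire; retired_id_alerts then turns every later message from that id into a high-confidence alert, which only works if the radio traffic is logged in the first place.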
Causes of the problems
• Installed SCADA system was completely insecure
– No security requirements in contract with customer
• Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software
• Insecure radio links were used for communications
Causes of the problems
• Lack of monitoring and logging made detection more difficult
• No staff training to recognise cyber attacks
• No incident response plan in place at Maroochy Council
Aftermath
• On October 31, 2001 Vitek Boden was convicted of:
– 26 counts of willfully using a computer to cause damage
– 1 count of causing serious environmental harm
• Jailed for 2 years
Finding out more
http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
http://harbor2harbour.com/?p=144
http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf