SCADA SYSTEMS – GLOBAL INCIDENTS Sewage Hacker - SCADA system of Maroochy Water Services in Australia beginning in January 2000, which saw millions of gallons of sewage spill into waterways, hotel grounds and canals around the Sunshine Coast suburb Trans-Siberian Pipeline USSR - spectacular trans-Siberian pipeline disaster in 1982 Nuclear Power Plant, US - California, The vulnerability was demonstrated by a January event at the shutdown Davis-Besse nuclear power plant. The worm infection increased data traffic in the site’s network, resulting in the plant’s Safety Parameter Display System and plant process computer being unavailable for several hours Power Grid, US - California, hackers broke into computer systems owned by California's primary electric power grid operator and remained undetected for 17 days Airport Hacker, US - Massachusetts, a computer hacker who disabled a key telephone company computer servicing the Worcester airport. As a result of a series of commands sent from the hacker's personal computer, vital services to the FAA control tower were disabled for six hours in March of 1997. In the course of his hacking, the defendant also electronically broke into a pharmacy computer and copied patient records.
STUXNET BACKGROUND Stuxnet is a Windows computer worm discovered in July 2010. Targets industrial software and equipment. Its speculated that stuxnet was specifically designed to damageIran nuclear facilities and widely believed stuxnet introduced delay in Iran's Bushehr Nuclear Power Plant startup The first to include a programmable logic controller (PLC) rootkit.
Security issues and mitigation techniques Security Information and Event Management systems Intrusion monitoring systems integrated with SIEM Implement “Extrusion Detection” Implement passive vulnerability scanners (PVS) on the control systems network
JUNIPER IDP SCADA SIGNATURES SCADA:DNP3:DISABLE-RESP - This signature detects attempts to stop unsolicited responses from devices. Attackers can prevent devices from sending alarms SCADA:DNP3:READ - This signature detects attempts by clients to read information from a Programmable Logic Controller (PLC). Attackers can use this information to plan future, more targeted attacks SCADA:DNP3:STOP - This signature detects attempts to stop a DNP3 server SCADA:DNP3:WARM-RESTART- This signature detects attempts to reinitialize a PLC or DNP3 server SCADA:MODBUS:LISTEN-ONLY -This signature detects attempts to force a Programmable Logic Controller (PLC) into listen-only mode, in which the PLC does not respond to request packets SCADA:MODBUS:DOS - This signature detects attempts to force a Programmable Logic Controller (PLC) to restart. The PLC is unavailable while powering on