Maroochy SCADA attack, 2013 Slide 3

Maroochy shire sewage system
• SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999
• In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

Slide 4

SCADA setup
Typical SCADA-controlled sewage system
This is not the system that was attacked

Slide 5

SCADA sewage control
• Special-purpose control computer at each station to control valves and alarms
• Each system communicates with and is controlled by central control centre
• Communications between pumping stations and control centre by radio, rather than wired network

Slide 6

What happened
More than 1m litres of untreated sewage released into waterways and local parks

Slide 7

Technical problems
• Sewage pumps not operating when they should have been
• Alarms failed to report problems to control centre
• Communication difficulties between the control centre and pumping stations

Slide 8

Insider attack
• Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation.
• He left in 1999 after disagreements with the company.
• He tried to get a job with local Council but was refused.

Slide 9

Revenge!
• Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems
  – He hoped that Hunter Watertech would be blamed for the failure
• Insiders don’t have to work inside an organisation!

Slide 11

How it happened
• Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop
• He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station
• Insecure radio links were used to communicate with pumping stations and change their configurations

Slide 12

Incident timeline
• Initially, the incidents were thought to have been caused by bugs in a newly installed system
• However, analysis of communications suggested that the problems were being caused by deliberate interventions
• Problems were always caused by a specific station id

Slide 13

Actions taken
• System was configured so that that id was not used, so messages from there had to be malicious
• Boden, as a disgruntled insider, fell under suspicion and was put under surveillance
• Boden’s car was stopped after an incident and stolen hardware and radio system discovered
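
The detection steps on the two slides above (faults traced back to one station id, then that id retired so that any further message using it is malicious), as an added example that is not part of the original slides. The log line format, the station ids, the cut-over time and the function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample radio log (not data from the incident):
# <seconds> <kind> <key=value ...>
LOG = """\
100 CMD src=14 dst=22 pump=off
130 FAULT station=22 reason=pump_not_running
200 CMD src=01 dst=09 pump=on
410 CMD src=14 dst=31 alarm=disable
420 FAULT station=31 reason=alarm_not_reported
600 CMD src=01 dst=22 pump=on
700 CMD src=14 dst=17 pump=off
705 CMD src=01 dst=17 pump=on
740 FAULT station=17 reason=pump_not_running
900 CMD src=14 dst=09 pump=off
"""

def parse(log):
    """Turn each log line into a dict with t, kind and its key=value fields."""
    events = []
    for line in log.strip().splitlines():
        t, kind, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev.update(t=int(t), kind=kind)
        events.append(ev)
    return events

def sources_behind_faults(events, window=60):
    """Ids that commanded the faulting station within `window` seconds
    before every recorded fault (the 'specific station id' pattern)."""
    faults = [e for e in events if e["kind"] == "FAULT"]
    hits = Counter()
    for f in faults:
        hits.update({e["src"] for e in events
                     if e["kind"] == "CMD" and e["dst"] == f["station"]
                     and 0 <= f["t"] - e["t"] <= window})
    return sorted(s for s, n in hits.items() if n == len(faults))

def tripwire(events, retired_ids, since):
    """Commands that still claim a retired id after it left service."""
    return [e for e in events if e["kind"] == "CMD"
            and e["src"] in retired_ids and e["t"] >= since]

if __name__ == "__main__":
    evs = parse(LOG)
    print("ids behind every fault:", sources_behind_faults(evs))
    print("retired id still in use:", tripwire(evs, {"14"}, since=800))
```

Once an id is retired, every message carrying it is an alert with no false positives, which is why the reconfiguration on the slide turned a correlation into proof.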

Slide 14

Causes of the problems
• Installed SCADA system was completely insecure
  – No security requirements in contract with customer
• Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software
• Insecure radio links were used for communications

Slide 15

Causes of the problems
• Lack of monitoring and logging made detection more difficult
• No staff training to recognise cyber attacks
• No incident response plan in place at Maroochy Council

Slide 16

Aftermath
• On October 31, 2001 Vitek Boden was convicted of:
  – 26 counts of willfully using a computer to cause damage
  – 1 count of causing serious environmental harm
• Jailed for 2 years

Slide 17

Finding out more
http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
http://harbor2harbour.com/?p=144
http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf