Object Oriented Programming and Software Engineering CIS016-2
Week 3: Cybersecurity Case Study – Maroochy Water Breach
Sue Brandreth

Maroochy Shire Sewage System
• SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999
• In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

SCADA Sewage Control
• Special-purpose control computer at each station to control valves and alarms
• Each system communicates with and is controlled by central control centre
• Communications between pumping stations and control centre by radio, rather than wired network

Technical Problems
• Sewage pumps not operating when they should have been
• Alarms failed to report problems to control centre
• Communication difficulties between the control centre and pumping stations

Insider Attack
• Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation.
• He left in 1999 after disagreements with the company.
• He tried to get a job with local Council but was refused.

Revenge!
• Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems
• He hoped that Hunter Watertech would be blamed for the failure
• Insiders don’t have to work inside an organisation!

How it Happened
• Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop
• He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station
• Insecure radio links were used to communicate with pumping stations and change their configurations

Incident Timeline
• Initially, the incidents were thought to have been caused by bugs in a newly installed system
• However, analysis of communications suggested that the problems were being caused by deliberate interventions
• Problems were always caused by a specific station ID

Actions Taken
• System was configured so that this ID was not used, so any messages carrying it had to be malicious
• Boden, as a disgruntled insider, fell under suspicion and was put under surveillance
• Boden’s car was stopped after an incident, and stolen hardware and a radio system were discovered
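
Added example (not part of the original slides): a sketch of the check described under "Incident Timeline" and "Actions Taken", flagging any traffic that carries a station ID which is retired or unknown. The log format, command names, station numbers and the use of ID 0 for the control centre are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample traffic log, not real Maroochy data. Assumed format:
# "<time> src=<station id> dst=<station id> cmd=<command>"
SAMPLE_LOG = """\
2000-01-01T21:02:11 src=7 dst=0 cmd=STATUS
2000-01-01T21:02:40 src=14 dst=22 cmd=SET_CONFIG
2000-01-01T21:03:05 src=22 dst=0 cmd=STATUS
2000-01-01T21:03:30 src=14 dst=9 cmd=ALARM_DISABLE
garbled radio frame
2000-01-01T21:04:02 src=99 dst=7 cmd=STATUS
2000-01-01T21:04:44 src=0 dst=7 cmd=SET_CONFIG
2000-01-01T21:05:10 src=9 dst=22 cmd=SET_CONFIG
"""

LINE_RE = re.compile(r"^(\S+) src=(\d+) dst=(\d+) cmd=(\w+)$")
CONFIG_CMDS = {"SET_CONFIG", "ALARM_DISABLE"}  # hypothetical command names


def audit(log_text, active_ids, retired_ids, control_centre=0):
    """Return (line_number, finding, source_id) for every suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            # Keep damaged frames visible instead of silently dropping them.
            findings.append((n, "unparseable", None))
            continue
        src, cmd = int(m.group(2)), m.group(4)
        if src in retired_ids:
            # No genuine station uses this ID any more, so it is malicious.
            findings.append((n, "retired-id", src))
        elif src not in active_ids:
            findings.append((n, "unknown-id", src))
        elif cmd in CONFIG_CMDS and src != control_centre:
            # Assumed policy: only the control centre changes configuration.
            findings.append((n, "config-from-station", src))
    return findings


def top_offender(findings):
    """Source ID with the most findings, as (station_id, count), or None."""
    counts = Counter(src for _, _, src in findings if src is not None)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {0, 7, 9, 22}, {14}):
        print(finding)
```

Retiring the suspect ID is what makes the first rule reliable: once no legitimate station transmits with it, every hit is a true positive.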

Causes of the Problem
• Installed SCADA system was completely insecure
• No security requirements in contract with customer
• Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software
• Insecure radio links were used for communications

Causes of the Problem
• Lack of monitoring and logging made detection more difficult
• No staff training to recognise cyber attacks
• No incident response plan in place at Maroochy Council

Aftermath
• On October 31, 2001 Vitek Boden was convicted of:
  • 26 counts of willfully using a computer to cause damage
  • 1 count of causing serious environmental harm
• Jailed for 2 years

Finding Out More…
• Myths and Facts Behind Cyber Security of Industrial Control: http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
• Lessons Learned from the Maroochy Water Breach: http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf
• Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia: http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf