1 / 17

Object Oriented Programming and Software Engineering CIS016-2

Object Oriented Programming and Software Engineering CIS016-2. Week 3: Cybersecurity Case Study – Maroochy Water Breach. Sue Brandreth. Maroochy Shire. Maroochy Shire Sewage System. SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999

jgish
Download Presentation

Object Oriented Programming and Software Engineering CIS016-2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Object Oriented Programming and Software EngineeringCIS016-2 Week 3: Cybersecurity Case Study – Maroochy Water Breach Sue Brandreth

  2. Maroochy Shire

  3. Maroochy Shire Sewage System • SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999 • In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

  4. SCADA Setup

  5. SCADA Sewage Control • Special-purpose control computer at each station to control valves and alarms • Each system communicates with and is controlled by central control centre • Communications between pumping stations and control centre by radio, rather than wired network

  6. What Happened

  7. Technical Problems • Sewage pumps not operating when they should have been • Alarms failed to report problems to control centre • Communication difficulties between the control centre and pumping stations

  8. Insider Attack • Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation. • He left in 1999 after disagreements with the company. • He tried to get a job with local Council but was refused.

  9. Revenge! • Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems • He hoped that Hunter Watertech would be blamed for the failure • Insiders don’t have to work inside an organisation!

  10. What Happened?

  11. How it Happened • Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop • He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station • Insecure radio links were used to communicate with pumping stations and change their configurations

  12. Incident Timeline • Initially, the incidents were thought to have been caused by bugs in a newly installed system • However, analysis of communications suggested that the problems were being caused by deliberate interventions • Problems were always caused by a specific station ID

  13. Actions Taken • System was configured so that that ID was not used so messages from there had to be malicious • Boden as a disgruntled insider fell under suspicion and put under surveillance • Boden’s car was stopped after an incident and stolen hardware and radio system discovered

  14. Causes of the Problem • Installed SCADA system was completely insecure • No security requirements in contract with customer • Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software • Insecure radio links were used for communications

  15. Causes of the Problem • Lack of monitoring and logging made detection more difficult • No staff training to recognise cyber attacks • No incident response plan in place at Maroochy Council

  16. Aftermath • On October 31, 2001 Vitek Boden was convicted of: • 26 counts of willfully using a computer to cause damage • 1 count of causing serious environment harm • Jailed for 2 years

  17. Finding Out More…. • Myths and Facts Behind Cyber Security of Industrial Control http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf • Lessons Learned from the Maroochy Water Breach http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf • Malicious Control System Cyber Security Attack Case Study–Maroochy Water Services, Australia http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf

More Related