CS5032 Case study Maroochy water breach

Maroochy SCADA attack, 2013 Slide 1 CNI Case Study Maroochy water breach



Maroochy

• Local government area about 100km north of Brisbane, Australia

• In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

• SCADA controlled system with 142 pumping stations over 1157 sq km


What happened

• Pumps not operating when they should have been

• Alarms not reporting problems to control centre

• Communication failures between control centre and pumping stations

More than 1m litres of untreated sewage released into waterways and local parks


SCADA setup

• Special-purpose control computer at each station to control valves and alarms

• Each system communicates with and is controlled by central control centre

• Communications between pumping stations and control centre by radio, rather than wired network

Automated operation

All electronics in single cabinet

Pumps etc. are underground


Insider attack

• Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation. He left in 1999.

• He tried to get a job with local Council but was refused

• He then decided to get revenge on both his previous employer and the Council by launching attacks on the SCADA systems

• Insiders don’t have to work inside an organisation!


How it happened

• Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop

• He also stole a control computer that could be used to impersonate a genuine machine at a pumping station

• Insecure radio links were used to communicate with pumping stations and change their configurations

Image credit: http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf


Incident timeline

• Initially, the incidents were thought to have been caused by bugs in a newly installed system

• However, analysis of communications suggested that the problems were being caused by deliberate interventions

• Problems were caused by a specific station id (14)

• The system was configured so that this id was not used, so messages from it had to be malicious

• Boden was put under surveillance; his car was stopped, and the stolen hardware and radio system were discovered
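
The station-id check that exposed the intrusion, as an added example (not part of the original slides): it audits constructed radio-log lines for frames from an unassigned station id and for configuration changes not sent by the control centre. The log format, message types, control-centre id 0 and the station id range are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumptions (not from the slides): control centre uses id 0, stations use
# ids 1..143 with 14 left unassigned, giving the 142 stations mentioned above.
CONTROL_CENTRE = 0
COMMISSIONED = set(range(1, 144)) - {14}
CONFIG_TYPES = {"CONFIG_WRITE", "ALARM_DISABLE"}  # hypothetical message types

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d+) dst=(?P<dst>\d+) type=(?P<type>[A-Z_]+)$"
)

def audit(lines):
    """Return (findings, unparsed): source id -> sorted reasons, bad line numbers."""
    findings = defaultdict(set)
    unparsed = []
    for n, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m:
            unparsed.append(n)  # report unreadable frames instead of dropping them
            continue
        src, kind = int(m["src"]), m["type"]
        if src != CONTROL_CENTRE and src not in COMMISSIONED:
            findings[src].add("unassigned-station-id")
        if kind in CONFIG_TYPES and src != CONTROL_CENTRE:
            findings[src].add("config-change-not-from-control-centre")
    return {s: sorted(r) for s, r in findings.items()}, unparsed

# Constructed sample log lines (not real incident data).
SAMPLE = [
    "2000-01-01T09:00:00 src=0 dst=23 type=POLL",
    "2000-01-01T09:00:01 src=23 dst=0 type=STATUS",
    "2000-01-01T09:00:05 src=14 dst=23 type=CONFIG_WRITE",
    "2000-01-01T09:00:06 src=14 dst=23 type=ALARM_DISABLE",
    "2000-01-01T09:00:09 src=0 dst=57 type=CONFIG_WRITE",
    "2000-01-01T09:00:12 src=57 dst=58 type=CONFIG_WRITE",
    "garbled frame ###",
]

if __name__ == "__main__":
    findings, unparsed = audit(SAMPLE)
    for src, reasons in sorted(findings.items()):
        print(f"station {src}: {', '.join(reasons)}")
    print("unparsed lines:", unparsed)
```

An id allowlist only catches unassigned ids: a frame that reuses a commissioned id passes the first rule, which is why the second rule checks who is allowed to change configuration.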


Causes of the problems

• Installed SCADA system was completely insecure

– No security requirements in contract with customer

• Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software

• Insecure radio links were used for communications

• Lack of monitoring and logging made detection more difficult

• No staff training to recognise cyber attacks

• No incident response plan in place at Maroochy Council


Aftermath

• On October 31, 2001 Vitek Boden was convicted of:

– 26 counts of willfully using a computer to cause damage

– 1 count of causing serious environmental harm

• Jailed for 2 years