Object Oriented Programming and Software Engineering CIS 016-2
Week 3: Cybersecurity Case Study – Maroochy Water Breach
Sue Brandreth, 27/10/2021

Maroochy Shire

Maroochy Shire Sewage System
- SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999
- In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

SCADA Setup

SCADA Sewage Control
- Special-purpose control computer at each station to control valves and alarms
- Each system communicates with and is controlled by central control centre
- Communications between pumping stations and control centre by radio, rather than wired network

What Happened

Technical Problems
- Sewage pumps not operating when they should have been
- Alarms failed to report problems to control centre
- Communication difficulties between the control centre and pumping stations

Insider Attack
- Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation.
- He left in 1999 after disagreements with the company.
- He tried to get a job with local Council but was refused.

Revenge!
- Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems
  - He hoped that Hunter Watertech would be blamed for the failure
- Insiders don’t have to work inside an organisation!

What Happened?

How it Happened
- Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop
- He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station
- Insecure radio links were used to communicate with pumping stations and change their configurations

Incident Timeline
- Initially, the incidents were thought to have been caused by bugs in a newly installed system
- However, analysis of communications suggested that the problems were being caused by deliberate interventions
- Problems were always caused by a specific station ID

Actions Taken
- The system was configured so that this ID was not used, so any messages from it had to be malicious
- Boden, as a disgruntled insider, fell under suspicion and was put under surveillance
- Boden’s car was stopped after an incident, and stolen hardware and a radio system were discovered

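The two detection steps on the Incident Timeline and Actions Taken slides can be sketched in code. This is an added example, not part of the original slides: the log format, station IDs (PS07, PS19, PS33), commands, timestamps and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed radio-traffic log: time, claimed source station ID, command.
LOG = """\
2021-10-01T21:02:10 station=PS07 cmd=SET_PUMP_ON
2021-10-01T21:03:44 station=PS19 cmd=SET_PUMP_OFF
2021-10-01T21:05:02 station=PS33 cmd=STATUS
2021-10-09T02:15:30 station=PS19 cmd=DISABLE_ALARM
2021-10-09T02:16:01 station=PS33 cmd=STATUS
2021-10-15T19:40:12 station=PS19 cmd=SET_PUMP_OFF
2021-10-15T19:41:00 station=PS07 cmd=STATUS
2021-10-22T20:11:09 station=PS19 cmd=SET_PUMP_OFF
"""
# Constructed times at which operators recorded a fault.
FAULTS = ["2021-10-01T21:06:00", "2021-10-09T02:20:00", "2021-10-15T19:45:00"]

def parse(log):
    """Turn each log line into (timestamp, station_id, command)."""
    events = []
    for line in log.splitlines():
        ts, station, cmd = line.split()
        events.append((datetime.fromisoformat(ts),
                       station.split("=")[1], cmd.split("=")[1]))
    return events

def ids_common_to_faults(events, faults, window=timedelta(minutes=10)):
    """Station IDs that sent a control command shortly before every fault."""
    per_fault = []
    for fault in map(datetime.fromisoformat, faults):
        per_fault.append({s for t, s, c in events
                          if fault - window <= t <= fault and c != "STATUS"})
    return set.intersection(*per_fault) if per_fault else set()

def retired_id_alerts(events, retired, retired_at):
    """After an ID is withdrawn from service, any message claiming it is hostile."""
    cutoff = datetime.fromisoformat(retired_at)
    return [(t.isoformat(), s, c) for t, s, c in events
            if s in retired and t >= cutoff]

if __name__ == "__main__":
    events = parse(LOG)
    suspects = ids_common_to_faults(events, FAULTS)
    print("ID present before every fault:", suspects)
    print("Traffic on retired ID:",
          retired_id_alerts(events, suspects, "2021-10-20T00:00:00"))
```

Retiring the suspect ID turns an ambiguous signal (faults that might be bugs) into an unambiguous one, since no legitimate station can send under that ID any longer.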
Causes of the Problem
- Installed SCADA system was completely insecure
  - No security requirements in contract with customer
- Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software
- Insecure radio links were used for communications

Causes of the Problem
- Lack of monitoring and logging made detection more difficult
- No staff training to recognise cyber attacks
- No incident response plan in place at Maroochy Council

Aftermath
- On October 31, 2001 Vitek Boden was convicted of:
  - 26 counts of willfully using a computer to cause damage
  - 1 count of causing serious environmental harm
- Jailed for 2 years

Finding Out More…
- Myths and Facts Behind Cyber Security of Industrial Control
  http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
- Lessons Learned from the Maroochy Water Breach
  http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf
- Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia
  http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf