Cybersecurity Case Study Maroochy water breach

Maroochy Shire Image credit: http://www.hinterlandtourism.com.au/attractions/the-maroochy-river/

Maroochy shire sewage system SCADA controlled system with 142 pumping stations over 1157 sq km installed in 1999 In 2000, the area sewage system had 47 unexpected faults causing extensive sewage spillage

SCADA setup Typical SCADA-controlled sewage system This is not the system that was attacked

SCADA sewage control Special-purpose control computer at each station to control valves and alarms Each system communicates with and is controlled by central control centre Communications between pumping stations and control centre by radio, rather than wired network

What happened More than 1m litres of untreated sewage released into waterways and local parks

Technical problems Sewage pumps not operating when they should have been Alarms failed to report problems to control centre Communication difficulties between the control centre and pumping stations

Insider attack Vitek Boden worked for Hunter Watertech (system suppliers) with responsibility for the Maroochy system installation. He left in 1999 after disagreements with the company. He tried to get a job with local Council but was refused.

Revenge! Boden was angry and decided to take revenge on both his previous employer and the Council by launching attacks on the SCADA control systems He hoped that Hunter Watertech would be blamed for the failure Insiders don’t have to work inside an organisation!

What happened? Image credit: http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf

How it happened Boden stole a SCADA configuration program from his employers when he left and installed it on his own laptop He also stole radio equipment and a control computer that could be used to impersonate a genuine machine at a pumping station Insecure radio links were used to communicate with pumping stations and change their configurations

Incident timeline Initially, the incidents were thought to have been caused by bugs in a newly installed system However, analysis of communications suggested that the problems were being caused by deliberate interventions Problems were always caused by a specific station id

Actions taken System was configured so that that id was not used so messages from there had to be malicious Boden as a disgruntled insider fell under suspicion and put under surveillance Boden’s car was stopped after an incident and stolen hardware and radio system discovered

Causes of the problems Installed SCADA system was completely insecure No security requirements in contract with customer Procedures at Hunter Watertech were inadequate to stop Boden stealing hardware and software Insecure radio links were used for communications

Causes of the problems Lack of monitoring and logging made detection more difficult No staff training to recognise cyber attacks No incident response plan in place at Maroochy Council

Aftermath On October 31, 2001 Vitek Boden was convicted of: 26 counts of willfully using a computer to cause damage 1 count of causing serious environment harm Jailed for 2 years

Finding out more http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf http://harbor2harbour.com/?p=144 http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf