Download presentation
Presentation is loading. Please wait.
Published byIris Carroll Modified over 9 years ago
1
1 ● Plant Automation Security Review of Cyber Security Attack at Maroochy Water Services ● Bradley Yager ● National Business Development Manager – Telemetry Solutions ● Schneider Electric
2
2 What is a SCADA / Telemetry System IT and Business Systems ERP Asset Management Application Control Room SCADA Software Wide Area Network Wireless Communication Long Reach Radio Networks Remote Assets Field Devices Controllers Instrumentation Collect measurement and operational data from devices spread across geographically-dispersed assets, deliver the data over a wide area communication infrastructure to a central control room for supervision, monitoring, analysis and business decision-making. Analog or Digital Temperature Pressure Flow Level Humidity Moisture... RTU Remote RadioBase Radio SCADA Software Sensors network Enterprise IT
3
3 The Maroochy Incident
4
4 The Facts ●There were sustained attacks on the system over several months ●Severity of the attacks escalated over time ●Mainly Spurious alarms, intermittent faults, increased network congestion (denial of service), changing setpoints ●Issues often coincided with bad weather ●Were able to prove third party intrusion mid March, over a month and a half after attacks most likely started ●Attacker was not caught until 23 rd April, another month on
5
5 Cyber Battle ●Initially assumed breaking into pump stations, didn’t consider stolen equipment ●On 16 th March, were able to disable attackers device temporarily by using the same tactics ●Attempting to disable attackers device escalated the situation ●Was it the right thing to do?
6
6 Discussion Topics ●Security through obscurity – does the Maroochy incident suggest it does or doesn’t work? ●Nothing could be proved until everything was logged, but this alone was still not enough ●Malicious human interference was the last thing considered – at what point should it have been? ●Know your system, and know what is normal. This is the only way to detect the abnormal. ●Most people working on SCADA/Control Systems would be aware of ways to disrupt normal operation – how do you combat this? ●Utilities may conduct background checks, but do they force their contractors to do the same?
7
7 Court Proceedings ●Heard over 9 days ●Sacked his lawyer after first day ●Convicted on 26 charges including: ●Using a restricted computer without the consent of its controller thereby intending to cause detriment or damage ●Wilfully and unlawfully causing serious environmental harm ●Stealing
8
8 What is the correct Reaction? ●Even after we’d proven intrusion was occurring – how do you stop it? ●Modified protocol in use at each site Effectively rolled out new encrypted ‘key’ to each site, only known to a few people. ●This is a time consuming process, each site had to be physically visited. ●Only once this was complete did the hacking stop, weeks after it had been identified and initial action had been taken ●Have your strategy ready before, and act quickly in a considered way ●Have a close relationship with your product vendor ●Hacking isn’t always obvious, many intrusions go unnoticed – understand your system, and look for the abnormal
9
9 DNP3 Secure MasterOutstation Non-critical message Standard protocol response Critical Message Authentication response Authentication challenge Authenticate & perform operation Perform operation ●Non-critical messages operate as usual ●Critical messages are “challenged” ●Operation is only carried out if the challenge “passes” Secure method for assuring that only authorised devices are able to successfully request execution of critical commands such as setting outputs, transfer of files, or configuration changes
10
10 Conclusion ●Understand what is normal, so you can detect the abnormal ●Have detailed logging ●Have a prepared considered action plan, don’t be caught unawares ●Some helpful places: ●SCADA community of Interest – A working party of the IT Security Expert Advisory Group. Has more than 180 Industry and government representatives ●Forum of Australian SCADA Vendors – Involved in SCADA CoI Practitioner/Vendor Forums
11
11
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.