Maroochy water breach
1. Maroochy SCADA attack, 2013 Slide 1
Cybersecurity Case Study
Maroochy water breach
http://www.slideshare.net/sommervi/cs5032-case-study-maroochy-water-breach
3. Maroochy SCADA attack, 2013 Slide 3
Maroochy shire sewage system
• SCADA controlled system with 142 pumping
stations over 1157 sq km installed in 1999
• In 2000, the area sewage system had 47
unexpected faults causing extensive sewage
spillage
4. Maroochy SCADA attack, 2013 Slide 4
SCADA setup
Typical SCADA-controlled sewage system
This is not the system that was attacked
5. Maroochy SCADA attack, 2013 Slide 5
SCADA sewage control
• Special-purpose control computer at each
station to control valves and alarms
• Each system communicates with and is
controlled by central control centre
• Communications between pumping stations
and control centre by radio, rather than wired
network
6. Maroochy SCADA attack, 2013 Slide 6
What happened
More than 1m litres of untreated sewage released
into waterways and local parks
7. Maroochy SCADA attack, 2013 Slide 7
Technical problems
• Sewage pumps not operating when they
should have been
• Alarms failed to report problems to control
centre
• Communication difficulties between the
control centre and pumping stations
8. Maroochy SCADA attack, 2013 Slide 8
Insider attack
• Vitek Boden worked for Hunter Watertech
(system suppliers) with responsibility for the
Maroochy system installation.
• He left in 1999 after disagreements with the
company.
• He tried to get a job with local Council but
was refused.
9. Maroochy SCADA attack, 2013 Slide 9
Revenge!
• Boden was angry and decided to take
revenge on both his previous employer and
the Council by launching attacks on the
SCADA control systems
– He hoped that Hunter Watertech would be blamed
for the failure
• Insiders don’t have to work inside an
organisation!
11. Maroochy SCADA attack, 2013 Slide 11
How it happened
• Boden stole a SCADA configuration program
from his employers when he left and installed
it on his own laptop
• He also stole radio equipment and a control
computer that could be used to impersonate a
genuine machine at a pumping station
• Insecure radio links were used to
communicate with pumping stations and
change their configurations
12. Maroochy SCADA attack, 2013 Slide 12
Incident timeline
• Initially, the incidents were thought to have
been caused by bugs in a newly installed
system
• However, analysis of communications
suggested that the problems were being
caused by deliberate interventions
• Problems were always caused by a specific
station id
13. Maroochy SCADA attack, 2013 Slide 13
Actions taken
• System was configured so that that id was not
used, so any messages from it had to be
malicious
• Boden as a disgruntled insider fell under
suspicion and was put under surveillance
• Boden’s car was stopped after an incident
and stolen hardware and radio system
discovered
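
The station-id check from the "Incident timeline" and "Actions taken" slides, sketched as an added example that is not part of the original slides: frames claiming an id that has been taken out of service are flagged as hostile, and frames from ids missing from the inventory are flagged for review. The log format, message type names and station ids are constructed assumptions, not details of the Maroochy system.

```python
import re
from collections import Counter

FRAME = re.compile(r"^(?P<ts>\S+) src=(?P<src>\d+) type=(?P<type>[A-Z_]+)$")

# Hypothetical inventory: ids in service, plus the id deliberately taken out of use.
ACTIVE_IDS = {"007", "031", "112"}
RETIRED_IDS = {"090"}

# Constructed sample of decoded radio frames (not data from the real incident).
SAMPLE_LOG = """\
2000-01-01T21:02:11 src=007 type=STATUS
2000-01-01T21:02:40 src=090 type=CONFIG_WRITE
2000-01-01T21:03:05 src=090 type=ALARM_DISABLE
2000-01-01T21:03:09 src=031 type=STATUS
###noise###
2000-01-01T21:04:17 src=090 type=PUMP_STOP
2000-01-01T21:05:00 src=555 type=STATUS
"""

def parse_frame(line):
    """Return a dict for a well-formed frame, or None for radio noise."""
    m = FRAME.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text, active=ACTIVE_IDS, retired=RETIRED_IDS):
    """Classify every frame by source id and collect alerts."""
    alerts, per_source, malformed = [], Counter(), 0
    for line in log_text.splitlines():
        frame = parse_frame(line)
        if frame is None:
            malformed += 1  # keep a count: link quality is itself a signal
            continue
        per_source[frame["src"]] += 1
        if frame["src"] in retired:
            # No legitimate station uses this id, so the frame is hostile.
            alerts.append(("RETIRED_ID", frame["ts"], frame["src"], frame["type"]))
        elif frame["src"] not in active:
            alerts.append(("UNKNOWN_ID", frame["ts"], frame["src"], frame["type"]))
    return alerts, per_source, malformed

if __name__ == "__main__":
    alerts, per_source, malformed = triage(SAMPLE_LOG)
    for alert in alerts:
        print(*alert)
    print("frames per source:", dict(per_source), "malformed:", malformed)
```

The per-source counts give the same view the investigators relied on: which claimed station id the problem traffic keeps coming from.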
14. Maroochy SCADA attack, 2013 Slide 14
Causes of the problems
• Installed SCADA system was completely
insecure
– No security requirements in contract with
customer
• Procedures at Hunter Watertech were
inadequate to stop Boden stealing hardware
and software
• Insecure radio links were used for
communications
15. Maroochy SCADA attack, 2013 Slide 15
Causes of the problems
• Lack of monitoring and logging made
detection more difficult
• No staff training to recognise cyber attacks
• No incident response plan in place at
Maroochy Council
16. Maroochy SCADA attack, 2013 Slide 16
Aftermath
• On October 31, 2001 Vitek Boden was
convicted of:
– 26 counts of willfully using a computer to cause
damage
– 1 count of causing serious environmental harm
• Jailed for 2 years
17. Maroochy SCADA attack, 2013 Slide 17
Finding out more
http://www.pimaweb.org/conference/april2003/pdfs/MythsAndFactsBehindCyberSecurity.pdf
http://harbor2harbour.com/?p=144
http://www.ifip.org/wcc2008/site/IFIPSampleChapter.pdf
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf