sgmax

Protocols allowed by PDS Compact 500

4 posts in this topic

Hello,

I am studying the consequences of the Maroochy Shire water spill, and it seems that the RTUs attacked were HWT PDS Compact 500s.

I have a hard time finding any specifications online, and I would mainly like to know which protocol(s) they can communicate with (MODBUS, DNP3, etc.).

Can anyone help me?

Thanks a lot in advance


Is there information on the device about the manufacturer? Never heard of them.


Hello,

Thanks for your answer.

To the best of my knowledge this is their website: http://hwt.co.za/; however, I can't find any mention of the RTU device on it.

I got some data from articles such as this one (see abstract): https://www.mysciencework.com/publication/show/4523ff6713963a0803e814deece75d78

It mentions DNP3, and I saw another speaking about MODBUS, so I was wondering whether these protocols were the only ones implemented on the device or whether others were present (e.g. OPC; probably not OPC-UA, since this was in 2000).

Regards


The PDS500 is an RTU developed by Hunter Water Tech, a company that spun out of Hunter Water Corporation. This was a popular thing to do here in Australia, and was also done by Melbourne Water with the Logica RTUs and Mosaic SCADA.

The PDS500 (and the engineering arm of Hunter Water Tech) was then bought by Serck Controls, who then bought Control Microsystems (CMI). The SCADAPack E-series is something of a 'progression' of the PDS500. Serck were then bought up by Schneider... hence this is now where the SCADAPack family lives.

As for the URL for 'Hunter Water Tech'... this is probably the closest (the water authority that still carries the name).

https://www.hunterwater.com.au/


The PDS500 really only supported Modbus and DNP3. But the Maroochy Shire SEWER spills (they were not water) were not a protocol-level exploit, but a basic network intrusion attack.

There was no 'real' security; it was security through obscurity. You'd have to know the frequencies of the transmissions, know what radios they were using (and have access to such a radio), then you'd need to know the protocol (DNP3) and what addresses were of interest (both DNP3 node numbers and DNP3 point numbers).

Of course, the particular person who enacted the intrusions was a former engineer involved with the council, and so knew these details and had access to such a radio, making it a relatively trivial attack.

The part that surprises me is that he was actually caught. It would have been an incredibly difficult situation for Hunter Water Tech to identify the cause of the issues.

Most of the 'cybersecurity' postmortems that I've seen around the incident are really misplaced, in my opinion. Things like 'Hunter Water Tech had inadequate physical security, allowing Vitek to steal a PDS500'... The real failure was that the entire network was secured through obscurity, not actual control measures. There are still likely thousands of similar deployments within Australia that are STILL configured in exactly the same way.

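An added, defender-side illustration of the last answer's point (this is not code from the thread or from the PDS500/SCADAPack products): the DNP3 link layer carries the node numbers the post refers to, and a monitor that validates frame CRCs and flags control requests (select/operate) from any node not on a master allowlist is one actual control measure, as opposed to the obscurity described. The frames, node numbers 1, 10 and 99 and the 0xC4 link control byte are constructed sample values; the CRC parameters and application function codes are standard DNP3.

```python
CRC_POLY_REFLECTED = 0xA6BC  # CRC-16/DNP: poly 0x3D65 bit-reversed, init 0, xorout 0xFFFF
CONTROL_FUNCTIONS = {3: "SELECT", 4: "OPERATE", 5: "DIRECT_OPERATE", 6: "DIRECT_OPERATE_NR"}

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP, the checksum on every DNP3 link header and 16-byte data block."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(src: int, dst: int, app_fc: int, ctrl: int = 0xC4) -> bytes:
    """Constructed single-fragment request; used here only to make sample traffic."""
    user = bytes([0xC0, 0xC0, app_fc])  # transport header, application control, function code
    header = (bytes([0x05, 0x64, 5 + len(user), ctrl])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(header + dnp3_crc(header).to_bytes(2, "little"))
    for i in range(0, len(user), 16):  # user data travels in CRC-protected blocks
        out += user[i:i + 16] + dnp3_crc(user[i:i + 16]).to_bytes(2, "little")
    return bytes(out)

def parse_frame(frame: bytes) -> dict:
    """Check both CRC layers, then return addresses, direction bit and application FC."""
    if frame[:2] != b"\x05\x64" or dnp3_crc(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("bad start bytes or header CRC")
    user, pos, remaining = bytearray(), 10, frame[2] - 5  # LEN covers CTRL, DST, SRC and user data
    while remaining > 0:
        n = min(16, remaining)
        if dnp3_crc(frame[pos:pos + n]) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise ValueError("data block CRC mismatch")
        user += frame[pos:pos + n]
        pos, remaining = pos + n + 2, remaining - n
    return {"dst": int.from_bytes(frame[4:6], "little"), "src": int.from_bytes(frame[6:8], "little"),
            "from_master": bool(frame[3] & 0x80), "app_fc": user[2]}

def audit(frames, authorised_masters):
    """(src, dst, function) for every control request sent by a node not on the allowlist."""
    alerts = []
    for info in map(parse_frame, frames):
        name = CONTROL_FUNCTIONS.get(info["app_fc"])
        if name and info["from_master"] and info["src"] not in authorised_masters:
            alerts.append((info["src"], info["dst"], name))
    return alerts

def sample_alerts():
    """Constructed traffic: master node 1 reads and operates RTU node 10; node 99 is not a master."""
    frames = [build_frame(1, 10, 1), build_frame(1, 10, 5), build_frame(99, 10, 5)]
    return audit(frames, authorised_masters={1})  # -> [(99, 10, 'DIRECT_OPERATE')]
```

The allowlist only has teeth if the radio link itself cannot be joined by an arbitrary node, which is the gap the post describes; it does make the rogue control write visible instead of silent.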
