New York's Little Dam Sends Super-Sized Warning of Cyber-Attacks

  • Alleged Iranian hacking of dam near Rye said to show dangers
  • Power grids, water-treatment plants called vulnerable in U.S.

The Bowman Avenue Dam is seen in Rye Brook, New York.

Photographer: Seth Wenig/AP

The 20-foot Bowman Avenue Dam on the outskirts of Rye, New York, is so inconsequential that many residents of the affluent commuter town didn’t even know it existed. But Iranian hackers did.

“It’s frightening,” Marilyn Weissman, the manager at Dusty Rose, a sportswear and lingerie store at the Rye Ridge Shopping Center, said when told that there’s a dam in the woods nearby -- and that the U.S. Justice Department says it was attacked by hackers tied to Iran’s Islamic Revolutionary Guard Corps. “You don’t know what will happen.”

A U.S. indictment unsealed last week accused a hacker based in Iran of gaining remote access to a computer controlling the flood-control structure for about three weeks beginning in 2013, while six other Iranians attacked U.S. banks and companies. Justice Department officials say no damage was done to the dam, about 20 miles (32 kilometers) north of New York City, simply because it was closed for maintenance at the time.

Yet the hacking of the 75-year-old dam that connects two ponds has brought fresh attention to long-ignored warnings from cybersecurity specialists and government officials that critical U.S. infrastructure -- from power grids and water treatment facilities to fuel distribution systems and chemical plants -- is vulnerable to online assault.

Same Vulnerabilities

“The New York dam attack didn’t surprise me because we’re in touch with many U.S. critical infrastructure companies that suffer from the same hacking vulnerabilities,” said Barak Perelman, chief executive officer of the Israeli cybersecurity company Indegy Inc., which works with American companies. “The same industrial infrastructure that exists in the New York dam also exists in the Hoover Dam.”

There are about 75,000 dams and 6,000 electric utilities in the U.S., and potentially millions of Internet-connected devices that could be used to penetrate crucial computer networks, said Chris Blask, executive director of the Cyberspace Research Institute at Webster University based in St Louis.

Lack of Updates

“The vast majority of cyber devices in infrastructure do not get updated,” said Blask, who also serves as chairman of the Industrial Control System Information Sharing and Analysis Center, an association of companies that own or operate vital computers. “The vulnerability of these systems to penetration is extremely high.”

Hackers from Iran, Russia and China have been found rooting around in computers that operate vital U.S. infrastructure, mainly in what appear to be extensive reconnaissance operations into how the systems work, said John Hultquist, director of cyber-espionage intelligence at iSight Partners.

The U.S. indictment says Iranian hacker Hamid Firoozi broke into the dam’s computer while the others named in the indictment launched cyber-attacks on about four dozen U.S. financial institutions and companies, including the New York Stock Exchange, Nasdaq, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc.

Stuxnet Virus

Other governments have responded to U.S. hacking allegations by denying wrongdoing and accusing the U.S. of its own incursions. Cybersecurity experts have said the U.S. and Israel were behind an attack that used the so-called Stuxnet virus starting in 2010 to disable operations at an Iranian nuclear enrichment plant and may have helped inspire the Iranians to retaliate by going after U.S. companies and the dam.

Although there hasn’t been a major attack that resulted in significant disruption to services in the U.S., signs are pointing toward such an event, according to national security officials and cybersecurity specialists.

Republican Senator Susan Collins of Maine said in October that a concerted cyber-attack on the nation’s critical infrastructure -- its power grid, air transportation network or banking system -- could cause “catastrophic harm in the form of more than $50 billion in economic damage, 2,500 fatalities or a severe degradation of our national security.”

However, Director of National Intelligence James Clapper told the House intelligence committee in September that a “Cyber Armageddon” isn’t as likely as a succession of smaller attacks. He said hackers are gaining access to critical infrastructure systems, "which might be quickly exploited for disruption if an adversary’s intent became hostile."

Hoover Dam

Hoover Dam, which is 726 feet tall and stores 10.1 million acre-feet of water for use in seven western states, hasn’t been compromised by hackers, said Peter Soeth, a spokesman for the U.S. Bureau of Reclamation. The dam also generates about 4 billion kilowatt-hours of electricity a year, enough power to serve 1.3 million people. No assets managed by the bureau have been compromised by hackers, Soeth said.

“Our major industrial control systems can’t be accessed from the Internet,” he said. “We take a risk management approach based on the significance of the infrastructure and we make sure that all appropriate security controls are used.”

Ukraine Attack

In December, hackers in Ukraine showed the potential for an online attack to inflict real-world damage by disrupting power to tens of thousands of people. Destructive malware knocked out at least 30 of the country’s 135 power substations for about six hours. Ukrainian officials have said they believe the Russian government directed the attack in retaliation for hostilities in eastern Ukraine. Russia has denied any involvement.

After the U.S. indictment of the Iranians was released, the Department of Homeland Security declined to provide specific information about hacking threats but said it works with owners and operators of crucial facilities to help them secure their networks.

“Because the vast majority of critical infrastructure is owned and operated by private companies, reducing the risk to these vital systems requires a strong partnership between government and industry,” the department said in an e-mailed statement.

‘Hit-and-Miss’ Security

Blask said security at critical infrastructure sites across the U.S. is “hit-and-miss,” although electric utilities probably have the best protections. He said he would be “shocked” if even 10 percent of all control systems were sufficiently secured.

Among the reasons are old systems that haven’t been updated and a lack of skilled cybersecurity expertise to make improvements, Blask said. He has called for installing simple sensors on industrial control devices to monitor for abnormal activity.

An earlier version of the malicious software used in the Ukraine attack, called BlackEnergy3, was found inside U.S. computer systems in 2014, Hultquist of iSight Partners said. U.S. officials and companies took steps to eradicate the malware from critical infrastructure, but it’s likely the hackers have been trying to return.

“These guys go back to the drawing board and try to refine their operations and start over,” Hultquist said.