
New York dam hack underscores threat for connected utilities

The ability for hackers to penetrate the network at a small dam in New York reveals the risk of more utilities managing facilities via cell networks and the Internet.

Gerald Herbert/AP

December 23, 2015

Reports that Iranian hackers breached the computer network at a small, aging dam in Westchester County, N.Y., once again highlight how exposed many US utilities are to even the simplest digital assaults.

But while the breach, reported earlier this week, set off alarms about hackers striking American public infrastructure, experts caution that the 2013 incident at the Bowman Avenue Dam outside Rye, N.Y., shouldn't be interpreted as evidence of a crippling cyberattack in the works.

Instead, many experts say incidents such as the one in New York reveal that US infrastructure operators haven't fully adapted to the realities of connecting facilities to cellular networks or the Internet, exposing systems to hackers who might be probing for bigger security holes or on intelligence-gathering missions.


"Because the dam was so tiny, I find it unlikely that it would have been targeted by Iranians seeking to [harm] America," says Jason Healey, a senior research scholar at Columbia University's School of International and Public Affairs.

"This was probably them exploring, driven by curiosity," says Mr. Healey, who served as White House director of critical infrastructure protection from 2003 to 2005. "These infrastructures are wide open."

According to the Journal, unnamed US officials said Iranian hackers manipulated a cellular modem connection in 2013 to probe the dam's supervisory control and data acquisition (SCADA) systems. At the time, the incident generated considerable attention within government circles, even reaching the White House. Initially, there was confusion about where the breach occurred, because there's a much larger Bowman Dam in Oregon.

To be sure, the prospect of a significant cyberattack on US infrastructure is a pressing concern within the private sector and the federal government. Compounding these worries, just days after the Journal story, the Associated Press reported widespread intrusions into the networks of firms managing parts of the electrical grid.

But security experts say that many of the problems now afflicting critical infrastructure are a byproduct of public and private utilities' transition away from older, proprietary networks of radio, microwave and satellite technology for managing remote facilities to general-purpose, third-party networks and the Internet. Specifically, within the past five years, utilities have switched to 3G and 4G cellular networks operated by large carriers such as Verizon and AT&T to manage remote facilities.


"It was about economics," says Mike Assante, the security lead for Industrial Control Systems and SCADA at the SANS Institute, a nonprofit that specializes in cybersecurity training. "Instead of you planning and putting down your own radio network, you can just go to Verizon and AT&T who already provide that infrastructure."

And in place of specialized radio frequency, satellite or microwave equipment, utilities began relying on a more common piece of technology: the cellular modem. The devices, which can cost as little as $100, provide direct access to cellular networks and are now commonplace in the industrial control space.

Adoption of cellular modems alone hasn't necessarily made the infrastructure less secure. Security issues plagued radio frequency management systems, too. In fact, utilities often sent telemetry data in clear text or used weak encryption to protect transmissions. In 2000, for instance, an Australian man working as a contractor for a firm called Hunter Watertech used radio equipment to issue unauthorized commands to sewage treatment facilities operated by the Maroochy Shire Council, spilling 800,000 liters of raw sewage into local parks, rivers and the grounds of a Hyatt Regency Hotel.

But critical infrastructure's reliance on cellular networks has increased its visibility to would-be attackers. Those networks make it easier to discover and target infrastructure using Web tools such as Shodan, a search engine for nontraditional computing devices such as industrial control equipment.

For example, a Shodan search of Verizon's network for programmable logic controllers (PLCs) manufactured by Rockwell Automation, a common piece of industrial control equipment, . An identical search of AT&T's network . Experts say that such a search may have been a first step for the hackers who targeted the Rye, N.Y., dam.

"Usually the cellular modems just provide connectivity, so the vulnerable [industrial control system] component sitting behind it is still as vulnerable as ever," said Billy Rios, the founder of an independent security research firm, in an e-mail.

While news of the New York dam incursion comes amid reports of intrusions targeting White House officials and growing concerns in general about foreign hacking, most experts say cybersecurity incidents involving utilities are now commonplace. What's more, recent evidence indicates that hackers are becoming more skilled at penetrating utilities' control systems.

For example, in a bulletin published in 2014, the Department of Homeland Security said a "sophisticated threat actor" accessed the control system server of what was described as an "Internet-connected, control system operating a mechanical device." Upon investigation, DHS determined that the device was attached to the Internet via a cellular modem but was "directly Internet accessible and … not protected by a firewall or authentication access controls."
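The exposure pattern the article keeps returning to (a cheap cellular modem that hands a controller a public route, Rios's point that the modem only provides connectivity while the device behind it stays as vulnerable as ever, the DHS description of a controller that was "directly Internet accessible and not protected by a firewall or authentication access controls", and the clear-text radio telemetry of the Maroochy era) can be written down as an inventory audit. The following Python is an added example, not code from the article or from any of the organizations it quotes; the site records, field names and severity scale are constructed assumptions chosen to make the conditions above explicit and to pair each with the mitigation an operator would apply.

```python
"""Exposure audit for remotely managed control-system sites.

Added example (not from the article). Each Site record is a constructed
inventory entry; the field names and the severity scale are assumptions
made for this example, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Site:
    """One remotely managed field site (constructed inventory record)."""
    name: str
    transport: str             # "cellular", "private_radio", "satellite" or "wired"
    public_ip: bool            # the modem gives the controller a publicly routable address
    firewall: bool             # a filtering device sits between the modem and the controller
    auth_required: bool        # commands are refused without credentials
    telemetry_encrypted: bool  # readings and commands are encrypted in transit
    isolated_link: bool        # carrier private APN or site-to-site VPN keeps the link off the public Internet


@dataclass(frozen=True)
class Finding:
    site: str
    severity: str   # "high", "medium" or "low"
    issue: str
    mitigation: str


SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def audit_site(site: Site) -> List[Finding]:
    """Return the exposure findings for one site, worst conditions first."""
    findings: List[Finding] = []
    # The DHS condition: a public address with nothing filtering in front of the controller.
    directly_reachable = site.public_ip and not site.firewall

    if site.transport == "cellular" and not site.isolated_link:
        findings.append(Finding(site.name, "high",
            "controller is reached over a public carrier network with no private APN or VPN",
            "put the modem on a carrier private APN or terminate a VPN at the site so the controller has no public route"))
    if directly_reachable:
        findings.append(Finding(site.name, "high",
            "controller is directly Internet accessible: public address and no firewall",
            "place a firewall in front of the controller and allow only the control centre's addresses and protocols"))
    if not site.auth_required:
        # Missing authentication is worse when anyone on the Internet can reach the device.
        findings.append(Finding(site.name, "high" if directly_reachable else "medium",
            "commands are accepted without authentication",
            "enable authentication on the controller or front it with an authenticating gateway"))
    if not site.telemetry_encrypted:
        findings.append(Finding(site.name, "medium",
            "telemetry and commands travel in clear text",
            "wrap the link in TLS or an IPsec/VPN tunnel; clear-text radio was a problem before cellular modems, too"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or "none" for a clean site."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


def audit_inventory(sites: List[Site]) -> Dict[str, List[Finding]]:
    """Audit every site and key the findings by site name."""
    return {s.name: audit_site(s) for s in sites}


# Constructed sample inventory (assumed values, not real sites).
SAMPLE_SITES = [
    # Cheap modem, public address, no firewall, no authentication, clear text.
    Site("site-a", "cellular", public_ip=True, firewall=False,
         auth_required=False, telemetry_encrypted=False, isolated_link=False),
    # Same modem, but on a private APN behind a firewall with authentication and encryption.
    Site("site-b", "cellular", public_ip=False, firewall=True,
         auth_required=True, telemetry_encrypted=True, isolated_link=True),
    # Legacy private radio: not Internet-routable, but clear text and unauthenticated commands.
    Site("site-c", "private_radio", public_ip=False, firewall=False,
         auth_required=False, telemetry_encrypted=False, isolated_link=True),
]


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_SITES).items():
        print(f"{name}: worst severity {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.issue}\n      fix: {f.mitigation}")
```

Running the module prints four findings for site-a (three high, one medium), none for site-b, and two medium findings for site-c, which matches the article's point that moving from radio to cellular did not create the unauthenticated, clear-text design but did make it reachable from anywhere.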

Despite its similarity to the Rye incident, an official with knowledge of both incidents who asked not to be named confirmed the attack described in the 2014 bulletin was different from the incident described by the Journal.

At the federal level, however, progress toward securing critical infrastructure has been slow, many experts say.

"We have a bit of time. But time is running out," says Mr. Assante of SANS Institute. "The more you allow people to get footholds on your network and learn from it, the more likely they are to graduate to more sophisticated and damaging attacks."
