Modern field guide to security and privacy

Experts separate fact from hype in reports of Iranian hacking

Recent stories suggest that foreign hackers are making dangerous inroads into utilities, putting critical infrastructure at risk of devastating cyberattacks. Yet, experts say these breaches aren't cause for panic.

An Iranian flag in front of the United Nations headquarters in Vienna.

Relax, cyberwar isn't upon us. 

That's the reaction from many cybersecurity experts after recent reports of separate hacks involving Iranian hackers, a small dam outside Rye, N.Y., and the power producer Calpine Corp. 

While both of those incidents are serious, neither appears to have provided hackers the ability to cause any of the physical damage hinted at in the reports.

"The activity could be categorized as reconnaissance and targeting of infrastructure without any current impact or compromises," says Robert M. Lee, cofounder of Dragos Security, a company that specializes in industrial system security.

"It is still concerning but should not be overstated," says Mr. Lee, a former cyberwarfare operations officer with the US Air Force.

The Wall Street Journal reported Sunday that Iranian hackers in 2013 gained access to a computer system used to control the operations of the New York dam but didn't actually gain control of the facility.

Then, on Monday, the Associated Press reported on the theft of critical documents from Calpine, again purportedly by Iranian agents, that it grimly described as opening "a pathway into the networks running the United States power grid." The attackers had accessed so much critical information they could have used it to knock out power to millions of homes, according to the AP story.

Both reports use the incidents to highlight the vulnerability of the US to attacks on computers controlling core equipment in the utilities sector, nuclear power plants, water treatment facilities, dams, and other critical infrastructure.

Many organizations in these sectors have connected critical industrial control systems to the Internet in recent years, exposing systems to cyberthreats in the process. Security experts have long maintained that hackers who gained access to Internet-enabled control systems could cause damage to the underlying systems.

The prime example of this is Stuxnet, a digital weapon deployed to knock out hundreds of centrifuges at Iran's uranium enrichment facility in Natanz in 2010. Stuxnet was used to seize systems controlling centrifuges at the facility, forcing the machines to speed up and slow down to cause them to rattle and break down.  

The reported attacks on Calpine and the New York dam involved nothing as dramatic, said Lee.

In the case of Calpine, hackers accessed contractor networks that contained sensitive information about the company's operations, but the company's networks were not breached. "So the actors attributed to Iran never compromised the power grid," Lee stressed.

"In the New York dam case, it appears there was scanning and probing activity that took place but no actual infiltration," Lee added.

In the critical infrastructure sector, it's common for facilities to allow devices to connect to the Internet without a username or login. "It appears in this case, these actors accessed a publicly available device that should not have been connected to the Internet. But it does not appear they actually compromised or infiltrated any infrastructure or systems," Lee said.

There's little doubt that hackers in the Middle East are interested in US critical infrastructure targets, says Joe Weiss, managing director at Applied Control Systems and the author of several books on control system security.

"We know that because they have been attacking honeypots thinking they are attacking control systems," he says, referring to attacks on fake targets.

Still, says Mr. Weiss, it's important to keep the attacks in perspective. Many of the attacks are on the business network of critical infrastructure companies and not always on the control systems networks that actually control facilities, he says. What's more, much of the information needed to launch attacks against industrial control systems is already publicly available and, he says, hackers can obtain software kits on Dark Web marketplaces to launch attacks against exposed systems.

"People are making it look like the loss of information about control systems is like stealing from the Bank Of England," he says. However, much of the information that hackers are able to get is already openly available through other sources.

What's often lost in the discussion about threat to critical infrastructure is that risk isn't just about being connected to the Internet, says Weiss. For instance, he says, Stuxnet targeted systems that were not online.

Even though experts say that attacks on critical infrastructure don't mean hackers' next step will be remotely manipulating control systems, Weiss says the Journal and AP stories still highlight the need to secure these systems. "The real question to ask is, Why aren’t the end-users doing a better job of cyber protecting these very critical systems?"
