New York dam hack underscores threat for connected utilities
The ability for hackers to penetrate the network at a small dam in New York reveals the risk of more utilities managing facilities via cell networks and the Internet.
Gerald Herbert/AP
Reports that Iranian hackers breached the computer network at a small, aging dam in Westchester County, N.Y., once again highlight how exposed many US utilities are to even the simplest digital assaults.
But while the breach reported by The Wall Street Journal earlier this week set off alarms about hackers striking American public infrastructure, experts caution that the 2013 incident at the Bowman Avenue Dam outside Rye., N.Y., shouldn't be interpreted as evidence of a crippling cyberattack in the works.
Instead, many experts say incidents such as the one in New York reveal that US infrastructure operators haven't fully adapted to realities of connecting facilities to cellular networks or the Internet, exposing systems to hackers who might be probing for bigger security holes or on intelligence gathering missions.
"Because the dam was so tiny, I find it unlikely that it would have been targeted by Iranians seeking to [harm] America," says Jason Healey, a senior research scholar at Columbia University's School of International and Public Affairs.
"This was probably them exploring, driven by curiosity," says Mr. Healey, who served as White House director of critical infrastructure protection from 2003 to 2005. "These infrastructures are wide open."
According to the Journal, unnamed US officials said Iran hackers manipulated a cellular modem connection in 2013 to probe the dam's supervisory control and data acquisition (SCADA) systems. At the time, the incident generated considerable attention within government circles, even reaching the White House. Initially, there was confusion about where the breach occurred. There's a much larger Bowman Dam in Oregon.
To be sure, the prospect of a significant cyberattack on US infrastructure is a pressing concern within the private sector and the federal government. Compounding these worries, just days after the Journal story, the Associated Press documented evidence of widespread intrusions into the networks of firms managing parts of the electrical grid.
But security experts say that many of the problems now afflicting critical infrastructure are a byproduct of public and private utilities' transition away from older, proprietary networks of radio, microwave and satellite technology for managing remote facilities to general purpose, third party networks and the Internet. Specifically: within the past five years, utilities have switched to 3G and 4G cellular networks operated by large carriers such Verizon and AT&T to manage remote facilities.
"It was about economics," says Mike Assante, the security lead for Industrial Control Systems and SCADA at the SANS Institute, a nonprofit that specializes in cybersecurity training. "Instead of you planning and putting down your own radio network, you can just go to Verizon and AT&T who already provide that infrastructure."
And in place of specialized radio frequency, satellite or microwave equipment, utilities began relying on more common piece of technology: the cellular modem. The devices that can cost as little as $100 provides direct access to cellular networks and are now commonplace in the industrial control space.
Adoption of cellular modems alone hasn't necessarily made the infrastructure less secure. Security issues plagued radio frequency management systems, too. In fact, utilities often sent telemetry data in clear text or used weak encryption to protect transmissions. In 2000, for instance, an Australian man working as a contractor for a firm called Hunter Watertech used radio equipment to issue unauthorized commands to sewage treatment facilities operated by the Maroochy Shire Council. The attack spilled 800,000 liters of raw sewage into local parks, rivers and the grounds of a Hyatt Regency Hotel.
But critical infrastructure's reliance on cellular networks has increased its visibility to would-be attackers. Those networks make it easier for would-be attackers to discover and target infrastructure using Web tools such as Shodan, a search engine for nontraditional computing devices such as industrial control equipment.
For example, a Shodan search of Verizon's network for programmable logic controllers (PLCs) manufactured by Rockwell Automation, a common piece of industrial control equipment, returns information on 1,438 devices. An identical search of AT&T’s network returns information on another 305 devices. Experts say that such a search may have been a first step for the hackers who targeted the Rye, N.Y., dam.
"Usually the cellular modems just provide connectivity, so the vulnerable [industrial control system] component sitting behind it is still as vulnerable as ever," said Billy Rios, the founder of WhiteScope, an independent security research firm, in an e-mail.
While news of the New York dam incursion comes amid other reports of Iranian cyberattacks on US targets such as White House officials and growing concerns in general about foreign hacking, most experts say cybersecurity incidents involving utilities are now commonplace. What's more, recent evidence indicates that hackers are becoming more skilled at penetrating utilities' control systems.
For example, in a public report published in 2014, the Department of Homeland Security said a "sophisticated threat actor" accessed the control system server of what was described as an "Internet-connected, control system operating a mechanical device." Upon investigation, DHS determined that the device was attached to the Internet via a cellular modem but was "directly Internet accessible and … not protected by a firewall or authentication access controls."
Despite its similarity to the Rye incident, an official with knowledge of both incidents who asked not to be named confirmed the attack described in the 2014 bulletin was different from the incident described by the Journal.
At the federal level, however, progress toward securing critical infrastructure has been slow, many experts say.
"We have a bit of time. But time is running out," says Mr. Assante of SANS Institute. "The more you allow people to get footholds on your network and learn from it, the more likely they are to graduate to more sophisticated and damaging attacks."