Experts separate fact from hype in reports of Iranian hacking

Recent stories suggest that foreign hackers are making dangerous inroads into utilities, putting critical infrastructure at risk of devastating cyberattacks. Yet, experts say these breaches aren't cause for panic.

Relax, cyberwar isn't upon us. 

That's the reaction from many cybersecurity experts after recent reports of separate hacks involving Iranian hackers, a small dam outside Rye, N.Y., and the power producer Calpine Corp. 

While both of those incidents are serious, neither appears to have provided hackers the ability to cause any of the physical damage hinted at in the reports.

"The activity could be categorized as reconnaissance and targeting of infrastructure without any current impact or compromises," says Robert M. Lee, cofounder of Dragos Security, a company that specialized in industrial system security.

"It is still concerning but should not be overstated," says Mr. Lee, a former cyberwarfare operations officer with the US Air Force.

The Wall Street Journal reported Sunday that Iranian hackers in 2013 gained access to a computer system used to control the operations of the New York dam but didn't actually gain control of the facility.

Then, on Monday, the Associated Press reported on the theft of critical documents from Calpine, again purportedly by Iranian agents, that it grimly described as opening "a pathway into the networks running the United States power grid." The attackers had accessed so much critical information they could have used it to knock out power to millions of homes, according to the AP story.

Both reports use the incidents to highlight the vulnerability of the US to attacks on computers controlling core equipment in the utilities sector, nuclear power plants, water treatment facilities, dams, and other critical infrastructure.

Many organizations in these sectors have connected critical industrial control systems to the Internet in recent years, exposing systems to cyberthreats in the process. Security experts have long maintained that hackers who gained access to Internet-enabled control systems could cause damage to the underlying systems.

The prime example of this is Stuxnet, a digital weapon deployed to knock out hundreds of centrifuges at Iran's uranium enrichment facility in Natanz in 2010. Stuxnet was used to seize systems controlling centrifuges at the facility, forcing the machines to speed up and slow down to cause them to rattle and break down.  

The reported attacks on Calpine and the New York dam involved nothing as dramatic, said Lee.

In the case of Calpine, hackers accessed contractor networks that contained sensitive information about the company's operations, but the company's networks were not breached. "So the actors attributed to Iran never compromised the power grid," Lee stressed.

"In the New York dam case, it appears there was scanning and probing activity that took place but no actual infiltration," Lee added.

In the critical infrastructure sector, it's common for facilities to allow devices to connect to the Internet without a username or login. "It appears in this case, these actors accessed a publicly available device that should not have been connected to the Internet. But it does not appear they actually compromised or infiltrated any infrastructure or systems," Lee said.

There's little doubt that hackers in the Middle East are interested in US critical infrastructure targets, says Joe Weiss, managing director at Applied Control Systems and the author of several books on control system security.

"We know that because they have been attacking honeypots thinking they are attacking control systems," he says, referring to attacks on fake targets.

Still, says Mr. Weiss, it's important to keep the attacks in perspective. Many of the attacks are on the business network of critical infrastructure companies and not always on the control systems networks that actually control facilities, he says. What's more, much of the information needed to launch attacks against industrial control systems is already publicly available and, he says, hackers can obtain software kits on Dark Web marketplaces to launch attacks against exposed systems.

"People are making it look like the loss of information about control systems is like stealing from the Bank Of England," he says. However, much of the information that hackers are able to get is already openly available through other sources.

What's often lost in the discussion about threat to critical infrastructure is that risk isn't just about being connected to the Internet, says Weiss. For instance, he says, Stuxnet targeted systems that were not online.

Even though experts say that attacks on critical infrastructure doesn't mean the next step for hackers is being able to remotely manipulate control systems, Weiss says the Journal and AP stories still highlight the need to secure these systems. "The real question to ask is, Why aren’t the end-users doing a better job of cyber protecting these very critical systems?"