WSJ: Iranian Hackers Bust Into New York Dam

An aerial view of the Bowman Ave. Dam. Iranian hackers are believed to have compromised computer systems used to control the dam, according to the Wall Street Journal. Photo courtesy of Google Earth.

In-brief: The Wall Street Journal alleges that hackers with links to Iran may have compromised a small dam in Rye, New York. If true, the incident is just the latest evidence of information security vulnerabilities in U.S. critical infrastructure. 

Danny Yadron over at the Wall Street Journal has an interesting scoop this morning alleging that hackers associated with Iran probed computer systems used to control the operation of a small dam outside of New York City.

The report cites unnamed “former and current U.S. officials” saying that the Bowman Avenue Dam in Rye, New York was the target of hackers who used a cellular modem connection to attack and “probe” the device. If true, the attack is just the latest evidence of efforts to probe or otherwise compromise critical infrastructure in the U.S.

Information on the 2013 attack has been classified. However, the Wall Street Journal pieced together a rough outline of the incident based on a public notice of the event and after speaking to unnamed officials.

According to the Journal’s report, the incident came to light in the course of U.S. government monitoring of computers they believed were linked to groups of hackers in Iran. The same groups had been linked to denial of service attacks and other incidents directed at U.S. financial firms like Capital One Financial, PNC Financial Services Group and SunTrust Banks, the Journal reported.

Reading between the lines, government or intelligence officials got wind of mention of a compromise of a “Bowman” dam, but weren’t able to determine which dam the attackers were referring to. There are, the Journal notes, 31 dams in the U.S. with the word “Bowman” in their name. (Who knew?)

Initial suspicion was that the hackers were targeting systems at the Arthur R. Bowman Dam in Oregon – a 245-foot-tall earthen dam that is used for irrigation and flood prevention near Prineville, Oregon.

More investigation revealed that the actual target was much smaller: the Bowman Avenue Dam in Rye, New York, which is used for flood control. According to this story, that dam was recently upgraded, adding a sluice gate and sensors that will automatically open and close the gate to prevent flooding downstream of the dam.

In a statement, the Department of Homeland Security refused to comment on the Wall Street Journal report, but said that it “continues to coordinate national efforts to strengthen the security and resilience of critical infrastructure.” “The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responds to cyber incidents, vulnerabilities and threats that can impact industrial control systems which operate critical infrastructure across the United States,” DHS said.

Attacks on critical infrastructure from state-sponsored “advanced persistent threat” (or APT) actors aren’t a new problem. In March, for example, a DHS report revealed that there were 245 incidents involving critical infrastructure in 2014. Among those were cases of malicious software infections on control systems that were believed to be “air gapped” – or physically isolated from the Internet – and the use of previously unknown or “zero day” vulnerabilities in industrial control system software.

In that report, DHS found that 55% of the incidents involved APT or otherwise sophisticated actors. Hacktivists, malicious insiders and cyber criminals were behind other incidents. In many other cases, asset owners were unable to determine who or what was attacking them, the report said.

5 Comments

  1. The report talks about a cellular modem connection. Does that mean that a foreign agent was in close physical proximity to the dam to hijack the modem connection, or that the control system just happens to be connected to the internet over a cellular comms link?

    • I have no first (or second) hand knowledge of the specifics of this particular ‘hack’, but I strongly doubt it was a matter of close physical proximity.

      Not going into the (likely FUDdy) aspects of this article, but wanted to put my two cents in on the likelihood of it being a remote hack.

      • Well, if it is a remote attack, then the cellular modem statement is irrelevant to the story. Pretty much a yawner, as the line between IT and OT systems disappeared a decade ago, even if Utilities don’t acknowledge it. The Utility that I’m familiar with is getting about 300,000 probes a month, so no surprise here that China, Russia, Iran and ISIS are out taking advantage of our supreme ignorance compounded by inaction.

  2. Pingback: Arms deal: No amount of intimidation will force us to release Metuh – EFCC - scoop.ng

  3. Pingback: Hacker Charged In Breach Of New York Dam | The Security Ledger