New York dam hack underscores threat for connected utilities

The ability of hackers to penetrate the network at a small dam in New York reveals the risk of more utilities managing facilities via cellular networks and the Internet.

Reports that Iranian hackers breached the computer network at a small, aging dam in Westchester County, N.Y., once again highlight how exposed many US utilities are to even the simplest digital assaults.

But while the breach reported by The Wall Street Journal earlier this week set off alarms about hackers striking American public infrastructure, experts caution that the 2013 incident at the Bowman Avenue Dam outside Rye, N.Y., shouldn't be interpreted as evidence of a crippling cyberattack in the works.

Instead, many experts say incidents such as the one in New York reveal that US infrastructure operators haven't fully adapted to the realities of connecting facilities to cellular networks or the Internet, exposing systems to hackers who might be probing for bigger security holes or on intelligence-gathering missions.

"Because the dam was so tiny, I find it unlikely that it would have been targeted by Iranians seeking to [harm] America," says Jason Healey, a senior research scholar at Columbia University's School of International and Public Affairs.

"This was probably them exploring, driven by curiosity," says Mr. Healey, who served as White House director of critical infrastructure protection from 2003 to 2005. "These infrastructures are wide open."

According to the Journal, unnamed US officials said Iranian hackers manipulated a cellular modem connection in 2013 to probe the dam's supervisory control and data acquisition (SCADA) systems. At the time, the incident generated considerable attention within government circles, even reaching the White House. Initially, there was confusion about where the breach occurred, because there is a much larger Bowman Dam in Oregon.

To be sure, the prospect of a significant cyberattack on US infrastructure is a pressing concern within the private sector and the federal government. Compounding these worries, just days after the Journal story, the Associated Press documented evidence of widespread intrusions into the networks of firms managing parts of the electrical grid.

But security experts say that many of the problems now afflicting critical infrastructure are a byproduct of public and private utilities' transition away from older, proprietary networks of radio, microwave and satellite technology for managing remote facilities to general-purpose, third-party networks and the Internet. Specifically, within the past five years, utilities have switched to 3G and 4G cellular networks operated by large carriers such as Verizon and AT&T to manage remote facilities.

"It was about economics," says Mike Assante, the security lead for Industrial Control Systems and SCADA at the SANS Institute, a nonprofit that specializes in cybersecurity training. "Instead of you planning and putting down your own radio network, you can just go to Verizon and AT&T who already provide that infrastructure."

And in place of specialized radio frequency, satellite or microwave equipment, utilities began relying on a more common piece of technology: the cellular modem. The devices, which can cost as little as $100, provide direct access to cellular networks and are now commonplace in the industrial control space.

Adoption of cellular modems alone hasn't necessarily made the infrastructure less secure. Security issues plagued radio frequency management systems, too. In fact, utilities often sent telemetry data in clear text or used weak encryption to protect transmissions. In 2000, for instance, an Australian man working as a contractor for a firm called Hunter Watertech used radio equipment to issue unauthorized commands to sewage treatment facilities operated by the Maroochy Shire Council. The attack spilled 800,000 liters of raw sewage into local parks, rivers and the grounds of a Hyatt Regency hotel.

But critical infrastructure's reliance on cellular networks has increased its visibility to would-be attackers, who can more easily discover and target infrastructure using Web tools such as Shodan, a search engine for nontraditional computing devices such as industrial control equipment.

For example, a Shodan search of Verizon's network for programmable logic controllers (PLCs) manufactured by Rockwell Automation, a common piece of industrial control equipment, returns information on 1,438 devices. An identical search of AT&T's network returns information on another 305 devices. Experts say that such a search may have been a first step for the hackers who targeted the Rye, N.Y., dam.

"Usually the cellular modems just provide connectivity, so the vulnerable [industrial control system] component sitting behind it is still as vulnerable as ever," said Billy Rios, the founder of WhiteScope, an independent security research firm, in an e-mail.

While news of the New York dam incursion comes amid other reports of Iranian cyberattacks on US targets such as White House officials, and amid growing concerns in general about foreign hacking, most experts say cybersecurity incidents involving utilities are now commonplace. What's more, recent evidence indicates that hackers are becoming more skilled at penetrating utilities' control systems.

For example, in a public report published in 2014, the Department of Homeland Security said a "sophisticated threat actor" accessed the control system server of what was described as an "Internet-connected, control system operating a mechanical device." Upon investigation, DHS determined that the device was attached to the Internet via a cellular modem and was "directly Internet accessible and … not protected by a firewall or authentication access controls."

Despite the similarity to the Rye incident, an official with knowledge of both incidents, who asked not to be named, confirmed that the attack described in the 2014 bulletin was different from the incident described by the Journal.

At the federal level, however, progress toward securing critical infrastructure has been slow, many experts say.

"We have a bit of time. But time is running out," says Mr. Assante of SANS Institute. "The more you allow people to get footholds on your network and learn from it, the more likely they are to graduate to more sophisticated and damaging attacks."
