24 December 2015

IRANIAN HACKERS INFILTRATED NEW YORK DAM IN 2013; WHAT WOULD IT REALLY TAKE TO KNOCK OUT THE U.S. POWER GRID?

December 21, 2015
www.fortunascorner.com

The Wall Street Journal is reporting this morning (December 21, 2015) that “Iranian hackers gained access to the control system of a small dam less than 20 miles from New York City in 2013. The breach came amid attacks by hackers linked to Iran’s government against the websites of U.S. banks; and, just a few years after American spies had damaged an Iranian nuclear facility with a sophisticated computer worm called Stuxnet,” Mr. Danny Yadron writes. Mr. Yadron did not caveat that last assertion that “American spies had damaged an Iranian nuclear facility.” While it is widely believed the U.S. and Israel were responsible for carrying out a joint cyber attack against Iran’s nuclear facility at Natanz, neither government has officially acknowledged its alleged role. Having said that, Tehran no doubt believes the U.S. and Israel were responsible.

“The still classified dam intrusion illustrates a top concern for U.S. officials as they enter an age of digital state-on-state conflict,” Mr. Yadron writes. “America’s power grid, factories, pipelines, bridges, and dams — all prime targets for digital armies — are sitting largely unprotected on the Internet. And, unlike a traditional war, it is sometimes difficult to know whether or where an opponent has struck.” And, I might add…just who the opponent is. Attribution is still a major issue. “In the case of the dam [hack],” Mr. Yadron writes, “federal investigators initially thought the target might have been a much larger dam in Oregon.”

“Many of the computers controlling industrial systems are old and predate the consumer Internet,” the WSJ notes. “In the early digital days, this was touted as a security advantage. But, companies, against the advice of hacking gurus, increasingly brought them online in the past decade, as a way to add “smarts” to the U.S. infrastructure. Often, they are connected directly to office computer networks, which are notoriously easy to breach.”

“The U.S. has more than 57,000 industrial-control systems connected to the Internet, more than any other country,” according to researchers at Shodan, a search engine that catalogs each machine online. “They range from office air-conditioning units, to major pipelines and electrical-control systems.”

“Security experts say companies have done little to protect these systems from would-be hackers.”

“Everything is being integrated, which is great, but, it’s not very secure,” said Cesar Cerrudo, an Argentine researcher and Chief Technology Officer at IOActive Labs, a security consulting firm. “Mr. Cerrudo wowed the audience,” Mr. Yadron wrote, “when he showed how he could manipulate traffic lights in major U.S. cities.”

“Most of the time,” Mr. Yadron notes, “the hackers appear to be probing systems, to see how laid out they are, and where they can get in,” according to investigators the WSJ spoke to. I would guess these hackers are also probing to see how long it takes before being discovered; and, they could also be implanting a stealth stay-behind. Once breached, you never can be 100 percent sure that your network ‘pipeline’ is clean.

“The 2013 incident at the New York dam was a wake up call for U.S. officials, demonstrating that Iran had greater digital-warfare capability than [previously] believed; and, could inflict real-world damage,” according to people familiar with the incident, the WSJ noted. And, the 2013 dam breach “highlighted another challenge for America’s digital defenses; the fog of cyber war,” Mr. Yadron noted. “Amid a mix of three-letter agencies, unclear Internet addresses and rules governing domestic surveillance, U.S. officials at first weren’t able to determine where the hackers infiltrated,” at least three people connected to the incident told the WSJ.

“Hackers are believed to have gained access to the dam through a cellular modem,” according to an unclassified Department of Homeland Security (DHS) summary of the case. “Two people familiar with the incident said the summary refers to the Bowman Avenue Dam, a small structure used for flood control near Rye, New York,” Mr. Yadron wrote. “Investigators said the hackers didn’t take control of the dam; but, probed the system,” according to people familiar with the matter.

“U.S. intelligence agencies noticed the intrusion as they monitored computers they believed were linked to Iranian hackers targeting American firms,” the WSJ reported. “U.S. officials had linked these hackers to repeated disruptions at consumer-banking websites, including those of Capital One Financial Corp., PNC Financial Services Group, and Sun Trust Banks Inc.,” according to the WSJ. “Intelligence analysts then noticed that one of the machines was crawling the Internet, looking for vulnerable U.S. industrial-control systems; and, certain [specific] Internet addresses. Analysts at the National Security Agency (NSA) relayed these addresses to counterparts at DHS,” Mr. Yadron wrote. “Eventually, investigators linked one address to a ‘Bowman’ dam. But, there are 31 dams in the U.S. that include the word ‘Bowman’ in their name,” according to U.S. Army Corps of Engineers records.

“Officials feared that hackers had breached the systems at the Arthur R. Bowman Dam in Oregon, a 245-foot-tall earthen structure that irrigates local agriculture, and prevents flooding in Prineville, Oregon, population 9,200. The White House was notified of the discovery, on the belief that it was a new escalation in the ongoing digital conflict with Iran,” the Journal said. Eventually, the digital trail led to the Bowman Dam near New York City.

What Would It Really Take To Knock Out The Power Grid
John Breeden II, writing for NextGov in an article posted in the October 30, 2015 online edition of DefenseOne.com, describes how difficult, or not, it is to take down the U.S. power grid. His concerns come in the wake of reports that the Islamic State is actively exploring and plotting to sabotage the U.S. power grid. In response to those reports, Mr. Breeden II says, U.S. officials downplayed the threat and claimed that “past attempts were unsuccessful; and, that terrorists have little capability to enact a major [terrorist] attack against a [U.S.] utility.” But, Mr. Breeden II notes, “that [self-assurance and downplaying of the threat] misconception is based on the two different types of networks found at most utilities.”

“Every utility, like every modern company of any shape or size, has an IT network. The IT network consists of everything from desktop computers, to email servers, to storage devices — and even things like printers and webcams. It’s what most people think of when they think of a computer network,” Mr. Breeden writes. “For utilities, their IT networks are just as vulnerable as anyone else’s. In fact,” Mr. Breeden says, “some of the utility clients I have recently worked with were seeing Advanced Persistent Threats (APTs) as far back as 2010.” I suspect these attacks and probes very likely pre-date 2010, but, I digress. “It is safe to say,” Mr. Breeden observes, “there have already been successful cyber attacks against U.S. utilities.”

“So, why haven’t the lights gone out?” Mr. Breeden asks.

“Because compromising an email server, or stealing personnel and customer records — while bad — won’t let an attacker stop the flow of water at a dam, or overload a substation,” Mr. Breeden contends. “For that to happen, they would need to tap into the second type of network in place at most utilities, the one made up of operational technology.”

“Operational Technology, which is mostly called OT, consists of everything from industrial control systems to mechanical computers, and even electric valves, and switches. Many of our nation’s power plants were built decades ago, with some hydroelectric dams going back to the 1920s. Those plants have been haphazardly upgraded over the years; and today, contain a mix of modern technology working alongside some of the original equipment, which is much more manual than automated,” Mr. Breeden wrote, which of course reduces the cyber threat.

“There is also an enormous number of proprietary OT devices used, that contain unique operating and management software, sometimes specific to a single device. It really is a bit of a mess,” he says, “from an OT network management perspective, though that chaos has ironically kept utilities safe from cyber attacks.”

Thankfully, Mr. Breeden says, “an attacker would need special training, with specific devices, to be able to attack the OT infrastructure. Even then,” he says, “compromising one device would never be enough to endanger a large portion of the utility grid. They might be able to turn the power off for a neighborhood or something small; but, even that is doubtful.”

“But, the protection offered by our hodgepodge OT network won’t last forever,” Mr. Breeden warns. “A lot of the OT isn’t yet networked, though utilities are doing everything they can these days to make the OT more like IT. That way, they don’t have to send someone out in a truck to a remote substation, every time they need to flip a switch.”

“Even if the bad guys don’t yet have the capability to do any real harm to utilities, it’s only a matter of time,” Mr. Breeden warns.

But, the threat discussed by the Wall Street Journal today, with respect to the dam; and, Mr. Breeden’s article are missing one big glaring issue. Even if we had the right, and adequate cyber protections in place at all of our critical infrastructure facilities, one well-placed small explosive could do as much, if not more damage than a digital attack. Much, if not most, of our critical infrastructure is lightly protected, isolated, and often fairly easy — in too many cases — to access. We could spend ourselves into oblivion, and our systems would still be vulnerable. That’s why the best defense is a good offense; and, we need to kill these Islamic State and al Qaeda, and others of their ilk — whenever, and wherever we can. V/R, RCP
