Alleged Dam Hacking Raises Fears of Cyber Threats to Infrastructure

New York Governor Andrew Cuomo, pictured here in September 2015, said, following the cyberhacking of the Bowman Avenue Dam in Rye Brook, New York, that cybersecurity is a "top priority." Brendan McDermid/REUTERS

Alfred Hitchcock’s Saboteur (1942) involves a plot to blow up the Hoover Dam. Situated between Nevada and Arizona, the dam is made of concrete and is 726 feet tall and 1,244 feet wide. The Nazis also apparently planned to blow it up, history experts have said.

More recently, a hacker affiliated with the Iranian government allegedly targeted a much smaller dam—in Rye Brook, New York, about 30 miles north of Manhattan. The floodgate of the Bowman Avenue Dam is just 15 feet wide and two and a half feet tall, but cybersecurity experts say if the Iranians were able to access its control system, they could also likely get inside systems for more significant infrastructure, such as pipelines, mass transit systems and power grids.

The U.S. Justice Department unsealed an indictment last week that names seven Iranian nationals who are facing charges related to cyberattacks on 46 companies from 2011 to 2013. While many of the targets were major banks in the U.S., one of the hackers also allegedly tapped into the dam’s control system.

Hamid Firoozi, 34, is believed to have done so between August 28 and September 18, 2013. The dam's Supervisory Control and Data Acquisition (SCADA) system connects to the Internet through a cellular modem. He allegedly obtained water-level and temperature information, and would have been able to operate the floodgate remotely if it had been operating at the time.

Rye Brook is a village of 9,500 in the Town of Rye in Westchester County. Its mayor, Paul Rosenberg, tells Newsweek the hacker caused no damage because the structure was in “maintenance mode.”

“I’m getting a lot of questions in terms of what was the damage that really could have happened had this person actually been able to activate the sluice gate dam,” Rosenberg says.

Had Firoozi been able to open the floodgate during a storm, he could have caused nearby homes and businesses to flood. “We’re not talking about the Hoover Dam here,” says Rosenberg. Still, recent flooding, such as in 2007, 2010 and 2011, caused “very, very significant damage to a lot of residences” and businesses. The 2007 flooding caused more than $80 million in damages to the nearby City of Rye, according to a Community Reconstruction Plan.

The alleged hacking incident has thrust the village and its unassuming dam into the national spotlight. “The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime,” Manhattan U.S. Attorney Preet Bharara said in a statement last week. “We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.”

“There’s a certain amount of disbelief,” says Sheri Jordan, director of the Rye Historical Society.

Rosenberg says he first learned of the hacking shortly after becoming mayor in 2013. As he previously told The New York Times, Rosenberg says someone involved in the investigation back then asked him not to discuss it. “I was under very strict orders,” he says. “I didn’t even tell my wife about it.”

The Wall Street Journal first reported on the hacking last December. A federal court grand jury in New York indicted the alleged hackers in January. The FBI has said they worked for two private computer security companies in Iran that operate on behalf of the Iranian government.

The dam dates to the first half of the 1900s, when it was used to create ice, according to a 2008 flood mitigation study. It collapsed in 1941 and was rebuilt. The dam sits on Blind Brook, which once powered mills—until the New York City reservoir system was put in place in the 1800s, says Jordan, the Historical Society director. The water flows into the Long Island Sound. The City of Rye owns and manages the dam.

Cybersecurity experts say that even if local flooding is the worst that could have happened if the hacker opened the floodgate, the incident shows how vulnerable infrastructure is to such threats.

“Iran is very technically capable of attacking our critical infrastructures,” says Joe Weiss, a cybersecurity expert who is a managing partner at Applied Control Solutions, a security consulting company, and a managing director at ISA99, a nonprofit international standards body. “When you’re connected to the Internet, you’ve got an awful lot of people who are looking for opportunities to attack things.”

Weiss says the control system for the Bowman Avenue Dam is likely similar to those for more significant structures. “The same identical problems that you talk about in power plants, refineries, pipelines, transportation, are the same identical ones that would be in a dam,” he says. “The same things are also in nuclear plants.”

Weiss maintains a database of “cyber incidents” involving control systems dating to the 1980s. Though not all of those 800 incidents were “malicious,” he says, they have led to some 1,000 deaths. Ten of the overall incidents involved dams.

“Often, hydro facilities are in the middle of nowhere and they are often unmanned, and so you need some sort of remote monitoring and remote control,” he says. “You can cause some very major problems.”

One such problem occurred at the Taum Sauk Hydroelectric Power Station in Missouri in 2005, when the failure of water-level gauges is believed to have caused water to overflow and part of a reservoir to collapse, which injured several people. The incident was the result of a control system failure, not a hacking or attack, but Weiss says: “Could you have done it that maliciously? Very easily.”

In recent years, the federal government has issued warnings about the vulnerability of infrastructure to cyberattacks. Responding to an executive order by President Barack Obama, the U.S. Department of Homeland Security launched what it calls the Critical Infrastructure Cyber Community Voluntary Program in 2014 “to help critical infrastructure sectors and organizations reduce and manage their cyber risk.”

Rye City Manager Marcus Serrano says the system for the dam in 2013 was “a standalone PC that had its own Internet connection to connect to the dam, and it wasn’t even functional at that point yet. It was just gathering water levels and keeping that on a spreadsheet.”

Mayor Rosenberg says it’s possible the Iranians chose the Bowman Avenue Dam because they mistook it for a more significant dam with a similar name. He also wonders if the hacking was “a dress rehearsal for something even bigger.”

Weiss, the cybersecurity expert, says it’s more likely that the hacker was searching for vulnerabilities and simply stumbled across the Rye Brook dam.

“There are people out there actively looking for anything that’s connected to the Internet. They don’t care what it is, they don’t care how big or how small,” he says. “When you connect systems to the Internet, you are basically putting this big red light up and saying ‘look at us.’ A bad guy may or may not even know what they’re attacking, nor do they care.”

Six of the Iranian defendants are each charged with one count of conspiracy to commit and aid and abet computer hacking, and they each face up to 10 years in prison. Firoozi faces that charge and an additional one for obtaining and aiding and abetting unauthorized access to a protected computer, which has an additional five-year maximum sentence.

In a statement, New York Governor Andrew Cuomo said he considers cybersecurity a “top priority” and said the state had implemented measures to improve it, including “through upgrades in outdated infrastructure.”

Earlier this year, hackers targeted a hospital in Los Angeles and held its computer system hostage for ransom. The hospital ended up paying the hackers $17,000. Cybersecurity experts said at the time that the payout could set a dangerous precedent.
