Just days before Christmas, disturbing news came to light exposing the waning cybersecurity posture of US critical infrastructure. In 2013, Iranian hackers breached the Bowman Avenue Dam near Rye Brook, New York and gained control of the floodgates.
SOBH Cyber Jihad, in coordination with another Iran-associated hacker group, Parastoo, claimed responsibility for the intrusion. In what appears to be an unsophisticated attack, the digital intruders seemed to be “testing the waters,” since they cracked the network, but left the system intact.
According to Rye Brook Mayor Paul Rosenberg, the software used to manage the dam was “very common” and an “industry standard.”
While standing at the Bowman Avenue Dam on December 23, US Senator Charles E. Schumer (D-NY) stated, “Simply put, our country’s critical infrastructure is still far too vulnerable to hackers and we must do more — and fast — to ward off this metastasizing threat. Iran’s recently disclosed 2013 hack right here in New York on this dam shows that cities and sensitive industrial systems across New York and the nation are too vulnerable.”
The Senator further added, “Whether it’s a dam in Rye Brook, or our power grids, our financial institutions, our water systems, or our online networks, these parts of our infrastructure are at risk and are under assault like never before, and we need to do more about it. That is why I am urging the Department of Homeland Security (DHS) to fully investigate the Rye Brook hack and all the others like it that target our critical infrastructure. We must know where we are vulnerable and ramp up our security efforts. When it comes to fighting off the scourge of cyber attacks, we also must work arm-in-arm with state and local governments to prevent future hacks.”
While Senator Schumer makes excellent points regarding the nation’s critical infrastructure, the issue is not a new one and the government has made strides to protect infrastructure. Three bipartisan bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (HR 3696), the Critical Infrastructure Research and Development Advancement Act (HR 2952), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (HR 3107), were passed by the House in 2014 to protect critical infrastructure from real-time cyber threats.
More recently, the Critical Infrastructure Protection Act (CIPA) was passed by the House Committee on Homeland Security in an effort to protect the nation from an electromagnetic pulse, which would render the electric grid inoperable. Though strides in the right direction have been made, legislation is only as effective as the implementation that follows.
The attack confirms the fears of many cyber experts: foreign hackers can access critical infrastructure through dated, Internet-accessible software. In 2013, the Russian hacking group known as “Energetic Bear,” or “Dragonfly,” shifted its malware campaign to targeting the US energy sector, according to researchers at California-based cybersecurity firm CrowdStrike. In January 2014, CrowdStrike released a Global Threat Report linking Energetic Bear to the Russian Federation.
Timeworn equipment is not the only factor contributing to the vulnerability of critical infrastructure: even sophisticated federal information systems have been compromised. Shortly after an enormous breach of the Office of Personnel Management in June 2015, which compromised the personally identifiable information of 20 million federal workers, the Government Accountability Office released an audit report detailing the “persistent weakness” of 24 federal agencies.
Furthermore, earlier this year, Homeland Security Today reported that a recent survey revealed that the confidence global security executives have in their organization’s cyber preparedness may be unfounded. The executives did not make a connection between the escalation in cyberattacks in recent years and their own organization’s vulnerability. This overconfidence raises serious concerns that complacency may be opening these organizations up to serious security incidents.
More recently, it came to light that a December 23 blackout in war-torn Ukraine left hundreds of thousands without electricity, a blackout caused by a malicious cyber attack. Researchers at ESET, a Bratislava-based IT security company, identified the malware that infected multiple power authorities; their findings have been confirmed by Trend Micro and iSIGHT Partners.
The malware toolkit used to infect Ukrainian power authorities, known as BlackEnergy, was used to gain access to utility networks, where it then placed a related piece of malware, KillDisk, onto targeted systems. KillDisk then began to erase or overwrite system data, aiming to sabotage critical parts of the industrial control computers’ hard drives.
The Ukrainian Security Service has accused Russia of the cyberattacks, and iSight says that Moscow-backed cyber group Sandworm is believed to be the perpetrator. According to Trend Micro, DHS believes the attacks were “sponsored by the Russian government.”
In 2014, Trend Micro published a report noting that the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) had released an advisory warning operators of industrial control systems that human-machine interface (HMI) software was under attack by hackers using BlackEnergy malware.
The report stated, “Such software is seen as a valuable target by hackers because it provides a visual overview of manufacturing and industrial control processes which are able to communicate with logic controllers and manage processes from a central, usually Windows-based, interface. Processes controlled by the software include manual functions like modifying temperature controls and turning pumps on and off for some of the country’s most critical infrastructure, such as wind turbines, power transmission grids and oil and gas pipelines.”
Homeland Security Today has reported several times on the increasingly dated critical infrastructure in the US. According to retired military intelligence officer Aden McGee, disrupting a nation’s critical infrastructure is a “fundamental principle of war.” McGee’s fears that “our critical assets are likely known to potential adversaries with interests in understanding our key capabilities” have been confirmed.
In this age of modern warfare, nation-state players attack without warning and with intangible tools of destruction.