WASHINGTON — Iranian hackers breached a dam outside of New York in 2013, according to a former official, managing to get control of the flood gates.
The previously undisclosed cyberattack was first reported by The Wall Street Journal on Monday.
According to a former official familiar with the 2013 investigation into the attack, the hack of Bowman Avenue Dam near Rye Brook, New York, was not a sophisticated intrusion, but a test by Iranian hackers to see what they could access.
The breach occurred during the same time frame that Iranian hackers were targeting U.S. financial institutions.
The attackers were unable to get into the full dam system, but could take control of the flood gates. The incident remains classified, the official said.
Rye Brook Mayor Paul Rosenberg said the dam is used to control water flow when it rains to prevent flooding downstream. The dam is managed by a piece of software that Rosenberg told CNN was “industry standard” and “very common.”
He said he doubted the hackers could have wreaked heavy damage or that Rye was a substantial target, but it worries him that hackers are looking for any opportunity they can find to cause damage.
“I think one of the great things here is that the federal government stepped in and stopped what could have been something bad from happening,” Rosenberg said. “We appreciate that, but it makes me wonder about what would be potentially next, and that makes me concerned. I think in this day and age all municipalities need to look at our infrastructure and see where are our soft targets, where should we be prepared.”
News of the attack illustrates what has long been a fear of cyber experts: that overseas hackers can easily get into pieces of old critical infrastructure running on retrofitted software that is connected to the Internet. U.S. susceptibility to an attack on its electrical grid or industrial control systems by terrorists or other nations has been a concern of security experts, lawmakers and academics alike.
Hackers are often able to use tools to scan the Internet for networks that are vulnerable, and generic software makes that even easier. Software used across many different entities can often have the same weaknesses and may not be kept up to date, and users sometimes keep in place default passwords and settings for convenience.
To make matters worse, most of the critical infrastructure in the U.S. is privately owned, making it difficult for governments to harden the systems against attack.
The news also comes on the heels of another major breach — a flaw in software from computer network company Juniper Networks that would have allowed sophisticated hackers to install backdoors into computer networks, potentially allowing them to spy on the encrypted communications of the U.S. government and private companies for the past three years.
The Department of Homeland Security would not comment on the dam intrusion, but did note in a statement that its cybersecurity center serves as a hub for monitoring and mitigating attacks. DHS also maintains the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to respond to such attacks.
“The Department of Homeland Security continues to coordinate national efforts to strengthen the security and resilience of critical infrastructure, working with our federal and industry partners across the country to raise awareness about evolving threats and promote measures to reduce risks to systems we all rely on,” the department said.
New York lawmakers cited the news as an example of the need for greater attention on cybersecurity.
“Iran is the leading state sponsor of terrorism around the globe, so this sort of behavior is par for the course. An Iranian cyber-attack on a small dam in Rye is reason enough for concern, but when we look at other potential targets … it’s clear that we must do more to assess and address potential vulnerabilities to a cyberattack,” Democratic Rep. Eliot Engel said in a statement.
“Reports of Iranian hackers infiltrating the control system of a Rye dam in 2013 underscore the urgent need for a national cybersecurity strategy that protects individuals, businesses, and our communities,” said Democratic Rep. Nita Lowey. “I will continue working to ensure Iran — the number one state-sponsor of terrorism — is held accountable for its actions, and that my constituents in Westchester and Rockland, as well as all Americans, can live in safe and secure communities.”
According to ICS-CERT, in 2014 the team responded to 245 cyber incidents reported by critical infrastructure operators, 32% of which were in the energy sector and 27% of which were in critical manufacturing.
Many of the compromises were carried out by simple “spearphishing” attacks — where employees are duped by an email into clicking a malicious link.