Doug Wylie explains why the world’s dams are now primary targets for cyber attack.

On March 23, 2016, the United States Justice Department officially indicted seven Iranian hackers on "conspiracy to commit and aid and abet in computer hacking." The charges are related to the 2013 cyber breach at the Bowman Avenue Dam in Rye Brook, New York, located just 30 miles north of New York City. The cybersecurity community had suspected Iranian involvement for some time, and the Justice Department’s indictment confirmed that the United States shared those same suspicions, eventually connecting the adversaries to organizations closely tied to the Iranian Revolutionary Guard. Most importantly, the indictment represents the first time U.S. government has charged citizens of a nation state for a cyber attack that targeted critical infrastructure on American soil.

As an outcome of the Bowman Avenue Dam’s solid engineering practices, the intrusion did not have downstream effects; meaning physical damage or destruction did not take place. However, the indictment does charge that the hackers were able to "access information about the dam’s operations, including its water level, temperature and the sluice gate." If not for being caught early, the attackers could have gained additional levels of access that could have caused major problems at the time of the incident or for use in future attacks.

The Justice Department’s decision comes at a time when the world, not just America, is on high alert for cyber attacks targeting critical infrastructure. Earlier this year, Ukraine fell victim to the most public cyber attack against critical infrastructure since Stuxnet, a highly advanced and targeted attack on Iranian nuclear facilities in the mid 2000s. The confirmed attack in the Ukraine targeted the country’s power grid and left hundreds of thousands of people in the dark for hours. In addition, Japan is in the midst of fending off repeated cyber attacks against its nation’s critical infrastructure, including several advanced persistent threats (APTs) targeting its utility and energy companies. Just recently, Verizon Security Solutions unveiled a report in which a water treatment plant was severely compromised by cyber attack. While it is too early to make conclusions of any certainty, this report may validate rumors that water treatment plants are increasingly being attacked. In fact, the Environmental Protection (EPA) Agency in the US has recently taken interest in improving water sector security.

With vast amounts of evidence and recent events proving that cyber threats to critical infrastructure are proliferating worldwide, it’s important for dam owners and operators to understand the risks to operations, equipment and people; recognize the vulnerabilities that make dams attractive targets, and embrace solutions that can minimize and prevent attacks.

Classification of dams as critical infrastructure

Although dams vary significantly in size and functionality, each plays an important role in maintaining the efficiency and operations of everyday life. From power generation and water treatment to flood prevention and water storage, societies across the globe depend on dams.

Understanding the importance of dams and other critical infrastructure, U.S. President Barack Obama issued Executive Order 13636 in 2014 clarifying the definition of critical infrastructure to include the dams sector. Under this order, critical infrastructure was defined as any "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

In addition, the US Department of Homeland Security (DHS) classifies the country’s almost 83,000 dams as one of 16 critical infrastructure sectors. The organization validates this distinction because:

"The Dams Sector delivers critical water retention and control services in the United States, including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. Its key services support multiple critical infrastructure sectors and industries."

In Europe, France and Germany are pioneering the continent’s approach to protecting critical infrastructure from cyber attack. In 2015, the German Parliament passed regulation that would hold the owners and operators of critical infrastructure, including dams and reservoirs, accountable for maintaining strict cybersecurity standards. The regulation even went as far as to mandate penalties of up to €100,000 ($114,000 USD) for noncompliance. Just months earlier, France’s Network & Information Security Agency formulated what would become the European Union’s (EU) first mandatory critical infrastructure cybersecurity installation and maintenance requirements. Elsewhere around the world, countries like Australia and Japan have followed suit and enacted rules and regulations of their own; hoping to minimize the risk to their critical infrastructure before it’s too late.

Why are dams vulnerable to cyber attack?

Around the world, dams are aging and the equipment responsible for daily operations is deteriorating. In fact, a 2013 report by the American Society of Civil Engineers concluded that the average age of American dams was 52 years old. The report also recommended an investment of $21 billion per year to repair the aging infrastructure. In Iraq, the Mosul dam, arguably its most critical infrastructure, is reportedly on the verge of collapse, which could potentially kill a half million people or more from the unprecedented levels of floodwater that would flow.

Another major vulnerability for dams is spillway management. Operator instructions to open spillways are often very simple and are unconfirmed. For example, a command is issued to open all spillways immediately with no ramp and the operators in many dams will likely follow instructions trusting that there is a reason for the command. This has actually been a problem for a number of dams in the past resulting in fatalities and drowning, which are unfortunately goals for some of the most ruthless cyber attackers.
Today, the majority of dams are run by supervisory control and data acquisition (SCADA) systems, a type of industrial control system (ICS) used for remote monitoring of processes in which reliability and availability of service are of the utmost importance. When SCADA was first introduced in the 1960s, the systems were controlled manually and operators had to physically go to each facility to turn equipment on and off. The benefit of SCADA, however, was that it enabled automation to control processes, collect and store information, produce analytics and display real-time operational data.

Historically, Operational Technology (OT), like SCADA, was standalone and did not have interconnectivity. New technology, however, such as data-driven analytic applications and cross-platform communications, have been added to industrial systems to increase productivity and achieve greater levels of reliability. This has been done despite legacy systems not being designed to integrate with such advanced technologies.

In the past 10 years, critical infrastructure has increasingly evolved into digital systems that are fundamentally able to be modified via changes to system logic or modification of system messages have replaced older legacy analog systems. While digital systems have added increased functionality and lower costs, they are fundamentally more subject to compromise than their analog predecessors.

Modern automation and control systems now connect to business networks and external systems to allow operators and suppliers to remotely control, monitor, and maintain every aspect of operations, ultimately improving productivity, enhancing performance and reducing costs. Communications technology is also used to tap into an extended global supply chain and more tightly couple manufacturing and infrastructure operations to the global marketplace.

While these advancements improve efficiency, they also create new attack surfaces, introduce complexities, and expose vulnerabilities for attackers to exploit. For terrorist organizations and nation-states like Iran and North Korea, the vulnerabilities in these systems are enticing motivation. For adversaries who are not entirely financially motivated, cyber attacks against critical infrastructure have the real possibility to cause damage, destruction and even physical harm.

With a clear motivation, the means to commit such cyber terrorism have become exponentially easier with the proliferation of connected infrastructure. Prior to the adoption of connected digital systems, an adversary would need to be physically on site in order to compromise a control system or rely on people to walk their attacks into production systems. Introducing interconnected systems and remote access technology provides someone with malicious intent the ability to gain access to networks from anywhere in the world, just like the Iranians accessed the Bowman Avenue Dam from thousands of miles away.

No dam is too small to attack

Dams around the globe come in all sizes, with most not being nearly as large as the Hoover Dam in Nevada or the Kielder Water Reservoir in England. Depending on the objective of the dam and its proximity to population, one might suppose that not all dams are created equal.

This assumption, although logical, doesn’t hold true for justifying a cyber attack. The consequences of attacking even the smallest dam could include massive public confidence breach and public fear, as well as significant environmental damage including loss of life. A major dam failure could result in a rapid water rise in short order that could impact river goers many miles downstream without warning.

Using the New York dam attack as an example, it had been widely reported that the event lacked the hallmarks of sophisticated threat actors, which is very likely why the breach was discovered so quickly. Also, the infiltration was apparently limited to the dam’s back office operations, not reaching critical system used to control water. Given the physical location of the dam, the apparent rapid discovery of the breach, and with no indications that an attack on the dam’s operations was imminent, why was this attack of any importance at all?

Let’s suppose that the Iranian hackers had intelligence that three of its five most prized targets were all using ICS made by Yokogawa Electric. Now, what if those same adversaries were able to find small, less "significant" infrastructure, such as a remote dam, that used the same Yokogawa Electric system, but on a smaller scale. With less oversight and security safeguards in that dam, the hackers could, in theory, practice techniques and discover the most critical vulnerabilities to exploit. This type of intelligence gathering would be invaluable to obtain before attacking primary targets.

Unfortunately, the specific motives behind reconnaissance activities that target critical infrastructure systems will likely continue to elude security experts. Indicators of compromise, essentially the digital breadcrumbs left behind after an event, are difficult to piece together and they alone rarely give clarity to the state of mind of an attacker. Nonetheless, it does reinforce the need for dam owners and operators to understand that all facilities are at risk.

Being prepared does not mean being scared

Cyber threats to critical infrastructure around the world will only get worse before they get better. Until old equipment can be replaced and vulnerabilities can be identified in legacy systems, the means, motive and opportunity for cyber criminals to attack critical infrastructure will outweigh any consequences of getting caught. With rules and regulations, standards and guidelines varying by industry and location, it’s all but impossible to create a framework for critical infrastructure security that is absolute. As such, here are three things dam owners and operators can do to limit risk and remain poised and prepared in the era of cyber attacks:

1. Report suspicious activity right away
Remember that little, innocuous back office attacks, such as the one at Bowman Avenue Dam, should not be minimized. Events like this are all worthy of attention. Such breaches can serve as early warning signs of unauthorized reconnaissance, attempts at data collection, and they can even perform as initial entry points into networks that could be the beachhead for eventually gaining access to even more critical networks and systems. In fact, Al-Qaeda is on record as far back as 2002 as wanting to organize attacks on dams.

2. Create a cybersecurity culture beyond compliance
Depending on where you are in the world, dams may be subject to government or industry regulations, rules, guidelines or standards. While most agree that compliance will help reduce security risk and improve reliability for critical infrastructure, there should be no mistaking these ‘laws’ as an absolute solution that eliminates all cyber risk. In fact, the unintended consequence of any regulation – whether industry or government initiated – is that it often leads some organizations to meet only the minimum requirements for compliance, inherently still leaving infrastructure vulnerable to attack. Instead, go beyond compliance, and create a culture within your organization that adequately prepares people, process and technology to combat cyber threats.

3. Gain situational awareness & visibility into control systems
Early detection and clear visibility into a dams control systems network are imperative. Automated monitoring of network communication and ensuring unusual patterns and events are brought to the surface and remediated are both a critical part of a comprehensive ICS cybersecurity solution – a solution that takes deliberate precautions and plans for how to identify, protect, detect, respond and recover from cyber incidents.
The world’s dams are invaluable to each and every countries way of life. Lets do everything we can to protect them from cyber attacks.

Doug Wylie is the vice president of product marketing at NexDefense, a leading provider of cybersecurity for industrial control systems. He is a certified cybersecurity practitioner with over 20 years in the industrial automation space.