Cyber-Attack Against the Bowman Avenue Dam

August 4, 2016

In 2013, hackers launched a cyber-attack against the Bowman Avenue Dam near Rye, NY (20 miles north of NYC). The attacker gained unauthorized access to the SCADA system and was able to obtain information on operations, including water levels, temperatures and the status of machinery. Due to the high risk of disaster, the U.S. Federal Government conducted an in-depth investigation and eventually prosecuted seven hackers linked to the Iranian Government. Although no physical harm was reported, this case study exemplifies the great damage that could be inflicted by such an attack on critical infrastructure. Investigators have assessed that if the attackers had been able to open the floodgate during a rainstorm, they would have been able to flood the City of Rye, NY and possibly cause significant damage estimated at $80 million or more.

One of the alleged attackers, Hamid Firoozi, used a relatively simple technique known as “Google Dorking” to pinpoint an unprotected computer that controlled the infrastructure. Once it was identified, he used more advanced malicious tactics and techniques to hack into the Bowman Dam.

Several analysts have opined that the attack on the Bowman Dam could be considered a retaliatory Iranian attack on the U.S., following the latter’s supposed involvement in the Stuxnet attack on Iran’s uranium enrichment program (2010). The alleged intrusion into the dam was sophisticated, demonstrating that Iran had greater digital-warfare capabilities than was believed at the time.

Main Security Deficiencies
The attacker managed to reach the OT system without being identified. In addition, he managed to access and manipulate the OT system without raising any suspicion. This highlights certain multi-level security gaps:

  • Deficient peripheral cyber defenses for industrial control systems, automation computers and Operational Technology (OT) at the dam. Sufficient perimeter control should have enabled the defender to restrict access to the OT for authorized personnel only. While that would be a critical first line of defense, it would still require further layers to assure security of the OT. 
  • Lack of effective real-time monitoring and responsiveness. While placing perimeter controls to prevent unauthorized access is essential, such a defense layer only goes so far: it cannot prevent a more sophisticated penetration in which a trusted party gets compromised (either via credential theft or simply malware that takes control of a trusted party). To mitigate such a risk, an intelligent monitoring system needs to be installed. Such a system should learn the normal OT behavioral patterns, in the form of OT communications, and alert on or act upon any risky anomaly. Such a defense layer was obviously missing.
  • Lack of effective incident response measures. While strong perimeter and monitoring systems are a necessity, no security system can be considered complete without handling the scenario of an actual breach. The security team should have at their disposal a set of tools and measures to minimize the damage of a potential breach in a way that also minimizes the disruption of normal operations (shutting off the lights might be an option, but this would mark a victory for the attacker), in the form of isolation of assets, connecting parties, etc.
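The three gaps above (perimeter restriction to authorized hosts, behavioral monitoring of OT communications, and an isolation response) can be illustrated together in a small defender-side script. The following is an added example written for this case study; it is not Nation-E’s product code and it does not reflect the actual Bowman Avenue Dam network. It assumes a simplified, constructed log format of the form `timestamp src dst protocol function target value`, standing in for the records a network monitor would extract from PLC traffic, and all host addresses, register names and set-point ranges are constructed values. The script learns a baseline of (source, destination, function, target) patterns from a learning window, then scores live records against an authorized-host allowlist, the learned baseline and a physical safe range, and maps the findings to an action (allow, alert, or isolate the source).

```python
"""Baseline-driven anomaly detection for OT communication logs.

Added example for this case study, not Nation-E's code. Log format, hosts,
register names and ranges below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Perimeter allowlist: operator workstations allowed to talk to the PLC (constructed).
AUTHORIZED_HOSTS = {"10.10.1.5", "10.10.1.6"}

# Physical bounds for a set point; a write outside this range is risky no matter
# who sends it (constructed values, e.g. floodgate opening in percent).
SAFE_RANGES = {"gate_setpoint": (0.0, 40.0)}


@dataclass
class Baseline:
    patterns: set = field(default_factory=set)  # (src, dst, func, target) seen in learning window
    writers: set = field(default_factory=set)   # sources that issued WRITE commands


def parse_line(line):
    """Split one constructed log record into a dict."""
    ts, src, dst, proto, func, target, value = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "func": func, "target": target, "value": float(value)}


def learn_baseline(lines):
    """Learn which host talks to which device, with which function, from known-good traffic."""
    base = Baseline()
    for rec in map(parse_line, lines):
        base.patterns.add((rec["src"], rec["dst"], rec["func"], rec["target"]))
        if rec["func"] == "WRITE":
            base.writers.add(rec["src"])
    return base


def assess(rec, baseline):
    """Return (severity, reason) findings for one record against perimeter, baseline and range checks."""
    findings = []
    if rec["src"] not in AUTHORIZED_HOSTS:
        findings.append(("high", f"unauthorized source {rec['src']}"))
    key = (rec["src"], rec["dst"], rec["func"], rec["target"])
    if key not in baseline.patterns:
        findings.append(("medium", f"never-before-seen pattern {key}"))
    if rec["func"] == "WRITE" and rec["src"] not in baseline.writers:
        findings.append(("high", f"{rec['src']} never issued writes during learning"))
    lo, hi = SAFE_RANGES.get(rec["target"], (float("-inf"), float("inf")))
    if rec["func"] == "WRITE" and not lo <= rec["value"] <= hi:
        findings.append(("critical", f"{rec['target']}={rec['value']} outside safe range"))
    return findings


def respond(findings):
    """Map findings to a response: isolate the source on high/critical, alert on medium."""
    severities = {sev for sev, _ in findings}
    if severities & {"critical", "high"}:
        return "isolate_source"
    if "medium" in severities:
        return "alert"
    return "allow"


def monitor(lines, baseline):
    """Score each live record; returns a list of (src, action, findings)."""
    results = []
    for rec in map(parse_line, lines):
        findings = assess(rec, baseline)
        results.append((rec["src"], respond(findings), findings))
    return results


# Constructed learning-window traffic: operators polling the PLC, one host occasionally writing.
BASELINE_LOG = [
    "2016-08-01T08:00:00 10.10.1.5 10.10.2.20 modbus READ water_level 0",
    "2016-08-01T08:00:05 10.10.1.5 10.10.2.20 modbus READ gate_position 0",
    "2016-08-01T08:00:10 10.10.1.6 10.10.2.20 modbus READ water_level 0",
    "2016-08-01T08:05:00 10.10.1.6 10.10.2.20 modbus WRITE gate_setpoint 12",
]

# Constructed live traffic: a normal poll, then an outside host reading, then writing out of range.
LIVE_LOG = [
    "2016-08-04T09:00:00 10.10.1.5 10.10.2.20 modbus READ water_level 0",
    "2016-08-04T09:00:07 203.0.113.9 10.10.2.20 modbus READ water_level 0",
    "2016-08-04T09:00:09 203.0.113.9 10.10.2.20 modbus WRITE gate_setpoint 95",
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    for src, action, findings in monitor(LIVE_LOG, base):
        print(src, action, findings)
```

Run as a script it prints one line per live record: the operator poll is allowed, the first record from the outside host is already flagged (unauthorized source plus an unseen pattern) and would trigger isolation, and the out-of-range write is escalated to critical. The point of the layering is that the range check still fires even if the attacker were operating from a compromised authorized workstation, which is the case the perimeter allowlist alone cannot catch.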

Hypothetical Scenario: What would have happened if Nation-E’s solution had been deployed at the Bowman Avenue Dam?
An examination of this case study highlights that the Bowman Avenue Dam did not have adequate cyber protection for its critical infrastructure. Ostensibly, if Nation-E’s solution had been deployed at these installations, the system administrator would have had effective means to detect and thwart crucial steps in the cyber kill chain:

  • With Nation-E’s solution, the attack would have been discovered immediately, as the solution would have detected abnormal activity during the initial intrusion. Once the attack was detected, the system would have sent real-time alerts to the system administrator, who could activate defensive measures (e.g., asset isolation).
  • The attackers would not have been able to gain unauthorized access to the SCADA system. The system would have shut the attacker out by activating a two-factor authentication process.