Digital Age Warfare
Iranians Hack US Dam

Iranians hacked a dam not too far from New York City in 2013, according to new reporting from The Wall Street Journal on the breach, which remains classified. More:

Amid a mix of three-letter agencies, unclear Internet addresses and rules governing domestic surveillance, U.S. officials at first weren’t able to determine where the hackers had infiltrated, three of the people familiar with the incident said.

Hackers are believed to have gained access to the dam through a cellular modem, according to an unclassified Homeland Security summary of the case that doesn’t specify the type of infrastructure by name. Two people familiar with the incident said the summary refers to the Bowman Avenue Dam, a small structure used for flood control near Rye, N.Y.

The dam in question turned out to be fairly insignificant, in and of itself. But the larger problem it portends is very real. As fans of the movie The Dam Busters will recall, during the Second World War the Brits assembled a crack aviation team, armed with custom bombs, to demolish German dams in the Ruhr, flooding farmland and vital industrial sites and killing thousands. But now, you don’t need any of that: A computer operator can sit in an air-conditioned room in Tehran (or Moscow or Beijing) and open the floodgates remotely.

And as the Internet becomes more important economically and more and more pieces of infrastructure are connected to it, this kind of attack will likely play a bigger role in national security debates. Unfortunately, right now our infrastructure is relatively poorly protected:

Many of the computers controlling industrial systems are old and predate the consumer Internet. In the early digital days, this was touted as a security advantage. But companies, against the advice of hacking gurus, increasingly brought them online in the past decade as a way to add “smarts” to U.S. infrastructure. Often, they are connected directly to office computer networks, which are notoriously easy to breach.[..]

The U.S. has more than 57,000 industrial-control systems connected to the Internet, more than any other country, according to researchers at Shodan, a search engine that catalogs each machine online. They range from office air-conditioning units to major pipelines and electrical-control systems.

Security experts say companies have done little to protect these systems from would-be hackers.

It’s sad to say, but the Internet, once seen as a kind of innocent paradise, is going to become as full of trouble and strife as everything else. The invisible arms race continues as countries (and criminal syndicates and terror organizations) all over the world are rushing to militarize cyberspace.

Meanwhile, in the U.S., a debate that’s often presented as a binary choice between privacy and security will have to become more nuanced. Americans have a long and honorable tradition of resisting overly intrusive government. But when Iranians are hacking into local flood controls, the public is also going to demand a government that can protect them. Figuring out how to balance those two imperatives will be key to policymaking in the 21st century.

[Update: The title and excerpt of this post originally referred to the hack as a “breach” and have been changed to clarify the electronic nature of the event]

  • Jim__L

    Weaponizing the Internet of Things… The mind reels.

    • Andrew Allison

      Welcome to 21st Century warfare. Our infrastructure has been infiltrated on a massive, and frightening, scale. This very real threat appears to have been largely overlooked.

  • bottomfish

    Was there ever any real need to connect these control systems to the Internet?

    • Jim__L

      Is there ever any real need to connect these things to the phone network? It seems to me that that’s a good level of security to practice.

      • bottomfish

        Some means of transmitting information to and from the control equipment (located on the site) is needed, apparently, so that locks on a dam may be opened and closed from a remote location.

        • Jim__L

          Again, why is the connectivity *needed*? If a dam were in danger of being physically taken over by a squad of foreign operatives who would open the floodgates and destroy everything downstream, we’d pay for security guards. Why not cut connectivity, and pay for onsite operators to prevent a squad of foreign operatives from remotely taking over the dam and opening the floodgates to destroy everything downstream?

          The mania for applying new technology to everything is clearly not rational.

© The American Interest LLC 2005-2016