Iranians hacked a dam not too far from New York City in 2013, according to new reporting from The Wall Street Journal on the breach, which remains classified. More:
Amid a mix of three-letter agencies, unclear Internet addresses and rules governing domestic surveillance, U.S. officials at first weren’t able to determine where the hackers had infiltrated, three of the people familiar with the incident said.
Hackers are believed to have gained access to the dam through a cellular modem, according to an unclassified Homeland Security summary of the case that doesn’t specify the type of infrastructure by name. Two people familiar with the incident said the summary refers to the Bowman Avenue Dam, a small structure used for flood control near Rye, N.Y.
The dam in question turned out to be fairly insignificant, in and of itself. But the larger problem it portends is very real. As fans of the movie The Dam Busters will recall, during the Second World War the Brits assembled a crack aviation team, armed with custom bombs, to demolish German dams in the Ruhr, flooding farmland and vital industrial sites and killing thousands. But now, you don’t need any of that: A computer operator can sit in an air-conditioned room in Tehran (or Moscow or Beijing) and open the floodgates remotely.
And as the Internet becomes more important economically and more and more pieces of infrastructure are connected to it, this kind of attack will likely play a bigger role in national security debates. Unfortunately, right now our infrastructure is relatively poorly protected:
Many of the computers controlling industrial systems are old and predate the consumer Internet. In the early digital days, this was touted as a security advantage. But companies, against the advice of hacking gurus, increasingly brought them online in the past decade as a way to add “smarts” to U.S. infrastructure. Often, they are connected directly to office computer networks, which are notoriously easy to breach.[..]
The U.S. has more than 57,000 industrial-control systems connected to the Internet, more than any other country, according to researchers at Shodan, a search engine that catalogs each machine online. They range from office air-conditioning units to major pipelines and electrical-control systems.
Security experts say companies have done little to protect these systems from would-be hackers.
It’s sad to say, but the Internet, once seen as a kind of innocent paradise, is going to become as full of trouble and strife as everything else. The invisible arms race continues as countries (and criminal syndicates and terror organizations) all over the world are rushing to militarize cyberspace.
Meanwhile, in the U.S., a debate that’s often presented as a binary choice between privacy and security will have to become more nuanced. Americans have a long and honorable tradition of resisting overly intrusive government. But when Iranians are hacking into local flood controls, the public is also going to demand a government that can protect them. Figuring out how to balance those two imperatives will be key to policymaking in the 21st century.
[Update: The title and excerpt of this post originally referred to the hack as a “breach” and have been changed to clarify the electronic nature of the event.]