Making good on the rumors to attribute the incident as a state-sponsored attack, the Department of Justice has indicted an Iranian national for hacking the Bowman Dam in New York.
The Bowman Avenue Dam is about 30 miles north of New York City in suburban Rye Brook, N.Y., and its chief job is flood control. A grand jury in the Southern District of New York has charged Hamid Firoozi, 34, with obtaining unauthorized access into the SCADA systems of the dam. Firoozi was working on behalf of the Iranian government as an employee of an Iran-based computer company.
He was allegedly able to penetrate its back office systems using off-the-shelf tools in an unsophisticated offensive. Between Aug. 28 and Sept. 18, 2013, Firoozi allegedly repeatedly obtained unauthorized access to the SCADA infrastructure, which allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates.
According to the indictment, although his access would normally have permitted Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion.
Remediation for the Bowman Dam intrusion cost over $30,000. Firoozi faces 15 years in prison if convicted.
Barak Perelman, CEO of Indegy, told Infosecurity that industrial network security poses unique challenges because these systems were implemented before the cyber-threat existed.
“The main protection measure used was the ‘air gap,’ which separated between the industrial network and external-facing corporate network,” he said. “The problem is, an air gap is no longer a functional or operationally feasible option, which has exposed control systems to the external threats. Yet they remain without the necessary defenses needed to protect them.”
The single biggest challenge in securing operational networks is visibility, he added: “Primarily because they use completely different technologies than those found in IT networks, which are manufactured by specialist vendors like Siemens, Schneider Electric, Honeywell, GE, etc. They also use different communication protocols than IT products.”
Traditional network monitoring solutions only support standard protocols and therefore are limited to monitoring physical measurements and looking for anomalies. “They cannot capture changes made to the controllers, called PLCs, that manage the operating equipment used in water treatment, energy production and distribution, and manufacturing processes,” he said. “This represents a huge blind spot for facility operators, and often prevents them from detecting malicious or unintended activity before physical changes occur.”
A similar attack was dissected in the recent Verizon Data Breach Digest Report [PDF], whereby attackers breached the control systems of a water district and were able to manipulate valve and duct movements which manage the amount of chemicals used to treat the water in order to make it drinkable.
“The charges announced today respond directly to a cyber-assault on New York, its institutions and its infrastructure,” said US Attorney Preet Bharara of the Southern District of New York. “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime. These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people.”
The decision is part of a larger indictment of seven individuals (including Firoozi), who face computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks. The seven were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), working for the Iranian government, including the Islamic Revolutionary Guard Corps.
Firoozi, Ahmad Fathi, 37; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, allegedly launched DDoS attacks against 46 victims, primarily in the US financial sector, between late 2011 and mid-2013. The attacks were launched from botnets that they built, and they were able to disable victim bank websites, prevent customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs.
The DDoS campaign began in approximately December 2011, and the attacks occurred only sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, between Tuesdays and Thursdays during normal business hours in the United States. On certain days during the campaign, victim computer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of customers were cut off from online access to their bank accounts.
For the purpose of carrying out the attacks, each group built and maintained their own botnets, which consisted of thousands of compromised computer systems owned by unwitting third parties that had been infected with the defendants’ malware, and subject to their remote command and control.
Firoozi was the network manager at ITSEC and, in that role, procured and managed computer servers that were used to coordinate and direct ITSEC’s portion of the DDoS campaign.
“Like past nation state-sponsored hackers, these defendants and their backers believed that they could attack our critical infrastructure without consequence, from behind a veil of cyber anonymity,” said Assistant Attorney General for National Security John P. Carlin. “This indictment once again shows there is no such veil—we can and will expose malicious cyber hackers engaging in unlawful acts that threaten our public safety and national security.”
The defendants each face a maximum sentence of 10 years in prison for conspiracy to commit and aid and abet computer hacking, with Firoozi facing an additional five for the dam incursion.
Photo © Stanislav Sokolov