Iranian hackers infiltrated computers of small dam in NY
WASHINGTON (Reuters) – Iranian hackers breached the control system of a dam near New York City in 2013, an infiltration that raised concerns about the security of the country’s infrastructure, the Wall Street Journal reported on Monday, citing former and current U.S. officials.
Two people familiar with the breach told the newspaper it occurred at the Bowman Avenue Dam in Rye, New York. The small structure about 20 miles from New York City is used for flood control.
The hackers gained access to the dam through a cellular modem, the Journal said, citing an unclassified Department of Homeland Security summary of the incident that did not specify the type of infrastructure.
The dam is a 20-foot-tall concrete slab across Blind Brook, about five miles from Long Island Sound.
“It’s very, very small,” Rye City Manager Marcus Serrano told the newspaper. He said FBI agents visited in 2013 to ask the city’s information-technology manager about a hacking incident.
The dam breach was difficult to pin down, and federal investigators at first thought the target was a much larger dam in Oregon, the Journal said.
The breach came as hackers linked to the Iranian government were attacking U.S. bank websites after American spies damaged an Iranian nuclear facility with the Stuxnet computer worm.
It illustrated concerns about many of the old computers controlling industrial systems, and the White House was notified of the infiltration, the Journal said.
The newspaper said the United States had more than 57,000 industrial control systems connected to the Internet, citing Shodan, a search engine that catalogs each machine.
Homeland Security spokesman S.Y. Lee would not confirm the breach to Reuters. He said the department’s 24-hour cybersecurity information-sharing hub and an emergency response team coordinate responses to threats to and vulnerabilities in critical infrastructure.
***
Cant Sleep, You are at Risk
In part from Wired: If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices.
The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Edward Snowden’s NSA leaks revealed the US government has its own national and international hacking to account for. And the Ponemon Institute says 110 million Americans saw their identities compromised in 2014. That’s one in two American adults.
The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
How Did We Get Here?
One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about.
Malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Network security seeks to protect those endpoints with firewalls, certificates, passwords, and the like, creating a secure perimeter to keep the whole system safe.
This wasn’t difficult in the early days of the Internet and online threats. But today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. As Ajay Arora, CEO of file security company Vera, notes, there is no perimeter anymore. It’s a dream of the past.
But the security paradigm remains focused on perimeter defense because, frankly, no one knows what else to do. To address threats, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats.
The CIA Triad
The information security community has a model to assess and respond to threats, at least as a starting point. It breaks information security into three essential components: confidentiality, integrity, and availability.
Confidentiality means protecting and keeping your secrets. Espionage and data theft are threats to confidentiality.
Availability means keeping your services running, and giving administrators access to key networks and controls. Denial of service and data deletion attacks threaten availability.
Integrity means assessing whether the software and critical data within your networks and systems are compromised with malicious or unauthorized code or bugs. Viruses and malware compromise the integrity of the systems they infect.
The Biggest Threat
Of these, integrity is the least understood and most nebulous. And what many people don’t realize is it’s the greatest threat to businesses and governments today.
Meanwhile, the cybersecurity industry remains overwhelmingly focused on confidentiality. Its mantra is “encrypt everything.” This is noble, and essential to good security. But without integrity protection, the keys that protect encrypted data are themselves vulnerable to malicious alteration. This is true even of authenticated encryption algorithms like AES-GCM.
In the bigger picture, as cybercrime evolves, it will become clear that loss of integrity is a bigger danger than loss of confidentiality. One merely has to compare different kinds of breaches to see the truth of this:
A confidentiality breach in your car means someone learns your driving habits. An integrity breach means they could take over your brakes. In a power grid, a confidentiality breach exposes system operating information. An integrity breach would compromise critical systems, risking failure or shutdown. And a confidentiality breach in the military would mean hackers could obtain data about sensitive systems. If they made an integrity beach, they could gain control over these weapons systems. Full details and actions you can take to protect yourself, go here.
