An OT Security Breach on the Bowman Dam

Introduction

The Bowman Avenue Dam, located in Rye Brook, New York, is a critical piece of infrastructure, managing local water flow and providing flood control. Though relatively minor compared to other pieces of U.S. infrastructure, the Bowman Dam was targeted in a cyberattack in 2013 that exposed significant vulnerabilities in the nation’s critical infrastructure, particularly in Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are integral for monitoring and controlling industrial processes like water treatment, electricity generation, and dam management. The Bowman Dam cyberattack was one of the first clear demonstrations of the potential risks posed by cyberattacks on critical infrastructure.

Understanding the Threat Landscape

While the attackers' precise motivations remain unclear, experts believed that the 2013 cyberattack on the Bowman Dam was most likely the work of state-sponsored hackers. The attack was believed to have served as a precursor, probing infrastructure vulnerabilities and setting the stage for larger-scale cyber operations in the future.

How the Attack Unfolded

The attackers exploited a cellular modem connection to remotely access the dam's SCADA system. This allowed them to retrieve critical operational data like water levels and sluice gate status but did not involve any manipulation of the dam's physical operations.

Methodology


  1. Reconnaissance (Google Dorking): The attackers used Google Dorking to locate the exposed SCADA system, specifically targeting publicly accessible control systems or data.
  2. Exploitation (Unauthorized Access): Once the system was located, the attackers exploited the exposed connection to gain access. The system lacked proper firewalls and authentication, making it vulnerable.
  3. Data Collection: After gaining access, the attackers collected data on water levels, temperature, and the status of the sluice gate. They analyzed the system’s vulnerabilities without altering operations.
  4. Duration of Attack: The attack lasted from August 28th to September 18th, 2013, during which the sluice gate was manually disconnected for maintenance. As a result, the attackers could not manipulate it.
  5. Cyber Kill Chain Classification: The attack primarily involved the reconnaissance phase of the Cyber Kill Chain, where the attackers gathered intelligence rather than executing a direct attack on system operations.
  6. No Immediate Harm: The attackers were unable to cause any direct harm, as the sluice gate was under manual control during their intrusion, and the system was only storing water level data.

The Aftermath

In October 2016, the breach was publicly reported by the FBI and the U.S. Department of Homeland Security (DHS). This disclosure brought national attention to the vulnerabilities in critical infrastructure systems, especially SCADA systems, underscoring the need for enhanced cybersecurity in industrial control systems.

Impact

If the sluice gate had been operational during the attack, the attackers could have manipulated the water flow, potentially causing catastrophic damage. This could have led to flooding in the surrounding area, threatening local infrastructure, property, and lives. Additionally, it could have caused structural damage to the dam itself or to downstream facilities, disrupting essential services like water supply and flood control.

Where the Security Failed

  1. Inadequate Security Measures: The Bowman Dam's Internet connection via a cellular modem lacked proper security, with no firewalls or authentication protocols, making it vulnerable to remote attacks. Additionally, the SCADA system was not isolated from the Internet.
  2. Lack of Cybersecurity Monitoring: The attack underscored the need for continuous monitoring and cybersecurity assessments of industrial control systems. Given the growing threat landscape, regular assessments were essential to preventing similar attacks in the future.


Key Takeaways

This cyberattack highlighted the need for improvements across people, processes, and technology to better safeguard critical infrastructure. The following lessons outline these key areas for enhancement.


People

  • Cybersecurity Training: Personnel must be trained to identify vulnerabilities and understand the risks of remote access to SCADA systems. Regular training will help staff recognize potential security threats and respond swiftly to mitigate them.

Process

  • Regular Security Audits: Periodic security audits and vulnerability assessments are essential to identify weaknesses in access controls, firewalls, and overall system security. Proactive audits can prevent unauthorized access and mitigate security risks.
  • Incident Response Planning: A clear incident response plan ensures that any suspicious activity or breach is quickly detected and addressed. Having defined protocols in place will improve response times, even when the attack involves data gathering rather than system disruption.

Technology

  • Network Segmentation: Critical systems like SCADA should be isolated from the public internet using network segmentation. This would prevent direct access to the system from external sources.
  • Firewall and Authentication Controls: Implementing firewalls and strong authentication mechanisms is vital for protecting remote access. This would have blocked the hackers' unauthorized entry into the system.
  • Secure Remote Access: Remote access policies should be implemented with technologies like Virtual Private Networks (VPNs) and Multi-Factor Authentication (MFA) to ensure secure connections. Continuous monitoring should also be in place to manage and restrict access to authorized personnel, safeguarding sensitive data such as water levels and sluice gate status against unauthorized access and data exfiltration.
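The following is an added example, not code from the original article or from the dam's operator. It shows, in working form, the two controls called for in "Where the Security Failed" and in the Technology takeaways above: a default-deny access policy for the SCADA/HMI segment (only allowlisted operators, coming through the VPN client pool, who completed MFA) and a monitoring pass over session records that flags every connection breaking that policy, so that weeks of quiet data collection from an Internet-side source would surface in a routine review. The VPN pool 10.50.0.0/24, the operator allowlist, the tag names, the key=value log format and the sample sessions (using the documentation address 203.0.113.45) are all constructed assumptions.

```python
"""Added example (not from the original article): a default-deny remote-access
policy for a SCADA/HMI segment plus a log review that flags violating sessions.

Everything below is assumed/constructed for illustration:
- VPN client pool 10.50.0.0/24 and the operator allowlist are hypothetical.
- The 'key=value ...' session log format is constructed; real HMI/VPN logs differ.
- The sample sessions use the documentation address 203.0.113.45.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

VPN_CLIENT_POOL = ipaddress.ip_network("10.50.0.0/24")      # assumed VPN pool
AUTHORIZED_OPERATORS = {"operator1", "operator2"}            # assumed allowlist
SENSITIVE_TAGS = {"sluice_gate_status", "sluice_gate_cmd"}   # assumed tag names


@dataclass
class Session:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    user: str
    mfa: bool
    tags: list[str]


def parse_line(line: str) -> Session:
    """Parse one constructed 'key=value ...' session record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    tags = fields.get("tags", "")
    return Session(
        ts=datetime.fromisoformat(fields["ts"]),
        src=ipaddress.ip_address(fields["src"]),
        user=fields["user"],
        mfa=fields["mfa"] == "yes",
        tags=tags.split(",") if tags else [],
    )


def policy_allows(session: Session) -> bool:
    """Default-deny: only MFA-authenticated, allowlisted operators on the VPN pool."""
    return (session.src in VPN_CLIENT_POOL
            and session.mfa
            and session.user in AUTHORIZED_OPERATORS)


def findings_for(session: Session) -> list[str]:
    """List every way a session breaks policy (empty list means compliant)."""
    findings = []
    if session.src not in VPN_CLIENT_POOL:
        findings.append("source outside VPN client pool")
    if not session.mfa:
        findings.append("MFA not completed")
    if session.user not in AUTHORIZED_OPERATORS:
        findings.append("user not on operator allowlist")
    # Reading gate-related tags from a non-compliant session is worth its own flag.
    if findings and SENSITIVE_TAGS & set(session.tags):
        findings.append("sensitive gate tags read by non-compliant session")
    return findings


def review(log_text: str) -> list[dict]:
    """Return one report entry per non-compliant session, in log order."""
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session = parse_line(line)
        findings = findings_for(session)
        if findings:
            report.append({"ts": session.ts.isoformat(), "src": str(session.src),
                           "user": session.user, "findings": findings})
    return report


def repeat_sources(report: list[dict]) -> dict[str, int]:
    """Count flagged sessions per source address; persistent probing stands out."""
    return dict(Counter(entry["src"] for entry in report))


# Constructed sample log: two unauthenticated Internet-side sessions bracketing
# one legitimate operator session over the VPN.
SAMPLE_LOG = """\
ts=2013-08-28T02:14:07 src=203.0.113.45 user=guest mfa=no tags=water_level,sluice_gate_status
ts=2013-08-28T08:01:33 src=10.50.0.17 user=operator1 mfa=yes tags=water_level
ts=2013-09-02T23:40:12 src=203.0.113.45 user=guest mfa=no tags=water_level,temperature
"""

if __name__ == "__main__":
    flagged = review(SAMPLE_LOG)
    for entry in flagged:
        print(entry)
    print("flagged sessions per source:", repeat_sources(flagged))
```

Run as a script, it prints the two guest sessions from 203.0.113.45 with their findings and a per-source count of 2; the operator session over the VPN produces no entry. `policy_allows` is the enforcement side (what a VPN concentrator or firewall in front of the HMI should decide), while `review` and `repeat_sources` are the monitoring side that the article says was missing; in practice the same allowlist and pool definition should feed both so that policy and alerting never drift apart.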

Conclusion

The 2013 Bowman Dam SCADA attack illustrated the critical vulnerabilities in industrial control systems, particularly when they are exposed to the internet. While the attack did not cause immediate damage, it highlighted the need for robust cybersecurity measures to protect critical infrastructure. Moving forward, a proactive, adaptive security strategy is essential to safeguard vital systems against evolving cyber threats and ensure their resilience.

This case study is one of many that outline the risks and vulnerabilities inherent in the security of any critical infrastructure system. We need to take these examples, learn from the mistakes, whether intentional or unintentional, and implement better strategies to improve the security posture of critical infrastructure and OT environments. Critical infrastructure security is a real concern; as we've seen, even a small dam can unleash a flood of trouble tomorrow!



Kunal S.

Cybersecurity Leader | OT Security | Industrial Security | Shell | Deloitte | MBA - ISB

1 month ago
