Cyber War Comes to the Suburbs

Federal investigators charged an Iranian hacker with breaking into the control system of the Bowman Avenue Dam, in Rye, N.Y. The mystery is what he was after.

Photograph by Seth Wenig / AP

The Bowman Avenue Dam, in Rye, New York, would seem an unlikely candidate for a new front in the cyber wars. Twenty-two feet tall, a hundred and twenty-two feet long, and sitting in the woods just up the street from Port Chester Middle School, the dam spans Blind Brook, a minor waterway that runs south through the city and empties into Long Island Sound. Built in the early nineteen-hundreds, the dam was updated most recently in June of 2013, when local officials gathered to commemorate the addition of a two-million-dollar sluice gate, which would help manage flooding in the nearby neighborhood of Indian Village. Speeches were given, and novelty scissors were wielded to cut through red, white, and blue ribbon.

Then, late last week, top officials at the Justice Department held a press conference to announce that they were filing criminal charges against a group of seven veteran Iranian hackers, including one who was rooting around in the dam’s operating system. The hackers allegedly worked for private companies with ties to the Iranian government and intelligence world, and they were accused of conducting a “coordinated campaign of cyber attacks” against targets in the United States. “These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people,” U.S. Attorney Preet Bharara, of the Southern District of New York, said. Among the hackers’ alleged targets were major banks, the Nasdaq, and the New York Stock Exchange.

What exactly the Iranians wanted with the dam remains unclear, at least publicly. The story told in the federal indictment is straightforward, if silent on possible motives. Evidently a single hacker, Hamid Firoozi, was responsible for the intrusion. Several times between August 28th and September 18th of 2013, Firoozi allegedly obtained “unauthorized remote access” to the computer, housed in a basement room in Rye’s city hall, that controlled the dam’s “supervisory control and data acquisition” system. That access allowed Firoozi to see information about water levels, water temperature, and the status of the recently installed gate, designed to control water levels and flow rates. What Firoozi didn’t know, the government says, is that the gate didn’t work.

Concerns about the dam hack apparently went all the way up to the White House. Was the hacker trying to gain control of the Bowman Avenue Dam? Did he arrive there by accident, perhaps while hunting for a more impressive Bowman dam, such as the two-hundred-and-forty-foot-tall Arthur R. Bowman Dam, in Oregon? Over the weekend, the Wall Street Journal reported that Firoozi had “stumbled” onto the dam in Rye while using a publicly available search process called “Google dorking.” According to sources who spoke with the Journal, Firoozi had been using the technique for months, applying specific search parameters to “scour websites connected to U.S. infrastructure sites for vulnerable hardware systems.”

Paulo Shakarian, a cyber-security fellow at New America and the co-author of “Introduction to Cyber-Warfare: A Multidisciplinary Approach,” told me that the strategy made sense. Computer systems that control physical mechanisms run specialized software and are connected to specialized hardware. These devices are made by only a few manufacturers, Shakarian said, which means that they’re easier for hackers to locate, and that exposed systems stand out more readily. A tool like Google dorking can simplify the process further. “You can do searches through the Internet to find signatures of these industrial control systems,” Shakarian said. The real work for a modern-day hacker lies in the preliminary research; once that’s done, the hacker writes a program and lets it run automatically for a period of time before checking the results. “It’s not like in old hacker movies, where you see the hacker up all night trying to get into a computer,” Shakarian said.

That the hacker was able to access the dam’s computer suggests that he knew what he was looking for. Once a hacker finds a target, Shakarian said, he must successfully communicate with it. “You can try talking to it like it’s an Internet server, you can try talking to it like an e-mail server, or you can try talking to it like it’s a computer at a nuclear power plant.” Understanding the computer’s response becomes critical to understanding what the computer does. That’s where the preliminary research again becomes important.

“Why Rye?” Shakarian asked. “Here’s the likely answer: that was what was available.” But still the question remained: what did the hacker want? Shakarian offered a few theories. “If I want to understand better about how to mess up an industrial control system in a cyber-war scenario, what better way than to look for something that’s exposed, that I can easily gain access to,” he said. “Or it just might be a guy that wants to screw around with this for a random reason.” The bigger threat, Shakarian said, comes once a hacker finds him or herself inside a system and starts to figure out its inner workings. “I get a feel for the response,” he said. “I could then write malware that automates that. And, if I could get that malware on industrial control systems for thousands of floodgates throughout the U.S., now I have something that’s like a ticking time bomb or a precision weapon that I could launch at will.”

But no amount of preliminary research can fully prepare a foreign cyber attacker for the workings of American small-city governance. The federal indictment notes that the hacker wasn’t able to actually control the Bowman Avenue Dam’s new sluice gate because the gate was manually disconnected at the time, for maintenance reasons. In fact, the gate was never fully operational. “There are still kinks, some monitoring issues,” a local official told the Westmore News at the time of the ribbon-cutting ceremony. But Marcus Serrano, the current city manager of Rye, told me that the software necessary to control the gate remotely hadn’t yet been installed when the ceremony was held, in 2013, and it still hasn’t. The system is supposed to automatically monitor the water upstream and downstream, but “we’re nowhere near that,” Serrano said. “We need to hire a hydraulic engineer to determine where the sensors should be located, and then do the calculations and figure out, if a rainstorm is expected, should the gates open or close.”

Like other local officials, Serrano has his own theories about the hack. “I think they were fishing,” he said. “They went in a couple times, looked around, and then they left and never came back. I guess they realized we’re not significant enough to hack into anymore.”