| Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
The incident at the Bowman Avenue Dam near Rye Brook, New York, where Iranian hackers breached the dam's control system in 2013, was not a sophisticated intrusion but a test by the hackers to see what they could access. The dam is managed by a piece of software described as "industry standard" and "very common" [57274].
(b) The software failure incident having happened again at multiple_organization:
The news article mentions that the incident at the Bowman Avenue Dam illustrates a long-standing fear among cyber experts that overseas hackers can easily breach critical infrastructure running on outdated software connected to the Internet. This fear extends to the susceptibility of the U.S. electrical grid and industrial control systems to attacks by terrorists or other nations. The article highlights that hackers can exploit vulnerabilities in generic software used across different entities, which may not be kept up to date, and users often keep default passwords and settings in place for convenience. This indicates a broader issue affecting multiple organizations and critical infrastructure systems [57274]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article as the breach of the Bowman Avenue Dam near Rye Brook, New York, occurred due to vulnerabilities in the dam's control system software. The hackers managed to gain control of the flood gates, indicating that the system design had weaknesses that allowed unauthorized access [57274].
(b) The software failure incident related to the operation phase is highlighted by the fact that the attackers were able to take control of the flood gates of the dam. This control was possible due to the vulnerabilities in the operation of the dam's software, which allowed the hackers to manipulate the water flow by accessing the flood gates [57274]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident involving the breach of the dam outside of New York in 2013 was primarily due to contributing factors that originated from within the system. The breach allowed Iranian hackers to gain control of the flood gates of the Bowman Avenue Dam near Rye Brook, New York. The hackers were able to access the dam's control system, which was described as "industry standard" and "very common" software used to manage the dam's operations [57274].
(b) outside_system: The software failure incident was also influenced by contributing factors that originated from outside the system. Iranian hackers targeted the U.S. financial institutions during the same time frame as the breach of the dam, indicating external threats to the system's security. Additionally, the news highlighted the fear among cyber experts that overseas hackers can easily exploit vulnerabilities in critical infrastructure connected to the Internet, emphasizing the external risks posed by hackers scanning for vulnerable networks [57274]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article was primarily due to non-human actions, specifically a cyberattack by Iranian hackers who breached a dam outside of New York in 2013. The hackers managed to gain control of the flood gates of the Bowman Avenue Dam near Rye Brook, New York, by exploiting vulnerabilities in the software managing the dam [57274].
(b) Human actions also played a role in the software failure incident as the dam's software was described as "industry standard" and "very common" by Rye Brook Mayor Paul Rosenberg. Additionally, the incident highlighted concerns about the lack of updating software, keeping default passwords, and the overall vulnerability of critical infrastructure due to human decisions and actions [57274]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the articles is not attributed to hardware issues. The breach of the dam's control system by Iranian hackers was due to vulnerabilities in the software and not hardware-related factors. The hackers managed to gain control of the flood gates through the software system managing the dam, which was described as "industry standard" and "very common" software [57274].
(b) The software failure incident is directly linked to software vulnerabilities. The breach of the dam's control system by Iranian hackers was a result of exploiting weaknesses in the software used to manage the dam. The incident highlighted concerns about the susceptibility of critical infrastructure to cyberattacks due to outdated software, common weaknesses in generic software, and the presence of default passwords and settings [57274]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident related to the breach of the Bowman Avenue Dam near Rye Brook, New York, in 2013 was malicious in nature. Iranian hackers breached the dam's system, managing to get control of the flood gates as part of a cyberattack. The attack was described as a test by Iranian hackers to see what they could access, and it occurred during the same time frame that Iranian hackers were targeting U.S. financial institutions [57274]. The incident was not a sophisticated intrusion but was carried out by hackers looking for vulnerabilities to exploit.
(b) The incident highlighted the vulnerability of critical infrastructure systems, such as the dam's management software, to cyberattacks. The software used to manage the dam was described as "industry standard" and "very common," indicating that the breach was not due to a specific flaw in the software but rather a result of generic software weaknesses that hackers could exploit. Additionally, the incident underscored the broader concern that outdated critical infrastructure running on retro-fitted software connected to the Internet is susceptible to cyber threats, highlighting the non-malicious aspect of the failure [57274]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The intent of the software failure incident related to poor decisions:
- The breach of the Bowman Avenue Dam near Rye Brook, New York, by Iranian hackers in 2013 was not a sophisticated intrusion but rather a test by the hackers to see what they could access [57274].
- The incident highlighted the fear that overseas hackers can easily exploit vulnerabilities in old critical infrastructure running on outdated software connected to the Internet, indicating poor decisions in maintaining and securing critical infrastructure [57274].
(b) The intent of the software failure incident related to accidental decisions:
- The breach of the dam by Iranian hackers was described as a test to see what they could access, suggesting that the intrusion may have been more exploratory or opportunistic rather than a deliberate targeted attack [57274].
- The incident also raised concerns about the susceptibility of U.S. critical infrastructure to cyberattacks due to generic software vulnerabilities and outdated systems, indicating accidental decisions in maintaining cybersecurity measures [57274]. |
| Capability (Incompetence/Accidental) |
accidental |
(a) The software failure incident in the article was not due to development incompetence. The breach of the dam's software system by Iranian hackers was described as not a sophisticated intrusion but rather a test by the hackers to see what they could access. The software managing the dam was mentioned as "industry standard" and "very common" [57274].
(b) The software failure incident in the article was accidental. The breach of the dam's software system by Iranian hackers was not a deliberate act of incompetence but rather an opportunistic attack to test vulnerabilities. The incident was described as not a sophisticated intrusion, and the hackers were looking for any opportunity they could find to cause damage [57274]. |
| Duration |
permanent |
(a) The software failure incident in the article is more permanent in nature. The breach of the dam's software system by Iranian hackers in 2013 allowed them to take control of the flood gates, indicating a significant and lasting impact on the system [57274]. Additionally, the concerns raised by officials and experts about the vulnerability of critical infrastructure to cyberattacks suggest a long-term risk and potential for ongoing software failures in similar systems. |
| Behaviour |
other |
(a) crash: The software failure incident in the article did not involve a crash where the system lost state and did not perform any of its intended functions. The breach of the dam's software system by Iranian hackers did not result in the system completely failing to operate [57274].
(b) omission: The incident did not involve the system omitting to perform its intended functions at one or more instances. The hackers were able to take control of the flood gates of the dam, indicating that the system was still functioning to some extent, albeit under unauthorized control [57274].
(c) timing: The failure was not related to the system performing its intended functions correctly but too late or too early. The breach by Iranian hackers into the dam's software system was a deliberate intrusion to test what they could access, rather than a timing issue [57274].
(d) value: The software failure incident did not involve the system performing its intended functions incorrectly. The hackers were able to take control of the flood gates, indicating that the system was functioning as intended but under unauthorized control [57274].
(e) byzantine: The incident did not exhibit byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions. The breach by Iranian hackers into the dam's software system was a deliberate attempt to gain control, rather than exhibiting inconsistent behavior [57274].
(f) other: The software failure incident in the article involved unauthorized access and control of the dam's flood gates by Iranian hackers. This behavior could be categorized as a security breach or cyberattack, where the system's integrity was compromised by external actors [57274]. |