U.S. intelligence agencies determined that Iranian hackers compromised the control system of the Bowman Avenue Dam, a small dam located less than 20 miles from New York City in 2013, the Wall Street Journal reports.
The breach was discovered when the intelligence agencies were monitoring computers they believed were linked to Iranian hackers targeting American companies such as Capital One, PNC Financial and SunTrust Bank.
In doing so, they noticed that one of the computers was searching the Internet for vulnerable U.S. industrial control systems.
Marcus Serrano, manager of the nearby city of Rye, New York, told the Journal that several FBI agents came to the city offices in 2013 and asked to speak to the city's IT manager regarding a hacking incident at the dam.
The hackers are believed to have breached the dam's control system via a cellular modem. They probed the system, but didn't take control of it, according to the Journal.
The Journal reports that the U.S. has over 57,000 industrial control systems connected to the Internet, more than any other country.
In late 2014, hackers gained access to a German iron plant and caused "massive damage to the whole system," Germany's Federal Office for Information Security (BSI) reported at the time.
Tripwire CTO Dwayne Melancon CTO told eSecurity Planet by email that there are several lessons to be learned from the breach. "When it comes to critical systems -- and particularly, critical infrastructure -- it pays to make attackers' lives more difficult," he said. "For example, implementing multi-factor authentication to prevent access using only a password is crucial."
"Additionally, organizations should segment their networks to limit the amount of sensitive information that can be accessed by a single account," Melancon said. "In particular, accounts with 'super powers' (such as creating new users, changing access permissions, or performing potentially harmful operations) should not only be tightly controlled, they should be aggressively monitored to look for unusual activity."
"In older systems, the amount of rigor possible might be limited due to the lack of security functionality in old applications," Melancon added. "In that case, organizations can often reduce risk by moving systems into a network segment that can only be accessed by a VPN, and multi-factor authentication can be added at the VPN."
Eric Lundbohm, chief marketing officer at iSheriff, said it's important to keep in mind that industrial control system breaches like these are potentially much more serious than any data breach. "While we certainly need to protect against all breaches, the downside of a major attack on our flood control system could inflict physical harm on people located in the flood path," he said. "It should be noted that there are similar risks for our water, electrical, traffic control and aviation systems."
"Much of the news and discussion has been about data stolen or compromised in an attack," Lundbohm added. "This type of breach is a more serious type of attack designed to do damage to our infrastructure. The level of security surrounding these systems must be reviewed and hardened as the potential cost of a breach is far higher."