When people think of Rye Brook, New York, an idyllic hamlet in Westchester Country sometimes known as Tree City USA, they don’t generally picture international intrigue. That’s best left to its more cosmopolitan neighbor, Manhattan, located about 30 miles to the south. In 2013, however, the modest Bowman Avenue Dam in Rye Brook was targeted by seven Iranian hackers on behalf of the country’s Revolutionary Guard Corps in a far-reaching cyberattack on U.S. infrastructure targets.
That’s the what and where of the attack; the why is a little harder to figure. Here is what’s on the record: In 2013, Iranian hackers broke into the dam’s command and control center, theoretically giving them remote access, in a minor but frightening-in-its-implications attack on national critical infrastructure.
The U.S. Justice Department unsealed an indictment in 2016 that spoke to the breadth of the plan. The indictment charged seven Iranian nationals with cyberattacks on 46 companies between 2011 and 2013. The hackers, members of the Islamic Revolutionary Guards Corps, mainly targeted financial institutions and companies like the New York Stock Exchange and AT&T, using barrages of incoming emails designed to slow or shut down some of their computers. As a result, many major banks were hampered and countless customers were unable to access their online accounts.
According to the indictment, Hamid Firoozi is the man who infiltrated the Bowman Avenue Dam, accessing its supervisory control and data acquisition (SCADA) system via a cellular modem that connected the dam to the internet. Through this intrusion, Firoozi was able to gain remote access to information on “the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which is responsible for controlling water levels and flow rates,” according to a Justice Department press release.
This could have been a major headache for local residents if not for a bit of serendipitous timing. During the cyberattack, the dam’s sluice gate had been manually taken offline for routine maintenance.
Still, the hackers were able to gain access, and the control system for this dam is likely similar to those used in other critical infrastructure sectors, ranging from power plants to oil refineries. This attack, even on so minor a target, was an example of the vulnerability of the U.S. infrastructure and a signal that foreign actors could operate critical systems remotely and potentially wreak havoc on the nation.
“The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime,” then-Manhattan U.S. Attorney Preet Bharara said in a statement. “We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.”
The Bowman Avenue Dam?
The Bowman Avenue Dam isn’t much to look at. With critical infrastructure increasingly under attack by criminal gangs and nation states alike, an attack on a major water and wastewater target could be extremely costly. The Hoover Dam on the Colorado River, for example, holds back Lake Mead, the largest reservoir in the U.S. when full, and is a major hydroelectric power generator. If a massive piece of national infrastructure like that were targeted, it could lead to property damage, injuries and loss of life.
The Bowman Avenue Dam is not one of those targets. Rye Brook is a village of just 9,500 residents and its dam’s flood gate is about 15 feet long and two and a half feet high — for reference, the Hoover Dam has four steel drum gates, each 100 feet long and 16 feet high. It’s primarily designed to keep the Blind Brook from flooding nearby homes and businesses. While an overflow could cause serious damage to the area, it would be far from a national incident.
“It’s ridiculous how little that dam is, how insignificant in the grand scheme of things,” said Paul Rosenberg, the village’s mayor in the New York Times. “We’re not talking about something vital to the infrastructure of the country.”
The Bowman Avenue Dam, which can be found in a scrappy thicket of brush and trees not far from Interstate 287, dates back to the early 1900s, when it was used to make ice for area residents. It collapsed in 1941 but was quickly rebuilt and has served the area ever since.
So the big question here is obvious: Why would a nation-state with significant resources bother going after a small, insignificant dam in suburban New York? There are several theories, none of which are settled.
It’s possible that hackers went after the Bowman Avenue Dam as a sort of practice run for a more impactful strike. If they could take down this minor government target, they might be able to learn what they need to know to set their sights on a more essential piece of critical infrastructure.
But the more compelling — and definitely more comical — theory is that this was a simple case of mistaken identity. The Bowman Avenue Dam in Purchase, New York, is 2,805 miles from the much more significant Arthur R. Bowman Dam in Prineville, Oregon. Aside from sharing the Bowman name, these two structures have very little in common.
The Arthur R. Bowman Dam, built in 1961 on the Crooked River, is 245 feet high, 800 feet long and holds 233,150 acre-feet of water. It’s possible the Iranians meant to target this dam as retaliation for the massive U.S.-Israeli Stuxnet cyberattack, which sidelined Iran’s nuclear centrifuges, but mistakenly hit Rye Brook instead.
The big picture
The main concern from the Bowman Avenue Dam attack had very little to do with the dam itself; it was more about what the attack meant for the world of cyber warfare. Cyberattacks on operational technology (OT) systems are much more complicated, and less prevalent, than attacks on information technology (IT). Lately, ransomware has been top of mind, with high-profile hits on everyone from Colonial Pipeline to global meat processor JBS. But most IT-based ransomware attacks are about encrypting files to extract money from the victim. They can certainly be damaging, and can even cause OT systems to be taken offline, as in the Colonial incident, but an OT attack on critical infrastructure could sow chaos and destabilize the nation. It’s the difference between criminal activity and terrorism.
A perfect example is the cyberattack on a water treatment plant in Oldsmar, Florida, earlier this year. An unknown hacker was able to access the computer controlling the chemicals used to treat drinking water for Oldsmar, home to around 15,000 people. This hacker was able to significantly raise the levels of sodium hydroxide, or lye, in the water. Luckily, the attack was detected and neutralized quickly, and little actual damage was done. A savvier actor, however, could have caused tremendous harm and loss of life.
“A real sophisticated attack on the OT systems is actually more difficult to orchestrate because the cyberattacks — for instance, ransomware attacks that are IT based — those are cyber criminals, and they’re really after your money,” said Albert Rooyakkers, CEO and CTO of Bedrock Automation. “They come from the IT environment. To do a sophisticated attack on an OT system, you have to have an understanding of the process. Like this attack in Florida, this operator or this person that was guilty of it, they understood what valve to tweak and what thing to do to the process to upset it. You see a lot of cyber vulnerabilities and cyberattacks, so many of them are IT-centric because so many of them are basically criminal actors.
“If it transitions, as a lot of people fear and concern for, from criminals to terrorists, where their intents are different, the damage will be far more severe because they’re not after the money, and they’re not going to get any money, either. If you create an OT attack or an OT event, virtually without exception, these processes, these infrastructures, whether it’s a chemical plant, water, wastewater treatment plant, you will damage infrastructure. You will damage the process. People could get hurt, and the damages and downtime and other things will be far in excess of what they typically get in a ransomware attack.”
For many years, the U.S. government has issued warnings about the country’s vulnerability to cyberattacks. Since assuming office, the Biden administration has urged private industry, which controls much of the national infrastructure, to harden its cyber defenses, and taken steps to strengthen the national cybersecurity posture.
This attack on Rye Brook, which occurred in 2013 but was not publicly reported until 2016, was one of the first of its kind on U.S. soil. While it did not inflict any real damage, it was a harbinger of the kind of cyber warfare nation-states will likely wage in the future and an indicator of just how vulnerable critical infrastructure is to a motivated opponent.