In further cyber espionage news, it has been revealed that the US Army Corps of Engineers’ National Inventory of Dams (NID) database has been the victim of a recent cyber espionage incident. The database holds sensitive information detailing the structure and vulnerabilities of more than eight thousand dams across the US. Attackers may have accessed the data to acquire privileged intellectual property regarding the dams’ construction and operation, but are more likely to have been conducting reconnaissance of vulnerabilities.
While no official suspect has been identified, unnamed US intelligence officials have indicated that the attack is again believed to have originated from China. Breaches of this nature are a concern, as they raise the potential for future cyber attacks against such installations. The destructive manipulation of machinery by cyber means was demonstrated in the 2010 Stuxnet malware attacks against Iranian nuclear processing facilities at Natanz. US officials have in the past identified hydroelectric plants as vulnerable to similar attacks, citing the instance of the 2009 accident at a Russian hydroelectric plant at Sayano–Shushenskaya (on that occasion a failure in automatic control systems caused by a fire resulted in a turbine explosion and extensive flooding, killing 75 people).
In a further incident demonstrating the potential vulnerability of physical installations to cyber attack, researchers in the US have demonstrated security failings in commonly used building management systems. These systems are used to manage and monitor a building’s mechanical and electrical components, including air-conditioning, plumbing and fire systems. In the test, the researchers were able to gain access to the system controlling Google’s office in Sydney, Australia.
The vulnerability was identified through the search engine Shodan, which claims to identify infrastructure systems and devices across the world that are connected to the internet. Many of these have been found to have vulnerabilities, largely stemming either from poor security procedures, including the use of default passwords and usernames, or from vulnerabilities within the operating software of the device.
While large-scale cyber attacks against infrastructure are still very rare, sufficient incidents have been recorded to indicate the very real nature of the threat. Of note for companies is the case of an Australian jailed in 2001 after he was found to have hacked into a local sewerage management system and leaked millions of litres into the environment: the man in question was a disgruntled ex-employee. This remains perhaps the most concerning threat scenario.