BreachExchange mailing list archives
US Army loses dam database
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 1 May 2013 14:32:17 -0400
http://freebeacon.com/the-cyber-dam-breaks/

BY: Bill Gertz
May 1, 2013 5:00 am

U.S. intelligence agencies traced a recent cyber intrusion into a sensitive infrastructure database to the Chinese government or military cyber warriors, according to U.S. officials.

The compromise of the U.S. Army Corps of Engineers' National Inventory of Dams (NID) is raising new concerns that China is preparing to conduct a future cyber attack against the national electrical power grid, including the growing percentage of electricity produced by hydroelectric dams.

According to officials familiar with intelligence reports, the Corps of Engineers' National Inventory of Dams was hacked by an unauthorized user believed to be from China, beginning in January and uncovered earlier this month.

The database contains sensitive information on vulnerabilities of every major dam in the United States. There are around 8,100 major dams across waterways in the United States.

Pete Pierce, a Corps of Engineers spokesman, confirmed the cyber incident but declined to provide details.

"The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined to not to have proper level of access for the information," Pierce said in a statement.

"[U.S. Army Corps of Engineers] immediately revoked this user's access to the database upon learning that the individual was not, in fact, authorized full access to the NID," he said.

The Corps is continuing to bolster and review security protocols governing access to the database, he added.

The Corps' dam database portal recently added a statement that said "usernames and passwords have changed to be compliant with recent security policy changes."

The changes were initiated after the hacking incident.

The database categorizes U.S. dams by the number of people that would be killed if a dam fails. They include "significant" and "high" hazard levels.

Michelle Van Cleave, the former National Counterintelligence Executive, a senior counterintelligence policymaker, said the database compromise highlights the danger posed by hackers who are targeting critical U.S. infrastructure for future attacks.

"In the wrong hands, the Army Corps of Engineers' database could be a cyber attack roadmap for a hostile state or terrorist group to disrupt power grids or target dams in this country," Van Cleave said in an email. "You may ask yourself, why would anyone want to do that? You could ask the same question about why anyone would plant IEDs at the Boston Marathon."

Van Cleave said the intrusion appears to be part of an effort to collect "vulnerability and targeting data" for future cyber or military attacks.

"Alarm bells should be going off because we have next to no national security emergency preparedness planning in place to deal with contingencies like that," she said.

Gen. Keith Alexander, commander of the U.S. Cyber Command, warned in a 2011 speech that cyber attacks were escalating from causing disruptions to actual destructive strikes, including cyber attacks on hydroelectric dams.

Alexander provided what he said were indirect examples of two types of anticipated cyber attacks.

The first was a cyber strike that could produce a cascading power failure like the August 2003 electrical power outage in the Northeast United States caused by a tree falling on a high-voltage power line.

The second involved the catastrophic destruction of a water-driven electrical generator at Russia's Sayano-Shushenskaya dam, near the far eastern city of Cheremushki, in August 2009.

One of the dam's 10 650-megawatt hydro turbine generators, weighing more than 1,000 tons, was mistakenly started by a computer operator 500 miles away.
As a result, the generator began spinning, rose 50 feet in the air, and exploded, killing 75 people and destroying eight of the remaining nine turbines at the dam.

"That's our concern about what's coming in cyberspace -- a destructive element," said Alexander in the September 2011 speech on cyberwarfare. He is also the director of the National Security Agency, the electronic spying agency.

According to the Corps website, the dam inventory was created under a 1972 law and was updated in 1986 to require coordination between the Corps and the Federal Emergency Management Agency.

In 2002 and 2006 the law was updated further in recognition that dams are part of critical U.S. infrastructure and require protection.

Security analysts have said that critical infrastructure -- electrical power grids, financial networks, transportation controls, and industrial control systems -- are increasingly vulnerable to cyber attack because of computer networks used to run them.

The security lapse highlights the Obama administration's failure to upgrade cyber security and protect infrastructure despite a recent executive order seeking to improve security.

The dam database compromise also comes amid plans by the administration to expand hydroelectric power in the United States, which is considered a "green" renewable energy source, by 15 percent through upgrading dams.

The Energy Department said in a recent report that upgrading dams could produce 12 gigawatts of electricity without carbon emissions, Bloomberg reported recently.

Energy officials analyzed 54,391 dams out of more than 80,000 dams that lack hydroelectric generators. Currently, some 2,500 dams produce hydroelectric power.

Increasing hydroelectric power would "help diversify our energy mix, create jobs and reduce carbon pollution nationwide," Energy Secretary Steven Chu said in a statement.

President Barack Obama has set a goal of producing 80 percent of U.S. electrical power from so-called clean energy systems by 2035.
The Energy Department report said that adding generators to existing dams would be faster and less expensive than building new dams.

Hydropower made up six percent of total U.S. electricity produced in 2011. More than half of all hydroelectric power is produced in Washington, Oregon, and California.