BreachExchange mailing list archives

US Army loses dam database


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 1 May 2013 14:32:17 -0400

http://freebeacon.com/the-cyber-dam-breaks/

BY: Bill Gertz
May 1, 2013 5:00 am

U.S. intelligence agencies traced a recent cyber intrusion into a sensitive
infrastructure database to the Chinese government or military cyber
warriors, according to U.S. officials.

The compromise of the U.S. Army Corps of Engineers' National Inventory of
Dams (NID) is raising new concerns that China is preparing to conduct a
future cyber attack against the national electrical power grid, including
the growing percentage of electricity produced by hydroelectric dams.

According to officials familiar with intelligence reports, the Corps of
Engineers' National Inventory of Dams was hacked by an unauthorized user
believed to be from China, beginning in January and uncovered earlier this
month.

The database contains sensitive information on vulnerabilities of every
major dam in the United States. There are around 8,100 major dams across
waterways in the United States.

Pete Pierce, a Corps of Engineers spokesman, confirmed the cyber incident
but declined to provide details.

"The U.S. Army Corps of Engineers is aware that access to the National
Inventory of Dams (NID), to include sensitive fields of information not
generally available to the public, was given to an unauthorized individual
in January 2013 who was subsequently determined to not to have proper level
of access for the information," Pierce said in a statement.

"[U.S. Army Corps of Engineers] immediately revoked this user's access to
the database upon learning that the individual was not, in fact, authorized
full access to the NID," he said.

The Corps is continuing to bolster and review security protocols governing
access to the database, he added.

The Corps' dam database portal recently added a statement that said
"usernames and passwords have changed to be compliant with recent security
policy changes." The changes were initiated after the hacking incident.

The database categorizes U.S. dams by the number of people that would be
killed if a dam fails. They include "significant" and "high" hazard levels.

Michelle Van Cleave, the former National Counterintelligence Executive, a
senior counterintelligence policymaker, said the database compromise
highlights the danger posed by hackers who are targeting critical U.S.
infrastructure for future attacks.

"In the wrong hands, the Army Corps of Engineers' database could be a cyber
attack roadmap for a hostile state or terrorist group to disrupt power grids
or target dams in this country," Van Cleave said in an email.

"You may ask yourself, why would anyone want to do that? You could ask the
same question about why anyone would plant IEDs at the Boston Marathon."

Van Cleave said the intrusion appears to be part of an effort to collect
"vulnerability and targeting data" for future cyber or military attacks.

"Alarm bells should be going off because we have next to no national
security emergency preparedness planning in place to deal with contingencies
like that," she said.

Gen. Keith Alexander, commander of the U.S. Cyber Command, warned in a 2011
speech that cyber attacks were escalating from causing disruptions to actual
destructive strikes, including cyber attacks on hydroelectric dams.

Alexander provided what he said were indirect examples of two types of
anticipated cyber attacks. The first was a cyber strike that could produce a
cascading power failure like the August 2003 electrical power outage in the
Northeast United States caused by a tree falling on a high-voltage power
line.

The second involved the catastrophic destruction of a water-driven
electrical generator at Russia's Sayano-Shushenskaya dam, near the far
eastern city of Cheremushki, in August 2009. One of the dam's 10
650-megawatt hydro turbine generators, weighing more than 1,000 tons, was
mistakenly started by a computer operator 500 miles away.

As a result, the generator began spinning, rose 50 feet in the air, and
exploded, killing 75 people and destroying eight of the remaining nine
turbines at the dam.

"That's our concern about what's coming in cyberspace -- a destructive
element," said Alexander in the September 2011 speech on cyberwarfare. He is
also the director of the National Security Agency, the electronic spying
agency.

According to the Corps website, the dam inventory was created under a 1972
law and was updated in 1986 to require coordination between the Corps and
the Federal Emergency Management Agency.

In 2002 and 2006 the law was updated further in recognition that dams are
part of critical U.S. infrastructure and require protection.

Security analysts have said that critical infrastructure -- electrical power
grids, financial networks, transportation controls, and industrial control
systems -- are increasingly vulnerable to cyber attack because of computer
networks used to run them.

The security lapse highlights the Obama administration's failure to upgrade
cyber security and protect infrastructure despite a recent executive order
seeking to improve security.

The dam database compromise also comes amid plans by the administration to
expand hydroelectric power in the United States, which is considered a
"green" renewable energy source, by 15 percent through upgrading dams.

The Energy Department said in a recent report that upgrading dams could
produce 12 gigawatts of electricity without carbon emissions, Bloomberg
reported recently.

Energy officials analyzed 54,391 dams out of more than 80,000 dams that lack
hydroelectric generators. Currently, some 2,500 dams produce hydroelectric
power.

Increasing hydroelectric power would "help diversify our energy mix, create
jobs and reduce carbon pollution nationwide," Energy Secretary Steven Chu
said in a statement.

President Barack Obama has set a goal of producing 80 percent of U.S.
electrical power from so-called clean energy systems by 2035.

The Energy Department report said that adding generators to existing dams
would be faster and less expensive than building new dams.

Hydropower made up six percent of total U.S. electricity produced in 2011.
More than half of all hydroelectric power is produced in Washington, Oregon,
and California.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/