The Cyber-Dam Breaks

Sensitive Army database of U.S. dams compromised; Chinese hackers suspected

Hoover Dam / AP
May 1, 2013

U.S. intelligence agencies traced a recent cyber intrusion into a sensitive infrastructure database to the Chinese government or military cyber warriors, according to U.S. officials.

The compromise of the U.S. Army Corps of Engineers’ National Inventory of Dams (NID) is raising new concerns that China is preparing to conduct a future cyber attack against the national electrical power grid, including the growing percentage of electricity produced by hydroelectric dams.

According to officials familiar with intelligence reports, the Corps of Engineers’ National Inventory of Dams was hacked by an unauthorized user believed to be from China, beginning in January and uncovered earlier this month.

The database contains sensitive information on vulnerabilities of every major dam in the United States. There are around 8,100 major dams across waterways in the United States.

Pete Pierce, a Corps of Engineers spokesman, confirmed the cyber incident but declined to provide details.

"The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined to not to have proper level of access for the information," Pierce said in a statement.

"[U.S. Army Corps of Engineers] immediately revoked this user's access to the database upon learning that the individual was not, in fact, authorized full access to the NID," he said.

The Corps is continuing to bolster and review security protocols governing access to the database, he added.

The Corps’ dam database portal recently added a statement that said "usernames and passwords have changed to be compliant with recent security policy changes." The changes were initiated after the hacking incident.

The database categorizes U.S. dams by the number of people that would be killed if a dam fails. They include "significant" and "high" hazard levels.

Michelle Van Cleave, the former National Counterintelligence Executive, a senior counterintelligence policymaker, said the database compromise highlights the danger posed by hackers who are targeting critical U.S. infrastructure for future attacks.

"In the wrong hands, the Army Corps of Engineers’ database could be a cyber attack roadmap for a hostile state or terrorist group to disrupt power grids or target dams in this country," Van Cleave said in an email.

"You may ask yourself, why would anyone want to do that? You could ask the same question about why anyone would plant IEDs at the Boston Marathon."

Van Cleave said the intrusion appears to be part of an effort to collect "vulnerability and targeting data" for future cyber or military attacks.

"Alarm bells should be going off because we have next to no national security emergency preparedness planning in place to deal with contingencies like that," she said.

Gen. Keith Alexander, commander of the U.S. Cyber Command, warned in a 2011 speech that cyber attacks were escalating from causing disruptions to actual destructive strikes, including cyber attacks on hydroelectric dams.

Alexander provided what he said were indirect examples of two types of anticipated cyber attacks. The first was a cyber strike that could produce a cascading power failure like the August 2003 electrical power outage in the Northeast United States caused by a tree falling on a high-voltage power line

The second involved the catastrophic destruction of a water-driven electrical generator at Russia’s Sayano-Shushenskaya dam, near the far eastern city of Cheremushki, in August 2009. One of the dam’s 10 650-megawatt hydro turbine generators, weighing more than 1,000 tons, was mistakenly started by a computer operator 500 miles away.

As a result, the generator began spinning, rose 50 feet in the air, and exploded, killing 75 people and destroying eight of the remaining nine turbines at the dam.

"That’s our concern about what’s coming in cyberspace—a destructive element," said Alexander in the September 2011 speech on cyberwarfare. He is also the director of the National Security Agency, the electronic spying agency.

According to the Corps website, the dam inventory was created under a 1972 law and was updated in 1986 to require coordination between the Corps and the Federal Emergency Management Agency.

In 2002 and 2006 the law was updated further in recognition that dams are part of critical U.S. infrastructure and require protection.

Security analysts have said that critical infrastructure—electrical power grids, financial networks, transportation controls, and industrial control systems—are increasingly vulnerable to cyber attack because of computer networks used to run them.

The security lapse highlights the Obama administration’s failure to upgrade cyber security and protect infrastructure despite a recent executive order seeking to improve security.

The dam database compromise also comes amid plans by the administration to expand hydroelectric power in the Untied States, which is considered a "green" renewable energy source, by 15 percent through upgrading dams.

The Energy Department said in a recent report that upgrading dams could produce 12 gigawatts of electricity without carbon emissions, Bloomberg reported recently.

Energy officials analyzed 54,391 dams out of more than 80,000 dams that lack hydroelectric generators. Currently, some 2,500 dams produce hydroelectric power.

Increasing hydroelectric power would "help diversify our energy mix, create jobs and reduce carbon pollution nationwide," Energy Secretary Steven Chu said in a statement.

President Barack Obama has set a goal of producing 80 percent of U.S. electrical power from so-called clean energy systems by 2035.

The Energy Department report said that adding generators to existing dams would be faster and less expensive than building new dams.

Hydropower made up six percent of total U.S. electricity produced in 2011. More than half of all hydroelectric power is produced in Washington, Oregon, and California.