• United States



by John P. Mello, Jr.

Army Corps database on dams compromised

May 01, 20134 mins
Critical InfrastructureData and Information SecurityData Center

Expert says breach aimed at collecting 'vulnerability and targeting data' for attacks, but another says simple engineering espionage more likely

Sensitive information about the more than 8,000 dams in the United States — including data on flaws in those structures — has been given to an unauthorized person.

The incident occurred in January, but did not come to light until Wednesday, when news of the breach was reported in The Washington Free Beacon.

The U.S. Army Corps of Engineers (USACE), which oversees the database, said in a statement that it is aware that access to the National Inventory of Dams (NID), including sensitive information not generally available to the public, was given to an unauthorized individual in January 2013.

The individual was subsequently determined to not to have the proper level of access for the information, the Corps said, and their access to the database was revoked.

However, most information contained in the database is publicly accessible, the Corps added.

Citing officials familiar with the intelligence reports on the incident, The Beacon reported that the unauthorized user is believed to be from China.

It said that the database includes vulnerability information on every major dam in the United States. It’s estimated that there are some 8,100 major dams in the nation.

The database also ranks dams by how many people would be killed if the dam fails.

Although the Corps has revoked the credentials of its unauthorized intruder, it’s likely that its system is still infected, said Ira Victor, a digital forensics analyst with Data Clone Labs.

“They make these breaches sound like a smash and grab,” Victor told CSO. “That notion is as outdated as a 486 PC.”

The days of protecting data behind perimeter defenses that act like the wall of a castle are over, he said. “The reality is that in many of these cases the attackers are in the network persistently.”

[Also see: Vulnerable terminal servers represent bigger security problem]

The Corps may also be surprised if it thinks revoking an intruder’s credentials is going to flush the problem from their systems, he added. “If an attacker gets into the network as far as this one seems to have gotten, they typically steal the entire credentials database,” Victor said.

The Corps seems to be aware of that risk and reportedly has changed all user names and passwords on the system.

In the Beacon report, a former advisor to the Executive Agent for Homeland Security, Michelle Van Cleave, said the breach was part of an effort to collect “vulnerability and targeting data” for future cyber or military attacks.

“In the wrong hands,” she told The Beacon, “the Army Corps of Engineers’ database could be a cyberattack roadmap for a hostile state or terrorist group to disrupt power grids or target dams in this country.”

Another security expert, however, said the consequences of the breach are not as dire as some would have the public believe.

“Because there are widespread attacks going on right now, there appears to be a large harvesting operation going on,” said Richard Stiennon, chief research analyst at IT-Harvest. “But I wouldn’t attach a lot of significance to this target.”

“When you lump it in with all the other things that are attacked constantly, it’s more indicative of just grabbing information because it’s there and the defenders aren’t aware they even have to defend it,” Stiennon said.

There are some things in the database that could have economic value to a nation-state — especially one like China without the sophisticated civil engineering capability of the United States. “The database would give a country the model of a mature resource management program for irrigation, power and recreation,” Stiennon said.

“That information is more valuable than using the data to identify attack targets,” he added.