Hackers believed to be connected to Iran infiltrated the control system of a small dam outside New York City in 2013, according to a report in the Wall Street Journal.

The Bowman Avenue Dam in Rye Brook, about 20 miles northeast of the city, is small and used only for flood control. While the hackers could reportedly have released water from the dam, the amount of damage that would have resulted is limited. The dam sits across the Blind Brook, which flows into Long Island Sound a few miles away. Floodwaters would not have approached New York City, though some residential areas nearby could have been flooded.

The cyberattack appeared to be a simple probe of the dam’s control system vulnerabilities through a cellular modem. The attackers never actually took control of the dam.

However, investigators initially thought the attack involved a much larger dam in central Oregon, the Arthur R. Bowman dam near Bend. That dam impounds a large reservoir, and a successful attack on it could have caused widespread damage downstream. Details on the intrusion remain classified.

Power Plant Cyberattacks Grow

While the Bowman cyberattack was minor in scope, another report from the Associated Press (AP) notes that similar attacks by foreign hackers have successfully gained access to power plant control systems across the country on at least 12 occasions over the past decade.

One cyberattack described by the AP involved independent power producer Calpine in 2013. That intrusion resulted in the theft of network usernames, passwords, and power plant engineering drawings, as well as network architecture describing how plants communicate with the company’s central control systems.

A Calpine spokesman told the AP that the information was stolen from a third-party contractor and involved older records and diagrams. The AP report, however, said the intrusion would have allowed access to the plants’ gas turbine control systems, something that could conceivably allow the hackers to shut down the plant or cause damage to the turbines. An outside security firm discovered the attack, and Calpine was unaware of the intrusion until authorities notified it.

Vulnerabilities Widespread

Hackers believed to be connected to Russia, China, Iran, and other foreign nations have had the nation’s infrastructure under siege for a number of years. The Department of Homeland Security has repeatedly warned about malware attacks, and experts say many portions of the power sector are still woefully unprotected from attack. While progress has been made, a substantial portion remains highly vulnerable, especially smaller, lower-profile facilities like the Bowman Dam that have not been hardened against attack. According to reports, the dam uses an industry-standard control system.

The risks, while thought to be low in probability, are potentially enormous in scope. A report issued last year by Lloyd’s estimates that a sophisticated, large-scale cyberattack on the U.S. power grid could potentially destroy dozens of generating units, leave 93 million people without power for weeks, and result in nearly $250 billion dollars in economic damage.

—Thomas W. Overton, JD is a POWER associate editor (@thomas_overton, @POWERmagazine).