Iran Targets Flood Dams with Cyber

The Wall Street Journal reported today that Iran attacked the control system of a  flood dam outside of New York City back in 2013.  It is important to understand that there is a strategic lesson here that should shape the way the Iranian threat and the vulnerabilities of our society to critical infrastructure are understood.

1. Cyber is only one component of a warfare strategy and public safety is the target: Why target a flood control damn with a cyber attack?  To test and develop a capability to achieve conventional warfare capabilities through cyber attacks.  This fits into a pattern and ongoing efforts to develop an asymmetric capability en lieu of a conventional one.  The stated warfare doctrine of Iran is to destroy American society.  In warfare doctrine a menu of attack options and an ability to coordinate them is desirable. It has been known for some time that Iran has a capability to target critical U.S. infrastructure and has succeeded in infiltrating control systems for U.S. infrastructure.
2. Cyber threats can have real world consequences: Stop thinking of identity theft and economic warfare as something that will always be separate from kinetic warfare.  North Korea has already attempted to destroy hydroelectric plants in South Korea through cyber attacks.  These are not future threats.  NSA head Adm. Mike Rogers testified in 2014 that he believes that China already has the capability to shut down the U.S. electrical grid with cyber attacks.  You can debate whether the Chinese want such a strategic capability only to increase their stature in the world the way the U.S. once employed its nuclear, naval, and air force power projection.  A study of the more ambitious intentions of Chinese military leaders makes that debatable.  There are hostile actors now who are trying to achieve these capabilities who want to use them now.  They include, Iran, North Korea and ISIS.  They want to destroy facilities that effect public safety which include electrical power supply, water treatment and management, systems, emergency response assets, hospitals, transportation, etc.  The list goes on and hostile actors understand that all of our critical infrastructures have cyber vulnerabilities because they are overly reliant on the internet to manage them.
3. It is not just one threat: Don’t think of the cyber threat to infrastructure in isolation.  In early December 2015 both Dr. George Baker, professor emeritus of James Madison University and former CIA analyst Peter Pry were guests at the Dupont Summit, an infrastructure security event.  In a panel on next steps for protecting critical infrastructure from major catastrophic events they both had similar criticisms.  Dr. Baker, whose career at the Defense Threat Reduction Agency is somewhat legendary, concluded that the current piecemeal approach which treats cyber threats from nation states in isolation from physical attacks, nuclear strategy, asymmetric electromagnetic weaponry, and terrorism will never achieve practical mitigations in a timely manner that addresses the current threat environment.  Dr. Pry’s briefing detailed how hostile actors do not isolate cyber attacks from unattributed asymmetric attacks which could be coordinated between terrorist and nation states.  With examples from what is known about the warfare doctrines of Russia, Iran,  Al Qaeda, ISIS, and North Korea, Dr. Pry demonstrated that when we see things like Iran carrying out cyber attacks on a dam in New York, we are looking at a small component of complex strategic threat that targets the U.S. where it is weakest: its critical infrastructures.