As hurricane season approaches, most New Orleanians might feel safer behind the new $14.5-billion system of concrete floodwalls, monster pumping stations and towering surge barriers.
But six months ago, local authorities were put on notice that all that security could be compromised by a determined computer hacker who could turn off pumping stations and leave flood gates open.
In December, the Lake Borgne Basin Levee District, which covers St. Bernard Parish, was victimized by ransomware, a takeover by hackers who demand payment to unlock information they have frozen on an entity’s computer system. The district eventually paid $1,400 to get the information back.
The agency said the attack did not affect pumping and floodgate operations because those are managed by systems not connected to the Web.
But one cyber security expert said that is a false sense of security.
Hackers have already shown the ability to invade even such stand-alone systems, including those used to operate dam floodgates.
“Stand-alone systems are more secure than something connected to the Web, but there have already been multiple instances of industrial operations being hacked,” said Jason Larsen, a consultant with cyber-security firm IOActive.
“In fact, I was on a team consulting for the Department of Homeland Security to test systems at some dams in Western states, and we were able to hack into those operating systems – which are not on the Web.
“So, stand-alone doesn’t mean you’re safe. It still requires a very complete security program that is constantly monitored and updated for any breaches and emerging threats.”
Federal and local officials say they are following such a policy.
Ricky Boyett of the U.S. Army Corps of Engineers, which currently runs many of the area’s key pumping stations as well as floodgates on the perimeter storm surge walls, said the agency is not relying solely on the stand-alone nature of its remote operations programs.
“We have a cyber security program that, by Army regulations, is audited annually to be accredited,” he said. “It’s an outside group that comes in and checks everything from the security of the lines to making sure all of our cabinets are locked.”
The New Orleans Sewerage & Water Board runs interior drainage pumping stations and will assume operation of the outfall canals when permanent pumps are installed. In an email reply, an agency spokeswoman reported the board is “using remote programs and confirms them manually, but operates the pumps directly by employees,” a policy that will remain in place when it takes over the outfall stations.
She said that entire system is under a cyber-security program similar to the one described by the corps.
Larsen emphasized that the efficacy of a cyber-security system for stand-alone operations was only as good as the auditing regime used to keep it updated and to check for inadvertent in-house breaches.
“What often happens is you have engineers using the Web to work on something and he uses a [thumb] drive to copy some data, then later he uses that same drive in the stand-alone operation system,” he said. “If the thumb drive was infected, the hacker now has access to that stand-alone.”
Larsen also said industrial operations such as dams, pumping stations and floodgates make appealing targets because simply turning them off can cause tragedy.
“If you’re trying to blow up a chemical plant, you’ll need to get into a whole lot of different systems in that plant to make something happen,” he said. “It’s much less complicated to hack into the operations that just turn off a flood gate or a pumping station. And that could be devastating.”
Bob Turner, regional director of the Southeast Louisiana Flood Protection Authority-East, which oversees the area’s storm defenses, said he considered the Lake Borgne District incident an important warning.
“This is something we take very seriously and must keep on top of,” Turner said.
“I know I would never recommend putting operations of our controls on the Web specifically for that reason.
“But you read about these things almost every day, so we know we’re going to have to keep evolving to stay safe from that threat.