Cybersecurity threats to hydropower dams have become more commonplace in recent years. In 2013 the controls at Bowman Dam in Rye, New York, were infiltrated; this, along with the exploitation of programmable logic controllers in Pennsylvania and across the water and wastewater systems sector in late 2023, was attributed to Iranian government-affiliated cyber actors. In April 2023, Hydro Quebec’s website and customer app were made temporarily unavailable in an attack attributed to a Russian actor group unhappy with Canadian policies supporting Ukraine.
There have also been numerous other incidents worldwide, such as in Norway, where Norsk Hydro was forced to shut down facilities in 2019, leading to more than US$71 million in financial losses. Then, in Australia, water supplier Sunwater was targeted by a nine-month-long security breach in 2021-2, and in May 2022 the Ethiopian Information Network Security Agency reported that a cyber attack at the Grand Renaissance Ethiopian Dam had been thwarted before any data could be accessed.
Cost of cyber crime
With the above examples in mind, it’s hardly surprising that global estimates suggest that the cost of cybercrime will be in the region of US$8 trillion, with energy and utility companies continuing to be prime targets. Virginia Wright from the Idaho National Laboratory in the US explains why.
“According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, cybersecurity threats to critical infrastructure are one of the most significant strategic risks for the US,” she said, adding that nation states are targeting critical infrastructure to gain access to control systems in the energy sector and maintain persistent access to networks to lay foundations for future operations.
Within the energy sector, key cyberthreats include ransomware, exploitation of remote access, supply-chain attacks, phishing, and malware. Impacts to energy entities from these adversarial techniques can range from loss of information, productivity, and revenue to sabotage of operational processes and damage to equipment or the environment.
Cyber threats targeting hydropower dams
Although the dam sector faces cybersecurity threats similar to those affecting the overall energy sector, those targeting dams seek impacts beyond power outages, including flood, loss of navigation and water supplies, plus safety and economic impact to the facility and downstream communities. In addition, the use of outdated equipment (often with hard-coded and default passwords), rural facility locations, smaller operators with few resources for cybersecurity, and the variability of hydropower facilities can pose unique challenges to cyber defence.
As a company that specialises in critical communications infrastructure, Ground Control says that the increased integration of Internet of Things (IoT) devices and sensors within the hydropower and dam sector has brought greater infrastructure complexity, creating more vulnerabilities and opportunities for cybersecurity threats to hydropower dams for several reasons:
- Increasing number of attack surfaces: Every device connected to the network becomes a potential target for attackers. The more devices there are, the wider the range of potential attacks.
- Device security: The substantial volume and often remote location of IoT devices increases the difficulty of keeping firmware and software up-to-date. Moreover, their physical dispersion can expose them to theft and tampering.
- Lack of standardisation: Different manufacturers exercise varying levels of security and a lack of standardisation can make it challenging to implement consistent security practices across all devices.
- Legacy systems: Many critical infrastructure systems still rely on older technology that may not have been designed with modern cybersecurity standards in mind.
- Interoperability challenges: Ensuring that different IoT devices and systems work together can be challenging. This can lead to security compromises to enable connectivity, potentially weakening overall security.
- Network visibility: Depending on the network’s connectivity and device location, a 360-degree view can be difficult to achieve and maintain, making it harder to detect and respond to cyber attacks.
- Data privacy: IoT devices often collect and transmit sensitive data. Inadequate data protection measures can lead to data breaches, compromising privacy and potentially providing valuable information to attackers.
Serious threats
As Senator Ron Wyden says, the seriousness of cyber threats to critical infrastructure has been clear for years in the US, but companies and agencies across the federal government have been slow to respond to them.
“As the Chairman of the subcommittee responsible for dams, I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver,” he said, which probably explains why he chaired an Energy and Natural Resources subcommittee meeting on 10 April 2024 to discuss cybersecurity threats facing hydropower dams in the US.
At the hearing Wyden claimed that countries like China and Russia “present a significant national security concern, as they have the ability to shut down core functions of society, and even cause death, by hacking critical infrastructure”. He also was appalled to hear that the dams responsible for well over half of non-federal US power generation haven’t received a cybersecurity audit from the Federal Energy Regulatory Commission.
“Currently there’s no plan to complete these missing audits anytime soon,” Wyden said. “FERC has told my staff that it does not have the ability to review the remaining dams within the next decade…and has just four cybersecurity experts to oversee 2500 dams. Today there are no minimum standards, no audits of a majority of dams, and bad cyber security. This is inviting cybersecurity trouble.”
FERC cybersecurity rules
Wyden went on to add that FERC cybersecurity rules only apply to dams that are remotely managed over the internet. This practice enables companies to save money by not requiring an operator on site, but those cost savings for the operator lead to significantly greater cybersecurity threats to hydropower dams. In addition, FERC’s cybersecurity rules haven’t been updated since 2016 and, Wyden claims, they aren’t specific enough and are mostly about paperwork and box checking.
“FERC doesn’t have the resources it needs to be an effective regulator of cybersecurity at private sector run dams. That’s a problem Congress needs to address now,” he urged, adding that one of the main problems is that the US doesn’t have a coordinated plan to deal with cybersecurity as it is regulated in different ways, or not at all, across each part of society.
As Terry Turpin, Director of the Office of Energy Projects at FERC, explained, multiple entities do hold cybersecurity oversight responsibility for different components within a hydropower facility. For example, the North American Electric Reliability Corporation is responsible for setting and enforcing cybersecurity standards related to generating equipment and controls that support the Bulk Electric System. Alternatively, cybersecurity standards for the control systems related to the safe storage and conveyance of water at hydropower facilities typically fall under the purview of government agencies. For federal hydropower facilities (ie outside of FERC’s jurisdiction), the US Army Corps of Engineers, Bureau of Reclamation and Tennessee Valley Authority establish and implement cybersecurity standards for the facilities they own and operate, and the commission has no authority regarding them.
Recommendations
To address some of the most-critical needs for assessing cyberthreats and vulnerabilities of critical water infrastructure in the US energy sector, Virginia Wright said that Idaho National Laboratory has recommendations expressed in terms of when actions should be taken. These include:
Now:
- Use capabilities like the Department of Energy’s Cyber-Informed Engineering to add engineering protection from the impact of cyberattacks on existing infrastructure within the hydropower fleet and in the designs for future hydropower infrastructure.
- Support vulnerability assessments on commonly used technology within the hydroelectric fleet and develop forensic quick start guides to speed the acquisition of attack indicators when adversary activity is suspected.
- Develop hardening guidance to address well-known weaknesses in remote-communication infrastructure and default passwords in OT systems.
- Increase the pace and the financial support for threat hunting across the hydropower fleet and across all critical infrastructure. Ensure that all industry operators have a cybersecurity incident-response plan that addresses both IT and OT and that they exercise that plan at least annually, informed by threat scenarios provided by the Sector Risk Management Agencies.
Soon:
- Increase support for hydropower operators to gain visibility into traffic on their OT networks and the expertise to differentiate expected operations from adversary action. Work with states to explore the ability to use National Guard resources when concerns about imminent threat activity are heightened.
- Instantiate a hydropower-focused Operational Technology Fellowship programme through the Department of Energy’s Water Power Technologies Office, where participants would learn cybersecurity strategies and tactics that are used when targeting US hydroelectric infrastructure and how the government is countering these activities.
- Explore federally funded apprenticeships focused on operational-technology threat-hunting and incident response to support smaller hydroelectric entities.
Someday:
- Explore programmes to incentivise cybersecurity practitioners to consider careers defending rural dam locations.
- Explore the overlapping cybersecurity responsibilities between different departments and agencies to eliminate redundancy and ensure that guidance is effectively targeted to the needs of the hydropower industry.
“We must ensure that all of our critical-infrastructure operators have the tools and expertise needed to prevent catastrophic impacts from cyberattack,” Wright commented, saying that vulnerabilities need to be removed and protection added.