In an era where technological advancements propel operational efficiency, the hydropower and dams industry stands at a pivotal junction, poised between innovation and vulnerability. As our world becomes increasingly interconnected, the sector finds itself grappling with a multitude of cybersecurity threats that have the potential not only to disrupt power generation but also to compromise the safety and well-being of entire communities. Drawing on the insights of cybersecurity experts Phil Rouse and Marlene Ladendorff, IWP&DC delves into the most pressing challenges, industry best practices and crucial lessons learned, all aimed at fortifying the defenses of this indispensable critical infrastructure.
Diverse threats
At the forefront of this digital battleground loom the specters of state-sponsored hacking and the exploits of profit-driven cybercriminals. Nation-states such as Russia, Iran, North Korea and China deploy sophisticated cyber intrusions not only to assess vulnerabilities but potentially to destabilize economies and disrupt national security. Rouse paints a vivid picture of a world where hackers could manipulate intricate systems: disrupting water supply in ways that create industrial-accident-type pollution, or maliciously opening sluice gates to release excessive water, with the potential to reduce generated power, flood key industrial areas and drain the reservoirs supplying major towns and cities.
However, this digital theater isn’t limited to the grand stage of geopolitics. On a more covert front, financially motivated cybercriminals harness their technical prowess to extort organizations. Notable is the case of Colonial Pipeline, where a ransomware attack forced a payout of millions in cryptocurrency. This multifaceted threat landscape necessitates a holistic approach to cybersecurity, and a natural starting point is the convergence of operational technology (OT) and information technology (IT), a merger that promises seamless management while also laying bare the potential chinks in the digital armor. Ladendorff’s insights underscore the fact that the IT realm, often internet-facing, can inadvertently serve as a gateway for cyber adversaries to infiltrate the OT network, potentially compromising critical operations.
Best practices unveiled
Against this backdrop, engineers must orchestrate an intricate symphony of cybersecurity measures to ensure the security of their facilities. Ladendorff extols the value of comprehensive assessments to unveil vulnerabilities and prescribe tailored mitigation strategies. Rouse says that this crucial process encompasses:
- Strategic asset identification and risk assessment: The journey begins with identifying the most critical assets, followed by a meticulous evaluation of potential threats.
- Fortifying data and physical security: Encrypting data, enforcing stringent authentication protocols, and curbing physical access to sensitive zones form the bulwarks of cybersecurity.
- Cultivating cybersecurity savvy: The human element is a pivotal yet often underestimated factor in the cybersecurity equation. Integrating cybersecurity awareness, best practices, and reporting into the organizational culture is vital.
- Choreographing incident response: Preparing for the worst is a hallmark of resilience. Robust incident response strategies, encompassing containment, recovery, and thorough investigations, lay the groundwork for swift action in the face of a cyber onslaught.
- Evolving vigilance: Consistently assessing and enhancing security measures ensures that the defense mechanisms remain agile and adaptive.
Cognizance from crisis
There are many accounts of cyber incidents that have provided invaluable lessons. For example, Sunwater, a water supplier based in Queensland, Australia, was subjected to a protracted cybersecurity breach spanning nine months. According to the Water 2021 report, the breach took place between August 2020 and May 2021 and involved unauthorized access to the organization’s web server housing customer data. The report revealed that “threat actors” exploited an outdated, more vulnerable version of the system’s software.
While the breach’s duration was notable, its impact was limited: the attackers primarily deposited suspicious files on the web server to reroute visitor traffic to an online video platform, and no financial or customer information was compromised. The report nonetheless underscored the need for swift action to address the ongoing security vulnerabilities within the organization’s information systems.
Key takeaways from the incident included recommendations to update software, strengthen passwords and rigorously monitor both incoming and outgoing network traffic.
Similarly, Norsk Hydro’s tussle with LockerGoga ransomware showcased the power of resilience. A cyber intrusion stemmed from an employee unknowingly triggering an infected email three months prior, leading to a subsequent assault orchestrated by the LockerGoga ransomware group. This malicious software infiltrated Norsk Hydro’s computer systems, compelling the company to halt operations in numerous production facilities.
The aftermath of this ransomware attack reverberated widely, affecting 35,000 employees dispersed across 40 nations and inflicting financial losses approximating $71 million.
In response, Norsk Hydro garnered acclaim for its adept management of the crisis. Instead of succumbing to the ransom demand, the company chose to collaborate with Microsoft’s cybersecurity experts to facilitate the restoration of operations. Additionally, Norsk Hydro demonstrated a commitment to transparency by openly communicating the evolving situation.
Torstein Gimnes, the corporate information security officer at Norsk Hydro, emphasized the futility of paying ransoms as a solution, underlining the necessity of rebuilding compromised infrastructure to ensure its integrity. Noteworthy steps taken in the wake of the incident included an immediate shutdown of IT networks and servers to curtail further propagation, and engaging Microsoft’s cybersecurity team to leverage reliable backups for data restoration.
Moving forward, Norsk Hydro’s strategic focus encompassed bolstering security measures through comprehensive employee training, implementation of multi-factor authentication, regular updates, and the implementation of robust backup solutions.
Pioneering secure horizons
To safeguard the security of control systems, SCADA (Supervisory Control and Data Acquisition), and other vital components within hydropower and dam facilities, Marlene Ladendorff says engineers can employ a multi-faceted approach that combines physical and cybersecurity measures for optimal protection. The fusion of these controls offers a robust defense strategy. Physical security controls, including perimeter fortifications such as fences, CCTV surveillance, and locks, alongside access controls encompassing key-based, electronic, or biometric methods, contribute to safeguarding the facility. Cybersecurity measures, on the other hand, involve intricate network architecture designs, meticulous logical access control encompassing computer logins and passwords, and the establishment of comprehensive policies and procedures. By identifying the critical components within the facility, management can apply tailored controls to enhance the safety and security of these elements.
Phil Rouse points out that several key strategies can be implemented to ensure the integrity of hydropower and dam facilities:
- Network security: A dedicated system like TSAT, purposefully designed for SCADA applications, can provide unparalleled security.
- Operating system and software security: Keeping operating systems and software up to date is essential, as these updates often include critical security patches that shield against vulnerabilities.
- Continuous network monitoring: Detecting anomalies promptly enables proactive responses.
- Redundancy and backup: Implementing redundancy mitigates the risk of single points of failure, thereby enhancing system reliability and ensuring uninterrupted connectivity, even in the face of network disruptions.
- User Training: Regular training initiatives should be provided to staff, equipping them with knowledge about various risks and best practices to thwart potential threats.
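The Sunwater takeaway about monitoring inbound and outbound traffic and the “continuous network monitoring” strategy above come down to one practical question at the IT/OT boundary: which conversations are allowed to cross it, and which ones should raise an alarm? The following is an added illustration, not code from the article or from either contributor, of an allowlist check run over flow records. The subnets, the historian and jump-host addresses, the permitted ports and the sample flows are all hypothetical and constructed for the example; a real site would load its own zone definitions and policy.

```python
"""Added example: an egress/ingress allowlist check at the IT/OT boundary,
run over constructed flow records (not data from the article)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical site addressing; the article names no networks or hosts.
OT_NET = ipaddress.ip_network("10.20.0.0/16")     # control network (PLCs, HMIs, RTUs)
IT_NET = ipaddress.ip_network("10.10.0.0/16")     # corporate network
SITE_NETS = (OT_NET, IT_NET)                      # anything else is "outside the site"
HISTORIAN = ipaddress.ip_address("10.10.5.20")    # historian on the IT side of the boundary
JUMP_HOST = ipaddress.ip_address("10.10.5.10")    # only permitted source of remote access into OT

# Permitted conversations crossing the boundary: (source host/network, destination host/network, port)
ALLOW = [
    (OT_NET, HISTORIAN, 1433),      # OT pushes process data to the historian
    (JUMP_HOST, OT_NET, 3389),      # engineers reach OT only via the jump host
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _matches(addr, target) -> bool:
    """True if addr is the target host or lies inside the target network."""
    if isinstance(target, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in target
    return addr == target


def crosses_boundary(src, dst) -> bool:
    """A flow needs review when exactly one endpoint is on the OT network."""
    return (src in OT_NET) != (dst in OT_NET)


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if not crosses_boundary(src, dst):
        return None                      # intra-zone traffic is out of scope for this check
    if src in OT_NET and not any(dst in net for net in SITE_NETS):
        return "OT host talking to an address outside the site"
    for a_src, a_dst, a_port in ALLOW:
        if _matches(src, a_src) and _matches(dst, a_dst) and flow.dport == a_port:
            return None
    if dst in OT_NET:
        return f"unexpected inbound to OT on {flow.proto}/{flow.dport}"
    return f"unexpected outbound from OT on {flow.proto}/{flow.dport}"


def audit(flows):
    """Return the (flow, reason) pairs that violate the boundary policy."""
    return [(f, r) for f in flows if (r := check_flow(f))]


# Constructed sample flows, in the shape a NetFlow/IPFIX export would provide.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.10.5.20", 1433),   # RTU gateway -> historian: allowed
    Flow("10.10.5.10", "10.20.1.50", 3389),   # jump host -> engineering workstation: allowed
    Flow("10.10.7.33", "10.20.1.50", 3389),   # ordinary IT desktop -> OT RDP: flagged
    Flow("10.20.1.15", "203.0.113.9", 443),   # RTU gateway -> outside the site: flagged
    Flow("10.10.7.33", "10.10.5.20", 1433),   # IT -> historian: no boundary crossing
    Flow("10.20.1.50", "10.20.1.15", 502),    # OT-internal Modbus: no boundary crossing
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

The check is deliberately asymmetric: anything leaving OT for an address outside the site is flagged before the allowlist is even consulted, because a control network has no legitimate reason to initiate such a connection, while inbound access is tolerated only from the designated jump host. Run continuously over exported flow records, the same logic gives the “anomaly detected promptly” that the strategy above calls for.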
“OT specific cybersecurity training is crucial to any critical infrastructure organization,” explains Ladendorff. “There are significant differences between IT and OT cybersecurity. A common understanding in cybersecurity practices is the fact that an organization is only as strong as its weakest link, and the weakest link in cybersecurity is people. OT cybersecurity training and awareness can strengthen personnel’s understanding of cyber threats and how to protect against them.”
Keeping up to date
Staying abreast of the latest cybersecurity threats and best practices is essential for the industry’s vigilance. The Cybersecurity & Infrastructure Security Agency (CISA) serves as a valuable resource, disseminating threat information via advisories and alerts available at https://www.cisa.gov/topics/cyber-threats-and-advisories. Engaging in cybersecurity conferences and webinars offers another avenue for industry professionals to stay informed. Additionally, keeping a close watch on updates from vendors and suppliers is crucial, as they frequently provide information about vulnerabilities, patches and security enhancements for their products. Monitoring blogs and pertinent publications is also recommended to remain in the loop. Rouse points out that perhaps the most invaluable recommendation lies in actively participating in knowledge-sharing initiatives with peers within the industry, recognizing that the exchange of insights is immeasurable in its contribution to overall cyber resilience.
Additional challenges
Engineers must be acutely attuned to additional cybersecurity challenges arising in the modern landscape, particularly with the increasing integration of Industrial Internet of Things (IIoT) into critical infrastructure like hydropower facilities. Several pertinent challenges demand vigilant attention:
- Expanded attack surfaces due to interconnected devices, offering more targets for cyberattacks.
- IoT device security complexities, especially remote updates, risking vulnerabilities and tampering.
- Essential communication security for wireless IoT devices using different protocols.
- Preserving data integrity and privacy to avoid flawed decision-making from compromised data.
- IoT network visibility challenges hindering quick response to potential cyber threats.
- Lack of standardization in security protocols among IoT device manufacturers, complicating consistent security practices.
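The second challenge in the list, remote updates that risk tampering, is the one where a concrete device-side check does the most good: an IIoT device should refuse any firmware it cannot authenticate, any image whose contents do not match the signed manifest, and any “update” that would actually take it back to an older, vulnerable version. The following is an added illustration, not code from the article or from any vendor the contributors work with. It uses an HMAC over the manifest as a stand-in for the asymmetric signature a real vendor would use, purely so the example runs with the Python standard library alone; the device key, installed version, device name and firmware bytes are all constructed for the example.

```python
"""Added example: verifying a remotely delivered IIoT firmware update before
installing it. An HMAC over the manifest stands in for the vendor's asymmetric
signature so the example needs only the standard library."""
import hashlib
import hmac
import json

# Hypothetical device-side constants; the article names no product, key or version.
DEVICE_KEY = b"example-shared-key-not-for-production"
INSTALLED_VERSION = 7


def sign_manifest(manifest: dict, key: bytes = DEVICE_KEY) -> str:
    """Build-side: sign the canonical JSON form of the manifest.

    Canonical serialisation (sorted keys, no whitespace) ensures both sides
    hash exactly the same bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, image: bytes,
                  installed_version: int = INSTALLED_VERSION,
                  key: bytes = DEVICE_KEY) -> str:
    """Device-side: return 'ok' or the first reason the update must be refused.

    Order matters: the manifest is authenticated first, so nothing an attacker
    can write into an unsigned manifest influences the later checks."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return "manifest signature invalid"
    if manifest.get("version", 0) <= installed_version:
        return "rollback refused: version not newer than installed"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return "image hash mismatch: image tampered or corrupted"
    return "ok"


# Constructed sample: one genuine update and three ways delivery can go wrong.
GOOD_IMAGE = b"\x7fELF" + b"firmware bytes v8" * 64
GOOD_MANIFEST = {
    "device": "rtu-gateway",
    "version": 8,
    "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
}
GOOD_SIG = sign_manifest(GOOD_MANIFEST)


def demo() -> dict:
    """Run the four scenarios and return their verdicts keyed by scenario name."""
    tampered_image = GOOD_IMAGE[:-1] + b"\x00"          # one byte altered in transit
    old_manifest = dict(GOOD_MANIFEST, version=6)        # genuinely signed, but older
    forged_manifest = dict(GOOD_MANIFEST, version=9)     # edited after signing
    return {
        "genuine": verify_update(GOOD_MANIFEST, GOOD_SIG, GOOD_IMAGE),
        "tampered_image": verify_update(GOOD_MANIFEST, GOOD_SIG, tampered_image),
        "rollback": verify_update(old_manifest, sign_manifest(old_manifest), GOOD_IMAGE),
        "forged_manifest": verify_update(forged_manifest, GOOD_SIG, GOOD_IMAGE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The rollback case is the one most often forgotten: a correctly signed but older image is still a valid vendor artefact, so the signature check alone passes it, and only the version comparison stops an attacker from reinstalling a release with a known flaw. With a real asymmetric scheme the device would hold only the vendor’s public key, so compromising one device would not yield the ability to sign updates for the rest of the fleet, which is the weakness of the shared-key stand-in used here.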
Mitigating these challenges demands an astute grasp of the intricate interplay between IIoT integration and cybersecurity, enabling engineers to enact measures that bolster the resilience and safety of critical infrastructure operations.
Phil Rouse, Advisor to the Chief Executive Officer, developed the strategy for the group and was responsible for the early shaping of Ground Control. As a founding partner of Wireless Innovation, Phil orchestrated a highly successful investment round via Lyceum Capital (now Horizon Capital), culminating in the merger of three companies and propelling Ground Control to become one of the leaders in M2M and IoT communications. Ground Control specialises in satellite and cellular services, connecting people and things, especially in remote and hard-to-reach areas, with applications spanning the globe. With a background in Microwave Electronics in the Defence industry, then moving into the Telecommunications sector, he played a pivotal role in several successful business growth initiatives and leading an MBO in 2004 to create Wireless Innovation Ltd.
Marlene Ladendorff focuses on OT cybersecurity for critical infrastructure sectors, domestic and international. Her PhD dissertation studied the Effect of the North American Electric Reliability Corporation Critical Infrastructure Protection Standards on Bulk Electric System Reliability. She has been involved in cybersecurity for domestic nuclear power plants since 2008 when the Nuclear Regulatory Commission released rule 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks. Marlene also worked in the United Arab Emirates during the construction of the new APR1400 digital nuclear power reactors.