The vulnerability of rapidly modernizing hydropower infrastructure to cyber threats has drawn significant attention, prompting a recent subcommittee hearing in the United States to assess these risks. Suzanne Pritchard reports.
In recent years, cyber threats targeting hydropower facilities have grown increasingly frequent and severe. Incidents such as the infiltration of Bowman Dam’s controls in Rye, New York in 2013 and subsequent attacks on programmable logic controllers across Pennsylvania underscore the vulnerabilities facing the water and wastewater systems sector. These activities, attributed to Iranian government-affiliated actors, highlight the critical need for robust cybersecurity measures.
Similarly, a cyber incident in April 2023 disrupted Hydro Quebec’s services, an attack attributed to a Russian actor group dissatisfied with Canadian policies. These incidents are part of a broader global trend, including significant disruptions at Norsk Hydro in Norway, resulting in over $71 million in losses, and prolonged breaches at Australia’s Sunwater in 2021-2022. In Ethiopia, an attempted cyber attack on the Grand Renaissance Dam in May 2022 was successfully thwarted.
Given these developments, global estimates suggest that cybercrime could cost up to $8 trillion, with energy and utility sectors remaining prime targets. Virginia Wright from the Idaho National Laboratory highlighted that cybersecurity threats to critical infrastructure, including dams, pose substantial strategic risks for the US. Nation-states increasingly target energy sectors to compromise control systems and establish persistent network access for future operations.
While cyber threats affecting dams share similarities with those targeting broader energy infrastructure, the implications for dams extend beyond mere power outages. Potential impacts include floods, disruption of navigation and water supplies, as well as safety and economic repercussions for both facilities and downstream communities. Unique challenges such as outdated equipment with default passwords, remote locations, and limited cybersecurity resources further complicate defense strategies for hydropower facilities.
Ground Control, specializing in critical communications infrastructure, emphasizes that the integration of Internet of Things (IoT) devices and sensors has heightened infrastructure complexity. This integration expands attack surfaces, complicates device security management due to dispersed and often remote locations, and introduces interoperability challenges among various systems and manufacturers.
Senator Ron Wyden emphasized the urgent need for robust cybersecurity measures across dams and critical infrastructure. Chairing a subcommittee hearing on April 10, 2024, he underscored concerns about potential catastrophic consequences from cyberattacks on private dams. He criticized the Federal Energy Regulatory Commission (FERC) for inadequate cybersecurity oversight, pointing out that a majority of non-federal US power-generating dams lack cybersecurity audits.
Wyden noted that FERC’s cybersecurity rules, last updated in 2016, do not sufficiently address modern threats and primarily focus on procedural compliance rather than effective security practices. He called for immediate congressional action to enhance cybersecurity regulation across diverse sectors, highlighting the need for a unified national approach.
Terry Turpin from FERC’s Office of Energy Projects outlined the complex regulatory landscape where multiple entities oversee cybersecurity aspects of different components within hydropower facilities. He clarified that while North American Electric Reliability Corporation (NERC) oversees cybersecurity for generating equipment supporting the Bulk Electric System, other government agencies manage control systems for water storage and conveyance.
Virginia Wright proposed critical steps to address cybersecurity gaps in the energy sector, advocating for immediate actions such as enhancing engineering protections, conducting vulnerability assessments, and establishing robust incident response plans. She also recommended future initiatives to improve threat visibility, promote cybersecurity education programs, and streamline cybersecurity responsibilities across federal agencies.
As cybersecurity threats continue to evolve, ensuring comprehensive protection for critical infrastructure remains paramount. Wright stressed the imperative of proactive measures to mitigate vulnerabilities and safeguard against potential cyber threats.
Source: waterpowermagazine.com
