Critical Infrastructure Security
Hacks on Unregulated Dams Can Result in Mass Casualties, Experts and Lawmakers Warn
Could a hacker seize control of America’s dams, unleashing floods and chaos across vulnerable communities? Cybersecurity analysts and leading lawmakers warn it’s possible.
During an April hearing on cybersecurity threats to critical water infrastructure, Sen. Ron Wyden, D-Ore., used stunningly apocalyptic framing to raise his concerns.
“As the chairman of the subcommittee responsible for dams, I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver,” the senator said.
Influential voices in the cybersecurity field typically avoid alarmist scenarios, favoring practical, actionable responses to threats. But with the majority of dams under Federal Energy Regulatory Commission oversight not having undergone comprehensive cyber audits, and only four full-time employees tasked with overseeing 2,500 dams nationwide, experts agree with Wyden about the vulnerability of the sector to cyberattacks that could result in loss of human lives.
“Human life and safety are in play here,” Padriac O’Reilly, a water cyber risk advisor for the Defense Department and chief innovation officer of the cyber risk firm CyberSaint, told Information Security Media Group. “Operational technology, population centers near dams, critical power generation capacity – all of these coupled with a lack of knowledge with respect to the maturity of cyber risk management adds up to a very concerning picture.”
Only 5% of the 91,827 dams in the United States fall under federal regulation, as reports reveal a growing crisis in dam infrastructure nationwide. The average dam is nearly 50 years old, and approximately 2,200 classified as “high-hazard” – meaning their failure could result in fatalities – remain in poor or unsatisfactory condition.
Despite the vast majority of U.S. dams being operated by the private sector, FERC has not updated its cybersecurity requirements for commercial dam operators since 2016. The Cybersecurity and Infrastructure Security Agency, which serves as the sector risk management agency for dams, also still refers to a dams sector-specific plan from 2015 as its latest strategic guidance for reducing risks, improving coordination and strengthening security.
Rex Booth, CISA’s former chief of cyber threat analysis and CISO of the identity management platform SailPoint, said the entire water industry is often considered to be “among the least secure sectors” in terms of cybersecurity.
Dam and water system operators across the U.S. “typically have corporate cultures centered around traditional engineering and operational technology, which often run orthogonal to the faster pace of IT and cybersecurity,” Booth told ISMG.
“The water sector desperately needs federal support to bring their baseline of cybersecurity up to par,” Booth said. “They simply don’t have the budgets or expertise to do it on their own, and there’s far too much on the line to ignore the risk.”
During the dam cybersecurity hearing, Wyden reported that FERC cited a lack of funding and staff as reasons it could not audit the remaining dams within the next decade. Additionally, Wyden noted that the commission’s cybersecurity rules only apply to dams that are remotely managed over the internet, a practice that allows companies to save money by not requiring on-site operators.
“Those cost savings for the dam operator lead to significantly greater cyber risks,” Wyden said. “FERC doesn’t have the resources it needs to be an effective regulator of the cybersecurity of private-sector run dams.”
“That’s a problem Congress needs to address now,” he added.
FERC is in the process of developing new cybersecurity guidance for the dam sector, expected to be completed within the next nine months, according to Terry Turpin, the head of the commission’s Office of Energy Projects. Turpin testified to a Senate panel in April that the commission was reviewing a recent Department of Homeland Security report to help shape its forthcoming guidance for the sector. The report criticized Microsoft after Russian state hackers successfully penetrated the inboxes of senior executives at the global computing giant using an unsophisticated hacking technique (see: Microsoft’s Latest Hack Sparks Major Security Concerns).
Many dam operators currently use Microsoft products and applications, according to Turpin. As dam functionality modernizes, experts say the internet-exposed services that touch operational technology across the sector will increasingly become attractive targets for nation-state actors aiming to cause disruption or substantial harm.
“The cybersecurity of the dam sector is at risk from under-resourcing in both the utilities that own and operate the dams and the federal agency that oversees them,” Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, told ISMG. “This risk is increasing as dams modernize and introduce more automated systems and controls.”
National security experts have long called on the federal government to enforce cybersecurity mandates across critical infrastructure sectors the way it mandates safety in automobiles and airplanes. Some have also warned that an attack on national water dam infrastructure could threaten public health and safety while posing severe operational risks, including water contamination, data theft and system disruptions.
Operational disruptions caused by cyberattacks on U.S. dam infrastructure “can halt essential services, potentially leading to severe health emergencies or deaths,” said Ken Dunham, cyber threat director for the Qualys Threat Research Unit. “Furthermore, the lack of separation between operational and internet-based technologies in legacy systems increases the vulnerability of dams to cyberattacks.”
Wyden urged FERC to accelerate the development of its cybersecurity standards and called on Congress to address the lack of comprehensive cybersecurity regulations across critical infrastructure sectors “rather than playing whack-a-mole one industry or agency at a time.”
Until the federal government forcefully mandates minimum cybersecurity requirements for dam operators, the sector will remain “on a path of escalation that ends in one of two ways,” according to Eric Noonan, a national security expert and CEO of the cybersecurity firm CyberSheath.
Option one involves the government mandating sweeping cybersecurity measures and funding FERC to enforce those mandates, Noonan said.
Option two?
“If the government doesn’t act then we will inevitably suffer a never-before-seen cyberattack … people will suffer or die,” he said. “We shouldn’t have to wait for that to happen.”