While U.S. water utilities have been identified as vulnerable to cyber attacks, the dams that generate hydropower within the U.S. are also vulnerable to such attacks. Some of that vulnerability is because most dams have never undergone a federal cybersecurity audit, and the software used at dams is widely used by government and industry, thereby undermining U.S. cyber defenses, says a U.S. senator who led a hearing on the issue.

Every critical infrastructure sector faces cyber threats, including the dams that generate hydropower, according to Senate Subcommittee on Water and Power Chairman Ron Wyden (D-Ore.). The threat of cyber attack comes from “countries like China and Russia” as those countries “have the ability to shut down core functions of society, and even cause death by hacking critical infrastructure,” Wyden said at the subcommittee hearing held on April 10, 2024, which examined the “Federal and Non-Federal Role of Assessing Cyber Threats to, and Vulnerabilities of Critical Infrastructure in our Energy Sector.”

Despite being vulnerable to cyber attacks, over half of the 2500 dams licensed by the Federal Energy Regulatory Commission (FERC) have not undergone a cybersecurity audit, and there are no plans to conduct cybersecurity audits at those dams anytime soon. The senator said this is because, in part, FERC does not have the resources it needs to be an effective regulator of cybersecurity at private-sector-run dams.

Furthermore, FERC’s cybersecurity rules have not been updated since 2016, and existing rules are not specific enough and are primarily about paperwork and box-checking, Wyden said. In addition, there are no mandatory cybersecurity requirements for dams administered by on-site operators, and FERC’s cybersecurity rules only apply to dams that are remotely managed over the internet, which enables companies to save money by not requiring an operator on-site. Still, those cost savings for the dam operator have led to more significant cyber risks, Wyden said.

In addition, because computer software produced by Microsoft is widely used across the U.S. government and industry (including dams), cyber defenses are weakened, thereby creating a threat to national security, Wyden said. A central problem responsible for facilitating the cyber threat is “the U.S. doesn’t have a coordinated plan to deal with cybersecurity,” and the “cybersecurity of each part of our society is regulated differently, and some aren’t regulated at all. Some have rules, some have the honor system; this is not good enough,” said Wyden, who added, “No wonder there are broad parts of our government and society with awful cybersecurity, no effective rules, and no cyber safety regulator.”

Nonetheless, Wyden said while he cannot solve that bigger cybersecurity problem, he “can accelerate updating FERC’s cybersecurity standards, making sure those standards are effective, and apply to all dams, to protect the United States from this serious national security threat.”

However, Terry Turpin, the director of FERC’s Office of Energy Projects, said the agency has been increasing cybersecurity at hydroelectric dams. This includes expanding FERC’s dam safety program in 2016 to include cybersecurity of the control systems used to manage the operation of the water control features, including flow bypass systems, reservoir level monitors, flow meters, piezometers, and embankment movement indicators.

Furthermore, FERC required dam licensees to implement security measures appropriate to each dam by the end of 2018, and submit a letter to FERC by Dec. 31, 2018, and each year thereafter, certifying compliance with both physical and cybersecurity requirements, Turpin said.

Dam licensees need to maintain documentation of vulnerability assessments, security practices, and network architecture at the facility site for review by FERC engineers during any dam safety inspection, said Turpin, who added that FERC has a cybersecurity review program that is focused on ensuring licensees have implemented appropriate measures for remotely operable physical features, such as spillway gates, and any instrumentation and digital controls needed for dam safety and for operational decisions regarding the safe flow and storage of water.

In addition, Virginia Wright, program manager for cyber-informed engineering at the Department of Energy’s Idaho National Laboratory (INL), testified that dams face cybersecurity threats similar to those affecting the overall energy sector; however, adversaries targeting dams seek impacts beyond just power outages. Those impacts include flooding, loss of navigation and water supply, and safety and economic effects on the facility and downstream communities, she said. 

The “challenges to cyber defense” at dams include the use of outdated equipment, often with hard-coded and default passwords, rural facility locations, smaller operators with few resources for cybersecurity, and the variability of hydropower facilities, according to Wright.

Furthermore, INL found the operational technology networks at smaller hydropower facilities lacked critical security protections and that many facilities allow remote access for maintenance and operational support, Wright said. Most operators did not have basic visibility into operational network traffic or the expertise and manpower to monitor networks for emerging threats and vulnerabilities. When surveyed, asset owners and operators described a need for threat and vulnerability information linked to their specific operational contexts and, where possible, to their assets.

However, the water sector may provide an instructive analog to guide the testing, training, and exercise facilities needed to allow scaled testing of the impacts of cyberattacks on hydropower facilities, according to Wright. “Like the hydropower subsector, the water sector is rapidly adopting digital tools while it also attempts to maintain aging and obsolete software and controls,” she said. 

INL’s Water Security Test Bed may serve to model the kinds of testing facilities needed for hydropower cybersecurity. Established in 2013 through a partnership between INL and the Environmental Protection Agency, the facility in INL’s Critical Infrastructure Test Range conducts research, development, and testing of national water security and other drinking-water distribution issues. “It can not only test, at or near full-scale, the impacts of cyberattack on water systems, but it also addresses biological and chemical vulnerabilities due to natural or accidental causes or malicious acts,” Wright said.
