Congress sounds alarm on lax dam cybersecurity
America’s dams lack the resources to beef up their digital defenses, and the federal agency charged with oversight of the sector is understaffed and behind on performing cyber audits, experts said during a congressional hearing Wednesday.
Experts told the Senate Energy and Natural Resources subcommittee that U.S. dams — which make up over 50% of private electricity generation — have not undergone cybersecurity audits by the Federal Energy Regulatory Commission, which only has four staffers dedicated to the issue.
“I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver,” Chairman Ron Wyden, D-Ore., said in his opening statement.
While there are 91,827 dams of varying sizes in the U.S., only 2,500 are under FERC’s authority as non-federal dams with hydropower. Hydroelectric dams provide about 28% of renewable energy in the United States.
“Today there are no minimum standards, no audits of a majority of dams and bad cybersecurity. This is inviting cybersecurity trouble in the Northwest,” Wyden said in his opening statement.
What’s worse, FERC’s cybersecurity requirements have not been updated since 2016. Terry Turpin, director of the office of energy projects at FERC, said that the independent agency plans on updating the requirements once they are through auditing around 70% of the dams by the end of fiscal year 2025.
Under pressure from Wyden, however, Turpin said that the update is “achievable” within nine months.
Like many other critical infrastructure sectors, dams are undergoing a modernization effort. Many were built decades ago, meaning that they lack the digital systems that would expose them to cybersecurity vulnerabilities, said Virginia Wright, cyber-informed engineering program manager at Idaho National Laboratory.
But that is expected to change as systems are modernized and adopt digital technology, which can introduce new vectors of attack if not secured properly, Wright said, noting that many dams have few resources to invest in cybersecurity.
Wright recommended that Congress support vulnerability assessments in the U.S. hydroelectric fleet and develop guidance for known weaknesses in digital systems for hydropower.
Wright also argued that modernization is an “excellent opportunity” to use cyber-informed engineering methods that would build in protections from the worst-case scenarios of a cyber-physical attack.
“Cyber-informed engineering asks the engineers who design and operate infrastructure systems to develop engineering controls, which can mitigate the worst consequences that could be caused, even if adversaries penetrate digital defenses and gain control of operational technology,” Wright said in her opening statement.
Concerns over dam cybersecurity are not new. A 2021 report from the Department of Homeland Security Office of Inspector General found that the Cybersecurity and Infrastructure Security Agency needs to do more to protect the sector. CISA is the sector risk management agency for dams, and the report found that there is little coordination, tracking, managing or evaluating of its work to oversee dams.
