U.S. dams lack the resources to strengthen their digital defenses, and the federal agency responsible for overseeing the sector is understaffed and slow to conduct cyber audits, experts said at a congressional hearing Wednesday.
Experts told the Senate Energy and Natural Resources Subcommittee that U.S. dams, which account for more than 50% of private electricity generation, have not undergone cybersecurity audits by the Federal Energy Regulatory Commission, and that only four staff members are dedicated to the issue.
“No one wants to wake up in the morning to the news that a small town in the Pacific Northwest has been destroyed by a cyberattack on a private dam upstream,” Sen. Ron Wyden of Oregon said in his opening statement.
There are 91,827 dams of all sizes in the United States, but only 2,500 are non-federal dams with hydroelectric power under FERC's authority. Hydroelectric dams provide approximately 28% of the United States' renewable energy.
“Currently, there are no minimum standards, most dams do not have audits, and cybersecurity is inadequate. This is leading to cybersecurity problems in the Northwest,” Wyden said in his opening statement.
To make matters worse, FERC's cybersecurity requirements have not been updated since 2016. Terry Turpin, director of FERC's Office of Energy Projects, said the independent agency plans to update the requirements once it has finished auditing about 70% of the dams, in 2025.
But under pressure from Wyden, Turpin said the update was “achievable” within nine months.
Like many other critical infrastructure sectors, dams are undergoing modernization efforts. Many of them were built decades ago and lack the digital systems that would expose them to cybersecurity vulnerabilities, said Virginia Wright, cyber-informed engineering program manager at the Idaho National Laboratory.
But Wright said the situation is expected to change as systems modernize and digital technologies are introduced, which could introduce new attack vectors if not properly protected, adding that many dams have few resources available to invest in cybersecurity.
Wright recommended that Congress support vulnerability assessments of U.S. hydropower plants and develop guidance for known weaknesses in hydropower digital systems.
Wright also argued that modernization is a “great opportunity” to use cyber-informed engineering methods that incorporate protection from the worst-case scenarios of cyber-physical attacks.
“Cyber-informed engineering challenges engineers who design and operate infrastructure systems to mitigate the worst outcomes that could occur even if an adversary were to penetrate digital defenses and take control of operational technology. We are calling on them to develop engineering controls that can do this,” Wright said in her opening statement.
Concerns about dam cybersecurity are not new. A 2021 report from the Department of Homeland Security's Office of Inspector General found that the Cybersecurity and Infrastructure Security Agency needs to do more to protect this area. CISA is the dam sector's risk management agency, but the report found little coordination, tracking, control or evaluation of CISA's work overseeing dams.