Cyber security

Above: Hydro Quebec was targeted by cyber criminals in April 2023. Editorial credit: T. Schneider / Shutterstock.com
for dams, I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver,” he said, which probably explains why he chaired an Energy and Natural Resources subcommittee meeting on 10 April 2024 to discuss cybersecurity threats facing hydropower dams in the US.

At the hearing Wyden claimed that countries like China and Russia “present a significant national security concern, as they have the ability to shut down core functions of society, and even cause death, by hacking critical infrastructure”. He was also appalled to hear that the dams responsible for well over half of non-federal US power generation haven’t received a cybersecurity audit from the Federal Energy Regulatory Commission.

“Currently there’s no plan to complete these missing audits anytime soon,” Wyden said. “FERC has told my staff that it does not have the ability to review the remaining dams within the next decade…and has just four cybersecurity experts to oversee 2500 dams. Today there are no minimum standards, no audits of a majority of dams, and bad cyber security. This is inviting cybersecurity trouble.”

Wyden went on to add that FERC cybersecurity rules only apply to dams that are remotely managed over the internet. This practice enables companies to save money by not requiring an operator on site, but those cost savings for the dam operator lead to significantly greater cyber risks. In addition, FERC’s cybersecurity rules haven’t been updated since 2016 and, Wyden claims, they aren’t specific enough and are mostly about paperwork and box checking.

“FERC doesn’t have the resources it needs to be an effective regulator of cybersecurity at private sector run dams. That’s a problem Congress needs to address now,” he urged, adding that one of the main problems is that the US doesn’t have a coordinated plan to deal with cybersecurity as it is regulated in different ways, or not at all, across each part of society.

As Terry Turpin, Director of the Office of Energy Projects at FERC, explained, multiple entities do hold cybersecurity oversight responsibility for different components within a hydropower facility. For example, the North American Electric Reliability Corporation is responsible for setting and enforcing cybersecurity standards related to generating equipment and controls that support the Bulk Electric System. Alternatively, cybersecurity standards for the control systems related to the safe storage and conveyance of water at hydropower facilities typically fall under the purview of government agencies. For federal hydropower facilities (i.e. outside of FERC’s jurisdiction), the US Army Corps of Engineers, Bureau of Reclamation and Tennessee Valley Authority establish and implement cybersecurity standards for the facilities they own and operate, and the commission has no authority regarding them.
64 | May 2024 |
www.waterpowermagazine.com
Recommendations

To address some of the most-critical needs for assessing cyberthreats and vulnerabilities of critical water infrastructure in the US energy sector, Virginia Wright said that Idaho National Laboratory has recommendations expressed in terms of when actions should be taken. These include:
Now:
Use capabilities like the Department of Energy’s Cyber-Informed Engineering to add engineering protection from the impact of cyberattacks on existing infrastructure within the hydropower fleet and in the designs for future hydropower infrastructure.
Support vulnerability assessments on commonly used technology within the hydroelectric fleet and develop forensic quick start guides to speed the acquisition of attack indicators when adversary activity is suspected.
Develop hardening guidance to address well-known weaknesses in remote-communication infrastructure and default passwords in OT systems.
Increase the pace and the financial support for threat hunting across the hydropower fleet and across all critical infrastructure.
Ensure that all industry operators have a cybersecurity incident-response plan that addresses both IT and OT and that they exercise that plan at least annually, informed by threat scenarios provided by the Sector Risk Management Agencies.

Soon:
Increase support for hydropower operators to gain visibility into traffic on their OT networks and the expertise to differentiate expected operations from adversary action.
Work with states to explore the ability to use National Guard resources when concerns about imminent threat activity are heightened.
Instantiate a hydropower-focused Operational Technology Fellowship programme through the Department of Energy’s Waterpower Technologies Office, where participants would learn cybersecurity strategies and tactics that are used when targeting US hydroelectric infrastructure and how the government is countering these activities.
Explore federally funded apprenticeships, focused on operational-technology threat-hunting and incident response, to support smaller hydroelectric entities.

Someday:
Explore programmes to incentivise cybersecurity practitioners to consider careers defending rural dam locations.
Explore the overlapping cybersecurity responsibilities between different departments and agencies to eliminate redundancy and ensure that guidance is effectively targeted to the needs of the hydropower industry.
“We must ensure that all of our critical-infrastructure operators have the tools and expertise needed to prevent catastrophic impacts from cyberattack,” Wright commented, saying that vulnerabilities need to be removed and protection added.