Amid Concerns Over Infrastructure Safety, Congress Questions Dam Cybersecurity

The hearing comes on the heels of President Biden’s executive order on waterway cybersecurity.

Samara Lynn
clock • 3 min read
Amid Concerns Over Infrastructure Safety, Congress Questions Dam Cybersecurity

A congressional hearing on Wednesday raised concerns about the cybersecurity risks of U.S. dams.

U.S. Sen. Ron Wyden of Oregon led the hearing and mentioned the lack of cybersecurity auditing of dams.

"Today the subcommittee is being told by the Federal Energy Regulatory Commission (FERC), which licenses 2,500 dams that the responsible dams for well over half the nonfederal power generation have not received a cybersecurity audit," he said.

Wyden also said that FERC had no plans in place to audit these dams and that FERC said that "they don't the ability to review the remaining dams within the next decade" because there are just four cybersecurity experts to oversee the dams.

During the hearing, it was revealed that "there are hydropower projects in nearly every state and on most major river systems of the U.S. with more than 100 GW (gigawatts) of electric generation capacity installed. Of this capacity, approximately 43 GW is supplied by facilities owned and operated by federal entities," according to Terri Taupin, director of the Office of Energy Projects, FERC.

MES Computing asked FERC for a response to Wyden's accusations and was directed to review Taupin's comments at the hearing, at which he and other industry experts were present. You can read his remarks here

According to Taupin, FERC's responsibilities include "ensuring dam owners and operators understand the cybersecurity needed to protect their control system" and to make sure they are aware of "potential threats and vulnerabilities."

In addition, FERC "developed cybersecurity measures drawn from a risk-based, descriptive model approach," Taupin said. These measures include allowing dam operators and owners to implement "defense-in-depth strategy based on the unique risks and constraints they faced. This approach also allows the Commission's required measures to adapt to changes in the cybersecurity vulnerability and threat landscape."

These measures, Taupin said, were built on standards issued by the National Institute of Standards and Technology.

And by the end of the year, there will be 271 visible security inspections and completed cybersecurity audits of "non-federal hydropower capacity," he said. Furthermore, by 2025, FERC will have completed audits covering "70 percent of that installed generation capacity."

Sen. Wyden also voiced concerns about Microsoft software used by dam owners and operators. He pointed to the Department of Homeland Security review board's report that several senior government officials' emails were stolen from Microsoft servers.

Wyden asked Taupin if Microsoft software was widely used throughout dam infrastructure, something that Taupin confirmed. Wyden then asked how to ensure the software is safe to use based on DHS' findings.

Taupin said that the report is of "great concern" and that FERC was "going through it."

Microsoft addressed the comments in a statement to MES Computing: "We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries."

The hearing comes on the heels of recent concerns about the cybersecurity safety of the nation's infrastructure. President Joe Biden signed an executive order in February outlining a strategy to protect the nation's ports, waterfronts and vessels from cyberattacks.

Recently, FBI director Christopher Wray testified before a congressional committee that the Chinese government is targeting U.S. infrastructure, Reuters reported.





You may also like
Leaked Documents Provide Glimpse Into Google's Search Secrets


'Over a decade we've been lied to,' says source

clock 05-29-2024 • 4 min read
Google Eyes HubSpot Acquisition To Challenge Microsoft

Cloud Computing

Microsoft's Dynamics products dominate the modern CRM sector

clock 05-28-2024 • 3 min read
5 AI Policy Templates You Can Use As A Framework

Artificial Intelligence

AI is something that many businesses are still working through. There are guidance and tools to help to create a framework for any business.

clock 05-24-2024 • 2 min read

More on Security

How Semperis Is Helping Detect 'Low And Slow' Cyberattacks And Why It's Targeting The Midmarket

How Semperis Is Helping Detect 'Low And Slow' Cyberattacks And Why It's Targeting The Midmarket

Semperis' VP of products, Darren Mar-Elia, breaks down how ML helps with identity-based security and why the new offering is a fit for midmarket organizations' cyber resilience strategies

Samara Lynn
clock 05-23-2024 • 7 min read
Microsoft Build 2024: CEO Nadella Declares 'A Golden Age Of Systems'

Microsoft Build 2024: CEO Nadella Declares 'A Golden Age Of Systems'

'I still remember distinctly the first time Win32 was discussed … .Net, Azure. These are moments that I’ve marked my life with. And it just feels like we’re, yet again, at a moment like that,' Microsoft CEO Satya Nadella said in his keynote at Build 2024....

Wade Tyler Millward
clock 05-22-2024 • 9 min read
Strata Announces 'Always-On' Identity Continuity

Strata Announces 'Always-On' Identity Continuity

Identity access and management continues to evolve

Samara Lynn
clock 05-21-2024 • 2 min read