Amid Concerns Over Infrastructure Safety, Congress Questions Dam Cybersecurity

The hearing comes on the heels of President Biden’s executive order on waterway cybersecurity.

Samara Lynn

A congressional hearing on Wednesday raised concerns about the cybersecurity risks of U.S. dams.

U.S. Sen. Ron Wyden of Oregon led the hearing and mentioned the lack of cybersecurity auditing of dams.

"Today the subcommittee is being told by the Federal Energy Regulatory Commission (FERC), which licenses 2,500 dams, that the responsible dams for well over half the nonfederal power generation have not received a cybersecurity audit," he said.

Wyden also said that FERC had no plans in place to audit these dams and that FERC said that "they don't have the ability to review the remaining dams within the next decade" because there are just four cybersecurity experts to oversee the dams.

During the hearing, it was revealed that "there are hydropower projects in nearly every state and on most major river systems of the U.S. with more than 100 GW (gigawatts) of electric generation capacity installed. Of this capacity, approximately 43 GW is supplied by facilities owned and operated by federal entities," according to Terri Taupin, director of the Office of Energy Projects, FERC.

MES Computing asked FERC for a response to Wyden's accusations and was directed to review Taupin's comments at the hearing, at which he and other industry experts were present. You can read his remarks here.

According to Taupin, FERC's responsibilities include "ensuring dam owners and operators understand the cybersecurity needed to protect their control system" and to make sure they are aware of "potential threats and vulnerabilities."

In addition, FERC "developed cybersecurity measures drawn from a risk-based, descriptive model approach," Taupin said. These measures include allowing dam operators and owners to implement "defense-in-depth strategy based on the unique risks and constraints they faced. This approach also allows the Commission's required measures to adapt to changes in the cybersecurity vulnerability and threat landscape."

These measures, Taupin said, were built on standards issued by the National Institute of Standards and Technology.

And by the end of the year, there will be 271 visible security inspections and completed cybersecurity audits of "non-federal hydropower capacity," he said. Furthermore, by 2025, FERC will have completed audits covering "70 percent of that installed generation capacity."

Sen. Wyden also voiced concerns about Microsoft software used by dam owners and operators. He pointed to the Department of Homeland Security review board's report that several senior government officials' emails were stolen from Microsoft servers.

Wyden asked Taupin if Microsoft software was widely used throughout dam infrastructure, something that Taupin confirmed. Wyden then asked how to ensure the software is safe to use based on DHS' findings.

Taupin said that the report is of "great concern" and that FERC was "going through it."

Microsoft addressed the comments in a statement to MES Computing: "We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries."

The hearing comes on the heels of recent concerns about the cybersecurity safety of the nation's infrastructure. President Joe Biden signed an executive order in February outlining a strategy to protect the nation's ports, waterfronts and vessels from cyberattacks.

Recently, FBI director Christopher Wray testified before a congressional committee that the Chinese government is targeting U.S. infrastructure, Reuters reported.