Microsoft report signals ‘great concern’ for dam cybersecurity, top FERC official says

The Bonneville Dam is one of several on the Columbia River's main branch on the Oregon-Washington border. mikvivi/Getty Images

The company’s products are heavily used in the dam sector, the official said.

A DHS oversight report that faulted Microsoft for a slew of failures enabling a Chinese cyberespionage campaign last year presents a “great concern” for the dam sector, which relies heavily on Microsoft products, a top Federal Energy Regulatory Commission director told a Senate panel Wednesday.

FERC is poring over the report’s findings and will be using it to inform changes to forthcoming dam cybersecurity guidance, which can be reasonably completed within nine months, said Terry Turpin, who heads FERC’s office of energy projects, in testimony before a Senate subcommittee.

FERC licenses some 2,500 dams across the U.S., and the dams used for over half of the country’s non-federal power generation have not been given a cybersecurity audit, Ron Wyden, D-Ore., chairman of the Energy and Natural Resources subcommittee, said in opening remarks. He added that the agency has just four staff overseeing dam cyber posture.

Microsoft products are widely used in the dam sector, Turpin confirmed to Wyden, though they did not discuss specific applications. The company has come under fire following last year’s incident in which Chinese hackers accessed the Microsoft email accounts of high-ranking U.S. officials, with critics accusing the software giant of selling insecure products managed under poor cybersecurity culture. The company, which has secured billions of dollars in federal contracts, has previously showcased management tools that can help estimate water usage volumes.

The agency has not updated its cyber requirements for commercial dam operators since 2016. It is still auditing dam systems for vulnerabilities and expects to wrap 70% of those by the end of next year, added Turpin. The auditing process aims to help operators carve out cybersecurity measures that can prevent hackers from burrowing into dam systems and redirecting or shuttering water flow controls.

National security officials have gone public about the need to thwart Chinese hackers trying to break into critical U.S. infrastructure. Officials are concerned that such infiltration could be used to disable U.S. energy supply chains and other critical services in the event of a conflict with China.

The Environmental Protection Agency and National Security Council last month urged states to stay alert for cyber threats targeting water sector infrastructure. The Treasury Department sanctioned Iranian cyber operatives in early February for supporting a Tehran-backed hacking group’s penetration into several states’ programmable logic controllers used for water treatment late last year, prompting mitigation advisories from officials.