Dam cyber: Interior IG closes out audit of hydroelectric control systems

The Hoover Dam, operated by the U.S. Bureau of Reclamation. (Photo credit: Matel Hudovernik/Shutterstock.com)

The inspector general for the Department of the Interior has closed out an investigation into cybersecurity concerns surrounding hydroelectric dams.

In a partially redacted memo dated July 12, Jefferson Gilkeson, director of information technology audits for Interior OIG, informed the commissioner of the U.S. Bureau of Reclamation (USBR) that auditors have completed the second and final part of their report evaluating potential cybersecurity weaknesses associated with five hydroelectric dams managed and operated by the bureau.

The first part of that report, issued in June, found mixed results. Only two of the dams operated by USBR relied on industrial control systems that could, if penetrated, give an attacker remote control over generators, gates and outlet valves. Auditors found that those systems were not connected to the internet or other USBR systems and, in general, were at low risk for compromise.

However, they also found that officials failed to limit administrator access to those systems, didn't comply with best practices for password policies and did not institute more rigorous background checks for personnel with elevated privileges. Ultimately, OIG made five recommendations: implement "least privilege" policies around administrator access, eliminate group accounts that allow broad access to such systems, ensure user accounts are removed when no longer needed, implement better controls and beef up background checks for employees with the highest access.

In a partially redacted response, USBR Commissioner Brenda Burman pushed back, saying the bureau did not concur with three of the recommendations and partially concurred with the other two and that the bureau's security procedures followed guidance from the National Institute of Standards and Technology and the Office of Personnel Management.

According to the newly released memo, the second part of the report examined another industrial control system that provides "monitoring, alarming, and process control to ensure the safe and reliable operations of the water and power facilities."

The memo indicated that auditors were satisfied that there were not any additional security vulnerabilities associated with the system, noting that a review of network traffic and key computers failed to turn up any evidence of anomalies or indicators of compromise.