Accountability unclear as cybersecurity for federal dams falls short

As geopolitical fallout from the Russian invasion of Ukraine creates new potential risk, cybersecurity officials within the federal government have publicly fretted about the vulnerability of U.S. critical infrastructure to retaliatory cyberattacks from Moscow or ransomware groups. Findings from a recent audit of cybersecurity controls for a dam control system underscore why they’re concerned.

A report from the Tennessee Valley Authority Inspector General concluded that the agency’s non-power dam control system found numerous security shortfalls and a lack of clarity who in the agency had ultimate ownership over securing access to the system.

Perhaps most concerningly, TVA officials told auditors there was no clear owner of the non-power dam control system, with two separate teams intimately involved in its design, maintenance and operation. However, neither was designated to be accountable for failures in cybersecurity planning, something that auditors said was corrected by TVA prior to the release of the report.

"Without clear ownership, the maintenance and operation of cybersecurity controls may not occur, increasing cybersecurity risks related to the control system,” wrote David P. Wheeler, assistant inspector general for TVA.

The audit, which took place between December 2021 and April 2022, identified numerous deficiencies in the way TVA officials secured their control system. Non-power dams under the TVA are run through a control system operated off-site and are used to adjust water flows.

Most of the technical details and recommendations for mitigation were omitted from the report to avoid tipping off attackers, but it does reveal some basic shortfalls that left the system exposed. The agency ran older versions of operating and control system software for the non-power dam control that were vulnerable to exploits, had “inappropriate” physical and logical access barriers, and operated in an environment where it was unclear who was responsible for cybersecurity.

“We found operation system and control system software vulnerabilities that could be used to gain inappropriate access to the non-power dam control system, allowing for adjustments to water flows that could potentially have a negative impact on river management,” auditors wrote.

Hacker accessed water treatment plant control systems

Last year, a malicious hacker was able to gain access to the control systems for a water treatment plant in Oldsmar, Florida, manipulating the system to increase the amount of lye, something that could have tainted the local water supply. While both relate to water control systems, auditors say the potential stakes for a compromise were not nearly as high in this case.

In discussions with TVA officials, they determined that “risks related to river management [from exploitation] would be low based on their location, size, and existing physical controls that limit water flow adjustments.”

Even still, an incident where an unauthorized party gained access still “poses a high reputational risk for TVA.”

While the inability to patch or update systems in a timely manner leaves assets exposed to potential cyberattacks, experts in industrial control system cybersecurity say many critical infrastructure entities don't always have the same freedom or luxury to temporarily shut down operations to update a system the way some private businesses do. Doing so might disrupt otherwise essential services like water or power, or introduce new software code that can wreak havoc on interoperability with other systems.

Mike Hamilton, chief information security officer for managed detection and response contractor Critical Insight and a former vice chair of the DHS State, Local, Tribal and Territorial Coordinating Council, told SC Media in April that when it comes to managing industrial control systems and operational technology, keeping things up and running usually takes precedence over security.

Many organizations still “do not care about security, do not care about privacy, do not care about anything other than availability.”

“Once you get something to work, do not touch it,” Hamilton told SC Media. “And that [mentality] just makes the legacy technology problem proliferate.”