As our world becomes increasingly interconnected, the hydropower sector finds itself grappling with a multitude of cybersecurity threats. (Credit: Bjørnar Kibsgaard from Pixabay)

In an era where technological advancements propel operational efficiency, the hydropower and dams industry stands at a pivotal junction, poised between innovation and vulnerability. As our world becomes increasingly interconnected, this sector finds itself grappling with a multitude of cybersecurity threats that have the potential not only to disrupt power generation but also to compromise the safety and well-being of entire communities. By merging the insights of cybersecurity experts Phil Rouse, Founder of Ground Control, and Marlene Ladendorff, Principal Cybersecurity Consultant in Industrial Automation at Schneider Electric, this publication delves into the most pressing challenges, industry best practices, and crucial lessons learned, all aimed at fortifying the defenses of this indispensable critical infrastructure.

Unraveling the cybersecurity landscape and diverse threats

At the forefront of this digital battleground loom the spectors of state-sponsored hacking and the exploits of profit-driven cybercriminals. Nation-states such as Russia, Iran, North Korea and China deploy sophisticated cyber intrusions to not only assess vulnerabilities but potentially destabilize economies and disrupt national security. Rouse paints a vivid picture of a world where hackers could manipulate intricate systems, disrupting water supply with the ability to create industrial accident type pollution, release of excessive water though malicious opening of sluice gates with the potential to cause reduction of generated power and flooding of a key industrial areas and draining of reservoirs supplying major towns and cities.

However, this digital theater isn’t limited to the grand stage of geopolitics. On a more covert front, hobby hackers are driven by profit, harnessing their technical prowess to extort organizations. Notable is the case of Colonial Pipeline, where ransomware attacks forced a payout of millions in cryptocurrency. This multifaceted threat landscape necessitates a holistic approach to cybersecurity, beginning with the convergence of operational technology (OT) and information technology (IT), a merger that promises seamless management while also laying bare the potential chinks in the digital armor. Ladendorff’s insights underscore the fact that the IT realm, often internet-facing, can inadvertently serve as a gateway for cyber adversaries to infiltrate the OT network, potentially compromising critical operations.

The armour of cybersecurity: best practices unveiled

Against this backdrop, engineers must orchestrate an intricate symphony of cybersecurity measures to ensure the security of their facilities. Ladendorff extols the value of comprehensive assessments to unveil vulnerabilities and prescribe tailored mitigation strategies. Rouse says that this crucial process encompasses:

  • Strategic Asset Identification and Risk Assessment: The journey begins with identifying the most critical assets, followed by a meticulous evaluation of potential threats. This essential foundation serves as a bedrock for prioritizing resources.
  • Fortifying Data and Physical Security: Encrypting data, enforcing stringent authentication protocols, and curbing physical access to sensitive zones form the bulwarks of cybersecurity.
  • Cultivating Cybersecurity Savvy: The human element is a pivotal yet often underestimated factor in the cybersecurity equation. Ingraining cybersecurity awareness, best practices, and the importance of reporting into the organizational culture is essential.
  • Choreographing Incident Response: Preparing for the worst is a hallmark of resilience. Robust incident response strategies, encompassing containment, recovery, and thorough investigations, lay the groundwork for swift action in the face of a cyber onslaught.
  • Evolving Vigilance: The ever-evolving nature of cyber threats necessitates a proactive stance. Consistently assessing and enhancing security measures ensures that the defense mechanisms remain agile and adaptive.

Cognizance from crisis: extracting wisdom from incidents

There are many accounts of cyber incidents that have provided invaluable lessons. For example, Sunwater, a water supplier based in Queensland, was subjected to a protracted cybersecurity breach spanning nine months a few years ago. According to the Water 2021 report, the breach transpired between August 2020 and May 2021, involving unauthorized entry into the organization’s web server housing customer data. The report revealed that “threat actors” exploited a dated and more susceptible version of the system.

While the breach’s repercussions were notable, the hackers primarily deposited dubious files on a webserver to reroute visitor traffic to an online video platform. Fortunately, no financial or customer information was compromised. The report underscored the necessity for swift actions to address and rectify the ongoing security vulnerabilities within the information systems.

Key takeaways from the incident included recommendations to enhance security measures. These encompassed the imperative to update software, fortify passwords, and rigorously monitor both incoming and outgoing network traffic.

Similarly, Norsk Hydro’s tussle with LockerGoga ransomware showcased the power of resilience. A cyber intrusion stemmed from an employee unknowingly triggering an infected email three months prior, leading to a subsequent assault orchestrated by the LockerGoga ransomware group. This malicious software infiltrated Norsk Hydro’s computer systems, compelling the company to halt operations in numerous production facilities.

The aftermath of this ransomware attack reverberated widely, affecting 35,000 employees dispersed across 40 nations and inflicting financial losses approximating $71 million.

In response, Norsk Hydro garnered acclaim for its adept management of the crisis. Instead of succumbing to the ransom demand, the company chose to collaborate with Microsoft’s cybersecurity experts to facilitate the restoration of operations. Additionally, Norsk Hydro demonstrated a commitment to transparency by openly communicating the evolving situation.

Torstein Gimnes, the corporate information security officer at Norsk Hydro, emphasized the futility of paying ransoms as a solution, underlining the necessity of rebuilding compromised infrastructure to ensure its integrity. Noteworthy steps taken in the wake of the incident included an immediate shutdown of IT networks and servers to curtail further propagation, and engaging Microsoft’s cybersecurity team to leverage reliable backups for data restoration.

Moving forward, Norsk Hydro’s strategic focus encompassed bolstering security measures through comprehensive employee training, implementation of multi-factor authentication, regular updates, and the implementation of robust backup solutions.

Pioneering secure horizons

To safeguard the security of control systems, SCADA (Supervisory Control and Data Acquisition), and other vital components within hydropower and dam facilities, Marlene Ladendorff says engineers can employ a multi-faceted approach that combines physical and cybersecurity measures for optimal protection. The fusion of these controls offers a robust defense strategy. Physical security controls, including perimeter fortifications such as fences, CCTV surveillance, and locks, alongside access controls encompassing key-based, electronic, or biometric methods, contribute to safeguarding the facility. Cybersecurity measures, on the other hand, involve intricate network architecture designs, meticulous logical access control encompassing computer logins and passwords, and the establishment of comprehensive policies and procedures. By identifying the critical components within the facility, management can apply tailored controls to enhance the safety and security of these elements.

Phil Rouse points out that several key strategies can be implemented to ensure the integrity of hydropower and dam facilities:

  • Network Security: A dedicated system like TSAT, purposefully designed for SCADA applications, can provide unparalleled security. Leveraging a private satellite network, TSAT establishes a direct communication channel between the central process control center and remote locations. This method stands as one of the most secure ways to transmit vital mission-critical data.
  • Operating System and Software Security: Keeping operating systems and software up to date is essential, as these updates often include critical security patches that shield against vulnerabilities.
  • Continuous Network Monitoring: The practice of continuous network monitoring allows for swift detection of anomalies and unusual activities, enabling proactive responses to potential threats.
  • Redundancy and Backup: Implementing redundancy mitigates the risk of single points of failure, thereby enhancing system reliability and ensuring uninterrupted connectivity, even in the face of network disruptions. Notably, a resilient satellite solution has proven remarkably reliable for a prominent client over 27 years, serving as their third-tier failover connectivity option.
  • User Training: Recognizing that cyber attacks frequently exploit human error, integrating cybersecurity into policies and procedures is paramount. Regular training initiatives should be provided to staff, equipping them with knowledge about various risks and best practices to thwart potential threats.

“OT specific cybersecurity training is crucial to any critical infrastructure organization,” explains Ladendorff. “There are significant differences between IT and OT cybersecurity.  A common understanding in cybersecurity practices is the fact that an organization is only as strong as its weakest link, and the weakest link in cybersecurity is people.  OT cybersecurity training and awareness can strengthen personnel’s understanding of cyber threats and how to protect against them.”

Keeping up to date

Staying abreast of the latest cybersecurity threats and best practices is essential for the industry’s vigilance. The Cybersecurity & Infrastructure Security Agency (CISA) serves as a valuable resource, disseminating threat information via advisories and alerts available at (https://www.cisa.gov/topics/cyber-threats-and-advisories). CISA is an authoritative source for up-to-date insights into ongoing cyber activities, including the identification of vulnerabilities in equipment and software. Engaging in cyber security conferences and webinars offers another avenue for industry professionals to stay informed. Additionally, keeping a close watch on updates from vendors and suppliers is crucial, as they frequently provide information about vulnerabilities, patches, and security enhancements for their products. Monitoring blogs and pertinent publications is also recommended to remain in the loop. Rouse points out that perhaps the most invaluable recommendation lies in actively participating in knowledge-sharing initiatives with peers within the industry, recognizing that the exchange of insights is immeasurable in its contribution to overall cyber resilience.

Additional challenges

Engineers must be acutely attuned to additional cybersecurity challenges arising in the modern landscape, particularly with the increasing integration of Industrial Internet of Things (IIoT) into critical infrastructure like hydropower facilities. These IIoT devices often wield wireless connectivity with equipment and processes, necessitating the implementation of dedicated operational technology (OT) cybersecurity controls to fortify their security and ensure the safety of operations.

Several pertinent challenges demand vigilant attention:

  • Expanding Attack Surfaces: The proliferation of interconnected devices amplifies the potential target landscape for malicious actors. Each device integrated into the network stands as a potential avenue for cyberattacks.
  • Device Security: The vast quantity of IoT devices, often stationed in remote locales, introduces complexities in maintaining up-to-date firmware and software. Such challenges can expose devices to vulnerabilities, leaving them susceptible to theft and physical tampering.
  • Communication Security: IoT devices predominantly engage in wireless communication, often utilizing disparate protocols. Establishing robust communication security becomes imperative to safeguard the integrity of data transmissions between devices and central control systems.
  • Data Integrity and Privacy: Ensuring the integrity and privacy of data harvested by IoT devices is paramount. Compromised or falsified data could engender flawed decision-making processes.
  • IoT Network Visibility: Achieving and sustaining a comprehensive 360-degree view of the network, depending on its complexity, can prove challenging. This lack of visibility can hinder the prompt detection and response to potential cyber assaults.
  • Lack of Standardization: Diverse manufacturers adhere to varying levels of security protocols for their IoT devices, resulting in a lack of uniformity. This absence of standardization poses hurdles in the consistent implementation of security practices across the entirety of these devices.

Mitigating these challenges demands an astute grasp of the intricate interplay between IIoT integration and cybersecurity, enabling engineers to enact measures that bolster the resilience and safety of critical infrastructure operations.

This article first appeared in International Water Power magazine.