The U.S. Bureau of Reclamation, a part of the Interior Department, operates more than 600 of the roughly 100,000 dams in the United States, five of which are considered part of the national critical infrastructure. This means that the incapacitation or destruction of any one of the Glen Canyon Dam in Arizona, the Shasta or Folsom Dams in California, the Hoover Dam in Nevada, or the Grand Coulee Dam in Washington State would, in the Department of Homeland Security’s words, “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The Interior Department’s Inspector General released a report (pdf) this week stating that two of the dams’ industrial control systems, while seemingly secure against remote attack, operate “at high risk from insider threats.” The report, which does not identify the two dams in question due to security concerns, lists a number of rudimentary cybersecurity practices that were not being followed. These included limiting system administrator access to the control systems and conducting rigorous background checks on individuals granted system privileges.
Dams have been a national security concern (pdf) for years. The importance of the cybersecurity aspect was highlighted in 2016 when the Justice Department indicted seven Iranians not only for conducting cyberattacks against American banks, but also for trying to compromise the small Bowman Dam north of New York City in 2013. A successful cyberattack on a major dam like the Hoover Dam could be devastating to tens of millions of people.
The Inspector General report states that the two dams in question use industrial control computer systems to remotely control operations including generators, gates, and outlet valves. An examination of the control systems showed that there was no malware or other indicators of compromise detected. Furthermore, the IG’s inspectors found that the industrial control systems being used at the dams were being proactively assessed and protected in depth from cyber-intrusions, and were isolated from other general IT support systems and the Internet. Security measures also included restrictions on both inbound and outbound connections as well as implementing controls to prevent malware infections from thumb drives and other media.
However, while the technology-supported security practices appeared to be sound, the inspectors seemed troubled to find that the personnel security practices were nearly the opposite. They found “significant control weaknesses” in account management and personnel security practices which left the two dams open to compromise from insider attacks.
The inspectors discovered the number of industrial control system users with administrator access was not limited. For instance, while 13 employees in the dams’ operation centers had system administrator access, only five had administrator-related duties as defined in their position descriptions. This finding violated Interior Department cybersecurity policy directives, the report stated.
The inspectors also found that nine of the 30 administrator accounts had not been used for more than a year, that 10 of the 30 had kept the same passwords for at least a year, and that seven of the 18 administrator group accounts had likewise gone unused for at least a year.
The IG report made five straightforward recommendations to strengthen the account management and personnel security practices, such as limiting the number of individuals with administrator and other privileged accounts, removing user accounts when they are not needed, requiring passwords to be changed regularly, and so forth. Surprisingly, the Bureau of Reclamation contested each of the IG inspectors’ findings.
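As an added example (not from the IG report or the Bureau’s systems), the following Python audit flags the three account weaknesses the report describes: administrator rights not backed by administrator duties, administrator accounts dormant for over a year, and administrator passwords unchanged for over a year. The account records, field names and the one-year threshold are constructed for illustration.

```python
"""Privileged-account hygiene audit over a constructed ICS account directory."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed threshold matching the report's "a year"; tune to local policy.
STALE_AFTER = timedelta(days=365)


@dataclass
class Account:
    name: str
    is_admin: bool            # member of an administrator group
    admin_duties: bool        # position description includes admin duties
    last_login: Optional[date]  # None means the account has never been used
    password_set: date        # date the current password was set


def audit(accounts, today):
    """Return account names per finding category for all administrator accounts."""
    findings = {"unjustified_admin": [], "dormant_admin": [], "stale_password": []}
    for a in accounts:
        if not a.is_admin:
            continue  # ordinary operator accounts are out of scope here
        if not a.admin_duties:
            findings["unjustified_admin"].append(a.name)
        if a.last_login is None or today - a.last_login > STALE_AFTER:
            findings["dormant_admin"].append(a.name)
        if today - a.password_set > STALE_AFTER:
            findings["stale_password"].append(a.name)
    return findings


# Constructed sample records; names and dates are illustrative only.
SAMPLE_ACCOUNTS = [
    Account("ops_admin_1", True, True, date(2017, 12, 20), date(2017, 11, 1)),
    Account("ops_admin_2", True, False, date(2017, 12, 30), date(2016, 10, 1)),
    Account("shift_lead", True, False, date(2016, 6, 1), date(2016, 6, 1)),
    Account("vendor_svc", True, True, None, date(2017, 5, 5)),
    Account("operator_7", False, False, date(2018, 1, 10), date(2017, 12, 1)),
]
AUDIT_DATE = date(2018, 1, 15)  # constructed "today" for the sample run


def audit_sample():
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for category, names in audit_sample().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```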
One can read through the disagreements in the IG report (pdf) itself, which is redacted in places, but the sense I get is that the Bureau of Reclamation executives don’t think they have an insider threat risk, and that taking more rigorous steps to mitigate it will negatively affect the operations of its dams.
For instance, while the IG recommends limiting privileged system access to a set number of employees, the Bureau claims that it can’t reduce the number since it needs to operate 24/7. The IG rebutted this by pointing out that the hydroelectric dams operated by the TVA and the U.S. Army Corps of Engineers had no trouble limiting privileged system accounts to a very small number of people.
The IG, to say the least, is not happy with the Bureau’s obstinacy in rejecting its recommendations, and considers the security issues raised in the report “unresolved.” The IG has referred the dispute to the Assistant Secretary for Policy, Management, and Budget for resolution.
Perhaps coincidentally, the Interior Department this week awarded a five-year, US $45 million contract to two companies, Booz Allen Hamilton and Spry Methods, to provide cybersecurity protection for the 600 dams the Bureau of Reclamation operates across 17 western states.
It will be interesting to see whether they will have more influence than the IG in getting the Bureau to take insider threat risks more seriously.