December 25, 2024
Senate Energy Subcommittee Examines Cybersecurity Shortfalls at Dams
From left: FERC Office of Energy Projects Director Terry Turpin, Idaho National Laboratory Program Manager Virginia Wright and Edison Electric Institute Senior Vice President Scott Aaronson
From left: FERC Office of Energy Projects Director Terry Turpin, Idaho National Laboratory Program Manager Virginia Wright and Edison Electric Institute Senior Vice President Scott Aaronson | Senate ENR Committee
|
Most of the U.S.’ dams lack adequate cybersecurity protections, and FERC’s resources are too limited to develop them, senators heard in committee.

Most dams in the U.S. lack adequate cybersecurity protections, and FERC’s resources are too limited to develop them, senators heard in acommittee meeting April 10. 

Sen. Ron Wyden (D-Ore.), chair of the Senate Energy and Natural Resources Committee’s Water and Power Subcommittee, laid out the facts that FERC told his staff. 

“Today, the subcommittee is being told by the Federal Energy Regulatory Commission, which licenses 2,500 dams, that the dams responsible for well over half of the nonfederal power generation have not received a cybersecurity audit,” Wyden said. “And currently, there is no plan to complete these missing audits anytime soon.” 

The commission lacks the ability to complete those audits over the next decade because it has only four cybersecurity experts to oversee those thousands of dams, he added. Its rules have not been updated since 2016, and they are largely focused on “checking boxes,” Wyden said.

“FERC doesn’t have the resources it needs to be an effective regulator,” Wyden said. “This is a problem for the Congress to address. Now it’s time for Congress to step up. The seriousness of cyber threats to critical infrastructure has been clear for years.” 

Ideally, Congress would pass cybersecurity legislation universally covering the issue, but that is not within the ENR Committee’s purview, Wyden said. But it can address the shortfalls FERC has regarding hydroelectric dams. 

Hydropower dams are in nearly every state and on every major river system nationwide, with 100 GW overall and 57 GW owned by nonfederal parties including utilities, private companies, tribes and state governments, said Terry Turpin, director of FERC’s Office of Energy Projects. They are covered by NERC cybersecurity standards in effect since the end of 2018, and FERC staff audits dams when possible. 

“By the end of fiscal year 2024, staff of the security branch will have performed 271 physical security inspections and completed cybersecurity audits covering the owner-operators responsible for 37% of the installed nonfederal hydropower capacity,” Turpin said. “By the end of fiscal year ’25, we will have completed audits covering 70% of that installed generation capacity.” 

Fewer than 400 of the nation’s thousands of dams provide 90% of the country’s hydropower, but 87% of the fleet is over 30 years old with equipment that has exceeded its expected service life, said Virginia Wright, manager of Idaho National Laboratory’s Cyber-informed Engineering program. 

“Many of the remaining small- and medium-sized facilities are operated by entities with few resources to invest in vulnerability analysis and threat detection,” Wright said. “But they all face the same threat landscape.” 

Congress has allocated $753 million to improve existing hydroelectric facilities, but that means greater use of digital automation, which only will increase the digital risks the sector faces, she added. 

Wright agreed the federal government needs to step up its efforts but said that is not enough. Organizations also need to adopt cyber-informed engineering (CIE). 

“Cyber-informed engineering can be used to engineer out adversary opportunities and engineer in protections from sabotage in both existing and newly upgraded infrastructure,” Wright said. “While the federal government can provide financial resources and the expertise of the National Laboratories with their ready stockpile of capabilities, defending against ‘everything, everywhere, all at once’ will require everyone — both federal and nonfederal — to join forces.” 

CIE is a good concept that overlays with the Edison Electric Institute’s resilience goals, said Scott Aaronson, the organization’s senior vice president of security and preparedness. 

“There’s two ways you deter an adversary. The first is that the attack doesn’t have the intended impact,” Aaronson said. “So, an adversary attacks using cyber means, and we still maintain operations. The other way that you deter is that an attack has a consequence, which is the purview of our armed forces and intelligence community.” 

While the utility industry does not have any direct role in the latter deterrent, the military and intelligence rely on the grid like the rest of society, so ensuring the grid is resilient against cyberattacks is vital to preserving that capability, he added. 

CIP

Leave a Reply

Your email address will not be published. Required fields are marked *