Protecting US Dams From Cyberattacks

The U.S. Department of Interior’s Bureau of Reclamation earlier this month awarded a $45 million, five-year indefinite-delivery, indefinite-quantity contract for IT risk management services to two private companies. The two companies, Booz Allen Hamilton Holding Corp. (NYSE: BAH) and Spry Methods will provide technical and professional services to support the threat monitoring systems for more than 600 dams scattered across 17 western states and managed by the bureau.

The threat to the nation’s dam is both real and one that needs immediate attention. Real because an attack has already been successful against a dam near Rye Brook, New York, and immediate because it could happen again at any time threatening significant loss of life and property.

In 2016, an Iran-based group of hackers succeeded in gaining control of the Bowman Avenue Dam’s sluice gate, the device the controls water flow out of the dam. Fortunately, the attackers went after the wrong Bowman Dam.

The Bowman Dam in New York is out of service. Chances are the attackers meant to gain access to the control systems at the much larger Arthur Bowman Dam in Oregon.

Neither of the Bowman Dams generates electricity, but the inferred threat against hydroelectric dams and the U.S. electricity grid did manage to get people’s attention, at least to some degree. The recent $45 million contract spread over 600 dams for a period of five years amounts to average spending of $15,000 per year per dam.

Marty Edwards, the former director of the Department of Homeland Security’s Industrial Control Systems/Computer Emergency Response Teams (ICS/CERT) told

That is certainly a good start but ultimately cybersecurity is about hiring people. I would like to see either permanent civil servants or a standing program put in place to use contractors every year. Most likely the best approach is a combination of the two.

One might argue that the nation’s leaders haven’t gotten the message yet. Last month President Trump decided not to name a White House Cybersecurity Advisor to replace Rob Joyce who resigned in April. The task was given to new national security advisor John Bolton and the staff at the National Security Council (NSC).

The recent agreement between North Korea and the U.S. is all about nukes and does not mention cyberwarfare at all. That may have been necessary to get to any kind of agreement at all, but how well-prepared is the United States to counter a cyberattack by the North Koreans.

There is ample evidence that North Korea (the Democratic Peoples Republic of Korea or DPRK) uses cyberattacks to steal funds for the Kim regime. That is not the worst news. According to Crowdstrike’s annual threat report:

Given the geopolitical tension surrounding the North Korean nuclear program, DPRK-based adversaries are likely to continue malicious cyber activity against entities in South Korea, Japan and the U.S. Network access obtained via remote access tools … may be used to deploy wiper malware.

Given the gravity of a possible compromise to the U.S. energy sector, Falcon Intelligence has assessed that this specific targeting may represent DPRK posturing via cyber operations that could deliver destructive effects against the U.S. critical infrastructure, should a military conflict occur.

No cybersecurity coordinator and just $45 million over five years  is not an effective response to threats posed by government-sponsored attackers from two countries that are at odds with the United States and have a track record of cyberattacks.