A recent report from the office of the U.S. Department of the Interior’s Inspector General indicates that several hydropower dams are vulnerable to internal threats. Specifically, an evaluation was conducted of five hydropower dams operated by the U.S. Bureau of Reclamation (USBR) and categorized as “critical infrastructure.”
The USBR is the second largest hydroelectric power producer in the United States, with its plants serving over 3.5 million homes. Acknowledging their breadth of service, cyber threats directed at them could cause wide-reaching effects. In particular, threats to the industrial control system (ICS) that control physical outcomes of the dams could “adversely affect national security.”
One key finding of the Inspector General’s evaluation was that these dams are not at significant risk of threats from external hacking. The remaining threats, identified as being high-risk, are noted as coming from internal sources; in other words, the biggest cyber threats to these hydroelectric dams are their employees and former employees.
Directly at fault for these vulnerabilities are the USBR’s practices of account management and personnel security, with primary issues relating to ICS system administrator access, password security and background checks. Even when the ICS is separated from the internet at large and the organization’s business systems, these types of internal threats continue to leave the ICS at significant security risk.
System Administrator Access
One major vulnerability for the dams’ ICS systems comes from the way their administrator access is controlled and monitored. The evaluation found that most of the USBR Operations Center’s 25 employees had access to at least one other ICS account that was not defined by their position; only five of the 13 employees with system administrator access had official ICS administration-related duties.
According to principles established by the National Institute for Standards and Technology (NIST), in order to maintain the highest possible level of internal security, the principle of “least privilege” should have been implemented (meaning that only employees with official related job duties should have such access).
In addition, the USBR had authorized nearly 20 ICS group accounts, each of which had system administrator access, and none of which were being monitored continually as mandated by NIST.
This could have allowed a malicious actor with group access to alter critical system programs and logs, enable access to the ICS, and install malware.
Another major threat uncovered by the office of the Inspector General was the failure of employees to change passwords every 60 days, as mandated by department policy. This is in keeping with standard practices of the American public, many of whom are undereducated about password security and who do not prioritize learning basic best practices of cyber security.
Of the 30 ICS administrator accounts evaluated, 10 had not changed their passwords for over a year. In addition, nine of the 30 ICS administrator accounts and seven of the 18 group accounts had not been used for at least a year. Failure to remove unused accounts can be an easy access point for breaches.
Part of the reason for the lack of consistent password changes was the use of many group accounts; coordinating among all users with access to the shared accounts proves challenging and accordingly is often neglected. To compound this problem, when employees left the organization, the passwords to their accounts, including those group accounts, were not changed, exposing additional vulnerabilities.
Another primary cause of risk to the ICS was the lack of sufficient background testing and personnel security practices. Of the 13 USBR employees with system administrator access, just 11 had completed a Tier 2 background investigation despite the fact that the USBR’s personnel security manual mandates that all employees with such access must complete at least that level.
In addition, once hired, users granted “privileged” administrator access to the ICS were not continually evaluated despite a requirement by the 2012 Federal Investigative Standards that mandated such evaluation.
Although several vulnerabilities to the USBR’s ICS security were found during the course of this investigation, a few important steps can help mitigate the risk to the organization moving forward. As outlined by the Office of the Inspector General:
- Limit the number of USBR employees with administrator access to the ICS based on needs for their specific positions.
- Remove all group accounts with administrator access to the ICS and ensure that no new unnecessary group accounts are created.
- Remove all accounts with access to the ICS when the employee leaves or when their position no longer mandates such access.
- Ensure that employees regularly change the passwords on their ICS accounts.
- Enhance background check procedures and provide follow-up evaluation on a regular basis.
If the USBR implements all of these steps, its security and that of the people it serves will increase substantially, and the safety of the nation’s dams will be ensured to the highest possible extent.
About the Author: Alex Haslam is a tech writer specializing in technology’s human connection — how it affects our lives, careers, and relationships, and how we can use it to keep ourselves and our data safe. She contributes regularly to several top-tier tech publications and is working to help increase tech literacy through writing about today’s technology in an accessible way.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.