Dam cyber: Interior IG closes out audit of hydroelectric control systems

By Matej Hudovernik shutterstock image ID 61844881 HOOVER DAM 

The Hoover Dam, operated by the U.S. Bureau of Reclamation. (Photo credit: Matel Hudovernik/

The inspector general for the Department of the Interior has closed out an investigation into cybersecurity concerns surrounding hydroelectric dams.

In a partially redacted memo dated July 12, Jefferson Gilkeson, director of information technology audits for Interior OIG, informed the commissioner of the U.S. Bureau of Reclamation (USBR) that auditors have completed the second and final part of their report evaluating potential cybersecurity weaknesses associated with five hydroelectric dams managed and operated by the bureau.

The first part of that report, issued in June, found mixed results. Only two of the dams operated by USBR relied on industrial control systems that could, if penetrated, give an attacker remote control over generators, gates and outlet valves. Auditors found that those systems were not connected to the internet or other USBR systems and, in general, were at low risk for compromise.

However, they also found that officials failed to limit administrator access to those systems, didn't comply with best practices for password policies and did not institute more rigorous background checks for personnel with elevated privileges. Ultimately, OIG made five recommendations: implement "least privilege" policies around administrator access, eliminate group accounts that allow broad access to such systems, ensure user accounts are removed when no longer needed, implement better controls and beef up background checks for employees with the highest access.

In a partially redacted response, USBR Commissioner Brenda Burman pushed back, saying the bureau did not concur with three of the recommendations and partially concurred with the other two and that the bureau's security procedures followed guidance from the National Institute of Standards and Technology and the Office of Personnel Management.

According to the newly released memo, the second part of the report examined another industrial control system that provides "monitoring, alarming, and process control to ensure the safe and reliable operations of the water and power facilities."

The memo indicated that auditors were satisfied that there were not any additional security vulnerabilities associated with the system, noting that a review of network traffic and key computers failed to turn up any evidence of anomalies or indicators of compromise.  

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.