Dam cyber: Interior IG closes out audit of hydroelectric control systems

By Matej Hudovernik shutterstock image ID 61844881 HOOVER DAM 

The Hoover Dam, operated by the U.S. Bureau of Reclamation. (Photo credit: Matel Hudovernik/

The inspector general for the Department of the Interior has closed out an investigation into cybersecurity concerns surrounding hydroelectric dams.

In a partially redacted memo dated July 12, Jefferson Gilkeson, director of information technology audits for Interior OIG, informed the commissioner of the U.S. Bureau of Reclamation (USBR) that auditors have completed the second and final part of their report evaluating potential cybersecurity weaknesses associated with five hydroelectric dams managed and operated by the bureau.

The first part of that report, issued in June, found mixed results. Only two of the dams operated by USBR relied on industrial control systems that could, if penetrated, give an attacker remote control over generators, gates and outlet valves. Auditors found that those systems were not connected to the internet or other USBR systems and, in general, were at low risk for compromise.

However, they also found that officials failed to limit administrator access to those systems, didn't comply with best practices for password policies and did not institute more rigorous background checks for personnel with elevated privileges. Ultimately, OIG made five recommendations: implement "least privilege" policies around administrator access, eliminate group accounts that allow broad access to such systems, ensure user accounts are removed when no longer needed, implement better controls and beef up background checks for employees with the highest access.

In a partially redacted response, USBR Commissioner Brenda Burman pushed back, saying the bureau did not concur with three of the recommendations and partially concurred with the other two and that the bureau's security procedures followed guidance from the National Institute of Standards and Technology and the Office of Personnel Management.

According to the newly released memo, the second part of the report examined another industrial control system that provides "monitoring, alarming, and process control to ensure the safe and reliable operations of the water and power facilities."

The memo indicated that auditors were satisfied that there were not any additional security vulnerabilities associated with the system, noting that a review of network traffic and key computers failed to turn up any evidence of anomalies or indicators of compromise.  

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Comment
    customer experience (garagestock/

    Leveraging the TMF to improve customer experience

    Focusing on customer experience as part of the Technology Modernization Fund investment strategy will enable agencies to improve service and build trust in government.

  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

Stay Connected