Hydropower facilities: vulnerability to cyber attacks

Cyber risk is no longer just an imagined scenario. It is viewed as a threat that is becoming increasingly real and prevalent. As the number of connected technologies such as PLCs and SCADA increase in control systems, so does the cyberattack exposure of those systems.

Indeed, cyber threats are viewed as a growing concern in the dams industry due to implications for public safety. Increasing vulnerability has been created due to facilities’ previously manually operated components becoming more complex and supplemented with remote capabilities. As the number of connected technologies in a facility’s control systems increases, so does the cyber attack exposure of those systems. Automation has its benefits, such as efficiency and capturing real-time data, but it does also create new risks.

Opening the flood gates

A new report by global professional services firm AON, in collaboration with Cyence Risks Analytics product team at Guidewire, focuses on a hypothetical attack by hackers on a US hydroelectric dam which compromises the facility’s control systems and floods the surrounding area; a scenario which could impact both businesses and homeowners.

According to the report entitled Silent Cyber Scenario: Opening the Flood Gates, the cyber security of critical infrastructure such as dams has become a focal point in recent years. Several examples of malware designed for industrial control systems have implicated the physical damage that could occur if these systems were compromised.

For example, in 2015 the Ukraine experienced widespread power outages lasting about six hours as a cyber attack compromised an industrial control system in the power grid; while in 2013 the control system at Bowman Avenue dam in the US was breached for about three weeks. The hacker obtained access to remote operation of the dam gates, which had fortunately been taken offline for maintenance.

In 2016, for the first time, the Industrial Control Systems Cyber Emergency Response Team in the US (ICS-CERT) included dams in its assessments along with other types of infrastructure such as chemical plants, manufacturing facilities, and wastewater treatment. According to the AON, report ICS-CERT performed 98 assessments in FY2016 and recorded 94 instances of weak boundary protection of the control system which could facilitate unauthorised access. There were also incidences of unnecessary services, devices and ports on control systems, as well as weak identification and authentication management.  

Furthermore, the report goes on to add, even larger and more significant dams may be at risk for unauthorised access. A 2018 report from the Office of the Inspector General highlighted poor security practices at two unnamed critical infrastructure dams operated by the US Bureau of Reclamation. Among other potential vulnerabilities, it was found that weak password policies and access control policies could potentially allow malicious actors to breach and operate the control systems.

Cyber scenario

In the scenario developed by Aon and Guidewire’s Cyence Risk Analytics team for its new report, a hacker seeks to create significant disruption in the US by opening the flood gates at a hydroelectric dam. If such a scenario were to occur it is likely to cause significant downstream flood damages, resulting in ‘silent cyber’ losses for insurers. Silent cyber risk is the potential for cyber perils to trigger losses on traditional insurance policies – such as property or casualty – where coverage is unintentional or unpriced. Silent cyber risk has even been described as a by-product of how businesses have embraced network connectivity and become increasingly resilient on technology.

Matt Honea, Director of Cyber at Guidewire, said: “We face a huge challenge today, securing not only all laptops and phones, but all network connected devices. These connected devices are automating human tasks by powering more equipment and processing systems. We bring focus to these dam scenarios to highlight concrete examples of an extreme cyber event.”

Aon and Guidewire analysed the potential impacts of the scenario at three dams, selected to reflect a small, medium and large exposure respectively. The key findings were that a cyberattack could cause:

Major impacts not only to dam operations but also to the resilience of local businesses and communities, with the highest economic loss estimated at US$56 billion.

Silent cyber exposure to insurers, with total insured losses of up to US$10 billion. By comparison, initial estimates of insured losses resulting from wind and storm surge damage from Hurricane Michael have ranged up to US$10 billion.

A significant protection gap that would impact homeowners and businesses if such an event were to occur, with only 12% insured in one scenario.

With their report Aon and Guidewire say their aim is to help insurers understand silent cyber risk. They say that businesses must consider the security risks that new technologies could introduce into their environment, including potential impacts on their clients and communities.

Jonathan Laux, Head of Cyber Analytics for Aon’s Reinsurance Solutions business, commented: “Insurers must consider how changing technologies can cause ‘established’ perils such as flood to morph into new risks, with resulting changes to frequency and severity. By using scenarios such as this one, insurers have the ability to stress test their portfolios against new and emerging perils created by cyber risk. With that knowledge, insurers can take steps to mitigate risk, through reinsurance as well as working with businesses to increase their resilience.”

In conclusion, the authors of the report adds that “we hope this whitepaper draws additional attention to the importance of closing the protection gap by which flood risk causes harm to society in the US and across the globe.”

ACKNOWLEDGEMENT

The above article was compiled from the report Silent Cyber Scenario: Opening the Flood Gates by AON and Guidewire. The authors are Matthew Honea, Dr. Yoshifumi Yamamoto, Jonathan Laux, Craig Guiliano and Dr. Megan Hart. October 2018.

Aon plc is a global professional services firm providing a broad range of risk, retirement and health solutions. www.aon.com