U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk from Insider Threats

The U.S. Bureau of Reclamation (USBR) operates five hydropower dams categorized as critical infrastructure by the U.S. Department of Homeland Security. Our evaluation focused on the USBR’s operational and technical practices for protecting two of these dams, and the related industrial control system (ICS) it relies on to remotely control operations including, generators, gates, and outlet valves.We found the ICS at low risk of compromise from external cyber threats as our analysis of computer network traffic showed that the ICS is isolated from the internet and from USBR’s business systems and our analysis of ICS computer memory did not detect hidden malware or other indicators of compromise. The USBR’s account management and personnel security practices, however, put the ICS and the infrastructure it operates at high risk from insider threats. Specifically, we found that the USBR:• Failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts• Did not comply with password policies and failed to remove inactive system administrator accounts• Did not follow best practices recommending that personnel with elevated system privileges complete more rigorous background investigationsThese deficiencies occurred because USBR management failed to strengthen bureau risk management practices in response to rapidly escalating threats to critical infrastructure. An ICS breach could disrupt USBR operations and has the potential to adversely affect national security. We make five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to the ICS.