The U.S. Bureau of Reclamation (USBR) operates five hydropower dams categorized as critical infrastructure by the U.S. Department of Homeland Security. Our evaluation focused on the USBR’s operational and technical practices for protecting two of these dams, and the related industrial control system (ICS) it relies on to remotely control operations, including generators, gates, and outlet valves.

We found the ICS at low risk of compromise from external cyber threats: our analysis of computer network traffic showed that the ICS is isolated from the internet and from USBR’s business systems, and our analysis of ICS computer memory did not detect hidden malware or other indicators of compromise. The USBR’s account management and personnel security practices, however, put the ICS and the infrastructure it operates at high risk from insider threats. Specifically, we found that the USBR:

• Failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts
• Did not comply with password policies and failed to remove inactive system administrator accounts
• Did not follow best practices recommending that personnel with elevated system privileges complete more rigorous background investigations

These deficiencies occurred because USBR management failed to strengthen bureau risk management practices in response to rapidly escalating threats to critical infrastructure. An ICS breach could disrupt USBR operations and has the potential to adversely affect national security. We make five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to the ICS.
Report File
Date Issued
Submitting OIG
Department of the Interior OIG
Other Participating OIGs
Department of the Interior OIG
Agencies Reviewed/Investigated
Department of the Interior
Components
Bureau of Reclamation
Report Number
2017-ITA-023
Report Description
Report Type
Inspection / Evaluation
Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0