April 10, 2024

Wyden Statement on Cybersecurity Threats to Critical Water Infrastructure

At Energy & Natural Resources subcommittee hearing, Wyden sounds alarm on cybersecurity threats posed to America’s dams

Video of Senator Wyden’s remarks can be found here

As prepared for delivery

Every critical infrastructure sector faces threats, including healthcare, pipelines, and water treatment plants. The dams that generate our hydropower are no exception.

Countries like China and Russia present a significant national security concern, as they have the ability to shut down core functions of society, and even cause death, by hacking critical infrastructure.

Today the subcommittee is being told by the Federal Energy Regulatory Commission, which licenses 2500 dams, that the dams responsible for well over half of the non-federal power generation haven’t received a cybersecurity audit.

And currently, there’s no plan to complete these missing audits anytime soon. FERC has told my staff that it does not have the ability to review the remaining dams within the next decade. FERC has just four cybersecurity experts to oversee 2500 dams.

Today there are no minimum standards, no audits of a majority of dams, and bad cybersecurity. This is inviting cybersecurity trouble in the Northwest.

As the Chairman of the subcommittee responsible for dams, I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver.

FERC cybersecurity rules only apply to dams that are remotely managed over the internet. This practice enables companies to save money by not requiring an operator on site. But those cost savings for the dam operator lead to significantly greater cyber risks.

In addition, there are no mandatory cybersecurity requirements for dams only administered by on-site operators. To make matters worse, FERC’s cybersecurity rules haven’t been updated since 2016, aren’t specific enough and are mostly about paperwork and box checking.

FERC doesn’t have the resources it needs to be an effective regulator of the cybersecurity of private-sector run dams. That’s a problem Congress needs to address now.

Congress needs to step up here. The seriousness of cyber threats to critical infrastructure has been clear for years. Companies and agencies across the federal government have been slow to respond to the cyber threats, which are the result of weak regulation, no audits, and no accountability.

For example, last year, I asked the DHS Cyber Safety Review Board to look into the theft of senior government officials’ emails from Microsoft’s servers. DHS published the board’s report last week, which documented numerous cybersecurity problems that seriously undermine U.S. national security. Microsoft’s software is used widely across the U.S. government and industry. Microsoft is undermining America’s cyber defenses and is creating a serious threat to national security.

One of the main problems is that the U.S. doesn’t have a coordinated plan to deal with cybersecurity. Cybersecurity of each part of our society is regulated in a different way, and some aren’t regulated at all. Some have rules, some have the honor system. This is not good enough, and so no wonder there are broad parts of our government and society with awful cybersecurity, no effective rules, and no cyber safety regulator.

Congress needs to address the cybersecurity problem broadly, rather than playing whack-a-mole one industry or agency at a time.

Unfortunately, I can’t solve that bigger problem in this subcommittee, but I can accelerate updating FERC’s cybersecurity standards, making sure those standards are effective, and apply to all dams, to protect the United States from this serious national security threat.

I look forward to hearing from these witnesses about the scope and scale of cybersecurity vulnerabilities in our hydroelectric systems so that Congress is equipped to develop targeted responses.

###