Hydropower infrastructure vulnerable to cyberattacks

Cybersecurity threats to hydropower dams are becoming more frequent and severe, with attacks linked to state-backed actors from Iran, Russia, and elsewhere causing concern worldwide.

Recent incidents, including a major cyberattack on Hydro Quebec in 2023 and a thwarted attempt at Ethiopia’s Grand Renaissance Dam, show how vulnerable critical infrastructure has become.

The integration of Internet of Things (IoT) devices has only heightened these risks, expanding attack surfaces and introducing new vulnerabilities through outdated systems, dispersed equipment, and inconsistent security standards.

In the United States, authorities are growing increasingly alarmed at the lack of coordinated cybersecurity oversight for dams. Senator Ron Wyden, chairing a subcommittee hearing in April 2024, warned that many non-federal hydropower dams have never been audited for cybersecurity.

With only four cybersecurity experts overseeing 2,500 dams, and with outdated rules that only apply to internet-managed sites, he criticised the Federal Energy Regulatory Commission (FERC) for lacking the capacity and tools to safeguard the sector effectively.

Experts from the Idaho National Laboratory and FERC agree that the fragmented regulatory landscape poses a major challenge. Different agencies oversee various parts of dam operations, with no unified framework in place.

Cyberattacks on dams can cause more than just blackouts—they can also trigger devastating floods, disrupt water supplies, and endanger lives.

Calls are growing for Congress to address this vulnerability by improving funding, updating regulations, and implementing a national strategy to protect critical hydropower infrastructure from increasingly sophisticated cyber threats.

For more information on these topics, visit diplomacy.edu.