Russian hackers hijacked a Norwegian dam, opened literal and metaphorical floodgates
"The aim of this type of operation is to cause fear and chaos among the population. Russia has become more dangerous."
Russia-linked threat actors allegedly seized control of a Norwegian hydroelectric dam and caused a torrent of water to gush out unnoticed for several hours.
That's the claim from Norwegian Police Security Service (PST), which took the extraordinary step of attributing the cyberattack to Moscow.
In April, unidentified hackers opened up the floodgates and unleashed 500 litres (132 gallons) of water every second for four hours - the equivalent of about three Olympic swimming pools.
Beate Gangås, the head of PST, said: "Over the past year, we have seen a change in activity from pro-Russian cyber actors.
"The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbour has become more dangerous."
The Russian embassy in Oslo slammed the claims as "unfounded and politically motivated".
It told Reuters: "It is obvious that the PST is unsuccessfully trying to substantiate the mythical threat of Russian sabotage against Norwegian infrastructure this year, which it itself invented."
Critical national infrastructure under threat?
Norway produces more than 90% of its power from hydroelectric dams, making these facilities an obvious target for enemy nations.
This time around, the damage was minimal because both the river and dam were well within their flood capacity.
But it's feared that the attack could open the metaphorical floodgates.
The incident clearly demonstrates the grave risk facing critical national infrastructure (CNI) across the Western world, showing that Russia or pretty much any hostile, skilled group potentially has the ability to take down the infrastructure which sustains billions of people.
Mike Hamilton, Field CISO at Lumifi Cyber and former CISO of the City of Seattle, said: "Attacks against the water sector are increasing, and it is a nation-state more than a criminal issue. Iranian actors are known to specifically target the operational technologies like programmable logic controllers that are used to open/close valves, monitor filtration and chemical injection, etc.
"Russians are equally capable. More broadly, all critical sectors are under increasing threats. China is reported to have a foothold in infrastructure and is prepared to pull that trigger at the time of their choosing."
The challenges in protecting utilities are familiar across cybersecurity.
"Utilities lack the resourcing to attract and retain qualified practitioners and are using more managed services to monitor networks and operational technologies as a means of minimising the impact of successful attacks," Hamilton added.
"Funding may come from federal grants like the state and local cybersecurity grant program, but there is, to date, no legislation to support this. Funding could also come from rate increases, and some public utility commissions are considering this."
How is the US addressing the risk to CNI?
In the US, states are now developing their own methods of securing water and waste treatment due to an executive order that passed responsibility for infrastructure protection and disaster management to state and local governments.
The state of Hawaii, for example, is using SLCGP (State and Local Cybersecurity Grant Program) funding and working with a non-profit called Pisces to monitor local governments, public utilities, and rural healthcare.
"New York has leaned into regulating its critical sectors much like the sector risk management agencies (like EPA for the water sector) to circumvent the federal regulatory whipsaw we’ve been seeing," Hamilton said.
"At the federal level, the Department of Energy is moving toward deploying OT monitoring in dam operations and training operators. The trend is a definite effort to monitor and aggregate events, and its being done mainly at the state level."
But will it be enough to stop enemy hackers from flooding critical systems with attacks which result in genuine disruption or even death?
We fear the answer is: probably not. But contact us on the address below to share your analysis if you think our pessimism is misplaced.
