In a concerning incident this April, unidentified hackers managed to breach the control systems of the Lake Risevatnet dam located near the city of Svelgen in Southwest Norway. This cyberattack highlights how seemingly simple vulnerabilities can pose significant threats to essential services worldwide.

How the Attack Unfolded and Was Exploited

The core of this incident lay in a fundamental security oversight: a weak password. Officials suspect that the dam’s water valve was protected by an easily guessable password on its web-accessible control panel. This vulnerability allowed the attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment of the dam.

Once inside, the hackers were able to force the dam’s water valve open fully. The valve remained in this unauthorised state for four hours before the dam’s owner, Breivika Eiendom, detected the activity on April 7. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is currently underway.

The Impact and Broader Implications

While the immediate physical impact of this particular incident was fortunately limited, its implications for critical infrastructure security are profound:

  • Limited Immediate Danger: According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger to the public. The water flow barely exceeded the dam’s minimum requirement, releasing an additional 497 litres per second. Officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second. It remains unclear if putting the valve at full capacity was intentional or not.
  • Serving a Critical Lesson: Despite this specific facility primarily serving a fish farm and not being connected to Norway’s power grid, the incident serves as a critical security lesson for essential infrastructure globally.
  • Highlighting Common Vulnerabilities: This attack underscores how easily basic security failures, especially weak credentials, can compromise vital systems. Such intrusions into vital infrastructure are not isolated. For instance, Israel faced similar cyberattacks on its irrigation and wastewater treatment systems in April 2023 and again in 2020, with authorities believing some were part of hacktivist campaigns that also exploited simple vulnerabilities. The 2016 Verizon DBIR also noted a case where hackers modified chemical levels in a water treatment facility “at random”.
  • Importance of Detection and Monitoring: The fact that the attack persisted for four hours undetected also indicates the crucial need for sufficient monitoring for critical infrastructure like dams.

Lessons for Critical Infrastructure Protection

This incident clearly demonstrates that robust cybersecurity practices are no longer optional but essential for protecting vital systems:

  • Strong Passwords and Multi-Factor Authentication: The most obvious takeaway is the imperative for strong passwords and multi-factor authentication (MFA), which requires more than one way to prove identity. These are crucial for protecting essential services.
  • Remote Access and Authentication: It also highlights that secure remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices.
  • Continuous Monitoring: Implementing effective monitoring systems is vital to detect and respond to unauthorised activity swiftly, mitigating potential damage.
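
The monitoring gap described above, a valve fully open for four hours before anyone noticed, is the kind of condition a dwell-time check on valve telemetry catches within minutes. The Python below is an added example, not code from Cybersplice or the dam's operator; the baseline setpoint, tolerance, ten-minute threshold, approved-change window and every sample reading are constructed assumptions.

```python
from datetime import datetime, timedelta

BASELINE_PCT = 10                  # assumed normal valve setpoint (constructed)
TOLERANCE_PCT = 2                  # assumed actuator jitter allowance
MAX_DWELL = timedelta(minutes=10)  # assumed time off-setpoint before alerting

def expected_setpoint(ts, windows):
    """Setpoint approved for time ts by a change window, else the baseline."""
    for start, end, pct in windows:
        if start <= ts < end:
            return pct
    return BASELINE_PCT

def detect_unauthorised_valve_state(samples, windows):
    """Return episodes where the valve stayed off its approved setpoint for MAX_DWELL or longer."""
    episodes, current = [], None
    for ts, valve_pct in sorted(samples):
        if abs(valve_pct - expected_setpoint(ts, windows)) > TOLERANCE_PCT:
            if current is None:
                current = {"start": ts, "peak_pct": valve_pct}
            current["last_seen"] = ts
            current["peak_pct"] = max(current["peak_pct"], valve_pct)
        elif current is not None:
            episodes.append(current)
            current = None
    if current is not None:
        episodes.append(current)  # still off-setpoint when the data ends
    # alert_at is the moment a live monitor running this rule would fire
    return [dict(ep, alert_at=ep["start"] + MAX_DWELL)
            for ep in episodes if ep["last_seen"] - ep["start"] >= MAX_DWELL]

def build_constructed_samples():
    """Constructed 5-minute telemetry and one approved window; not data from the incident."""
    t0 = datetime(2030, 1, 1)
    samples = []
    for m in range(0, 480, 5):
        if 60 <= m < 90:
            pct = 60    # approved maintenance, covered by the window returned below
        elif m == 120:
            pct = 35    # single-sample transient, shorter than MAX_DWELL
        elif 180 <= m < 420:
            pct = 100   # four hours fully open with no approval
        else:
            pct = BASELINE_PCT
        samples.append((t0 + timedelta(minutes=m), pct))
    return samples, [(t0 + timedelta(minutes=60), t0 + timedelta(minutes=90), 60)]

if __name__ == "__main__":
    for alert in detect_unauthorised_valve_state(*build_constructed_samples()):
        print(alert)
```

On the constructed data the approved maintenance and the brief transient stay quiet, while the unapproved full-open state raises one alert ten minutes after it begins.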

In an increasingly connected world, the security of critical infrastructure, from dams to power grids and water treatment plants, hinges on addressing even the most basic vulnerabilities. The Norwegian dam incident serves as a clear and urgent call to action for organisations managing these essential services to bolster their cybersecurity defences.

Cybersplice offers solutions that can help protect against collateral damage and targeted attacks against Operational Technology, providing rapid visibility of OT networks using our Splicecloud platform. Cybersplice can also create a secure private sensor network via Splice-net, which is an encrypted overlay network that works on top of existing carrier infrastructure, offering secure, carrier-independent connectivity. Furthermore, Cybersplice provides an ICS Secure Access Edge that incorporates logical isolation, vulnerability shielding via an encrypted overlay network, passive node discovery, and secure remote access for operators and support partners.