Two companies were awarded spots on a $45 million contract to secure the nation’s dams from cyberattacks: federal contracting giant Booz Allen Hamilton and Virginia-based small business Spry Methods.
The Interior Department’s Bureau of Reclamation named the winners of its five-year indefinite-delivery, indefinite-quantity contract for IT risk management services on June 5. The contract covers technical and professional services in support of the bureau’s threat monitoring and mitigation programs; compliance with the Federal Information Security Management Act; security of dam industrial control systems, or ICS; and work with Reclamation’s information system security officer.
Reclamation can now issue task orders to Booz Allen Hamilton or Spry to provide these services to more than 600 dams under the bureau’s purview. Those dams are spread across 17 states in the western U.S.
“Over the last two years, Spry has been deeply involved in the security assessment and evaluations of numerous Reclamation systems,” including ICS security, Lori James, Spry’s chief cybersecurity officer, told Nextgov. “Spry is looking forward to our continued support of DOI and Reclamation specifically, where we can help streamline security requirements and produce efficient and useful methodologies that will become commonplace at DOI.”
Representatives from Booz confirmed the award but declined to comment further at this time.
The need to secure the nation’s dams is urgent because the threat is real.
In 2016, alleged Iranian hackers were able to leverage access to a dam’s accounting system to gain control over a sluice gate controlling water flow. Luckily, the hackers got the wrong dam, gaining access to the diminutive and then-out-of-service Bowman Avenue Dam in Rye Brook, New York, rather than the comparatively massive Arthur R. Bowman Dam in Oregon. But the episode demonstrates the need to secure this critical infrastructure or risk massive loss of life and property.
The larger Bowman Dam is one of the 600 managed by the Bureau of Reclamation.
“Hydroelectric facilities such as the ones operated by [Reclamation] can have a significant number of ICS/[operational technology] systems,” said Marty Edwards, managing director at Automation Federation and former director of Homeland Security’s ICS-CERT. Those systems “tend to be overlooked legacy types of installations that can be particularly challenging to bring up to date with modern cybersecurity standards.”
Edwards applauded Interior’s focus on critical infrastructure security as a good start but noted that $45 million spread across 600 sites comes out to approximately $75,000 per dam over five years.
“That is certainly a good start but ultimately cybersecurity is about hiring people,” he said. “I would like to see either permanent civil servants or a standing program put in place to use contractors every year. Most likely the best approach is a combination of the two.”