Reading time
6 minutes
Category
Industrial Technology
Author
Hanne Busra Okumus
Summary
Remote access is essential to modern critical infrastructure.
It is also one of the most consequential risk concentrations in operational technology.
In early 2025, attackers linked to Russia remotely accessed the Lake Risevatnet hydropower dam in Norway and manipulated a discharge valve for hours before detection. The incident did not rely on advanced exploits or novel malware. It relied on exposed access and time.
The case reinforces a long-standing reality in OT environments:
remote access is unavoidable, but it is unforgiving when poorly governed.
By examining the incident through the lens of the SANS Five ICS Critical Controls, it becomes clear how established safeguards could have reduced both the likelihood of the intrusion and its operational impact.
Why remote access is still unavoidable in OT
Across critical infrastructure environments, remote access is not a design preference but an operational necessity.
In a country like Norway, geography alone makes remote access to critical systems such as dam control unavoidable. Hydroelectric plants sit deep in fjords; other facilities are in remote mountains and valleys.
Continuous onsite presence is neither practical nor safe.
Operators depend on remote access to support:
- Real-time monitoring of, and visibility into, water levels, gate positions, and alarms
- Emergency coordination during extreme weather events
- Vendor maintenance, troubleshooting, and firmware updates
- Regulatory oversight and environmental reporting
These requirements are not optional. They are foundational to safe operation.
The challenge lies in the origins of many OT systems. Modern SCADA and OT platforms support these workflows, but many of their foundational assumptions date from a time when control networks were not globally reachable. Encryption and authentication were minimal or absent because nobody expected the network to be exposed to the outside world.
When those same systems are placed directly online, legacy assumptions become liabilities. If an attacker can observe or interact with the traffic – through a poorly configured firewall, weak credentials, or direct internet exposure – they can often issue valid process commands without any exploit at all, because the protocol itself does not ask who is sending them. Public search engines such as Shodan continue to show how common this exposure remains.
Automation improves efficiency, but it also increases the blast radius when remote access lacks compensating controls.
The Lake Risevatnet incident
In early 2025, Russian-linked attackers compromised the Lake Risevatnet dam and forced a discharge valve open, releasing hundreds of liters of water per second. They later shared screenshots and telemetry publicly via Telegram.
The significance of the incident lies not only in the access achieved, but in what the attackers did with it. Opening the discharge valve and then publishing telemetry of the result shows they understood the dam's operating logic, not just its login page.
Even more concerning was the delay in detection. Some four hours passed before operators recognized the manipulation.
For a sector long aware of the challenges of OT security, this incident underscored a simple truth: remote access remains one of the most consequential decisions an operator can make.
Applying the SANS Five ICS Critical Controls
The Norwegian dam incident is a textbook case for the SANS Five ICS Cybersecurity Critical Controls, which were designed to address exactly these failure modes. Each control highlights a specific point at which either the likelihood or the impact of the attack could have been reduced.
1. ICS Incident Response
The four-hour detection window points to a significant gap in both detection and response.
Effective application of this control would include:
- Incident response procedures that explicitly cover OT process deviations (unusual valve movements, unexplained setpoint changes, remote session activity outside normal hours) rather than only IT indicators
- Cross-functional drills involving hydropower engineers, cybersecurity teams, and emergency management authorities to reduce reaction time
- Clear, rehearsed criteria for switching to local control or manual override, so the decision is not being made for the first time during an incident
2. Defensible Architecture
Available reporting suggests attackers accessed an internet-reachable interface, bypassing segmentation and exposing control logic to external actors.
Effective application of this control would include:
- Placing critical OT assets such as dam HMIs behind an industrial DMZ, never on a directly routable public interface
- Strictly enforced network zoning aligned with the Purdue Model, which reduces the pathways available to an attacker
- Asset inventories and configuration baselines that let operators verify no unauthorized services or administrative interfaces are exposed
A defensible architecture does not eliminate the need for remote access; it constrains where access enters and which paths it can take.
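One way to make the zoning and exposure checks above concrete is to test observed network flows against the asset inventory. The following is an added example, not code from the original article or from any operator; the Purdue zone assignments, host names, addresses (203.0.113.7 is from the TEST-NET-3 documentation range), allowed ports and flows are all constructed for illustration.

```python
"""Added example (not from the original article): check observed network
flows against a Purdue-zoned asset inventory and an allowed-inbound baseline.

Flags three things the Defensible Architecture control cares about:
  * inbound flows that bypass the industrial DMZ (level 3.5),
  * inbound flows that skip a level below the DMZ,
  * listening services on control assets that the baseline does not allow,
and escalates any control asset reachable directly from the internet.
All hosts, zones, ports and flows below are hypothetical sample data.
"""
from dataclasses import dataclass

# Purdue levels as floats so the DMZ can sit at 3.5 between site operations
# (3) and the enterprise (4). "internet" is treated as above the enterprise.
LEVELS = {"internet": 6.0, "enterprise": 4.0, "dmz": 3.5, "site_ops": 3.0,
          "supervisory": 2.0, "control": 1.0, "process": 0.0}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed asset inventory: host -> zone. Unknown hosts are treated as
# untrusted (internet) so a missing inventory entry fails closed.
INVENTORY = {
    "203.0.113.7": "internet",
    "corp-ws-12": "enterprise",
    "jump-01": "dmz",
    "hist-01": "site_ops",
    "dam-hmi-01": "supervisory",
    "plc-gate-1": "control",
}

# Constructed baseline of the only ports each zone may expose to a higher
# level. Anything else reached from above is a finding.
ALLOWED_INBOUND = {
    "dmz": {22, 443},        # brokered access lands here, nowhere else
    "site_ops": {443},       # historian replication from the DMZ
    "supervisory": {3389},   # jump host to HMI console
    "control": {502},        # Modbus/TCP from supervisory hosts
}


def check_flow(flow):
    """Return a list of findings for one flow (empty if it is acceptable)."""
    src_zone = INVENTORY.get(flow.src, "internet")
    dst_zone = INVENTORY.get(flow.dst, "internet")
    s, d = LEVELS[src_zone], LEVELS[dst_zone]
    findings = []
    if s <= d:
        return findings  # lateral or outbound; not an inbound pathway
    if s > LEVELS["dmz"] and d < LEVELS["dmz"]:
        findings.append(f"{flow.src}->{flow.dst}:{flow.dport} skips the industrial DMZ")
    elif s < LEVELS["dmz"] and s - d > 1.0:
        findings.append(f"{flow.src}->{flow.dst}:{flow.dport} skips a Purdue level")
    if flow.dport not in ALLOWED_INBOUND.get(dst_zone, set()):
        findings.append(f"{flow.dst} exposes port {flow.dport} to {src_zone}")
    if src_zone == "internet" and d <= LEVELS["supervisory"]:
        findings.append(f"CRITICAL: control asset {flow.dst} reachable from the internet")
    return findings


def audit(flows):
    """Return [(flow, findings)] for every flow that produced at least one finding."""
    return [(f, check_flow(f)) for f in flows if check_flow(f)]


# Constructed sample flows, e.g. from firewall logs or passive capture.
SAMPLE_FLOWS = [
    Flow("corp-ws-12", "jump-01", 22),        # enterprise -> bastion: fine
    Flow("203.0.113.7", "dam-hmi-01", 5900),  # internet -> HMI VNC: the Risevatnet pattern
    Flow("hist-01", "plc-gate-1", 502),       # site ops straight to PLC: skips a level
    Flow("dam-hmi-01", "plc-gate-1", 502),    # HMI -> PLC Modbus: fine
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(flow, *findings, sep="\n  ")
```

The check is deliberately inventory-driven: a host that is not in the inventory is treated as internet, so an undocumented device that starts talking to the HMI shows up as a critical finding rather than being silently accepted.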
3. ICS Network & Visibility Monitoring
The Risevatnet intrusion went unnoticed while attackers issued unauthorized commands. Without visibility into OT traffic or process deviations, operators were effectively blind to the unfolding manipulation.
Effective application of this control would include:
- Baselining normal command patterns, frequencies, and authorized sources
- Alerting on deviations such as unusual timing, rapid repeated changes, unexpected origins, or values outside engineering limits
- Integrating OT telemetry into centralized monitoring so that process events can be correlated with remote session activity
Visibility does not prevent all incidents. It reduces dwell time, which in OT is usually what determines the physical impact.
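The baseline-and-deviation logic described above, as an added example that is not part of the original article or any vendor product. The baseline values, the log format, the tag name, the engineering limits and the log lines are all constructed; a real deployment would derive the baseline from observed traffic and feed alerts into the SOC rather than returning them from a function.

```python
"""Added example (not from the original article): baseline-driven anomaly
detection over OT write commands.

Input is a constructed, line-oriented command log of the form
  <ISO-8601 UTC timestamp> src=<ip> user=<name> cmd=<READ|WRITE> tag=<tag> value=<n>
Each WRITE is checked against a baseline of authorized sources, normal
operating hours, a per-tag write-rate limit and engineering limits. Every
number and address here is hypothetical sample data.
"""
from collections import deque
from datetime import datetime

BASELINE = {
    "authorized_sources": {"10.20.30.5", "10.20.30.6"},   # HMI and engineering ws
    "normal_hours_utc": range(6, 22),                      # 06:00-21:59 UTC
    "max_writes_per_tag_per_minute": 2,
    "tag_limits": {"DischargeValve.Setpoint": (0, 60)},    # % open, hypothetical
}


def parse(line):
    """Parse one log line into a dict with a timezone-aware 'ts'."""
    ts_str, *kvs = line.split()
    ev = {k: v for k, v in (kv.split("=", 1) for kv in kvs)}
    ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ev


def detect(lines, baseline=BASELINE):
    """Return [(iso_timestamp, src, tag, [reasons])] for every anomalous WRITE."""
    alerts = []
    recent = {}  # tag -> deque of timestamps of writes in the last 60 s
    for line in lines:
        ev = parse(line)
        if ev.get("cmd") != "WRITE":
            continue  # reads are not process-changing; keep the example focused
        reasons = []
        if ev["src"] not in baseline["authorized_sources"]:
            reasons.append("unauthorized source")
        if ev["ts"].hour not in baseline["normal_hours_utc"]:
            reasons.append("outside normal hours")
        lo, hi = baseline["tag_limits"].get(ev["tag"], (None, None))
        if lo is not None and not (lo <= float(ev["value"]) <= hi):
            reasons.append("value outside engineering limits")
        q = recent.setdefault(ev["tag"], deque())
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > 60:
            q.popleft()  # drop writes older than the one-minute window
        if len(q) > baseline["max_writes_per_tag_per_minute"]:
            reasons.append("rapid repeated writes")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["src"], ev["tag"], reasons))
    return alerts


# Constructed sample log: one normal daytime write, then a burst of
# out-of-hours writes from an unknown address driving the valve past its limit.
SAMPLE_LOG = [
    "2025-04-07T09:15:00Z src=10.20.30.5 user=op1 cmd=READ tag=DischargeValve.Setpoint value=20",
    "2025-04-07T09:16:00Z src=10.20.30.5 user=op1 cmd=WRITE tag=DischargeValve.Setpoint value=25",
    "2025-04-08T01:02:10Z src=203.0.113.7 user=admin cmd=WRITE tag=DischargeValve.Setpoint value=100",
    "2025-04-08T01:02:25Z src=203.0.113.7 user=admin cmd=WRITE tag=DischargeValve.Setpoint value=100",
    "2025-04-08T01:02:40Z src=203.0.113.7 user=admin cmd=WRITE tag=DischargeValve.Setpoint value=100",
]

if __name__ == "__main__":
    for ts, src, tag, reasons in detect(SAMPLE_LOG):
        print(ts, src, tag, ", ".join(reasons))
```

Each alert carries the reasons that fired, so the first out-of-hours write from an unknown source is already actionable on its own; the rate check only adds weight once the burst is visible. That is the point of the control: the first command, not the fourth hour, is the moment to react.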
4. Secure Remote Access
This was the decisive failure point in the Norwegian incident. An exposed interface protected by weak or guessable credentials gave attackers the foothold they needed.
Effective application of this control would include:
- Brokered access through jump hosts or bastions inside secured zones, so no control interface is ever the first thing an external session touches
- Time-limited, MFA-protected, fully logged sessions tied to an approved change or maintenance window
- The same controls for internal users and third parties alike: temporary credentials, approval workflows, and continuous monitoring of the session
Remote access should enable operations without itself becoming the operational risk.
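The brokered, time-limited session model described above, as an added example that is not code from the original article or any product. It shows the broker-side logic only: a grant is issued only when an approval record covers the user and target, the request falls inside the approved window and the identity provider has confirmed MFA, and the grant expires on its own. The approval record, the MFA flag, the signing key and all names are hypothetical stand-ins for a change-management system, an identity provider and a secret store.

```python
"""Added example (not from the original article): a minimal remote-access
broker that issues short-lived, HMAC-signed session grants for OT targets.

The bastion would present a grant to the target-side gateway, which verifies
it with verify_grant() before opening the session. Everything here
(approval record, MFA result, key, names) is hypothetical sample data.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

BROKER_KEY = b"replace-with-key-from-secret-store"  # hypothetical; never hard-code
AUDIT = []  # stand-in for the broker's append-only session log


def _sign(payload):
    mac = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_grant(user, target, approval, mfa_verified, ttl_s=1800, now=None):
    """Issue a grant only if an unexpired approval covers this request and MFA passed."""
    now = time.time() if now is None else now
    if not mfa_verified:
        raise PermissionError("MFA required")
    if approval["user"] != user or approval["target"] != target:
        raise PermissionError("approval does not cover this request")
    if not (approval["window_start"] <= now <= approval["window_end"]):
        raise PermissionError("outside approved maintenance window")
    exp = min(now + ttl_s, approval["window_end"])  # a grant never outlives the window
    payload = json.dumps({"sub": user, "tgt": target, "apr": approval["id"],
                          "nbf": now, "exp": exp}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    AUDIT.append({"event": "grant", "user": user, "target": target,
                  "approval": approval["id"], "exp": exp})
    return token


def verify_grant(token, target, now=None):
    """Return the grant's claims if signature, target and validity window all check out, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims["tgt"] != target or not (claims["nbf"] <= now <= claims["exp"]):
        return None
    return claims


# Constructed approval: a vendor technician is allowed on the HMI for a two-hour window.
SAMPLE_APPROVAL = {
    "id": "CHG-0042",
    "user": "vendor.tech",
    "target": "dam-hmi-01",
    "window_start": 1_700_000_000,
    "window_end": 1_700_000_000 + 7200,
}

if __name__ == "__main__":
    t0 = SAMPLE_APPROVAL["window_start"] + 100
    grant = issue_grant("vendor.tech", "dam-hmi-01", SAMPLE_APPROVAL, mfa_verified=True, now=t0)
    print("valid now:", verify_grant(grant, "dam-hmi-01", now=t0 + 60) is not None)
    print("valid after 1h:", verify_grant(grant, "dam-hmi-01", now=t0 + 3600) is not None)
    print("valid for PLC:", verify_grant(grant, "plc-gate-1", now=t0 + 60) is not None)
```

Two design points matter here. The grant is bound to a single target, so a session approved for the HMI cannot be replayed against a PLC, and its expiry is capped by the approval window, so a long default TTL can never extend a session past the time the change board actually signed off. The audit entry is written at issue time, before any session exists, which is what makes the log useful for the incident responders in control 1.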
5. Risk-Based Vulnerability Management
The most significant vulnerability in this case was architectural rather than a software flaw: an internet-reachable control interface with a weak password.
Effective application of this control would include:
- Treating public exposure of any control interface as a critical condition in its own right, regardless of whether a CVE is involved
- Elevating weak credentials and unencrypted or unauthenticated protocols to high-risk status
- Applying compensating controls (segmentation, brokered access, monitoring) where patching or replacement is not immediately feasible
In OT, vulnerability severity should be measured first by physical consequence; a CVSS score alone says nothing about what a valve does when the finding is exploited.
The Path Forward for Critical Infrastructure Operators
The Lake Risevatnet attack did not depend on exceptional skill or tooling. It relied on predictable weaknesses that remain common across critical infrastructure sectors: exposed interfaces, weak credentials, and insufficient monitoring.
For operators across energy, water, transport, and manufacturing, the lesson is clear:
remote access should never be the weakness that brings down a critical process.
By implementing the SANS Five ICS Critical Controls (and by treating remote access as a privilege rather than a default) organizations can balance operational necessity with robust security.
FAQ
No. The attack exploited exposed access and weak controls rather than advanced exploits or malware.
Many OT systems were not designed for global connectivity. Without compensating controls, exposure creates inherent fragility.
In most critical-infrastructure environments, no. The focus must be on secure implementation, monitoring, and limitation of impact.
Ideally within minutes. Extended dwell time increases the likelihood of physical, environmental, or safety consequences.
Secure remote access combined with visibility. Without these, other controls are significantly less effective.