
Cyberattack on Norwegian Dam Highlights Password Exposure Risks

The breach of a Norwegian dam and fish farm underscores a key truth for security and risk leaders: it’s not always the sophisticated attacks that cause the most disruption; it’s the simple, overlooked exposures. Remote access, authentication hygiene, and clear ownership of cyber-physical systems should be routine agenda items, not reactive conversations.

The April compromise of a control system at a Norwegian dam and fish farm demonstrates the fragile nature of the technology guarding our critical infrastructure and how a routine exposure can disrupt or damage critical services we rely on. 

In this case, attackers compromised a weak password and were able to manipulate valves at the Lake Risevatnet dam, opening them all the way, causing an increase in water discharge of 497 liters per second above the mandated minimum flow. The attack went undetected for four hours but did not cause physical damage or endanger public safety. 

The breach underscores a key truth for security and risk leaders: it’s not always the sophisticated attacks that cause the most disruption; it’s the simple, overlooked exposures. Remote access, authentication hygiene, and clear ownership of cyber-physical systems should be routine agenda items, not reactive conversations. Incidents like this are not outliers; they’re reminders that foundational controls are the cornerstone of operational resilience.

Details of the Norwegian Dam Hack

The initial point of entry of the attack was a web-accessible control panel that managed the valve responsible for the dam’s minimum water flow. With that compromised, the attackers were able to bypass authentication controls and gain direct access to the operational technology (OT) environment.

Despite there being no threat to public safety from this particular event, this incident should serve as a wake-up call for critical infrastructure providers worldwide. In the U.S., for example, where more than 92,000 dams form a core part of critical infrastructure, the stakes could be much higher. This wasn’t a high-tech exploit—it was a case of insufficient access controls.  

What happened at the Norwegian dam mirrors what can be observed in all kinds of critical facilities worldwide: internet-exposed devices in smart building control systems without modern protections. Today, more than 23,000 connected building automation systems can be found in a Shodan search and are vulnerable to similar compromises by any opportunistic attacker. Imagine a scenario where an attacker can turn off the air conditioning in a hospital during the summer months. An asset that simple and that exposed can have real-world consequences.

While not every exposure leads to an incident, the dam hack reinforces the value of proactively securing remotely accessible interfaces—especially in environments that were never designed with connectivity in mind.

Too little security to safeguard critical infrastructure can quickly result in disastrous consequences. Once an attacker gains access to a device such as a control valve, they could potentially move laterally throughout the OT environment and cause severe damage. And the fact that this attack persisted for four hours before being detected is another indicator of how crucial it is to deploy sufficient monitoring of critical infrastructure such as dams. 

So, what can we learn from this incident? There are a number of conclusions we can draw from it.

OT Security Should Be Proactive, Not Reactive

Remote access, authentication hygiene, and clear ownership of cyber-physical interfaces should be routine checklist items, not reactive activities. Incidents such as the Lake Risevatnet breach are reminders that foundational controls are the cornerstone of operational resilience, and that basic protection for them, beyond a simple password, is nothing short of essential.

Overlooked Exposures Can Be the Most Dangerous

It’s not always the sophisticated, coordinated attacks that can cause the most damage. It can often be the simplest oversights that end up being the culprit. In this case, a simple issue of a password being the only means of defense resulted in four scary hours that could’ve had far-reaching effects beyond just one lake. 


Exposure Management Vital to Critical Infrastructure Protection

When it comes to OT security, not having basic protections is akin to leaving your front door unlocked. Security and risk management leaders should take note of this attack and the broad implications it carries. While not every exposure leads to an incident, the breach of Lake Risevatnet reinforces the value of proactively securing remote interfaces, especially in environments that were never designed with connectivity in mind. 


Having an exposure management strategy in place can be the key to preventing an incident like the one at Lake Risevatnet. What’s more, given the complex nature of an OT environment, that strategy should ideally be impact-centric to the business at large, not just focused on protecting individual assets. Adopting this approach is nothing short of essential when protecting critical infrastructure in 2025 and beyond.
