Okay, mi gente, let’s talk. I want to tell you about something that happened up in Norway, something that should be a real wake-up call for all of us. It’s about a dam, the Lake Risevatnet hydroelectric dam. In April of this year, some bad actors, some cyber-bandidos, found a way into its control system.
Imagine this: for about four hours, they cranked a valve wide open, just because they could. Now, gracias a Dios, nothing terrible happened. The river could handle the extra water, and nobody’s home was flooded. But we were lucky, my friends. This was a warning shot. It was a classic case of a simple mistake leading to a potentially huge problema. They got in because of a weak password on a system connected to the internet. A password! Something so simple.
Let’s break down how these guys did it, so you can understand and protect yourself.
How the Bandidos Walked Right In
So, how did they pull this off? Did they use some super-secret, advanced hacker tool? No, amigo. It was much, much simpler than that.
Investigators say the attackers found the dam’s control panel just sitting there, exposed on the internet. And the key to the front door? It was a default password, or one so weak you could guess it with a little bit of effort. De verdad, that’s all it took. Once they logged in, ¡zas!, they were inside the Operational Technology (OT) network. That’s the brain of the dam, the system that controls the physical machinery.
From there, they had the power to send commands directly to the valves. They chose the “minimum flow” valve and opened it 100%. For four hours, nobody noticed. Think about that. The system was doing something it wasn’t supposed to, and no alarms went off, no one saw it. This is not good.
The experts say if the attackers had targeted the main floodgates instead, the water flow could have been hundreds of times stronger. That would not have been a small problem; that would have been a disaster. All because the digital door was left unlocked and nobody was watching the cameras.
This Isn’t a New Story, Familia
Mira, this kind of thing, it’s not new. I’ve seen it before. It’s a pattern. These Industrial Control Systems (ICS), the computers that run our power plants, our water treatment facilities, our factories, they are often old. They were built decades ago when the only worry was a physical-world problem, not a cyber one.
Remember the story from a water plant in the U.S. a few years back? In Oldsmar, Florida? An attacker got in through a remote access program and tried to pump a dangerous amount of lye into the water supply. How did he get in? An old computer and a weak password. Sound familiar? Claro.
And there are more stories like this. A dam in New York. Water systems in Israel. The hackers are always looking for the fácil way in, the easy target. They use tools like Shodan to scan the internet, looking for these exposed control panels. And créeme, they find thousands of them. It’s a huge risk, because once they get a foothold on one small part, they can often move through the whole network.
How We Fight Back: The Solución
Okay, so the problem is clear. What is the solución? How do we stop these bandidos? It’s not about magic, my friends. It’s about being smart and doing the basics right. The U.S. government’s own cybersecurity agency, CISA, gives us the roadmap. It’s simple, direct advice.
- Get Off the Public Internet! An industrial control system should never be directly connected to the public internet. It’s like leaving the keys to the power plant on the front porch. You need to put these systems behind a firewall or a VPN. Isolate them. Protect them.
- Strong Passwords, Por Favor! This is so important, I cannot say it enough. Get rid of the default passwords like “admin” or “12345.” Use long, unique passphrases. And wherever you can, use Multifactor Authentication (MFA). That little code sent to your phone? It’s one of the best defenses you have. A simple password being the only defense is a recipe for disaster.
- Lock Down Remote Access. If you need to access the system from the outside, it must be done through a secure, encrypted tunnel, like a VPN. And everyone who connects needs their own username and password, with MFA. No sharing accounts, entiendes? And when someone leaves the company, disable their access immediately.
- Build Digital Walls. You have to separate your main business network (the IT network) from your industrial control network (the OT network). This is called segmentation. If a hacker gets into your email system, you don’t want them to be able to jump right over to the controls for the factory floor.
- Watch Everything. You need to have monitoring in place. If a valve opens when it shouldn’t, an alarm should go off instantly. You also need to be ready to take back control manually. If the computers go crazy, your people need to know how to run the system safely by hand.
This isn’t just my advice; it’s what all the big security frameworks, like NIST and ISA/IEC 62443, will tell you.
The story of the Norwegian dam is a wake-up call. A simple, low-tech mistake almost caused a high-stakes catastrophe. We have to treat the security of our critical infrastructure with the seriousness it deserves. It starts with the basics, the foundational controls.
So let’s be smart. Let’s be vigilant. Let’s lock our digital doors so we can keep our communities, our water, and our power safe. Stay safe out there, mi gente.
Javiertech 
Leave a comment