Why the NY Dam Incident Really Did Not Matter

Ray Park from the SCADASEC mailing list made this comment on 5-Apr-2016:

Dams, other than major hydroelectric dams, are not a good target for hack attack. With most flood control and water reservoir dams, the only real control is the floodgates. We considered how to use that and the only thing we could come up with was to raise the floodgate to the maximum height, wait for sensors (sometimes cameras) to show the water had filled the dam to capacity, and then lower the floodgates as fast as the mechanism will allow. This would, of course, have to be done in a way that concealed the activity from the operators. If the attackers’ goal is to cause flooding, a dam failure while filling has achieved that goal (at the cost of long-term damage), and if the dam holds, the relatively sudden outflow of water should flood areas downstream or other dams.
Source: SCADASEC Posting 5-Apr-2016

Ray mentioned the Taum Sauk dam failure in 2005. One interesting point to note: the Federal Energy Regulatory Commission fined Ameren $15 million pursuant to a settlement for the breach at Taum Sauk. This is the second-highest fine ever levied by FERC, exceeded only by the fine and subsequent settlement against FPL regarding the 2008 Florida electricity blackout.

On December 14, 2005 at approximately 5:20 AM CST the northwest corner of the Taum Sauk Pumped Storage Project No. 2277 upper reservoir rim dike failed resulting in a release of the upper reservoir. The reservoir was reported to have drained in about ½ hour. Approximately 4,300 Acre-feet of storage was released. The breach flow passed into East Fork of Black River (the river upstream of the lower Taum Sauk Dam) through a State park and campground area and into the lower reservoir. The Lower Taum Sauk Dam was reported to be overtopped and did not sustain damage. Upon leaving the Lower Taum Sauk Dam area, the high flows proceeded downstream of the Black River to the town of Lesterville, MO, located about 3.5 miles downstream from the Lower Dam. The incremental rise in the river level was about 2 feet which remained within the banks of the river.
Source: Taum Sauk Pumped Storage (No. P-2277) Dam Breach Incident

The dam of the lower reservoir downstream, which by design is capable of holding much of the capacity of the upper reservoir, withstood the onslaught of water from the flood breach. By storing most of the deluge it spared several towns downstream, including Lesterville and Centerville, from the damaging flood. A voluntary evacuation order was issued for those areas, but there was no damage. The high water was stopped at Clearwater Lake, the dam of which was not damaged by the rising waters. The flood did sweep away the superintendent of Johnson’s Shut-In and Taum Sauk state parks and his family but they survived with injuries. Fortunately, no one was killed by this catastrophic failure. There is a key difference between a pumped storage and a flood control facility – the pumping of water guarantees filling up the reservoir with little notice by the operators.

We found one, real-world scenario that had a greater than zero probability that it would leave a major urban area with about 4 feet of flooding. This involved a series of dams on the same watershed upstream of the urban area. We discovered attacks that allowed remotely raising the floodgates on all of them (separate attacks for each location) and if either rain filled them quickly or the dam operators didn’t notice, the reservoirs would fill to maximum capacity. We observed that the dam operators were in a completely different geographic region and relied upon remote telemetry and cameras. We felt that both could be manipulated to cover the rising waters. Once all the dams were filled, we calculated that dropping the floodgates sequentially (it would be critical to time things so the upstream crest arrived just as the floodgate of the downstream dam was lowered) would flood the urban area. While the majority of the dams were of earthen construction, we did not feel comfortable predicting catastrophic failures due either to overtopping the dams or floodwater pressure from upstream.
Source: SCADASEC Posting 5-April-2016

For this form of remote control, manipulating data and control over devices to cover the rising waters is very plausible. Once all of the dams are filled, dropping the floodgates sequentially (timing would be crucial, so that the upstream crest arrived just as the floodgate of the downstream dam was lowered) would have a far greater flooding impact on the targeted suburban area(s). While the majority of many dams are of earthen construction, reliably and accurately predicting such catastrophic failures, due either to overtopping the dams or to floodwater pressure from upstream, would be very difficult.

As far as the NY flood control dam is concerned, it is unknown whether the incident was an intentional act of terrorism. In any case, the impact would have been minimal.
