Sometimes the significance of critical infrastructure doesn’t hit home for people until they’re faced with the consequences of its failure. In 2005, the people in the Missouri Ozarks learned firsthand the value of information integrity and what can happen when efforts are not made to ensure the accuracy of data. Taum Sauk is a pumped-storage hydroelectric plant run by the AmerenUE electric company. Unlike most dams that produce electricity by harnessing the natural flow of water to move turbines, the Taum Sauk relied on two reservoirs at different elevations. Water was pumped from the lower reservoir to the upper reservoir when electricity was cheaper, and then water was allowed to flow down through turbines during peak times to generate electricity. To prevent erosion from water overtopping the upper reservoir, sensors were used to detect water levels to signal when pumping should cease.
According to news reports and a Wikipedia summary of multiple sources, a combination of issues led to the “Niagara Falls”-style overflow of the reservoir walls that effectively washed out the upper reservoir: the failure to detect small leaks in the upper reservoir walls, the lack of an overflow spillway, and the dislodgement of the gauge piping system that included the piezometers, or sensors, designed to detect the water levels. A Public Service Commission (PSC) Report concluded:
“...the Commission can only conclude that the loss of the Taum Sauk plant was due to imprudence on the part of UE (Ameren's AmerenUE Subsidiary). UE was well-aware of the catastrophic results likely to occur if the UR (Upper Reservoir) was overtopped by over-pumping. UE knew, or should have known, that storing water against the parapet wall of a rockfill dam was “unprecedented.” UE knew, or should have known, that operating with a freeboard of only one or two feet left no margin for error and required particularly accurate control of the UR water level. Given that circumstance, UE’s decision to continue operating Taum Sauk after the discovery of the failure of the gauge piping anchoring system and the consequent unreliability of the piezometers upon which the UR control system was based is frankly beyond imprudent – it is reckless. UE also knew or should have known that the upper Warrick probes had been reset above the lowest point at the top of the UR.” (PSC Report pp. 71-72)
Notwithstanding the other causes, the immediate issue at the time of the incident was that the electric company did not have an accurate reading of the water level of the reservoir or, to put it in information security terms, there was no data integrity. In this case, a hacker was not to blame, but arguably the consequences might have been the same. While data integrity is important in most aspects of the enterprise, it is vitally important in areas like critical infrastructure, where actions cannot be rolled back. In this situation, the Taum Sauk plant is expected to be back in service next year after a five-year outage. That’s certainly not the same thing as rebuilding a database or re-imaging a computer. Nonetheless, the precautions taken to prevent cyber attack are often similar, with redundancy and due diligence being significantly more critical. As we discuss critical infrastructure in the larger context of information security, let’s try to apply our expertise to multiple domains with a healthy appreciation for the risks we face with critical infrastructure.