One Weak Password, Full Process Control: Inside Norway’s 2025 Dam Cyberattack

In April 2025, unidentified hackers breached the control system of a hydroelectric dam at Lake Risevatnet, southwest of Norway, and remotely opened one of the dam’s water discharge valves. The attackers set the valve to 100% capacity for approximately four hours, causing an increased outflow of 497 liters per second above normal. Although this figure was well within the dam’s safe design—its riverbed can handle up to 20,000 liters per second—the event exposed a severe operational risk: attackers had real-time control of physical processes, and safety depended on sheer luck and detection.

What Actually Happened?

The breach exploited a web-accessible Human-Machine Interface (HMI), a core dam control component, which was left protected only by a weak password. This credential weakness, combined with the HMI’s direct internet exposure, allowed remote attackers to command critical operations undetected for hours. Only after roughly four hours did operators spot the unauthorized change and restore the system.

Forensic investigation pointed to a Russian-Hacktivist Group, Z-PENTEST, with Telegram videos published as proof. Norwegian authorities (Kripos) were notified. No physical damage occurred, but only because the attackers did not push the process past safe boundaries.

This Incident Was Not Isolated

A 2024 Censys scan found 145,000+ ICS devices (including dams, water plants, and energy networks) exposed to the public internet. Of these, more than 48,000 were in the United States alone. Many devices—including HMIs, PLCs, and SCADA panels—are discoverable with simple scans, often still protected by default or easily guessed passwords.

Additional industrial research highlights:

• 60% of OT cyberattacks are attributed to state-affiliated actors, according to Rockwell/Cyentia.
• Energy is the most targeted sector, representing 39% of attacks; critical manufacturing and transport follow.
• 34% of OT breaches start with phishing or credential theft, and over 80% pivot from IT into OT environments.
• The number of reported ICS vulnerabilities jumped 41% in six months in 2021; 71% were rated severe, and over 90% could be exploited remotely with low complexity.
• In more than half of OT attacks, adversaries gained access to control SCADA, HMI, or PLCs, not just “view” data.

Professional experts have sounded the alarm: “Assuming air-gapped security is no longer viable. Remote access, vendor connections, and weak authentication are now the industry’s biggest blind spots.” Real-world attacks increasingly involve “Manipulation of Control”—changing setpoints, opening valves, or disrupting processes—and “Manipulation of View” (hiding malicious actions from operators).

How to Protect Industrial Operations From Similar Threats

The Norwegian incident underlines the need for technical, evidence-based controls, not just regulatory box-ticking. Current best practice, as identified by security frameworks and industry research, includes:

1. Immediately audit and harden all internet-facing assets: Remove all default and weak credentials, especially on HMIs and PLCs. Use complex, unique passwords and multi-factor authentication for remote access.
2. Map, segment, and monitor networks: Create strong boundaries between OT and IT. Limit vendor and third-party access; log all remote sessions and restrict connectivity to only what’s necessary for operations.
3. Continuously discover and inventory all assets: Automated OT risk management platforms, like Radiflow’s CIARA, can provide real-time mapping, risk scoring, and simulation of attack paths—something no manual checklist can achieve.
4. Baseline and monitor for anomalies: Implement detection tools that alert on abnormal command sequences, process parameter changes, and access attempts, especially on critical control interfaces.
5. Drill and prepare for incidents: Maintain and rehearse incident response plans for process manipulation, including procedures for immediate manual override of control systems.

With the EU’s NIS2 Directive and standards like IEC 62443/NIST CSF raising the bar, operators are now expected to demonstrate continuous risk management, not just occasional audits.

To Summarize

The Lake Risevatnet dam breach is a clear warning: attackers can—and do—gain operational control if basic cyber hygiene and risk management are not enforced. Numbers don’t lie: tens of thousands of critical assets remain exposed, vulnerabilities are increasing, and attack tactics are becoming more direct. Protecting infrastructure now means real-time visibility, technical vigilance, and adopting proven risk management automation—before an “almost” disaster becomes a real one.