Water infrastructure at risk: Lessons from the Norwegian dam attack

The Risevatnet dam incident highlights vulnerabilities in OT systems, emphasizing the need for real-time physical process monitoring to detect and prevent cyber threats targeting critical infrastructure.
Nov. 3, 2025

Key Highlights

  • The Risevatnet breach demonstrated how attackers can manipulate physical assets without detection due to lack of process-layer visibility.
  • Traditional cybersecurity measures focus on network and IT layers, often missing the physical actions occurring at Level Zero in OT systems.
  • Implementing independent, out-of-band process monitoring can verify actual device states, providing a crucial second layer of defense against cyber intrusions.

On April 7, 2025, unknown attackers logged into the remote-control panel for the Risevatnet dam in Bremanger, Norway, and forced a discharge valve fully open, releasing maximum flow for roughly four hours. The intruders then posted a three-minute screen capture, watermarked with the name of a pro-Russian cybercriminal crew, on Telegram.

The spill caused no structural damage or downstream flooding, yet it triggered Norway’s first investigation under the new Penal Code §130, aimed at foreign influence operations. Investigators say the attackers most likely gained access through a weak password.

The incident is another reminder that attackers can reach the process layer (where pumps, valves, and other field devices move real water) long before traditional defenses raise an alarm. Once inside, they can alter operations at the physical level while remaining invisible to controls and alerts higher in the stack.

The process layer, referred to as Level Zero in the Purdue Model, is increasingly recognized as a critical target in OT cybersecurity. This article explores why that gap persists, and how utilities can gain real visibility into the physical layer to detect and respond before damage occurs.

An outdated IT cybersecurity playbook

Water utilities are under-resourced and over-exposed to risk.

Most plants still rely on aging PLCs, RTUs, and engineering workstations that were never designed to be connected. As these systems are increasingly networked for remote access and vendor support, they introduce new attack surfaces, often without the architecture or safeguards needed to defend them.

Compounding that is the regulatory gap. While compliance with water-quality and safety standards is mandatory, cybersecurity remains optional. The result is that cybersecurity investments are often deferred.

A third factor is that most utilities, especially small and mid-sized ones, lack dedicated OT-security professionals. The skills gap means many operators struggle to assess or mitigate cyber risk even as their systems grow more exposed.

The typical response to cyber threats remains narrowly focused on IT: stronger passwords, regular patching, multi-factor authentication, Intrusion Detection Systems, and network monitoring. All of these are important, but none are sufficient to stop sophisticated or state-sponsored attackers targeting critical infrastructure.

What is often missing is the ability to detect the physical expression of an OT cyberattack before it causes real-world impact.


The missing layer in OT cyber defense

In the Purdue Model, Level Zero refers to the process layer: physical pumps, valves, chemical-dosing skids, and the raw electrical signals (voltage, current, or 4–20 mA loops) that drive them.

Above that sit Levels 1 through 3: PLC logic, operator interfaces, SCADA servers, and plant historians. These upper layers manage and visualize control data and are typically protected by firewalls, segmentation, and endpoint security.

But none of those tools can confirm whether a pump actually started, a valve actually opened, or a chemical dose was delivered. That verification can only happen at Level Zero.

The Risevatnet breach makes this clear. Attackers remotely accessed the valve’s control interface using a weak password. The system showed the valve as open or closed, but there was no independent signal to confirm it. The breach was only discovered when a security guard, with no cyber background, noticed an unusual flow and physically checked the valve. That timing came down to luck. And luck is not a sustainable strategy.

How attackers exploit the Level Zero gap

This lack of process-layer visibility creates opportunities that attackers can exploit.

One method is direct command abuse. A malicious PLC command (whether introduced through malware or misused credentials) can drive a pump or dosing skid to maximum output, while the operator interface still displays the previous setpoint.

False-data injection is another tactic. In this case, sensor values are manipulated so the system appears to be operating normally, even as the actual process drifts out of bounds. Operators often detect this only after physical symptoms emerge, such as discolored water or abnormal flow.

Finally, ransomware, though typically an IT threat, has a growing footprint in OT. More than one-third of ransomware incidents in industrial settings also impact Operational Technology. In water utilities, that can leave pumps, motors, or valves in unknown or unsafe states - without any digital indication.

Why Level Zero must be part of the defense strategy

These risks do not require abandoning existing defenses. They require expanding them.

Traditional network tools are essential for detecting lateral movement, credential misuse, and suspicious network behavior. But they can only show what was commanded - not whether the physical equipment actually responded.

Level Zero monitoring addresses that gap. By independently measuring current, voltage, or flow (outside the SCADA loop) utilities can verify whether the physical action occurred. This provides a second source of truth, resistant to tampering or forgery.

When network and process data are viewed together, operators gain faster, more trustworthy alerts. They can also identify the affected asset more precisely, reducing incident response time and uncertainty.

Public policy is catching up

Process-layer monitoring is no longer just a best practice. It is beginning to appear in formal guidance.

The latest revision of NIST SP 800-82 recommends “separate Field I/O monitoring” for critical Level Zero assets, noting that unauthenticated sensors and actuators can be spoofed or replayed.

The EPA’s Water-Sector Cybersecurity Program places specific emphasis on securing OT systems that manage treatment and distribution processes, explicitly naming sensors and physical controls.

And in Norway, where the incident occurred, the use of Penal Code §130 following the Risevatnet breach signals a broader shift: interference with physical infrastructure (even without damage) is now considered a matter of national security.

What water utility decision-makers can do now

Operators and managers at water utilities should reassess their cybersecurity priorities to include physical operations. Pumps, valves, and dosing skids may not sit on a network diagram, but they are the assets that matter most when an attack hits.

These assets can be equipped with out-of-band monitoring that independently tracks physical process signals - such as flow, pressure, or electrical current - without relying on the control software. By comparing this process-level data to what the system believes is happening, operators can detect when field devices are not behaving as expected. If the valve didn’t move or the pump didn’t start, the system flags the discrepancy.
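As an added illustration of the cross-check described above (and of the "second source of truth" discussed under "Why Level Zero must be part of the defense strategy"), here is example detection logic that is not from the article or from Siga. It treats an independently measured 4-20 mA flow signal as ground truth and compares it with the valve state and flow value the HMI reports; the meter calibration, loop fault bands, tolerance and sample readings are constructed assumptions.

```python
"""Level Zero cross-check: HMI/SCADA values vs. an out-of-band 4-20 mA flow signal."""
from dataclasses import dataclass

# Constructed calibration for a hypothetical independent flow meter:
# 4 mA = 0 m^3/s, 20 mA = 10 m^3/s, linear in between.
LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0
FLOW_SPAN_M3S = 10.0
# Currents outside this window mean a broken or shorted loop (NAMUR NE43
# fault bands), which is a sensor problem, not a process reading.
FAULT_LOW_MA, FAULT_HIGH_MA = 3.8, 20.5
TOLERANCE_M3S = 0.5  # allowed gap between SCADA value and field value

@dataclass
class Sample:
    ts: str
    scada_valve_open: bool  # valve state shown on the operator HMI
    scada_flow_m3s: float   # flow value the HMI displays
    field_loop_ma: float    # independently measured 4-20 mA loop current

def loop_to_flow(ma: float) -> float:
    """Convert loop current to flow using the constructed calibration."""
    return (ma - LOOP_MIN_MA) / (LOOP_MAX_MA - LOOP_MIN_MA) * FLOW_SPAN_M3S

def check(s: Sample) -> str:
    """Return 'OK' or a discrepancy label; the field signal is the source of truth."""
    if not FAULT_LOW_MA <= s.field_loop_ma <= FAULT_HIGH_MA:
        return "SENSOR_FAULT"        # cannot verify anything with a dead loop
    field_flow = loop_to_flow(s.field_loop_ma)
    if not s.scada_valve_open and field_flow > TOLERANCE_M3S:
        return "UNEXPECTED_FLOW"     # HMI says closed, but water is moving
    if s.scada_valve_open and field_flow < TOLERANCE_M3S:
        return "VALVE_DID_NOT_OPEN"  # commanded open, no flow in the field
    if abs(field_flow - s.scada_flow_m3s) > TOLERANCE_M3S:
        return "DATA_MISMATCH"       # displayed value disagrees with the field
    return "OK"

def audit(samples) -> list:
    """Return (timestamp, label) for every sample that is not OK."""
    results = [(s.ts, check(s)) for s in samples]
    return [r for r in results if r[1] != "OK"]

# Constructed samples covering the cases discussed in the article.
SAMPLES = [
    Sample("06:00", False, 0.0, 4.0),   # closed, no flow: normal
    Sample("06:05", True, 8.0, 16.8),   # open, HMI and field agree: normal
    Sample("06:10", True, 2.0, 20.0),   # field at full scale, HMI shows 2.0
    Sample("06:15", True, 0.0, 4.0),    # HMI says open, nothing moved
    Sample("06:20", False, 0.0, 12.0),  # HMI says closed, 5 m^3/s flowing
    Sample("06:25", False, 0.0, 2.1),   # loop current below the fault band
]
```

Each non-OK label names the affected asset's discrepancy type, which is what a shift report or alert workflow needs to act on.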

Even in facilities without a formal Security Operations Center (SOC), this data can feed into shift reports, alert protocols, or incident-response workflows, ensuring faster recognition and more grounded decision-making.

Bremanger was lucky. The next town may not be.

The Risevatnet valve opened in daylight. A guard was nearby. No one was harmed. But that is not a defense model - it is a statistical fluke.

Water utilities now operate at the intersection of aging equipment, limited staffing, and increasing nation-state interest. Level Zero monitoring won’t prevent every attack, but it offers something most cybersecurity tools still can’t: a real-time view of what is actually happening in the physical process.

That is the difference between reading about a breach - and stopping it before it happens.

Sources

https://energiteknikk.net/2025/06/hackere-apnet-ve

https://www.gao.gov/assets/gao-24-106744.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

https://www.cisa.gov/news-events/cybersecurity-advisories/

About the Author

Amir Samoiloff

Amir Samoiloff is CEO of Siga.
