FOLSOM DAM (CBS13) — Two dams designated as critical to U.S. security have increased risks of insider sabotage according to a blistering report by a federal inspector general.

The two dams were not named for security purposes, but they are among five operated by the U.S. Bureau of Reclamation.

The Folsom Dam is one of the five.

The U.S. Bureau of Reclamation Inspector General report details the critical infrastructure dams that rely on remotely controlled operations of generators, gates, and outlet valves.

The findings show lax account management and security practices at two of the remotely operated dams have elevated them to heightened risks from insider threats.

The report reads too many employees had system administrator access, and the dams controls:

“…had an extensive number of group accounts…”

“…did not comply with password policies…”


“…did not complete more rigorous background investigations…”

The report says a malicious insider could disrupt operations, and delete files.

“Reclamation takes the security of the national critical infrastructure as our very top priority, we have the best and brightest minds looking at that,” U.S. Bureau of Reclamation Spokesperson Erin Curtis said.

The U.S. Bureau of Reclamation did not concur with all the findings. The agency’s redacted responses were included in the report. It operates five critical infrastructure dams, including California’s Shasta and Folsom Dams.

Cindy Baker and her family live in Folsom and in the inundation zone if there was a dam failure.

“If it did fail,” Baker said, “certainly we would be in big trouble.”

Baker says despite the inspector general report, she’s not concerned for her city’s safety.

“I trust that the bureau is going to recheck maybe all of their policies, especially in this light,” Baker said.

It is alarming language in a critical report—risks of insider sabotage at several U.S. dams.

Now the cybersecurity threats have led to heightened scrutiny.

Next up, this report goes to the U.S Department of Interior to determine what cybersecurity changes could be on the way.