What the April 2025 dam hack should teach every fish farm
In April 2025 a pro-Russian group opened a valve at a small Norwegian dam and left it open for about four hours. There was no clever exploit. The control panel was reachable from the open internet and it was protected by a weak password. That was the whole story. Someone found it, tried the obvious thing, and it worked.
Most coverage treated this as a dam story. It is not. It is a warning label for anyone running connected equipment on the coast, and that now includes almost every fish farm in the country.
Your site has more of these panels than that dam did
Walk a modern salmon site and count the things that talk to a network. Feeding systems. Oxygen sensors. Water-flow and pump control. Sea-lice dosing. Cameras. A remote gateway so someone can check the site from the mainland on a Sunday. A lot of it is older equipment that was never meant to face the internet, then got connected anyway because it was convenient.
The dam had one exposed system. A single site can have a dozen. Each one is a door, and the attacker in April did not pick a lock. He walked through a door that was left open.
Nobody targets you for being you
This is the part that trips people up. The instinct is to say we are too small to matter, we are not a bank, why would anyone bother. But the dam was not important either. It was found by a scanner that sweeps the internet looking for control panels with default logins, the same way a thief walks a street and pulls door handles. You do not get chosen. You get found.
The question is not whether someone wants to attack your farm. It is whether your farm is easy, and whether you would even know.
What actually goes wrong is boring, and expensive
Forget the movie version. The realistic bad day is a feeding line that stops, an oxygen setpoint that drifts, a valve that moves when it should not. Then a stressed stock, maybe a die-off, a very bad week, and phone calls you do not want to make: to your insurer, to a retailer, and possibly to NSM. The damage is operational and financial long before it is dramatic.
The timing is not a coincidence
PST called 2026 the most serious security situation since the war, and named the High North specifically. Norway's Digital Security Act has been in force since October 2025, with real fines attached. NIS2 is coming behind it, and it reaches into food and water supply. None of that is fear. It is a calendar. The operators who look at their exposure now have time to fix things calmly. The ones who wait will do it in a hurry, under pressure, and for more money.
What to check this week
You do not need a big platform to start. You need to close the obvious doors. In rough order:
- Find out what on your site is reachable from outside the local network. If you are not sure, assume something is.
- Kill default and shared passwords on anything with a login. This one fix would have stopped the dam attack.
- Keep the control network separate from the office and guest wifi. Flat networks turn one weak device into a whole-site problem.
- Write down what you actually have. You cannot protect a device you have never listed.
- Know who you call at two in the morning, before you need to.
That list will not make you bulletproof. Nothing does. But it moves you from wide open to a hard-enough target, which is most of the battle against opportunists.
Where we fit
Havvakt does exactly this, one site at a time. We come out, map what is connected, score the exposure the way a regulator would read it, and hand you a plain list of what to fix first and evidence you can show a board or an insurer. We are early, and we are honest about it. Right now we are looking for a small number of founding pilot sites in Troms and Finnmark to work with closely.
Want to be a pilot site?
Leave your email and we will get in touch. No sales pitch, just a conversation about your setup.
Prefer to read the pitch first? See how it works.
Written by Havvakt's founder. Full name and bio once Havvakt is full-time. For now, the work speaks first.