Largest US Power Company “Vulnerable To Hacking”

The GAO said the Tennessee Valley Authority (TVA), which supplies power to almost 9 million Americans, “has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures, leaving them vulnerable to disruption.”

An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program, according to the GAO report.

The GAO found that TVA’s firewalls had been bypassed or were inadequately configured; passwords were ineffective; intrusion-detection systems were inadequate; servers and workstations lacked key patches and effective virus protection; and computers on TVA’s corporate network lacked security software updates.

TVA COO Bill McCollum said the agency is already addressing most of the security concerns highlighted by the GAO. In testimony before Congress, McCollum noted TVA recently tested the security of its computerized power controls with a third-party vendor and that the consultant team was unable to gain access to any of the targeted process control networks.

When asked why government investigators found that passwords, firewalls and other standard protections were either not in place or were inadequate, McCollum said standards for security measures continue to evolve and be revised.

“From my perspective, TVA is moving as fast as possible to continue to improve the security of our systems and infrastructure,” he said, adding that the TVA had already been working to fix the problems when the GAO investigation happened.

According to McCollum, the TVA will tackle most of the problems by the end of the year. He said the TVA had already started to address 17 of the 19 issues raised by the GAO.

The report, which included 73 specific recommendations for security fixes, focused on 19 general recommendations.

The recommendations included setting up a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities; categorizing and assessing the risk of all control systems; and revising TVA information security policies and procedures to specifically mention their applicability to control systems.
