Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks
Highlights
Securing the control systems that regulate the nation's critical infrastructures is vital to ensuring our economic security and public health and safety. The Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, generates and distributes power in an area of about 80,000 square miles in the southeastern United States. GAO was asked to determine whether TVA has implemented appropriate information security practices to protect its control systems. To do this, GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities. |
In June 2009, we verified that TVA had established formal documented configuration management processes for changes to software governing control systems at its hydroelectric and fossil facilities. As a result, decreased risk exists that unapproved changes to control systems can be made.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a patch management policy for all control systems. |
In February 2011, we verified that TVA had established a patch management policy for all control systems. As a result, TVA has reduced the likelihood of unauthorized individuals gaining access to network resources or disrupting network operations by exploiting known vulnerabilities in its systems.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a complete and accurate inventory of agency information systems that includes each TVA control system either as a major application, or as a minor application to a general support system. |
In February 2011, we verified that TVA developed inventories for the control systems at the nuclear, hydroelectric and fossil facilities we had reviewed. By establishing these inventories, TVA has better positioned itself to ensure that the appropriate security controls have been implemented to protect these systems
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should categorize and assess the risk of all control systems. |
In August 2012, we verified that TVA had categorized and assessed the risk of its control systems. As a result, TVA can better prevent the unauthorized access, use, disclosure, disruption, modification, or destruction of its control systems.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should update the transmission control system risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluations and self-assessments. |
In June 2009, we verified that TVA, in response to our recommendation, updated the risk assessment report to include this information. As a result, TVA can make risk-based decisions on the security needs of its transmission control system.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA information security policies and procedures to specifically mention their applicability to control systems. |
In June 2009, we verified that TVA, in response to our recommendation, revised its information security policies and procedures to include control systems. As a result, TVA has better emphasized the importance of securing its control systems from compromise and disruption.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that any division-level information security policies and procedures established to address industry regulations or guidance are consistent with, refer to, and are fully integrated with TVA corporate security policy and federal guidance. |
In June 2009, we verified that TVA and its business units followed our recommendation and developed policies that are consistent with both the agency-wide IT policy and federal guidance. As a result, TVA has improved its ability to apply IT security requirements consistently across the agency.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise the intergroup agreements between TVA's Transmission and Reliability Organization and its fossil and hydroelectric business units to explicitly define cyber security roles and responsibilities. |
In June 2009, we verified that TVA, in response to our recommendation, revised the intergroup agreements to include the cyber security roles and responsibilities of the fossil and hydroelectric business units. As a result, TVA has better assurance that security controls will be in place at individual plants to ensure that critical generation equipment may be able to start, safely shut down, or be controlled by the transmission control system when necessary.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA patch management policy to clarify its applicability to control systems and network infrastructure devices, provide guidance to prioritize vulnerabilities based on criticality of IT resources, and define situations where it would be appropriate to upgrade or downgrade a vulnerability's priority from that given by industry standard sources. |
In June 2009, we verified that TVA followed our recommendation and revised its patch management policy to clarify its applicability to control systems and infrastructure devices, provide guidance to prioritize vulnerabilities based on criticality of IT resources, and define situations where it would be appropriate to upgrade or downgrade a vulnerability's priority from that given by industry standard sources. As a result, TVA faces a decreased risk that critical systems may remain vulnerable to known vulnerabilities.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize draft TVA physical security standards. |
In June 2009, we verified that TVA, in response to our recommendation, issued a finalized version of its physical security standards. As a result, TVA has provided clear and consistent physical security policy for all non-nuclear facilities.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should complete system security plans that cover all control systems in accordance with National Institutes of Standards and Technology (NIST) guidance and include all information required by NIST in security plans, such as the Federal Information Processing Standard 199 category and the certification and accreditation status of connected systems. |
In August 2012, we verified that TVA had completed system security plans for the control systems at the fossil and hydroelectric plants we reviewed and was in the process of complying with new regulations requiring the agency to complete the plans for the nuclear facility we reviewed. As a result, TVA has improved its ability to ensure the appropriate controls are in place to protect its control systems.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should enforce a process to ensure that employees who do not complete required security awareness training cannot access control system-specific networks. |
TVA, in response to our recommendation, implemented an automated email reminder beginning 45 days prior to an employee's training deadline. If the employee fails to complete the annual training, the employee's corporate network ID is to be disabled. As a result, TVA staff are aware of their roles and responsibilities to properly reduce information security risks.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that all designated employees complete role-based security training and that this training includes relevant technical topics. |
In July 2009, we verified that TVA had developed a process to ensure that designated employees complete role-based security training including appropriate technical topics.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement a TVA policy to ensure that periodic (at least annual) assessments of control effectiveness use NIST SP 800-53A for major applications and general support systems. |
TVA has taken steps to address this recommendation but as of September 2012 has not yet fully addressed it.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should perform assessments of control effectiveness following the methodology in NIST SP 800-53A. |
We determined that TVA did not address this recommendation. The remedial action plans we received did not address all OMB required fields.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement remedial action plans for all control systems. |
TVA has taken steps to address this recommendation but as of September 2012 has not yet fully addressed it.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should include the results of inspector general assessments in the remedial action plan for the transmission control system. |
In June 2009, we verified that TVA, in response to our recommendation, included the Inspector General's suggested remediations in the transmission control system plan of actions and milestones. As a result, TVA has better assurance that the proper resources will be applied to known vulnerabilities.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize the draft agencywide cyber incident response procedure. |
In June 2009, we verified that TVA, in response to our recommendation, finalized the agency-wide cyber incident response procedure. As a result, TVA is better able to report and respond to incidents in an effective manner.
|
Tennessee Valley Authority | To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should document backup procedures at all control system facilities. |
As of February 2011, we verified that there are backup or recovery procedures in place for control systems at the nuclear, hydroelectric and fossil facilities that we reviewed. . By establishing these procedures TVA increases its assurance that it will be able to respond appropriately in the case of a cyber or physical incident.
|