Information Security:

TVA Needs to Address Weaknesses in Control Systems and Networks

GAO-08-526: Published: May 21, 2008. Publicly Released: May 21, 2008.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Securing the control systems that regulate the nation's critical infrastructures is vital to ensuring our economic security and public health and safety. The Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, generates and distributes power in an area of about 80,000 square miles in the southeastern United States. GAO was asked to determine whether TVA has implemented appropriate information security practices to protect its control systems. To do this, GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security.

TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA's corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats. An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. For example, the agency lacked a complete inventory of its control systems and had not categorized all of its control systems according to risk, thereby limiting assurance that these systems were adequately protected. Agency officials stated that they plan to complete these risk assessments and related activities but have not established a completion date. Key information security policies and procedures were also in draft or under revision. Additionally, the agency's patch management process lacked a way to effectively prioritize vulnerabilities. TVA had only completed one system security plan, and another plan was under development. The agency had also tested the effectiveness of its control systems' security using outdated federal guidance, and many control systems had not been tested for security. In addition, only 25 percent of relevant agency staff had completed required role-based security training in fiscal year 2007. Furthermore, while the agency had developed a process to track remedial actions for information security, this process had not been implemented for the majority of its control systems. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should document backup procedures at all control system facilities.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: As of February 2011, we verified that there are backup or recovery procedures in place for control systems at the nuclear, hydroelectric and fossil facilities that we reviewed. . By establishing these procedures TVA increases its assurance that it will be able to respond appropriately in the case of a cyber or physical incident.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise the intergroup agreements between TVA's Transmission and Reliability Organization and its fossil and hydroelectric business units to explicitly define cyber security roles and responsibilities.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, revised the intergroup agreements to include the cyber security roles and responsibilities of the fossil and hydroelectric business units. As a result, TVA has better assurance that security controls will be in place at individual plants to ensure that critical generation equipment may be able to start, safely shut down, or be controlled by the transmission control system when necessary.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that any division-level information security policies and procedures established to address industry regulations or guidance are consistent with, refer to, and are fully integrated with TVA corporate security policy and federal guidance.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA and its business units followed our recommendation and developed policies that are consistent with both the agency-wide IT policy and federal guidance. As a result, TVA has improved its ability to apply IT security requirements consistently across the agency.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA information security policies and procedures to specifically mention their applicability to control systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, revised its information security policies and procedures to include control systems. As a result, TVA has better emphasized the importance of securing its control systems from compromise and disruption.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should update the transmission control system risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluations and self-assessments.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, updated the risk assessment report to include this information. As a result, TVA can make risk-based decisions on the security needs of its transmission control system.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should categorize and assess the risk of all control systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In August 2012, we verified that TVA had categorized and assessed the risk of its control systems. As a result, TVA can better prevent the unauthorized access, use, disclosure, disruption, modification, or destruction of its control systems.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a complete and accurate inventory of agency information systems that includes each TVA control system either as a major application, or as a minor application to a general support system.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In February 2011, we verified that TVA developed inventories for the control systems at the nuclear, hydroelectric and fossil facilities we had reviewed. By establishing these inventories, TVA has better positioned itself to ensure that the appropriate security controls have been implemented to protect these systems

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a patch management policy for all control systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In February 2011, we verified that TVA had established a patch management policy for all control systems. As a result, TVA has reduced the likelihood of unauthorized individuals gaining access to network resources or disrupting network operations by exploiting known vulnerabilities in its systems.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA had established formal documented configuration management processes for changes to software governing control systems at its hydroelectric and fossil facilities. As a result, decreased risk exists that unapproved changes to control systems can be made.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA patch management policy to clarify its applicability to control systems and network infrastructure devices, provide guidance to prioritize vulnerabilities based on criticality of IT resources, and define situations where it would be appropriate to upgrade or downgrade a vulnerability's priority from that given by industry standard sources.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA followed our recommendation and revised its patch management policy to clarify its applicability to control systems and infrastructure devices, provide guidance to prioritize vulnerabilities based on criticality of IT resources, and define situations where it would be appropriate to upgrade or downgrade a vulnerability's priority from that given by industry standard sources. As a result, TVA faces a decreased risk that critical systems may remain vulnerable to known vulnerabilities.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize draft TVA physical security standards.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, issued a finalized version of its physical security standards. As a result, TVA has provided clear and consistent physical security policy for all non-nuclear facilities.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize the draft agencywide cyber incident response procedure.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, finalized the agency-wide cyber incident response procedure. As a result, TVA is better able to report and respond to incidents in an effective manner.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should include the results of inspector general assessments in the remedial action plan for the transmission control system.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In June 2009, we verified that TVA, in response to our recommendation, included the Inspector General's suggested remediations in the transmission control system plan of actions and milestones. As a result, TVA has better assurance that the proper resources will be applied to known vulnerabilities.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement remedial action plans for all control systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Not Implemented

    Comments: TVA has taken steps to address this recommendation but as of September 2012 has not yet fully addressed it.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should perform assessments of control effectiveness following the methodology in NIST SP 800-53A.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Not Implemented

    Comments: We determined that TVA did not address this recommendation. The remedial action plans we received did not address all OMB required fields.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement a TVA policy to ensure that periodic (at least annual) assessments of control effectiveness use NIST SP 800-53A for major applications and general support systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Not Implemented

    Comments: TVA has taken steps to address this recommendation but as of September 2012 has not yet fully addressed it.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that all designated employees complete role-based security training and that this training includes relevant technical topics.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In July 2009, we verified that TVA had developed a process to ensure that designated employees complete role-based security training including appropriate technical topics.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should enforce a process to ensure that employees who do not complete required security awareness training cannot access control system-specific networks.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: TVA, in response to our recommendation, implemented an automated email reminder beginning 45 days prior to an employee's training deadline. If the employee fails to complete the annual training, the employee's corporate network ID is to be disabled. As a result, TVA staff are aware of their roles and responsibilities to properly reduce information security risks.

    Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should complete system security plans that cover all control systems in accordance with National Institutes of Standards and Technology (NIST) guidance and include all information required by NIST in security plans, such as the Federal Information Processing Standard 199 category and the certification and accreditation status of connected systems.

    Agency Affected: Tennessee Valley Authority

    Status: Closed - Implemented

    Comments: In August 2012, we verified that TVA had completed system security plans for the control systems at the fossil and hydroelectric plants we reviewed and was in the process of complying with new regulations requiring the agency to complete the plans for the nuclear facility we reviewed. As a result, TVA has improved its ability to ensure the appropriate controls are in place to protect its control systems.

    Jul 17, 2014

    Jun 25, 2014

    May 30, 2014

    Apr 17, 2014

    Apr 2, 2014

    Jan 28, 2014

    Jan 8, 2014

    Sep 26, 2013

    Feb 20, 2013

    Feb 1, 2013

    Looking for more? Browse all our products here