Information Security: TVA Needs to Enhance Security of Critical Infrastructure Control Systems and Networks

The control systems that regulate the nation's critical infrastructures face risks of cyber threats, system vulnerabilities, and potential attacks. Securing these systems is therefore vital to ensuring national security, economic well-being, and public health and safety. While most critical infrastructures are privately owned, the Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, provides power and other services to a large swath of the American Southeast. GAO was asked to testify on its public report being released today on the security controls in place over TVA's critical infrastructure control systems. In doing this work, GAO examined the security practices in place at TVA facilities; analyzed the agency's information security policies, plans, and procedures in light of federal law and guidance; and interviewed agency officials responsible for overseeing TVA's control systems and their security.