The Tennessee Valley Authority (TVA) – a federally-owned electric utility serving seven states with power generated from dams on the Tennessee River – is employing vulnerable versions of operating systems in its non-dam control system, according to an audit from TVA’s Office of Inspector General (OIG) which examines cybersecurity controls of that system.
In addition to uncovering vulnerable versions of operating systems and control system software, the audit also found “no clear ownership” of the non-power dam control system; inappropriate logical and physical access; and internal IT controls that were not operating effectively, or had not been designed and implemented.
“Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access,” wrote the OIG. “We recommend the Senior VP, Resource Management and Operations Services, update the non-power dam control system to address the identified vulnerabilities and information technology control weaknesses.”
TVA agreed with this recommendation and provided information on planned actions in the report.
The audit by the TVA OIG was conducted to determine if the cybersecurity controls of the non-power dam control system were operating effectively.
Objectives for the audit included:
- Gain an understanding of the control system and dams it controls;
- Review documentation related to the control system;
- Review logical access and physical access to the control system;
- Review vulnerability reports to identify risks;
- Observe control system operating systems and software; and
- Observe physical access controls for appropriateness.
“In discussions with TVA management, we identified various non-power dams operated by the control system under review,” wrote the OIG. “During those discussions, we determined that risks related to river management would be low based on their location, size, and existing physical controls that limit water flow adjustments.”
“However, unauthorized access events pose a high reputational risk for TVA,” the OIG said.