Summary
Securing the control systems that regulate the nation's critical infrastructures is vital to ensuring our economic security and public health and safety. The Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, generates and distributes power in an area of about 80,000 square miles in the southeastern United States. GAO was asked to determine whether TVA has implemented appropriate information security practices to protect its control systems. To do this, GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security.
TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA's corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats. An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. For example, the agency lacked a complete inventory of its control systems and had not categorized all of its control systems according to risk, thereby limiting assurance that these systems were adequately protected. Agency officials stated that they plan to complete these risk assessments and related activities but have not established a completion date. Key information security policies and procedures were also in draft or under revision. Additionally, the agency's patch management process lacked a way to effectively prioritize vulnerabilities. TVA had only completed one system security plan, and another plan was under development. The agency had also tested the effectiveness of its control systems' security using outdated federal guidance, and many control systems had not been tested for security. In addition, only 25 percent of relevant agency staff had completed required role-based security training in fiscal year 2007. Furthermore, while the agency had developed a process to track remedial actions for information security, this process had not been implemented for the majority of its control systems. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Gregory C. Wilshusen
Government Accountability Office: Information Technology
(202) 512-6244
Recommendations for Executive Action
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a patch management policy for all control systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should establish a complete and accurate inventory of agency information systems that includes each TVA control system either as a major application, or as a minor application to a general support system.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should categorize and assess the risk of all control systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should update the transmission control system risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluations and self-assessments.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA information security policies and procedures to specifically mention their applicability to control systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that any division-level information security policies and procedures established to address industry regulations or guidance are consistent with, refer to, and are fully integrated with TVA corporate security policy and federal guidance.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise the intergroup agreements between TVA's Transmission and Reliability Organization and its fossil and hydroelectric business units to explicitly define cyber security roles and responsibilities.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should revise TVA patch management policy to clarify its applicability to control systems and network infrastructure devices, provide guidance to prioritize vulnerabilities based on criticality of IT resources, and define situations where it would be appropriate to upgrade or downgrade a vulnerability's priority from that given by industry standard sources.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize draft TVA physical security standards.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should complete system security plans that cover all control systems in accordance with National Institutes of Standards and Technology (NIST) guidance and include all information required by NIST in security plans, such as the Federal Information Processing Standard 199 category and the certification and accreditation status of connected systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should enforce a process to ensure that employees who do not complete required security awareness training cannot access control system-specific networks.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should ensure that all designated employees complete role-based security training and that this training includes relevant technical topics.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement a TVA policy to ensure that periodic (at least annual) assessments of control effectiveness use NIST SP 800-53A for major applications and general support systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should perform assessments of control effectiveness following the methodology in NIST SP 800-53A.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should develop and implement remedial action plans for all control systems.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should include the results of inspector general assessments in the remedial action plan for the transmission control system.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should finalize the draft agencywide cyber incident response procedure.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To improve the implementation of information security program activities for the control systems governing TVA's critical infrastructures, the Chief Executive Officer of TVA should document backup procedures at all control system facilities.
Agency Affected: Tennessee Valley Authority
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
