Network World
Saturday, November 22, 2008

Layer 8

Largest US power company is a network security black hole

The Government Accountability Office today issued a searing indictment of the network security systems, or lack thereof, guarding the control systems that regulate the country’s largest public power company.

The Tennessee Valley Authority (TVA), a federal corporation that generates power using 52 fossil, hydro and nuclear facilities in an area of about 80,000 square miles, has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures, the GAO concluded.

TVA’s corporate network infrastructure and its control systems networks and devices at individual facilities and plants reviewed were vulnerable to disruptions that could endanger a good portion of the country’s economic security and public health and safety, the GAO said.

Control system security is critical because such systems can be used to monitor processes—for example, the environmental conditions in a small office building—or to manage the complex activities of a municipal water system or a nuclear power plant. In the electric power industry, control systems can be used to manage and control the generation, transmission, and distribution of electric power. For example, control systems can open and close circuit breakers and set thresholds for preventive shutdowns, the GAO stated.

Specific issues the GAO found in an audit conducted between March 2007 and May 2008 included:

· On the corporate network, one remote access system we reviewed that was used for the network was not securely configured, and individual workstations we reviewed lacked key patches and had inadequate security settings for key programs. Further, network infrastructure protocols and devices provided limited protections.

· The intrusion detection system that TVA used had significant limitations on its ability to effectively monitor the network. Although a network intrusion detection system was deployed by TVA to monitor network traffic, it could not effectively monitor certain data for key computer assets.

· On control systems networks, firewalls were bypassed or inadequately configured, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were not consistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems.

· Interconnections between TVA’s control system networks and its corporate network increase the risk that security weaknesses on the corporate network could affect control systems networks. Although TVA used multiple network segments to separate more sensitive equipment, such as control systems, from the corporate network, weaknesses in the separation of these network segments could allow an attacker who gained access to a less secure portion of the interconnected network, such as the corporate network, to compromise equipment in a more secure portion of the interconnected network.

· The agency lacked a complete inventory of its control systems and had not categorized all of its control systems according to risk, thereby limiting assurance that these systems were adequately protected. Agency officials stated that they plan to complete these risk assessments and related activities but have not established a completion date. Key information security policies and procedures were also in draft or under revision.

· Only 25% of relevant agency staff had completed required role-based security training in fiscal year 2007. Furthermore, while the agency had developed a process to track remedial actions for information security, this process had not been implemented for the majority of its control systems. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.

To improve the TVA’s information security, the GAO made 19 recommendations, including: setting up a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities; setting up a patch management policy for all control systems; establishing a complete and accurate inventory of agency information systems that includes each TVA control system either as a major application, or as a minor application to a general support system; categorizing and assessing the risk of all control systems; updating the transmission control system risk assessment to include the risk associated with vulnerabilities identified during security testing and evaluations and self-assessments; and revising TVA information security policies and procedures to specifically mention their applicability to control systems.

In a separate report designated “Limited Official Use Only,” the GAO made 73 additional recommendations to correct specific information security weaknesses that were not made public.

For its part, the TVA agreed with most of the GAO assessments and said it has taken steps to strengthen information security for control systems, such as centralizing responsibility for cyber security within the agency.

The TVA Executive Vice President concurred with all 19 recommendations in this report and provided information on steps the agency was taking to implement the recommendations.

As part of its report, the GAO noted a number of specific examples of how dangerous disruptions of networked power control systems can be.

· Maroochy Shire sewage spill: In the spring of 2000, a former employee of an Australian organization that developed manufacturing software applied for a job with the local government, but was rejected. Over a 2-month period, this individual reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.

· Davis-Besse power plant: The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours and the plant’s process computer for about 6 hours.

· Northeast power blackout: In August 2003, failure of the alarm processor in the control system of FirstEnergy, an Ohio-based electric utility, prevented control room operators from having adequate awareness of critical changes to the electrical grid. This problem was compounded when the state estimating program at the Midwest Independent System Operator failed. When several key transmission lines in northern Ohio tripped due to contact with trees, they initiated a cascading failure of 508 generating units at 265 power plants across eight states and a Canadian province.

· Taum Sauk Water Storage Dam failure: In December 2005, the Taum Sauk Water Storage Dam, approximately 100 miles south of St. Louis, Missouri, suffered a catastrophic failure, releasing a billion gallons of water. According to the dam’s operator, the incident may have occurred because the gauges at the dam read differently than the gauges at the dam’s remote monitoring station.


Originally, all process

Originally, all process networks were designed like that, completely islanded off and self-sufficient. Nothing in, nothing out. And that was fine while the industry was for the most part regulated. There wasn't a need for a large amount of data to be shared, everybody did their own thing according to regulations.

Problem with that method is that there was no incentive to make upgrades to infrastructure and systems under regulation. ZERO. Which has led to the situation we are in now: We have a first world nation with a third world electric power grid. Costs are rapidly rising, power demands are increasing (thank the internet for that), and the equipment is starting to get so old it can't be replaced anymore.

So now, utilities are finally starting to look at ways of improving their business. This means more data needs to flow from the plant into other areas of the business. That data can be used to plan maintenance upgrades, to cost out fuel, to improve efficiency, to add green power to the mix, etc. Connecting these plants and control centers to each other provides a valuable service, it's just that utilities didn't know jack about securing them.

To put it mildly, a generation plant can save $100,000 - $1,000,000 a year simply by sharing data with optimization consultants on a real-time basis. That's what we call "easy money". And in the absence of federal regulations, that's what they did. Now though, utilities are required to secure their network, most under the NERC CIP standards. Situations like TVA's are going to become very very common in the next few years, and then they are going to simply go away as utilities get the message that security means greater electric reliability.

____________________
Submitted by: Libros Gratis
