New report points to cyber risks in TVA control systems

A federally owned utility company operating in seven southeastern states lacked functional internal information technology controls and failed to provide proper cybersecurity oversight of a system used to control a particular subset of dams and river systems, according to a recent report.

The Tennessee Valley Authority (TVA) Inspector General report found "inappropriate logical and physical access" and vulnerable versions of operating systems at dams that are a part of the utility's control system. TVA operates a network of dams that do not provide hydroelectric power but instead assist in flood control and management of the region's river system. 

The cybersecurity of TVA's hydroelectric dams is not covered in the report.

The report also said that, while the risk of a potential threat to the utility's river management system remained low due to physical controls that can limit water flow and other regional factors, "unauthorized access events pose a high reputational risk for TVA."

The IG report said that two different TVA teams took part in building, maintaining and operating the dam control system, "but there was no clear ownership of the system."

"Without clear ownership, the maintenance and operation of cybersecurity controls may not occur, increasing cybersecurity risks related to the control system," the report stated.

The specifics of the testing and findings were omitted from the report, “due to the sensitive nature of TVA’s cybersecurity," the OIG report states. TVA managers were briefed on the findings in April.

In response to the IG report, TVA said it agreed with the findings and committed to working with its software vendor to update its vulnerable software versions to achieve compliance with the latest standards. The utility also indicated it took action prior to the inspector general's completion of its report to address several issues and said it would provide clear ownership, roles and responsibilities into system documentation.