TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds

By Brian Krebs, Staff Writer
Wednesday, May 21, 2008; 12:01 AM

The Tennessee Valley Authority (TVA), the nation's largest public power company, is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people, according to a Government Accountability Office report to be released today.

The report was requested by a House Homeland Security panel on cyber security, which is expected to hear testimony today from the Federal Energy Regulatory Commission about gaining additional authority to require electric utilities to implement added cyber-security measures.

The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. As a wholly owned federal corporation, TVA must meet the same computer security standards that govern computer practices and safeguards at federal agencies.

The GAO also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

"In addition, physical security at multiple locations did not sufficiently protect critical control systems," the GAO concluded. "As a result, systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats."

The vulnerability of the nation's electrical grid to computer attack is due in part to steps taken by power companies to transfer control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.

The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But experts say it also exposes these once-closed systems to cyber attacks. So far, examples of hackers breaking into control systems to cause damage or outages are scarce. However, there's evidence that the threat of such damage makes control systems an alluring target for extortionists.

For example, earlier this year a CIA analyst said cyber attackers have hacked into the computer systems of utility companies outside the United States. In one case, the intrusion caused a power outage that affected multiple cities.

The TVA's power networks stretch across 80,000 square miles in the southeastern United States, including almost all of Tennessee and parts of Mississippi, Kentucky, Alabama, Georgia, North Carolina and Virginia. The TVA operates 11 coal-fired plants, eight combustion turbine plants, three nuclear plants and 29 hydroelectric dams.

TVA declined requests for comment on the report. But in a written response included in the GAO report, the TVA agreed with all 19 of the agency's recommended actions.

Jason Larson, a computer security expert who spent the past five years testing the security of SCADA systems at the Department of Energy and at Seattle-based IOActive Inc., said the GAO's findings also would apply to a large portion of the electric industry.

"This would hardly be an isolated report," Larson said.

© 2008 The Washington Post Company