TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds
Regulators Want Authority to Require Security Upgrades Industry-wide

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, May 21, 2008 12:01 AM

The Tennessee Valley Authority (TVA), the nation's largest public power company, is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people, according to a Government Accountability Office report to be released today.

The report was requested by a House Homeland Security panel on cyber security, which is expected to hear testimony today from the Federal Energy Regulatory Commission about gaining additional authority to require electric utilities to implement added cyber-security measures.

The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. As a wholly owned federal corporation, TVA must meet the same computer security standards that govern computer practices and safeguards at federal agencies.

The GAO also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

"In addition, physical security at multiple locations did not sufficiently protect critical control systems," the GAO concluded. "As a result, systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats."

The vulnerability of the nation's electrical grid to computer attack is due in part to steps taken by power companies to transfer control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.

The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But experts say it also exposes these once-closed systems to cyber attacks. So far, examples of hackers breaking into control systems to cause damage or outages are scarce. However, there's evidence that the threat of such damage makes control systems an alluring target for extortionists.

For example, earlier this year a CIA analyst said cyber attackers have hacked into the computer systems of utility companies outside the United States. In one case, it caused a power outage that affected multiple cities.

The TVA's power networks stretch across 80,000 square miles in the southeastern United States, including almost all of Tennessee and parts of Mississippi, Kentucky, Alabama, Georgia, North Carolina and Virginia. The TVA operates 11 coal-fired plants, eight combustion turbine plants, three nuclear plants and 29 hydroelectric dams.

TVA declined requests for comment on the report. But in a written response included in the GAO report, the TVA agreed with all 19 of the agency's recommended actions.

Jason Larson, a computer security expert who spent the past five years testing the security of SCADA systems at the Department of Energy and at Seattle-based IOActive Inc., said the GAO's findings also would apply to a large portion of the electric industry.

"This would hardly be an isolated report," Larson said.

Larson blames costs and time as the reasons for not locking down these complex networks. He said many plant operators consider it unlikely that an attacker would be able manipulate or damage control systems, as most of these systems run on obscure hardware powered by highly specialized communications standards.

"If you take a skilled hacker, he may be able to find serious security holes in software that nobody's ever discovered, but if you throw that same hacker into a control systems network, all of a sudden he's surrounded by custom protocols and embedded systems he's never seen before," Larson said.

Still, Larson said that "security-by-obscurity" defense is gradually eroding, as a number of utilities are upgrading from older, legacy systems to operating systems more familiar to the average hacker, such as Microsoft Windows and Linux.

Today's hearing, hosted by House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, will also gauge the progress of the nation's power industry in addressing a particularly pervasive vulnerability, code-named "Aurora."

In a dramatic video-taped demonstration of the Aurora vulnerability recorded in 2006, engineers at Idaho National Labs showed how the weakness could be exploited to cause any spinning machine connected to the power grid -- such as a generator, pump or turbine -- to self-destruct. In many cases, the researchers found, the attack could be carried out via the Internet.

Shortly after that video was leaked to the news media last fall, the subcommittee held a hearing at which representatives from the North American Electric Reliability Corporation (NERC) claimed that it had conducted a survey of 133 power-plant owners, which showed that 94 percent of them had completed more than half of the work necessary to shore up their defenses against the Aurora vulnerability.

Follow-up correspondence between NERC and the subcommittee revealed that NERC did not begin to survey member companies until two days after that hearing.

NERC's chief executive Rick Sergel said if power companies have been slow to fix the Aurora vulnerability it is because they want to be sure the fix won't introduce new problems.

"We have been very careful to make sure we do no harm," Sergel said. "Unlike many other places where cyber plays a role, the power system is very complex, and things that work very effectively in other environments are not appropriate to bulk power systems."

The task of gauging the electric sector's true progress in mitigating the Aurora vulnerability has fallen to the Federal Energy Regulatory Commission. FERC Chairman Joseph Kelliher is expected to testify at today's hearing, and industry sources say Kelliher plans to ask Congress for additional regulatory authority to compel the electric industry to take emergency steps to shore up the cyber security posture of the electric grid. FERC declined to make anyone available to be interviewed for this story.

In January 2008, FERC approved eight mandatory reliability standards to protect bulk power systems against disruptions from cyber-security breaches. The agency has the authority to fine plants up to $1 million a day for violations of those standards, but the industry has until 2010 to demonstrate compliance with the new rules.

Security experts, however, contend that existing NERC standards contain loopholes and don't adequately protect critical power systems. For example, telecommunications equipment is excluded, even though there are documented cases of computer worms shutting off service from control systems to substations.

"We've got a whole bunch of utilities who claim they have no critical cyber assets, which means they don't have to do anything else to secure their current cyber systems," said Joe Weiss, managing partner at Applied Controlled Solutions, which tests SCADA system security. "We have very big electric utilities who claim they have just 10 cyber assets, when most companies have more critical relays like that in a single substation."

Weiss said he's interviewed security experts in the power industry who recognize the threat from cyber vulnerabilities like Aurora, but who claim they don't have the funding or the authority to do much about it.

"A lot of [companies] don't want to spend money on this because they think it's just another Y2K," Weiss said, referring to the hundreds of billions of dollars spent fixing the Year 2000 computer bug. "What these people are given is a mandate to go put together a paper showing the companies don't have anything critical to address."

View all comments that have been posted about this article.

© 2008 Washingtonpost.Newsweek Interactive