TVA: Vulnerable to Cyberattack

The GAO says the Tennessee Valley Authority must bolster its cybersecurity, citing risk that the power company's critical ops could be hacked

by Keith Epstein

Investigators have found numerous instances in which the nation's largest public power company, the Tennessee Valley Authority (TVE), is "vulnerable to disruption" by cyberintrusions. The concern: Hackers could seize control of critical operations in TVA's many electric plants—including those that are nuclear powered—as well as its transmission grid, flood control, and water systems.

A report by the Government Accountability Office (GAO), identified as 08-459SU and marked "for limited official use only," includes 73 specific recommendations for security fixes so sensitive they are to be withheld today when the GAO releases a public version with 19 general recommendations, all of which TVA agrees with.

The report's findings alarmed TVA's own executives. At a May 2 meeting with congressional investigators and U.S. Homeland Security Dept. officials, TVA urged GAO, the investigatory arm of Congress, to modify wording and make public few details rather than raise public concerns or risk providing a road map for hackers. The public version of the report, which was requested by Republicans and Democrats on congressional homeland security committees to follow up on previous concerns about cyberthreats, is to be released at a May 21 hearing at 2 p.m. ET.

TVA, which has 52 facilities, plays a significant underlying role in the economy of the southeastern U.S. Besides providing power in Tennessee, Mississippi, Kentucky, Alabama, Georgia, North Carolina, and Virginia, TVA manages one of the largest electricity transmission systems in North America and the fifth-largest river system in the U.S. Security experts say that, too, could be manipulated in ways that might cause flooding or affect water quality.

A Real Threat

Cybersecurity specialists and government officials, speaking anonymously for fear of the impact on their careers, say the threat is far from theoretical or confined to small nations such as Estonia. They say owners and operators of other U.S. and Western European utilities also are vulnerable to network break-ins by a variety of hackers, including some who may be acting on behalf of other governments.

In an unusual disclosure on Jan. 16, the CIA's top cybersecurity analyst cautioned government officials, engineers, and security managers in the oil and electricity industry that cyberintrusions into unidentified utilities located outside the U.S. had been followed by extortion demands, and in one case had caused a power outage in multiple overseas cities. "All involved intrusions through the Internet," the analyst, Tom Donahue, told attendees at a trade conference in New Orleans.

The Federal Energy Regulatory Commission quickly adopted new cybersecurity standards. The Nuclear Regulatory Commission expedited its work as well.

A recent BusinessWeek report detailed how cyberspies are targeting government and industry through sometimes surprisingly permeable computer networks. Some intrusions have been traced to nations such as China. The story also described attempts by the Bush Administration to secure tens of billions of dollars for cyberdefenses and offensive capability.