Top News May 21, 2008, 12:04AM EST

TVA: Vulnerable to Cyberattack

Disturbing Automated Control

Among concerns shared by defense and intelligence agencies, as well as public utilities, is what might result from an intrusion into networks controlling critical infrastructure. The nation's dams, water systems, factories, and electric grid are increasingly dependent on automated control systems. Computers open and close valves, control equipment, monitor sensors, and make sure power plants run safely. Often connected to open networks such as the Internet and corporate intranets, they are potentially accessible to outsiders.

An August, 2006, failure of two circulation pumps at a TVA nuclear plant in Browns Ferry, Ala., which required the utility to manually shut down the reactor, was traced to excessive traffic on the network operating the control system. While not attributed to hackers, the incident underscored the vulnerability of power plants to network problems.

"The Aurora Vulnerability"

Engineers working for the Homeland Security Dept. in 2006 demonstrated how a targeted cyberattack on a machine such as an electric utility's pump or generator could destroy the machine, ending its ability to generate power. The demonstration has proven so persuasive within government and cybersecurity circles that it has even acquired a name—"the Aurora vulnerability."

The vulnerability "can be exploited via the Internet if specific devices are made accessible online, which is occurring on a regular basis," according to a briefing memo distributed to members of a House subcommittee on emerging threats and cybersecurity in preparation for the hearing today.

Demonstration of the Aurora vulnerability prompted the Homeland Security Dept. to create a "tiger team" from six agencies, including the CIA and FBI. The team confirmed the vulnerability and urged immediate action, which led to greater attention to cybersecurity within the electric utility industry.

But not enough, the GAO report on TVA suggests. "TVA has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures," according to a draft of the report obtained by BusinessWeek. "Control systems networks and devices at individual facilities and plants reviewed were vulnerable to disruption."

Stepping Up Security

In a written response to the GAO, John Long Jr., a TVA executive vice-president, agreed with the report's findings and recommendations, saying the power company had already begun to address vulnerabilities. An outside team hired by TVA to perform "penetration testing" found "some weaknesses," according to Long. But by Apr. 14, the team reported good news: It had been "unable to gain access to any of the targeted Process Control Networks." Says Long: "Our actions clearly demonstrate TVA's commitment to assuring the security of its critical infrastructures and related information and control systems."

TVA's design makes it vulnerable to attack, the GAO draft report says. "An attacker who gained access to a less secure portion of a network such as the corporate network could potentially compromise equipment in a more secure portion of the network, including equipment that has access to control systems."

Even standard protections, such as the use of passwords, firewalls, and antivirus software, were either not in place or inadequate, according to the GAO. Meanwhile, investigators found it was fairly easy to gain access to computer control rooms: 75% of people with TVA badges could get into the facilities. Warns the GAO: "If TVA does not take sufficient steps to secure its control systems and implement an information security program, it risks not being able to respond properly to a major disruption that is the result of an intended or unintended cyberincident."

Cybersecurity has been a growing concern among nuclear power plant operators in the U.S. and abroad. In April, 2007, the U.S. Nuclear Regulatory Commission finalized a rule that added "external cyberattack" to the events that power reactor licensees are required to prepare to defend against. In another sign of the seriousness of the threat, NRC officials say that beginning in 2009 they intend to start inspecting nuclear facilities for cybersecurity.

Epstein is a correspondent in BusinessWeek's Washington bureau.
