The GAO says the Tennessee Valley Authority must bolster its cybersecurity, citing risk that the power company's critical ops could be hacked
Investigators have found numerous instances in which the nation's largest public power company, the Tennessee Valley Authority (TVE), is "vulnerable to disruption" by cyberintrusions. The concern: Hackers could seize control of critical operations in TVA's many electric plants—including those that are nuclear powered—as well as its transmission grid, flood control, and water systems.
A report by the Government Accountability Office (GAO), identified as 08-459SU and marked "for limited official use only," includes 73 specific recommendations for security fixes so sensitive they are to be withheld today when the GAO releases a public version with 19 general recommendations, all of which TVA agrees with.
The report's findings alarmed TVA's own executives. At a May 2 meeting with congressional investigators and U.S. Homeland Security Dept. officials, TVA urged GAO, the investigatory arm of Congress, to modify wording and make public few details rather than raise public concerns or risk providing a road map for hackers. The public version of the report, which was requested by Republicans and Democrats on congressional homeland security committees to follow up on previous concerns about cyberthreats, is to be released at a May 21 hearing at 2 p.m. ET.
TVA, which has 52 facilities, plays a significant underlying role in the economy of the southeastern U.S. Besides providing power in Tennessee, Mississippi, Kentucky, Alabama, Georgia, North Carolina, and Virginia, TVA manages one of the largest electricity transmission systems in North America and the fifth-largest river system in the U.S. Security experts say that, too, could be manipulated in ways that might cause flooding or affect water quality.
A Real Threat
Cybersecurity specialists and government officials, speaking anonymously for fear of the impact on their careers, say the threat is far from theoretical or confined to small nations such as Estonia. They say owners and operators of other U.S. and Western European utilities also are vulnerable to network break-ins by a variety of hackers, including some who may be acting on behalf of other governments.
In an unusual disclosure on Jan. 16, the CIA's top cybersecurity analyst cautioned government officials, engineers, and security managers in the oil and electricity industry that cyberintrusions into unidentified utilities located outside the U.S. had been followed by extortion demands, and in one case had caused a power outage in multiple overseas cities. "All involved intrusions through the Internet," the analyst, Tom Donahue, told attendees at a trade conference in New Orleans.
The Federal Energy Regulatory Commission quickly adopted new cybersecurity standards. The Nuclear Regulatory Commission expedited its work as well.
A recent BusinessWeek report detailed how cyberspies are targeting government and industry through sometimes surprisingly permeable computer networks. Some intrusions have been traced to nations such as China. The story also described attempts by the Bush Administration to secure tens of billions of dollars for cyberdefenses and offensive capability.
Disturbing Automated Control
Among concerns shared by defense and intelligence agencies, as well as public utilities, is what might result from an intrusion into networks controlling critical infrastructure. The nation's dams, water systems, factories, and electric grid are increasingly dependent on automated control systems. Computers open and close valves, control equipment, monitor sensors, and make sure power plants run safely. Often connected to open networks such as the Internet and corporate intranets, they are potentially accessible to outsiders.
An August, 2006, failure of two circulation pumps at a TVA nuclear plant in Browns Ferry, Ala., which required the utility to manually shut down the reactor, was traced to excessive traffic on the network operating the control system. While not attributed to hackers, the incident underscored the vulnerability of power plants to network problems.
"The Aurora Vulnerability"
Engineers working for the Homeland Security Dept. in 2006 demonstrated how a targeted cyberattack on a machine such as an electric utility's pump or generator could destroy the machine, ending its ability to generate power. The demonstration has proven so persuasive within government and cybersecurity circles that it has even acquired a name—"the Aurora vulnerability."
The vulnerability "can be exploited via the Internet if specific devices are made accessible online, which is occurring on a regular basis," according to a briefing memo distributed to members of a House subcommittee on emerging threats and cybersecurity in preparation for the hearing today.
Demonstration of the Aurora vulnerability prompted the Homeland Security Dept. to create a "tiger team" from six agencies, including the CIA and FBI. The team confirmed the vulnerability and urged immediate action, which led to greater attention to cybersecurity within the electric utility industry.
But not enough, the GAO report on TVA suggests. "TVA has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures," according to a draft of the report obtained by BusinessWeek. "Control systems networks and devices at individual facilities and plants reviewed were vulnerable to disruption."
Stepping Up Security
In a written response to the GAO, John Long Jr., a TVA executive vice-president, agreed with the report's findings and recommendations, saying the power company had already begun to address vulnerabilities. An outside team hired by TVA to perform "penetration testing" found "some weaknesses," according to Long. But by Apr. 14, the team reported good news: It had been "unable to gain access to any of the targeted Process Control Networks." Says Long: "Our actions clearly demonstrate TVA's commitment to assuring the security of its critical infrastructures and related information and control systems."
TVA's design makes it vulnerable to attack, the GAO draft report says. "An attacker who gained access to a less secure portion of a network such as the corporate network could potentially compromise equipment in a more secure portion of the network, including equipment that has access to control systems."
Even standard protections, such as the use of passwords, firewalls, and antivirus software were either not in place or inadequate, according to the GAO. Meanwhile, investigators found it was fairly easy to gain access to computer control rooms: 75% of people with TVA badges could get into the facilities. Warns the GAO: "If TVA does not take sufficient steps to secure its control systems and implement an information security program, it risks not being able to respond properly to a major disruption that is the result of an intended or unintended cyberincident."
Cybersecurity has been a growing concern among nuclear power plant operators in the U.S. and abroad. In April, 2007, the U.S. Nuclear Regulatory Commission finalized a rule that added "external cyberattack" to the events that power reactor licensees are required to prepare to defend against. In another sign of the seriousness of the threat, NRC officials say that beginning in 2009 they intend to start inspecting nuclear facilities for cybersecurity.