GAO study says TVA vulnerable to cyber attack

May 22, 2008
Attack could potentially threaten electricity delivery to more than 8.5 million people

The Tennessee Valley Authority is unduly susceptible to cyber attacks of its power system, the Government Accountability Office said Wednesday.

GAO auditors said TVA's corporate computers and the network TVA uses to operate its power system are "vulnerable to disruption."

An attack on TVA's transmission network, one of the biggest in the world, could threaten electricity delivery to the 8.7 million people in the Tennessee Valley.

TVA's Internet-based supervisory control and data acquisition (SCADA) network that has helped improve the utility's power reliability against thunderstorms and accidents also opens the system to computer hackers, GAO said.

"TVA has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures," the GAO said in a 58-page report released today. "Firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited...and servers and workstations lacked key patches and effective virus protection."

The GAO study is being released today as a Congressional subcommittee meets today to consider legislation to try to further protect America's electricity grid against potential cyber attacks by terrorists eager to disrupt the delivery of power.

In testimony prepared for the committee hearing, TVA Chief Operating Officer Bill McCollum Jr. said TVA is already addressing most of the security concerns highlighted by the GAO.

"TVA is committed to assuring that the infrastructure entrusted to our responsibility meets or exceeds the best accepted practices in government and in the electric utility industry," Mr. McCollum said.