Network Architecture - Hydro

Submitting OIG:

Report Description:

The Office of the Inspector General performed an audit of a TVA hydroelectric facility to determine if the network architecture and assets in use to support site business and operations were compliant with TVA policies, procedures, and identified best practices. We determined several areas of the network architecture and assets did not follow TVA policies, procedures, or identified best practices. Specifically, we identified the following issues: • Network redundancy was not implemented in accordance with identified best practices. • Network asset retirement was not implemented in accordance with Power Operations’ Standard Operating Procedure. • Power Operations’ location specific standard operating procedure did not require unique passwords in accordance with identified best practices. In addition, we identified the following internal control deficiencies significant to our audit objective: • Baseline configurations were not implemented in accordance with location specific Power Operations’ standard operating procedure. • Physical access permissions and controls were not implemented in accordance with identified best practices. TVA management agreed with our recommendations.

Date Issued:

Tuesday, May 14, 2024

Agency Reviewed / Investigated:

Tennessee Valley Authority

Submitting OIG-Specific Report Number:

2023-17419

Location(s):

Agency-Wide

Type of Report:

Audit

Questioned Costs:

Funds for Better Use:

Number of Recommendations:

Report updated under NDAA 5274:

View Document:

Attachment	Size
2023-17419.pdf	361.39 KB

Recommendation Number	Recommendation Status	Significant Recommendation
1	Open	No
We recommend the Senior Vice President, Power Operations, implement planned design changes to address network redundancy and implement additional changes to address single points of failure.
2	Open	No
We recommend the Senior Vice President, Power Operations, remove the decommissioned asset from the network and follow the operational technology asset inventory validation as required by Power Operations’ Standard Operating Procedure 12.862.
3	Open	No
We recommend the Senior Vice President, Power Operations, revise procedures to require unique passwords for assets, local accounts, and services.
4	Open	No
We recommend the Senior Vice President, Power Operations, create baseline configurations and implement a process to verify that baseline configurations are followed and maintained as required by Power Operations’ location specific standard operating procedure.
5	Open	No
We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, properly secure and control physical access to all business network assets at the hydroelectric facility in accordance with National Institute of Standards and Technology Special Publication 800-53.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

Open

We recommend the Senior Vice President, Power Operations, implement planned design changes to address network redundancy and implement additional changes to address single points of failure.

Open

We recommend the Senior Vice President, Power Operations, remove the decommissioned asset from the network and follow the operational technology asset inventory validation as required by Power Operations’ Standard Operating Procedure 12.862.

Open

We recommend the Senior Vice President, Power Operations, revise procedures to require unique passwords for assets, local accounts, and services.

Open

We recommend the Senior Vice President, Power Operations, create baseline configurations and implement a process to verify that baseline configurations are followed and maintained as required by Power Operations’ location specific standard operating procedure.