Non-Power Dam Control System Cybersecurity

As part of our annual audit plan, we performed an audit of Tennessee Valley Authority’s (TVA) non-power dam control system cybersecurity. Our objective was to determine if the cybersecurity controls of TVA’s non-power dam control system were operating effectively. In summary, we found (1) no clear ownership of the non-power dam control system, (2) vulnerable versions of operating systems and control system software, (3) inappropriate logical and physical access, and (4) internal information technology controls were not operating effectively or had not been designed and implemented. Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access. We recommend the Senior Vice President, Resource Management and Operations Services, update the non power dam control system to address the identified vulnerabilities and information technology control weaknesses. TVA management agreed with our recommendation and provided information on planned actions.