Operational Technology Cybersecurity – Combined Cycle Plant

Submitting OIG:

Report Description:

Power plants rely on operational technology (OT) to ensure the plants can run without disruption. Due to the high risks associated with threat events against OT, we performed an audit of the Tennessee Valley Authority’s (TVA) OT cybersecurity at a combined cycle plant. Our objective was to determine if logical, physical, and general security controls were (1) appropriately designed to reduce cybersecurity risk and (2) operating effectively. We determined logical, physical, and some general controls were appropriately designed and operating effectively. However general security controls related to contingency planning, system inventory, system baselines, and cybersecurity monitoring needed improvement. Specifically, we identified: • Contingency plans were not documented. • OT inventory was incomplete. • System baselines were not in place. • Cybersecurity monitoring was incomplete. In addition, we determined a risk assessment had not been completed for the site’s OT systems.

Date Issued:

Monday, June 17, 2024

Agency Reviewed / Investigated:

Tennessee Valley Authority

Submitting OIG-Specific Report Number:

2023-17433

Location(s):

Agency-Wide

Type of Report:

Audit

Questioned Costs:

Funds for Better Use:

Number of Recommendations:

Report updated under NDAA 5274:

View Document:

Attachment	Size
2023-17433.pdf	320.54 KB

Recommendation Number	Recommendation Status	Significant Recommendation
1	Open	No
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, develop a contingency plan for the operational technology at the site.
2	Open	No
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, complete the ongoing inventory project for the operational technology at the site.
3	Open	No
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, document and implement operational technology system baselines and monitor systems for changes.
4	Open	No
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, design and implement cybersecurity monitoring, as appropriate, for the operational technology.
5	Open	No
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform a risk assessment and update it as needed.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

Open

We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, develop a contingency plan for the operational technology at the site.

Open

We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, complete the ongoing inventory project for the operational technology at the site.

Open

We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, document and implement operational technology system baselines and monitor systems for changes.

Open

We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, design and implement cybersecurity monitoring, as appropriate, for the operational technology.