We performed an audit of the Tennessee Valley Authority’s (TVA) Internet perimeter. Our objective was to identify cybersecurity weaknesses in TVA’s Internet perimeter through penetration testing. In summary, we identified some vulnerabilities in TVA’s Internet perimeter. Specifically, we (1) downloaded files related to TVA’s disposal of coal ash that were marked as confidential, (2) accessed a Web site related to river operations that used weak authentication, and (3) found TVA’s password complexity requirements on a publicly available TVA Web site. We recommended TVA ensure (1) documents related to TVA’s disposal of coal ash for public release are properly reviewed and TVA information classification markings are removed, (2) Web sites follow TVA policy for authentication, and (3) TVA’s password complexity rules are removed from TVA’s publicly accessible Web sites. TVA management provided actions they plan to take or have taken to address each of our recommendations.
Wednesday, November 10, 2021