As part of our annual audit planning, we completed a threat assessment to identify high-risk cybersecurity threats that could potentially impact the Tennessee Valley Authority (TVA). We determined the potential impact of system intrusion through misconfigurations or unpatched systems to be high. Therefore, we included an audit of the TVA Transmission Operations and Power Supply (TOPS) organization's management of Mac® desktops and laptops in our 2022 audit plan. In summary, we determined that MacBooks® managed by TOPS followed TVA's configuration management policy. However, we determined that 3 of 15 MacBooks® did not follow TVA policy for patch management. Specifically, one MacBook® was obsolete, and two had inconsistent patching history. In addition, we identified a gap between TVA policy and a TOPS patch management work instruction. TVA management agreed with our findings and took action to (1) surplus the one MacBook® we identified as obsolete and (2) update the TOPS work instruction to align with TVA policy.
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2022-17380
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0