The Office of the Inspector General performed an audit to determine if the backup and recovery process for operational technology cyber assets at Tennessee Valley Authority (TVA) natural gas plants was (1) designed in accordance with federal guidance and (2) operating as defined by TVA policy. We determined TVA Generation’s backup and recovery procedure was designed in accordance with federal guidance for most areas. However, (1) the procedure did not align with federal guidance for encryption and (2) the process was not operating as defined by TVA Generation’s procedure. Specifically, the National Institute of Standards and Technology recommends that cryptographic mechanisms be implemented to prevent unauthorized disclosure and modification of data; however, encryption was not addressed in TVA Generation’s procedure. Additionally, none of the plants selected for testing had a documented backup and recovery plan as required by the procedure.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | No | $0 | $0 | We recommend the Vice President, Generation Tech Support, revise Generation’s Standard Operating Procedure 12.871, Cyber Security – Backup and Recovery, to address encryption to align with federal guidance and communicate the standard operating procedure requirements to plant personnel. |
| 2 | No | $0 | $0 | We recommend the Vice President, Generation Tech Support, develop backup and recovery plans for each plant in accordance with Generation’s Standard Operating Procedure 12.871, Cyber Security – Backup and Recovery. |