Power plants rely on operational technology (OT) to ensure the plants can run without disruption. Due to the high risks associated with threat events against OT, we performed an audit of the Tennessee Valley Authority’s (TVA) OT cybersecurity at a combined cycle plant. Our objective was to determine if logical, physical, and general security controls were (1) appropriately designed to reduce cybersecurity risk and (2) operating effectively.

We determined logical, physical, and some general controls were appropriately designed and operating effectively. However, general security controls related to contingency planning, system inventory, system baselines, and cybersecurity monitoring needed improvement. Specifically, we identified:

• Contingency plans were not documented.
• OT inventory was incomplete.
• System baselines were not in place.
• Cybersecurity monitoring was incomplete.

In addition, we determined a risk assessment had not been completed for the site’s OT systems.

Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
---|---|---|---|---|
1 | No | $0 | $0 | |
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, develop a contingency plan for the operational technology at the site. | | | | |
2 | No | $0 | $0 | |
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, complete the ongoing inventory project for the operational technology at the site. | | | | |
3 | No | $0 | $0 | |
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, document and implement operational technology system baselines and monitor systems for changes. | | | | |
4 | No | $0 | $0 | |
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, design and implement cybersecurity monitoring, as appropriate, for the operational technology. | | | | |
5 | No | $0 | $0 | |
We recommend Senior Vice President, Power Operations, and the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform a risk assessment and update it as needed. | | | | |