Power Generation Facility Cyber Security

The OIG audited cyber security at a power generation facility to determine (1) the adequacy of physical and environmental controls, logical security controls, network infrastructure controls, and general controls such as backup and recovery, change control, and incident response, and (2) compliance with the Maritime Transportation Security Act (MTSA). In summary, we found opportunities for improvement in the areas of (1) physical access and environmental controls, (2) logical access controls, (3) network infrastructure controls, and (4) general controls. Additionally, during our review of MTSA requirements, we found no issues with compliance. Lastly, we identified no control weaknesses during our testing of (1) a sample of business network laptops, desktops, and servers, (2) wireless access points, and (3) modems. TVA management generally agreed with our findings and recommendations.(Summary Only)