We performed an audit of the Tennessee Valley Authority’s (TVA) Internet perimeter. Our objective was to identify cybersecurity weaknesses in TVA’s Internet perimeter through penetration testing. In summary, we identified some vulnerabilities in TVA’s Internet perimeter. Specifically, we (1) downloaded files related to TVA’s disposal of coal ash that were marked as confidential, (2) accessed a Web site related to river operations that used weak authentication, and (3) found TVA’s password complexity requirements on a publicly available TVA Web site. We recommended TVA ensure (1) documents related to TVA’s disposal of coal ash that are intended for public release are properly reviewed and TVA information classification markings are removed, (2) Web sites follow TVA policy for authentication, and (3) TVA’s password complexity rules are removed from TVA’s publicly accessible Web sites. TVA management provided actions they plan to take or have taken to address each of our recommendations.
Date Issued
Submitting OIG: Tennessee Valley Authority OIG
Other Participating OIGs: Tennessee Valley Authority OIG
Agencies Reviewed/Investigated: Tennessee Valley Authority
Report Number: 2020-15723
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 3
Questioned Costs: $0
Funds for Better Use: $0