
Largest US Power Company “Vulnerable To Hacking”

29 May 2008

The US Government Accountability Office (GAO) warned that the nation’s largest public power company is vulnerable to computer hackers and terrorists ready to disrupt America’s power grid.

The GAO said the Tennessee Valley Authority (TVA), which supplies power to almost 9 million Americans, “has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures, leaving them vulnerable to disruption.”

An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program, according to the GAO report.

The GAO found that TVA’s firewalls had been bypassed or were inadequately configured, that passwords were not effective, that intrusion-detection systems were not adequate, that servers and workstations lacked key patches and effective virus protection, and that computers on TVA’s corporate network lacked security software updates.

TVA COO Bill McCollum said the agency is already addressing most of the security concerns highlighted by the GAO. In testimony before Congress, McCollum noted TVA recently tested the security of its computerized power controls with a third-party vendor and that the consultant team was unable to gain access to any of the targeted process control networks.

When asked why government investigators found that passwords, firewalls and other standard protections were either not in place or were inadequate, McCollum said standards for security measures continue to evolve and be revised.

“From my perspective, TVA is moving as fast as possible to continue to improve the security of our systems and infrastructure,” he said, adding that the TVA had already been working to fix the problems when the GAO investigation happened.

According to McCollum, the TVA will tackle most of the problems by the end of the year. He said the TVA had already started to address 17 of the 19 issues raised by the GAO.

The report, which included 73 specific recommendations for security fixes, focused on 19 general recommendations.

The recommendations included setting up a formal, documented configuration management process for changes to software governing control systems at TVA hydroelectric and fossil facilities; categorizing and assessing the risk of all control systems; and revising TVA information security policies and procedures to specifically mention their applicability to control systems.

 
