[ISN] TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds

From: InfoSec News (alerts@private)
Date: Thu May 22 2008 - 01:43:10 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2008/05/20/AR2008052002354.html

By Brian Krebs
washingtonpost.com Staff Writer
May 21, 2008

The Tennessee Valley Authority (TVA), the nation's largest public power 
company, is vulnerable to cyber attacks that could sabotage critical 
systems that provide electricity to more than 8.7 million people, 
according to a Government Accountability Office report to be released 
today.

The report was requested by a House Homeland Security panel on cyber 
security, which is expected to hear testimony today from the Federal 
Energy Regulatory Commission about gaining additional authority to 
require electric utilities to implement added cyber-security measures.

The GAO found that TVA's Internet-connected corporate network was linked 
with systems used to control power production, and that security 
weaknesses pervasive in the corporate side could be used by attackers to 
manipulate or destroy vital control systems. As a wholly owned federal 
corporation, TVA must meet the same computer security standards that 
govern computer practices and safeguards at federal agencies.

The GAO also warned that computers on TVA's corporate network lacked 
security software updates and anti-virus protection, and that firewalls 
and intrusion detection systems on the network were easily bypassed and 
failed to record suspicious activity.

"In addition, physical security at multiple locations did not 
sufficiently protect critical control systems," the GAO concluded. "As a 
result, systems that operate TVA's critical infrastructures are at 
increased risk of unauthorized modification or disruption by both 
internal and external threats."

The vulnerability of the nation's electrical grid to computer attack is 
due in part to steps taken by power companies to transfer control of 
generation and distribution equipment from internal networks to 
supervisory control and data acquisition, or SCADA, systems that can be 
accessed through the Internet or by phone lines, according to 
consultants and government reports.

The move to SCADA systems boosts efficiency at utilities because it 
allows workers to operate equipment remotely. But experts say it also 
exposes these once-closed systems to cyber attacks. So far, examples of 
hackers breaking into control systems to cause damage or outages are 
scarce. However, there's evidence that the threat of such damage makes 
control systems an alluring target for extortionists.

[...]


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu May 22 2008 - 01:53:39 PDT