Cyber security: Are you ready for federal interrogators?

Would you like to see your cyber security systems analyzed and the results published?


Would you like to see your cyber security systems subjected to investigation by the federal government? Power plants and distribution centers run by TVA experienced it firsthand, seeing their shortcomings published and discussed in a congressional committee.

The Tennessee Valley Authority (TVA) is the nation’s largest public utility, providing power to 8.7 million residents spread over 80,000 square miles in Tennessee and parts of adjoining states. The group operates fossil, nuclear, and hydroelectric generating plants. In May, the U.S. Government Accountability Office published a 62-page report with the stark title: “TVA Needs to Address Weaknesses in Control Systems and Networks.” (Download the entire report.) Here are some statements from the opening summary:

“TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats.

“An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.”

A tough evaluation, certainly. In many respects, the items cited read like a checklist of things to avoid in any control system. Look at these points lifted directly from the paragraphs above:

  • The corporate network is interconnected with control systems;

  • Individual workstations lack key software patches;

  • Firewalls are either inadequately configured or have been bypassed;

  • Passwords are not effectively implemented; and,

  • Physical security at multiple locations does not sufficiently protect critical control systems.

The list goes on. These are some of the most basic cyber security concepts and should be part and parcel of any strategy. The question that many should ask is, “How well would our systems stand up to similar inspection?” That should be answered before you’re in the hot seat.

—Peter Welander, process industries editor,
Process & Advanced Control Monthly