Cyber security: Are you ready for federal interrogators?

Would you like to see your cyber security systems analyzed and the results published?


Would you like to see your cyber security systems subjected to investigation by the federal government? Powerplants and distribution centers run by TVA experienced it firsthand, seeing their shortcomings published and discussed in a congressional committee.

The Tennessee Valley Authority (TVA) is the nation’s largest public utility, providing power to 8.7 million residents spread over 80,000 square miles in Tennessee and parts of adjoining states. The group operates fossil, nuclear, and hydroelectric generating plants. In May, the U.S. Government Accountability Office published a 62-page report with the stark title: “TVA Needs to Address Weaknesses in Control Systems and Networks.” ( Download the entire report .) Here are some statements from the opening summary:

“TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats.

“An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.”

A tough evaluation, certainly. In many respects, the items cited read like a checklist of things to avoid in any control system. Look at these points lifted directly from the paragraphs above:

  • The corporate network is interconnected with control systems;

  • Individual workstations lack key software patches;

  • Firewalls are either inadequately configured or have been bypassed;

  • Passwords are not effectively implemented; and,

  • Physical security at multiple locations does not sufficiently protect critical control systems.

The list goes on. These are some of the most basic cyber security concepts and should be part and parcel of any strategy. The question that many should ask is, “How well would our systems stand up to similar inspection?” That should be answered before you’re in the hot seat.

—Peter Welander, process industries editor, ,
Process & Advanced Control Monthly
Register here and scroll down to select your choice of free eNewsletters .

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security