Cyber security: Are you ready for federal interrogators?
Would you like to see your cyber security systems subjected to investigation by the federal government? Powerplants and distribution centers run by TVA experienced it firsthand, seeing their shortcomings published and discussed in a congressional committee.
The Tennessee Valley Authority (TVA) is the nation’s largest public utility, providing power to 8.7 million residents spread over 80,000 square miles in Tennessee and parts of adjoining states. The group operates fossil, nuclear, and hydroelectric generating plants. In May, the U.S. Government Accountability Office published a 62-page report with the stark title: “TVA Needs to Address Weaknesses in Control Systems and Networks.” ( Download the entire report .) Here are some statements from the opening summary:
“TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats.
“An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.”
A tough evaluation, certainly. In many respects, the items cited read like a checklist of things to avoid in any control system. Look at these points lifted directly from the paragraphs above:
The corporate network is interconnected with control systems;
Individual workstations lack key software patches;
Firewalls are either inadequately configured or have been bypassed;
Passwords are not effectively implemented; and,
Physical security at multiple locations does not sufficiently protect critical control systems.
The list goes on. These are some of the most basic cyber security concepts and should be part and parcel of any strategy. The question that many should ask is, “How well would our systems stand up to similar inspection?” That should be answered before you’re in the hot seat.
—Peter Welander, process industries editor, PWelander@cfemedia.com ,
Process & Advanced Control Monthly
Register here and scroll down to select your choice of free eNewsletters .