Information Security: TVA Needs to Enhance Security of Critical  
Infrastructure Control Systems and Networks (21-MAY-08, 	 
GAO-08-775T).							 
                                                                 
The control systems that regulate the nation's critical 	 
infrastructures face risks of cyber threats, system		 
vulnerabilities, and potential attacks. Securing these systems is
therefore vital to ensuring national security, economic 	 
well-being, and public health and safety. While most critical	 
infrastructures are privately owned, the Tennessee Valley	 
Authority (TVA), a federal corporation and the nation's largest  
public power company, provides power and other services to a	 
large swath of the American Southeast. GAO was asked to testify  
on its public report being released today on the security	 
controls in place over TVA's critical infrastructure control	 
systems. In doing this work, GAO examined the security practices 
in place at TVA facilities; analyzed the agency's information	 
security policies, plans, and procedures in light of federal law 
and guidance; and interviewed agency officials responsible for	 
overseeing TVA's control systems and their security.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-775T					        
    ACCNO:   A82162						        
  TITLE:     Information Security: TVA Needs to Enhance Security of   
Critical Infrastructure Control Systems and Networks		 
     DATE:   05/21/2008 
  SUBJECT:   Anti-virus software				 
	     Computer networks					 
	     Computer security					 
	     Computer systems					 
	     Computer viruses					 
	     Critical infrastructure				 
	     Cyber security					 
	     Facility security					 
	     Firewalls						 
	     Independent regulatory commissions 		 
	     Industrial facilities				 
	     Information infrastructure 			 
	     Information management				 
	     Information security				 
	     Information security management			 
	     Information security regulations			 
	     Information systems				 
	     Internal controls					 
	     Intrusion detection systems			 
	     Passwords						 
	     Physical security					 
	     Policy evaluation					 
	     Program evaluation 				 
	     Program management 				 
	     Risk assessment					 
	     Security threats					 
	     System vulnerabilities				 
	     Systems evaluation 				 
	     Systems integrity					 
	     Systems management 				 
	     Systems monitoring 				 
	     Terrorism						 
	     Policies and procedures				 
	     Program implementation				 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-775T

This is the accessible text file for GAO report number GAO-08-775T 
entitled 'Information Security: TVA Needs to Enhance Security of 
Critical Infrastructure Control Systems and Networks' which was 
released on May 21, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony before the Subcommittee on Emerging Threats, Cybersecurity, 
and Science and Technology, Committee on Homeland Security, House of 
Representatives: 

United States Government Accountability Office: 
GAO: 

For Release on Delivery:
Expected at 2:00 p.m. EDT: 
Wednesday, May 21, 2008: 

Information Security: 

TVA Needs to Enhance Security of Critical Infrastructure Control 
Systems and Networks: 

Statement of Gregory C. Wilshusen:
Director, Information Security Issues: 

Nabajyoti Barkakati: 
Acting Chief Technologist: 

GAO-08-775T: 

GAO Highlights: 

Highlights of GAO-08-775T, a testimony before the Subcommittee on 
Emerging Threats, Cybersecurity, and Science and Technology, Committee 
on Homeland Security, House of Representatives. 

Why GAO Did This Study: 

The control systems that regulate the nationï¿½s critical infrastructures 
face risks of cyber threats, system vulnerabilities, and potential 
attacks. Securing these systems is therefore vital to ensuring national 
security, economic well-being, and public health and safety. While most 
critical infrastructures are privately owned, the Tennessee Valley 
Authority (TVA), a federal corporation and the nationï¿½s largest public 
power company, provides power and other services to a large swath of 
the American Southeast. 

GAO was asked to testify on its public report being released today on 
the security controls in place over TVAï¿½s critical infrastructure 
control systems. In doing this work, GAO examined the security 
practices in place at TVA facilities; analyzed the agencyï¿½s information 
security policies, plans, and procedures in light of federal law and 
guidance; and interviewed agency officials responsible for overseeing 
TVAï¿½s control systems and their security. 

What GAO Found: 

TVA had not fully implemented appropriate security practices to secure 
the control systems used to operate its critical infrastructures at 
facilities GAO reviewed. Multiple weaknesses within the TVA corporate 
network left it vulnerable to potential compromise of the 
confidentiality, integrity, and availability of network devices and the 
information transmitted by the network. For example, almost all of the 
workstations and servers that GAO examined on the corporate network 
lacked key security patches or had inadequate security settings. 
Furthermore, TVA did not adequately secure its control system networks 
and devices on these networks, leaving the control systems vulnerable 
to disruption by unauthorized individuals. Network interconnections 
provided opportunities for weaknesses on one network to potentially 
affect systems on other networks. For example, weaknesses in the 
separation of network segments could allow an individual who gained 
access to a computing device connected to a less secure portion of the 
network to compromise systems in a more secure portion of the network, 
such as the control systems. In addition, physical security at multiple 
locations that GAO reviewed did not sufficiently protect the control 
systems. For example, live network jacks connected to TVAï¿½s internal 
network at certain facilities GAO reviewed had not been adequately 
secured from unauthorized access. As a result, TVAï¿½s control systems 
were at increased risk of unauthorized modification or disruption by 
both internal and external threats. 

An underlying reason for these weaknesses was that TVA had not 
consistently implemented significant elements of its information 
security program. For example, the agency lacked a complete and 
accurate inventory of its control systems and had not categorized all 
of its control systems according to risk, limiting assurance that these 
systems are adequately protected. In addition, TVAï¿½s patch management 
process lacked a mechanism to effectively prioritize vulnerabilities. 
As a result, patches that were identified as critical, meaning they 
should be applied immediately to vulnerable systems, were not applied 
in a timely manner. 

Numerous opportunities exist for TVA to improve the security of its 
control systems. For example, TVA can strengthen logical access 
controls, improve physical security, and fully implement its 
information security program. If TVA does not take sufficient steps to 
secure its control systems and fully implement an information security 
program, it risks not being able to respond properly to a major 
disruption that is the result of an intended or unintended cyber 
incident. 

What GAO Recommends: 

In public and limited distribution reports being issued today, GAO is 
recommending that TVA take steps to improve implementation of the 
agencyï¿½s information security program and to correct specific security 
weaknesses identified at TVA facilities. 

In comments on drafts of GAOï¿½s reports, TVA provided information on 
steps it is taking to implement these recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-775T]. For more 
information, contact Gregory C. Wilshusen at (202) 512-6244 or 
[email protected] or Nabajyoti Barkakati at (202) 512-4499 or 
[email protected]. 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to participate in today's hearing to 
discuss control systems security. We have previously reported and 
testified before this subcommittee that critical infrastructure control 
systems face increasing risks due to cyber threats, system 
vulnerabilities, and the serious potential impact of attacks as 
demonstrated by reported incidents.[Footnote 1] If control systems are 
not adequately secured, their vulnerabilities could be exploited, and 
our critical infrastructures could be disrupted or disabled, possibly 
resulting in loss of life, physical damage, or economic losses. 

The majority of our nation's critical infrastructures are owned by the 
private sector; however, the federal government owns and operates 
critical infrastructure facilities including ones used for energy, 
water treatment and distribution, and transportation. One such entity, 
the Tennessee Valley Authority (TVA)--a federal corporation and the 
nation's largest public power company--generates electricity using its 
52 fossil, hydro, and nuclear facilities, all of which use control 
systems. As a wholly-owned government corporation, TVA is to comply 
with the Federal Information Security Management Act of 2002[Footnote 
2] (FISMA) by developing a risk-based information security program and 
implementing appropriate information security controls for its computer 
systems. 

In our testimony today, we will summarize the results of our review of 
the security controls over TVA's critical infrastructure control 
systems. We are issuing two reports today, one publicly available and 
one with limited distribution, which provide additional details on the 
results of our review.[Footnote 3] Our objective was to determine 
whether TVA has effectively implemented appropriate information 
security practices for its control systems. In preparing for this 
testimony, we relied on our work supporting these reports, which 
discuss the details of our scope and methodology. The information in 
this testimony is specifically based on our public report, which has 
been reviewed for sensitivity by TVA. 

Our testimony is based on the work done for our reports from March 2007 
to May 2008. The work on which this testimony is based was conducted in 
accordance with generally accepted government auditing standards, which 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Results in Brief: 

TVA had not fully implemented appropriate security practices to secure 
the control systems used to operate its critical infrastructures at 
facilities we reviewed. Specifically, network interconnections provided 
opportunities for weaknesses on one network to potentially affect 
systems on other networks. For example, weaknesses in the separation of 
network segments could allow an individual who gained access to a 
computing device connected to a less secure portion of the network to 
compromise systems in a more secure portion of the network, such as the 
control systems. In addition, physical security at multiple locations 
that we reviewed did not sufficiently protect the control systems. As a 
result, TVA's control systems were at increased risk of unauthorized 
modification or disruption by both internal and external threats. 

An underlying reason for these weaknesses was that TVA had not 
consistently implemented significant elements of its information 
security program. For example, the agency lacked a complete and 
accurate inventory of its control systems and it had not categorized 
all of its control systems according to risk, limiting assurance that 
these systems were adequately protected. In addition, TVA's patch 
management process lacked a mechanism to effectively prioritize 
vulnerabilities. Until TVA fully and consistently implements its 
information security program, it risks a disruption of its operations, 
which could impact both TVA and its customers. 

In the reports being issued today,[Footnote 4] we are making 19 
recommendations to the Chief Executive Officer of TVA to improve the 
implementation of its agencywide information security program and 73 
recommendations to correct specific information security weaknesses. 

In its comments on our reports, TVA concurred with all of our 
recommendations regarding its information security program and the 
majority of our recommendations regarding specific information security 
weaknesses and provided information on steps the agency was taking to 
implement our GAO recommendations. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business. Of particular importance is the security of 
information and systems supporting critical infrastructures--physical 
or virtual systems and assets so vital to the nation that their 
incapacitation or destruction would have a debilitating impact on 
national and economic security and on public health and safety. 
Although the majority of our nation's critical infrastructures are 
owned by the private sector, the federal government owns and operates 
key facilities that use control systems, including oil, gas, water, 
electricity, and nuclear facilities. In the electric power industry, 
control systems can be used to manage and control the generation, 
transmission, and distribution of electric power. For example, control 
systems can open and close circuit breakers and set thresholds for 
preventive shutdowns. 

Critical infrastructure control systems face increasing risks due to 
cyber threats, system vulnerabilities, and the potential impact of 
attacks as demonstrated by reported incidents.[Footnote 5] Control 
systems are more vulnerable to cyber threats and unintended incidents 
now than in the past for several reasons, including their increasing 
standardization and connectivity to other systems and the Internet. For 
example, in August 2006, two circulation pumps at Unit 3 of the Browns 
Ferry, Alabama, nuclear power plant operated by TVA failed, forcing the 
unit to be shut down manually. The failure of the pumps was traced to 
an unintended incident involving excessive traffic on the control 
system's network. 

To address this increasing threat to control systems governing critical 
infrastructures, both federal and private organizations have begun 
efforts to develop requirements, guidance, and best practices for 
securing those systems. For example, FISMA outlines a comprehensive 
risk-based approach to securing federal information systems, which 
include control systems. Federal organizations, including the National 
Institute of Standards and Technology (NIST), the Federal Energy 
Regulatory Commission (FERC), and the Nuclear Regulatory Commission 
(NRC), have used a risk-based approach to develop guidance and 
standards to secure control systems. NIST guidance has been developed 
that currently applies to federal agencies; however, much of the 
guidance and standards developed by FERC and NRC has not yet been 
finalized. Once implemented, FERC and NRC standards will apply to both 
public and private organizations that operate covered critical 
infrastructures. 

TVA Provides Power to the Southeastern United States: 

The TVA is a federal corporation and the nation's largest public power 
company. TVA's power service area includes almost all of Tennessee and 
parts of Mississippi, Kentucky, Alabama, Georgia, North Carolina, and 
Virginia. It operates 11 coal-fired fossil plants, 8 combustion turbine 
plants, 3 nuclear plants, and a hydroelectric system that includes 29 
hydroelectric dams and one pumped storage facility.[Footnote 6] TVA 
also owns and operates one of the largest transmission systems in North 
America. 

Control systems are essential to TVA's operation because it uses them 
to both generate and deliver power. To generate power, control systems 
are used within power plants to open and close valves, control 
equipment, monitor sensors, and ensure the safe and efficient operation 
of a generating unit. Many control systems networks connect with other 
agency networks to transmit system status information. To deliver 
power, TVA monitors the status of its own and surrounding transmission 
facilities from two operations centers. 

TVA Had Not Fully Implemented Appropriate Controls to Protect Control 
Systems from Unauthorized Access: 

TVA had not fully implemented appropriate security practices to secure 
the networks on which its control systems rely. Specifically, the 
interconnected corporate and control systems networks at certain 
facilities that we reviewed did not have sufficient information 
security safeguards in place to adequately protect control systems. In 
addition, TVA did not always implement controls adequate to restrict 
physical access to control system areas and to protect these systems-- 
and their operators--from fire damage or other hazards. As a result 
TVA, control systems were at increased risk of unauthorized 
modification or disruption by both internal and external threats. 

Weaknesses in TVA's Corporate Network Controls Placed Network Devices 
at Risk: 

Multiple weaknesses within the TVA corporate network left it vulnerable 
to potential compromise of the confidentiality, integrity, and 
availability of network devices and the information transmitted by the 
network. For example: 

* Almost all of the workstations and servers that we examined on the 
corporate network lacked key security patches or had inadequate 
security settings. 

* TVA had not effectively configured host firewall controls on laptop 
computers we reviewed, and one remote access system that we reviewed 
had not been securely configured. 

* Network services had been configured across lower and higher-security 
network segments, which could allow a malicious user to gain access to 
sensitive systems or modify or disrupt network traffic. 

* TVA's ability to use its intrusion detection system[Footnote 7] to 
effectively monitor its network was limited. 

Weaknesses in TVA Control Systems Networks Jeopardized the Security of 
its Control Systems: 

The access controls implemented by TVA did not adequately secure its 
control systems networks and devices, leaving the control systems 
vulnerable to disruption by unauthorized individuals. For example: 

* TVA had implemented firewalls to segment control systems networks 
from the corporate network. However, the configuration of certain 
firewalls limited their effectiveness. 

* The agency did not have effective passwords or other equivalent 
documented controls to restrict access to the control systems we 
reviewed. According to agency officials, passwords were not always 
technologically possible to implement, but in the cases we reviewed 
there were no documented compensating controls. 

* TVA had not installed current versions of patches for key 
applications on computers on control systems networks. In addition, the 
agencywide policy for patch management did not apply to individual 
plant-level control systems. 

* Although TVA had implemented antivirus software on its transmission 
control systems network, it had not consistently implemented antivirus 
software on other control systems we reviewed. 

Physical Security Did Not Sufficiently Protect Sensitive Control 
Systems: 

TVA had not consistently implemented physical security controls at 
several facilities that we reviewed. For example: 

* Live network jacks connected to TVA's internal network at certain 
facilities we reviewed had not been adequately secured from 
unauthorized access. 

* At one facility, sufficient emergency lighting was not available, a 
server room had no smoke detectors, and a control room contained a 
kitchen (a potential fire and water hazard). 

* The agency had not always ensured that access to sensitive computing 
and industrial control systems resources had been granted to only those 
who needed it to perform their jobs. At one facility, about 75 percent 
of facility badgeholders had access to a plant computer room, although 
the vast majority of these individuals did not need access. Officials 
stated that all of those with access had been through the required 
background investigation and training process. Nevertheless, an 
underlying principle for secure computer systems and data is that users 
should be granted only those access rights and permissions needed to 
perform their official duties. 

Information Security Management Program Was Not Consistently 
Implemented Across TVA's Critical Infrastructure: 

An underlying reason for TVA's information security control weaknesses 
was that it had not consistently implemented significant elements of 
its information security program, such as: documenting a complete 
inventory of systems; assessing risk of all systems identified; 
developing, documenting, and implementing information security policies 
and procedures; and documenting plans for security of control systems 
as well as for remedial actions to mitigate known vulnerabilities. As a 
result of not fully developing and implementing these elements of its 
information security program, TVA had limited assurance that its 
control systems were adequately protected from disruption or compromise 
from intentional attack or unintentional incident. 

TVA's Inventory of Systems Did Not Include Many Control Systems: 

TVA's inventory of systems did not include all of its control systems 
as required by agency policy. In its fiscal year 2007 FISMA submission, 
TVA included the transmission and the hydro automation control systems 
in its inventory. However, the plant control systems at its nuclear and 
fossil facilities had not been included in the inventory. At the 
conclusion of our review, agency officials stated they planned to 
develop a more complete and accurate system inventory by September 
2008. 

TVA Had Not Assessed Risks to Its Control Systems: 

TVA had not completed categorizing risk levels or assessing the risks 
to its control systems. FISMA mandates that agencies assess the risk 
and magnitude of harm that could result from the unauthorized access, 
use, disclosure disruption, modification, or destruction of their 
information and information systems. However, while the agency had 
categorized the transmission and hydro automation control systems as 
high-impact systems,[Footnote 8] its nuclear division and fossil 
business unit, which includes its coal and combustion turbine 
facilities, had not assigned risk levels to its control systems. TVA 
had also not completed risk assessments for the control systems at its 
hydroelectric, nuclear, coal, and combustion turbine facilities. 
According to TVA officials, the agency plans to complete the 
hydroelectric and nuclear control systems risk assessments by June 2008 
and they plan to complete the security categorization of remaining 
control systems throughout TVA by September 2008, except for fossil 
systems, for which no date has been set. 

Inconsistent Application of TVA's Policies and Procedures Contributed 
to Program Weaknesses: 

Several shortfalls in the development, documentation, and 
implementation of TVA's information security policies contributed to 
many of the inadequacies in TVA's security practices. For example: 

* TVA had not consistently applied agencywide information security 
policies to its control systems, and TVA business unit security 
policies were not always consistent with agencywide information 
security policies. 

* Cyber security responsibilities for interfaces between TVA's 
transmission control system and its hydroelectric and fossil generation 
units had not been documented. 

* Physical security standards for control system sites had not been 
finalized or were in draft form. 

Patch Management Weaknesses Left TVA's Control Systems Vulnerable: 

Weaknesses in TVA's patch management process hampered the efforts of 
TVA personnel to identify, prioritize, and install critical software 
security patches to TVA systems in a timely manner. For a 15-month 
period, TVA documented its analysis of 351 reported vulnerabilities, 
while NIST's National Vulnerability Database[Footnote 9] reported about 
2,000 vulnerabilities rated as high or medium risk for the types of 
systems in operation at TVA for the same time period. In addition, upon 
release of a patch by the software vendor, the agency had difficulty in 
determining the patch's applicability to the software applications in 
use at the agency because it did not have a mechanism in place to 
provide timely access to software version and configuration information 
for the applications. Furthermore, TVA's written guidance on patch 
management provided only limited guidance on how to prioritize 
vulnerabilities. The guidance did not refer to the criticality of IT 
resources or specify situations in which it was acceptable to upgrade 
or downgrade a vulnerability's priority from that given by its vendors 
or third-party patch tracking services. For example, agency staff had 
reduced the priority of three vulnerabilities identified as critical or 
important by the vendor or a patch tracking service and did not provide 
sufficient documentation of the basis for this decision. As a result, 
patches that were identified as critical were not applied in a timely 
manner; in some cases, a patch was applied more than 6 months past TVA 
deadlines for installation. 

TVA Had Not Developed System Security and Remedial Action Plans for All 
Control Systems: 

TVA had not developed system security or remedial action plans for all 
control systems as required under federal law and guidance. Security 
plans document the system environment and the security controls 
selected by the agency to adequately protect the system. Remedial 
action plans document and track activities to implement missing 
controls such as missing system security plans and other corrective 
actions necessary to mitigate vulnerabilities in the system. Although 
TVA had developed system security and remedial action plans for its 
transmission control system, it had not done so for control systems at 
the hydroelectric, nuclear, or fossil facilities. According to agency 
officials, TVA plans to develop a system security plan for its 
hydroelectric automation and nuclear control systems by June 2008, but 
no time frame has been set to complete development of a security plan 
for control systems at fossil facilities. Until the agency documents 
security plans and implements a remediation process for all control 
systems, it will not have assurance that the proper controls will be 
applied to secure control systems or that known vulnerabilities will be 
properly mitigated. 

Opportunities Exist to Improve Security of TVA's Control Systems: 

Numerous opportunities exist for TVA to improve the security of its 
control systems. Specifically, strengthening logical access controls 
over agency networks can better protect the confidentiality, integrity, 
and availability of control systems from compromise by unauthorized 
individuals. In addition, fortifying physical access controls at its 
facilities can limit entry to TVA restricted areas to only authorized 
personnel, and enhancing environmental safeguards can mitigate losses 
due to fire or other hazards. Further, establishing an effective 
information security program can provide TVA with a solid foundation 
for ensuring the adequate protection of its control systems. 

Because of the interconnectivity between TVA's corporate network and 
certain control systems networks, we recommend that TVA implement 
effective patch management practices, securely configure its remote 
access system, and appropriately segregate specific network services. 
We also recommend that the agency take steps to improve the security of 
its control systems networks, such as implementing strong passwords or 
equivalent authentication mechanisms, implementing antivirus software, 
restricting firewall configuration settings, and implementing 
equivalent compensating controls when such steps cannot be taken. 

To prevent unauthorized physical access to restricted areas surrounding 
TVA's control systems, we recommend that the agency take steps to 
toughen barriers at points of entry to these facilities. In addition, 
to protect TVA's control systems operators and equipment from fire 
damage or other hazards, we also recommend that the agency improve 
environmental controls by enhancing fire suppression capabilities and 
physically separating cooking areas from system equipment areas. 

Finally, to improve the ability of TVA's information security program 
to effectively secure its control systems, we are recommending that the 
agency improve its configuration management process and enhance its 
patch management policy. We also recommend that TVA complete a 
comprehensive system inventory that identifies all control systems, 
perform risk assessments and security risk categorization of these 
systems, and document system security and remedial action plans for 
these systems. Further, we recommend improvements to agency information 
security policies. 

In commenting on drafts of our reports, TVA concurred with all of our 
recommendations regarding its information security program and the 
majority of our recommendations regarding specific information security 
weaknesses. The agency agreed on the importance of protecting critical 
infrastructures and stated that it has taken several actions to 
strengthen information security for control systems, such as 
centralizing responsibility for cyber security within the agency. It 
also provided information on steps the agency was taking to implement 
certain GAO recommendations. 

In summary, TVA's power generation and transmission critical 
infrastructures are important to the economy of the southeastern United 
States and the safety, security, and welfare of millions of people. 
Control systems are essential to the operation of these 
infrastructures; however, multiple information security weaknesses 
exist in both the agency's corporate network and individual control 
systems networks and devices. An underlying cause for these weaknesses 
is that the agency had not consistently implemented its information 
security program throughout the agency. If TVA does not take sufficient 
steps to secure its control systems and implement an information 
security program, it risks not being able to respond properly to a 
major disruption that is the result of an intended or unintended cyber 
incident. 

Mr. Chairman, this concludes our statement. We would be happy to answer 
questions at this time. 

Contact and Staff Acknowledgments: 

If you have any questions regarding this testimony, please contact 
Gregory C. Wilshusen, Director, Information Security Issues, at (202) 
512-6244 or [email protected], or Nabajyoti Barkakati, Acting Chief 
Technologist, at (202) 512-4499 or [email protected]. 

Other key contributors to this testimony include Nancy DeFrancesco and 
Lon Chin (Assistant Directors); Angela Bell; Bruce Cain; Mark Canter; 
Heather Collins; West Coile; Kirk Daubenspeck; Neil Doherty; Vijay 
D'Souza; Nancy Glover; Sairah Ijaz; Myong Kim; Stephanie Lee; Lee 
McCracken; Duc Ngo; Sylvia Shanks; John Spence; and Chris Warweg. 

[End of section] 

Footnotes: 

[1] GAO, Critical Infrastructure Protection: Federal Efforts to Secure 
Control Systems Are Under Way, but Challenges Remain, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036] (Washington, D.C.: 
September 2007) and GAO, Critical Infrastructure Protection: Multiple 
Efforts to Secure Control Systems Are Under Way, but Challenges Remain. 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-119T] (Washington, 
D.C.: October 2007). 

[2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347 (Dec.17, 2002). 

[3] GAO, Information Security: TVA Needs to Address Weaknesses in 
Control Systems and Networks, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-459SU] and [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-526] (Washington, D.C.: May 2008). 

[4] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-526] and 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-459SU]. 

[5] See GAO, Critical Infrastructure Protection: Multiple Efforts to 
Secure Control Systems Are Under Way, but Challenges Remain, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036] (Washington, 
D.C.: Sept. 10, 2007). 

[6] A pumped-storage plant uses two reservoirs, with one located at a 
much higher elevation than the other. During periods of low demand for 
electricity, such as nights and weekends, energy is stored by reversing 
the turbines and pumping water from the lower to the upper reservoir. 
The stored water can later be released to turn the turbines and 
generate electricity as it flows back into the lower reservoir. 

[7] An intrusion detection system detects inappropriate, incorrect, or 
anomalous activity that is aimed at disrupting the confidentiality, 
availability, or integrity of a protected network and its computer 
systems. 

[8] Federal Information Processing Standard 199 provides criteria for 
categorizing risk to systems as high, moderate, or low. 

[9] The National Vulnerability Database is the U.S. government 
repository of standards based vulnerability management data. This data 
enables automation of vulnerability management, security measurement, 
and compliance. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***