TVA Security Lapses Could Endanger US Health, Economy
coondoggie links to a Network World story about myriad security flaws (described in a report from the Governmental Accountability Office) at all levels of the Tennessee Valley Authority, the country's largest public power utility, excerpting: "The Tennessee Valley Authority (TVA) is a federal corporation that generates power using 52 fossil, hydro and nuclear facilities in an area of about 80,000 square miles and has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures, the GAO concluded. TVA's corporate network infrastructure and its control systems networks and devices at individual facilities and plants reviewed were vulnerable to disruptions that could endanger a good portion of the country's economic security and public health and safety, the GAO said."
The TVA is hardly alone, though, when it comes to governmental computer security. Reader bc90021 points out the Federal Government's newly released Computer Security Report Card (prepared for Congressman Tom Davis), which "breaks down the agencies and assigns them all a grade. There are plenty of Fs, not the least of which is for the newly reconnected Department of the Interior."
More about "The Bunker": it has bedrooms, conference areas, and a whole slew of control panels, and server farms. The employee that was with me and I left there, and on the way back to my business we were like, "If we were the bad guys we could have just caused major mayhem." Needless to say, I returned again a couple of months later on a job and instead of just walking in, I got an M16-clad officer at the door. I would think their security is likely better now. At least I *hope* it is.
P.S. I hope they don't come after me for telling this.
I had a large utility administration customer back in the early 90's. Back then I was constantly shocked (pun intentional) about how vulnerable our power distribution system really was. And the weakest links were frequently the most lightly protected. I even started drafting a novel about a small group of terrorists able to take down the power grid on the entire west coast for months and the effects on society of such an extended outage.
Hopefully grid security is better now, but there's still a lot of lightly protected hardware that will remain difficult to harden.
Ever since then I've kept a 4 kW generator and extra gas, just in case. Even though I've only needed it a few times in all those years. Our power grid is surprisingly reliable. So much so we tend to take it for granted.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
What are the criteria for grading?
I work in IA for the DoD, and there is a lot of stupid stuff that happens, but in the end, the number of minor security incidents is very low, and the number of SERIOUS security incidents is absolutely minuscule. Serious incidents are usually along the lines of information leakage, someone inside doing something stupid without malicious intent.
My point being, this isn't a signal that these departments are insecure because they don't show WHAT they're grading. Are they counting serious incidents? Minor ones? Number of missed security deadlines? Number of workstations with WSUS errors? Number of MWR personnel that clicked on an exercise phishing link? What??
Lots of directives in the government are lists of objectives with deadlines next to them created by a higher-up that doesn't understand any part of it. I am not discounting this "report" entirely, but I've seen this enough times to understand how little it could actually mean, especially considering there is no information provided.
I wonder how much of a stink Tom Davis is going to raise in Congress about it, or if he is going to look at it and understand that it tells him nothing.
My company provides software for utility companies (not control systems :-) ). I have to disagree with the statement that there was ZERO incentive to upgrade infrastructure. There is plenty of incentive. As always, the profit motive, well, motivates.
An example: The industry has been moving, for years now, towards TOU rates (time of usage). This requires upgrading manually-read meters to meters that automatically upload their usage data. This saves utilities money in the long run because you don't have to send people out in trucks just to read meters. It saves the penny-conscious consumer money too -- win-win.