Monday, May 26, 2008

GAO Report Rips TVA at “Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid” Hearing

Scathing GAO testimony and findings from its assessment of TVA cyber security should be of special interest to many electric utility organizations. The TVA issues cited included problems stemming from the lack of a corporate-level cyber security program, and significant security posture weaknesses and unevenness in both operational and corporate network settings. TVA’s COO (William R. McCollum, Jr.) reported significant focus and progress in addressing all of these, with a strong commitment to continue improving.

The hearing is available for viewing (~90m) at C-SPAN Video Library: Security of the Electric Grid - May 21, 2008 (updated 1/23/2011)

In my opinion, looking hard at referenced NIST standards to further address specific cyber security topic areas makes sense for NERC CIPs, as does looking at broader information security frameworks to help scope and tailor well-governed corporate-level programs based on recognized frameworks, e.g., ISO 17799:2005, COBIT, etc.

Anyone with a stake in cyber securing critical infrastructure will benefit from reviewing the hearing and closely studying the 62-page May 2008 GAO report "Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks".

