By Brian Krebs
washingtonpost.com Staff Writer
May 21, 2008
The Tennessee Valley Authority (TVA), the nation's largest public power
company, is vulnerable to cyber attacks that could sabotage critical
systems that provide electricity to more than 8.7 million people,
according to a Government Accountability Office report to be released
The report was requested by a House Homeland Security panel on cyber
security, which is expected to hear testimony today from the Federal
Energy Regulatory Commission about gaining additional authority to
require electric utilities to implement added cyber-security measures.
The GAO found that TVA's Internet-connected corporate network was linked
with systems used to control power production, and that security
weaknesses pervasive in the corporate side could be used by attackers to
manipulate or destroy vital control systems. As a wholly owned federal
corporation, TVA must meet the same computer security standards that
govern computer practices and safeguards at federal agencies.
The GAO also warned that computers on TVA's corporate network lacked
security software updates and anti-virus protection, and that firewalls
and intrusion detection systems on the network were easily bypassed and
failed to record suspicious activity.
"In addition, physical security at multiple locations did not
sufficiently protect critical control systems," the GAO concluded. "As a
result, systems that operate TVA's critical infrastructures are at
increased risk of unauthorized modification or disruption by both
internal and external threats."
The vulnerability of the nation's electrical grid to computer attack is
due in part to steps taken by power companies to transfer control of
generation and distribution equipment from internal networks to
supervisory control and data acquisition, or SCADA, systems that can be
accessed through the Internet or by phone lines, according to
consultants and government reports.
The move to SCADA systems boosts efficiency at utilities because it
allows workers to operate equipment remotely. But experts say it also
exposes these once-closed systems to cyber attacks. So far, examples of
hackers breaking into control systems to cause damage or outages are
scarce. However, there's evidence that the threat of such damage makes
control systems an alluring target for extortionists.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com