U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Corporate Wi-Fi Security

Report Information

Date Issued
Report Number
2023-17434
Report Type
Audit
Description
The Office of the Inspector General performed an audit to determine if TVA’s security controls were appropriately configured to protect corporate Wi-Fi networks. Our scope was limited to Wi-Fi networks maintained by TVA’s Technology and Innovation organization. We determined TVA’s security controls related to overall architecture design and implementation were generally configured appropriately to protect corporate Wi Fi networks. However, we identified several areas that should be addressed to further improve the security of corporate Wi-Fi networks. Specifically, we identified:• Internal controls for specific types of attacks were ineffective.• Wireless software and hardware were unsupported by the manufacturer.• Data in transit (electronic transmission of information) was not properly secured.• Primary accounts improperly provided privileged user access.• Service account usage was not in accordance with TVA policy.• Baseline configuration management process was not designed or implemented properly.TVA management agreed with our recommendations.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, update and implement internal controls to properly defend, detect, and respond to specific types of wireless attacks.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement the planned project to upgrade software and hardware to supported versions.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, take action to remediate both instances of insecure protocols in use where technically and operationally possible.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, design and implement a process to identify and remediate primary user accounts that should not be included in privileged access groups.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, identify and review service accounts used for wireless infrastructure to ensure all service accounts are appropriately secured where technically and operationally possible.