
Network Architecture - Hydro

Report Information

Date Issued
Report Number
2023-17419
Report Type
Audit
Description
The Office of the Inspector General performed an audit of a TVA hydroelectric facility to determine if the network architecture and assets in use to support site business and operations were compliant with TVA policies, procedures, and identified best practices. We determined several areas of the network architecture and assets did not follow TVA policies, procedures, or identified best practices. Specifically, we identified the following issues:

• Network redundancy was not implemented in accordance with identified best practices.
• Network asset retirement was not implemented in accordance with Power Operations’ Standard Operating Procedure.
• Power Operations’ location specific standard operating procedure did not require unique passwords in accordance with identified best practices.

In addition, we identified the following internal control deficiencies significant to our audit objective:

• Baseline configurations were not implemented in accordance with location specific Power Operations’ standard operating procedure.
• Physical access permissions and controls were not implemented in accordance with identified best practices.

TVA management agreed with our recommendations.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Senior Vice President, Power Operations, implement planned design changes to address network redundancy and implement additional changes to address single points of failure.

We recommend the Senior Vice President, Power Operations, remove the decommissioned asset from the network and follow the operational technology asset inventory validation as required by Power Operations’ Standard Operating Procedure 12.862.

We recommend the Senior Vice President, Power Operations, revise procedures to require unique passwords for assets, local accounts, and services.

We recommend the Senior Vice President, Power Operations, create baseline configurations and implement a process to verify that baseline configurations are followed and maintained as required by Power Operations’ location specific standard operating procedure.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, properly secure and control physical access to all business network assets at the hydroelectric facility in accordance with National Institute of Standards and Technology Special Publication 800-53.