U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Non-Power Dam Control System Cybersecurity

Report Information

Date Issued
Report Number
2022-17340
Report Type
Audit
Description
As part of our annual audit plan, we performed an audit of Tennessee Valley Authority’s (TVA) non-power dam control system cybersecurity. Our objective was to determine if the cybersecurity controls of TVA’s non-power dam control system were operating effectively.In summary, we found (1) no clear ownership of the non-power dam control system, (2) vulnerable versions of operating systems and control system software, (3) inappropriate logical and physical access, and (4) internal information technology controls were not operating effectively or had not been designed and implemented. Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access. We recommend the Senior Vice President, Resource Management and Operations Services, update the non power dam control system to address the identified vulnerabilities and information technology control weaknesses. TVA management agreed with our recommendation and provided information on planned actions.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Senior Vice President, Resource Management and Operations Services, update the non-power dam control system servers to address identified vulnerabilities and internal control weaknesses.