The Tennessee Valley Authority, one of the rare American entities having such blunt audacity as to name itself an “authority,” is a federal government-owned corporation that provides electric utilities to Tennessee and six neighboring states. From Knoxville, Tennessee, where its operations are headquartered, the TVA serves 10 million consumers and collects $11 billion in revenues, around 10% of which remains as net revenue after expenses.
Many immediately think of hydroelectric power as being synonymous with the TVA’s operations. It also manages nuclear, solar, fossil fuel, and natural gas power production. In fact, the vast majority of its power comes through nuclear technologies with hydro lining up fourth in capacity production. Clearly, the TVA could be a poster child of critical infrastructure.
Southwest of TVA’s HQ, along the Tennessee-Georgia line in Chattanooga, 20 TVA employees operate its cybersecurity hub, where 24-7-365 internet monitoring, among other strategies, helps provide intelligence about security threats. Because it is a government agency, of sorts, and part of our critical infrastructure, there are concerted efforts beyond those 20 analysts to maintain security. This seems necessary for myriad reasons, and acutely because of some of TVA’s nuclear production. For example, its Watts Bar Nuclear Plant contributes material for our nuclear weapons as required by the U.S. National Nuclear Security Administration; that’s the by-product known as tritium, also known as hydrogen-3, for your curiosity’s sake.
I could dive deeper and continue explaining all the security risks inherent to the TVA, but we can just agree that it’s a serious target that requires the pinnacle of cybersecurity efforts. Despite TVA’s claim that its “transmission system achieved 99.999 percent reliability for the 20th year in a row”, the Government Accountability Office, and many others from the media and industry, concur that the TVA is “unduly susceptible to cyber attacks of its power system.”
Besides the nuclear power production and services, and the power-producing plants fired by coal, natural gas, or spun by the power of water at its dams, the TVA also manages so-called non-power dams. Its largest, the Normandy Dam on Tennessee’s Duck River, and other non-power dams, provide economic development, recreational water activities, and other non-power benefits to much of the TVA’s 80,000 square-mile purview, while at the same time, in a truly systems-theoretical view, non-power dams support power-producing dams and other TVA facilities.
In Tennessee alone, the TVA operates 19 of the more expected dams, those that produce hydroelectric power for its customers, and another 11 non-power dams. Non-power dams are integral to the overall operating spectrum of the TVA. They're interconnected, generally, just like you and I might find ourselves interconnected via the internet. Shared, networked communication of data is the de rigueur model of information technology. The TVA, again generally, falls in line with that model. Know that there are all sorts of backups, security systems, fail-safes, and other such intervening safeguards baked into the recipe, but at its base all of the countless TVA technological widgets are connected.
Why do I sometimes write about Russia’s state-sponsored hacking activities aimed at Ukraine? Why do I encourage you to spread the word to your family and friends about password best practices? Because these past 50 years of technological developments and innovation relied on the tenet that we are effectively connected to each other. The rub, as they say, can be found in the resulting weakest-link risks.
Thus, if the TVA’s seemingly lighter-duty, less important operations, such as those presumed to make up its non-power dams, are at risk, then so too are its nuclear production facility, its solar and wind operations, the coal and gas plants … One unlocked door gives way to the entire system.
Logically, a hole in the security system at the TVA, even in its non-power dams sector, should be wildly concerning so far as critical infrastructure and national security are concerned. The TVA’s Office of the Inspector General claims great concern in this vein, as evidenced by its June 1, 2022, recommendation to “address identified vulnerabilities … and weaknesses” at TVA’s non-power dams.
The TVA’s OIG conducted an audit with inspectors going into the field between December of 2021 and this past April. A richly planned audit had been constructed that was meant to assess non-power dams’ security in terms of (1) access control; (2) technology patching, such as when our phones or laptops get updated to fill security holes; (3) managing the configurations of technologies, as when IT experts set them up to survive attacks or threats; and (4) risk and contingency planning. Without sound, up-to-date, security-aware approaches in these four areas, there’s no hope of maintaining a secured environment surrounding these critical infrastructure components.
The OIG did not find hopeful results. Most alarming, to this reviewer of the report, was the fact that they found “no clear ownership” of the non-power dams’ control systems. No clear ownership?! That sounds like classic finger-pointing around the table when it all goes south. “Wasn’t our responsibility” echoes throughout the war room when no one owns the ultimate duty. Also, the software and operating systems were deemed vulnerable to attacks. Controls over IT security weren’t in place, or were ineffective and outdated. It was easy to gain access into the physical plants, and just peasy to get into the computer systems with poor password access controls.
In response, TVA’s management agreed with the OIG. Oh, good. They continued that the concerns will be addressed. Whew.
It’s 2022. Critical infrastructure threats have been levied successfully, and are continual. The TVA needs urgency of action. We, in the purview of the TVA and beyond, deserve serious management of these and all its facilities. The nuclear plants are only X-number of internet nodes away from Normandy, and for now at least I am not implicating beachheads by invoking the non-power dam’s name.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
