GAO Report on TVA
A GAO report on TVA’s control system security is out. This report and the Congressional hearings are going to be hot topics over the next days and weeks.
Unfortunately we will not have much to say on this because we have a fair amount of inside knowledge covered under NDA. TVA is a partner in Digital Bond’s Dept. of Energy-funded Bandolier and Portaledge projects. Even if we were able to write on this, most of the really interesting and important facets of this story are political issues rather than technical issues.
The House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is in a hearing now to get testimony from NERC and FERC on the Aurora remediation actions and the NERC CIP regulations [which we will comment on], followed by GAO and TVA regarding the GAO report.
The Subcommittee chair has already laid down the gauntlet that NERC had better improve or it will need to be replaced and he has ‘little confidence’ in the industry to address security. FERC seems to have placated the chair.
Author: Dale Peterson
Posted: May 21st, 2008 under NERC CIP, US Government.
Comments: 4
Comments
Comment from Pacific NW PUD
Time: May 22, 2008, 10:10 pm
I wonder how many other electric utilities, especially smaller publicly owned ones, are facing “political issues” too.
Public Utility Districts in the west where I am employed are led by a locally elected commission who hires a General Manager who is only concerned with his/her salary and taking care of the commissioner’s pet projects. Most barely have firewalls on the corporate side and demoted non-computer types running the SCADA systems.
The common mantra from management is “we don’t impact the BES” or “we are NOT spending $50,000 to prevent a $5,000 fine.”
At a recent conference I heard fellow computer techs asking the regional auditor to please levy some fines so management will take cyber security seriously.
FAT CHANCE!
The senior leadership will abandon ship right before the fine notices arrive.
I too believe that FERC needs to quit messing around, replace NERC with their own in-house experts and take over the audit process from the regional entities so that Congress’ intent to protect the BES can be finally realized.
Comment from Jake Brodsky
Time: May 27, 2008, 9:28 am
I know many water utilities in the same situation. And in fairness, I don’t know if the bandwidth exists at the executive level of large companies to deal with an issue like this.
There will have to be a major, world changing event before managers of most water utilities will take this issue seriously.
I’m betting that will happen in about three years.
Comment from CallBEFOREYouDig
Time: May 27, 2008, 8:11 pm
Of note, the FERC appears to be arguing for additional regulatory authority to bypass NERC on urgent cyber security issues:
http://ferc.gov/EventCalendar/Files/20080521140041-Cybersecurity%20testimony.pdf
Comment from Andy Cook
Time: June 24, 2008, 12:27 pm
I would be interested in hearing opinions on who might have the expertise to lead a team responsible for fixing the problems that TVA has been cited for, and the ability to lead the current and future development of TVA’s security infrastructure.