Critical Infrastructure Security, Data Security, Threat Management, Identity
Accountability unclear as cybersecurity for federal dams falls short

An audit of a federally managed dam control system in Tennessee found it was running old, insecure software and the agency hadn't made anyone accountable for its cybersecurity. (Image credit: stockstudioX via Getty)
As geopolitical fallout from the Russian invasion of Ukraine creates new potential risk, cybersecurity officials within the federal government have publicly fretted about the vulnerability of U.S. critical infrastructure to retaliatory cyberattacks from Moscow or ransomware groups. Findings from a recent audit of cybersecurity controls for a dam control system underscore why they’re concerned.A report from the Tennessee Valley Authority Inspector General concluded that the agency’s non-power dam control system found numerous security shortfalls and a lack of clarity who in the agency had ultimate ownership over securing access to the system.Perhaps most concerningly, TVA officials told auditors there was no clear owner of the non-power dam control system, with two separate teams intimately involved in its design, maintenance and operation. However, neither was designated to be accountable for failures in cybersecurity planning, something that auditors said was corrected by TVA prior to the release of the report."Without clear ownership, the maintenance and operation of cybersecurity controls may not occur, increasing cybersecurity risks related to the control system,” wrote David P. Wheeler, assistant inspector general for TVA. The audit, which took place between December 2021 and April 2022, identified numerous deficiencies in the way TVA officials secured their control system. Non-power dams under the TVA are run through a control system operated off-site and are used to adjust water flows.Most of the technical details and recommendations for mitigation were omitted from the report to avoid tipping off attackers, but it does reveal some basic shortfalls that left the system exposed. The agency ran older versions of operating and control system software for the non-power dam control that were vulnerable to exploits, had “inappropriate” physical and logical access barriers, and operated in an environment where it was unclear who was responsible for cybersecurity.“We found operation system and control system software vulnerabilities that could be used to gain inappropriate access to the non-power dam control system, allowing for adjustments to water flows that could potentially have a negative impact on river management,” auditors wrote.
An In-Depth Guide to Identity
Get essential knowledge and practical strategies to fortify your identity security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds