Skip to main content

Study finds TVA vulnerable to hacking

  • Story Highlights
  • A hacker could disrupt Tennessee Valley Authority system, causing blackouts
  • TVA supplies power to almost 9 million Americans
  • Congress was told 75 percent of utilities fixed problems to combat attacks
  • Representative: no clear picture of how vulnerable utilities are to cyber attacks
  • Next Article in U.S. »
From Jeanne Meserve
CNN Homeland Security Correspondent
Decrease font Decrease font
Enlarge font Enlarge font

WASHINGTON (CNN) -- The nation's largest publicly owned utility company may be vulnerable to cyber attacks, according to a new report.

In 2007 President Bush visited the Browns Ferry Nuclear Plant, operated by the Tennessee Valley Authority.

The Tennessee Valley Authority, which supplies power to almost 9 million Americans, "has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures," leaving them "vulnerable to disruption," the Government Accountability Office found.

Simply put, that means a skilled hacker could disrupt the system and cause a blackout.

Rep. James Langevin, a Rhode Island Democrat, fears the problem is much larger than just the TVA.

"If they are not secure, I don't have a great deal of confidence that the rest of our critical infrastructure on the electric grid is secure," he said.

The TVA operates 52 nuclear, hydroelectric and fossil-fuel facilities in the southeastern United States.

Among the government watchdog agency findings:

• The TVA's firewalls have been bypassed or are inadequately configured

• Passwords are not effective

• Servers and work stations lack key patches and effective virus protection

• Intrusion-detection systems are not adequate

• Some locations lack enough physical security around control systems.

The GAO recommends 73 steps to correct the problems in its report to Congress.

In September, CNN first aired dramatic footage of a government experiment demonstrating that a cyber attack could destroy electrical equipment.

The experiment, dubbed "Aurora," caused a generator to fall apart and grind to a halt after a computer attack on its control system. The test was conducted by scientists at the Idaho National Laboratory.

In October, the North American Electric Reliability Corp. told Congress that 75 percent of utilities had taken steps to mitigate the Aurora vulnerability, but Langevin said it now appears that Congress was misled.

A congressional audit of the electric reliability corporation's claim cast doubt on the assertion that most utilities were taking steps to fix the problem.

"It appears that they just made those numbers up," Langevin said. "It is not acceptable. It is outrageous."

He said the result is there is now no clear picture of how vulnerable utilities are to cyber attacks.

The electric reliability corporation -- a nongovernmental group that oversees the power system and comprises members of the industry and some consumers -- told CNN it regrets the confusion.

Experts told CNN that Cooper Industries is the only manufacturer of hardware that can close the Aurora vulnerability. The company estimated it would need to sell about 10,000 devices to fix the problem nationwide. It has sold just over 100, it told CNN.

Langevin said the federal government may need new powers to require utilities to take corrective actions to close cyber security gaps, and he will press to give those powers to the Federal Energy Regulatory Commission.

The congressman is chairing an Emerging Threats, Cybersecurity, and Science and Technology subcommittee hearing Wednesday afternoon.

Representatives of the TVA, the GAO, the federal commission and the electric reliability corporation are to appear before the subcommittee.

All About Tennessee Valley Authority

  • E-mail
  • Save
  • Print