The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General’s Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites.
The review was part of an annual audit plan to ensure that the TVA was compliant with two federal directives that require website and email security controls. These controls had to comply with the Office of Management and Budget’s (OMB) memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, and DHS’s binding operational directive (BOD) 18-01, Enhance Email and Web Security, regarding website and email security practices.
According to David Wheeler, the assistant inspector general for audits and evaluations, the TVA was found not to be compliant with OMB A-15-13 and DHS BOD 18-01. “In addition, we found that TVA’s web site inventory was incomplete.” These findings were formally communicated to TVA management on March 26, 2019.
The fieldwork for the audit was carried out from November 2018 to March 2019. The team obtained and reviewed TVA’s website inventory from the TVA’s cybersecurity personnel and compared it to the population of identified publicly accessible websites, according to the memo from Wheeler. Internet domain listings were also collected. These findings were then scanned using tools to determine compliance with OMB A-15-13 and DHS BOD 18-01 requirements. Out of 116 domains, 115 did not meet requirements, with encryption requirements inadequate on 20 out of 55 TVA websites.
This left TVA emails and websites open to attacks, such as phishing. Research by IRONSCALES found that secure email gateways (SEG) failed to 99.5% of all nontrivial email spoofing attacks. A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, bypassing SEG technology on a regular basis.
In his memo, Wheeler recommended that email security policies for domains needed to be updated to meet requirements, reviewing them on a periodic basis for compliance. He also wrote: “Update websites that were not compliant with OMB M-15-13 and DHS BOD-18-01 requirements, and review on a periodic basis for compliance” as well as review website inventory.
TVA management agreed with the audit findings and recommendations in this report, according to the memo.