Backup and Recovery of Operational Technology - Gas Operations

Report Information

Date Issued

February 26, 2026

Report Number

2025-17557

Report Type

Audit

Description

The Office of the Inspector General performed an audit to determine if the backup and recovery process for operational technology cyber assets at Tennessee Valley Authority (TVA) natural gas plants were (1) designed in accordance with federal guidance and (2) operating as defined by TVA policy. We determined TVA Generation’s backup and recovery procedure was designed in accordance with federal guidance for most areas. However, the (1) procedure did not align with federal guidance for encryption and (2) process was not operating as defined by TVA Generation’s procedure. Specifically, the National Institute of Standards and Technology recommends cryptographic mechanisms be implemented to prevent unauthorized disclosure and modification of data; however, encryption was not addressed in TVA Generation’s procedure. Additionally, none of the plants selected for testing had a documented backup and recovery plan as required by procedure.

Joint Report

Agency Wide

Yes (agency-wide)

Questioned Costs

Funds for Better Use

Recommendations

We recommend the Vice President, Generation Tech Support, revise Generation’s Standard Operating Procedure 12.871, Cyber Security – Backup and Recovery, to address encryption to align with federal guidance and communicate the standard operating procedure requirements to plant personnel.

We recommend the Vice President, Generation Tech Support, develop backup and recovery plans for each plant in accordance with Generation’s Standard Operating Procedure 12.871, Cyber Security – Backup and Recovery.

Backup and Recovery of Operational Technology - Gas Operations

Report Information

Recommendations

1 - Open

2 - Open

EMAIL ALERT SERVICE