NAVIGATING RISK A FOCUS ON CYBER SECURITY TVA OIG SEMiaNNUAL REPort 1 TVA Locations W.V. IL. R o i v i e Lovers Lane KENTUCKY h r Soccer Complex O Paradise Fossil Plant Shawnee Fossil Plant VIRGINIA Kentucky MISSOURI Marshall Dam & Lock Clear Creek Dam Combustion Turbine Duffield Primary School Beaver Creek Dam r e Ft. Patrick Henry Dam South Holston Dam v Boone Dam C i Doakes Wilbur Dam u Creek Dam John Sevier m Fossil Plant & Dam R Cumberland Watauga Fossil Plant b Adventure Gallatin Fossil Plant Dam ARK. Gleason e Morgan County i Combustion Turbine r Science Center &Combustion Turbine Buffalo Vocational Technical Norris Dam l Mountain a Cherokee p Nolichucky n School Dam d Bull Run Dam p Ijams Johnsonville R American Museum of Science and Energy Fossil i v Plant Nature Cocke County i Fossil Plant & e Douglas r Center Dam High School s Combustion Turbine Melton Kingston Fossil Plant Hill Dam s & Lock i Cedar Ft. Loudoun Dam & Lock TENNESSEEDam s Tellico NORTH Pin Oak Dam Great Falls Dam Dam s Beech Dam Redbud Dam Dollywood CAROLINA i Lagoon Dogwood Dam Watts Bar Watts Bar Pine Dam Dam & Lock M Creek Lost Creek Dam Nuclear Plant Combustion Sycamore Dam Fontana Dam Turbine Brownsville Normandy Dam Combustion Turbine BRIDGES Center R i v e r Apalachia Sequoyah Nuclear Plant Dam Tims Ford Dam Hiwassee Dam Allen Fossil Plant, Ocoee #1 Dam Combustion Turbines, & Methane Facility Chickamauga Dam & Lock Ocoee #2 Dam Chatuge Dam Pickwick Landing Dam & Lock Nickajack Dam & Lock Ocoee #3 Dam Nottely Dam Florence Water Raccoon Finley Stadium Southaven Widows Creek Mountain SOUTH Magnolia Treatment Facility Combined-Cycle Wheeler Dam Fossil Plant Pumped Blue Ridge Dam CAROLINA Plant Combined-Cycle & Lock Storage Plant Colbert Fossil Plant & Browns Ferry Bellefonte Plant CombustionTurbine Wilson Nuclear Plant Nuclear Plant Dam (UNDER CONSTRUCTION) & Lock University of Mississippi e Cedar Creek Dam Intramural Sports Complex e Guntersville b Little Bear Creek Dam g i Dam & Lock b Bear Creek Dam m y T e n n e s s e e o a Albertville T w - r e Diesel Generator GEORGIA e e t s a s Upper Bear Creek Dam W e n n MISSISSIPPI e T LEGEND Caledonia ALABAMA State Line TVA Combined-Cycle Plant Combined-Cycle Plant Water TVA Combustion Turbine Plant Power Service Area TVA Diesel Generator TVA Pumped-Storage Plant Mississippi TVA Watershed State TVA Customer Service Office University TVA Hydroelectric Dam TVA Non-Power Dam TVA Economic Development Office TVA Watershed Team Office TVA Coal-Fired Plant Green Power Switch® Solar Site TVA Nuclear Plant Kemper Green Power Switch® Wind Site Combustion TVA Nuclear Plant Turbine Under Construction Green Power Switch® Methane Site Meridian Diesel Generator 0 20 40 60 mi. Sept. 2011 N TVA POWER GENERATION FY 2012 (in millions of kilowatt hours) Natural gas Nonhydro and/or oil-fired renewable 12% resources <1% V Coal - 58,584 Coal 41% Hydroelectric V Nuclear - 55,244 9% V Hydroelectric - 12,817 V Natural gas and/or oil-fired - 16,650 Nuclear 38% V Nonhydro renewable resources - 25 Source: TVA FY 2012 Annual Report TABLE OF CONTENTS Navigating Risk: A Focus on Cyber Security Message from the Inspector General. ....................................4 Special Feature ....................................................7 Noteworthy Undertakings ........................................... 13 Executive Overview ................................................ 17 Organization..................................................... 20 Audits ......................................................... 27 Evaluations ...................................................... 39 Investigations .................................................... 43 Legislation and Regulations .......................................... 49 Appendices ..................................................... 50 Appendix 1 – Index of Reporting Requirements Under the Inspector General Act.... 51 Appendix 2 – Audit and Evaluation Reports Issued ......................... 52 Appendix 3 – Audit and Evaluation Reports Issued With Questioned and Unsupported Costs and Recommendations for Better Use of Funds.... 54 Appendix 4 – Audit and Evaluation Reports with Corrective Actions Pending....... 56 Appendix 5 – Investigative Referrals and Prosecutive Results .................. 60 Appendix 6 – Highlights ............................................ 61 Appendix 7 – Government Contractor Audit Findings ....................... 62 Appendix 8 – Peer Reviews of the TVA OIG............................... 63 Glossary ........................................................ 65 Abbreviations and Acronyms ......................................... 66 TVA OIG SEMiaNNUAL REPort 3 MEssaGE FROM THE InsPECTOR GENEraL I am pleased to present our report for the period April 1, 2012, through September 30, 2012. Once again our theme focuses on navigating risks faced by the Tennessee Valley Authority (TVA)—specifically, cyber security risk. Business leaders and government officials alike recognize the significant risk posed from cyber security threats that are constantly changing. As discussed in the feature article in this semiannual report, given what is at stake, it is imperative that agencies are agile enough to handle not only their identified historical threats, but any future threats as well. All of the work that we do in the in TVA’s plans to address In August 2012, TVA’s Chief Office of the Inspector General craft labor shortages and in Executive Officer (CEO), Tom (OIG) is aimed at reducing risks for the lessons learned process Kilgore, announced his intention TVA. Our accomplishments for this after a construction project is to retire by the end of this year semiannual period all reflect, in completed. after seven years with TVA. On one way or the other, how the OIG behalf of the OIG, I extend to Mr. has made TVA better by reducing V Reviews of the Financial Kilgore our appreciation for his risks. Our audit, evaluation, and Trading Program and Direct many contributions to TVA over the investigation activities resulted in Load Control Program which years, and we wish him well in almost $28 million in recoveries, identified needed improvements his retirement. fines/penalties, waste, potential to increase the effectiveness of savings, questioned costs, or the programs. Also, at the end of the year, two funds which could be put to of TVA’s Board members end their better use, as well as numerous V An evaluation of a project service. Bishop William Graves, recommendations to help TVA management system which who has served on the People and become better and recognize areas found TVA achieved some Performance, and Finance, Rates, where additional controls may project management capability and Portfolio committees, and be necessary to adequately but considerable opportunity for Marilyn Brown, who has served manage risks. Some of the improvement exists. as chair of the Nuclear Oversight highlights include: Committee as well as a member of V Investigations which resulted the External Relations Committee, V Reviews that identified areas in one individual convicted will rotate off as the 112th in which controls over (1) a in federal court; three others Congress ends. On behalf of the critical transmission asset sentenced federally on varying OIG, I want to extend my thanks needed improvement and charges, such as workers’ for their support of the OIG and (2) TVA’s privacy program compensation fraud, false service to TVA. were not effective. statements, and theft; and another indicted on state President Barack Obama has V Reviews that determined charges. nominated Marilyn Brown for improvements were needed an additional term on the Board 4 TVA OIG SEMiaNNUAL REPort Holston Reservoir along with four other individuals. transition under new leadership evaluations, and investigations Currently, it appears unlikely these with the appointment of a new to enable TVA leadership to individuals will be confirmed by the CEO and, hopefully, confirmation successfully lead TVA forward. Senate before the end of the year. of additional Board members. The OIG will work to promote TVA’s Finally, during the next semiannual mission by continuing to provide period, TVA will once again independent and objective audits, Richard W. Moore Inspector General TVA OIG SEMiaNNUAL REPort 5 NAVIGATING RISK A Focus on Cyber Security 6 TVA OIG SEMiaNNUAL REPort SPEciaL FEATURE Navigating Risk: A Focus on Cyber Security In our Fall 2011 semiannual report, we examined the intersection of federal agency and Inspector General (IG) responsibilities for assessing and dealing with risks to the agency. In this article, we focus on the role of the IG for one key risk area common to government, business, and individuals–cyber security. Like in many risk areas, the OIG can actually reinforce this mentality of an agency’s enterprise risk seeks to contribute to finding if it is primarily checking for management system. That solutions rather than just finding compliance with existing laws and assessment must be approached problems. Contributing to the regulations without encouraging with a particular mindset similar solution in the cyber security arena the agency to do a deep dive to the current mindset of federal means, among other things, that risk assessment. As a result, the law enforcement and intelligence the IG and his or her team: agency may spend more time agencies, post 9/11, in assessing (1) have the right mindset about and money than ever before, physical security threat levels. how severe the actual risk is for the but ultimately