TVPPA report:

This is the fifth article in a series that details some information in the Tennessee Valley Public Power Association’s assessment of the Holly Spring Electric Department, hereafter referred to as HSUD.

The report was issued in October.

Physical Security

A documented security policy, which included training, was not found, but security protocols could be discussed by employees.

Continuous fencing and walls acting as a security barrier around infrastructure was found to be present around substations and the warehouse was fenced.

Alarms and surveillance systems were found in the majority areas assessed. There were no alarms evidenced for protective purposes at substations.

Lighting appeared adequate and maintained around sensitive utility infrastructure.

Access cards and keys to company locks and doors appeared to be managed well for current and previous employees.

The company does require access cards for employees entering the main facilities. Visitors appeared to be identified as a routine practice at the main office entry to the main office.

Background checks of potential employees are supported by employee interviews. It was unsure how the results of background checks are used in concert with hiring practices. Additional screening of prospective employees for fiduciary positions were not evidenced during the assessment.

Cyber Security

HSUD’s cyber security is handled by Holly Springs Information Technology Department. Based on interviews, the city has no protocols in place for cyber security incidents, according to the report.

An inventory of critical cyber/information technology assets is maintained via the cyber asset tracking software. Cloud Security Alliance (CSA) handles cyber issues for HSUD in relation to Customer Information System and company emails. HSUD uses the city’s IT Department and CSA to monitor networks/assets for suspicious activities.

HSUD uses and relies on the city’s IT Department employee and on CSA to provide the methodology for information recovery and/or system performance.

Emergency contact information was not determined during the assessment to be in place for the Emergency contact information for cyber security incidents standard.

HSUD’s cyber security responsibilities are assigned to the city’s IT department director and staff.

A two-factor authentication was not evidenced during the assessment.

Membership in E-ISAC (Electricity-Information Sharing and Analysis Center) or a similar organization was not evidenced during the assessment.

EDITORS NOTE:Correction/ clarification: The South Reporter is clarifying a statement by Mayor Sharon Gipson printed in a front page article issued Dec. 7. Julia Wise, with the Tennessee Valley Authority, said TVA did not bill the Holly Springs Utility Department for $1,076,371 for work in the March and April storms or perform any work for those two months. Wise said TVA provided assistance with restoration work following the February storm but did not charge for the work. The figure cited could not be verified by TVA, Wise said.