
Cybersecurity is for small utilities, too, lawyer tells public power audience

From the November 13, 2013 issue of Public Power Daily

Originally published November 13, 2013

By Jeannine Anderson
Cybersecurity needs to be a concern for small utilities as well as big ones, attorney Meg McNaul told APPA's Legal Seminar in Seattle in late October. 

Small utilities that are not part of the bulk electric system may be tempted to think they do not have to take action to protect themselves from cyber attacks, said McNaul, a partner with the law firm of Thompson Coburn LLP in Washington, D.C. They may have no "critical assets" or "critical cyber assets," as defined by federal regulators, and may not be subject to critical infrastructure protection (CIP) standards developed by the North American Electric Reliability Corp., she said.

Small utilities may think, "'No one is going to attack us,'" she said. Or, "'If something happened to our system, it would only impact us and not anyone else.'"  

However, if there is an attack, there may be outages and equipment may be damaged, she said. If someone is hurt because of the outages or damage, those rationales may not "sound like a good reason for why you didn't do anything" to try to protect against an attack, she said.

Distribution systems for smaller utilities use many of the same technologies that are used by large utilities, but may not have adopted the same protections, McNaul said. Smaller systems may be targeted precisely because they are seen as being easier to exploit, she said. "That is a reason to at least address a known vulnerability."

A single, high-profile cyber attack affecting one or more distribution systems, if not managed effectively, is likely to spur further legislative and regulatory actions, such as mandatory requirements for distribution systems, McNaul said.

Small utilities do not have all the resources available to large ones, such as a team of cyber experts, she noted. The tendency might be to think, "This is an IT problem," she said, but managers need to get involved in cybersecurity.

"If you are not doing anything on cybersecurity, I would encourage you to take baby steps," she said. Have a discussion at your utility and determine the scope of your cyber protection plan. A framework, such as NERC's CIP standards, or the standards developed by the National Institute of Standards and Technology, can be very helpful, she said.

Once you have a plan, "communicate to employees and convey that this is something important," she said. 

An excellent source of information is the Electricity Subsector Information Sharing and Analysis Center, operated by NERC, McNaul said. 

"Join ES-ISAC," she said. "It's a good place to start learning about threats and how they can affect you."

Earlier that day, also at the Legal Seminar, APPA President and CEO Mark Crisson encouraged attendees to sign up to receive information from ES-ISAC, which provides advisories and alerts on real-time threats, vulnerabilities and plans for the electricity sector. A plan for cyber and physical security is a key element of a utility's risk management strategy, he said. (See Public Power Daily, Oct. 24.) 


