Cybersecurity is for small utilities, too, lawyer tells public power audience
Originally published November 13, 2013
Cybersecurity needs to be a concern for small utilities as well as big ones, attorney Meg McNaul told APPA's Legal Seminar in Seattle in late October.
Small utilities that are not part of the bulk electric system may be tempted to think they do not have to take action to protect themselves from cyber attacks, said McNaul, a partner with the law firm of Thompson Coburn LLP in Washington, D.C. They may have no "critical assets" or "critical cyber assets," as defined by federal regulators, and may not be subject to critical infrastructure protection (CIP) standards developed by the North American Electric Reliability Corp., she said.
Small utilities may think, "'No one is going to attack us,'" she said. Or, "'If something happened to our system, it would only impact us and not anyone else.'"
However, if there is an attack, there may be outages and equipment may be damaged, she said. If someone is hurt because of the outages or damage, those rationales may not "sound like a good reason for why you didn't do anything" to try to protect against an attack, she said.
Distribution systems for smaller utilities use many of the same technologies that are used by large utilities, but may not have adopted the same protections, McNaul said. Smaller systems may be targeted precisely because they are seen as being easier to exploit, she said. "That is a reason to at least address a known vulnerability."
A single, high-profile cyber attack affecting one or more distribution systems, if not managed effectively, is likely to spur further legislative and regulatory actions, such as mandatory requirements for distribution systems, McNaul said.
Small utilities do not have all the resources available to large ones, such as a team of cyber experts, she noted. The tendency might be to think, "This is an IT problem," she said, but managers need to get involved in cybersecurity.
"If you are not doing anything on cybersecurity, I would encourage you to take baby steps," she said. Have a discussion at your utility and determine the scope of your cyber protection plan. A framework, such as NERC's CIP standards, or the standards developed by the National Institute of Standards and Technology, can be very helpful, she said.
Once you have a plan, "communicate to employees and convey that this is something important," she said.
An excellent source of information is the Electricity Subsector Information Sharing and Analysis Center, operated by NERC, McNaul said.
"Join ES-ISAC," she said. "It's a good place to start learning about threats and how they can affect you."
Earlier that day, also at the Legal Seminar, APPA President and CEO Mark Crisson encouraged attendees to sign up to receive information from ES-ISAC, which provides advisories and alerts on real-time threats, vulnerabilities and plans for the electricity sector. A plan for cyber and physical security is a key element of a utility's risk management strategy, he said. (See Public Power Daily, Oct. 24.)