Cybersecurity and Physical Security

Engaging management in cybersecurity

Power companies can’t afford to ignore cybersecurity. Unfortunately, convincing top management to focus on cybersecurity can be a challenge—particularly in smaller organizations that are starting a cybersecurity program from ground zero.

As the security officer for Franklin Public Utility District in Washington, I knew we needed a cybersecurity framework. I wanted something that was appropriate for a small organization starting with nothing, and would give us a path forward using best practices.

Being small doesn’t mean we get a pass on cybersecurity. If we’re going to meet our long-term goal—a strong cyber security program—then we need buy-in from upper management to ensure we will have adequate resources to support the program.

Using a framework that provides an objective benchmark, like the Public Power Cybersecurity Scorecard, can help.

The scorecard is based off of the Cybersecurity Capability Maturity Model (C2M2), which was developed by the U.S. Department of Energy to help power companies measure their cybersecurity capabilities. The C2M2 provides three maturity indicator levels (MILs) that are intended to describe an organization’s operational and risk management capabilities. A few colleagues and I attended a C2M2 workshop with the hope that by identifying our current maturity level, we could make a case for the resources needed to develop a cybersecurity program to upper management.

It took us nearly two days to complete the C2M2 assessment. As an organization that doesn’t have a full-time cybersecurity team, we found the C2M2 assessment to be incredibly resource-consuming and using the associated Excel toolkits to be painful. We felt frustrated spending the time and resources answering ‘not implemented’ to hundreds of questions.

Despite this experience, I knew the C2M2 had value and welcomed the opportunity to work with the American Public Power Association to develop the Public Power Cybersecurity Scorecard.

The scorecard is a more approachable assessment for smaller utility companies like Franklin PUD. The scorecard distills 51 practices for the first level of maturity in C2M2 into 14 questions that can be answered online by a single individual in less than 30 minutes.

After completing the scorecard questions online, a dashboard provides a snapshot of your assessment results, a target score, and highlights areas for improvement. You can compare your utility’s assessment to public power-specific benchmarks for organizations of your size.

Management doesn’t want to get into details. They just want to know how we’re doing. And that’s the value we saw from the scorecard online platform – being able to get a simple visual of our cyber maturity compared to our peers.

Using the scorecard, I’ve been able to make a business case for a cybersecurity program and meet my initial objective: establishing a cybersecurity team. The team, consisting of a handful of individuals from other departments, meets weekly. Our efforts are guided by the scorecard results. I’m proud to say that within less than a year, we reached MIL 1 – the initial level of maturity as identified by C2M2. We are no longer at “not implemented.”

My next step is to meet with the leadership team and commissioners on a quarterly basis to give them updates on our progress and future objectives. Creating awareness around cybersecurity is our challenge. In the future it will be a strategic priority for our district, and the scorecard will be a key enabler in reminding stakeholders where we stand and where we still need to go.

Take the scorecard assessment for your utility at