Security and Resilience (Cyber and Physical)

Keeping public power protected from cyber attacks

The threat of cyber attacks on critical infrastructure is a hot topic in the news right now, but cybersecurity has been on the radar of the American Public Power Association for several years.

We recently conducted a series of “table top” exercises with public power utilities across the country to jump start discussions among members on cybersecurity issues. The consistent feedback we heard from these workshops is the need for more guidance, more training, and for additional resources to help address the evolving threats.

There are many players involved in our nation’s cybersecurity efforts, from the Department of Homeland Security and the Federal Bureau of Investigation to the National Institute of Standards and Technology, the Federal Trade Commission, the Federal Energy Regulatory Commission (which oversees the North American Electric Reliability Corporation), and the Nuclear Regulatory Commission. However, the Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability (OEDER) plays a unique role in informing, supporting, and guiding electric power grid cyber security efforts. DOE is the “sector specific agency” that the President has designated as the federal partner to work with the electric utility industry on cyber and physical security issues.  OEDER “gets” our industry and the challenges we face.  Among other things, OEDER helps to support the work of the Electricity Subsector Coordinating Council, a joint task force made up of electric utility industry CEOs and high-ranking federal officials who meet periodically to assess and address cyber and physical threats.

Another example of OEDER’s work is the three-year cooperative agreement inked with the Association last yearto help to improve the resiliency and cybersecurity infrastructure of public power utilities. This initiative is a large, complex multi-year project. The goal is to make it easier for public power utilities of all sizes to assess and improve their security posture, identify ways to meet their specific cybersecurity needs, and participate in efficient and effective cybersecurity information sharing.

With this critical support from DOE, the Association is developing and rolling out tools to allow public power utilities to evaluate their cybersecurity program capabilities and develop an actionable roadmap to improve their cyber postures. Specific tools being tested with pilot utilities include a streamlined version of the DOE’s Cybersecurity Capability Maturity Model for small utilities, evaluation of information sharing technology, and a detailed buyer’s guide of potential cybersecurity service providers.

Public power utilities serving as pilot participants are finding that these tools are helping them develop or bolster their cybersecurity programs and better communicate these complex topics to both internal and external stakeholders in terms these audiences can understand. As we look forward to year two of the cooperative agreement with DOE, we’re eager to share the tools and guidance we developed with a wider group of public power utilities and to get your feedback on how we can continue to refine and develop these materials to be most useful to you.

As congress prepares this year’s appropriations bill, we want to be sure appropriators recognize that DOE is the electric utility industry’s prime government partner in addressing cybersecurity. Recent reports of cyber attacks on nuclear power plants and grid operation system manufacturers should underscore the importance of  keeping OEDER’s dedicated focus on electric grid security and reliability.

We are also hopeful that the bill will allow our cooperative agreement with DOE to continue through its third year so we can continue to support public power utilities as they address increasing cyber threats. Rather than getting distracted by the headline du jour, we all need to buckle down and do the hard work of improving our cybersecurity postures and defenses every day.