As we saw throughout 2018, nation states continue to launch campaigns targeting the electricity sector and are looking for ways to access critical infrastructure. It is unlikely this threat will go away in 2019.
Indeed, the major bond rating agencies called out cybersecurity attacks as an increasing concern for public power in 2019.
Many public power utilities are working hard to keep their systems secure and well-monitored. However, with the start of the new year, now is a good time to take a fresh look at your practices and see where your utility stands and where you can strengthen your cybersecurity.
One way the American Public Power Association is helping make this task easier for you is through the Public Power Cybersecurity Scorecard, which we developed as part of the Association’s cooperative agreement with the Department of Energy.
The scorecard is more than an assessment tool. Utilities can assess their capabilities and make planned improvements through three stages. The scorecard is based on the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).
Our initial efforts focused on a tool to assess to what extent utilities are engaged in the Level 1 practices, which are considered the basic elements of any utility security program. During pilots and demonstrations, utilities without extensive security backgrounds were able to implement all Stage 1 scorecard practices in less than a year. Stage 2 introduces additional capabilities as a new public power “target profile” of the ES-C2M2, and Stage 3 allows utilities to identify and select their mature practices that go beyond the target profile.
Utilities have used the scorecard platform to:
- Establish the state of their cybersecurity program;
- Benchmark cybersecurity capabilities across internal business units or objectives and with other public power utilities;
- Guide cybersecurity program improvement;
- Share knowledge and best practices with peer public power utilities;
- Prioritize investments to improve cybersecurity; and
- Communicate targets and priorities to both internal and external stakeholders.
When we launched the scorecard in April 2018, we envisioned the online platform as a hub for Association members looking for training, improvement efforts, task tracking, and action items to guide their cybersecurity efforts to an improved state. The original goal was to engage 50 public power utilities to use the platform in 2018. In December 2018, more than 180 public power utilities were using the platform.
This year, we expect to use the platform to provide:
- Resources and information to utilities on cybersecurity program development, risk management, and supply chain management;
- Guidance on cybersecurity workforce management, including recruitment and training insights, as well as guidance on how to leverage managed security providers;
- Templates for incident response documents, tabletop exercises, and training;
- Insights from onsite vulnerability assessments about best practices in logging and monitoring activities; and
- Training efforts on cybersecurity program and policy development, incident response, risk assessments, cybersecurity awareness, and information sharing.
If you have not tried the platform, I encourage you to use this service, which will continue to be available to you for free for the next year.
If you completed an initial self-assessment in 2018, why not take a fresh look and update your scores? The system is an easy way for you to set a target for 2019 and track your progress throughout the year.
The scorecard is designed specifically for small-to-medium-sized public power utilities that are just starting to evaluate their cybersecurity program. However, the scorecard platform can be useful for a utility of any size. The benefit of conducting a self-assessment is that it gives the utility a benchmark from which to start and track progress in addressing cyber risks.
As we enter the third year of the cooperative agreement between the Association and DOE, we appreciate any feedback on the scorecard and on any other features we can incorporate that would support you on your cybersecurity journey.