Cybersecurity for Energy Delivery Systems

Cyber and physical threats pose an ever-increasing threat to our businesses and communities. APPA is committed to helping the public power community improve their cybersecurity posture. As a part of this effort, in 2016 APPA entered into a 3-year cooperative agreement with the U.S. Department of Energy (DOE), providing APPA with up to $7.5 million to help public power utilities create stronger, more secure systems. This effort is known as the Cybersecurity for Energy Delivery Systems (CEDS) program.

View the video below for a brief introduction to the program.

Learn more about this program in our complete Project Management Plan.

Public power utilities, state associations, and joint action agencies can access the following resources and opportunities offered through this program.

Association members can access additional cybersecurity resources on our Cybersecurity and Preparedness page.

Assessment Tools and Training

The following tools and resources were developed to allow public power utilities to assess, benchmark, and improve their cybersecurity programs.

Cybersecurity Scorecard

This online self-assessment tool was developed to gauge your utility’s security posture. Based on the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), the scorecard provides a starting point to address cyber risks. To date, over 330 public power utilities have taken the scorecard, with many utilities filling out the scorecard more than once to benchmark their cybersecurity improvements over time. A 10-part webinar series was also held to provide a deep dive into different aspects of the Scorecard and is available on the Scorecard microsite below.

For more information, view an overview of the scorecard platform or email [email protected].

Get started with your assessment.

On-site Cybersecurity Assessments

APPA partnered with Burns & McDonnell to conduct onsite vulnerability assessments for the public power community and to integrate processes and technologies to alert public power utilities of threats and vulnerabilities in their cyber and physical systems. 22 utilities were selected from a pool of applicants to receive a cybersecurity assessment and were given an individualized report by Burns & McDonnell on the findings. A final report using anonymized data from the assessments was written to provide insight on the state of cybersecurity in the public power community. 

Cybersecurity Training and Exercises

Throughout the three years of the program, 26 training engagements were held reaching over 225 people in the public power community. Training was provided by a number of subject matter experts from AESI, Energetics, N-Dimension, EnergySec, and others. DOE also provided a Cyber Strike workshop developed by Idaho National Labs at several events.

Two new training courses were developed using CEDS agreement funding:

  • Municipal Cyber Academy: The Fundamentals of Cybersecurity is a three-day course that focuses on the Cybersecurity Scorecard and the elements of the ES-C2M2. This course was developed in partnership with Kansas Power Pool and Custom Internet Services.
  • Intermediate Cyber Training for IT/OT Employees is a 2-3 day course developed in partnership with Dragos covering various topics including risk-based mitigation strategies, developing security plans, and network monitoring and response.

These courses are available through APPA's in-house training catalog.

In addition to tabletop exercises held as part of these training engagements, an exercise was developed as part of the Cyber Incident Response Playbook and has been included as one of the scenarios in the updated Emergency Preparedness Tabletop Exercise in a Box.

Cybersecurity Summit

To expand member outreach, APPA has started hosting an annual Cybersecurity Summit, now in its third year. The summit welcomed over 150 attendees in its first year and over 200 in its second year, gather leading subject matter experts as well as other cybersecurity professionals and offer training and networking opportunities to attendees. These summits continue to be held annually. 

A series of three regional Cybersecurity Summits was held in the summer of 2019 to reach smaller members and allow them to network with neighboring utilities. These summits were held in Orlando, Florida; Kearney, Nebraska; and Anaheim, California. 

Technology Deployment and Services

Cybersecurity Technology Assistance Program

Through the Cybersecurity Technology Assistance Program, APPA offered an 80% cost-share to utilities looking to implement cybersecurity technologies on their networks. Utilities that are also a member of APPA's Demonstrations of Energy & Efficiency Developments (DEED) R&D program were eligible to receive the remaining 20% through a research grant.

Information Sharing

Sharing cyber and physical security threat information with other utilities and our federal partners is crucial for the stability of our nation’s electric grid. APPA encourages our members to sign up for both E-ISAC and MS-ISAC to share information with fellow utilities and municipalities.

APPA piloted a partnership with ArmorText to roll out a secure information sharing platform through which to disseminate and discuss threat information. Selected applicants received ArmorText licenses to roll out to their security teams to enable secure information sharing internally, with other utilities using the ArmorText platform, and the E-ISAC.

APPA is also piloting a new Weekly Situation Report, which collects vulnerability and threat alerts from multiple sources and distills them into actionable digests. These reports are issued weekly and are freely available to members who sign up for APPA's Security List or are federated with APPA on ArmorText. Public power utilities interested in receiving the Weekly Situation Reports can email [email protected] for more information.

Cyber Asset Tracker

APPA began work on a Cyber Asset Tracker for utilities to map their OT networks and track potential vulnerabilities. The tracker allows utilities to arrange their OT networks on a map of their service territory, keep track of tasks, and automatically checks equipment model information against vulnerability databases, generating lists of potential vulnerabilities when matching equipment is detected. This tracker will be offered as a service once complete.

Shared Cybersecurity Analyst

In September 2019, APPA partnered with Kansas Power Pool (KPP) and Custom Internet Services to hire a cybersecurity analyst who would be tasked with assisting KPP's members in identifying cybersecurity priorities and improving cybersecurity posture. Many of these small utilities lack a dedicated cybersecurity staff and this project was intended to assess the interest in and usefulness of a shared cybersecurity analyst to provide these services. After sixth months of providing services, KPP members identified cybersecurity as the most valuable services offered to membership.

eReliability Tracker Subsidies

The reliability of delivering electricity is influenced by the maturity of a utility’s security program. Small public power utilities were provided subsidized eReliability Tracker (eRT) subscriptions through the cooperative agreement. APPA’s eRT Team has also integrated an Interruption Cost Estimate (ICE) calculator with the eRT platform which allows public power utilities to estimate the costs associated with a given cyber or physical attack. 

Publications and Resources

A variety of publications were developed under the CEDS agreement with the goal of providing concise and actionable guidance to public power utilities looking to improve their cybersecurity posture. 

Cybersecurity Roadmap

This publication is designed to help utilities take the next step to improve their cybersecurity readiness based on identified needs and priorities in the Scorecard or other assessment tool. APPA has worked with a group of pilot members to develop the Cybersecurity Roadmap, which is available for download here.

Public Power Cyber Incident Response Playbook

The Public Power Cyber Incident Response Playbook walks through the steps and best practices a utility can follow in the event it experiences a cyber incident or attack. The Playbook can be downloaded here.

Cybersecurity Procurement Needs

The Managed Cybersecurity Service Providers for Electric Utilities guide was developed to provide the public power community with a directory of cybersecurity service providers to assist public power utilities in finding the right service provider for their identified needs. The report lists service providers as well as the services each vendor offers.

Joint Action Agency Cybersecurity Services Plan

The Joint Action Agency Cybersecurity Services Plan lays out a framework for JAAs to offer cybersecurity services to members, identifying which services are most efficiently provided at the utility, JAA, and national level. As many small and medium-sized utilities lack the resources to handle all cybersecurity tasks in-house, offering cybersecurity services at the JAA level allows these utilities access to support they may not otherwise have.

Information Sharing Reports

Two information sharing reports have been developed to guide utilities in sharing information between each other and with non-expert audiences.

The Cybersecurity Information Sharing Report lays out guidance on collecting event logs and how to securely share them with cybersecurity service providers, the E-ISAC, and other utilities. Sharing threat information is crucial to building a stronger cybersecurity posture within the public power community as it allows utilities to respond to the wider threat picture.

The Cybersecurity Information Engagement Plan outlines methods for sharing and discussing cybersecurity information with non-expert audiences, such as other utility staff, leadership, government partners, and other utilities. 

Cyber Resiliency and Security Videos

This series of short, actionable videos were created to help educate utility staff, first responders, city officials, and other community stakeholders about security issues related to the electrical system.

For downloadable versions of these videos, please contact [email protected].

Watch this video to learn more about basic cybersecurity “hygiene” to ensure that your utility is #CyberReady.

This video explains the four steps of the cybersecurity risk cycle that a public power utility can use to manage risk and be #CyberReady.

This video explains why sharing information between public power utilities is vital to improving the security of the grid.