Cybersecurity Resources

Association Resources

Cybersecurity Training

APPA offers three different cybersecurity courses through the APPA Academy, including courses focused on cybersecurity fundamentals for public power utilities, cybersecurity training for management and boards, and intermediate-level training for IT/OT employees. View the list of in-house training options and contact information.

In addition to these on-site training options, APPA often offers training courses at its Cybersecurity Summit, including the Cyber Strike workshop developed by Idaho National Laboratory. 

Cybersecurity Roadmap

The Public Power Cybersecurity Roadmap is designed to help utilities take the next step to improve their cybersecurity readiness based on identified needs and priorities in the scorecard or other assessment tool.

Cyber Incident Response Playbook

The Public Power Cyber Incident Response Playbook walks through the steps and best practices a utility can follow in the event it experiences a cyber incident or attack.

Security Community Group

APPA maintains a security community group open to cyber and physical security personnel at APPA member public power utilities. APPA security staff pass along curated alerts and invitations to webinars and security discussions from government partners, and the list is open for peer discussion of threats and for sharing information and best practices. Request to join the group on APPA Engage. Should you have any difficulties accessing the platform, please email [email protected].

Cybersecurity Defense Community

The Cybersecurity Defense Community (CDC) is APPA's working group on cybersecurity efforts, providing input on public power cybersecurity resources, assisting with the planning of the Cybersecurity Summit, and advising APPA's work on its cybersecurity cooperative agreements. APPA is actively looking for new members at any maturity level to improve representation of the cybersecurity community at large. For more information or to join the CDC, please reach out to [email protected].

Axio360 for Public Power

The Axio360 for Public Power platform provides a convenient benchmarking tool for organizations to assess their IT and OT cybersecurity posture against the C2M2 framework, track tasks and action items for improvement, and access a real-time dashboard with assessment statistics. Pricing for this tool varies based on customer count and is available through the APPA product store.

Information Sharing and Analysis Centers

The information sharing and analysis centers (ISACs) are central resources for receiving and sharing cybersecurity threat information within a sector. The public power community is served primarily by the Electricity Information Sharing and Analysis Center (E-ISAC), but APPA member utilities are often also eligible to join the Multi-State Information Sharing and Analysis Center (MS-ISAC).

E-ISAC

The E-ISAC keeps asset owners and operators informed about cyber and physical threats to the North American bulk power system through around-the-clock situational awareness and expert analysis. E-ISAC membership includes access to the secure online portal where members can voluntarily exchange information and receive access to the latest updates and alerts, including bulletins, white papers, webinars, and conferences. The E-ISAC is open to all electricity asset owners and operators and select government and cross-sector partners in North America. Joining the E-ISAC is free for eligible organizations, and users can request an account here.

The E-ISAC published a one-page information sharing guide listing the types of information that should be shared with the ISAC and the best means of doing so.

GridEx

GridEx is a distributed play exercise that allows participants to remotely engage in a cyber and physical attack scenario on the North American electricity grid and other critical infrastructure. GridEx is run by the E-ISAC on a biennial basis with GridEx VI scheduled to be held on November 14-15, 2023. The exercise allows participants to demonstrate and practice how they would respond to and recover from a cyber and physical threat.

GridEx is open to electricity sector organizations but not the public or the media. Interested participants may sign up at the E-ISAC's website.

MS-ISAC

The MS-ISAC is a voluntary effort designated by the Department of Homeland Security as the key resource for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments. The MS-ISAC offers cybersecurity threat advisories, educational materials, and reports similar to those of the E-ISAC but is more focused on IT network monitoring and alerting. Membership is open to all SLTT government entities, including much of the public power community. Joining the MS-ISAC is free for eligible organizations.

Government Resources

Government agencies such as the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) have a variety of free cybersecurity resources available to private and public organizations.

C2M2 Model

The Cybersecurity Capability Maturity Model (C2M2) is a free self-assessment framework that enables organizations to measure the maturity of their cybersecurity capabilities. The C2M2 framework also serves as the basis of the Public Power Cybersecurity Scorecard, a self-assessment platform that allows organizations to measure their maturity against a range of security frameworks, compare results, and track progress over time.

CISA Cross-Sector Cybersecurity Performance Goals

In late 2022, CISA released the Cross-Sector Cybersecurity Performance Goals (CPGs), a set of voluntary baseline performance goals that are consistent across all critical infrastructure sectors. The CPGs are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure and especially help small- and medium-sized organizations kickstart their cybersecurity efforts. The CPGs supplement the NIST Cybersecurity Framework for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes.

CISA Services Catalog

The CISA Services Catalog is an interactive guide to all of the services CISA offers to public and private organizations and is designed to enable users to quickly filter and find applicable services.

CISA Cyber Essentials

CISA's Cyber Essentials is a guide for small businesses as well as state and local governments to implement cybersecurity practices by developing a culture of cyber readiness. The Cyber Essentials are further explained in the Cyber Essentials Toolkits, a series of modules designed to break the six elements of a culture of cyber readiness into actionable steps for IT and senior management to implement.

CISA Cybersecurity Evaluation Tool

CISA released the Cybersecurity Evaluation Tool (CSET), a free program that guides network defenders through a step-by-step process to evaluate their cybersecurity practices. CSET is applicable to both IT and OT networks and enables users to perform a comprehensive evaluation of their cybersecurity posture using many recognized government and industry standards and recommendations. CSET recently added a new Ransomware Readiness Assessment (RRA) based on a set of tiered practices to help organizations assess how well they are equipped to defend against and recover from a ransomware incident.

CISA Cybersecurity and Physical Security Convergence Guide

The Cyber and Physical Security Convergence Guide was developed to highlight the benefits of a holistic security strategy that aligns both physical security and cybersecurity functions with organizational priorities. It describes the risks associated with siloed security functions and provides a flexible framework for aligning security functions.

FBI Resources

The Federal Bureau of Investigation released a guide on the best way to develop a relationship with the local FBI office including an overview of the FBI's response capabilities against malicious actors. The FBI also published a Victim Engagement Incident Response Checklist highlighting the types of information that are helpful to the FBI in investigating cybersecurity incidents.

NIST NVD

The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), a repository of vulnerability management data including vulnerabilities, impact metrics, and misconfigurations. Vulnerabilities are given a severity score ranging from 1 (low) to 10 (critical), and additional information, including links to mitigations, is included.

US-CERT Vulnerability Database

The United States Computer Emergency Readiness Team (US-CERT), an organization within CISA, maintains a separate database of cybersecurity vulnerabilities and publishes threat alerts on a regular basis.

More information

Email us to ask about other ways we can support your cybersecurity efforts and watch this page for more resources.

We also compiled a variety of resources related to physical security.