APPA offers three different cybersecurity courses through its Academy, including courses focused on cybersecurity fundamentals for public power utilities, cybersecurity training for management and boards, and intermediate-level training for IT/OT employees. A list of training options and contact information for APPA's Education department are available here.
In addition to these on-site training options, APPA often offers training courses at its annual Cybersecurity Summit, including the Cyber Strike workshop developed by Idaho National Laboratory.
This publication is designed to help utilities take the next step to improve their cybersecurity readiness based on identified needs and priorities in the Scorecard or other assessment tool. APPA has worked with a group of pilot members to develop the Cybersecurity Roadmap, which is available for download here.
Cyber Incident Response Playbook
The Public Power Cyber Incident Response Playbook walks through the steps and best practices a utility can follow in the event it experiences a cyber incident or attack. The Playbook can be downloaded here.
APPA maintains a Security listserv open to security cyber and physical security personnel at APPA member public power utilities. APPA security staff pass along curated alerts and invitations to webinars and security discussions from government partners and the list is open for peer discussion of threats and to share information and best practices. To join the listserv, please email [email protected].
Cybersecurity Defense Community
The Cybersecurity Defense Community (CDC) is APPA's working group on cybersecurity efforts, providing input on APPA cybersecurity resources, assisting with the planning of the Cybersecurity Summit, and advising APPA's work on its cybersecurity cooperative agreements. APPA is actively looking for new members at any maturity level to improve representation of the cybersecurity community at large. For more information or to join the CDC, please reach out to [email protected].
Axio360 for Public Power
The Axio360 for Public Power platform provides a convenient benchmarking tool for organizations to assess their IT and OT cybersecurity posture against the C2M2 framework, track tasks and action items for improvement, and access a real-time dashboard with assessment statistics. Pricing for this tool varies based on customer count and is available through the APPA product store here.
Information Sharing and Analysis Centers
The information sharing and analysis centers (ISACs) are central resources for receiving and sharing cybersecurity threat information within a sector. The public power community is served primarily by the Electricity Information Sharing and Analysis Center (E-ISAC) but APPA member utilities are also often eligible to join the Multi-State Information Sharing and Analysis Center (MS-ISAC) as well.
The E-ISAC keeps asset owners and operators informed about cyber and physical threats to the North American bulk power system through around-the-clock situational awareness and expert analysis. E-ISAC membership includes access to the secure online portal where members can voluntarily exchange information and receive access to the latest updates and alerts, including bulletins, white papers, webinars, and conferences. The E-ISAC is open to all electricity asset owners and operators and select government and cross-sector partners in North America. Joining the E-ISAC is free for eligible organizations, and users can request an account here.
The E-ISAC has published a one-page information sharing guide listing the types of information that should be shared with the ISAC and the best means of doing so. The guide is available here.
GridEx is a distributed play exercise that allows participants to remotely engage in a cyber and physical attack scenario on the North American electricity grid and other critical infrastructure. GridEx is run by the E-ISAC on a biennial basis with GridEx VI scheduled to be held on November 14-15, 2023. The exercise allows participants to demonstrate and practice how they would respond to and recover from a cyber and physical threat.
GridEx is open to electricity sector organizations but not the public or the media. Interested participants may sign up at the E-ISAC's website here.
The MS-ISAC is a voluntary effort developed designated by the Department of Homeland Security as the key resource for cyber threat prevention, protection, and response and recovery for state, local, tribal, and territorial (SLTT) governments. The MS-ISAC offers similar cybersecurity threat advisories, educational materials, and reports as the E-ISAC but is more focused on IT network monitoring and alerting. Membership is open to all SLTT government entities, including much of the public power community. Joining the MS-ISAC is free for eligible organizations, and users can request an account here.
Government agencies such as the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) have a variety of free cybersecurity resources available to private and public organizations.
The Cybersecurity Capability Maturity Model (C2M2) is a free self-assessment framework that enables organizations to measure the maturity of their cybersecurity capabilities. The current Version 2.1 assessment framework is available here. The C2M2 framework also serves as the basis of the Public Power Cybersecurity Scorecard, a self-assessment platform that allows organizations to measure their maturity against a range of security frameworks, compare results, and track progress over time.
CISA Cross-Sector Cybersecurity Performance Goals
In late 2022, CISA released the Cross-Sector Cybersecurity Performance Goals (CPGs), a set of voluntary baseline performance goals that are consistent across all critical infrastructure sectors. The CPGs are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure and especially help small- and medium-sized organizations kickstart their cybersecurity efforts. The CPGs supplement the NIST Cybersecurity Framework for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes. Additional information about the goals is available here.
CISA Services Catalog
The CISA Services Catalog is an interactive guide to all of the services CISA offers to public and private organizations and is designed to enable users to quickly filter and find applicable services. The Catalog is available here.
CISA Cyber Essentials
CISA's Cyber Essentials is a guide for small businesses as well as state and local governments to implement cybersecurity practices by developing a culture of cyber readiness. The Cyber Essentials are further explained in the Cyber Essentials Toolkits, a series of modules designed to break the six elements of a culture of cyber readiness into actionable steps for IT and senior management to implement. The Cyber Essentials can be found here.
CISA Cybersecurity Evaluation Tool
CISA has released the Cybersecurity Evaluation Tool (CSET), a free program that guides network defenders through a step-by-step process to evaluate their cybersecurity practices. CSET is applicable to both IT and OT networks and enables users to perform a comprehensive evaluation of their cybersecurity posture using many recognized government and industry standards and recommendations. CSET recently added a new Ransomware Readiness Assessment (RRA) based on a set of tiered practices to help organizations assess how well they are equipped to defend and recover from a ransomware incident. The tool is available from CISA's GitHub page here.
CISA Cybersecurity and Physical Security Convergence Guide
The Cyber and Physical Security Convergence Guide was developed to highlight the benefits of a holistic security strategy that aligns both physical security and cybersecurity functions with organizational priorities. It describes the risks associated with siloed security functions and provides a flexible framework for aligning security functions. The guide is available here.
The Federal Bureau of Investigation (FBI) has released a guide on the best way to develop a relationship with the local FBI office including an overview of the FBI's response capabilities against malicious actors. The FBI has also published a Victim Engagement Incident Response Checklist highlighting the types of information that are helpful to the FBI in investigating cybersecurity incidents.
The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), a repository of vulnerability management data including vulnerabilities, impact metrics, and misconfigurations. Vulnerabilities are given a severity score ranging from 1 (low) to 10 (critical) and additional information including links to mitigations are included. The NVD is available here.
US-CERT Vulnerability Database
The United States Computer Emergency Readiness Team (US-CERT), a organization within CISA, maintains a separate database of cybersecurity vulnerabilities and publishes threat alerts on a regular basis. The US-CERT database can be accessed here.
Email us to ask about other ways we can support your cybersecurity efforts and watch this page for more resources.
A variety of resources related to physical security can be found here.