Cybersecurity Summit

Monday, May 8

Pre-Summit Seminar

Please note you may only choose one of the following events, the pre-summit seminar or the tour, to register for as they take place concurrently.

8 am – 4 pm

DOE CyberStrike Workshop^FREE!
Get a hands-on, simulated demonstration of a cyberattack, drawing from elements of the 2015 and 2016 cyber incidents in Ukraine, but on the industrial control equipment you routinely encounter. This workshop, developed by the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, in collaboration with the Idaho National Laboratory, prepares critical energy sector owners and industrial control systems operators in the U.S. to respond to a cyber incident. The training involves a series of exercises that challenge participants to defend against a cyberattack using equipment they routinely encounter within operational technology networks. 

For entities interested in participating, it is encouraged that those who have separate IT and OT personnel to have at least one of each participate in the exercise if possible.

This event is only open to direct employees of electric utilities, joint action agencies, or state/regional associations; no outside counsel, consultants, or vendors may attend. Pre-registration required; limited to 50 people.

2 – 5 pm 

NREL Tour^FREE!
NREL’s Advanced Research on Energy Systems Cyber Range allows researchers to replicate cybersecurity scenarios as they would occur on real, complex energy systems. With supercomputing and advanced emulation capabilities, the cyber range makes it possible to build digital twins of real systems and connect the emulated environment to physical devices throughout NREL’s laboratories. NREL is building a new Energy Security Resilience Laboratory, which will be the lab’s operating center for secure and resilient energy systems. The new lab will provide a space for partners to visualize, emulate, and validate their solutions with the full power of ESIF assets and the limitless scale of virtual environments.

**NOTE**Bus will depart from the hotel at 1:30 pm MDT. Pre-registration required; limited to 25 people.

Tuesday, May 9

7:30 – 8:15 am 

Registration and Coffee

8:15 – 8:30 am

Welcome and Introductions

8:30 – 9:45 am 

Understanding the Changing Threat Landscape
Receive a briefing on the threat landscape for the electric sector as a whole and specific concerns facing public power entities. Get an inside perspective from the organizations seeing and analyzing the volume of threats against the industry, including representatives from the Multi-State Information Sharing and Analysis Center, Electricity Information Sharing and Analysis Center, and the Federal Bureau of Investigation (invited).

Casey Cannon, Analyst, Cyber Threat Intelligence, MS-ISAC; Tyler Tiller, ETAC Security Advisor, E-ISAC

9:45 – 10 am

Break with Sponsors

Choosing a Cybersecurity Framework 
Behind every successful cybersecurity program is a framework. However, there are dozens of models and standards to consider, as well as potential regulations. Get clear and useful guidance for navigating the maze of cybersecurity frameworks, from an overview of which frameworks are out there, which risks and environments each is designed to cover, and pros and cons of different selections. Discuss how to assess whether a multi-framework environment would be right for you, and how to get maximum value out of whichever path you choose.  

Eric Cardwell, Vice President, Professional Services, and John Fry, Director Cyber Risk Engineering, Axio 

11 – 11:15 am

Break with Sponsors

Exploring Options for Exercises and Cyber Incident Response 
A key piece of cyber incident response planning is exercising. There is value in participating in the large national exercises as well as smaller tabletop or regional exercises — not only to be prepared in the event of an incident, but also to forge relationships with other entities who can help. Learn more about how one utility partnered with the National Guard on a cyber exercise and how you can engage with your local unit for a similar activity, or leverage their resources to create your own exercise.  

Tim Pospisil, Nebraska Public Power District
 

12:30 am – 1:45 pm 

Sponsored Lunch with Exhibitors

1:45 – 3 pm 

Defending Against Ransomware
Ransomware strategies and mechanisms are ever evolving, but a constant threat. Get insight into the latest ploys of recent threats and review the steps you should consider taking to protect your community and employees. Discuss what problems you may encounter following an attack and how to respond and repair the systems and customer relationships affected by any attack.

Che Bhatia, Managing Director, Aon Cyber Solutions; Phil Kealy, Senior Consulting Leader – Incident Response, Mandiant, a Google Cloud company; Hafid Elabdellaoui, Oracle, VP, Cybersecurity – Oracle Energy and Water

3 – 3:30 pm

Break with Sponsors 

3:30 – 4:30 pm 

Zero Trust and the Smart Grid: Where Two Architectures Intersect
Get an introduction to two concepts established by the National Institute of Standards and Technology: Zero Trust Architecture and Guidelines for Smart Grid Cybersecurity. Understand the suggested strategy behind these concepts and learn how to integrate the practices into your cybersecurity program. Focus on how integrating these elements affects various roles and responsibilities, training and awareness protocols, and technical guidelines at public power utilities.

Jason Vigh, Principal Consultant – Industrial Cybersecurity, 1898 & Co., part of Burns & McDonnell 

Wednesday, May 10

7:30 – 8:30 am

Networking and Coffee

8:15 – 9 am

Managing the Nuances of IT/OT
It is challenging for IT and OT groups to secure their respective environments. In public power, this challenge is often compounded by differing views on how to apply cybersecurity policies and principles between the utility and its associated municipality. Learn how IT and OT groups can align with a common framework based while ensuring that the unique characteristics of each environment are addressed. Hear about ways to design and implement such a program, including governance, best practices, and procedures.

Doug Westlund, Senior Vice President and Principal Consultant, AESI-US, Inc.

9 – 9:15 am

Break with Sponsors 

9:15 – 10:15 am 

Mitigating Supply Chain Risk
Your vendors are not just providing a service or product, they are either partners or liabilities in your risk management program. Review how to adequately assess new vendors and mitigate the cybersecurity risk they pose to your organization, regardless of your size, including what tools can help you in the vetting and contracting process. 

Chris Poulin, Deputy CTO, Director of Technology and Strategy, BitSight; and Dave Sonheim, Chief of Cybersecurity - Supervisor Region 8, U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency

10:15 – 10:30 am

10:30 – 11:30 am

Getting Management and Board Buy-In
An effective cybersecurity program requires significant support in the form of time and money. Securing the necessary resources requires being able to effectively communicate the importance of the activities, systems, and supports to utility leaders and governing boards. Review strategies for making the case for investing in your cybersecurity program and discuss what resources utilities need to be successful.

Michael Fish, Senior Director, Cyber Security, Salt River Project, Phoenix, Arizona; Jared Price, Chief Information Officer, American Municipal Power, Inc. 

10:30 – 11:30 am

Your Cybersecurity Toolbox
Investing in cybersecurity isn’t all about having a robust budget for the latest gadgets — there are numerous low-cost or no-cost tools and resources available. Explore the various resources public power professionals can use to improve your cybersecurity posture and how you can utilize them.

Richard Condello, Utility Cybersecurity Deployment Manager, American Public Power Association; Cynthia Hsu, IT Cybersecurity Specialist, Office of Cybersecurity, Energy Security and Emergency Response, U.S. Department Energy; and Dustin Thorne, Cyber Security Manager, Lincoln Electric System, Nebraska

12:30 pm

10:30 – 11:30 am

Cyber Defense Community Meeting (includes a working lunch)
The monthly gathering of the Cybersecurity Defense Community, which provides input and feedback on APPA’s cybersecurity programs, cooperative agreements, cyber mutual aid, and publications and discusses industry/government cybersecurity proposals.

This meeting is limited to CDC members only. Eligible members interested in joining the CDC may reach out to [email protected] for more information.  

Before April 14

After April 14

Member

$845

$945

Nonmember

$1,690

$1,790

Number of registrants

Discount
(per person)

1-4

n/a

5-9

$50

10-14

$100

15-24

$150