The American Public Power Association has released a Cybersecurity Scorecard, a free tool to help public power utilities assess cybersecurity risks and shore up their defenses. The Association has developed the scorecard under a cooperative agreement with the Department of Energy.
“Cybersecurity is critical for every electric utility, large or small. No one is immune from attack,” said Nathan Mitchell, Senior Director of Electric Reliability Standards and Security for the American Public Power Association. “However, utilities with limited resources need not feel overwhelmed. Cybersecurity is manageable when you have a plan and process in place,” he added.
Based on the DOE’s Electricity Subsector Cybersecurity Capability Maturity Model, the scorecard — at a basic level — allows public power utilities to start assessing their cybersecurity risks and vulnerabilities by completing a self-assessment comprising 14 questions. Based on their score, utilities get customized recommendations which they can use to build a cybersecurity action plan. Utilities that wish to use the scorecard at advanced levels will eventually be able to get in-depth third-party assessments and a roadmap to improve their cybersecurity.
“We designed the Cybersecurity Scorecard to help build a culture of cybersecurity at every utility,” explained Mitchell.
The Association piloted the Cybersecurity Scorecard in 2017 and early 2018. Some member utilities used the scorecard and provided feedback to help refine the product.
Chad Schow, IT Manager/Security Officer for Franklin Public Utility District in Pasco, Washington, said, “Using the scorecard, I’ve been able to make a business case for a cybersecurity program and meet my initial objective: establishing a cybersecurity team. Creating awareness around cybersecurity is our challenge. In the future, it will be a strategic priority for our district, and the scorecard will be a key enabler in reminding stakeholders where we stand and where we still need to go.”