Security and Resilience (Cyber and Physical)

8 steps to cyber readiness for public power


infographic on cyber readiness

8 steps to cyber readiness for public power

  1. Designate a cybersecurity lead. This person can help to establish cybersecurity protocols and manage information sharing.
  2. Assess your risk. Evaluate your utility’s cyber risks, vulnerabilities, resiliency, and capabilities with a tool such as the Public Power Cybersecurity Scorecard.
  3. Train staff. Anyone with access to the utility’s systems should be regularly trained — and get refreshers — on cyber threats and protocols.
  4. Educate local officials. Provide pre-incident outreach and education to local government officials.
  5. Monitor your networks. If you don’t have this capacity internally, look into appointing a third-party vendor to continuously scan your networks and alert you when action is required.
  6. Enroll in the Electricity Information Sharing and Analysis Center. The E-ISAC is a free service that keeps you alerted of threats and offers strategies to reduce vulnerabilities.
  7. Define an escalation protocol for cyber threats, including:
    • Levels of potential escalation.
    • Triggers for escalation.
    • When and how to notify and report threats.
    • When and how to involve top-level governance stakeholders.
    • How to report to state and federal government regulators and industry coordinating bodies.
    • What duties to delegate to staff.
  8. Report cyber threats appropriately. Let local government officials know about cyber threats and incidents without exposing sensitive information to other sources.

Tips for sharing sensitive information

  • Work with legal counsel to understand applicable federal, state, and local public meeting and sunshine laws.
  • Share sensitive information in closed-door meetings, in locations such as an Emergency Operations Center, or in a small, public safety context.
  • Identify elected officials and others with oversight roles with whom sensitive information can be safely shared.
  • Assume any information provided in an executive session will end up in the media and the public domain.
  • Only make public comments backed by a strategic media plan, and public relations staff or consultants.


When in doubt, or in need of help, contact the American Public Power Association at [email protected]