Responding to a recent report issued by Moody’s Investors Service, the American Public Power Association on Nov. 5 highlighted a variety of initiatives that APPA and public power utilities have undertaken to bolster cybersecurity.
In the Nov. 4 report, “Cybersecurity readiness depends on scale, business model and generation ownership,” Moody’s said that in order to see how well electric utilities are prepared to defend themselves from cyberattacks, it conducted a survey of global electric utilities and power companies from March through September of this year.
“The results reflect key differences across what is otherwise a largely homogeneous sector. All observations in this report are based on our survey results and do not represent a definitive assessment of cybersecurity readiness,” the rating agency noted.
Among other things, the report asserts that very large utilities exhibit better cyber governance, and risk management practices, than midsize and small utilities.
At the same time, Moody’s noted that not-for-profit utilities with total assets of less than $10 billion are more likely to have stand-alone cyber insurance “and derive greater coverage value from their policy than similarly sized, regulated peers.”
“Cybersecurity is a journey, not a destination and requires ongoing risk mitigation,” said Joy Ditto, President and CEO of APPA. “Public power utilities are constantly looking to up their grid security game and are doing so in a variety of ways,” she said.
“Every public power utility is different, and each takes a risk-based approach to grid security, which includes evaluating threats. They invest appropriately in personnel and measures to meet local needs and protect their varied assets and information,” she said.
Ditto noted that the Department of Energy (DOE) has recognized the importance of not-for-profit utilities investing in deploying solutions to cyber and cyber-physical threats. The DOE recently awarded $6 million to APPA to continue to develop operational technology (OT) solutions for its members.
In addition, many APPA members don’t have SCADA (industrial control) systems, which means that their OT systems are not susceptible to cyber-tampering.
Public power utilities also regularly exercise their incident response plans.
GridEx, which takes place every two years, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of messages and communication, identify lessons learned and engage senior leadership.
The 2019 GridEx, which occurred in November 2019, marked the fifth such exercise. Public power participation increased 47%, from GridEx IV in 2017 to GridEx V.
APPA is encouraging its members to sign up for GridEx VI early and to participate, either as an active participant, or just to observe.
APPA’s RP3 survey includes questions about cybersecurity
In addition, APPA’s questions for its Reliable Public Power Provider (RP3) program includes several that touch upon cybersecurity.
APPA’s RP3 program recognizes utilities that demonstrate high proficiency in reliability, safety, workforce development, and system improvement. Utilities keep the RP3 designation for three years.
Alex Hofmann, APPA's Vice President for Technical and Operations Services, noted that the RP3 questions on cybersecurity serve as a proxy for a comprehensive cybersecurity survey and are reviewed by the 18 member RP3 panel.
The 114 designated RP3 utilities in 2019 answered as follows to these cybersecurity-related questions:
- Does your utility have a policy or procedure in place that covers both cyber event prevention and cyber response in the event of a cyber security incident? (Yes = 98%)
- Has your utility trained all relevant employees in cyber security awareness? (Yes = 96%)
- Does your utility conduct periodic cyber security assessments of its system, including identifying risks and potential mitigation actions? (Yes = 96%). This assessment involves looking at all cyber security risks including identifying gaps in cybersecurity policies and procedures, appropriate preventative measures, and technical issues such as security gaps in network connected devices.
Definition of utilities
The report defines the following types of utilities as responding to the survey:
- Privately owned regulated electric and gas utilities and transmission networks
- Privately owned unregulated electric utilities and private power generators
- Electric cooperatives
- Municipal electric utilities
- Joint action agencies
- Municipal wholesale generation
“This breakdown and the associated dataset do not tell a clear picture for several reasons,” said Sam Rozenberg, APPA’s Director of Security and Resilience.
For example, he pointed out that some municipal utilities fall into the state-owned bucket and many public power electric utilities fall into the regulated bucket, including those that are required to comply with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements.
Meanwhile, Rozenberg pointed out that, when determining a cybersecurity posture, public power utilities use a risk-based approach and therefore threats are taken into account when it comes to cybersecurity.
“Throughout the report, the data presented is intermixed to show the picture that government-owned utilities are weaker, without mentioning the threat level difference between them and larger utilities,” he said.
Rozenberg also noted that the report is based on an international survey of 115 utilities, but said it is unclear how many of the nation’s more than 2,000 public power utilities participated.
While 71 of the 115 surveyed utilities are “American,” the universe of U.S. electric utilities is more than 3,000, he noted.