Security and Resilience (Cyber and Physical)

Cybersecurity is an industry-government partnership

Public power utilities would do well to leverage their collective partnership with the federal government to create a more resilient and secure electric grid that is prepared for cyber threats.

In June 2016, the American Public Power Association entered into a cooperative agreement with the Department of Energy for a three-year program with total funding of $7.5 million to improve the cyber and physical security posture of public power utilities. We are in the final year of funding, but this is not where the story ends.

The Association is developing a sustainable cybersecurity program for our members by creating tools and resources, defining best practices, and conducting training to create awareness and build a strong defense. We collaborate closely with our federal government partners to identify threats and develop useful resources to mitigate cyber risks.

Navigating risk

With input from members, we created the Public Power Cybersecurity Scorecard — an online self-assessment tool. Based on the Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model, or C2M2, the scorecard gives utilities a starting point to address cyber risks.

The scorecard has proved to be a useful tool for utilities to understand the characteristics of mature cybersecurity programs, processes, and tools. Initial results indicate that the early adopters are moving past the scorecard’s foundational practices and on to a full C2M2 assessment.

The goal is for all public power utilities to conduct this foundational assessment. The scorecard gives utilities of all sizes — even those with limited staff and resources — the capability to understand and improve their cybersecurity. This knowledge is essential to enhance grid security.

The Association is also developing a Cybersecurity Roadmap to Success. An advisory group of public power utilities has been established to identify how to address gaps revealed by the Cybersecurity Scorecard. The roadmap will provide strategies and tactics for public power utilities to make their systems cyber resilient. It will include templates for policies and procedures, incident response case studies, asset tracking methodologies, a procurement guide, and metrics to track improvement of cyber maturity.

Tailored training

Early in the program we identified a need for cybersecurity training tailored to the public power community. So, we partnered with experts to develop public power-focused trainings for executives and information and operations technology professionals.

For executive management, the trainings offer the tools to understand cybersecurity and help develop the capability to mitigate risk, make sound decisions, and work with internal and external audiences. For IT/OT personnel, the training sessions review specific security domains and provide information on the latest tools to design and implement a comprehensive cybersecurity program.

We have taken these sessions on the road to engage with small-to-medium public power utilities that cannot justify the travel costs for national conferences. Regional associations and utilities with training facilities host these training sessions, so this learning opportunity can be provided to a broad cross-section of public power utilities.

A continued partnership

The Association is grateful for the financial support from DOE to accelerate cybersecurity in public power.

After the agreement period ends, we will continue to engage with our federal partners at the highest levels to advocate for cybersecurity solutions that are scalable for public power.

The Electricity Information Sharing and Analysis Center, or E-ISAC, continues to be our industry’s source for threat information sharing. The newly established Department of Homeland Security National Risk Management Center will serve as a focal point for federal cybersecurity resources.

Visit to access the full suite of resources available through our cooperative agreement.