News reports often like to paint a picture of electric utilities at the mercy of cyber adversaries who can plunge the nation into darkness with a few strokes on their keyboards.
The threats are often exaggerated. It’s not that easy to bring down the grid. As Michael Daniel said, “It’s not Hollywood.” Nevertheless, the danger of a cyber attack on critical infrastructure is ever-present. And we as distribution utilities appear to be prime portals for hackers to get into the grid.
Like every industry, utilities are seeing increasing activity from adversaries looking to access our customer data, expose sensitive information, and infiltrate financial networks. And as managers of critical infrastructure, utilities also must monitor activity related to our industrial control systems.
Cybersecurity is keeping many of your public power colleagues, and certainly both of us, up at night. However, we also know to look beyond the hype. We know that utilities have done and continue to do a lot of work to shore up their defenses and protect the grid. Similarly, we see the commitment from a variety of federal government and industry partners to prioritize the security of critical infrastructure. Government and industry coalitions are offering a variety of resources to help utilities stay informed of cyber threats and build the capacity to respond to them. This commitment is even reflected in the development of this issue of Public Power Magazine, which offers the perspectives of high-profile topic experts, including former national cybersecurity coordinator Michael Daniel, cybersecurity wavemaker Rob Lee, and longtime cyber authority Peter Morin.
We are especially grateful that support from the Department of Energy has made it possible for the Association to develop dedicated cybersecurity resources for public power, from reports and training programs to the Public Power Cybersecurity Scorecard.
Just as threats will not go away, neither will our increased attention to cybersecurity. Utilities need to create and internalize a culture of security, similar to the culture they have created for safety and reliability. Public power entities of all sizes and types must make cybersecurity an organization wide priority, if they are not doing so already. We need to stay informed on the latest practices and technologies — both the ones that can help us and those that can hurt us.
Cybersecurity is not just a business need; your customers also expect it. If we are to be our community’s trusted energy advisor, then we must put in the effort to ensure our systems are secure and our customers’ data is protected.
No matter what size utility you run, you are neither immune to these threats nor alone in fighting back. Utilities are at varying places on their cybersecurity journeys, and there is no one-size-fits-all approach to managing risk from cyber threats. However, we all we need to use a common language, and help our customers understand what constitutes an “attack” versus a “threat” versus an “incident.” This will not only help mitigate some of the media hype, but will also help us all better discuss these topics and focus on managing the biggest concerns. When we all speak the same language, we can better work together to address the common challenges we face.