As grid security and risk management receive increasing focus within utilities, so has the recognition grown that security is everyone’s job at a utility, not just that of a few specialists. Building a culture that places security at the forefront doesn’t happen overnight. It requires investment in hardware and software that enhance a utility’s infrastructure and in staff training that keeps its people current on the latest policies and best practices.

Particularly for cybersecurity, where the types of threats to utilities continue to evolve and expand, constant vigilance from every level is essential. Reuters reported last autumn that the number of cyberattacks on U.S. utilities in 2024 was 70% higher than the number of attacks for the same months – January through August – in 2023. 

The American Public Power Association has resources to increase proficiency and program maturity for utilities at any level of security readiness. Here’s a look at how two organizations are amping up protection of public power, from within and in helping other utilities boost their security posture. 
 

Adding the Right Tools

Along with operating a 250-mile canal system that irrigates 150,000 acres of farmland, Turlock Irrigation District in California provides power to 240,000 people within a 662-square-mile area. TID has provided electricity to its region for over a century and was the first irrigation district in the state when it began operations in 1887. 

Despite its long history, TID did not have a dedicated IT security department until 2024, when the public power utility engaged with APPA’s Cyber Pathways program, a four-year effort with the Department of Energy to help utilities enhance their preparedness and to thwart bad actors.

Photo: William Wescott (left) and Evan Sousa (right) at the Turlock Irrigation District. Photo courtesy Turlock Irrigation District.

Part of the grant covered hardware that would strengthen the utility’s operational technology by providing more insight through monitoring capabilities, said William Wescott, IT security manager for TID. He and his colleague, Evan Sousa, are the two employees on the IT security team, and they have initially focused on protecting systems with technology and empowering others in the utility to help safeguard assets.

“We’ve added intrusion detection systems and a hard perimeter of firewalls,” said Sousa, TID’s security analyst. Cybersecurity intrusion detection systems monitor IT and OT systems for malicious activity and policy violations that could introduce risk. They track traffic and detect anomalies that may signal problems, such as unexpected commands or devices communicating at odd hours. Many also send alerts when known threats are detected, such as phishing or malware. 

“These solutions give Evan and me the ability to train technicians who work in the field to help us monitor their assets,” Wescott said. The systems also have automated alerts. “Let’s say it was a denial-of-service attack,” he continued. “As soon as we start getting targeted by a specific identity and it meets a certain threshold, Evan and I will receive the notification and we’ll work with the asset owners to remediate the threat.”
 

Building the Basics

While larger public power entities like TID have dedicated staff focused on security, small utilities often have people wearing multiple hats who must handle this responsibility along with other important roles.

Energy Northwest, a joint operating agency serving 29 utility districts and municipalities in Washington state, used a grant from APPA’s Demonstration of Energy and Efficiency Developments program to support the creation of a modularized training program, Tailored Cybersecurity Training for Utilities. The training is a comprehensive set of materials that includes on-demand educational content, customizable templates, and opportunities for peer collaboration via virtual roundtables.

The templates give utilities with little cybersecurity expertise in-house a way to get started. They cover a wide variety of topics, procedures, and policies utilities can implement, and many have a short training video to explain how to use them.

Among the subjects covered is account management, which addresses how and when staff members of the utility can access and operate certain equipment. “You don’t want to give every new employee access to everything,” said Josh Watt, who worked as a project manager on the training initiative. (Watt left Energy Northwest in October 2025.) “You want to make sure that the access is specific to a person’s role and on a need-to-know basis. You also want to make sure that when people leave the organization, you remove their security clearance. It’s a matter of managing your user accounts with a mindset of risk and least privilege.”

Another template covers incident response. The template walks people through steps to take when a security threat occurs and how to document the activity. Watt called this template a how-to that outlines the process of “containing what happened, fixing it, and making sure it doesn’t happen again.”

Clean desk audits are offered in template form, too, and these cover much more than passwords on sticky notes tucked under an employee's keyboard. Energy Northwest experts have helped member utilities shore up cybersecurity programs with clean desk audits in the past, so Watt and his team had plenty of background in template writing. 

He said clean desk audits generally occur at night, after everyone leaves. “You look for things like unlocked doors, unlocked key boxes, and unlocked gates,” he said. After the nighttime review, the Energy Northwest team goes back during work hours and looks for things like sensitive documents left unattended on desks. The templates contain checklists of things to look for, giving security newcomers an easy-to-follow guide. 

The materials, podcasts, and videos create what Watt called “a kickstart for some utility that doesn’t already have a cybersecurity program in place.” He added, “It's not a comprehensive cybersecurity program, but for a small utility that is looking to create the program, to put some policies in place, it would help.” Larger organizations could likely benefit, too, because the materials offer a fresh look at policies and approaches from experts in the field. All of these materials are available to DEED members in the DEED Project Library.
 

Training the Team

Most experts agree that the weakest link in cybersecurity isn’t the hardware or software; it’s the people running the machines. Energy Northwest has offered phishing exercises and other training tools to its member utilities. TID is using training from the SANS Institute for the 10% of employees who receive NERC-CIP instruction, and it uses a combination of homegrown and purchased modules for all other employees.

“All our users in the district receive the same annual training, regardless of title,” Sousa said. “From the general manager to technicians, analysts, engineers — everyone — it’s all the same.” 

The approach is computer-based, filled with quizzes and somewhat gamified. “Everyone has email, so we try to focus on the most common surface attack vector,” he added. For instance, the team has a module on social engineering phishing, a type of attack that uses social ties (such as posing as a trusted entity like a bank or the company IT department) along with manipulation or lies to trick people into revealing information or clicking links that lead to things like malware downloads.

“We’re also doing a USB watering hole test,” Wescott said. “We go around the district and set a USB somewhere to see if individuals are plugging those in. A lot of our users are skeptical when they find something like that. They’re reaching out to our help desk or asking IT to review it before they plug it into anything. Our process is working.”
 

Expanding Protection

Cybersecurity isn’t the only type of security that utilities must manage. “It’s essential our workers understand the physical threat, not just the cyber,” Wescott said. “Our utility has a lot of remote sites, and if an individual were to break in and gain access to some of the computer systems at a remote site, they could be on our operational technology network.”

Explaining the difference between IT and OT systems is part of the utility’s security training, Sousa said. He added that employees can unknowingly create exposure by plugging a laptop into the OT side or transferring data from one side to the other. “IT devices are configured to stay on their network. If an employee uses that same device to traverse the OT side, that could introduce unwanted risks,” he explained.

Another issue is added protection for aging equipment. The Energy Northwest team covered this in its training materials, noting that legacy operational technology and aging infrastructure face elevated security risks. 

Watt pointed to the patches and updates that software and cell phone makers regularly issue for their products to shore up weaknesses and block threats. “Typically, they put out patches to service their largest user base, which is generally their most up-to-date products. If you are behind on software or technology, you could be subject to vulnerabilities,” he said, adding that attackers “look for older technologies and older computer languages out there because they know that they may not be patched.”

If keeping systems up to date and patched isn’t an option, another fix is putting current firewalls in front of the legacy systems, Watt said. Data diodes are an option, too. A data diode is a device that enforces one-way communication between two networks. Diodes allow things like logs and alarms to be exported to IT systems for analytics and monitoring while preventing malware from getting into an OT network.

A final note on expanding protection is this: Get involved in the cybersecurity community. 

Watt noted that annual conferences and other meetings are valuable, but he added that the program’s monthly roundtables kept information flowing.

“Technology changes day to day. Getting people together to talk through threats that are coming out, what they’re seeing, and how they’re handling it is the biggest benefit of this entire program.”
