Originally published January 9, 2017
At the American Public Power Association, we are helping our member utilities develop and refine strategies to address cybersecurity threats. Earlier this year, we received funding from the U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems program to help improve the grid’s resiliency and the industry’s ability to respond quickly and effectively to threats.
Over the next three years, the Association plans to use DOE funding to develop security tools, educational resources, guidelines and training on strategies that public power utilities can use to cultivate an improved cyber and physical security culture. Beginning in January 2017, we will be hosting in-person learning sessions to hear about member needs.
We all need to do everything we can to prepare, defend, and recover quickly if we are hit. Every one of us in the industry, regardless of business model or sector, needs to do our part. And while cybersecurity is fairly new, security methods are not. Our CEO Sue Kelly recently offered up four tried and true rules we can all use to shore up security.
Rule #1: Be aware.
The first rule of cybersecurity for electric utilities is to understand the nature of cyberthreats and to acknowledge that no one is immune from attack. The enemy is often unknown, but the threats are widespread. Today, sophisticated cyber attacks are directed not just at government and military installations or the infrastructure of large utilities. Hackers are waiting to get in wherever there are chinks in the armor — even of small utilities.
Rule #2: Take responsibility.
Every utility — whether it serves 500 customers or 5 million — must take cyberthreats seriously and commit to shoring up defenses. We need to nurture a culture of security within our ranks. Every one of our employees, vendors, and other stakeholders must help take responsibility for grid security.
Rule #3: Be prepared.
Utilities must continuously assess cyber vulnerabilities and test defense strategies through tabletop and other exercises. We must play out the impacts of a potential cyberattack and devise response and recovery measures. And we must work with our allies, experts, vendors, government and industry partners — including law enforcement and communication channels — because we can’t do this alone. The industry is working to develop a cyber mutual assistance program that should be a big help to all of us.
Rule #4: Work as a team.
Cybersecurity is as complex as the electric grid itself, touching every distribution point and every generation source and transmission system. Therefore, we all need to work together. Whether it’s alerting others maintaining the grid to potential threats, reporting a breach, or sharing expertise among the ranks, we need to make sure we are speaking the same language as our industry and government partners. The Electricity Subsector Coordinating Council brings electric utilities and key federal agencies together to work on cyber and physical security issues. And the North American Electric Reliability Corporation’s Electric Sector Information and Analysis Center is a forum the industry can use to monitor threats, share information, and prepare for potential future attacks.