The American Public Power Association
September 4, 2018
- Designate a cybersecurity lead. This person can help to establish cybersecurity protocols and manage information sharing.
- Assess your risk. Evaluate your utility’s cyber risks, vulnerabilities, resiliency, and capabilities with a tool such as the Public Power Cybersecurity Scorecard.
- Train staff. Anyone with access to the utility’s systems should be regularly trained — and get refreshers — on cyber threats and protocols.
- Educate local officials. Provide pre-incident outreach and education to local government officials.
- Monitor your networks. If you don’t have this capacity internally, look into appointing a third-party vendor to continuously scan your networks and alert you when action is required.
- Enroll in the Electricity Information Sharing and Analysis Center. The E-ISAC is a free service that alerts you to threats and offers strategies to reduce vulnerabilities.
- Define an escalation protocol for cyber threats, including:
  - Levels of potential escalation.
  - Triggers for escalation.
  - When and how to notify and report threats.
  - When and how to involve top-level governance stakeholders.
  - How to report to state and federal government regulators and industry coordinating bodies.
  - What duties to delegate to staff.
- Report cyber threats appropriately. Let local government officials know about cyber threats and incidents without exposing sensitive information to other sources.
Tips for sharing sensitive information
- Work with legal counsel to understand applicable federal, state, and local public meeting and sunshine laws.
- Share sensitive information in closed-door meetings, in locations such as an Emergency Operations Center, or in a small, public safety context.
- Identify elected officials and others with oversight roles with whom sensitive information can be safely shared.
- Assume any information provided in an executive session will end up in the media and the public domain.
- Make public comments only when they are backed by a strategic media plan and by public relations staff or consultants.
When in doubt, or in need of help, contact the American Public Power Association at Cybersecurity@PublicPower.org.