The City of Piqua, Ohio, is dedicated to providing the highest level of service to its nearly 11,000 electric customers, applying regularly for the designation of Reliable Public Power Provider (RP3) by the American Public Power Association. Being recognized by the RP3 program demonstrates a utility’s commitment to excellence in reliability, safety, workforce development, and system improvement. To ensure best practice compliance within the cybersecurity portion of the RP3 application submitted in September 2020, the Piqua Power System hired the team from Hometown Connections, Inc., to perform a cybersecurity assessment.
Low-Cost Assessment Helps Small Utility Identify Cybersecurity Deficiencies, Priorities, Budget Needs
Currently, 274 of the nation’s more than 2,000 municipal utilities hold an RP3 designation. Piqua Power System is applying to renew its RP3 status for another three-year period, aiming to earn once again the Diamond Level designation, which is the program’s highest level of distinction. While there were physical and cybersecurity questions included in the early RP3 applications, the program expanded the cybersecurity portion in 2015 to make clear the urgent nature of cyber threats to municipal utilities large and small.
Ransomware Is Clear And Present Danger For All
It’s well documented that ransomware attacks on municipal governments are on the rise and can cost tens of millions of dollars to fix. Ransomware attacks infect computers with malicious software that is downloaded when users click on seemingly innocuous links in emails or website pop-ups. Users are left locked out of their systems, and a ransom is demanded to restore computer functions.
These are not big city problems. Ransomware attacks are a growing plague for cities of all sizes. But cyber threats aren’t limited to ransomware. In December 2020, the U.S. government discovered that Russian government hackers breached the Treasury and Commerce departments, other U.S. government agencies, and technology, telecom, and oil and gas companies all over the globe. At U.S. utilities, disgruntled former employees and other bad actors have accessed outage management, 911, text messaging, and other services to send fraudulent messages to customers. Insurance providers are looking more closely at the controls and recovery systems utilities and cities have in place, as they evaluate their level of cybersecurity risk and potential insurance coverage options. For utilities, operations technology (metering, SCADA, GIS, outage management, etc.) can have different cybersecurity requirements than IT security. But municipalities must establish a single framework that addresses managing cyber risk across the enterprise.
Cybersecurity Snapshot Is Step One
As the services organization dedicated to enhancing the performance of community-owned utilities, Hometown Connections is supporting smaller systems lacking the resources to close cybersecurity gaps. Its low-cost Cybersecurity Assessment identifies shortcomings in cyber defenses and helps utilities develop strategies to resolve them. Through an alliance network organized by Hometown Connections, qualified personnel at American Municipal Power (AMP) and other joint action agencies conduct the assessments to provide:
- Program Evaluation
  - Comparison of the client’s current technology architecture, policies, and controls with industry standard guidelines.
- Network Vulnerability Assessment
  - Using vulnerability scanning tools to look for weaknesses in information systems on the client’s network.
- Phishing & Incident Response
  - Using email security awareness tools to simulate phishing attacks and provide awareness training to staff.
  - Performing an incident response tabletop exercise.
- Detailed Recommendations on how to:
  - Address deficiencies
  - Prioritize action items
  - Budget for security improvements
- Report and Presentation
  - For governing board and utility/city staff
Cybersecurity Assessment For Piqua Power System
“Our goal has always been to be the best at what we do,” said Ed Krieger, Piqua Power System Director. “We employ best practices in everything we do. We were the first of AMP’s 135 members to achieve a perfect Diamond score for our RP3 certification. For our latest RP3 application, we sought external help to conduct a thorough cyber security assessment, identify weaknesses, allocate sufficient remediation resources, and develop a list of priorities with a timeline. I reached out to Branndon Kelley, AMP’s Senior Vice President of Technology & Chief Information Officer and a member of the Hometown Connections Board of Directors. He suggested we arrange for his staff to conduct Hometown’s Cybersecurity Assessment in time for our system to complete our RP3 application.”
For the Hometown Connections Cybersecurity Assessment, officials from the city and power system participated throughout the process. In earlier years, Piqua Power System had engaged other companies to provide cybersecurity evaluations, but those efforts were not nearly as extensive or as thorough as Hometown’s and didn’t provide such a thorough list of actionable items. Ed Krieger explained, “AMP’s Manager of Cybersecurity did an impressive job managing the project virtually due to COVID-19 restrictions. He organized a series of video calls with the city IT director and one of his support staff, me, my assistant director, and two IT/SCADA employees in the power system. We reviewed budgets, policies and procedures. We worked together in a methodical way through the CIS and APPA Scorecard frameworks, giving us concrete action items to work through.”
Krieger added, “We learned a lot from conducting phishing exercises, running through various attack scenarios, and reviewing our incident response plans. I really valued the vulnerability assessment, which gave us a prioritized list of several hundred items for the city and the power system to address. The comprehensive list includes everything from identifying outdated operating systems and applications to smaller, easily corrected items, such as turning off the Wi-Fi signal of a networked printer.”
Krieger acknowledges the advantage of having utility and city officials participate in the cybersecurity assessment. “It was enormously valuable for city and utility staff to work on this together,” Krieger said. “Every stakeholder participated in every video call. We didn’t need to wait for someone to get back to us with information. We had immediate access to the data and details to complete the cyber assessment.”
In terms of who conducted the assessment, Krieger took comfort in working with personnel from his joint action agency. “With AMP owned by its members, we are all on the same team,” Krieger said. “We were 100 percent comfortable exposing our vulnerabilities to the AMP staff and relying on them to help us move forward. When they presented their findings and report to key staff within the City, we trusted them.”
“This is not for the faint of heart,” Krieger noted. “As utility managers we are comfortable with the technologies needed to operate our systems, but cybersecurity compliance is much more difficult to get your arms around. It takes patience to sit through five or six calls that last an hour each, answering hundreds of detailed questions. But today’s cyber threats require our attention each and every day. The Hometown Connections Cybersecurity Assessment provided a crystal clear snapshot of our defense posture, a prioritized list of action items based on industry standards and best practices, and an understanding of the personnel and budget resources we need for this effort. I highly recommend this process to my colleagues in public power. None of us have a moment to waste shoring up our cyber defenses.”