Due to recent news coverage of a major cyber penetration of U.S. government agencies and corporations across the globe, cybersecurity is front and center for city governments and their municipal utility departments. Before reaching out to consultants prepared to help evaluate cyber vulnerabilities and design a protection program, each community-owned utility should gather a baseline of information about their cybersecurity status. This outline will help the utility and potential consultants focus more quickly on the issues to be addressed.
Answer These Cyber Status Questions First
By collecting the information below, utilities and city governments will be better prepared to begin discussions with external cybersecurity resources:
- Have you previously implemented a cybersecurity program?
- If yes, prepare a brief written summary.
- Are there multiple utilities in your municipal structure (e.g. electric, water, wastewater)?
- If yes, will your new cybersecurity program cover the delivery of all utility services?
- Will your new cybersecurity program cover all municipal departments—not just utility services?
- Will your cyber program be part of a broader Risk Management program?
- Have you/will you use a standards-based framework for your cybersecurity program?
- If yes, which one (g., National Institute of Standards and Technology (NIST) Cybersecurity Framework, North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)standards for bulk power system providers)
- Do you plan to evaluate your current technology architecture, policies, and controls according to industry guidelines?
- If yes, which one(s), e.g., NIST Cybersecurity Framework, Center for Internet Security (CIS) Controls, American Public Power Association Cybersecurity Scorecard?
- How would you rate your current cyber maturity (select one of the following that best describes your current status):
- Cybersecurity practices are not performed
- Cybersecurity practices are performed but may be ad hoc
- Cybersecurity practices are documented, roles and responsibilities are clearly established, adequate resources are provided to support the program, and standards or guidelines are used to guide implementation
- Cybersecurity practices are guided by policy and governance, practices are regularly reviewed for conformance, responsibilities and authorities are clearly established, and the personnel performing the practices have adequate skills and knowledge
- Have you implemented cybersecurity awareness training for your staff?
- Do you require assistance finding cybersecurity consulting support?
- If yes, learn about the cybersecurity solutions provided by Hometown Connections and its vendor partners.
Cybersecurity Consulting through Hometown Connections
As the services organization dedicated to enhancing the performance of community-owned utilities, Hometown Connections is supporting smaller systems lacking the resources to close their cybersecurity gaps. Its low-cost Cybersecurity Assessment identifies shortcomings in cyber defenses and helps utilities develop strategies to resolve them. Through an alliance network organized by Hometown Connections, qualified personnel at several joint action agencies conduct the assessments.
The Cybersecurity Assessment is one feature of the Hometown Connections Cybersecurity Management Program. Hometown is offering a comprehensive and cost-effective portfolio of cybersecurity solutions through a network of providers able to meet the cybersecurity needs of community-owned utilities and city governments.
AESI-US, Inc., a consulting services partner of Hometown Connections, provides the Cybersecurity Check Up service that includes a customized cybersecurity program survey; comprehensive review of policies, standards, and procedures; remote testing of high risk applications; and the full spectrum of cybersecurity services.
Marsh Wortham, the insurance partner of Hometown Connections, has developed a proprietary loss estimate calculator exclusively for members of the American Public Power Association. Marsh Wortham can input into its predictive model utility revenue and number of customers to estimate their cost of both a data breach (including ransomware) and business interruption loss following a cyber-attack. In addition, Marsh Wortham offers community-owned utilities innovative risk assurance options for breaches of customer and employee data and protects against risks not covered by property & casualty policies or TORT immunity statutes for municipal entities.
For More Information
To learn about the cybersecurity solutions available to community-owned utilities through Hometown Connections, send an email to firstname.lastname@example.org.