By Sue Kelly, President & CEO, American Public Power Association
If you’ve scanned the news lately, you’ve probably seen that cybersecurity is a hot topic — right up there with Ebola, immigration, and Taylor Swift’s dissing of Spotify. From financial institutions and credit card companies to retail outlets and the U.S. Postal Service, new threats — and safeguards — are evolving every day.
The electricity sector has long been aware of ever-present cyber and physical attack risks and the measures that must be put in place to safeguard our nation’s power grid against all forms of attack. This was very evident at the American Public Power Association’s first-ever Grid Security Summit that took place in early November in Arlington, Virginia.
The summit covered the gamut of grid security issues, from mutual aid to cybersecurity. There was great dialogue and exchange of information among attendees. Industry and government representatives gathered to discuss possible cyber and physical threats, natural or man-made, to our infrastructure and the best ways to tackle them together.
All of us who attended learned from each other and built upon our shared experiences to help the electric sector as a whole. One panel discussion featured representatives from investor-owned utilities, cooperative utilities, the Department of Energy, Department of Homeland Security, and, of course, public power utilities — talk about a public-private partnership!
If you run a utility, here are five important takeaways from the summit.
1. Information Sharing Legislation
Before the 113th Congress adjourns in December, APPA hopes the Senate will pass S. 2588, the Cybersecurity Information Sharing Act of 2014. The information sharing frameworks authorized in S. 2588 — and its companion bill HR 624, the Cyber Intelligence Sharing and Protection Act — will help utilities receive and exchange cyber threat information. Better information sharing will allow utilities to plan more comprehensively to defend against attacks and increase grid security.
2. Disaster Response and Mutual Aid
The summit attendees discussed the lessons learned from Superstorm Sandy in 2012, and how important it is for utilities to be prepared to respond to disasters and to have mutual aid arrangements in place — to get the lights back on as quickly as possible.
APPA has a new Public Power Mutual Aid Playbook to support public power utilities’ future disaster preparation and response efforts. Take this moment to download a copy of the playbook, review the procedures, and identify your regional network coordinators. And if you’re not already a member of APPA’s Mutual Aid Network, join today — email MutualAid@PublicPower.org.
3. Response and Mitigation Resources
There are many resources and activities that can help utilities combat security threats together. Two are especially important.
The Electricity Sector Information Sharing and Analysis Center (ES-ISAC) allows utilities to get early warnings about threats that others in the industry are seeing as well as updates from the Department of Homeland Security or other federal government departments. Utilities can also share threats they observe with the ES-ISAC, so the information can be broadcast to other utilities to put them on alert. Click here to join the ES-ISAC.
SpareConnect is a confidential, unified platform for the entire electric utility industry to communicate equipment needs in the event of an emergency or other non-routine failure. It provides decentralized access to points of contact at power companies so that, in an emergency, SpareConnect participants are able to connect quickly with other participants in affected voltage classes. To learn more and join, email firstname.lastname@example.org.
4. Who’s Who
ES-ISAC, ES-C2M2, ESCC, DOE, DHS, FEMA, SEWG, NIAC — it’s like alphabet soup. Who are the players in grid security? Who do you pay attention to? Who do you turn to when you need specific types of information, resources, or clearances? Start with an overview from our “Grid Security Who’s Who” infographic and then visit our Grid Security website in a couple of weeks for our Grid Security Dictionary, which will help clear up the various acronyms mentioned earlier.
5. Create a Culture of Security
Make grid security a part of your utility’s culture. Kevin Wailes, the Administrator & CEO of Lincoln Electric System in Nebraska and Vice Chair of the Electricity Subsector Coordinating Council, says we must give security as much importance as we give safety. Teach employees to think twice before opening an email from an unknown sender. Let them know it’s as important as reviewing safety procedures before working in potentially dangerous areas. Plan drills and exercises on security, so you’re prepared to respond quickly if a physical or cyber attack is attempted.
Has your utility already fostered a culture of security? Do you have other security best practices at your organization? Please share your experiences! Send me an email and let’s keep the conversation going on this important area.