A Public Power Perspective on Cybersecurity
Electricity is an essential element of every life powering homes, businesses and the national economy. In an increasingly digitized world, effectively managing cybersecurity has become critical to the reliability of the grid and the protection of data. While there are many forms of utility business models, public power systems often operate as part of a larger municipality, as a political subdivision of a state and frequently are formed to serve many smaller municipalities. Given these constructs and the realities of operating a public purpose business, the challenges can be unique.
Over the past fifteen or so years, the electric utility industry began moving to a more formal and regulated approach to the reliability and security of the grid. Reliability and security have always been the cornerstone of the industry, but management of the interconnected grid was maintained system by system with regional coordination. In 2007, the national electric reliability was established as a mandatory reliability and security organization to heighten the coordination of the nation’s interconnected bulk electrical networks and ensure best practice through a set of mandatory enforceable reliability standards.
Since that time, the industry, using the mandatory standards as the foundation, has built additional layers of voluntary best practice guidance and significantly expanded the focus on cybersecurity. As public power utilities, this required adaptations in our governance and communications to ensure that we maintained the public transparency and accountability balanced with the security of critical operational information and the reporting of identified risks. Active benchmarking also began to occur, industry coordination and collaboration with government increased and maturity models provided a roadmap to assess an organization’s cybersecurity readiness.
While cybersecurity readiness has grown significantly over the past several years, built upon this platform of mandatory and voluntary actions, the risks continue to evolve requiring continued engagement, assessment and timely actions to ensure that the security gains that have been achieved do not less effective over time. The recent pandemic-related increase in remote working is an example of a changing condition that introduces a new risk given the volume of data being exchanged via remote network access. Proprietary networks have given way to the internet of things with the promise that the number of connected and interactive devices will continue to grow over time.
Public power, like all utility business models, accept that core reliability is the price of entry in our industry and fundamental to everything we do. Cybersecurity has emerged as a significant risk that must be actively managed to ensure that reliability is maintained. We will continue to evolve our capabilities as new threats emerge, build upon our technical expertise and the expertise of the broader collaboration between industry and government and adapt our governance as public entities to ensure that we are secure, nimble and transparent.
–John Di Stasio, President, Large Public Power Council (LPPC)