Public Power Magazine

Sponsored Advertising Feature
Cybersecurity: Start with a Strategy

From the July-August 2017 issue (Vol. 75, No. 4) of Public Power

Originally published July 1, 2017

By Elisa Wood
Contributing writer
July 1, 2017

 The recent WannaCry ransomware attack that crippled hospitals and other critical systems in 150 nations offers a fresh reminder of the importance of cybersecurity.

While large corporations can muster defensive cyber resources, how can public power utilities protect themselves, especially if they have little in-house expertise and constrained budgets?

It turns out they can accomplish a lot, as Steve Spano, president and chief operating officer of the nonprofit Center for Internet Security explains in the following Q&A. A retired U.S. Air Force brigadier general, Spano has worked in cybersecurity for three decades, first for the Department of Defense, and later at Amazon as general manager of defense and national security.

Q: How real is the cybersecurity threat to electric utilities?

A: Terrorists want a big PR return. The critical infrastructure that lets utilities provide broad support to the masses makes them lucrative targets. Public power utilities’ critical infrastructure can be a target because an attack has a cascading effect. Even small utilities are not immune from threats.

Q: Where do the threats come from? Is it mostly nation-states?

A: It’s not just from nation-states. There are thrill seekers, and those that want to make money — through ransomware attacks, for example — or the hacktivists who want to wreak havoc because they have an axe to grind. There are plenty of them out there. And they don’t need to be too technically savvy. Twenty to 30 years ago you needed a high-tech background to pull off a cyberattack. But over the years, technology has grown so user-friendly, all that the hacker needs is a connection to the internet. Those are the types who, day to day, are working to infect systems with malware. They just spray with hopes that someone will click on an infected email attachment, link, or website.

Q: What mistakes might public power utilities make that leave their systems vulnerable?

A: Lack of strategy. Executives do nothing because they believe cybersecurity is too complex. They tend to push the technical piece down to IT. Start talking about IT and ransomware and most executives’ eyes begin to glaze over.

We need to bridge the gap from ‘tech to exec’ so executives can talk about cybersecurity in the boardroom with the same business perspective they use to dissect financials. They need to be able to ask the right questions. The role of the leader is to address the strategic part of technology — the risk.

Consider the big corporate security breaches that have occurred, like at Target for instance. At the time, they did not have a chief information security officer. They do now.

Q: What are common misconceptions about cybersecurity?

A: You can’t just buy something to fix it. Again, you need a strategy. What security framework will you adopt to guide you? A framework will drive you to metrics: How well are we doing? How are we measuring it? What’s our success?

These are not deep technical questions. These are broad top-level questions that any senior leader should ask to assess the risk of a cyber breach. Assessing risk is a layered strategic approach from the top level down.

Q: What is CIS and how can it help?

A: Security is an evolving problem. You need to have a compliance and security framework that’s going to guide your public power utility for all your back-end servers and mobility devices. CIS — the Center for Internet Security — is a non-profit funded in part by the Department of Homeland Security to provide services for local entities — including public power utilities — in all 50 states, six territories, local government entities, and all tribal nations.

We offer some important tools to help utilities maintain security readiness. We do this through our Multi-State Information Sharing and Analysis Center, or MS-ISAC. Membership is free to U.S. state, local, tribal and territorial government entities.

MS-ISAC basically analyzes cyber threat information from a variety of sources and shares this information with its members as needed. Our advisories include important information about threats, vulnerabilities, exploits, attacks, and compromises. MS-ISAC also provides members with weekly threat reports, monthly situational awareness reports, and a monthly webcast. MS-ISAC members can also schedule a conference call to discuss cyber threat concerns.

In addition, we offer Albert to member organizations who need help with network monitoring — basic security and intrusion protection.

Q: Albert? Is he your best cybersecurity expert?

A: Well, sort of. Albert is one of our most popular services. It’s a unique security system that monitors all the traffic coming into your network and then issues threat alerts. This allows our member organizations to respond quickly when their data may be at risk.

Albert offers round-the-clock, 24/7 monitoring of a computer network. The monitor sends alerts to CIS; CIS tells the client what is happening, what the threat is, and remedial measures to take. Albert also generates a report so clients can see what is going on and remediate the threat.

We encourage public power utilities to contact us for more information about how these services can help them. Check out our website:

Note: The American Public Power Association encourages public power utilities to also sign up for the free Electricity Information Sharing and Analysis Center portal run by the North American Electric Reliability Corporation. The E-ISAC portal monitors threats specific to the nation’s electric grid and sends alerts to all subscribed utilities. Sign up at


Be the first to rate this item!

Please Sign in to rate this.


  Sign in to add a comment

Digital Edition [PDF]


Delia Patterson, Acting Senior Vice President, Avocacy & Communications and General Counsel
Meena Dayak, Vice President, Integrated Media & Communications
Paul Ciampoli, News Director
Susan Partain, Senior Editor & Content Strategist
Jeannine Anderson, News Editor
Laura D’Alessandro, Editorial Consultant
Robert Thomas, Art Director
Sharon Winfield, Lead Designer, Digital & Print
Sam Gonzales, Director, Digital & Social Media
David Blaylock, Senior Manager, Integrated Media & Communications
Tobias Sellier, Director, Media Relations & Communications
Maria Valatkaite, Integrated Media & Communications Coordinator




Advertising for American Public Power Association publications is managed by Naylor, LLC.

Public Power (ISSN 0033-3654) is published six times a year by the American Public Power Association, 2451 Crystal Drive, Suite 1000, Arlington, VA 22202-4804. ©Copyright, 2017, American Public Power Association. Opinions expressed in articles are not necessarily policies of the association. For permission to reprint articles, contact Periodical postage paid in Arlington, VA, and additional mailing offices.