Wednesday, January 06, 2016

Are Utilities In The US Ready For Cyber Attacks?

More often than not, it is necessary for me to let the information that comes to me rest for a period of time before I can write about it.  In this case, I’m sharing real examples that are now two years old.

On Monday, on my LinkedIn page, I shared a fresh article called:

One of the comments made in reference to this post reads like this:

“This is very scary. I wonder if the power distribution companies in the USA are considering this possibility?”

Utility A

I would like to say that this article was a shock to me.  It wasn’t a shock and here’s why.  A couple of years ago, I received a call from the top information security professional in a very large utility company.  He / She at the time was a Manager in title and the utility did not have a Chief Information Security Officer. 

This particular Manager came out of IT and had an Audit background rather than a deeply technical information security background.  During this call I also learned that this utility was in the process of hiring its first Chief Information Officer.

Utility B

Not long after this call I received an inbound call from a utility on the other side of the country.  In this case, it was a Human Resource representative on the other end of my phone.  She was fishing for information that particular day.  She wanted to know if I could help her company to find their first full-time information security professional.  They were thinking that a salary in the $100,000 to $120,000 range would be sufficient.

I did what I could to convince the HR person who called me that for $100,000 to $120,000 in their particular marketplace, they were going to get an Engineer and not an information security / cyber security professional who could build, implement and run a security program from the ground up.


Utility A’s human resource department shot down the idea of paying a search fee when the Information Security Manager asked for permission to use outside security-focused recruiting services.

Utility B’s human resource person never called again. I’m pretty sure she didn’t like hearing what she needed to know rather than what she wanted to hear.

Both of these examples occurred approximately 2 years ago.  

Are Utilities in the US facing real cyber risks?

Security Recruiter Blog