For utility defense teams and critical infrastructure protectors, the baseline operational reality is clear: grid security requires constant, unified vigilance. Public power utilities face the complex challenge of defending interconnected physical assets, information technology (IT), and operational technology (OT) from increasingly coordinated digital threats.
Recognizing the need for a unified defensive front, the American Public Power Association (APPA) Board of Directors recently approved and launched its first-ever Cybersecurity Committee. This dedicated committee is designed to align and provide strategic direction for all of APPA's various cybersecurity programs, events, resources, and projects.
Here is a breakdown of what this milestone governance move means for APPA members, critical infrastructure protection, and the general public.
1. What is the new cybersecurity committee?
The APPA Cybersecurity Committee serves as a centralized strategic hub. Previously, public power utilities relied on an array of disconnected playbooks, working groups, and training programs. This new committee systematically orchestrates those resources under a single governance body to establish a more unified threat-response posture across the sector.
The committee's core mandate includes aligning and maximizing APPA's cornerstone initiatives:
-
The Cybersecurity Defense Community (CDC): APPA's primary working group tasked with updating utility resources and planning the annual Cybersecurity & Technology Summit.
-
Targeted documentation: Centralizing the deployment of the Public Power Cyber Incident Response Playbook and the Public Power Cybersecurity Roadmap.
-
Federal cooperative agreements: Advising on initiatives funded through APPA's Cyber Pathways program, which operates under a cooperative agreement with the Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
2. Gamifying maturity: the cybersecurity accelerator program (CAP)
A primary program under the committee's strategic umbrella is the Cybersecurity Accelerator Program (CAP). Funded through the Cyber Pathways initiative, CAP helps public power utilities evaluate and dynamically improve the maturity of their cybersecurity programs across both IT and OT networks.
Rather than utilizing CAP as a pass/fail compliance audit, APPA uses a tiered designation structure to recognize utility maturity and establish clear defensive benchmarks:
-
CAP Designation Level Gold / Maturity Criteria: Utilities that successfully validate and demonstrate foundational, core cybersecurity practices across governance, risk management, and incident response.
-
Level Platinum / Maturity Criteria: Utilities that demonstrate advanced cybersecurity execution positioned well above core practices.
-
Level Diamond / Maturity Criteria: Utilities validating elite cybersecurity programs that operate above and beyond core practices.
The evaluation covers crucial areas like cybersecurity governance and training, structured incident containment, and grid risk prioritization. The program provides a practical roadmap, allowing less advanced utilities to look at CAP designees as blueprints for modeling their own internal defensive architectures.
3. What this means for the public power ecosystem
The launch of the Cybersecurity Committee and the scaling of the CAP initiative signal a major evolution in how public power approaches digital defense.
For APPA members and utility CISOs
For the personnel defending local utility perimeters, this means an end to siloed security planning. With the committee establishing a standardized baseline, member utilities can easily map their current capabilities against industry-vetted standards like the Cybersecurity Capability Maturity Model (C2M2) and CISA Cross-Sector Performance Goals. Furthermore, because the CAP application requires collaboration between executive leadership and technical subject matter experts, it bridges the historical gap between utility boards and IT/OT engineers.
For critical infrastructure security
Critical infrastructure is inherently interdependent. A cyber incident that compromises a small, municipal public power utility can rapidly scale, causing cascading telemetry failures into broader regional transmission networks. By building a cooperative defense ecosystem that includes small public power entities through programs like OT Insight (which deploys sensor technologies to smaller plants), the committee significantly raises the collective barrier to entry for adversarial threat actors targeting the North American bulk power system.
For the general public
For everyday consumers, this structural alignment translates directly into grid reliability and community resilience. Public power utilities serve millions of Americans. When an association aligns its defense strategies, upgrades its incident response playbooks, and audits its supply chain risks, it drastically reduces the likelihood of catastrophic, cyber-induced power outages that threaten public safety, local economic stability, and the continuous delivery of electricity.
"It is vital that public power utilities have access to the latest tools and information they need to successfully meet ever-evolving cybersecurity threats. The Committee will play a key role in helping APPA members make the most of the resources that APPA offers to them when it comes to cybersecurity vulnerabilities," said Scott Corwin, President and CEO of APPA.
Nick Lawler, General Manager at Littleton Electric Light & Water Department in Massachusetts, is serving as Committee chair, while Mike Willetts, Director of Training and Safety at the Minnesota Municipal Utilities Association, is serving as Vice Chair.
"It’s an honor to lead this Committee, and I am looking forward to working with Mike and the APPA team," said Lawler. "The Committee will work to ensure that APPA's cybersecurity efforts continue to effectively assist members as they tackle cybersecurity threats."
The APPA's Cybersecurity Accelerator Program helps public power utilities to assess and improve the maturity of their cybersecurity programs. This includes assessing both IT and OT cybersecurity posture, as well as the policies and practices that support electric system and grid security.
The CAP application form and guide can be found at the link above. Utilities must submit the application, including program checklists, supplemental information, and/or documentation as necessary, by June 30, 2026.
