Last year the US DoD released a report by one of its Defense Science Board teams, and I've seen it referenced a number of times in recent weeks, especially in articles announcing our loss of the most sensitive system design details on dozens of current and next-generation weapons systems.
See if you think this excerpt from the executive summary would accurately describe the current state at the utility you work for, or regulate, or invest in, or power your home with:
"[The conclusion that we must do much better on cyber defense] was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems."
If you think it might, then it's possible that you may find value in digging into the findings and recommendations within. I noticed this one on culture as being particularly relevant to our sector:
"Individual and organizational cyber practices result in so many cyber security breaches that many experts believe that DoD networks can never be secure with the current cyber culture. The individual’s immersion in the civil sector cyber culture and the military’s focus on mission objective are the two most important contributors to DoD’s poor cyber culture. In the face of a threat that routinely exploits organizational and personal flaws, DoD leadership must develop a clear vision for the Department’s cyber culture."
It's very likely your utility is not targeted nearly as much as are the DoD's networks and systems, but I'd still say this report has lots of applicability for the way we think and act.
URL for full report: