Building a Cyber-Aware Workforce in the Utility Sector

Given the frequency, breadth, and depth of attacks against our critical infrastructure, the importance of building a cyber-aware workforce in the utility sector cannot be emphasized enough. The statistics tell a sobering story: roughly 80–95% of all cyber-attacks involve human error as either the direct or indirect cause. Cyber adversaries routinely exploit employee mistakes to gain network access, whether through spear-phishing emails, 'drive-by' attacks during web browsing, or other 'unwitting insider' avenues. 

Why Human Error Matters: Real-World Consequences 

For utility sector employers, this is particularly critical due to the nature of critical infrastructure. While a cyber-attack or incident at any company is never a good thing, a critical infrastructure company being exploited can cause widespread disruption to society. 

Some highly impactful examples demonstrate this reality: 

  • The cyber-attack on Ukraine’s power grid on December 23, 2015, started with a spear phishing campaign with malware loaded in an Excel attachment, ultimately disconnecting 30 substations and leaving approximately 225,000 customers without power for up to six hours [1]. 
  • The Colonial Pipeline cyber-attack in May 2021 began with an email phishing campaign in which attackers gained access using a stolen, exposed VPN password, forcing a shutdown that disrupted fuel supplies across the entire East Coast [2]. 

The easiest way for attackers to gain access is to have users do it for them. Technical controls such as firewalls, anti-malware, and intrusion detection can reduce the likelihood of a successful attack but cannot stop attacks entirely. These examples highlight one critical truth: the human element remains both the greatest vulnerability and the greatest opportunity in cybersecurity defense. 

The Bottom Line 

With cyber threats targeting utilities at increasing rates and the attack surface expanding through grid modernization, the sector cannot afford to underinvest in the human element. Training and awareness programs constitute the foundational defense layer in cybersecurity. Success requires moving beyond compliance to building an authentic cybersecurity culture where every employee, from executives to field technicians, understands their role in protecting the grid. Educated, engaged, and security-aware employees are the most cost-effective cybersecurity investment utilities can make. 

Building a Strong Cybersecurity Culture 

Establishing a strong culture of cybersecurity is essential for sustaining safe practices within electric utilities, where operational and information technology systems are deeply connected. To build this culture, a company might increase training frequency, provide methods of positive reinforcement, or incorporate contextual learning. 

This keeps cybersecurity top of mind and provides deeper engagement by the individual. Cybersecurity must be positioned as a leadership issue demanding oversight and investment that comes alongside growing risks. 

The Framework: Awareness and Training 

Rather than blindly clicking on links or opening attachments in emails—or clicking on that advertisement on a favorite sports website—a cyber-aware employee uses a critical eye to protect your network. Maybe they look at an unexpected email, notice that the grammar is off or that a link points to an odd domain, and instead of opening the attachment, they click the 'Report Phishing' button or forward the message to the security operations center's (SOC) email address. And just like that—your network is defended. 
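The "odd domain" check described above can also be automated on the SOC side, so that a reported message is triaged the same way an alert employee would read it. The following is an added example, not code from the original article or from GDS or CI-Discern: it parses the anchors in an email body and flags any link whose href leaves the employer's own domain or whose visible text shows a different domain than the href actually points to. The sample message, the trusted-domain set (`example-utility.com`) and the two-label "registrable domain" shortcut are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). The second link shows one
# domain in its visible text while its href goes to an unrelated host.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox quota is exceeded. Please
<a href="https://login.example-utility.com/reset">reset your password</a>.</p>
<p>Or visit <a href="http://example-utility.com.account-verify.invalid/">https://portal.example-utility.com</a>.</p>
<p>Help desk: <a href="https://helpdesk.example-utility.com">https://helpdesk.example-utility.com</a></p>
"""

# Assumption: the employer's own domain(s); anything else is "odd" for an internal notice.
TRUSTED_DOMAINS = {"example-utility.com"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplification (assumption): the last two labels are the owning domain.
    A production filter would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def href_domain(url):
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per link: which domain it really goes to, whether that
    domain is trusted, and whether the visible text contradicts the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = href_domain(href)
        reasons = []
        if actual is None:
            reasons.append("href has no host")
        elif actual not in trusted:
            reasons.append(f"href domain {actual} is not a trusted domain")
        shown_url = URL_IN_TEXT.search(text)
        if shown_url:
            shown = href_domain(shown_url.group(0))
            if shown and shown != actual:
                reasons.append(f"visible text shows {shown} but href goes to {actual}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Just the links an analyst (or an employee) should treat as red flags."""
    return [f for f in check_links(html, trusted) if f["suspicious"]]


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}  {'; '.join(finding['reasons'])}")
```

Run against the sample body, the password-reset link and the help-desk link pass, while the middle link is flagged twice: once because its true domain is not trusted, and once because the text it displays names the utility's portal while the href does not.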

How is that culture of security built? There are two aspects of a culture change to a cyber-aware workforce: awareness and training. 

Awareness includes creating a program that ensures your employees understand that they are the company's first line of defense. Your cyber awareness and training program should include executive involvement and visible championing; it should be relevant to the individual employee; and it should be maintained and kept up to date with current events and incidents, especially as adversarial tactics change and adapt. 

Executive involvement goes beyond sending an annual email reminder—leaders need to be visible to participants in the program itself. That means executives taking the same training courses as everyone else, participating in phishing drills (and yes, sometimes falling for them!), and publicly acknowledging when they report suspicious emails. When employees see their VP or CISO walk the walk, it sends a powerful message: cybersecurity isn’t just the IT department’s job; it’s everyone’s responsibility, from the C-suite to the field technicians. 

Training includes implementing both required training courses and active cybersecurity exercises, which could include phishing drills or training scenarios. Simulated phishing represents one of the most effective training approaches for utilities. These programs deliver realistic email templates to employees, tracking who clicks malicious links or provides sensitive information. 

Comprehensive training should include several components:  

  • General cybersecurity training for all employees covering phishing recognition, password hygiene, physical security, and incident response 
  • Incident response training for simulated cyber incidents where cross-functional teams practice response protocols, communication, and recovery procedures 
  • Specialized training (for example, NERC CIP-level courses) covering compliance-related policies, or other specialized training for high-risk roles such as IT/OT staff, executives, contractors, and operations teams 

Every company should have an effective phishing awareness training program with engaging and relevant messages that look authentic but aren’t. Employees who report a phishing email should be supported by a Security Operations Center (SOC) team that responds appropriately. 

As cyber threats evolve, so must training approaches. Emerging trends include: 

  • AI-powered personalized learning: Adaptive training that adjusts difficulty and content based on individual performance 
  • Behavioral risk scoring: Dynamic assessments that identify high-risk users requiring additional training 
  • Supply chain security training: Extending security awareness to third-party vendors and contractors 
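The simulated phishing programs described above ("tracking who clicks malicious links or provides sensitive information") and the behavioral risk scoring trend in the list both reduce to the same bookkeeping: per-campaign rates for the program owner, and a per-user score that decides who needs extra training. The following is an added example, not code from the original article or from any phishing-simulation product: the campaign results, the point values per outcome, the recency discount and the tier thresholds are all constructed assumptions, chosen only to show the mechanics.

```python
from collections import defaultdict

# Constructed sample: outcomes of three simulated phishing campaigns (not real data).
# Each record is (campaign, user, outcome). Outcomes a simulation platform typically
# records: "reported", "ignored", "clicked", or "submitted" (entered credentials).
SIMULATION_RESULTS = [
    ("2024-Q1", "alice", "reported"),
    ("2024-Q1", "bob",   "clicked"),
    ("2024-Q1", "carol", "submitted"),
    ("2024-Q1", "dave",  "ignored"),
    ("2024-Q2", "alice", "reported"),
    ("2024-Q2", "bob",   "reported"),
    ("2024-Q2", "carol", "clicked"),
    ("2024-Q2", "dave",  "clicked"),
    ("2024-Q3", "alice", "reported"),
    ("2024-Q3", "bob",   "ignored"),
    ("2024-Q3", "carol", "submitted"),
    ("2024-Q3", "dave",  "ignored"),
]

# Assumed weights: reporting earns credit, clicking costs points, and submitting
# credentials costs the most. These values are illustrative, not a standard.
OUTCOME_POINTS = {"reported": -2, "ignored": 0, "clicked": 3, "submitted": 6}


def campaign_metrics(results):
    """Per-campaign click and report rates. Submitting credentials implies a click,
    so it is counted as one; the report rate is the figure a program wants to grow."""
    totals = defaultdict(lambda: {"users": 0, "clicked": 0, "reported": 0})
    for campaign, _user, outcome in results:
        t = totals[campaign]
        t["users"] += 1
        if outcome in ("clicked", "submitted"):
            t["clicked"] += 1
        elif outcome == "reported":
            t["reported"] += 1
    return {c: {"click_rate": round(t["clicked"] / t["users"], 3),
                "report_rate": round(t["reported"] / t["users"], 3)}
            for c, t in totals.items()}


def user_risk_scores(results, decay=0.5):
    """Recency-weighted score per user: the latest campaign counts fully and each
    earlier one is discounted by `decay`, so improvement is rewarded quickly.
    Negative totals are clamped to 0 so that past reports cannot 'bank' credit."""
    campaigns = sorted({c for c, _, _ in results})
    weight = {c: decay ** (len(campaigns) - 1 - i) for i, c in enumerate(campaigns)}
    raw = defaultdict(float)
    for campaign, user, outcome in results:
        raw[user] += OUTCOME_POINTS[outcome] * weight[campaign]
    return {u: round(max(0.0, s), 2) for u, s in raw.items()}


def risk_tier(score, high=4.0, medium=1.0):
    """Map a score to a training tier (thresholds are assumptions)."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def training_plan(results):
    """Who needs what: 'high' users get targeted coaching, 'medium' a refresher,
    'low' only the baseline annual course."""
    return {u: risk_tier(s) for u, s in user_risk_scores(results).items()}


if __name__ == "__main__":
    for campaign, m in sorted(campaign_metrics(SIMULATION_RESULTS).items()):
        print(f"{campaign}: click rate {m['click_rate']:.1%}, report rate {m['report_rate']:.1%}")
    for user, tier in sorted(training_plan(SIMULATION_RESULTS).items()):
        print(f"{user:6} score {user_risk_scores(SIMULATION_RESULTS)[user]:>4}  -> {tier}")
```

With the sample data, carol (two credential submissions, one click) lands in the high tier, dave (a single click last quarter and nothing since) in the medium tier, and alice and bob in the low tier because their recent reports outweigh bob's early click. The recency discount is the important design choice: a score that never decays punishes an employee who has since learned the lesson, which works against the supportive, non-punitive culture the article calls for.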

Real-World Protection 

A cyber-aware employee is also enabled and empowered to protect themselves from scams, fraudulent charges, damaged reputations, and other harm. An informed employee would recognize that a text or email appearing to come from your CEO or CFO, urgently requesting that the employee go online, purchase twenty-three $50 Apple gift cards, and send pictures of the codes, is probably fraudulent. Of course, that text is going to claim that it needs to be "held confidential," and that the reimbursement to the employee's personal credit card will happen the next day or week. All of these should stand out as red flags, and the employee should report the attempt to your SOC ASAP!  

Addressing Unique Challenges in the Utility Sector 

Electric utilities face unique challenges in building a cybersecurity culture. A utility employs a diverse group of people, from control room operators to field technicians to IT specialists, who all have varying degrees of knowledge of and exposure to cybersecurity threats. Convergence of IT and OT, distributed operations, and legacy systems further complicate consistent training delivery and policy enforcement. The constant pressure on employees to maintain vigilance can lead to fatigue and fatalism. Smaller utilities often lack dedicated cybersecurity staff and must rely on employees wearing multiple hats. 

That said, electric utilities benefit significantly from sector-wide collaboration on training and threat intelligence. The "shared threat landscape" concept recognizes that many organizations face similar cyber risks, enabling collective defense strategies. Use the shared resources available from the NERC Regional Entities, APPA, NRECA, E-ISAC, DoE, and CISA. 

In the end, cybersecurity isn’t a department—it’s a shared mindset that protects our most critical systems. Our teams of cyber professionals at CI-Discern and GDS collectively bring hundreds of years of combined cybersecurity experience and can assist with evaluating your cyber awareness and training programs, identifying improvement strategies that any company could implement, regardless of their size or maturity level. GDS has specialized staff that keep up with current security trends and threats to better help keep you informed. Those plans could range from where to start an awareness program, how to fine-tune training strategies, how to increase phishing drill participation through advanced gamification concepts, or how to create effective training modules and foster a culture of compliance and security. 

For questions or to discuss further, reach out to the GDS Energy Reliability & Security Team and let us know how we can help. 

Authors: James Fernstermaker, GDS Associates & James Gibb, Ci-Discern