Physical and Cybersecurity

Xcel Energy is committed to the security of customers, our assets and the nation’s critical infrastructure. We have built a robust security culture from a long history of partnership with public and private agencies to ensure the protection of the critical assets that deliver safe, reliable energy to our communities and to secure our customers’ information.

The electric power industry is the only critical infrastructure sector with mandatory and enforceable cybersecurity standards. We adhere to all government and regulatory requirements, including data privacy laws, and we’ve been proactive in partnering with government and private-sector leaders to identify vulnerabilities and secure our systems. Additionally, Xcel Energy Chairman, President and CEO Ben Fowke is a member of the National Infrastructure Advisory Council (NIAC) subcommittee on cybersecurity, which advises President Obama through the secretary of Homeland Security on the security of critical infrastructure sectors and their information systems.

Our physical and cybersecurity program plans and prepares for adverse events to ensure full, fast mitigation and recovery from any event that may occur. The program is built on a Defense-in-Depth methodology that provides multi-layered safeguards to ensure there are no single points of failure or weakness. Still, all utility industry security programs are based on risk management, not risk elimination. There is no solution that can make the grid completely safe and secure.

The responsibility of protecting our critical assets continues to evolve as new threats emerge, and we continually elevate our capabilities to prepare, prevent and respond to potential threats. Our investments in infrastructure, cyberassets and personnel reinforce our commitment to protecting customers, our assets and the nation’s critical infrastructure.

Utility IT Symposium

In October 2013, Xcel Energy hosted a symposium that brought together IT thought leaders from more than a dozen U.S. utilities, as well as representatives from energy industry associations and federal agencies. The first-of-its-kind, two-day Utility IT Symposium featured briefings from the FBI and North American Electric Reliability Corporation (NERC), as well as in-depth conversations about the most pressing cybersecurity issues currently facing electric and gas utilities. Participants discussed their approaches to building dynamic defense plans for protecting the grid’s critical networks as attackers become more brazen and sophisticated. Events like this allow us to stay active with various industry and security working groups so we can detect, coordinate and react as efficiently and quickly as possible when the need arises.

GridEx II

In November 2013, Xcel Energy participated in a two-day international grid security exercise called GridEx II. The drill, conducted by NERC, was designed to validate the readiness of the electricity sub-sector’s plans for responding to possible attacks, including a cyber incident, to strengthen utilities’ crisis response functions and to provide input for internal security program improvements. GridEx uses best practices and other contributions from the Department of Homeland Security, the Federal Emergency Management Agency, and the National Institute of Standards and Technology.

Regulation of Infrastructure and Information Security

As we go forward, we believe that infrastructure security and information security laws and regulations should focus on:

  • Harmonizing relevant requirements across state and federal agencies;
  • Establishing a clear reporting and federal agency responsibility structure in case of a cybersecurity event;
  • Sharing cybersecurity threats and vulnerabilities information between the federal government and the private sector;
  • Giving the utility industry the tools and flexibility it needs to develop safeguards that are appropriate for each utility’s risk profile;
  • Strengthening cyber defenses while minimizing paperwork and ineffective compliance measures.