
Business Continuity Planning Lessons for Utility Companies

Michael Herrera

Published on: September 08, 2025


In December 2022, more than 45,000 residents in North Carolina lost power after a coordinated attack on two substations. There was no warning and little time to respond. Could your organization’s continuity plan have handled that?

For utilities—electricity, gas, water—the stakes are too high for uncertainty. Continuity is no longer optional; it’s a public safety requirement. Yet many leaders still ask: “Is our plan good enough? Would it hold up under pressure?”

The problem is that the answer usually comes too late. Over just the past three years, physical attacks, cyber breaches, extreme weather, and new regulations have forced utilities to rethink what resilience really means. For directors and VPs responsible for business continuity, now is the moment to pressure-test your approach—before the next crisis does it for you.

 

How Compliance Pressure Is Changing the Way Utilities Plan

From ransomware to winter outages, regulators are responding to real-world failures with tougher requirements for utilities. Here's what’s changing—and what leaders need to do to stay ready.

Electric utilities: FERC/NERC's Cold-Weather Standards

Following widespread outages during Winter Storm Elliott in 2022, FERC and NERC mandated utilities to adopt stricter cold-weather readiness protocols under standards EOP-012-2 and EOP-011-4. These standards require electric providers to proactively demonstrate their ability to maintain service in extreme cold, with proof of fuel availability, equipment weatherization, employee training, and site-specific performance assessments.

Gas sector: TSA Cybersecurity Directives

In response to the Colonial Pipeline ransomware attack, the TSA issued a series of directives that now govern cybersecurity practices for pipeline operators and natural gas utilities. These include mandatory annual incident response drills, the segmentation of IT and OT networks, continuous monitoring, and submission of cybersecurity implementation plans. Operators must also conduct regular self-assessments and test critical recovery procedures under stress.

Water sector: EPA's Cyber Push (Even If Paused)

The EPA’s 2023 move to embed cybersecurity into water system inspections signaled a significant shift in expectations for the sector, despite legal setbacks. Even though the requirement was paused, it made clear that all water utilities, especially smaller ones, are expected to demonstrate basic cyber hygiene. That includes identifying vulnerabilities in operational technology, implementing multifactor authentication, and documenting response protocols.

State mandates: Pennsylvania's Annual BCP Testing

In Pennsylvania, public utility regulations now require the annual certification of comprehensive business continuity plans. These plans must cover physical, cyber, and emergency risks and be routinely updated and tested. The mandate reinforces the idea that resilience must be proactive, continuous, and provable.

If you're struggling to keep pace with evolving mandates or defend your program during audits, Compliance Confidence can help. This BCMMetrics module lets you assess your alignment with FERC, NERC, EPA, and other standards using a guided framework. You’ll get built-in benchmarking, automated reporting, and a clear picture of where your continuity program stands and where it needs attention.

 

Best Practices That Make Utility Companies Crisis-Ready

The difference between reacting to a crisis and executing a response plan lies in how you prepare. Leading utilities treat continuity as a daily practice, built into how teams are trained, how systems are designed, and how risks are identified and mitigated. Here are the operational habits that define a crisis-ready, continuity-minded organization.

Redundant systems: Backup Control and SCADA Sites

Leaders in the space maintain fully functional backup control centers and alternate SCADA facilities. These are not just theoretical plans; they're regularly tested environments that can go live in minutes.

Exercises and drills: From GridEx to Local Simulations

Top utilities participate in national simulations like GridEx and conduct their own regular tests. These range from cyber tabletop exercises to full recovery walk-throughs, ensuring muscle memory in the event of an actual emergency.

Mutual aid coordination: Staging Resources Before the Crisis Hits

Utilities that lead in resilience treat coordination as a discipline. Mutual aid agreements, regional relationships, and pre-positioned crews are a standard part of the continuity playbook. These strategies enable companies to scale their response rapidly without wasting time building a plan mid-crisis. 

During Hurricane Ian, Florida's utility companies, supported by mutual aid from across the country, mobilized over 44,000 utility workers from 33 states to rapidly restore power. That speed came from mutual aid agreements, pre-positioned crews, and a tested coordination strategy.

Fuel assurance: Onsite and Contractual Strategies

Whether through on-site diesel storage or firm natural gas contracts, smart utilities plan for supply chain interruptions. They're not waiting until a freeze hits to figure out if the generators can run.

OT resilience: Segmentation and Manual Overrides

Operational technology systems are being designed with continuity in mind: segmented from IT networks, capable of offline operation, and always with manual override as a fallback.

Case in point: A regional utility company turned to BCMMetrics to overhaul a fragmented business continuity program spanning more than 20 locations. Plans were inconsistent, ownership was unclear, and updates lagged. By implementing BCMMetrics tools, they created standardized templates, defined clear responsibilities, and used dashboards to track readiness across sites. Within six months, they had not only improved plan quality but also built confidence at the executive level and reduced the administrative time spent managing BCPs.

 

3 Crises That Changed How Utilities Plan for Continuity

Here are three recent crises that redefined how utilities approach business continuity planning—and the lessons they revealed.

1. Moore County Substation Attack (2022)


Gunfire disabled two substations in North Carolina, cutting power to more than 45,000 customers for three days. The incident forced a nationwide reassessment of substation security and emergency grid reconfiguration plans.

What utilities should do: Treat physical security as a continuity issue. Reassess substation protections, implement access controls, and maintain spare critical equipment regionally. Include grid reconfiguration protocols and manual restart processes in your BCP.

2. Winter Storm Elliott (2022)


A blast of arctic air crippled energy systems across the Eastern U.S., triggering rolling blackouts in several states. It exposed weaknesses in cold-weather preparedness and underscored the critical need for utilities to align their operations with new cold-weather standards and to test those plans before the temperature drops.

What utilities should do: Reevaluate weatherization strategies across generation and distribution assets. Maintain on-site fuel reserves, cold-weather kits, and contingency staffing models. Run winter-readiness drills and document learnings in your annual business continuity plan review.

3. American Water Cyberattack (2023)


The cyberattack isolated parts of American Water's IT systems, but thanks to well-segmented networks, operational systems continued delivering water. It was a textbook case of how IT/OT separation can contain damage.

What utilities should do: Segment OT networks from IT, maintain offline backups, and create specific playbooks for ransomware or unauthorized access. Practice tabletop exercises that simulate IT outages and manual operation scenarios to prepare for potential disruptions.

 

Business Continuity Planning Needs to be Consistent

When American Water faced a cyberattack in 2023, its operational systems kept running. That outcome was the result of clear segmentation, contingency protocols, and practiced execution. It’s a sharp reminder that business continuity planning for utility companies requires enabling performance under pressure.

For VPs and Directors leading continuity efforts, the standard is rising, from regulators, customers, and internal stakeholders. Resilience doesn’t need to be complicated. It needs to be intentional, tested, and ready when it counts.

Improve Your Utility Company’s Business Continuity Management with BCMMetrics

BCMMetrics is purpose-built software, created by the experts at MHA Consulting with over two decades of real-world experience guiding critical infrastructure providers. Every tool is designed to reduce complexity, support compliance, and deliver results you can stand behind, especially under pressure.

We don’t overwhelm you with complexity. Our business continuity solutions help you:

  • Benchmark and assess with tools like BIA On-Demand, which streamlines business impact analysis with structured questionnaires, simplified data entry, and automated RTO calculations so you can identify critical processes without the bottlenecks.
  • Build and maintain plans with BCM Planner, a flexible editor that pulls real data from your BIA and streamlines the review and approval process, giving you centralized control over every recovery plan in your program.
  • Manage and organize location-specific plans using BCM One, designed to centralize site-level documentation, contacts, and response strategies.
  • Track compliance and readiness in one place with Compliance Confidence, which helps assess alignment to industry standards, identify gaps, and generate reporting that satisfies internal and regulatory audits.

With BCMMetrics, your continuity program becomes easier to manage, faster to update, and more defensible under pressure. It’s built for people who want results, not just reports.

Book your free demo today.

