As far as cyber defense goes, it all boils down to risk management. "It's about not eliminating the risks but finding where your acceptable risk tolerance is and meeting it for your customers and your investors," he added.
"It's pretty hard to convince the PUCs and investors to pay for upgrades and increases in security budgets when someone can say, 'I don't see anything wrong. The lights are on,'" he said.
Clarke argued that not even a "Cyber Pearl Harbor" would likely change that attitude. "Even if there were some all out attack on a utility, and it took them down, the other utilities wouldn't take it to heart that it could happen to them," he said.
Sign up for CIO Asia eNewsletters.