Electric cooperatives have been building cybersecurity muscle thanks in part to a regimen embodied in the RC3 program.

Short for Rural Cooperative Cybersecurity Capabilities, RC3 ran for just under five years and produced a range of resources, including risk assessments, tabletop exercise toolkits, workshops and technical outreach.

Users ranging from generation and transmission co-ops serving nearly 2 million people to distribution co-ops with less than 4,000 members have lauded the program for helping improve their cybersecurity posture.

“RC3 is one of NRECA’s greatest additions to the program in the 20 years I’ve been in the co-op industry,” said Trina Zager-Brown, general counsel and manager of member services at White River Electric Association in Meeker, Colorado. “It has given structure and stature to how electric co-ops have recognized the importance of cybersecurity.”

RC3 began in 2016 with a $7.5 million grant from the Department of Energy to develop cybersecurity resources for small utilities. Cynthia Hsu, NRECA’s former principal for cybersecurity solutions, led the program and wrapped up its achievements in a final report in April.

“From the beginning, the RC3 team knew it had to build and encourage an infrastructure, an ecosystem, that would enable the program to scale beyond the cooperatives that were directly participating,” Hsu wrote. “The work these cooperatives are doing will ensure the RC3 program’s impact extends well beyond the period of performance and benefits a much larger audience than [it] could reach on its own.”

The Colorado Rural Electric Association used RC3 resources to create a Rural Electric Cyber Achievement Program and Cyber Force, a team of co-op staffers who facilitate tabletop exercises.

“NRECA, Cynthia and her team developed exercises that are sophisticated, top-level but still relevant for small co-ops,” said Zager-Brown, who is also the facilitator-coordinator for Cyber Force.

Marc Child, information security program manager at Great River Energy in Maple Grove, Minnesota, called out a voucher program arranged through RC3 that gives co-op participants access to prestigious SANS™ cybersecurity training.

“People who didn’t normally get selected for SANS courses got training,” he said. “The value of that voucher cannot be overstated.”

The Association of Illinois Electric Cooperatives now conducts RC3 self-assessments at member co-ops in a two-day process that identifies potential vulnerabilities across their networks.

“Several CFOs and operations managers have come up to me to say they were kind of hesitant to dedicate that time, but they were really glad they stuck it through,” said Dan Gerard, the statewide’s chief technology officer. “RC3 is applicable across all departments of a co-op. No department goes untouched by the assessment.”

Paul Hofman, vice president for information technology at Central Iowa Power Cooperative in Cedar Rapids, said one of RC3’s biggest impacts is helping co-op boards appreciate the need for allocating cybersecurity resources.

“A lot of directors didn’t grow up with cyber risks,” he said. “To help them understand, RC3 put meat on the bones of the need and how they can impact it.”

He said another benefit has been satisfying state governments that additional cybersecurity regulations for electric co-ops are not needed.

“RC3 is a big reason for the statewide to go to regulators and say, ‘We are being very proactive,’” Hofman said.

The final NRECA report notes that the RC3 team was “thrilled” to see co-ops taking independent efforts to further the program and listed several areas where additional work could be done.

“RC3 laid the groundwork,” Child said. “We need to keep it going.”

Explore NRECA’s resources on cybersecurity.