How strong is your co-op's cybersecurity?

While employees at many electric co-ops are adding cybersecurity to their responsibilities, it can be difficult to know how durable their defenses are.

That's where a new toolkit from NRECA's Business & Technology Strategies group comes in. The three-part RC3 Cybersecurity Self-Assessment Do-It-Yourself Toolkit, crafted through research at co-ops, provides a way for co-op employees to understand their vulnerabilities.

"The self-assessment was eye-opening for the crew I brought in. Before we came to the meeting, they wondered, 'Why am I going?'" said Sandy Hendren, co-general manager of the 3,300-meter Scottsbluff, Nebraska-based Roosevelt Public Power District, which participated in the toolkit's development.

"Now, they realize that everything we do is internet-based—our billing, accounting, so much of our work—and it all has cybersecurity implications. Now, they understand just how important it is," Hendren said.

NRECA's Rural Cooperative Cybersecurity Capabilities (RC3) Program beta-tested the self-assessment model at 36 co-ops in 13 states. Over the course of two years, the RC3 team conducted two in-depth visits with each co-op to build the toolkit.

"Developing the Self-Assessment Toolkit included extensive cybersecurity training on topics ranging from methods used by ethical hackers to discussing third-party and supply-chain cybersecurity issues," said Cynthia Hsu, cybersecurity program manager for the Business & Technology Strategies group and head of the RC3 Program.

The process uncovered how cybersecurity can be strengthened when co-op staff recognize that many of their daily tasks are internet-based and that they have a responsibility to keep cyber threats at bay. Co-ops can facilitate cybersecurity by engaging all co-op staff with simulated phishing tests or other preparedness activities and discussing cybersecurity at safety meetings.

"By working intensively with the executive staff of the 36 co-ops, the RC3 Program was able to help build stronger awareness of the cybersecurity responsibilities for each job role," Hsu said. "In turn, co-op staff were able to identify potential cyber vulnerabilities and mitigation options."

Co-op staff who participated in the self-assessment testing remarked on the valuable lessons for ongoing cybersecurity at their workplace.

"Going into the process, we wondered, 'Do we really even need this?'" said Amber Hall, accounting and billing clerk at Pella Co-op Electric Association, which serves 3,000 members in Pella, Iowa. "After the self-assessment, we realized that an attack can happen to anybody, anytime, anywhere, whether you're big or small. We know we need to do more. We're rising to the occasion and working on how we can be more proactive."
