NRECA’s Carter Manucy (left) moderates a March 10 cybersecurity-focused breakout session at PowerXchange featuring NISC’s Scott Kaylor, Delta-Montrose Electric Association and Elevate Internet’s Phillip Marshall, Edisto Electric Cooperative’s David Drumheller and Meridian Cooperative’s Greg Gray. (Photo By: Jerry Mosemak/NRECA)
ATLANTA—Electric cooperatives should employ the latest tools and practices to keep members safe from cyberattacks that are growing in number, sophistication and impact, co-op leaders and industry experts told PowerXchange attendees.
“Cyberattacks really do happen. It's not stuff that just happens in the movies," said NRECA Cybersecurity Director Carter Manucy, who led a March 10 panel discussion on “Navigating the Cybersecurity Landscape."
Statistics show the potential for ransomware attacks is rising exponentially, Manucy said. The Cybersecurity and Infrastructure Security Agency sent out 1,200 pre-attack ransomware notifications to potential victims in 2023. Notifications doubled in 2024.
“I'm part of the new normal," said Phillip Marshall, an information technology analyst at Delta-Montrose Electric Association who was hired after the Montrose-based co-op suffered a full-scale cyberattack on Nov. 7, 2021, that required four months to recover. “We lost 25 years of data in 18 minutes."
The only “silver lining" of the attack, he said, was that no personally identifiable information (PII) was stolen, and the co-op stayed connected to the electric grid. But slow data retrieval and member mistrust linger.
Marshall encouraged board members to ask general managers and CEOs about their co-op's cybersecurity plan. CEOs, in turn, should ask their information technology and operational technology teams what resources they need and whether they are taking advantage of free cybersecurity assessments, exercises and tools from CISA and NRECA.
“We all have to change from, 'We've always done it this way' to, 'How can we be better?'" said Marshall. “Please ask questions. We don't want this to happen to anyone else."
Other key cybersecurity practices from the panel included:
- Patch management.
- Vulnerability maintenance.
- Multi-factor authentication (MFA) requirements for all, including contractors.
- CISA's free cyber assessments and penetration tests.
- NRECA's 20 Cyber Goals and other exercises and tools.
Meridian Cooperative CIO Greg Gray noted that threat actors target utilities at vulnerable times. He recommended co-ops have a business impact plan covering which systems should be restored first after an attack and whether they need a third-party solutions provider.
Scott Kaylor, senior manager business services at NISC, agreed, as cyber criminals have created a very active business that seeks system annihilation and big payouts.
“Threat actors will pile things on top of you, so ask your employees to be extra diligent on cyber when you have a disaster in your neck of the woods," he said.
Kaylor noted several “near misses" last year indicate co-ops' investment in cyber tools and NRECA's 20 Cyber Goals “have paid off." But since DMEA's attack, NISC has helped in recoveries from 31 attacks, with 11 occurring last year, including eight when Hurricane Helene hit.
Edisto Electric Cooperative in Bamberg, South Carolina, was attacked at 3 a.m. last Sept. 26, 24 hours before Helene would devastate its physical infrastructure.
The co-op did not suffer PII exposure or total loss of data, but “the brute force" of the attack left the co-op without desktops and maps to start its hurricane recovery, said David Drumheller, Edisto's director of information technology.
Edisto has since hardened its system, from firewalls to network segmentation, and acquired cyber monitoring tools to be alerted to abnormal activity on its network.
“We are in a much stronger position than we were six months ago," Drumheller said, but he noted there should never be a point “where we think we're good." Even after defenses are installed, threat actors quickly devise workarounds.
“Always be proactive," he said. “It's not if you'll face an attack, it is when."