NASHVILLE, Tenn.—On a recent flight, Tim Lindahl noticed the passenger next to him had a bag with her company's name on it. So he started asking questions about the firm.
"By the end of the flight I knew what billing system they had, I knew what security system they had, I knew what their IT guy's name was—just about everything I needed if I were a hacker to get into their system," Lindahl said.
He's not a hacker. He's the general manager of Wheat Belt Public Power District in Sidney, Nebraska. But Lindahl told that story at an NRECA Annual Meeting forum to make a point.
"That person wasn't an IT person but was at senior staff level. So I think that's why people are so important, and the cybersecurity part really needs to start at the people part of the equation."
Ongoing education of all co-op employees about threats is just one piece of the cybersecurity puzzle that your co-op needs to focus on.
"Cybersecurity is something that's continuous. It's ever-changing. You need to always be addressing, thinking about it, planning for it," said Bridgette Bourge, NRECA legislative affairs director.
"Data, energy supply, credit card information—whatever you hold, you have a responsibility to protect it."
Are you prepared to deal with a ransomware attack? Barry Lawson offered this frightening—and all too real—scenario.
"Someone has locked up all of your business systems. Every computer, every laptop received a message on the screen that says, 'You're no longer able to use this. But if you pay us $5,000 in Bitcoin we'll give you the code to enter so that you will gain access to your systems again,'" said Lawson, NRECA senior director, regulatory affairs.
And then he spelled out the reality you're confronting.
"You've got no access to email, or your payment processing, or finance accounting systems. Your co-op needs to decide: Are you going to pay the ransom? Do you have plans in place? Do you have backups? How far back do your backups go?"
Lindahl offered the co-op manager's perspective.
"Say you were hit with ransomware the day before billing and it locked your billing system up. Say it takes you three weeks to get that back online. Do you have a month of cash lying around to survive on?" Lindahl asked. "Or do you have a plan in place that can address that should something like that happen?"
The answer to that last question had better be yes, according to RB Sloan, president and CEO of SEDC.
"There's less emotion, fewer decisions that have to be made on the spot by having that plan there—just in case," he said.
Sloan then asked the directors and CEOs in the room a pointed question: "How many of you have conducted a tabletop exercise? I know many of you will do it for safety. I would strongly suggest you need to be doing this for cyber just as well, because the contingencies are just as varied and numerous in this as it would be in safety."
SEDC offers tabletop exercises for its customers to help them understand the dynamics of cyberattacks, and Sloan said "it really prepares you, and makes you ask questions you would not have otherwise thought of."
"I know every one of you advertises on a routine basis that we have 99.99 percent service reliability," Sloan said. "How many of you think that your customer base would be willing to accept 99 percent security with their data? Anything less than 100 percent is not going to cut it."
Ed VanHoose, executive vice president and general manager of Flora, Illinois-based Clay Electric Cooperative, agreed that co-ops should be taking preventive measures.
"This takes some preplanning. You should be doing things now to help mitigate what's going to happen when something like this happens. I didn't say 'if,' I said 'when,'" VanHoose said. And to the co-op leaders in the room, he offered a sobering thought.
"The last thing that I want to do is to ever have to release a statement about our data being breached and there being identity theft for our members or for our employees."