[image-caption title="IT%20Security%20Specialist%20Matt%20Shultz%20of%20the%20Federal%20Energy%20Regulatory%20Commission%20told%20attendees%20at%20NRECA%E2%80%99s%20Co-op%20Cyber%20Tech%20about%20a%20free%2C%20nonbinding%2C%20in-depth%20cybersecurity%20assessment%20the%20agency%20can%20perform%20at%20co-ops.%20(Photo%20By%3A%20Denny%20Gainer%2FNRECA)" description="%20" image="%2Fnews%2FPublishingImages%2Fcybertech-shultz.jpg" /]
A national expert on cyber defenses encouraged attendees of NRECA’s first cybersecurity conference to pursue a free, federally administered system assessment to help their electric cooperatives stay ahead of online threats.
“A voluntary assessment provides entities with a comprehensive understanding of their current cybersecurity posture benchmarked against best practices from industry and the federal government,” said IT Security Specialist Matt Shultz.
Shultz leads the Voluntary Cyber Architecture Assessment Program at the Federal Energy Regulatory Commission’s Office of Energy Infrastructure Security. He shared his insights at the 2022 Co-op Cyber Tech conference, which attracted 300 co-op representatives to Washington, D.C., on Nov. 8-9.
The FERC assessments are free and nonbinding but require two days of participation from subject matter experts from across the organization, including network administrators, IT managers and OT engineers.
“The opening and closing discussions should be attended by the C-suite,” he added.
The first day assesses a utility’s cybersecurity awareness and training, network architecture, remote access, data security and business continuity, among other facets.
The second day covers insider threat detection and the utility’s industrial control systems network in detail, from backup and restoration to monitoring and incident response.
“Adversaries are seeking to exploit known vulnerabilities,” Shultz said.
Shultz highlighted a type of cyberattack known as “credential stuffing,” where large numbers of logins and passwords are exposed through a breach on one website, then used in attempts to gain access to other accounts where the same or similar credentials are used.
“If passwords are only changed every 90 days, oftentimes they are not new and novel,” he said. To strengthen cyber defenses, Shultz recommended enforcing random, mandatory password resets.
Other practices to adopt, according to Shultz, include:
- Penetration testing
- Phishing-prevention training
- Incident-response playbooks
- Recurring background investigations
“Worst practices” include:
- Numerous elevated-privilege accounts
- Unsupported operating systems
- Insecure network hardware configurations
- No dedicated laptops for control system environment
More Co-op Cyber Tech Coverage: