KANSAS CITY, Mo.—When Drew Timmerman took on cybersecurity at La Plata Electric Association as vice president of IT, he wanted a program with a clear message: Protecting the cooperative from cyberthreats would require buy-in from everyone, including the board.
“A big part of the project was to put this in front of the board of directors and say, ‘let's get the resources we need to get it done,’” he said.
At NRECA's Co-op Cyber Tech conference last week, Timmerman shared how LPEA went about building an inclusive cybersecurity program, in an effort to give guidance to other co-ops on overcoming internal obstacles and limited resources.
Motivated by a devastating cyberattack at a neighboring co-op and concerns about electric reliability and the protection of member data, LPEA began by considering how to align day-to-day business objectives with cybersecurity, how to create a plan that non-technical staff and the board can understand, and where best to spend cybersecurity funds.
“We wanted to be proactive,” Timmerman said. “We wanted employee engagement.”
The Durango, Colorado-based co-op hired cybersecurity consultants to help formulate a sustainable plan and set priorities for “situational awareness,” where staff and resources are at the ready to monitor and mitigate cyber-risks. Heatmaps of senior executives' priorities and likely threat scenarios for the co-op, plus a comparison of best practices, helped inform an action plan.
“Once we came up with a list of threats and vulnerabilities, we got metrics on the likelihood of threats happening at LPEA, the cost of mitigation and reputational impacts,” he said. “We used that to determine total risk.”
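The scoring step Timmerman describes, combining likelihood, mitigation cost and reputational impact into a total risk figure, can be worked through on a small risk register. The Python below is an added example, not LPEA's or NRECA's code; the scenario names come from the article, but every number, bucketing threshold and the "risk reduced per mitigation dollar" ranking are constructed assumptions used to show how such a register helps decide where funds go.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float           # estimated annual probability the scenario occurs (0.0-1.0)
    financial_impact: float     # expected direct cost in dollars if it occurs
    reputational_impact: float  # reputational harm, expressed in dollar terms for comparability
    mitigation_cost: float      # one-time cost of the planned control, in dollars
    likelihood_after: float     # residual annual probability once the control is in place


# Constructed sample register: the scenario types match the article, the figures do not
# come from LPEA and are illustrative only.
SAMPLE_REGISTER: list[Scenario] = [
    Scenario("ransomware", 0.30, 800_000, 400_000, 150_000, 0.10),
    Scenario("insider threat", 0.10, 300_000, 200_000, 20_000, 0.04),
    Scenario("supply chain compromise", 0.15, 500_000, 300_000, 60_000, 0.05),
    Scenario("vandalism", 0.40, 50_000, 20_000, 25_000, 0.20),
]


def combined_impact(s: Scenario) -> float:
    """Direct loss plus reputational harm, both in dollars."""
    return s.financial_impact + s.reputational_impact


def total_risk(s: Scenario) -> float:
    """Annualized total risk: likelihood times combined impact."""
    return s.likelihood * combined_impact(s)


def residual_risk(s: Scenario) -> float:
    """Annualized risk remaining after the planned control is in place."""
    return s.likelihood_after * combined_impact(s)


def risk_reduction_per_dollar(s: Scenario) -> float:
    """Dollars of annualized risk removed per dollar of mitigation spend.

    This is the number a board can compare across projects when deciding
    where a limited budget does the most good.
    """
    if s.mitigation_cost <= 0:
        raise ValueError(f"{s.name}: mitigation cost must be positive")
    return (total_risk(s) - residual_risk(s)) / s.mitigation_cost


def _bucket(value: float, low_below: float, medium_below: float) -> str:
    """Map a number onto the three heatmap bands (thresholds are assumptions)."""
    if value < low_below:
        return "Low"
    if value < medium_below:
        return "Medium"
    return "High"


def heatmap_cell(s: Scenario) -> tuple[str, str]:
    """(likelihood band, impact band) for placing a scenario on a heatmap."""
    return (
        _bucket(s.likelihood, 0.10, 0.25),
        _bucket(combined_impact(s), 100_000, 1_000_000),
    )


def heatmap(register: list[Scenario]) -> dict[tuple[str, str], list[str]]:
    """Group scenario names by heatmap cell."""
    grid: dict[tuple[str, str], list[str]] = {}
    for s in register:
        grid.setdefault(heatmap_cell(s), []).append(s.name)
    return grid


def rank_by_total_risk(register: list[Scenario]) -> list[str]:
    """Scenarios ordered by annualized total risk, largest first."""
    return [s.name for s in sorted(register, key=total_risk, reverse=True)]


def rank_by_value(register: list[Scenario]) -> list[str]:
    """Scenarios ordered by risk reduction per mitigation dollar, best first."""
    return [s.name for s in sorted(register, key=risk_reduction_per_dollar, reverse=True)]


if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(f"{s.name:25s} total risk ${total_risk(s):>10,.0f}  "
              f"residual ${residual_risk(s):>9,.0f}  "
              f"reduction/$ {risk_reduction_per_dollar(s):.2f}  cell {heatmap_cell(s)}")
    print("by total risk:", rank_by_total_risk(SAMPLE_REGISTER))
    print("by value of spend:", rank_by_value(SAMPLE_REGISTER))
```

With the constructed figures the two rankings differ: ransomware leads both lists, but the insider-threat control, cheap relative to the risk it removes, moves ahead of the supply chain project when scenarios are ranked by risk reduced per dollar rather than by raw total risk. That gap between "biggest threat" and "best use of the next dollar" is what a register like this makes visible to a non-technical board.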
LPEA ran self-assessments against vandalism, supply chain and insider threat scenarios and measured itself against National Institute of Standards and Technology best practices. Timmerman said co-ops can use NRECA's Rural Cooperative Cybersecurity Capabilities (RC3) Program to locate gaps in their cybersecurity.
The co-op's action plan focused on three components:
- Incident response planning and tabletop exercises.
- Expanded risk management, which included evaluating vendors.
- Legal concerns, such as training and cybersecurity insurance.
LPEA performs ransomware tabletops based on NRECA scenarios with a large cross-section of staff. “We got finance, legal, operations folks and communications involved so everyone would get a better understanding of when and how they would serve in a ransomware attack,” he said. “Cybersecurity is a continuous cycle.”
A high-level model and a “periodic table” of projects show where co-op departments fit in the overall cybersecurity plan. It has served as an effective tool in communicating with the board on the need for resources and attention to cybersecurity, he said.
“Feel free to utilize our concept of a periodic table at your utility,” Timmerman told conference attendees. “The big goal is to help everyone understand that cybersecurity is not just an IT problem. Cybersecurity needs everyone's support.”