As electric cooperatives keep pace with the growing complexities of cybersecurity, many are finding it makes sense to outsource certain tasks. But inviting a third party or “managed service provider” into a co-op’s network can create its own vulnerabilities and pitfalls.
To help co-ops navigate the contracting and managing of MSPs, NRECA has released a new advisory that highlights key steps for co-ops to take before and after a contract is signed.
“We understand a co-op can contract an MSP to do anything it does not have the time or resources to do itself, including cybersecurity,” said Ryan Newlon, NRECA principal for cybersecurity solutions. “With that in mind, we put together significant cybersecurity resources to assist co-ops when they turn to a managed service provider.”
The MSP advisory also directs co-ops to NRECA’s Rural Cooperative Cybersecurity Capabilities (RC3) guidance documents, self-assessment tools and other resources.
“It is important to apply the basics of vendor management when it comes to an MSP,” Newlon said. “But you should also be aware that circumstances may require additional diligence both before and during the term of the services.”
Here are a few considerations the report recommends that co-ops weigh:
Before contracting an MSP
• Work with your attorney when reviewing and negotiating contract terms.
• Do your due diligence and request an MSP provide verifiable information on its ability to deliver cybersecurity, including documented security policies and procedures and certified proof of test results.
• Request an MSP provide information on mitigation efforts to address past data breaches or cyber incidents.
• Create processes to ensure accounts made for the MSP are unique and secure. Disable them when MSP personnel change.
After contracting an MSP
• Enforce multifactor authentication for logging into your co-op’s system and monitor for unexplained failed logins.
• Conduct regular cybersecurity checks with the MSP’s operations and systems.
• Participate in external cyber exercises or conduct your own to evaluate your co-op’s incident response, business continuity and disaster recovery procedures.
The MSP advisory suggests co-ops hold additional drills after major system upgrades or configuration changes. The RC3 program offers a toolkit with several tabletop exercises.
“Due diligence and well-negotiated contracts can greatly mitigate risk but cannot guarantee protection against all cybersecurity threats,” Newlon said. “What is important is to stay vigilant throughout the term of the agreement with the MSP.”