[Image caption: After dealing with a third-party breach last fall, Blue Ridge Energy is sharing its experience and offering 13 lessons to help other co-ops when a vendor is the victim of a cyberattack. (Photo By: anyaberkut/Getty Images)]
WILMINGTON, N.C.—When a vendor gets hacked, how can an electric cooperative protect its members, its staff and its resources ASAP?
At North Carolina's Electric Cooperatives' recent Cooperative Technologies Conference and Expo, Blue Ridge Energy shared its experiences after a third-party data breach left it vulnerable.
“Two things you never want to hear: 'We feel we have been compromised' or vendors notifying you of suspicious activity,” said Tanner Greer, senior vice president and chief technology officer at the Lenoir, North Carolina-based co-op.
Last Sept. 27, they heard that a third-party vendor had been compromised.
That day, a vendor contacted the co-op about a breach but said there was no evidence of customer data being compromised. They recommended disabling all third-party access to internal servers and any “ad-hoc” remote clients. Blue Ridge Energy did so and began keeping a close watch on the situation.
The vendor's next big update on Oct. 5 identified the group behind the attack and disclosed that “some data” was taken, said Greer. Six days later, an outside cybersecurity vendor provided Blue Ridge Energy with evidence that its data had indeed been compromised.
The co-op called its cyber insurance provider, contacted its legal department and launched its own forensic investigation.
“We thought only the third party was affected,” Greer said. “This altered our response. We decided to look through the data ourselves.”
At its headquarters, the co-op created a “situation room” to safely enter the dark web where hackers fence stolen data. A conference room was furnished with retired, wiped computers and an old printer not connected to the co-op's network. TV screens became monitors, and clean USB drives were used for data transfers. Access was limited to four staff involved in cybersecurity and data management.
Soon Greer's team located a tranche of sensitive co-op data, including member and staff Social Security numbers, account numbers, login information, meter numbers and locations.
The co-op held a “town hall” meeting Oct. 19 to provide staff with details of the breach and answer their questions, Greer said.
“People in the room were obviously upset,” he said. “But we were not trying to hide behind anything, and that resonated with them.”
Employees and members were contacted if their specific data was breached. The co-op sent a letter that included what had happened, what personal information was affected, proactive steps the co-op was taking, how the co-op was monitoring the situation, and suggested steps employees or members could take on a personal level. Furthermore, the co-op transmitted a list of those affected to TransUnion, a credit reporting agency that provided credit monitoring.
When the vendor's forensics firm issued its report Nov. 10, it did not include anything more than what the co-op had already discovered. “They even missed some of our findings,” Greer said.
“We were able to make sure we had all the data that was out there.”
The bottom line: “No one is going to care about your data like you do.”
Greer offered 13 lessons to help co-ops when a vendor is the victim of a cyberattack:
Follow your Incident Response Plan. If yours lacks a data breach section, add it now.
Know all the ways a vendor can access your network, and be able to disable them quickly. Transition vendors away from always-on connections.
Know your data and how vendors use it, including how they store it, who else has access and their retention policy.
Have an insurance strategy for cybersecurity and know what it covers.
Acquire forensic tools and practice using them in tabletop breach exercises.
Organize, document, communicate and secure findings during a forensic investigation, and update senior management and the board.
Know and define your roles for handling and reporting on the situation, including technical, legal, accounting and communications.
Remember the data owner is always responsible for the data, no matter where a theft occurs.
Be transparent once you fully know the scope of the breach. Premature discussions can be problematic.
To avoid liability, do not mail or transfer stolen data. Be careful what you share.
Don't trust someone else to tell you what data was compromised in a breach.
Be careful where you get information, because rumors run wild after a breach.
Act decisively; hackers can make stolen data disappear from the dark web.