If you want to get really good at something, you’ve got to practice. Cybersecurity is no different.
"Today, co-ops have to consider drills with an additional layer of an intentional and malicious means," said Duane Highley, president and CEO of Arkansas Electric Cooperative Corp. in Little Rock. "We have to be all the more prepared for that."
Where to start? NRECA has tools and guidance, and statewide associations and generation and transmission co-ops can help set up drills and penetration tests.
There's also a national tabletop drill that will occur in November to test the electric grid, communications systems and other critical infrastructure.
GridEx IV is organized by the North American Electric Reliability Corp., the departments of Energy and Homeland Security and other federal agencies every two years. The exercise will also involve supply chain groups, the intelligence community and law enforcement and first responders.
"Drills are a key element of cybersecurity preparedness," said Highley. "For example, we just lost all communications; what is the next step? Do employees know how to do the steps [toward disaster recovery] and in what order? That's all part of the drills."
AECC uses the GridEx drill to test its state emergency preparedness against cyber threats and disasters. The simultaneous exercise involves state and local police, emergency personnel, communications and others. Highley encourages other statewides and G&Ts to do likewise.
"Do not wait for a day when the system is down to figure out who to go to for help," said Highley. "If it's been a while since you've conducted a drill, it's good to make the connections before you need them."
Highley also serves as co-chairman of the Electricity Subsector Coordinating Council. The ESCC is the principal contact between electric power sector CEOs, including co-ops, and the federal government for coordinating preparedness for national incidents or threats impacting critical infrastructure.
To keep up with the latest cyber threats, Highley advises all co-ops to register with the Electricity Information Sharing and Analysis Center (E-ISAC), the non-profit information technology sector forum aimed at managing risk to infrastructure. He said it's "essential that every co-op that has any IT system" monitor reports from the E-ISAC. The group also shares fixes and offers updates to "cyber hygiene" practices, such as firewalls and anti-virus tools.
When it comes to sharing information about the latest cyber threats, the federal government can be slower than desired, Highley noted, because much of the information about cyber threats is considered classified. Unfortunately, this can leave the private sector vulnerable.
ESCC will continue to press harder for DHS, the Department of Energy and the Defense Department to be more forthcoming, he said.
"Once we know about cyber threats, we can design a response," said Highley. "But oftentimes, the federal government does not share threat information in a timely way, so we find ourselves reading about it in the paper."