Cybersecurity (CS)

The proliferation of communications channels on the grid and the rising sophistication of cyber-attacks have substantially increased vulnerability to malicious intrusion, data theft, lost productivity and, potentially, service disruption. All co-ops, regardless of size, need to take ongoing steps to ensure the security of their data and connected hardware. The Cybersecurity Work Group has identified three major drivers: protecting sensitive customer data; reliability; and productivity. This work group not only supports co-ops with the implementation and management of Smart Grid devices but also provides assistance with systems audits, risk assessment, monitoring effectiveness, and organizational support.

For information about the current work products and resources available through this Work Group, please see our Business and Technology Strategies department’s Portfolio (PDF).

Articles and Other Resources

Cybersecurity Needs to be Job One for Everyone – National Cyber Security Awareness Month Forum: October 10, 2017

Cybersecurity Resource Guide

NRECA’s Business & Technology Strategies (BTS) department has a Cybersecurity Work Group focused on helping co-ops improve their cybersecurity postures. But other organizations have also developed resources that co-ops may find useful in this effort.

This guide brings together free cybersecurity resources from both NRECA and outside organizations. If you have a favorite CS resource not shown here, or if you have feedback on this page, please send it to

Cybersecurity Plan Guide and Template

NRECA’s Guide to Developing a Cybersecurity and Risk Mitigation Plan distills the best thinking on cybersecurity in the utility space (more than 10,000 pages from sources like NIST, IBM, DOE, and DHS) into a concise, straightforward primer on risk and mitigation. The companion template can be filled in by co-ops to produce a straightforward, actionable plan for improving cybersecurity that focuses on continuous improvement.

KAEC Cybersecurity Policy Framework

The Kentucky Association of Electric Cooperatives (KAEC) has developed a set of cybersecurity policy templates for co-ops to review and adapt for their specific needs. Collectively, these templates serve as a toolkit for cooperatives to create, maintain, and verify their own cybersecurity program that is based on their specific needs and resources.

Security Questions for Smart Grid Vendors

More and more “smart” devices are being deployed on co-op systems. These include advanced meters, automated switches, RTUs… anything able to store and process information. But what assurance do co-ops have that the vendors who developed and manufactured these devices followed best practices with regard to cybersecurity? These questions were created so that co-ops can submit them with RFPs for new smart device purchases. Based on NIST 7628, they ask specifically about cybersecurity practices and enable co-ops to better identify those vendors who take cybersecurity seriously.

Cybersecurity Procurement Language for Energy Delivery

After a co-op has selected a vendor for a smart device purchase, this DOE document helps the co-op craft procurement language that addresses cybersecurity. The document contains sample language addressing configuration and functionality. For instance, the co-op may require the vendor to turn off all ports on the device not intended for use or to disallow multiple concurrent logins using the same authentication credentials. By embedding cybersecurity in the procurement process, the co-op gets delivery of its new equipment in a more secure state.
Get a copy of the Cybersecurity Procurement Language for Energy Delivery

ICS-CERT Training

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers training in securing control systems. Besides their Web-based learning portal, they hold classes ranging from a 1-day Introduction to Control Systems Cybersecurity to a 5-day, hands-on workshop where attendees split into attack and defend teams for 10 hours of cyber attack exercises.
Get information on training available through ICS-CERT