Join us in Denver, Colorado, October 9-13, for 2017 Co-op U to take advantage of two new cybersecurity learning opportunities:
- Managing Cybersecurity Risks in Purchasing Decisions - Oct 12 (full-day)
- Who Do You Let In? Procuring and Managing Cybersecurity Vulnerability Assessment Providers - Oct 13 (half-day)
The proliferation of communications channels on the grid and the rising sophistication of cyber-attacks have substantially increased co-ops' exposure to malicious intrusion, data theft, lost productivity and, potentially, service disruption. All co-ops, regardless of size, need to take ongoing steps to secure their data and connected hardware. The Cybersecurity Work Group has identified three major drivers: protecting sensitive customer data, reliability, and productivity. The work group supports co-ops not only with the implementation and management of Smart Grid devices, but also with systems audits, risk assessment, monitoring effectiveness, and organizational support.
For information about the current work products and resources available through this Work Group, please see our Business and Technology Strategies department's Cybersecurity Resource Guide.
Cybersecurity Resource Guide
NRECA’s Business & Technology Strategies (BTS) department has a Cybersecurity Work Group focused on helping co-ops improve their cybersecurity postures. But other organizations have also developed resources that co-ops may find useful in this effort.
This guide brings together free cybersecurity resources from both NRECA and outside organizations. If you have a favorite CS resource not shown here, or if you have feedback on this page, please send it to BTS_CS@NRECA.coop.
Cybersecurity Plan Guide and Template
NRECA's Guide to Developing a Cybersecurity and Risk Mitigation Plan distills the best thinking on cybersecurity in the utility space (more than 10,000 pages from sources such as NIST, IBM, DOE, and DHS) into a concise, straightforward primer on risk and mitigation. The companion template can be filled in by co-ops to produce a straightforward, actionable plan for improving cybersecurity that focuses on continuous improvement.
- Go to NRECA Smart Grid Regional Demonstration Project
- Click on Download the Cybersecurity Materials
- Click Accept to accept the legal statement
- Look for the following document titles:
  - Guide to Developing a Cybersecurity and Risk Mitigation Plan
  - Cybersecurity Plan Template
KAEC Cybersecurity Policy Framework
The Kentucky Association of Electric Cooperatives (KAEC) has developed a set of cybersecurity policy templates for co-ops to review and adapt for their specific needs. Collectively, these templates serve as a toolkit for cooperatives to create, maintain, and verify their own cybersecurity program that is based on their specific needs and resources.
Materials referenced and provided herein are general in nature. Readers are reminded to perform due diligence in applying this general information to their specific needs, as it is not possible to have sufficient understanding of any specific situation to ensure the relevancy or applicability of any of the materials contained herein. Anything contained in the materials herein is for general consideration and does not constitute legal advice or set an established standard or best practice. Users should consult their legal counsel for addressing specific issues and circumstances. End users should independently develop an understanding of what laws and regulations, if any, pertain to them, including by consulting counsel. The materials are not a substitute for, nor do they guarantee compliance with, any laws, regulations or standards.
NRECA is not the author of or a contributor to the KAEC Cybersecurity Policy Framework and Cybersecurity Employee Awareness Training Program, and as such NRECA does not endorse, recommend, or opine on the materials. Any comments, recommendations or opinions are the author's and may or may not be consistent with NRECA's.
NRECA expressly disclaims any and all liability, and assumes no obligation whatsoever, for how readers may use, or damages resulting from, the distribution and use of any materials herein. In addition, NRECA makes no, and specifically disclaims any, warranties or representations, including, but not limited to, any representation that the use of these contents does not infringe on privately held rights. By using the materials contained herein, the end user agrees to hold NRECA harmless from any and all claims or damages arising out of their misuse or inappropriate use of the materials.
The materials herein were prepared by the Kentucky Association of Electric Cooperatives (KAEC) Information Technology (IT) Association - Cybersecurity Subcommittee. Please be certain to refer to and understand the additional disclaimers contained in the KAEC materials before using them in any respect. When using KAEC's materials the reader should be mindful that the language has been kept deliberately generic. These materials may not be appropriate for all end users, and because technology, law, and cooperatives change over time, so will the general nature of the materials contained herein. These documents are provided for illustrative purposes only and may not be suitable for the individual needs of your cooperative.
Note: The KAEC Cybersecurity Policy Framework provides policy templates that can be used in conjunction with the NRECA Guide to Developing a Cybersecurity and Risk Mitigation Plan. The NRECA Guide helps co-ops develop a cybersecurity plan, while the KAEC Framework provides policies which (after being reviewed and adapted for the co-op's specific needs) can support implementation of the plan. The table below maps KAEC Framework policies to the activities identified in the NRECA Guide and template.
| KAEC Cybersecurity Policy Framework | Guide/template activity/security control ID |
|---|---|
| Information & Cybersecurity Policy | 3 |
| IT Risk Management | 5, 6, 9, 10, 13 |
| Third Party Access | 94 |
| Outsourced Information Processing | 31, 64, 67, 68 |
| Accountability of Assets | 2 |
| Physical & Environmental Security | 126, 154, 179, 184, 189 |
| Documentation Procedures | 11, 48, 49, 57, 58, 62, 63, 103 |
| System Patching | 104, 150 |
| System Logging & Monitoring | 35, 59, 80, 92, 109, 155 |
| System Acceptance & Configuration | 104 |
| Malware Prevention | 105, 150 |
| Backup & Recovery | |
| Network Management | 79, 86, 95 |
| User Account Management | 113, 115, 157 |
| Password Policy | 108, 113 |
| Business Continuity & Disaster Recovery | 41, 159 |
| Compliance Requirements | 9, 13 |
| Encryption | 88, 96, 97, 98, 144 |

| KAEC Cybersecurity Employee Awareness Training Program | Guide/template activity/security control ID |
|---|---|
| Roles & Responsibilities | 23, 30 |
| Training Needs Assessment | 22, 31 |
Security Questions for Smart Grid Vendors
More and more "smart" devices are being deployed on co-op systems: advanced meters, automated switches, RTUs, and anything else able to store and process information. But what assurance do co-ops have that the vendors who developed and manufactured these devices followed cybersecurity best practices? These questions were created so that co-ops can submit them with RFPs for new smart device purchases. Based on NISTIR 7628 (Guidelines for Smart Grid Cybersecurity), they probe specific cybersecurity practices and enable co-ops to better identify the vendors who take cybersecurity seriously.
Cybersecurity Procurement Language for Energy Delivery
After a co-op has selected a vendor for a smart device purchase, this DOE document helps the co-op craft procurement language that addresses cybersecurity. The document contains sample language addressing configuration and functionality. For instance, the co-op may require the vendor to disable all ports and services on the device not intended for use, or to disallow multiple concurrent logins using the same authentication credentials. By embedding cybersecurity in the procurement process, the co-op takes delivery of its new equipment in a more secure state, and has a contractual baseline to verify against at acceptance.
Get a copy of the Cybersecurity Procurement Language for Energy Delivery
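Procurement language is only as good as the acceptance check that enforces it. The script below is an added example, not part of the NRECA page or the DOE document: it takes the greppable (`-oG`) output of an nmap scan of a newly delivered device and compares the open ports against an allowlist transcribed from the contract, flagging any service the vendor was required to disable and any contracted service that is not reachable. The host address, scan output and allowlist are constructed for the example.

```python
import re

# Constructed sample output in nmap "greppable" (-oG) format, as a scan of a
# newly delivered device might produce. The host, ports and services are
# invented for this example.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 161/open/udp//snmp///, "
    "20000/open/tcp//dnp///\tIgnored State: closed (65529)\n"
    "# Nmap done (constructed sample)\n"
)

# Hypothetical allowlist transcribed from the RFP/contract: the only services
# the vendor agreed to leave enabled on delivery (assumed for this example).
ALLOWED_PORTS = {(22, "tcp"), (443, "tcp"), (20000, "tcp")}

# One entry of the Ports: field has the layout
# port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: {(port, proto): service}} for ports nmap reports as open."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field list scan results.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            if state == "open":
                hosts.setdefault(host, {})[(int(port), proto)] = service
    return hosts


def compare_to_allowlist(open_ports, allowed):
    """open_ports: {(port, proto): service}; allowed: set of (port, proto).

    Returns (unexpected, missing): services found open that the contract did
    not permit, and contracted services that are not reachable.
    """
    present = set(open_ports)
    return present - allowed, allowed - present


def acceptance_report(text=SAMPLE_GNMAP, allowed=ALLOWED_PORTS):
    """Evaluate every scanned host; a host passes only with no unexpected ports.

    A missing contracted service is reported but does not by itself fail
    acceptance, since it may be a deliberate hardening choice worth confirming.
    """
    report = {}
    for host, open_ports in parse_gnmap(text).items():
        unexpected, missing = compare_to_allowlist(open_ports, allowed)
        report[host] = {
            "unexpected": sorted(
                (p, proto, open_ports[(p, proto)]) for p, proto in unexpected
            ),
            "missing": sorted(missing),
            "accept": not unexpected,
        }
    return report


if __name__ == "__main__":
    for host, result in acceptance_report().items():
        verdict = "ACCEPT" if result["accept"] else "REJECT"
        print(f"{host}: {verdict}")
        for port, proto, svc in result["unexpected"]:
            print(f"  unexpected {port}/{proto} ({svc or 'unknown'}): "
                  "not in procurement allowlist")
        for port, proto in result["missing"]:
            print(f"  missing {port}/{proto}: contracted service not reachable")
```

In practice the scan would be taken with something like `nmap -sT -sU -p- -oG device.gnmap <address>` on an isolated bench network before the device is connected to the operational network, and the allowlist would be the port list written into the purchase order; keeping the report as data rather than only printing it lets the same check be attached to the acceptance record for each unit.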
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers training in securing control systems. Besides its web-based learning portal, it holds classes ranging from a 1-day Introduction to Control Systems Cybersecurity to a 5-day hands-on workshop in which attendees split into attack and defend teams for 10 hours of cyber attack exercises.
Get information on training available through ICS-CERT