Employee training, diligence and redundancy lead to cybersecurity strategies with defense in depth, electric co-op experts say. (Photo By: Getty Images/iStockphoto)
Cybersecurity experts at electric cooperatives agree on three truths: Anything connected to the internet is hackable; diligence and building resiliency into your network can help protect your data, your systems and your members; and training staff is crucial.
"The single biggest threat is phishing emails," said Duane Highley, president and CEO of
Arkansas Electric Cooperative Corp. (AECC) in Little Rock. "We give them the keys and let them in."
Highley, who also co-chairs the
Electricity Subsector Coordinating Council, advises co-ops to test staff by sending false phishing emails and checking the click rates. "We must continue to train employees to be cautious when browsing the web or clicking emails," he said.
December 2015 power outage in Ukraine that impacted nearly a quarter million people came about by clicking a malicious email.
"Personnel are still the weakest link," said Highley. "The hard way to get in is to break through a firewall. The easy way is send someone an email to see if they can get in, capture the key strokes and capture credentials."
Michael Meason, manager of technical services at
Western Farmers Electric Cooperative in Anadarko, Oklahoma, recommends an innovative method to protect your operation.
"We take the inside-out approach," said Meason, who was named the 2017 Cybersecurity Professional of the Year by the Energy Sector Security Consortium. "We start with the control system, go deep inside our networks and protect it with all our might, then work our way out to the business systems and the perimeter."
A co-op must first identify its critical assets and where they are located, and then build strategies and tactics to protect them, Meason said.
"Start with the question, do you have an inventory? Do you know what you can't operate without?" he said.
For a cybersecurity plan with defense in depth, include these components:
- Back up your files on a regular basis.
- Install next-generation firewalls.
- Use two-factor authentication.
- Update and patch all operating systems and third-party software on a regular basis.
- Run antivirus software at all end points, and keep it updated.
- Train employees in groups and individually from time to time, and involve board members.
- Restrict network access to an employee's specific job requirements.
- Conduct regular system penetration tests; do it yourself or hire experts.
- Consider cybersecurity insurance, including coverage for ransomware attacks.