By Ryan Cornelius, Co-Mo Electric Cooperative

To get a better understanding of Rural Cooperative Cybersecurity Capabilities, we took some time to talk to a couple of information technology experts. Here’s what we found.

What is RC3?

RC3 stands for Rural Cooperative Cybersecurity Capabilities (R+3 C’s).  In addition to sponsoring cybersecurity training opportunities, developing educational resources, and creating novel cybersecurity technologies, the RC3 program is developing a self-assessment maturity model tool compiled by NRECA with cooperatives in mind. It borrows from NIST, SANS Top 20, C2M2 and other standards. Using a series of questions, the tool provides a measurement of a cooperative’s cybersecurity maturity level, and helps them prioritize what components they need to improve their cybersecurity strategy. NRECA and the American Public Power Association both received U.S. Department of Energy multiyear grants. The grants will be used to teach their respective members how to better protect the power grid elements they operate and maintain.

Who is involved?

The NRECA RC3 self-assessment maturity model was developed by Dr. Cynthia Hsu of NRECA and a handful of consultants with deep knowledge and experience in the cybersecurity field. To date, 33 cooperatives have participated in the research and development of the program. These cooperatives are testing the draft version of the tool, which includes onsite reviews of their current cybersecurity efforts. In addition, they have the ability to guide the development of the RC3 self-assessment tool by offering feedback as to whether any part of the tool needs adjustments/revisions. This is an effort to make it more understandable and attainable for the average rural cooperative. Cooperative senior management are the target audience for the self-assessment. They are key players in moving the needle to improve the cybersecurity maturity at their cooperatives.

Where does an RC3 self-assessment happen?

All of the self-assessments occur onsite at the cooperative, with reviews of results and feedback occurring during the site visit. Attending the onsite meetings are NRECA facilitators, cooperative senior management, and IT personnel. They answer questions in the self-assessment maturity model as a collective group.  NRECA takes the information, processes it, and provides feedback on the cybersecurity maturity level of a cooperative based on the data provided. NRECA’s RC3 program staff then develop a plan/direction on how to increase the cooperative’s maturity level. Follow-up assessments are used to gauge the cooperative’s progress.

When is this happening?

The RC3 program began in 2016 when NRECA received the grant funding. They started researching and developing the self-assessment maturity model, and in spring 2017, they opened up a call for cooperatives to participate in a research program to test the tool.  Forty-one co-ops were selected, and testing began in July and will continue through the fall. Initial results for the first test group were given at the RC3 Summit in Arlington, VA. The follow-up assessments should begin in late 2018.

Why is this important?

In the last few years, it has become clear threat actors are interested in harming the electric grids of many nations. The cyberattacks on the Ukraine in 2015 and 2016 made it even clearer that disruption of power control systems is possible and can have serious national security and/or economic impacts. In the U.S., many rural cooperatives and public power organizations have limited resources and there are very few tools appropriate for small- and mid-sized utilities to assess their shortcomings in cybersecurity; the RC3 self-assessment tool is designed to address this issue.

Where do I go for more information?

The RC3 program has a website on where you can download copies of presentations from the RC3 Cybersecurity Summit series, cybersecurity articles and more.