By Ryan Cornelius, CCC, Manager, Corporate Relations Corn Belt Power Cooperative, Humboldt, Iowa

NRECA’s Rural Cooperative Cybersecurity Capabilities (RC3) Program is advancing quickly. We asked Cynthia Hsu, NRECA’s Cybersecurity Program and Product Manager, a little bit about what made 2018 so special and what we can look forward to in 2019.

What kind of progress have you made over the last year with the RC3 program?

We have seen a steady increase in cybersecurity awareness within the co-op community since the RC3 Program began in 2016, and it just keeps increasing. I believe the 200 co-ops who attended an RC3 Cybersecurity Summit, and the 70 co-ops that have benefited from the cybersecurity training opportunities we’ve provided have been instrumental in sustaining and building up that momentum.

It’s great to see cooperatives allocating resources to improve their existing cybersecurity efforts. The 36 cooperatives that participated in the RC3 Self-Assessment Research Program all found it worthwhile to take time to evaluate what security controls they already have in place, and to identify where there are gaps so they can prioritize where to make additional investments. Identifying high risk areas and prioritizing security controls relevant to those areas makes sense. These co-ops helped us create the RC3 Cybersecurity Self-Assessment Do-It-Yourself Toolkit, and now that Toolkit is available to all cooperatives to use from cooperative.com. (https://www.cooperative.com/programs-services/bts/Pages/Assessing-Your-Cybersecurity-Posture.aspx)

Members can access all of the RC3 Program resources from the RC3 website on cooperative.com. (https://www.cooperative.com/programs-services/bts/rc3/Pages/default.aspx) The website includes copies of the presentations made at the RC3 Summits, articles on lessons learned in the past two years, toolkits, and announcements for upcoming training opportunities.

What are some of the biggest takeaways? What have you learned?

Cooperatives are actively working to improve their cybersecurity programs.

We have some amazing first-rate talent in our community, and many co-op staff are more than happy to share their expertise. The challenge is getting everyone to meet everyone when we’re all so busy. Since RC3 started, we’ve been out in the field supporting the efforts of staff with cybersecurity responsibilities interested in sharing their skills and experiences at IT Association meetings, and at statewide, G&T, and NRECA-hosted conferences and summits. It’s been really great to see two states, Oklahoma and Iowa, creating new IT Associations in 2018. Federal funding for RC3 ends in 2019. Anything we can do now to help train, facilitate, and foster communities of practice will help expand the benefits of the RC3 Program to the whole co-op community even after the funding ends.

Access to cybersecurity training is needed. When we announced the RC3 SANS Voucher Training Program in 2018 we had more than 130 applications for 40 slots, which tells me that our cooperatives are eager to improve their cybersecurity technical skills, but we need access to more training programs and more affordable training programs.

Some of the formal cybersecurity shared services arrangements I’ve seen have been instrumental in helping co-ops with limited in-house resources make concrete improvements in their cybersecurity programs. Shared services arrangements can include G&Ts providing IT or cybersecurity services to their member co-ops, or developing a new co-op to provide IT/cybersecurity services to a community. For example, see the NRECA article on Golden Spread Electric Cooperative’s shared services. (https://www.cooperative.com/programs-services/bts/Documents/Advisories/Advisory-Strategic-Sourcing-Case-Study-Golden-Spread-July-2018.pdf) We need more arrangements like that within our community, where co-ops with fewer resources can reach out to trusted partners and receive technical assistance.

What kind of reception have you received from co-ops nationwide?

I’ve been really humbled by the reception the RC3 Team has received from our members. All of the cooperatives that have chosen to participate in an RC3 Program or event have been highly engaged. I never feel like the efforts we’ve made are unwelcome. Almost always there is more interest and need than we have resources to meet.

Cybersecurity is just one challenge co-ops are facing right now and it has to be balanced with many other novel challenges that are demanding a CEO’s or General Manager’s attention. So when I meet a CEO or GM that doesn’t have cybersecurity as their number one priority right at this moment, I don’t assume it’s not important to them.

Where do you see the program going in the future?

I have high hopes that the resources we have produced and will be producing in 2019 will enable the momentum we’ve built up to continue long after our funding ends. Our goal in RC3 is to create stepping stones that are user-friendly and are there, ready to be implemented when a co-op is ready to move their cybersecurity efforts up another notch. I knew that the Program had a limited amount of time, so we designed many of the RC3 products to be do-it-yourself toolkits that would be useful after the RC3 Program funding ended. These first two years we spent building and testing materials. In year three we will be releasing a lot of products, training materials, tabletop exercises, and other resources that co-ops will be able to use over the next few years, whether the RC3 Program receives additional funding or not.

It would be wonderful if Congress and the Department of Energy see the value of what we’ve accomplished thus far and decide to continue funding our efforts. Without federal funding, it will be up the members and NRECA’s leadership to decide what aspects of the RC3 Program should continue and how they will be funded after 2019.

What are some of the main agenda items for the next year?

The priority goals for the final year are to:

• Support the broader community in developing an infrastructure of trusted relationships that will continue after the RC3 Program funding ends.
• Move the RC3 Cybersecurity Self-Assessment tool onto a web-based platform, finalize all of the supporting do-it-yourself documents for the Self-Assessment Toolkit, and provide free access to 3-year licenses for our members to utilize the on-line platform.
• Publish 7 Cybersecurity Guidebooks. Each Guidebook will be a resource for different cooperative staff roles so they have a better understanding of their responsibilities in cybersecurity.
• Release the RC3 Cybersecurity Tabletop-in-a-Box Toolkit to provide cooperatives with a do-it-yourself resource to exercise their cybersecurity capabilities.
• Offer 2 more RC3 Cybersecurity Summits for members to attend.
• Provide access to advanced cybersecurity training to another 60 cooperatives through our RC3 SANS Voucher Training Program.
• Continue analyzing and publishing the lessons learned from the cooperatives that participated the RC3 Self-Assessment Research Program, RC3 Cybersecurity Summits, and RC3 cybersecurity training opportunities.

Deploy and test the RC3 research projects dedicated to advancing our ability to detect a cybersecurity breach.