This month’s question: What are your co-op’s biggest cybersecurity challenges, priorities, successes?

Answer: Developing and maintaining an effective cybersecurity program is a never-ending challenge for every electric cooperative. Designing a layered network with defense in depth is an important part of the solution, but the real challenge is incorporating security best practices into everyone's daily routine. No matter how well it is designed, a network is only as safe and effective as the people using it, and our education program began at the top. Once the board, management, IT and every employee understood our cybersecurity goals, the foundation for progress was in place. Specific priorities at our cooperative include strong passwords, frequent social engineering training and maintaining excellent backups. Requiring long and strong passwords is important, and now that it's part of our routine, the network is infinitely stronger. External threats are always a concern, and all employees are trained to be aware and think before they click. Nightly backups are crucial and are not only pushed to our disaster recovery location but also copied to tape and stored off premises. Our biggest success is that all employees recognize the important role they play in our cybersecurity program, and in an ever-changing threat landscape, that is imperative. We not only train the basics of cybersecurity at work but also stress the importance of extending this to employees' homes. A 24/7 cyber-aware employee is our best line of defense!

Answer: Now more than ever, members expect consistency and reliability in the services we provide. Major technological innovations in the information systems of electric utilities could not come at a more opportune time. As retirees begin leaving our cooperatives, they take vast institutional knowledge with them. For new personnel, the most efficient way to transfer that valuable knowledge is through the collected data of networked technologies connecting metering systems, major utility infrastructure, mapping and billing. We should embrace these technologies not only to provide modern efficiencies and automation but also as tools for less experienced employees to lead our cooperatives into the future. Without effective cybersecurity protection, we risk not meeting member expectations of consistency in service and rates. Modern firewalls and projects like NRECA’s Essence introduce tools that help us quickly identify disturbances in our systems, whether it be ransomware or a hacker trying to control key assets in our SCADA. Cybersecurity professionals deploying penetration tests help detect vulnerabilities early and allow us to appreciate the value of strong passwords and carefully designed network protection. It is critical we position the next generation of cooperative employees such that they can confidently rely on the valuable data that will drive their decisions for offering enhanced service and reliability to members.

Answer: At Vermont Electric Cooperative, we take a team approach to cybersecurity. Our Cybersecurity Steering Team uses the DOE-ES-C2M2 framework to identify opportunities for improvement and constantly gauge our practices and investments. We focus on cybersecurity at every level of the organization. As cybercriminals become smarter and social engineering attacks harder to spot, we spend a lot of time on awareness and education. At board meetings and operational meetings, we often have a “cyber-minute” to keep up awareness. We recently shared a close call when an employee clicked on a shipping notification, only to realize the computer’s mouse was moving by itself a short time later. With our firewalls in place and quick action taken by the employee and our IT team, we were able to avert disaster. We learned, and broadly shared, some important lessons about pausing to truly review emails from outside the company. Though we focus many of our efforts on preventing an attack, our restoration strategies are just as important. Our philosophy is that a cyberattack will someday arrive. It’s not “if”; it’s “when.” We want to reduce the risk of it happening, minimize the damage if it does and have a strong restoration plan for a worst-case scenario. Finally, we also participate in tabletop drills (internally and with other utilities in the state), using a lessons-learned approach for sharing when close calls show up.

Answer: We maintain a communications network for metering and SCADA services for our five distribution cooperatives in upstate South Carolina. The number of endpoints continues to grow as we see more downline devices being introduced on the distribution networks, as well as devices such as fault indicators on the transmission system. This expanding footprint, along with increasing service demands from consumers, poses challenges for keeping the industrial control systems safe from cyberattacks. The recent Colonial Pipeline disruption was a great reminder of just how quickly an attack can occur and how costly it can be. Ransomware continues to haunt technology and security professionals, as it bypasses the standard defense mechanisms we relied upon for so long. Challenges exist in segmenting networks, limiting opportunities for unwanted data encryption or the ability for a bad actor to pivot and move within the network. Our priorities include steps from employee education and training to sophisticated monitoring platforms like NRECA’s Essence 2.0 platform. Quantifying cybersecurity successes is not easy and seems risky since nobody wants to brag about not having an incident. However, small wins such as phishing campaigns with no clicks or having employees report potential email threats are worthy of celebrating. Cybersecurity is much like safety in that it is everyone’s job. When we all remain diligent and do our part, we are better protected against attacks.