Co-Mo Connect (formerly Co-Mo Electric Cooperative) in Tipton, Missouri, serves 33,000 power meters and also connects to 20,000 households and businesses through its fiber network to provide broadband internet, television, and phone service in its 2,300-square-mile service territory.
Co-Mo Connect’s distribution system, like those of cooperatives everywhere, is also connected to the world at large through the internet. That makes cybersecurity a priority, one that is growing with the use of smart devices that depend on two-way communications.
Cybersecurity, once largely focused on IT, is now increasingly also concerned with OT, or operational technology.
The two present different challenges, says Cynthia Hsu, NRECA cybersecurity program manager. To protect both, co-ops like Co-Mo have adopted multifaceted, in-depth approaches.
“In the past five years, we haven’t had anything,” says Ryan Newlon, Co-Mo Connect’s IT manager, about system intrusions. “We try really hard to do everything we can to keep it that way. That doesn’t mean it won’t happen.”
In fact, Newlon, who also works in cybersecurity as a signal warrant officer with the Missouri National Guard, says when it comes to attacks from hackers or a destructive computer virus, “it’s the same for everyone. It’s not a matter of if but when.”
But he maintains that electric cooperatives can take steps to make their systems difficult to penetrate and to limit the damage if there is an intrusion.
“We’ve got really good firewalls with two-factor authentication,” Newlon says. “We do penetration tests with white-hat hackers. We do awareness campaigns. We use complex passwords and good password hygiene. We’re constantly running scans that tell us whether software is up to date.”
The co-op has segmented its network so if a hacker, virus, or worm gains access, the impact is limited. For example, it uses different servers for specific roles so that no single server has multiple ports connecting it to the internet and increasing its vulnerability. It also uses numerous other protocols and approaches to keep online systems secure.
Co-Mo Electric is one of several electric co-ops testing a cybersecurity tool being funded by the federal government and developed by NRECA that can detect anomalies in system operations by monitoring data flows. Using artificial intelligence, the tool can identify potential security breaches in seconds.
“It has great potential,” Newlon says. “I’m excited to see how it’s going to impact the co-op world in the future.”
The effort to develop this tool reflects the increased attention on OT cybersecurity.
“The tools that exist have been focused on IT,” says Doug Lambert, senior principal for grid solutions at NRECA. “OT requires new tools, which is exactly why we’ve been funded. It’s why (the federal government) is trying to really push this right now.”
While responsibility for cybersecurity remains largely within IT departments at co-ops, NRECA’s Hsu says, the differences between IT and OT cybersecurity can cause conflicts within a cooperative if they’re not understood by both sides.
There is overlap between the two, but IT generally involves data and the assets that manage data, such as the workstations, servers, software, cloud services, and networks that support the business, planning, and engineering work at a co-op. OT consists of embedded devices in a power distribution system that can perform specific tasks or monitor equipment performance.
In OT, she says, it’s not just about the data; it’s about devices and systems where the data and the physical actions taken based on the data are intimately linked together.
Grid-edge devices like power electronics—solid-state sensors, converters, and control mechanisms that can include microprocessors—are one example of OT that can create cybersecurity vulnerabilities. The U.S. Department of Energy estimates that by 2030, 80% of electricity could flow through power electronics, which can provide more efficient control and conversion of electrical power through advanced control capabilities.
But a report by the Advanced Energy Economy Institute noted that grid-edge devices create cybersecurity challenges partly because of their limited capabilities. Their memory, storage and processing capacities are sufficient for their intended tasks but little else.
“A lot of the legacy equipment out in the field was developed in what we call a ‘trust environment,’ so it’s not designed to take in certain kinds of digital information; it’s not designed to do certain types of checks and balances because it assumed at the time we created it that the only thing that would be sent to it was a trusted message,” Hsu says.
Moin Shaikh, cybersecurity principal at NRECA, says cooperatives need to consider both device-level and systemic-level security when assessing the cybersecurity risks of OT.
“Device-level is how secure the device itself is,” he says. “And then the question is, what is the impact of having these interconnected devices as part of the system? These are two individual aspects we have to evaluate when adding hardware to the system.”
The vulnerabilities of connected hardware can vary by manufacturers, he adds, although vendors are working to improve the security of grid-edge devices. Still, when considering systemic risks, cooperatives need to answer basic security questions about new hardware, including how it connects to the internet; what communication medium is used to transmit or receive data—wireless or wired; and whether the devices can be reconfigured over the internet or only through an on-board point-to-point connection.
Vulnerabilities exposed at the device level due to misconfiguration or lack of security capabilities could not only compromise the devices but also introduce cybersecurity risks at the systems level, Shaikh adds.
“It’s important to realize that even if the individual devices are secure, once they are combined into a system, misconfigurations and system-level processes can result in the system itself being insecure,” Hsu explains.
Segmenting networks, monitoring data for anomalies, and probing for internal weaknesses, as Co-Mo Connect does, can all help protect OT.
“You need to set up layers of defense with the reality that some of the equipment can’t protect itself because it wasn’t designed that way when it was built,” Hsu says. “So you have to minimize what can get in, and you have to improve your capabilities to detect something if it’s inside your system.”
There’s also a human side to the equation, she says. IT and OT departments can have different priorities and approaches to dealing with problems. Experts refer to a cybersecurity model known as the “CIA triangle,” created to guide a company’s efforts. The acronym stands for confidentiality, integrity, and availability. For IT personnel, confidentiality—making sure data remains secure—is a priority. For OT staff, availability, which means hardware is working and doing what it’s supposed to be doing, is critical.
“For any of the devices that control the flow of electrons, availability rules,” Hsu says. “If a security action could potentially have a negative impact on keeping the lights on, then it’s going to be rigorously evaluated before it’s implemented.”
The differing responsibilities can cause tensions.
“There are silos that have always been there, IT and OT,” Lambert notes. “Your SCADA engineer is not going to allow IT to touch the network, and if they do, they’re not going to know what they’re touching.”
Veteran engineering and operations staff, who have been focused on traditional indicators of system reliability throughout their careers, may not recognize the cybersecurity vulnerabilities that can now impact reliability, he adds. NRECA is working to develop tools for operators that give them situational awareness of cybersecurity vulnerabilities to help close this gap.
Understanding your co-op’s exposure to potential threats is central to cybersecurity.
NRECA’s Rural Cooperative Cybersecurity Capabilities (RC3) program offers co-ops a self-assessment toolkit to identify where they might be vulnerable and develop a cybersecurity action plan.
Hsu says about 480 electric cooperatives are taking part in RC3, which also provides tools, education, training, and collaborative opportunities for co-ops to improve cybersecurity.
Montana, where 22 of the state’s 25 distribution co-ops signed up, is one of several states where all or a large majority of cooperatives are participating.
“We really pushed it because we believe it was perfect for our rural area,” says Ryan Hall, Montana Electric Cooperatives’ Association communications director. “We have several very small co-ops, and that’s exactly who this program is for: co-ops that don’t have a huge budget and don’t have a lot of folks for cybersecurity.”
Lower Yellowstone Rural Electric Cooperative (LYREC), based in Sidney, Montana, has 2,400 members and serves more than 6,100 meters in five counties in eastern Montana and western North Dakota, including oil fields in the region.
“One of the most valuable things that we learned [from RC3] is cybersecurity is more than just a single individual, or more than just the IT group,” says Kyle Kavanagh, LYREC’s IT coordinator. “It expands throughout the whole co-op, every department. It certainly extends to operations. Getting everybody onboard and understanding they’re all part of a solution is one of the most important steps.”
LYREC hasn’t faced a serious cyberattack, Kavanagh says, but the co-op has strengthened security measures both in its internal networks and in the co-op’s digital connections with the larger world.
“We’ve taken action and implemented different services to help us monitor all internet activity, east, west, north, and south,” he says, “in and out of the system.”
Hall notes that building strong cybersecurity practices before Montana’s electric co-ops faced a serious attack was a key driver in RC3 participation.
“We wanted to be proactive and ready instead of reactive,” he says. “If you’re reactive in the technology sector, you’re in a really bad position.”