Like a model candidate, the applicant arrived to his job interview at Wheat Belt PPD 30 minutes early, laptop in hand. That was just enough time for him to hack into the unsuspecting co-op’s wireless network and gain access to the files stored there.
Tim Lindahl, the ethical hacker, then shared the system’s vulnerabilities with his interviewers at the small Sidney, Neb.- based utility. He was hired that day in 2005 as its IT specialist.
Today, Lindahl is Wheat Belt’s general manager and joins electric cooperative leaders nationwide in advocating for co-ops to make cyber security a high priority. For those who have not yet taken action, he says, they should do so soon.
“The technology is too easy to breach,” he says. “If you don’t have a good plan in place, there is no way to know what’s going on until it’s too late.”
But should electric co-ops really consider themselves a target? If so, how can a small co-op begin to build its defenses?
'You Are a Target'
Any entity with a computer system that stores sensitive financial data or personally identifiable information (PII)—Social Security numbers, dates of birth, credit card numbers, billing information—should consider itself a target for hackers.
Is your co-op connected to the Internet? Do you have customers who pay bills online? Do you give your employees remote-operation capability? All of these increase exposure.
“It doesn’t take much to be vulnerable,” says Joe Trentacosta, who’s been vice president and chief information officer at Southern Maryland Electric Cooperative (SMECO) in Hughesville since 2003.
And being small and rural is no protection.
“Attackers don’t know the size of a utility until they breach it. All cyber stores look the same from the outside,” Lindahl says. “If you are a utility, you are a target no matter the size.”
Wheat Belt has 27 employees, but he says its system is under constant attack.
“We have hits every day to our network,” Lindahl says. “We’ve caught people not in the network but trying extremely hard to get in, and we’ve turned them over to law enforcement.”
Cyber criminals come in three varieties: those who hack to steal PII to sell on the dark web; those who hack to sabotage; and those who hack a system just to prove they can.
The most common menace involves “phishing,” where fraudulent e-mails with links or attached files are sent to businesses, posing as an invoice or something the recipient might ordinarily click on without thinking about it. But that one click can launch malicious code and open a system to data theft or other damage.
Masquerading as a trusted party, cyber criminals will use e-mail to request a recipient to wire money into an account. Hackers can also infect a computer with malware to shut it down and hold critical information “hostage” until a ransom is paid.
“You have to be constantly vigilant,” Trentacosta says. “If you look at the logs for our intrusion detection and prevention tools, you will see that they stop hundreds of attempts every week by outside entities probing our network to gain access.”
Rappahannock Electric Cooperative has seen an uptick in such attempted hacks, says Gary Schwartz, director of technology at the Fredericksburg, Va., co-op.
Electric cooperatives can be cyber targets for their SCADA systems and their connection to the nation’s electric grid, says Marc Seay, a Lockheed Martin Energy IT program manager who provides cyber security services to Rappahannock Electric.
“Various malicious groups or individuals target electric utilities—some to gain command and control of critical infrastructure, while others are just looking to cause chaos and public alarm,” Seay says. “The cyber criminal is looking to gain PII.”
All co-ops have to be on guard. “With a wealth of information about members and the ability to control very critical infrastructure, we are targets,” Seay says.
People, Processes, Technology
What happens when your system has been compromised?
Experts say the best time to answer that question is before a breach. Leaders in cyber security encourage co-ops to build inclusive programs that involve every staffer with e-mail and a laptop.
“Cyber security is not just about IT,” Trentacosta says. “It’s about the whole organization, from the board of directors to senior staff to every employee.”
Once, a SMECO employee inadvertently clicked on an e-mail link that downloaded malware to the network and attempted to do damage. A third-party intrusion and detection system alerted the co-op.
“We activated our incident-response plan,” Trentacosta says. “We were able to catch it, wipe it clean, and mitigate the issue.”
“Real cyber security is people, processes, and technology. It involves all three,” says Patrick Engebretson, a noted cyber security author and chief information officer at East River Electric Power Cooperative, a G&T based in Madison, S.D. “Attacks are often successful today as a result of some basic misconfiguration or human error that we could avoid with the right training.”
A cyber expert at the Department of Defense before joining East River Electric in 2015, Engebretson says even basic steps, such as using strong passwords, should not be overlooked.
Rappahannock Electric’s Schwartz concurs, saying co-ops must create a culture of cyber security with agile policies and procedures communicated up and down the line.
“Cyber policy needs to start at the top to be successful,” he says.
Great River Energy’s security executive committee involves the entire co-op and covers both cyber and physical security. The Maple Grove, Minn., G&T also runs periodic communication campaigns to update employees on cyber security threats and procedures to handle them.
Jim Jones, Great River Energy’s vice president and CIO since 2003, says co-ops can look to their successful safety cultures when considering cyber security strategy.
“Cooperatives have been really good at establishing a safety program— empowering individuals to stand up when they see unsafe practices and get it straightened out,” he says. “You need to empower people in the same way about cyber security.
“Each breach carries with it tremendous cost,” Engebretson says, potentially tens of millions of dollars to notify members whose information is at risk, repay stolen cash, offer credit monitoring, and settle lawsuits from customers.
Currently 47 states enforce various cyber security laws and regulations, including definitions of what constitutes a breach, mandates to notify affected parties, deadlines, and fines, among other requirements. Co-ops are advised to learn their legal obligations.
“Cyber security is becoming the cost of doing business,” Lindahl says. “Like a bucket truck.”
That’s where cyber insurance can come in handy. Nick Pascale, NRECA assistant general counsel, calls insurance coverage for cyber risk “important to business continuity and recovery of any losses sustained by a co-op or its members.”
While not mandatory, a cyber policy can cover the expensive fallout from a breach that results in business stoppage and litigation.
“The costs of these breaches can range anywhere from $25 to $210 per record, so the costs to comply with these regulations can be quite high,” says William West, vice president at Federated Rural Electric Insurance Exchange in Lenexa, Kan., the insurance agency for electric and telephone cooperatives in 40 states. “A 25,000-member co-op could be looking at $500,000 to $1 million in response costs alone.”
A standard cyber insurance policy pays for liability suits from allegations of privacy breach and security breach, expenses related to privacy breach responses, credit monitoring, member notifications, and protection of the co-op’s digital assets, West says. It also can cover cyber extortion, cyber terrorism and reputational damage, and regulatory fines and penalties.
“One of the biggest benefits of cyber insurance is the availability of expert claims teams on a 24/7 basis to handle the legal, forensic, and technical issues associated with a breach. This keeps the co-op from having to arrange for those services ahead of an incident, saving time and money,” West says.
The insurance industry is seeing an increase in cyber coverage. West says Federated wrote more than 100 policies within four months of introducing its product in September 2015. “The next insurance coverage on the horizon will cover physical damage to the co-op’s own equipment caused by malicious software, such as a virus that infects a co-op’s ICS/SCADA systems, causing a malfunction,” he says.
G&Ts and some larger distribution co-ops are subject to federal cyber security standards to protect the grid. These ever-evolving Critical Infrastructure Protection (CIP) standards are developed by the North American Electric Reliability Corp., with oversight by the Federal Energy Regulatory Commission (FERC). The most recent version of the CIP standards was approved by FERC on January 21.
CIP standards help secure the bulk power system, says Jones of Great River Energy, but “complying with the standards is no insurance policy and no guarantee against cyber attacks.”
“Your security program needs to be more comprehensive and deeper to be a healthy program,” he says. “The best defense is to make sure your employees are aware, trained, and educated on risks and internal procedures and practices.”
In Congress, debate is expected to heat up this year on national data breach legislation to replace a current patchwork of state cyber laws. Lawmakers appear ready to examine the legal ramifications, risks, and responsibilities of an entity when personal information is stolen.
The federal Cybersecurity Information Sharing Act of 2015, signed into law in December, provides certain protections to private or public entities that voluntarily share information about cyber threats, breaches, and defense measures among themselves, states, or the federal government. This first major law on cyber security lays the groundwork for future action by the federal government.
On The Frontlines
For co-ops just beginning to arm themselves against cyber threats, security experts recommend what’s called penetration testing to learn vulnerabilities and then build layers of security.
Best practices say co-ops should begin with good “password hygiene,” where passwords are strong, changed on a regular basis, and kept private. Also look into intrusion and protection systems, monitoring, and cyber security exercises.
Co-ops that cannot invest in outside expertise should contact NRECA, statewide associations, or neighboring co-ops that have already taken steps to protect their systems, Seay says.
“A big piece of cyber security awareness and education is collaboration with your peers,” he says.
Co-ops’ exceptional ability to share important information is one of their strongest defenses against cyber attacks, Schwartz says.
“We’re listening to what others are doing, strategies they implemented, and we can leverage their success,” he says. “Sharing information is vital. We don’t have to reinvent the wheel every day.”
Cyber security safety drills, modeled on drills for natural disasters, may prove invaluable, along with training on how to notify members, law enforcement, and the media of a breach.
NRECA’s Business and Technology Strategies group offers co-ops cyber security tools, guidelines, and methods to minimize risk and help build “defense in depth.”
“It’s really critical that co-ops understand how vulnerable they are and then build their ‘defense in depth’ strategy with cyber security evaluation tools and penetration tests,” says Tony Thomas, NRECA principle engineer for distribution and engineering operations.
Over the past couple of years, NRECA has included cyber security and data breach issues on the agendas of a variety of meetings, including the CEO and director conferences, NRECA board meetings, regional meetings, annual meetings, TechAdvantage®, and state-level gatherings, says Barry Lawson, NRECA’s associate director of power delivery & reliability. “We plan to continue this in 2016 to ensure the membership is aware of the importance of these issues.”
In addition, NRECA is spearheading development of the Essence network security tool, a system that establishes a “normal” state for a computer network and raises an alarm when anything out of the ordinary occurs.
NRECA Chief Scientist Craig Miller says the tool could be a “game changer” for any entity with a network. It’s currently in testing with electric cooperatives with a launch set for early 2017.
Whither The Cloud
One option for data storage that co-ops are grappling with is whether to rely on “the cloud.” (See the TechSurveillance article “Demystifying the Cloud” in the January 2016 issue of RE Magazine for more information.)
Essentially, the cloud uses the Internet, with its thousands of connected computing resources, to run processing tasks and store data. It offers a range of benefits, including 24/7 access, scalability, and data redundancy.
“From a business standpoint, the cloud cannot be ignored. There is great potential for return on investment,” Engebretson says. “There are companies out there that do the cloud well. But at the end of the day, for the co-op, it’s their data and customer information and their risk. We have a responsibility as co-ops that that data remain secure.”
Seay agrees. “Cloud services have a place. There are definitely benefits, and there are instances where it makes complete business sense to move to the cloud,” he says. “Our position today is highly sensitive member and corporate information stay on premise and under our control.”
Wheat Belt PPD is moving its phone system to the cloud and weighing whether to do the same with billing and accounting. “We came to the conclusion that the cloud might be more secure and less expensive in some instances,” Lindahl says.
Great River Energy’s Jones recommends that co-ops consider only cloud providers that are well-established, carry a strong reputation, and run a profitable ongoing service.
Trentacosta of SMECO offers additional advice on cloud security. “If you’re going to put something in the cloud, make sure all elements of your security program apply to them as well. Ask questions about what security measures they have in place: How often do they apply security patches? How quickly do they notify their clients in the event of an issue or breach?”
Liability remains a major concern when engaging with outside resources for cyber security.
“When a co-op looks at a cloud-based solution, it needs to be very careful to look at third-party vendor management practices,” Engebretson says. “They need to understand who they’re dealing with and consider privacy and security issues. If a cloud-based solution is hacked and data is lost, members will look at you and your organization; they will not blame the cloud-provider. There is reputational risk associated with that.”