That's the central question Tanner Greer poses when he talks about third-party cyber risk.

“Be careful who you give those keys to,” says Greer, senior vice president and chief technology officer at Blue Ridge Energy. “If you own member or employee data, you are ultimately responsible. Having a vendor does not necessarily transfer the risk.”

His co-op, based in Lenoir, North Carolina, learned that hard lesson when co-op staff and member data was stolen after one of its vendors was hit by a ransomware attack.

And Blue Ridge Energy is not alone.

Third-party breaches are on the rise for utilities, both on the information technology side—email, customer service and billing platforms, benefits software, cloud storage—and on the operational technology side, such as SCADA, load management systems and other inside-the-fence platforms.

“The number of vendor interfaces with the co-op is increasing, and each one expands your attack surface,” says Carter Manucy, NRECA cybersecurity director. “The more you bring into your environment, the more opportunities there are for attackers to find and exploit possible vendor vulnerabilities.”

In some cases, third-party vendors may have more system access than a co-op's own staff.

“If they're compromised, their access becomes your exposure, even if you're doing a great job of patching your internal systems, segmenting, monitoring, all the things that we talk about in cybersecurity,” says Manucy.

And vendors who serve data-rich utilities are becoming a particularly attractive target.

“Why would I as an attacker want to try to attack 100 secure utilities when you can just hit one weak vendor and get access to all of them?”

The breach

For Blue Ridge Energy, this scenario became real and prompted the co-op to not only strengthen its cyber defenses in new ways, but to share its experiences to help other co-ops.

Eight days later, the vendor told the co-op that some of its records were among those stolen.

A few days after that, an outside cybersecurity company informed Blue Ridge Energy that staff and member information was spotted on the dark web, where hackers fence stolen data.

“We thought only the third party was affected,” recalls Greer. “That was not the case.”

Blue Ridge Energy quickly activated its cyber incident response plan, contacting its lawyers and its cyber insurance provider and launching its own investigation to determine exactly what data had been compromised.

Greer and his team created a limited-access “situation room” at the co-op's headquarters. Using old, wiped computers, TV monitors and a printer not connected to the co-op's network, a team of IT professionals began searching the dark web for Blue Ridge Energy data.

What did they find?

“Things you don't want to find,” says Greer. “Personally identifiable information for both members and employees, totaling about 500 records. Most of the data had been on the third party's systems for five years.”

The co-op quickly notified those affected by the breach about what personal information was compromised and how the matter was being addressed.

They tapped a credit reporting agency to assist those impacted. On Oct. 19, senior staff held a “town hall” to update everyone and answer questions.

“We felt that as soon as we knew who was directly impacted that we should contact them,” says Greer. “We called knowing that there might be some people really mad, but the response from our members, the few who were impacted, was more sanguine than we expected.”

He attributes that, perhaps, to data breaches having become commonplace across all industries.

“Any one of us or any of our third-party vendors could have an incident, so we've just got to do what we can do to minimize that as best we can,” he says.

The vendor's final forensics report contained no new information for the co-op, says Greer.

“We were able to make sure we had all the data that was out there.”

Lessons learned

Blue Ridge Energy recovered from the third-party breach after about four months, but remains cautious in dealing with vendors.

“It opened our eyes a little bit to be more careful about engaging vendors, especially those with access and use of the co-op's data. Our experience and increase in dependency on more vendors expands the threat vectors and risk,” Greer says.

Greer says the key takeaways include the importance of cybersecurity insurance with sufficient coverage, good legal counsel and NRECA's Cyber Goals, particularly those focused on establishing a cybersecurity point of contact, contract review and having a cyber incident response plan (IRP).

“There's been a lot of benefit out of the Cyber Goals,” says Greer. “For co-ops, it's about standing together, sharing with each other and challenging each other. We've picked up the mantle of the Cyber Goals to make sure we're working towards them.”

Blue Ridge Energy has also taken additional measures, including placing greater restrictions on how third parties access its systems and raising the protection of confidential business information to the level it gives personally identifiable information.

The co-op also reevaluates and updates its cybersecurity policies annually so that they require asking third parties about their own cybersecurity and holding them to an information-sharing standard. Data privacy and confidentiality requirements are part of every new contract, and provisions require vendors to delete co-op data as soon as it is no longer needed.

The co-op also asks all departments to participate in its regular cyber tabletop exercises.

Manucy says using every tool to stay vigilant is critical.

“We're often distracted, constantly bombarded by alerts, policy shifts, changes in the weather, so don't think for a minute that the adversaries aren't aware of this as well and trying to use it to their advantage at every chance that they get,” he says. “When we talk about third-party vulnerabilities, we're not pointing fingers. We're identifying a key area where trust and security should be balanced.”

Co-op culture

Whatever the crisis, Greer says he believes that an honest and open workplace culture is a key defense.

“You're not going to be able to completely eliminate your cyber risk, but I'd rather go through a crisis with 170 people who've got my back than on my own,” says Greer. “You can't be everywhere at once. You want to create a security culture built on shared responsibility. One that encourages everyone to be your eyes and ears, and to confidently report anything that seems unusual. But they are not going to do that if you haven't built good relationships.”

But how is that done?

Greer suggests workplace culture starts at the top, where leadership makes it a priority. “And then, honestly, it's just old-fashioned relationship building.”

He concedes that relationship-building is slow, but says it's about finding opportunities across the co-op, from the lunchroom to the conference room.

“As an IT leader, you have to have a relationship with all the other departments in a way that's more than just, ‘I need something from you,’” he says. “You need to know about them; what's going on in their lives.

“Having that great culture between the employees and the different leaders of the different departments pays dividends over and over. In a lot of ways, it may be the best preparation of all.”
