Everything happened so quickly.

As a severe storm ripped down power lines, word came from the finance department about a potential cyberattack. Within 15 minutes, the IT team learned that member data had been compromised, and then a hacker’s dreaded ransomware demand arrived. Almost immediately, calls came from the media and the governor’s office about a rumored security breach.

Were you prepared?

That’s what an innovative new virtual cybersecurity exercise will help electric co-ops determine.

CyberSEEC—CyberSecurity Exercises for Electric Communities—was developed by NRECA’s RC3 program with the help of several co-op volunteers and in partnership with Norwich University Applied Research Institutes. It aims to help co-ops take a clear-eyed look at how their cybersecurity response plans hold up in a close-to-life scenario.

Multiple times an hour, participants are hit with stressful developments meant to highlight strengths and weaknesses: How well does your co-op communicate across departments to address a breach when time is of the essence? Do all staff know the policies for dealing with ransomware? Do you have a specific point of contact to handle media inquiries involving cybersecurity?

“CyberSEEC helps you evaluate how well your staff understand your cybersecurity policies and procedures,” says Cynthia Hsu, RC3 manager and NRECA cybersecurity solutions principal. “It can also help you look for gaps in your implementation. Things like, when do you contact your insurance company? How do you prioritize what to fix first?”

While many cyber drills test staff responses with IT, operations, and co-op leaders all in one room, CyberSEEC requires wider department participation and employs “distributed play,” where each person receives crisis information, called “scenario injections,” while they are working at their own computer—in the office or at home—in 15-minute intervals.

“Cyberattacks don’t happen when all the department heads are all sitting around the same table,” Hsu says. “They happen incrementally. Everyone sees something different, and no one sees the whole picture.”

The structure of CyberSEEC is ideal, particularly given co-ops’ ongoing pandemic restrictions, says Bridgette Bourge, NRECA’s legislative affairs director and lead for the association’s National Cyber Security Awareness Month events.

“Knowing how to engage with your own departments is critical,” she says. “A distributed-play exercise was an excellent solution.”

‘Stressful … and a little fun’

Nearly 160 participants from 26 electric co-ops were the first to test CyberSEEC this past fall. The two-hour drill offered co-ops a choice of three levels of difficulty and required an hour of preparation for the players and another hour for a post-exercise discussion of lessons learned.

“The exercise is designed to challenge participants and see if they share information quickly and work as a team,” Hsu says. “By the end of the exercise, everyone should have a better idea of where there is room for improvement. Ideally it is stressful … and a little fun.”

Shawna Ryan, NRECA principal for IT cooperative relations and one of the CyberSEEC planners, says the goal was to be “as realistic as you can get in a role-playing exercise.”

“It definitely got the incident response conversation started by creating that stress level they would feel during an actual incident.”

A follow-up survey showed a positive response to the exercise, and several participants committed to a second round in October. That includes Palmer, Alaska-based Matanuska Electric Association, a 67,000-meter distribution and generation cooperative. Matanuska is a veteran of such tabletop exercises, including GridEx, the national-level biennial test where federal and state agencies and utilities address simulated cyber- and physical attacks on the bulk power system.

“When we deal with an outage or storm-related event, you’re engaging all those teams,” says Jeff Myers, the co-op’s CIO and senior manager of information technology. “In a cyber event, it’s not any different.”

Yet CyberSEEC presented new and significant challenges.

A key departure from GridEx and most tabletops was how CyberSEEC involved finance, human resources, and public relations, Myers says.

“That was an important piece.”

With participants at their regular workstations, the fast-paced scenarios “boldly tested our cyber-response capability and our communications to staff and our members,” he says. “It was a welcome change.”

Myers believes that involving more co-op departments will heighten cybersecurity awareness and help staff understand better why certain procedures are in place.

“It will improve communications all around, not just within the cooperative but with our members and people outside our cooperative.”

‘Continuous training’

Roanoke Electric Cooperative, which serves about 14,000 meters, has incorporated cybersecurity in its operations, employee onboarding, and staff training for years. The Ahoskie, North Carolina-based distribution co-op helped launch the RC3 cybersecurity tabletop exercise toolkit in 2019, and its senior leadership agreed to be among the first to participate in CyberSEEC.

Marshall Cherry, the co-op’s chief operations officer, describes the exercise as a “very intense” experience that led to a few “aha” moments.

The scenario ballooned from a phishing email to a ransomware attack that compromised credit card information to a media leak and a barrage of calls from worried members.

“Fortunately, we haven’t experienced that,” Cherry says. “If we had to live this out, what would be our level of composure as an organization?”

After the hard-hitting test, Roanoke Electric decided to increase staff and contractor cybersecurity training from quarterly to monthly, he says.

“What we’re learning and gleaning is the need for continuous training,” Cherry says. “By and large, our employee base is very engaged. We’ve gained a lot of ground, but we do still see some opportunity there. These types of exercises help us continue to get better, to continue to grow.”

NRECA’s Bourge says helping participants grow is a key goal of CyberSEEC.

“No matter how much time and effort you put in planning and preparing for something, if you don’t test it, you won’t identify gaps until an incident occurs,” she says. “We want members to be prepared before it occurs.”

Communication vulnerabilities

For Canoochee EMC in Reidsville, Georgia, the takeaway was significant: Build a cybersecurity response that emphasizes departmentwide communications to speed both the identification of a cyberattack and its resolution.

CyberSEEC laid bare the potential consequences for the 21,000-meter co-op in the absence of such a plan.

Without gathering in a single room, participants had to turn to email, cellphone calls, or texts. The need to have contact information quickly became apparent.

“Our employees are our first line of defense against a cyber event,” says Patrick Burkhalter Jr., Canoochee’s chief administration officer. “How will our employees communicate with our IT department if our network and phone lines are down? We now see the importance of incorporating cybersecurity into our communications plan.”

When senior staff saw simulated events unfold that could occur in real life, “it really opened their eyes,” he says. “When they go through an exercise, they see how disruptive a cybersecurity event can be—disruptive for our cooperative and our members.”

Canoochee plans to re-up for the drill this fall.

“I would encourage other cooperatives to really take advantage of this free program, to get as many employees involved in the exercise as possible,” Burkhalter says. “Once they go through it, they’ll see how important it is.”