Co-ops and other utilities are never in danger of running out of things to spend serious time and money on. Lately, global hackers and hoodlums have introduced another potentially high-cost headache for utility executives: the prospect of data break-ins that could compromise sensitive corporate and consumer data, disrupt system operations, or freeze internal computer networks.
Hackers are an inventive lot, forcing co-ops to be always on the lookout for phishing campaigns, malware intrusions, ransomware threats, or whatever the latest form an attack may take.
“The threat of cyberattacks is constantly growing,” says Nick Jackson, director of member services at Escambia River Electric Cooperative in Jay, Florida. “I don’t foresee that ever going away. The industry is always going to be looking for a new level of security.”
At Cass County Electric Cooperative in Fargo, North Dakota, Tim Sanden ticks off a daunting list of challenges a co-op faces in achieving and maintaining each new level of security:
“The need for 24/7 monitoring of events and incidents, a shortage of information security talent in the workforce, and the high cost to train skilled information security staff,” says Sanden, the co-op’s vice president of information technology & CIO.
But help is out there. “Managed security services providers assume those burdens, allowing cooperatives to focus on providing service to our members,” he says.
'They Just Don't Have the Resources'
Jackson and Sanden get help from familiar sources: SEDC, based in Atlanta, Georgia, and the National Information Solutions Cooperative, or NISC, based in Lake St. Louis, Missouri. In recent years, the two data-processing cooperatives have broadened their businesses to include managed security services.
“What we found was that at some smaller co-ops, they have just one person, or no one at all, to handle security,” says Jacek Szamrej, SEDC’s vice president of cybersecurity. “They just don’t have the resources, so we provide training administration, for instance. And at any point in time, whenever you are ready, you can start managing this on your own.”
SEDC offers its clients cybereducation, a resource library, and encryption and multi-factor authentication services, among other options.
NISC breaks its security package into five parts: education, endpoint protection, incident detection and response, perimeter defense, and vulnerability management.
“We look at our role as we’re already a technology provider,” says Jeff Nelson, general counsel & vice president of information security and risk management at NISC. “This is another technology solution we can help you with.”
Through its outsourcing contract with NISC, Cass County has access to a range of cyber support, including a comprehensive managed security service that monitors incidents, detects intrusions, and assesses vulnerabilities.
Sanden says outsourcing cybersecurity is a valuable option for resource-constrained co-ops, but it doesn’t relieve the co-op of the need to be on alert.
“We do have our own security and firewalls in place as well,” he says.
Jackson of Escambia River Electric says outsourcing with SEDC helps to ensure there are no gaps in the 12,000-meter co-op’s defenses.
“Protecting our members’ data is a top priority of ours,” he says. “We make sure that safeguards in our network are up and running and our systems are secure. We do that on a 24/7 basis.”
Sanden says like every business on the internet, his 60,000-meter system in eastern North Dakota ends up regularly on the radar of hackers.
“There are new vulnerabilities being discovered every day, on top of the new attacks that people with malicious intent are coming up with every day,” he says. “This is not a local issue; it’s global. You have a global group of malicious people who are developing attacks and stealing information from companies.”
If you don’t have the resources in house to deal with such round-the-clock and round-the-world threats, it pays to leverage the expertise of others.
“There are just too many [threats] for any one organization to defend against,” Sanden says. “That’s where the defense in depth comes into play. You need to have some local presence, to be responsible for your network, but you also need partners who have a much more global response.”
Another resource for co-ops looking for help with their cybersecurity is NRECA’s Rural Cooperative Cybersecurity Capabilities Program, nicknamed RC3.
The program, funded with the help of a U.S. Department of Energy grant, offers self-assessment tools in resiliency and vulnerability, new technology integration, and information sharing. A series of cybersecurity summits introduces co-op staff to the nature and scope of current threats and steps they can take to protect their co-op’s data and systems.
“Using a self-assessment tool, we facilitate a discussion so a co-op can find out for themselves where they are strong and where they need work,” says Cynthia Hsu, NRECA’s cybersecurity program manager.
Hsu points out that G&Ts can often be a valuable resource to member cooperatives in understanding threats and sometimes even helping to secure their systems against cyberattacks.
Ultimately, she says, cybersecurity comes down to the training, awareness, and dedication of each co-op staffer.
“Every single person has a role to play.”