It was during an NRECA CONNECT Conference session on cybersecurity in 2016 when the idea hit Andrea Christoffer.
The presenter was Cynthia Hsu, NRECA’s cybersecurity program manager, and the topic was ransomware. She’d just discussed the widespread impacts of these attacks and outlined several ways for co-ops to build a strong defense.
Christoffer, the marketing & communications manager at Federated Rural Electric in Jackson, Minnesota, started thinking about how the Rural Utilities Services (RUS) requires borrowers to participate in an annual tabletop exercise (TTX) to test their system’s emergency preparedness.
Was there a cyber TTX that she could run her co-op through?
“After hearing Cynthia’s presentation, I thought it would be really helpful to have a way to test our co-op’s systems and processes to see how we’d handle a cyberattack,” she recalls. “So I asked!”
Hsu is also the head of NRECA’s Rural Cooperative Cybersecurity Capabilities (RC3) Program, a U.S. Department of Energy-supported initiative begun in 2016 to help co-ops bolster their cybersecurity culture with resources, tools, and trainings.
She took Christoffer’s request to heart.
This summer, NRECA released a free RC3 Cybersecurity Tabletop Exercise Toolkit, which includes a handbook; templates to help plan and capture lessons learned from the exercise; and exercise scenarios to test the cyberdefenses of an electric co-op, from its network systems to its crisis-communications plan and the physical security of its facilities.
“Andrea is one of the key reasons we started building a TTX toolkit,” Hsu says. “She planted the seed, and then we worked together over the following months to develop the project scope.”
The resources equip a co-op to conduct its own exercise without the expense of an outside facilitator. Co-ops of all sizes can use the toolkit to test their response capabilities against a wide variety of cybersecurity scenarios, pinpoint vulnerabilities, and learn how to reduce risks.
“The toolkit meets electric co-ops where they are with existing cybersecurity skills and enables them to advance, no matter how small,” Hsu says.
Federated Rural Electric, Pioneer Electric Cooperative in Piqua, Ohio, and Roanoke Electric Cooperative in Ahoskie, North Carolina, beta-tested the toolkit and shared their unique challenges to help the RC3 team create realistic scenarios.
‘In the mindset’
Roanoke Electric’s service territory stretches to the ominously named Great Dismal Swamp Wildlife Refuge. Despite its rural locale, the co-op knows it is not immune to cyber mischief.
In April, the city of Greenville, just three counties over, was hit by ransomware that forced a temporary shutdown of its computers and launched an FBI investigation.
The Onslow County Water and Sewer Authority, about 130 miles to the co-op’s south, was hacked last October.
These attacks “solidify that need for training and the importance of cybersecurity more and more,” says Marshall Cherry, the co-op’s chief operating officer. “At Roanoke Electric, we take cybersecurity very seriously. We want to make sure we put forth the effort, that we put up the defense mechanisms to put off these attacks.”
He says testing the RC3 tabletop exercise put co-op staff “in the mindset of preparing for a regular disaster like a hurricane. We learned in that process that we really needed to build strong defenses for business continuity to survive an attack.”
The co-op trains 100 percent of its staff in cybersecurity, starting with onboarding new employees and then on a quarterly basis each year. It also offers cybersecurity training to local churches and businesses and the community at large, awareness outreach that’s important to the co-op.
“Cybersecurity is something you need to talk to consumers about. It’s in the headlines. It’s not just happening with big companies,” Christoffer says. “When you see that happen in a small town, you know it could happen to you.”
All co-ops should consider themselves in the crosshairs, according to Jon Watkins, manager of information services at Pioneer Electric and a veteran in the field of cybersecurity.
“Just because we’re smaller does not mean we are not a target.”
From member services representatives to CEOs and line crews, co-op employees from all departments at the three co-ops participated in the RC3 TTX Toolkit beta testing.
For lineworkers who use tablets for time sheets and maps, “the tabletop brought out the reality that cybersecurity does touch everyone,” Christoffer says.
“It helped all staff understand their shared effort when it comes to cybersecurity,” she says. “It’s not just that one department.”
Watkins underscores that for cybersecurity initiatives to reach their full potential, buy-in from CEOs and co-op boards is crucial. The TTX, he says, brought that to the fore.
“Cyber-risk is a business risk. You have to have policies and procedures to address the risk,” he notes. “If you don’t have that attention from the C-suite, your program doesn’t have any legs.”
Roanoke Electric’s cyber team agrees.
“Anytime you have your leadership behind it, it reinforces attaining the goal of the training,” says Robin Hoggard Harrell, the co-op’s manager of technical services. “Management and all the employees see the importance of it; they see that it is not just an IT issue; it’s everybody’s issue.”
Cherry says Roanoke Electric has made several changes because of the TTX, including hiring a public affairs leader to “deepen its bench” in times of crisis.
And they decided to repeat the exercise but this time with every employee participating.
“I got a lot of comments from outside guys who don’t work with computers,” Hoggard Harrell says. But once the exercise got underway, “they realized, ‘I do have a part to protect our organization. There are things I do that I didn’t know would have that effect.’”
Christoffer says she’s proud to have had a hand in the development of the TTX and considers it a key advantage to work in a program that shares such resources openly.
“It’s an amazing thing to be able to go from making a suggestion at a conference to having an invaluable resource like this.”