Cyber Crime: What Electric Co-ops Can Do

Where’s the cyber crook? Maybe in a basement apartment in the Ukraine. Maybe sipping an espresso at the coffee shop. Maybe at your co-op.

All of those are possibilities, says Barry Lawson; all of those and more, and that’s why electric cooperatives cannot afford to think they’re small fish in the cyber security pool.

“Small and rural does not exclude co-ops from paying attention to cyber security,” said Lawson, NRECA associate director for power delivery and reliability. “Cyber security is important to all co-ops.”

Grid-wide issues are beyond the reach of individual co-ops, whose vulnerabilities lie in other areas, primarily data about their members, Lawson said. An estimated 71 percent of security breaches are reported by small businesses.

For example, most co-ops have online bill paying capabilities. That opens up portals that crooks or hackers might be able to exploit by searching for personal data, Social Security numbers or credit card information. After all, a credit card number can go for $20 to $40 on the black market, Lawson said.

Or a lineman in the field might use a wi-fi signal to relay information back to headquarters—another possible source of trouble. “When you’re at Starbucks or anywhere else you hop on to a wi-fi signal, just remember that there are things you don’t know about that connection.”

It’s not an academic exercise, either, said David Revill, manager of cyber security operations for Tucker, Georgia-based Georgia Transmission Corp. An outside party sent emails to co-op officials from the gatrens.com domain—easily confused with the co-op’s gatrans.com domain.

But the co-op has regularly conducted cyber training for employees, who picked up right away on the fake domain, enabling GTC to block it.

“This was a success story for us, but that’s not always how things are going to play out,” Revill said.

So what’s a co-op to do?

Train all your employees. That way, co-op employees know that cyber security is not just a responsibility for the IT department, Revill said. “Training and awareness are powerful,” he said. “We know how to do this already because risk management is key to our business every day. We just need to expand it.”

Have a plan. Co-ops have strategic plans and political plans; they should have a cyber security plan, adopted by the board and reviewed regularly, Lawson said. Someone should be in charge—a chief information officer, for example—with a top-down commitment to cyber security. “Everyone from the top of the co-op needs to walk the walk. If senior management doesn’t follow the proper procedures, it’ll be difficult to get others to buy into them,” Lawson said.

Pay a contractor to hack your system. A well-executed hack by a co-op contractor can expose system weaknesses before bad guys exploit them, said Joe Trentacosta, senior vice president and chief information officer at Southern Maryland Electric Cooperative in Hughesville, Maryland. “We get a third-party organization and we hire them to try to penetrate our network from the outside. They simulate what a hacker would do to get into our network,” he said. “They give us a report that says, ‘Here’s where you can make some improvements on the network.’ ”

Use all available tools. Cyber security might be tough for a small co-op to implement on its own. That’s OK. There is plenty of free info from NRECA and its units that can help pinpoint weaknesses and offer remedial action. “We’re all vulnerable,” Lawson said. “The question is what do we do about it?”

Steven Johnson is a staff writer at NRECA.