Creating a Culture of Cybersecurity

MYRTLE BEACH, S.C.—Joe Brannan, executive vice president and CEO of North Carolina’s Electric Cooperatives, recalled an urgent early morning call from his IT group. A cyber vulnerability had been discovered.

Joe Brannan of North Carolina's Electric Cooperatives says co-ops need a culture of cybersecurity. (Photo By: NCEC)

But because the cooperative has a policy in place to fast-track security responses and protect systems, the vulnerability was isolated quickly and no data was compromised.

“You can’t just patch systems in society today. You have to have a plan,” said Brannan. “You have to have a crisp assessment to make a decision.”

Cybersecurity, as a means of keeping electric cooperatives safe from attacks that aim to steal critical data or take down power lines, requires more than an IT department. It demands a culture.

That’s the message Brannan, Jack Reasor, CEO of Old Dominion Electric Cooperative, and Mike Couick, CEO of The Electric Cooperatives of South Carolina, shared with IT and cybersecurity co-op professionals at the 2016 Technology Conference. North Carolina’s Electric Cooperatives, based in Raleigh, sponsored the 14th annual conference.

Brannan advised participants that now is the time to raise awareness with their boards that a cybersecurity policy and mandatory training of all co-op staff are necessary.

Cybersecurity “has to be embedded in our culture,” said Brannan. “As personnel change, as processes change, do we really have it embedded in the co-op?”

Reasor agreed. IT plays a “critical role but that is only one party to the team in finding solutions,” he said. “CEOs can be slow on the uptake of what risks like this we face. We look to you to help us.”

Reasor, whose co-op is headquartered in Glen Allen, Virginia, outlined the work the utility industry, along with other industries and government agencies, is doing to try to identify these cybersecurity risks and exposure.

Couick underscored that boards must be apprised of cyber threats and encouraged to embrace technologies and processes to prevent them. Members will be patient with co-ops that charge ahead to address cybersecurity, but less so “if we pull back on the future,” he said.

“Cyber threats are like a Category 5 hurricane [forecast] that never goes away,” said Couick, who heads the statewide association in Cayce, South Carolina. “You don’t know when it’s going to hit and you don’t know where it’s going to hit.”

Hackers can hide inside a network on average for 140 days before detection, allowing them to cause profound damage, said Jim Spiers, NRECA vice president of Business and Technology Strategies.

With $7.5 million in support from the Department of Energy, NRECA plans to work with co-ops across the board over three years to identify the best practices, technologies and ideas to defend against cyber attacks, detect intrusions and recover from them.

“How can we thwart intrusions, shorten the 140 days if they occur and recover quickly?” Spiers asked the conference. “That needs to be part of the culture, part of everyone’s jobs. Just like safety.”

“We learn from each other,” Brannan added. “We can’t point to any one group and say, ‘IT, it’s your problem.’ ”