Matheson: Co-ops Need More Cybersecurity R&D, Information-Sharing

NRECA CEO brings co-op message to Capitol Hill

NRECA CEO Jim Matheson testifies before the Senate Energy and Natural Resources Committee on March 1. (Photo By: NRECA)
NRECA CEO Jim Matheson testifies before the Senate Energy and Natural Resources Committee on March 1. (Photo By: NRECA)

NRECA CEO Jim Matheson told U.S. senators examining cybersecurity that the electric power sector is well prepared to combat cyber threats, but said the federal government should pursue greater R&D for small and medium-sized utilities and improve information sharing to bolster the industry’s cyber defense.

“Protecting the electric grid from threats that could affect national security and public safety is a responsibility shared by both the government and the electric power sector,” Matheson told the Senate Energy and Natural Resources Committee at a March 1 hearing.

“Maintaining the resilience and security of the electric grid requires a flexible approach that draws on a variety of resources and options. As threats and threat actors continue to evolve, so must government and industry’s capability to defend against them.”

Matheson outlined ongoing cybersecurity measures by the electric sector, including participation in federal exercises such as the Department of Energy’s Clear Path and the North American Electric Reliability Corp.’s GridEx.

“The possibility of a cybersecurity attack impacting grid operations is something for which the electric sector has been preparing for years,” he said, noting the industry has bolstered its defenses by partnering with the DOE, national laboratories and other federal agencies on cybersecurity research.

Matheson pointed to the Rural Cooperative Cybersecurity Capabilities Program, or RC3, a cost-shared partnership between DOE and NRECA that has provided cybersecurity assessment and training to more than 150 member co-ops and developed resources for small and mid-sized utilities.

“It’s really a toolbox of different options they can use to identify vulnerabilities and risks and share best practices with each other,” Matheson said in response to a question by Sen. Joe Manchin, D-W.Va., about which cybersecurity efforts are working.

RC3 also involves a continuous improvement process. “We all know wherever we are today, we’ve got to get better by tomorrow,” said Matheson.

Sen. Steve Daines, R-Mont., praised electric co-ops as representing a “true cross section of our state” and for their efforts in cybersecurity.

“I do believe our rural co-ops are on the front line in defense of our grid, especially in rural states like Montana,” said Daines. “The co-ops you represent don’t have a lot of excess cash to spend on research or new expensive technologies. Further, there isn’t one single solution we know.”

Matheson agreed that America’s electric cooperatives face diverse circumstances when it comes to protecting against cyberthreats. About 120 co-ops that connect to the bulk electric system must comply with NERC reliability standards and audits to stem operational threats. Meanwhile, smaller distribution co-ops encounter hackers going after personal information.

“We try to create a peer-to-peer relationship where co-ops can compare, consolidate and share assets,” said Matheson. “We have a really coordinated effort to make sure we are sharing best practices with each other to take on the cybersecurity threat.”

Daines also asked about ways his Cyber SAFETY Act, which among other things provides liability protections for private-sector cybersecurity tools and services, might help electric co-ops.

Matheson said rural co-ops and the rest of the electric utility sector support the bill for removing impediments. “Efforts to produce more innovations in this area are something we strongly support and a step in the right direction,” he said.

Cathy Cash is a staff writer at NRECA.