October 1, 2016

Cyber Security Patrols

Electric co-ops enhance efforts to protect their members’ personal data and the reliability and security of their electric distribution systems.

Your home probably has several security features—door locks, bolts, and an alarm system. When it comes to cyber security, electric co-ops follow the same principle—building and reinforcing multiple layers of protection to safeguard your personal data from attacks.

Securing digital data on an electric distribution system isn’t a “once and done” job. It’s a continual process of evaluating and addressing risks, tightening measures, planning, and evaluating again. While it’s difficult to thwart a determined computer hacker, with constant vigilance electric co-ops can significantly minimize the possibilities.

“Keeping our members’ information secure is a top priority,” explains Tom Manting, manager of finance and information technology at HomeWorks Tri-County Electric Cooperative in Portland, MI. “Technology constantly changes, requiring a ‘continuously improving’ approach towards cyber hazards.”

HomeWorks Tri-County has over 22,000 members, and represents a national trend of cooperatives bulking up cyber security with tools from the Cooperative Research Network (CRN), the research arm of the National Rural Electric Cooperative Association (NRECA). CRN’s “Guide to Developing a Risk Mitigation and Cyber Security Plan,” and supporting documents released in 2011 with funding support from the Department of Energy (DOE), help utilities of all types develop a process to shore up cyber defenses.

“Electric cooperatives have made substantial progress in cyber security without additional regulation because they owe it to their members to protect system reliability and prevent unauthorized access to personal information,” explains Glenn English, NRECA’s CEO.

Manting agrees, and at HomeWorks special precautions are taken to protect members’ information in several ways. “Members are required to positively identify themselves when calling us, and we’ve completely purged our files of all credit card information,” he explains. “Social Security numbers are also encrypted.” And, members who wish to pay their energy bill with a credit card are required to use one of the self-serve options, including online, entering payment information themselves through the automated phone system, or using payment kiosks in the co-op’s lobbies.

Computers rarely get hacked, Manting says, but instead people are often tricked into revealing personal information. “So, by removing our people from the transaction, we’ve greatly reduced the potential for criminals to access our systems.”

Of note is that none of Michigan’s electric co-ops sell member information to others, and many are updating or creating cyber security plans. And, while all the co-ops take precautions to protect their members’ information, not all use the CRN plan. For example, at Cherryland Electric Cooperative (over 34,000 members) in Grawn, IT Administrator Steve Weaver says, “In addition to the standard best practices of anti-virus and anti-Spyware installed on computers, encryption of members’ data, and enterprise class firewalls installed, we use a service that monitors all inbound and outbound traffic looking for and blocking suspicious activity.”

At Midwest Energy Cooperative in Cassopolis (over 30,000 members), they are currently doing a major information technology (IT) risk audit that will result in some significant changes. “We always want to be sure we’re doing all we can to protect our members’ information against identify theft and other threats that can result from our dependence on technology,” says Candy Riem, member services manager. “The audit is intended to evaluate and improve the security of personal information and review all internal and external processes, systems and staff that impact daily operations. This action will help us identify risks and deficiencies, so that we are well-positioned to serve our members.” Riem expects a formal strategic plan by the end of the year.

“At this time, we do have a firewall that is tested on a regular basis for potential threats,” Riem adds. “We also encrypt certain pieces of our members’ information in the system to help prevent identify theft if someone were to breach the system.”

Great Lakes Energy, with over 101,000 members, uses plans from several sources, says Mike Youngs, director of information security and business continuity. “We use a variety of processes and technology, including encryption, access control, malware protection and monitoring,” Youngs says. Security Sweep Electric co-ops have been working with the DOE, North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), U.S. Department of Homeland Security, the Obama administration, and the electric utility industry to strengthen cyber security. An assault on a co-op, for example, could be a prelude to, or part of, a coordinated cyber strike on the country’s power grid as a whole that could impact electric reliability. Last year, NERC, the nation’s electricity reliability watchdog, conducted an exercise dubbed “GridEx” to identify cyber security concerns and encourage utilities and government agencies to work together to resolve the issues uncovered.

“GridEx provided a realistic environment for organizations to assess their cyber response capabilities,” observes Brian Harrell, NERC’s manager of critical infrastructure protection standards. “Through the interaction, participants forged relationships across the cyber security community.”

A report on the test notes most utilities have adequate response plans in place, but more training and updated guidelines were suggested. Communication difficulties were also identified—a problem NERC will confront by developing outreach strategies for secure information sharing.

To further pinpoint cyber vulnerabilities, a seven-year utility system security study was conducted by the DOE’s Idaho National Laboratory (INL). Poor “patch management” was cited as the biggest utility weakness—patches fix publicly-known security problems.

To prevent would-be hackers from discovering security lapses, teams of grid guardians routinely scour electric distribution systems to find and fix weak spots.

“I look for vulnerabilities in control system software,” remarks May Chaffin, an INL cyber security researcher. “I try to get them repaired before someone takes advantage.”

Lessons learned from the GridEx activity and researchers like Chaffin have been incorporated into CRN’s cyber security toolkit. Based on best practices developed by the National Institute of Standards and Technology (NIST) and other industry groups, the guide focuses on procedures co-ops should adopt to continuously monitor cyber threats and enhance risk preparedness.

“CRN’s cyber security resources are well-rounded tools that helped make our existing security plan more complete and serve as references for future projects,” Manting adds.

Andy Bochman, an energy security lead for IBM, praises CRN’s efforts. “While the [IT] community is waiting for [practical] implementation guides from NIST, CRN’s offering breaks things down into actionable, prioritized parts. It allows co-ops to travel down a well-marked path toward better cyber security and risk mitigation planning in the age of the smart grid.” Regulating Security The possibility of cyber mischief undermining the automated digital technologies used by utilities has Congress, the White House, and regulators considering the right balance of security and emergency response initiatives.

“There is no question that there will be some kind of legislation,” predicts English. “It’s important that policymakers make a distinction between what’s appropriate security for bulk power versus distribution systems. The question is whether what’s put forward makes sense, if it will be overly burdensome, and if it will make electricity less affordable for our members.”

In 2010, the U.S. House considered the Grid Reliability and Infrastructure Defense Act. A similar measure, the Cyber Security Act of 2012, was introduced to the Senate in February. Both bills would provide the federal government with more power to draft cyber security standards, but would weaken the NERC/FERC partnership that allows industry stakeholders to help ensure standards are technically sound and able to be properly implemented. Cyber security experts at NRECA believe any legislation should focus on encouraging federal agencies to routinely provide actionable, timely intelligence about cyber threats and vulnerabilities to utility industry experts.

“Hackers are getting smarter, and for some, much of the fun is the challenge of beating your system,” observes Maurice Martin, CRN’s program manager. “Co-ops understand cyber security isn’t a one-time thing. Improved communications about potential trouble remains key to this effort.”

Electric co-ops are building cyber barricades and robust plans for addressing current and future dangers. But in a rapidly evolving cyber environment, there’s no such thing as perfect security.