Enabling security for co-ops

NRECA project brings security template to members

Published In: Intelligent Utility Magazine November/December 2011


Flint Energies is a cooperative utility serving 17 counties in central Georgia, from four customers in the poetically named Chattahoochee County to more than 55,000 in Houston County. That's 88,000 meters in all.

And you can count the number of employees in Flint's IT department on one hand.

That's one reason Frank Sams, manager of network systems for Flint Energies, is glad to be one of nearly two dozen co-ops participating in the Cooperative Research Network's (CRN's) smart grid demonstration project that has produced a cyber security toolkit dubbed Guide to Developing a Cyber Security and Risk Mitigation Plan. (The demonstration project is taking place under the aegis of the National Rural Electric Cooperative Association.)

Remaining invulnerable
Sams described the toolkit as an "actionable template of best practices" created so that any co-op could apply it to its own legacy systems and service territory, rather than having to reinvent the wheel or decipher the many cyber security standards.

The driver for the cyber security measures is ensuring that in the course of automating parts of the grid with digital technology, these co-ops don't become vulnerable to attack. The same co-ops participating in the Cooperative Research Network's demonstration project are also testing in-home energy use displays and their effect on customer behavior.

"Flint, like many co-ops, utilizes anti-virus software, firewalls, passwords and the like," said Sams. "But that doesn't add up to a full-fledged cyber security plan. For us, without a full-time cyber security person, we can customize a plan around our circumstances by using this template. This gave us a good, useful tool to walk through and review our practices and plans."

The template forces the user to walk through operational risks, for instance, and address vulnerabilities (it asks, "Can you accept that risk or are you going to mitigate it?") while linking to documentation in support of a co-op's plan to meet those vulnerabilities.

Cutting through the verbiage
The template is a good way to cut through the rather opaque verbiage in, say, the security standards created by the National Institute of Science and Technology (NIST), Sams said.

"You can get this done on your own, but I wouldn't have done as good a job, especially in the same amount of time, as we've done by using the CRN template."

The template provides guidance for co-ops to ensure that their vendors follow best practices.

"We're working on implementing a new SCADA (supervisory control and data acquisition) system and, by using the template, I have good questions for our vendor," Sams said.

The CRN reviews the results of security reviews conducted with the template and makes recommendations based on a utility's answers. But, like much of what gets done at co-ops, the onus to remain vigilant and keep up with security lies squarely with the co-op.

"Once you're done, you're on your own," Sams said. "The intent is that once you get this far, you'll have an interest in maintaining your readiness."

Making the task do-able
For instance, in coming months, Flint will be testing ways to apply cyber security to its SCADA system without adverse impacts on functionality.

"You don't want to lock down these systems so that they're not usable," he pointed out. "So you document your changes and procedures for making changes so that you don't introduce new risks."

Speaking to the CRN template's usefulness for co-ops, Sams said, "I'm an IT guy, but here, like most co-ops, I wear a lot of hats, so I'm not a full-time cyber security guy. It's hard to read some of those NIST standards.

"The CRN has cut down a huge task for my co-op and made the process so much more understandable and do-able."