Justin Haar is one of the guardians of the cyberspace galaxy at Minnkota Power Cooperative. The team defends against cyberattacks on the internet highway, as malicious hackers continually try to find an offramp into the cooperative’s systems.
As a cybersecurity specialist at Minnkota Power Cooperative, Haar is just one defender of electric cooperative consumers, keeping them safe from cyber threats to their electrical power grid.
While cybersecurity is a challenging concept to describe, Haar simplifies it: “It’s the job of trying to ensure that computers are only used by the people who should use them in the way they are intended to be used. It gets down to protecting people from the malicious actors that are out there.”
Daniel Graham, chief security/compliance officer at Basin Electric Power Cooperative, describes cybersecurity as a triad composed of confidentiality, integrity and availability.
“Confidentiality is making sure that only people who are supposed to see the information can see it, integrity is what you put down is not altered along the way and availability is that it’s available when you need it,” he says.
North Dakota’s electric cooperatives continually monitor their systems for cybersecurity threats, as nearly every aspect of today’s business is tied to the internet in some way.
Electric generation and transmission cooperatives like Minnkota Power Cooperative, based in Grand Forks, and Basin Electric Power Cooperative, headquartered in Bismarck, provide power to the distribution electric cooperatives, which then flow power to the end consumer.
Minnkota provides wholesale electric energy to 11 member-owner distribution cooperatives in eastern North Dakota and northwestern Minnesota. Basin Electric Power Cooperative is a generation and transmission cooperative owned by 131 member cooperative systems across nine states.
“Our focus is making sure our system is protected so we can continue providing power to our members,” Graham says.
All pieces of the puzzle
The pieces of cybersecurity form a triangle, made up of people, process and technology, Haar explains.
“I always view technology as the smallest end of that triangle. It’s 10% of the challenge. If you have the technology set up right, it’s working and it’s going to continue to work. It’s the people and the processes that really drive an organization and can introduce those security threats,” he says.
Threats, he says, are more likely to come from hackers trying to trick employees into providing information to access the system.
“They can’t get around our technology easily, but if they can get a person on the inside to let them in, they don’t have to worry about the technology, because they’re already past it,” Haar says.
So, electric cooperative employees are trained and educated to identify what’s safe and not safe and to “think twice before clicking,” Haar says.
“Helping people understand why it’s important and generate buy-in with them, so they want to protect the cooperative and the organization and they want to make sure that we are safe and secure,” he describes.
That triangle helps “detect, deter, prevent and recover from cyberattacks,” Graham says.
The energy sector sees many types of hackers trying to infiltrate a system. One is the foreign country or entity working on behalf of a foreign country. “Their interests are in gaining access to things that could cause disruption or reduce reliability of the grid,” Haar says.
A more common type are those trying to trick the organization into giving away money, such as installing ransomware on a computer or impersonating a CEO asking the company to wire money.
New safeguards added
But electric cooperatives have safeguards in place, such as a new system developed by the National Rural Electric Cooperative Association in collaboration with the U.S. Department of Energy and two development partners. The system uses sophisticated real-time anomaly detection to identify and warn of possible network breaches.
“It gives us a greater insight or view into what is happening in our control network, so we can avoid issues,” Haar says. “I think it’s a game-changer, because it’s a space that’s hard to get visibility in using our traditional IT tools. It is designed by people who really understand energy transmission and distribution.”
The cooperatives also keep the business system separate from the electric grid system, so even a business disruption will not disrupt power.
“Such separation allows us to continue to generate and transmit energy reliably, even in the event of disruption to other areas of the cooperative,” Haar says.
The COVID-19 pandemic brought an entirely new set of challenges for cooperatives, as employees began working remotely, and requiring remote access, Haar says.
“That meant we had to have more access to our system than we previously did, and that introduced a lot of challenges,” Haar says. But the challenge made the cooperatives more nimble and even identified better ways to operate.
What keeps Haar awake at night are visions of black swans, those unexpected events that cannot be anticipated. He points to large-scale blackouts in Ukraine’s power grid in 2015, caused by a cyberattack.
“I worry about those big unexpected things, which are entirely outside the cooperative’s control, but could still significantly impact the cooperative,” he says.
“You prepare to respond and be agile and deal with it,” he says.
Generation and transmission cooperatives also follow rules and guidance on how to structure and protect systems.
“The first NERC Critical Infrastructure Protection standards went into effect in 2008, and since then several new versions have added requirements and broadened the number of regulated entities and assets. These standards are enforced nationwide through recurring audits conducted by six regional entities. Noncompliance subjects utilities to potential million-dollar fines per day, per violation,” according to a story in the “Minnkota Current.”
The Critical Infrastructure Protection standards provide baseline security expectations for the electric industry, and is just one piece of the cybersecurity work by the electric cooperatives.
“The goal is to be a secure and highly effective reliable organization,” Haar says. “If we achieve that goal, we will also ensure we are compliant with NERC CIP.”
“We understand our core mission is to make sure the lights are on when you need the lights to be on. The work we are doing in the cybersecurity space is aimed entirely at helping support that,” Haar says. “We’re doing everything we can to ensure protection of our systems, so if the worst happens, the lights stay on.”
Luann Dart is a freelance writer and editor who lives in the Elgin area.
October is Cybersecurity Awareness Month
Electric co-ops protect the private information of members and ensure hackers don’t tamper with the reliability of the electric grid, but member-owners have a lot at stake, too. Think about losing all the photos on your smartphone or having bank or credit card information stolen from your computer.
Cyber criminals all over the world are on the prowl through the internet.
There are simple steps you can do to protect yourself online during Cybersecurity Awareness Month in October – and all year-round:
Create a strong password
Creating and remembering complex passwords can be daunting. To help make this easier to manage, think of a passphrase rather than a password. ILove!ceCr3am would be a good password. And avoid using the same password for all your online accounts. An easy way of keeping track and remembering your passwords is by using a password manager.
Enable multi-factor authentication (MFA), which adds that necessary second check to verify your identity when logging in to one of your accounts. By requiring multiple methods of authentication, your account is further protected from being compromised.
Remember to change the password at least every six months.
Keep software updated
Updates often add security patches to protect against new threats. When a device prompts that it’s time to update the software, it may be tempting to simply click postpone and ignore the message. However, having the latest security software, web browser and operating system on devices is one of the best defenses against online threats.
Think before clicking
A lot of the computer hacking problems result from people clicking on links or attached files that infect their computers or mobile devices. An email can even be disguised to look like it’s coming from your best friend, so simple diligence can be extremely beneficial. Take a moment and move your cursor over a link to reveal the full address before clicking it.
Do some research before downloading anything new to your device, such as apps. Check who created the app, what the user reviews say and if there are any articles published online about the app’s privacy and security features.
Install and use virus protection
Buy your anti-virus software from one of the recognized major companies, and make it a subscription-type service that regularly sends automatic updates.
Back up your devices
Make sure you have a current copy of everything on your computer or mobile device. Every few weeks, transfer your contents to an external storage system that you then unplug from your computer.
Check your settings
Check your privacy and security settings and be aware who can access your documents. This extends from Google docs, to Zoom calls and beyond. For meetings on Zoom, for example, create passwords so only those invited to the session can attend, and restrict who can share their screen or files with the rest of the attendees.
Secure all your devices
Hackers have started invading wireless printers and baby monitors that work through the internet. Read the instructions carefully, set good passwords, keep the devices updated and make sure any wireless routers in your home are secure as well. Any internet-connected device is vulnerable – smart TVs, cameras, voice-activated speakers, thermostats, video games, fitness bracelets, internet-connected refrigerators and even lightbulbs.
Protect the kids
Don’t forget that children also need to be aware and practice good cyber hygiene. They should know not to share information such as birthdates and other ID numbers. Learn to use age-appropriate parental control options on your hardware and software, too.