The National Rural Electric Cooperative Association is launching a request for proposals for small and mid-sized electric cooperatives to test an affordable, "bi-directional" cybersecurity alert program that automates the sharing of intelligence but also identifies any suspicious behavior.
Cynthia Hsu, the association's, or NRECA's, cybersecurity program manager for business and technology strategies, announced at an Oct. 10 forum in Arlington, Va., that the association is looking for participants to try out the U.S. Department of Energy-funded technology once a request for proposals is issued later in 2017 or early 2018.
NRECA first unveiled the Rural Cooperative Cybersecurity Capabilities Program, or RC3, in 2016 with the aim of helping smaller electric cooperatives that have few or no information technology staffers and limited access to cutting-edge cybersecurity service providers because of their location. The announcement of the request for proposals for the RC3 program occurred during a panel discussion on the current state of cybersecurity for U.S. electric utilities.
At the discussion, Puesh Kumar, DOE director of infrastructure security and energy restoration, said the electricity sector takes cybersecurity threats more seriously than others, as evidenced by the billions of dollars already invested to upgrade hardware, software and security controls.
However, while acknowledging that smaller utilities, including electric cooperatives, are often more nimble, Kumar said the DOE recognizes that a small utility may not have enough resources to implement a lot of changes.
This is where RC3's new automated intelligence sharing program could be of benefit. As explained by Hsu, the hefty price tag for the DOE's existing threat detecting and sharing program, called the Cybersecurity Risk Information Sharing Program, also known as CRISP, currently inhibits national security by limiting participation to larger utilities.
Hsu said the goal of the new automated sharing program is to create a "faster and more efficient way" to share threat intelligence across a community that is both financially affordable and scalable so the program can be of use for any utility, no matter the resources.
"We're talking about a lot of utilities who have minimal IT staff," explained Hsu. "You can't just download eight pages of vulnerabilities and expect somebody with no IT staff to spend every day looking at that. So there's a level of automation that needs to come into this technology."
Hsu said the sharing program envisions that participants will not only pay attention to incoming "threat feeds" of already known indicators but also share back into the community pool any unusual behavior that "might be an advanced persistent threat [i.e. a cyberattack directed towards a specific victim] or an actual campaign."
"If you see it but you're not aware that five other utilities saw it also and none of you report it, then from a national perspective, we can't see that campaign," said Hsu. "I understand all the reasons that people don't share threat intel, but it is a real challenge for us to see that campaign without people participating and sharing information."
Kumar agreed that sharing needs to go beyond web briefings and discussions to a faster, automated system that matches the speed of the network.
Kumar went on to say that intelligence sharing needs to go both ways so the DOE can help utilities "connect the dots to larger threats" that individual utilities alone might not see. "But if you start aggregating information streams from various utilities, then suddenly you can start to see patterns and start to address those collectively," he said.