To provide customers with several payment options, the Utilities Department of the Village of Jackson Center in Ohio accepts direct bank account and credit card payments. To ensure the security of customer information and thwart cyber intrusions overall, Jackson Center took advantage of cybersecurity services offered by its electric service wholesale supplier, American Municipal Power, Inc. (AMP). With the help of an assessment conducted by AMP personnel, Jackson Center has developed a culture of cyber vigilance and addresses vulnerabilities through an effective step-by-step process that is manageable for a small staff.
Cybersecurity One Step at a Time
Jackson Center’s cybersecurity focus intensified in 2017 when the American Public Power Association funded cybersecurity assessments for five member utilities. The Association selected Jackson Center as the small municipality in the program, arranging for a consulting firm to assess its cyber and physical security. Then, in 2019, Jackson Center brought in AMP personnel to conduct a second cybersecurity assessment, a service AMP offers in partnership with Hometown Connections, Inc.
As the services organization dedicated to enhancing the performance of community-owned utilities, Hometown Connections is helping utilities identify shortcomings in their cyber defenses and develop strategies to resolve them. AMP is one of six public power joint action agencies that co-own Hometown Connections. Through an alliance network organized by Hometown Connections, qualified personnel at AMP and other joint action agencies conduct the assessments to:
- Compare the utility’s current technology architecture, policies, and controls with industry standard guidelines
- Use vulnerability scanning tools to look for weaknesses in information systems on the utility’s network
- Conduct simulated phishing attacks and an incident response tabletop exercise for staff
- Provide detailed recommendations to address deficiencies, prioritize action items, and budget for security improvements
With an office staff of 4 and a working crew of 10, Jackson Center serves about 780 customers. The utility’s largest industrial account is the factory where Airstream manufactures its iconic “silver bullet” travel trailer. For the 2017 assessment, the consulting firm came in for a launch meeting with the Jackson Center staff and their IT contractor. “One of the consultants sat down, opened his laptop, began typing furiously, and within minutes gained access to the information system for the entire city,” said Bruce Metz, Village Manager. “By accessing our server, he could control everything from our billing system to our downtown billboard signs. That was our instant wakeup call.”
The consulting firm provided a long list of action items for Jackson Center’s IT contractor and staff. “We began with the simple stuff,” Metz said. “The IT team addressed technical issues, including making sure we back up our data off site every 15 minutes. At the staff level, everyone changes their passwords every 30 days, computer screens time out to require frequent log-ins, there is a lock on the door of the IT control room, we conduct staff training every quarter, and we run a phishing test every month. During the test, we distribute surprise emails to evaluate how well our staff is absorbing their training about avoiding suspicious links.”
Because Metz sees the value in asking a neutral third party to conduct cyber assessments every two years, he brought in the AMP team to conduct the Hometown Connections assessment in 2019. This assessment included a detailed questionnaire about the existing cyber program, a phishing exercise, and an incident response tabletop exercise that simulates ransomware and other attacks, working through how to return to normal operations as quickly as possible.
“Trust but verify is my motto,” Metz said. “Many of my colleagues in public power focus on the trust part alone, leaving cybersecurity to their IT departments. But cybersecurity is very complex and always changing. Senior managers must roll up their sleeves and get involved. You may not understand all of the technical jargon but you can keep the organization focused on cybersecurity and moving forward.”
Metz advises, “Don’t get stuck like a deer caught in the headlights. Bring someone in to provide a baseline cyber assessment. They will likely give you a long list of vulnerabilities to address. Don’t panic. Begin with the basic items and work your way up. You won’t be able to fix everything at once. But you need to get started and keep going. Be sure to read the alerts and other good information that AMP and the American Public Power Association send out.”
Turning Cybersecurity into a Company-wide Strategy
One fundamental strategy is to train and retrain your staff, over and over again. “We are taking the same approach to cybersecurity as we take to safety,” Metz explained. “The same due diligence our line crews take to safety briefings applies to cybersecurity. All employees receive cyber training regularly. Whenever we conduct phishing exercises, someone inevitably falls for the traps, clicking on such red herrings as links for tracking a package delivery. But hopefully the next time, they will hesitate just long enough to avoid the dangerous click.”
In addition to the cyber practices questionnaire and phishing exercises, Metz valued the incident response tabletop exercises provided during the AMP/Hometown Connections assessment. “Cybersecurity is never a one-and-done proposition,” Metz said. “As hard as we are working to prevent hacks, the bad actors are out there, targeting our municipalities and utilities day and night. Through the AMP team, we learned how to limit the damage if the worst happens.”
Metz plans to continue his cycle of bringing in outside help to conduct a cybersecurity assessment every two years. After engaging a consulting firm in 2017 and AMP/Hometown Connections in 2019, in 2021 he may invite his insurance company to conduct Jackson Center’s next cybersecurity audit.
For More Information
Village of Jackson Center, Ohio
Executive Marketing Consultant
Hometown Connections, Inc.