February 3, 2025 – Bryson Bort is joined by Carter Manucy, Director of Cybersecurity at the National Rural Electric Cooperative Association to discuss rural electric cooperatives, the importance of collaboration, and the state of cybersecurity in the energy sector. With over two decades of experience in the sector, Carter was recently awarded E-ISAC’s prestigious Michael J. Assante Award for his leadership on initiatives to protect the grid and electric co-ops.
How are cooperatives fostering a stronger cybersecurity culture? What are the unique challenges faced by rural electric cooperatives in the cybersecurity landscape? And what does Carter see in his crystal ball for the future of cybersecurity in the energy sector?
“I think as a country, we’ve really got to pull together or else we’re going to be behind the eight ball in a few years, and that could really look bad for everybody…power runs all of our lives,” Carter said. “If I had that magic wand, I think I would get rid of a lot of the politics that are there so that we can focus on getting funding to help in the areas that it really is needed, and move that needle forward.”
Join us for this and more on this episode of Hack the Plan[e]t.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Transcript
I’m Bryson Bort and this is Hack the Plant.
For today’s episode, I’m joined by Carter Manucy, Cybersecurity Director at NRECA, the National Rural Electric Cooperative Association. Carter leads cybersecurity initiatives for over 900 rural electric cooperatives throughout the United States.
“The bottom line, they’re trying to do things with the most value possible. So a lot of times that means that your generation may not be the most modern, or they may be using some outdated technologies because they still work and they still do their job very well. So, it becomes a more difficult thing to invest and not be able to recover the rates through just raising rates through the customer base.
They don’t want to do that with a co-op. It’s member-owned and operated. The members of the utility, meaning the people that are paying the electric bills, the homeowners, actually own that co-op. So they don’t want to raise rates unless they really need to. Same thing for municipals, it can become a political thing, but keeping low-cost power and electricity is a main driver for a lot of these companies, because a lot of these companies are serving customers that have very little income.”
Carter explains why affordability is a top priority for rural electric cooperatives, and how they remain low-cost for their members.
Project Guardian is a federally funded effort that we have with the Department of Energy, a five-year effort. It has multiple different levels that we’re trying to focus on, but one of those is the idea around the cyber champion. The cyber champions are a concept where we have a cooperative that can help other cooperatives, because we realize as NRECA we can’t have one-to-one relationships with all 900 of our members down to their particular level of need. We can build programs that help all 900, but we can’t necessarily have all of those constant relationships.
So the idea is having a localized resource that can have those one-to-one relationships, and then they can make sure that we are communicating both directions, both inter-ACC program-wise and help-wise. But also, if that co-op needs specific help, they can help bring that message forward. And then bring that to a larger community so that they can get the resources they need to help them in their particular situation.
He highlights the importance of collaboration and taking a localized approach to cybersecurity in the energy sector.
A lot of what drives NRECA and me is our cooperative principles. Co-ops have a series of seven principles. We focus on a few of them specifically in our cybersecurity side.
But cooperation among cooperatives is key among those values. And that really resonates not only with me, but also it helps our members help each other. And I think that that’s really what helps promote a good culture, and culture is really the key component that has to change in order for cybersecurity, I think, to take a good grip in a utility, and actually make progress and be successful. If you don’t have that good culture, you don’t have that good comprehension of what needs to happen. You don’t understand the threats and you’re not communicating them well. Things might never change. And I see that changing a lot. And that gives me a lot of hope.
How are cooperatives fostering a stronger cybersecurity culture? What are the unique challenges faced by rural electric cooperatives in the cybersecurity landscape? And what does Carter see in his crystal ball for the future of cybersecurity in the energy sector? Find out the answers to these questions and more on this episode of Hack the Plant.
Before we kick off today’s episode, I wanted to take this opportunity to remember Mike Assante, a pioneer in the field of industrial control system cybersecurity, who sadly passed away in 2019. Dragos CEO and close friend of Mike’s, Robert Lee, joined me to share his memories with us.
Rob, who was Michael Assante?
Robert Lee: Michael Assante was an individual who sort of went beyond any one category or defining thing. He started out in the U.S. Navy, which we forgive him for his inferior choice in the military, but that’s okay. He started out in the U.S. Navy, did a lot of stuff that we’ll never be allowed to talk about, but did really cool things, understanding control systems at a time that folks really didn’t understand the impact of them from a cyber perspective.
After that, he did a bunch of interesting things in the intelligence community, became a chief security officer at one of the largest power companies out there. Became one of the plank holders and founding members of the Electricity ISAC, became sort of the chief security person for the regulator for the North American electric power grid and electric system.
He has been in front of Congress, presidents, and parliamentary members more often than probably anybody else. And all along that time he was out building communities, and that is probably what was his superpower. He would bring together people. And he wouldn’t do it as an event organizer. He did it as the person that was the expert on the topic.
And he always made you feel like you could talk to him and share in his level of expertise, even though he was levels ahead of you. He made you feel special. He made you feel good. He made you feel like you could get up in the morning and go change the world. Even if it was in areas that he was already changing, and so he was my friend, my colleague, my mentor, my brother, and his work over at the SANS Institute, for 20 plus years, bringing communities together and building the courses and answering the call of the industry was something that made him special.
His place as a man of faith and a family member and always doing what was right for the global community, not just this country. That was, that was something special. And so Mike is the reason that a lot of us are in ICS security. He is the reason ICS security is where it is today. And a lot of people who don’t even know his name are benefiting from all the work that he did.
And there’s a lot of people in ICS security that don’t know who he is, that are probably only doing what they’re doing in ICS security in some small part, if not large part, due to what he did. So, Mike was special.
Thanks Rob. The Electricity Information Sharing and Analysis Center named the E-ISAC Electricity Security Service Award in Mike’s honor, to recognize individuals who have made significant contributions to the electric industry and demonstrate the leadership and innovation that he exemplified.
Carter Manucy was the recipient of this prestigious award in 2024 for his work on initiatives to protect the grid and electric co-ops. And I’m excited to have him here with us today. Welcome, Carter!
Carter: Hey everybody, this is Carter Manucy. I am the cybersecurity director for the BTS area of NRECA, the National Rural Electric Cooperative Association, where we have over 900 rural electric cooperatives throughout the United States that are members of our organization.
Bryson: So NRECA, what is that? What do you do?
Carter: Our mission at NRECA is focused on our members. So we have a series of programs or funding that we try to bring to our co-ops to help them improve their cybersecurity. That’s the bottom line. That’s really what we’re trying to do is find out how to meet our cooperatives, where they are, improve their cybersecurity, improve their awareness, and do that through a number of different funding mechanisms that we have. Be it member dues, federal funding, just about anything we can do to bring that there.
Bryson: You were with Florida Power and Electric before this, correct?
Carter: Florida Municipal Power Agency. So Florida–FMPA is a municipal joint action agency. I was with them for 27 years before coming to NRECA. So I thought that I’d never leave when I first started, and I started getting into my career, but I ended up as the IT/OT Cybersecurity Director there, overseeing both our corporate IT cybersecurity, and also our operational technology, OT side, cybersecurity as it related to the generation facilities and stuff like that, that FMPA owned and operated.
Bryson: What does it mean to be a municipal?
Carter: The difference between the munis and the co-ops, or the municipals and the cooperatives, is an interesting conversation I have with a number of people. Effectively, at the bottom line, both are considerably non-profit. For a municipal, that means that they’re generally owned or operated by a city.
A cooperative is a group that has decided to come together and fulfill a mission. The cooperatives were formed differently than the municipals back, you know, when electrification was first hitting America. For the cooperatives it was, nobody else wanted to serve these areas, and they had to get lines and power and everything else to areas of the U.S. that were not centrally located. You know, they weren’t part of a large populace. So that’s where a lot of the munis started as well, were small cities and then, oh, we need power. So they built a power plant and then they would serve their local community. Over time that grew and changed as, you know, electrification and the grid modernized.
So now we’re all obviously interconnected in a much larger world. But we have effectively in this arena, we’ve got three different types of electric utilities. You’ve got your municipals, which I used to work for, the cooperatives, which I work for now, and then the Investor Owned Utilities or the IOUs, which are the third component of that.
And those are your Florida Power & Lights and Duke Energies.
Bryson: So everybody’s been reading about the increasing threat that stalks the cybersecurity landscape, and we’ve had reports of Chinese, Russian, and potentially Iranian actors that are targeting this level of critical infrastructure. But let’s put the cybersecurity part to the side for a second. What is the challenge at the municipal level? What is hard about generating, transmitting, distributing electricity?
Carter: Both for the municipals and the co-ops, because they are not for profits a lot of times, or in a municipal space, they may have money that gets transferred back to the city government, which becomes a whole other issue. But the bottom line, they’re trying to do things with the most value possible.
So a lot of times that means that your generation may not be the most modern, or they may be using some outdated technologies because they still work and they still do their job very well. So it becomes a more difficult thing to invest and not be able to recover the rates through just raising rates through the customer base.
They don’t want to do that with a co-op. It’s member-owned and operated. The members of the utility, meaning the people that are paying the electric bills, the homeowners, actually own that co-op. So they don’t want to raise rates unless they really need to. Same thing for municipals, it can become a political thing, but keeping low-cost power and electricity is a main driver for a lot of these companies. Because a lot of these companies are serving customers that have very little income.
So they’re trying to do this in a very cost effective manner so that these folks actually can still stay in those locations and aren’t driven out by high-cost electricity, along with all the other increasing food and housing and all the other things that are going on in the world.
Bryson: Another aspect of it is this is also the key element that drives business growth and innovation. If I am starting a manufacturing plant, if I’m building an office park, I need electricity, I need you to provide me that infrastructure to be able to grow and to operate. I’m aware that particularly since the start of the Ukraine War in 2022, that there was a supply chain issue with industrial control systems, and so there were elements of business growth where that lead time got longer and it affected us. Is that something that you saw? How did you deal with that?
Carter: There was definitely a big situation, still remains a situation, especially around transformers and being able to procure them. And transformers are that base converter that takes a high voltage into something that’s actually usable by a consumer, or a business, or what have you.
That is still a huge problem throughout, and because the U.S. doesn’t manufacture a lot of those, it becomes a supply chain component of a global scale. And if we’re not sourcing these things from countries that are friendly with the U.S., that becomes an even more compounding problem. So yes, the supply chain problems are real.
It is not just because of the Ukraine War anymore, but there was definitely an inflection point around COVID and everything else that happened that just caused this cascading series of problems that I don’t think we still have fully climbed out of that hole.
Bryson: Now let’s add cybersecurity as a problem on top of everything we’ve just discussed. Go.
Carter: Well, that’s the reason I’m here, right? It’s a reason that I moved to NRECA was because I really wanted to be able to put these programs in place and be able to have a much larger impact across the U.S. Cybersecurity, there’s a number of programs, obviously, that we have in place that are trying to help our cooperatives with that, not least of which is our Threat Analysis Center, where one of the big problems we know with cyber is it’s just pervasive, right? It is continuous.
There’s just a ton of alerts that come out through E-ISAC, and CISA, and everybody under the sun is throwing new vulnerability alerts at you. So recognizing that, we put together a platform that allows our members to come in and filter down on the things that are just important to them, their particular cooperative, and really that helps limit the number of alerts that they’re seeing to ones that are really, truly relevant to them.
And in the event that something is happening that perhaps they are not aware of, we can elevate that trigger, so to speak, and actually broadcast a little more. Maybe a good example recently: we’ve had a number of vulnerabilities with Cisco and Fortinet, and it’s this constant stuff around firewall and VPN devices.
And we saw that across the board. It didn’t really matter what manufacturer you’re using, you’re more than likely going to be affected by one of these things happening because of the attacks that were being brought forward by all the adversaries on these particular points of entry into so many different businesses.
So we would put together kind of a meta alert and broadcast that thought to everybody and say, Hey, just as a reminder, you probably have a security control device that has been affected, and just make sure that you are paying attention to your manufacturer’s current situation, and you’re staying up to date with anything on your edge device.
Bryson: So it sounds like a more focused program the way CISA has been doing the KEVs, the Known Exploited Vulnerabilities.
Carter: The KEVs are actually brought into our Threat Analysis Center. We have machine-to-machine connectivity with CISA and also with E-ISAC, where we can bring their alerts in directly. We don’t have to do any touching of those, although we do a lot of enhancing of those alerts to make sure that they’re a little more focused and polished, but exactly that. So we are looking at things that are actually going on in the space that are directly affecting our members, so that they can focus on those instead of everything. And then that allows them to actually get a little more work done in their day-to-day life, instead of having to focus and filter through a hundred things that aren’t necessarily relevant to them.
Bryson: High fidelity signal in all of the noise.
Carter: That is the mission.
Bryson: And I think that’s even more critical for this particular asset owner base because of the resource constraints that they have. They do not have substantial cybersecurity teams to be able to respond, to be able to process this information.
Carter: That is 100% correct. That’s also part of another program that we have. Project Guardian is a federally funded effort that we have with the Department of Energy, a five-year effort. It has multiple different levels that we’re trying to focus on, but one of those is the idea around the cyber champion.
The cyber champions are a concept where we have a cooperative that can help other cooperatives, because we realize as NRECA we can’t have one to one relationships with all 900 of our members down to their particular level of need. We can build programs that help all 900. But we can’t necessarily have all of those constant relationships.
So the idea is having a localized resource that can have those one to one relationships, and then they can make sure that we are communicating both directions, both inter ACC program wise and help wise. But also, if that co-op needs specific help, they can help bring that message forward. And then bring that to a larger community so that they can get the resources they need to help them in their particular situation.
Bryson: Is there a relationship with the traditional asset owners?
Carter: Most of the relationships that NRECA has and other municipal utilities have are mostly through the Cyber Mutual Assistance Program. So that is a program that was started through the ESCC, the Electricity Subsector Coordinating Council, probably about 10 years ago, if memory serves correctly, through a GridEx, even more acronyms here, exercise that identified the fact that we don’t do a great job of communicating with each other.
If something hits the fan, the federal government isn’t going to be able to respond to every single utility that might need help. So, are we able to help each other out? So, this CMA program is very akin to the mutual aid that happens during a normal natural disaster, but on the cyber side. How can we help each other, either through resourcing or through just identification of issues or in just sharing things left of boom that are good practices with each other so that we can take those on in our own way. And I think that’s one of the great benefits right now of the community as a whole coming together and working on the cybersecurity side, where cyber threats are the same, I think, for every type of utility out there; it’s just how you handle them, your ability to handle them, and how many people you have actually responding to those things. That’s basically the biggest delta.
Bryson: What other projects and future things are you trying to do at NRECA?
Carter: We’ve got a ton of different things. One of the big ones is our Co-op Cyber Tech conference that we put on every year. It’s coming up again in June, June 24th through the 26th in Denver. But that is where we try to bring not only content to our members and to the general populace, but also hands-on exercises, like we’ll bring the ICS Village in.
You guys are coming to help us out there. We’ll bring in other villages, we’ll have a lockpick village, soldering, those types of things, hands-on exercises. We also do poster sessions, also known as a science fair, among other terms, where we’ll show different types of national labs or .edu type applications or things that are going on, to bring those forward to the co-op so they can understand other things that they might be able to take advantage of.
But this is really just a space for them to come and learn across the IT and OT space from all levels of education and just helping build that camaraderie, understand what’s going on. And have those good conversations, hallway con, if you will. The networking events, those types of things are just as important, I think, as all the conferencing components.
Outside of our Guardian project, we have a lot of other resources I’d mentioned through the threat analysis. We’re also doing a lot of things around education and training, so we have a lot of that funding that’s coming forward through the Department of Energy as well. Just in other terms, we have our operational technology deployment money that’s available out there.
We have $15 million from the DOE to put OT sensors out in our cooperative space. So a lot of these different programs we’re bringing forward to the co-ops to say, look, if you have an issue, let us know what it is. And the thing that ties all of these different educational opportunity things together is our Cyber Goals program, which was actually started back in December of ’22. And that actually brought forward the idea of, where do I start?
So breaking down all of the different frameworks and everything else in the request for cybersecurity, and where should I be focusing? Earlier this year, we brought together another set of 10 goals, which added on to the original 10. A lot of these were aligned to other frameworks like the CISA CPGs, the Cybersecurity Performance Goals that CISA had.
And showing folks, look, this is where we think a co-op should be focusing their attention after they get done with the first 10. We’ve got over 425 of our members currently signed up for the Cyber Goals program. And it does a number of different things for NRECA, not only in helping co-ops educate themselves on how to get started, but it also shows us where co-ops might be needing extra help and a push.
For example, one of the cyber goals is around supply chain and making sure that you’ve got your contracts reviewed. If that were something that was a real struggle for our members, we would take resources and start funneling them towards that to help. Okay, well, how do we help our members get better at doing that if that’s something they’re really struggling with?
So we use this program in a number of different ways, but it ties all of our different programming together to bring together all the members to say, look, this is where you start, this is the next step, this is the next step. Because that journey of cybersecurity is it’s never done, but sometimes it’s overwhelming.
And so that’s what our job is a lot of times is to say, okay, we’ve got you here. Let’s get you started, get these things done, move on to the next, move on to the next. And by the time you actually get a few things accomplished, all of a sudden you’re well on your way to perhaps a much larger framework and understanding C2M2 or some of the other CSF frameworks and everything else.
Bryson: Well, it sounds like it’s going well enough. You recently just won the Michael Assante Award. Can you tell us what that is and for what?
Carter: That was a very proud moment. So the Assante Award is an award that the E-ISAC put together four years ago, if memory serves, and in that they recognize a couple of individuals every year that have contributed to Assante’s legacy.
So Michael Assante, for those that haven’t heard of him, he is probably part of the reason that you and I are sitting here talking today, Bryson. He was really focused on operational technology, and making sure that the community was working together. He was one of the original executives for the E-ISAC and NERC, but his whole mantra was about having people work together, and he was that kind-hearted soul that you could, you could have a conversation with. And it felt like it was, it was so genuine because it was.
So being able to embody those same types of things and helping the community grow and foster is what this award represents, especially to me. Throughout my career, I have spent a lot of time with NERC through CIPC, and trying to understand the needs of the municipal space back in the day in public power, how NERC requirements and NERC CIP relate to those types of entities, and how to tailor a lot of this stuff to the specific needs of smaller utilities.
I spent a lot of time focused on small utilities throughout that career progression, including, as I mentioned, the Cyber Mutual Assistance Program. And just in general, trying to build out a cybersecurity program, which I have now had a lot of success with at NRECA. And so to have this award and the recognition that goes along with it, really, it hits home for me because it shows not only the fact that I’m doing the right things for the right reasons, but I also like to remind folks that if I can do it, then that means that anybody else can too. All it takes is that perseverance and that dedication to something that you’ve got as a core value of yourself. And once you have that, once you understand that, and you can find your platform, I think folks are willing to see that and promote you for it.
Bryson: What else is NRECA doing with government? And it doesn’t just have to be federal government. Are there different relationships down at the state and the local level?
Carter: NRECA has a number of different member structures. So we have our distribution utilities, and then we have our G&Ts, our generation transmission, and then we also have our statewide.
Our statewides, a lot of times, are focused on mutual aid and those types of things, but that’s a lot of the focus that NRECA has at a state level, is what’s going on with the different state organizations. So we support all of those and work with many of them in our programming to help identify where we can have alignment to help them further their goals and their needs.
So, very akin to this, the cyber champion program I was talking about. That’s how a lot of these things relate and come together. Some of the other federal level stuff that we do, a lot of it is focused around the national labs, which are funded through the Department of Energy. So we work with a number of them on projects that are not just cybersecurity focused.
I mean, that’s my swim lane, but we also have a lot of other projects around electric vehicles, enhancing grid technologies, and just new technologies that have to do with clean energy or any of those types of things. And also just in helping through, what is the grid of the future look like? What is a new type of way to deal with distributed energy resources and everything else?
So we have a lot of those different relationships that we do. We also have great relationships on the federal side through Congress, and other ways through our government relations department. There’s a number of interfaces that NRECA will just have touch points on the federal government, local, state levels, everywhere we possibly can.
We also have relationships with individuals and organizations that don’t necessarily have cooperative membership involved in them, like the MS-ISAC or the Multi-State ISAC. We are always trying to make sure that we’ve got a constant finger on the pulse of the nation, and also of what’s going on in cybersecurity so that we can bring any of those resources forward to our membership, regardless of the source of it.
Bryson: You definitely have trained a lot since when I first met you. The way you’re able to rattle all of that off with perfect cadence. I mean, bam, bam, bam, bam.
Carter: I have learned. I have trained myself, I guess you could say Bryson. I have definitely changed my focus quite a bit, but this is really what I came here for.
It was in understanding what options are available out there. How can we do a better job of what we’re doing? How can we move the needle forward? And that’s really what my mission is, is just helping promote and educate any of these small utilities in ways that they don’t understand, or can’t do themselves, and that just resonates with me for whatever reason.
Bryson: Any grab bag things that you didn’t cover that you want to before we go into our final round?
Carter: I think the only other thing to mention is the fact that a lot of what drives NRECA and me is our cooperative principles. Co-ops have a series of seven principles. We focus on a few of them specifically in our cybersecurity side.
But cooperation among cooperatives is key among those values, and that really resonates not only with me, but also it helps our members help each other. And I think that that’s really what helps promote a good culture, and culture is really the key component that has to change in order for cybersecurity, I think, to take a good grip in a utility and actually make progress and be successful. If you don’t have that good culture, you don’t have that good comprehension of what needs to happen.
You don’t understand the threats and you’re not communicating them well. Things might never change. And I see that changing a lot. And that gives me a lot of hope.
Bryson: If you could wave a magic, non-internet connected wand, what would you change?
Carter: I would change a lot of the political landscape that puts barriers up for no reason in my eyes, or should I say, no good reason in my eyes, keeps us from moving the needle forward.
A lot of times we see that we are having fights, so to speak, and I put that word in quotes, around moving the needle forward and not wanting to get out of the mud. Sometimes I’ll call that hostage mode, where folks will just, you know, kind of stick their head in the sand and just not want to recognize that there’s a problem to solve.
I think with all the efforts that we have in play, with all the federal funding, with all of the resources that are available to us, it’s not just NRECA that’s available to this, but also our brethren over at APPA, the American Public Power Association. We can make a change, and we can do this for the better, and this is not an unsolvable problem. But I think as a country, we’ve really got to pull together or else we’re going to be behind the eight ball in a few years, and that could really look bad for everybody. And it’s really, power runs all of our lives. It’s central to being a sovereign country, obviously, but also in just understanding the impact that a lack of power has on society as a whole. So we have a great responsibility to carry forward. And if I had that magic wand, I think I would get rid of a lot of the politics that are there so that we can focus on getting funding to help in the areas that it really is needed, and move that needle forward in ways that haven’t happened so far.
Bryson: You’ve waved your magic wand. Now, looking into your crystal ball, which looks suspiciously like an HMI. One good and one bad thing that you think will happen.
Carter: One good thing is definitely around our Project Guardian. I am, extraordinarily thrilled with the progress that has been made in just a short time we’ve started this project, but looking forward into all the good things that are going to come out of this. I am thoroughly excited by what the future of all of our cooperatives is going to look like in the cybersecurity space.
For the bad, I would say we have likely a lot more conflict coming up in our future, and it could be from a ransomware standpoint, a nation-state standpoint, but I think we’re just going to be focusing, seeing more and more of this continued upward trend on threats and exploited vulnerabilities that are going to take a higher level of effort for us to be able to counter.
So that’s why I had my magic wand, was to try to dissuade a lot of this stuff that I’m seeing in the future is playing out, because we need to make sure that we’re focused on the efforts today so that we can keep them from happening tomorrow.
Bryson: Thank you very much for joining us today.
Carter: Thanks, Bryson.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they’re released. Thanks for listening.