Implementing Continuous Testing and Collaboration to Protect Essential Services

- Year Founded: 1949
- Operational reach: Serving 2.5 million people across 93 counties in North Carolina.
About NCEC:
To empower North Carolina’s rural communities by delivering safe, reliable, and affordable electricity through a cooperative model that champions innovation, resilience, and sustainability. North Carolina Electric Cooperatives (NCEC) is dedicated to enhancing the quality of life for its members, fostering economic growth, and advancing renewable energy initiatives while safeguarding the integrity of critical infrastructure against evolving cyber threats.
As digital threats continue to evolve, critical infrastructure—including energy, water, and transportation systems—has continued to be a prime target for cyberattacks. These essential services are increasingly interconnected, exposing them to risks from sophisticated cybercriminals and nation-state actors. The consequences of a successful attack on critical infrastructure can be devastating, leading to prolonged outages, significant economic impacts, and even threats to public safety. To mitigate these risks, organizations must adopt a preemptive and proactive cybersecurity approach that emphasizes continuous assessments, vulnerability management, and robust defense strategies. In the face of rapidly advancing threats, only forward-thinking security programs can ensure the resilience and reliability of these essential systems.
One example of “proactive defense in action” can be found at the North Carolina Electric Cooperatives (NCEC). They have emerged as a leader in cybersecurity within the energy sector, taking steps to secure both Operational Technology (OT) and Information Technology (IT) environments across their network of 26 independent, member-owned cooperatives. Against the unique challenges posed by its decentralized structure, NCEC has implemented a comprehensive cybersecurity strategy that integrates continuous penetration testing, rigorous training, and a culture of constant vigilance.
Working Independently, Protecting Collectively
Brian Burnett, Director of Cybersecurity at NCEC, explains that “each cooperative operates independently, with some co-ops having dedicated cybersecurity personnel and others managing cybersecurity alongside their day-to-day IT duties.” He leads the organization’s defense strategies, which span both corporate IT and OT systems essential to energy production. NCEC’s structure allows each cooperative to operate independently, creating unique security needs across its network.
“This structure gives them flexibility but also introduces challenges for maintaining consistency and resilience.”
Organizational Structure and Security Challenges
NCEC’s cybersecurity landscape spans traditional IT environments and OT systems, both crucial for power generation and distribution. Each cooperative is independently responsible for its security program, but cooperative size and resources vary greatly—some have dedicated cybersecurity staff, while others manage multiple roles within IT. “The diversity in size and resources across co-ops is substantial,” notes Brian. “It’s not sustainable long-term if we’re aiming for resilience, so we’re launching an intern program next year to help build dedicated roles at each cooperative.”
NCEC’s intern program, set to launch next year, aims to create a pipeline of trained cybersecurity professionals within each cooperative, providing consistency and specialized focus.
The energy sector has seen a significant increase in cyberattacks, with U.S. utilities experiencing a 70% surge in 2024 compared to the previous year (Reuters, 2024). This increase underscores the importance of NCEC’s proactive approach and reinforces its focus on continuous monitoring to stay ahead of threats.
IT and OT Segregation
Protecting both IT and OT environments requires distinct approaches, as OT includes specialized hardware and software used in power generation. OT assets, found in substations, microgrids, and renewable energy sources, operate with unique configurations and often connect with business IT for management.
“IT and OT environments are very different…the technology in substations, solar arrays, and microgrids is in a class of its own. While there’s connectivity to business IT, rigorous controls ensure security.”
NCEC also works with Idaho National Laboratory (INL) to integrate cybersecurity into the design of new OT assets, reinforcing a “secure-by-design” approach. “By working with INL, we ensure cybersecurity is part of the engineering process, not an afterthought,” Brian explains. “That way, new assets are deployed with security built-in from day one.”
Enter NodeZero®
Before adopting NodeZero, NCEC conducted annual penetration tests through third-party vendors and performed intermittent vulnerability scanning. While effective, these assessments provided only periodic visibility, potentially missing emerging vulnerabilities. “We needed a way to assess our security posture more frequently,” says Brian. “That’s when we investigated Horizon3.ai’s NodeZero platform.”
NodeZero’s continuous, autonomous penetration testing allowed NCEC to run monthly assessments and prioritize high-risk vulnerabilities in real time, ensuring scalability across all 26 cooperatives.
Deployment and Use Case
To address these challenges, NCEC implemented the NodeZero platform to monitor, detect, and remediate exploitable vulnerabilities continuously.
NCEC’s NodeZero deployment achieved regular testing across both statewide IT and OT environments, which included:
- Monthly IT Security Testing: Monthly penetration tests using NodeZero, synchronized with NCEC’s patch cycle, validated patches and prioritized high-risk vulnerabilities, reducing the manual effort needed for reporting.
- Real-World Phishing Simulations: By integrating NodeZero with its existing phishing simulation platform, NCEC tested the impact of compromised credentials, assessing the potential “blast radius” of a phishing attack.
- Real-Time Response and Adaptation: For zero-day threats and emerging vulnerabilities, NodeZero enabled immediate scans, providing rapid insight and response capabilities.
Immediate Benefits
The implementation of NodeZero provided NCEC with a range of essential benefits that strengthened their overall cybersecurity posture. With monthly scans, NCEC gained enhanced visibility across both IT and OT environments, allowing the team to quickly address high-risk vulnerabilities as they emerged. This real-time insight has been particularly valuable for maintaining a proactive stance against evolving threats. Additionally, the centralized management of NodeZero made it possible for even the smallest cooperatives to access advanced cybersecurity resources, effectively closing the capability gap between larger and smaller entities. “NodeZero lets us support even the smallest co-ops, some without dedicated IT staff. It’s been a game-changer for co-ops that otherwise wouldn’t have regular testing,” says Brian.
NodeZero also brought efficiency to NCEC’s vulnerability management program by prioritizing remediation efforts based on risk level. This approach enabled the cybersecurity team to address critical vulnerabilities first, while less urgent issues could be managed on a scheduled basis. “The prioritization helps us act quickly on critical issues and keeps our workflow organized,” Brian notes, highlighting how NodeZero has streamlined their response and bolstered their ability to maintain a strong security posture.
Enabling Continuous Improvement and Collaboration
To validate NodeZero’s effectiveness, NCEC continues to conduct biennial penetration testing with third-party vendors, ensuring NodeZero’s findings align with external reports. Brian shares that “every other year, [they] bring in an external vendor to test our environment and validate NodeZero’s reports. It keeps [them] accountable and ensures [they’re] on the leading edge of security.”
Moreover, these insights also enable NCEC to collaborate with the INL and other industry groups, sharing best practices to continuously improve and advance cybersecurity standards within the energy sector.
Future Plans with NodeZero Insights™
NodeZero’s Insights™ delivers dashboards that will provide real-time visibility into security trends and allow NCEC’s executives to track cybersecurity performance.
“This new Insights feature will bridge the gap between cybersecurity and executive visibility,” Brian notes. “Having a dashboard we can show to the board will make it easier for them to understand our cybersecurity metrics and see how our efforts are paying off.”
Conclusion
NCEC has transformed its cybersecurity strategy through the NodeZero platform. By implementing continuous penetration testing and extending these resources to member cooperatives, NCEC has built a proactive, scalable, and resilient cybersecurity program that safeguards North Carolina’s critical energy infrastructure.
“Cybersecurity isn’t static, and it’s not a ‘set-it-and-forget-it’ situation,” says Brian. “Our approach with NodeZero allows us to stay ahead, support our co-ops, and ensure our members are safe. In an industry like ours, you can’t afford to be reactive. You must be proactive, and NodeZero has been instrumental in helping us achieve that.”