⚡ C2M2 Training Exercise | Fictional Case Study

Muskingum Valley Electric Cooperative

Rural Ohio Distribution Cooperative — C2M2 Assessment Exercise Scenario

Coshocton County, OH | Rural Distribution Cooperative | NERC CIP Low Impact | Multiple C2M2 Gaps | Exercise: All 10 Domains
Exercise Notice This case study is entirely fictional and created for C2M2 training purposes. All company names, personnel, addresses, IP addresses, vendor configurations, and operational data are simulated. Any resemblance to an actual utility is coincidental. Participants should use this data to practice a full C2M2 v2.1 self-evaluation across all 10 cybersecurity domains.
Section 1 — Company Profile

Company Overview

Legal Name: Muskingum Valley Electric Cooperative, Inc. (MVEC)
Entity Type: Member-owned rural electric cooperative; not-for-profit, 501(c)(12)
Founded: 1939; organized under the Rural Electrification Act
Headquarters: 418 Chestnut Street, Coshocton, Ohio 43812
Annual Revenue: $18.4 million (FY 2024, unaudited)
Total Employees: 34 full-time, plus 2 part-time and 3 contracted
Service Area: ~1,140 sq. miles across Coshocton, Muskingum and Guernsey Counties
Customers Served: 14,620 meters (~38,200 residents and businesses)
Wholesale Power: Buckeye Power, Inc.; member of Ohio Rural Electric Cooperatives (OREC)
Regulatory Compliance: NERC CIP, Low Impact; PUCO-regulated distribution utility
Primary Contact: David Harmon, General Manager, dharmon@mvec-ohio.coop
IT/Cybersecurity Contact: TechPath Solutions LLC (MSP), contracted; no in-house CISO or IT Manager

Company Description

Muskingum Valley Electric Cooperative (MVEC) is a member-owned rural electric cooperative serving approximately 14,620 metered customers across portions of Coshocton, Muskingum, and Guernsey Counties in east-central Ohio. The cooperative distributes electricity at distribution voltages (4 kV–34.5 kV) and does not own generation assets. Wholesale power is purchased from Buckeye Power, Inc., MVEC's generation and transmission cooperative, which is a member of the Ohio Rural Electric Cooperatives (OREC).

MVEC operates entirely as a distribution-only utility. Its service territory is predominantly rural, covering small communities, farms, and residential properties. Key served communities include Coshocton, Warsaw, Newcomerstown, West Lafayette, and Plainfield. The cooperative employs 34 full-time staff including lineworkers, operations and engineering staff, customer service, and administrative personnel. There is no dedicated IT or cybersecurity staff; IT support is provided under contract by TechPath Solutions LLC, a local managed service provider based in Coshocton.

Section 2 — Facilities & Service Territory

Facilities & Physical Infrastructure

Facility | Location | Function | Physical Security | IT/OT Present
Main Office & Operations Center | 418 Chestnut St., Coshocton, OH | Executive offices, customer service, SCADA dispatch, IT server room, engineering | Key-card entry (main), deadbolt on server room, 4 exterior cameras | High: servers & SCADA
Coshocton Substation (SS-01) | Otsego Ave., Coshocton, OH | Primary 69 kV/12.5 kV transformation; feeds 4 distribution feeders | Chain-link fence, padlocked gate, no cameras, no motion sensors | High: RTU, relays
Warsaw Substation (SS-02) | SR-60, Warsaw, OH | Secondary 69 kV/12.5 kV transformation; feeds 3 distribution feeders | Chain-link fence, padlocked gate, no cameras | High: RTU, relays
Newcomerstown Substation (SS-03) | Canal St., Newcomerstown, OH | 12.5 kV distribution switching; 1 distribution feeder | Chain-link fence, padlock only | Medium: RTU only
Equipment Yard & Warehouse | Adjacent to Main Office, Coshocton | Line truck fleet (9 vehicles), pole yard, transformer storage | Chain-link fence, manually padlocked gate; no cameras | Low: GPS in 3 trucks
West Lafayette Switching Station (SS-04) | SR-36, West Lafayette, OH | Automated distribution switching, recloser bank | Padlocked metal cabinet, no fence, roadside location | Medium: automated recloser controller
Physical Security Note for Assessors: None of the three substations (SS-01, SS-02, SS-03) or the SS-04 switching station has surveillance cameras, intrusion detection, or alarm systems. Physical access logs are not maintained. Access to substation control panels relies entirely on padlocks; key control procedures are undocumented.
Section 3 — Organizational Structure

Organizational Structure & Staffing

Organizational Chart (Simplified)

Title | Name | Cybersecurity Role
General Manager | David Harmon | Executive sponsor (informal); approves IT budget
Operations Manager | Randy Fulton | OT/SCADA system owner; no formal cybersecurity training
Engineering & Planning Manager | Teresa Albright, PE | GIS, distribution model; no cybersecurity training
Customer Service Manager | Carol Bynum | CIS system owner; oversees billing data
Finance Manager | Gene Westfall | Accounting systems; no cybersecurity role
Line Superintendent | Mike Dobrowski | Fleet GPS; no formal cybersecurity role
IT Support (Contracted) | TechPath Solutions LLC | Manages workstations, servers, email, basic firewall; remote access via VPN
SCADA Technician | Kyle Zumpf | Operates SCADA HMI; not cybersecurity trained
Administrative Assistant | Sharon Pryor | General office; handles some IT tickets via TechPath

Staffing Summary

Department | FTE Count | Notes
Executive / Management | 4 | GM, Ops Mgr, Eng. Mgr, Finance Mgr
Line Operations (Lineworkers) | 18 | Journeyman and apprentice linemen
Customer Service / Billing | 5 | CSR staff + manager
Engineering / GIS | 3 | 1 PE, 2 GIS/mapping technicians
SCADA / Substation Ops | 2 | 1 SCADA tech, 1 substation tech
Administrative / HR | 2 | Admin assistant, HR coordinator
IT / Cybersecurity (In-house) | 0 | No dedicated IT staff
Contracted IT (TechPath) | ~0.25 FTE equiv. | On-call / part-time managed services
Critical Gap — Workforce Domain (WORK) MVEC has zero dedicated cybersecurity personnel. The contracted MSP (TechPath Solutions) manages IT on a reactive basis with no formal security responsibilities defined in their service agreement. No cybersecurity awareness training has been delivered to staff in the past 24 months.
Section 4 — Information Technology (IT) Assets

IT Asset Inventory

Asset Inventory Status MVEC does not maintain a formal, documented asset inventory. The list below was compiled by TechPath Solutions during a 2023 site visit and has not been formally reviewed or approved by MVEC management. Participants should note that undocumented assets likely exist.

Servers & Core Infrastructure

Asset ID | Hostname | Type / OS | Function | Location | Patch Status | Criticality
SRV-001 | MVEC-FILESRV | Dell PowerEdge R440, Windows Server 2019 | Primary file server; shared drives for all departments; VMware host for SRV-005 and SRV-006 | Server room, Main Office | Partially current (~6 mo lag) | HIGH
SRV-002 | MVEC-SCADA01 | HP ProLiant DL360 G9, Windows Server 2016 | SCADA application server (GE e-terra Habitat v2.8); hosts HMI and historian | Server room, Main Office | Critical lag (18+ months) | CRITICAL
SRV-003 | MVEC-ACCTG | Dell OptiPlex (repurposed), Windows Server 2012 R2 | QuickBooks Enterprise server; accounts payable/receivable, payroll | Finance office, Main Office | End-of-support OS; no patches since 2023 | HIGH
SRV-004 | MVEC-AMI-HE | Dell PowerEdge R340, Windows Server 2019 | Landis+Gyr Gridstream AMI head-end; manages 14,620 smart meters | Server room, Main Office | Partially current | HIGH
SRV-005 | MVEC-CIS | Virtual (VMware on SRV-001), Windows Server 2019 | Milsoft Utility Solutions CIS (customer billing, outage management) | Logical (runs on SRV-001) | Partially current | HIGH
SRV-006 | MVEC-GIS | Virtual (VMware on SRV-001), Windows Server 2019 | Esri ArcGIS Server; distribution system geographic model | Logical (runs on SRV-001) | Partially current | MEDIUM

Workstations & End-User Devices

Count | Type / OS | Users / Location | Antivirus | Notes
6 | Desktop PC, Windows 11 Pro | Management, Finance, Engineering | Windows Defender (not centrally managed) | Mostly current patches; workgroup-joined (no AD domain)
7 | Desktop PC, Windows 10 Pro | Customer Service, Admin, Operations | Windows Defender (not centrally managed) | Mixed patch levels; 2 units on Win 10 21H2 (EOL)
2 | Desktop PC, Windows 10 LTSC 2019 | SCADA HMI workstations (OT network) | None; AV disabled on SCADA vendor recommendation | Dedicated SCADA HMI; no internet access (by policy)
4 | Laptop, Windows 11 Pro | Engineering, Operations, GM (remote work) | Windows Defender | BitLocker enabled on 2 of 4; all take work data home
3 | Tablet, iPad (iOS 17) | Field engineering, line superintendent | N/A (iOS) | Access Esri Field Maps; no MDM; personal Apple IDs used
9 | Smartphone, mixed iOS/Android | Line crew leads, managers | N/A | Access Microsoft 365 email; no MDM; BYOD, no formal policy

Business Applications (Software)

Application | Vendor | Function | Hosting | Authentication
GE e-terra Habitat v2.8 | GE Grid Solutions | SCADA / EMS / DMS | On-premise (SRV-002) | Shared local account; no MFA
Milsoft Utility Solutions | Milsoft Utility Solutions | CIS, outage management, work orders | On-premise (SRV-005) | Individual accounts; no MFA
Milsoft WindMil | Milsoft Utility Solutions | Distribution planning & modeling | Desktop (2 engineering PCs) | Windows login only
Esri ArcGIS Server | Esri | GIS, distribution system map | On-premise (SRV-006) | Windows auth; no MFA
Landis+Gyr Command Center | Landis+Gyr | AMI meter data management | On-premise (SRV-004) | Local accounts; no MFA
QuickBooks Enterprise 22.0 | Intuit | Accounting, payroll, AP/AR | On-premise (SRV-003) | Local QB accounts; no MFA
Microsoft 365 (E1) | Microsoft | Email (Exchange Online), OneDrive, Teams | Cloud (SaaS) | Password only; MFA not enforced
Buckeye Power EMS Link | Buckeye Power / OSIsoft | Wholesale energy metering data exchange | Vendor-hosted; VPN tunnel to Buckeye Power | Shared service account
AutoCAD LT 2022 | Autodesk | Engineering drawings (substation layouts) | Desktop (engineering PCs) | Autodesk cloud license
NISC SmartHub (portal) | NISC | Customer self-service web portal (billing, outage reporting) | Cloud (NISC-hosted SaaS) | Customer-facing; internal admin access via password only
Section 5 — Operational Technology (OT) & Industrial Control System Assets

OT / ICS / SCADA Asset Inventory

SCADA / Control System Components

Asset ID | Device / System | Vendor / Model | Location | Function | Firmware Status | Notes
OT-001 | SCADA Application Server | GE e-terra Habitat v2.8 | Main Office (SRV-002) | Supervisory control, data acquisition, HMI, historian | End of vendor support (EOL 2021) | No upgrade budget allocated
OT-002 | RTU, SS-01 Coshocton | GE D20MX RTU | SS-01, Coshocton | Remote terminal unit; collects breaker status, voltage, current; sends to SCADA | Firmware v3.04 (2 versions behind) | DNP3 over fiber
OT-003 | RTU, SS-02 Warsaw | GE D20MX RTU | SS-02, Warsaw | Same as OT-002 | Firmware v3.04 | DNP3 over fiber
OT-004 | RTU, SS-03 Newcomerstown | SEL-2414 RTU | SS-03, Newcomerstown | Monitoring only; no control capability | Current | 900 MHz licensed radio to Main Office
OT-005 | Protective Relays, SS-01 (x3) | SEL-351 Feeder Protection Relay | SS-01, Coshocton | Distribution feeder protection; overcurrent, ground fault | R114-V2 (1 version behind) | Serial to RTU (no direct Ethernet); default passwords unchanged
OT-006 | Protective Relays, SS-02 (x3) | SEL-351 Feeder Protection Relay | SS-02, Warsaw | Same as OT-005 | R114-V2 | Default vendor passwords in use
OT-007 | Automated Recloser Controllers (x12) | S&C Electric IntelliRupter PulseCloser | Various field locations (12 total) | Automated fault isolation and service restoration | Mixed; 4 of 12 current | 900 MHz radio to SCADA; some use an older unencrypted radio protocol
OT-008 | AMI Head-End System | Landis+Gyr Command Center v8.2 | Main Office (SRV-004) | Smart meter data collection, demand response, remote disconnect | v8.2 (current is v9.1) | RF mesh network (2.4 GHz); 14,620 meters enrolled
OT-009 | Power Quality Monitor | Dranetz HDPQ Xplorer | SS-01 (permanent install) | Voltage sag/swell, flicker monitoring | Current | USB data export; no network connectivity
Critical OT Finding — Default Credentials The SEL-351 relays at both SS-01 Coshocton (OT-005) and SS-02 Warsaw (OT-006) are using factory-default vendor passwords. These credentials are publicly documented in the SEL instruction manual, so anyone with serial or physical access to the relay panel can change protection settings. Additionally, the GE e-terra SCADA system uses a shared "SCADA_ADMIN" local account accessed by two operators and the TechPath MSP, so there is no individual accountability for SCADA actions.
Section 6 — Network Architecture & Communications

Network Architecture

Network Segments

Segment | Subnet | VLAN | Systems | Segmentation
Corporate LAN | 192.168.1.0/24 | None (flat) | All workstations, SRV-001, SRV-003, SRV-005, SRV-006, printers, VoIP phones | Flat; no VLANs
SCADA / OT Network | 10.0.10.0/24 | None (separate physical switch) | SRV-002 (SCADA), SRV-004 (AMI), 2x HMI workstations, Cisco 2960 switch (SCADA) | Partial; separate switch, but a layer-3 route to the Corp LAN exists and the uplink is an unfiltered trunk
DMZ / Internet Perimeter | 172.16.1.0/30 | N/A | Fortinet FortiGate 60E (WAN side); ISP hand-off | Firewall present. Note: the /30 is only the firewall-to-ISP transit link; there is no host DMZ, so "DMZ" here is a label rather than a segment
Guest Wi-Fi | 192.168.5.0/24 | None (separate SSID) | 2x Netgear WAC104 APs; shared by visitor and BYOD employee devices | Not isolated from Corporate LAN at switch level
Field Communications (WAN) | N/A | N/A | RTUs at SS-01, SS-02 via single-mode fiber; SS-03 and reclosers via 900 MHz licensed radio | No encryption on radio links
Vendor / Remote Access | N/A | N/A | Cisco ASA 5505 (end-of-support); used by TechPath Solutions for remote IT management and by GE for SCADA support | EoL device, no MFA, shared credentials

Logical Network Diagram

INTERNET / WAN
  |  100 Mbps fiber (Spectrum Business)
  Fortinet FortiGate 60E, WAN perimeter firewall (firmware 7.0.12; rules last reviewed 2022)
    |-- Cisco ASA 5505 VPN (end-of-support): TechPath + GE remote access
    |-- Cisco Catalyst 2960-X, CORPORATE LAN switch, 192.168.1.0/24 (flat)
    |     |-- SRV-001 FILESRV, Win Server 2019 (VMware host for SRV-005, SRV-006)
    |     |-- SRV-003 ACCOUNTING, Win Server 2012 R2, QuickBooks Ent. (EOL, no patches)
    |     |-- Workstations (13x), desktops/laptops; no AD domain, workgroup only
    |     |
    |     |  - - - PARTIAL SEGMENTATION (separate layer-2 switch; layer-3 route STILL EXISTS) - - -
    |     |
    |     '-- Cisco Catalyst 2960, OT/SCADA switch, 10.0.10.0/24
    |           |-- SRV-002 SCADA01, GE e-terra v2.8 (EOL, no support)
    |           |-- SRV-004 AMI-HE, Landis+Gyr Command Center (AMI head-end)
    |           |-- HMI WS-01, Win10 LTSC 2019, no AV installed
    |           |-- HMI WS-02, Win10 LTSC 2019, no AV installed
    |           '-- FIELD COMMUNICATIONS
    |                 SS-01 ---- single-mode fiber ----> RTU
    |                 SS-02 ---- single-mode fiber ----> RTU
    |                 SS-03 ---- 900 MHz radio (unencrypted) ----> RTU
    |                 Reclosers (12x) ---- 900 MHz radio (unencrypted)
    '-- Netgear WAC104 x2 Wi-Fi APs (2.4/5 GHz): SSID MVEC-Staff; SSID MVEC-Guest (NOT isolated from LAN)

CLOUD / EXTERNAL (reached through the FortiGate):
  Microsoft 365 (email) | NISC SmartHub (customer portal) | Buckeye Power EMS link (VPN tunnel) | Landis+Gyr cloud (AMI analytics)

Internet & Wide-Area Connectivity

Connection | Type / Speed | Provider | Purpose | Security
Primary Internet | Fiber, 100/100 Mbps | Spectrum Business | Corporate internet, email, cloud apps | Fortinet FortiGate 60E firewall; NAT; stateful inspection
VPN, TechPath MSP | IPsec tunnel via Cisco ASA 5505 | TechPath Solutions LLC | Remote IT support access (always-on tunnel) | EoL device; shared PSK; no MFA; no session logging
VPN, GE Support | IPsec tunnel via the same Cisco ASA 5505 | GE Grid Solutions | Remote SCADA support (on demand) | Same EoL VPN appliance; separate pre-shared key; no monitoring
EMS Data Link, Buckeye Power | IPsec VPN over ISP connection | Buckeye Power, Inc. | Wholesale energy metering, generation scheduling | Managed by Buckeye Power; MVEC has limited visibility into tunnel configuration
Field RTU (SS-01, SS-02) | Single-mode fiber (dedicated) | MVEC-owned | SCADA DNP3 data from substations | No encryption or message authentication (DNP3 Secure Authentication v5 not implemented)
Field RTU / Reclosers | Licensed 900 MHz radio | FCC licensed to MVEC | SCADA data from SS-03 and 12 reclosers | No encryption; no authentication on radio frames
Section 7 — Network Security Assets & Controls

Cybersecurity Controls & Security Technologies

Security Control Category | Tool / Solution | Coverage | Status / Maturity
Perimeter Firewall (IT) | Fortinet FortiGate 60E | Corporate internet perimeter | Functional; firmware 7.0.12 (1 minor version behind); rules last reviewed Nov 2022; no IPS signatures enabled; basic stateful filtering only
Firewall (OT / SCADA) | None dedicated | OT network | Gap; no dedicated OT/IT boundary firewall; OT switch connects to the Corp LAN switch via a trunk port with no ACLs
Intrusion Detection / Prevention (IDS/IPS) | None | IT & OT | Gap; no IDS/IPS deployed anywhere on the network
Security Information & Event Management (SIEM) | None | IT & OT | Gap; no centralized log collection or alerting; Windows event logs stored locally with 30-day retention only
Endpoint Detection & Response (EDR) | None (Windows Defender only) | IT workstations/servers | Gap; Defender not centrally managed; OT HMI workstations have Defender disabled; no EDR product deployed
Anti-Malware / Endpoint AV | Windows Defender (built-in) | IT workstations/laptops only | Partial; enabled on IT assets; disabled on the 2 SCADA HMI workstations; not centrally managed; definition updates may lag
Multi-Factor Authentication (MFA) | Not deployed | All systems | Gap; no MFA on any system: Microsoft 365, SCADA, CIS, VPN remote access, or financial applications
Privileged Access Management (PAM) | None | All systems | Gap; no PAM solution; shared admin credentials on SCADA and servers; no session recording for privileged access
Vulnerability Scanning | None regular | IT (ad hoc only) | Gap; TechPath ran a one-time Nessus scan in 2022 on IT systems only; no remediation tracking; no OT scanning
Patch Management | Manual (TechPath handles IT) | IT (partial); OT (minimal) | Partial; IT patches applied 3–6 months behind; OT patches 12–18 months behind; no formal patch policy; OT changes require vendor pre-approval (not documented)
Backup & Recovery | Tape backup (weekly full, nightly incremental) | SRV-001 (file server) only | Partial; tapes rotated offsite weekly to the GM's home; SCADA historian, AMI, and accounting NOT included in backup; no restore test ever documented
Network Monitoring (NPM/NMS) | None formal; TechPath RMM agent (ConnectWise Automate) | IT servers and workstations only | Partial; IT assets only; no OT network monitoring; no baseline traffic analysis; no alerting for anomalous behavior
Email Security (Anti-phishing / Anti-spam) | Exchange Online Protection only (included with M365 E1; Microsoft Defender for Office 365 is an add-on to E1 and is not licensed) | Microsoft 365 email | Partial; basic anti-spam enabled; no DMARC/DKIM configured; no phishing-simulation training run; no impersonation protection
DNS / Web Filtering | None | All outbound web traffic | Gap; no DNS filtering; no web proxy; no content categorization; users have unrestricted internet access
Data Loss Prevention (DLP) | None | All data | Gap; no DLP controls on endpoints, email, or cloud storage
Identity & Access Management (IAM) | Local Windows accounts (no Active Directory domain) | IT workstations | Gap; no centralized IAM; no AD/Entra; accounts managed individually on each machine; no documented onboarding/offboarding process
Security Awareness Training | None (last attempt: informal 2022 lunch-and-learn) | N/A | Gap; no formal training program; no phishing simulations; no cybersecurity policy acknowledgment required of staff
Incident Response Plan | Not formally documented | IT & OT | Gap; no documented IRP; no tabletop exercises conducted; staff unclear on escalation contacts; E-ISAC membership is not used for incident reporting or threat-intel sharing
Threat Intelligence | E-ISAC membership (subscribed, not actively monitored) | N/A | Nominal; daily E-ISAC alerts go to the General Manager's inbox but are rarely read; no OT-specific threat intel; not subscribed to CISA ICS advisories (formerly ICS-CERT)
Section 8 — Third-Party Relationships & Supply Chain

Third-Party & Vendor Risk

Vendor / Partner | Type | Services Provided | Access Level | Contract / SLA | Cyber Risk
TechPath Solutions LLC (Coshocton, OH) | Managed IT Services (MSP) | Workstation mgmt, server admin, email support, firewall, helpdesk | Full admin, remote & on-site; no session recording | Annual contract; MSA in place; no cybersecurity obligations specified; no SOC 2 audit | HIGH
GE Grid Solutions (GE Vernova) | SCADA OEM Support | Remote and on-site support for the GE e-terra SCADA system | Remote access via VPN to SCADA server; unmonitored | Time & materials; no formal support contract; GE e-terra EOL; support is best-effort | CRITICAL
Buckeye Power, Inc. | Generation & Transmission (G&T) Cooperative | Wholesale power supply; MVEC is a G&T member; EMS data exchange | IPsec VPN for EMS metering data; Buckeye manages its side; MVEC side not fully controlled | G&T member agreement; no separate cybersecurity MOU | MEDIUM
Landis+Gyr | AMI Vendor | Smart meter hardware, Command Center head-end software, remote analytics (cloud) | SaaS access to AMI analytics portal; agents phone home to Landis+Gyr cloud | Software maintenance agreement; SOC 2 Type II available but not reviewed by MVEC | MEDIUM
S&C Electric Company | OT Equipment Vendor | IntelliRupter automated recloser hardware & firmware updates | On-site only for physical maintenance; no remote access currently | Hardware warranty; no cybersecurity requirements in PO terms | LOW
NISC (National Information Solutions Cooperative) | SaaS, Customer Portal | SmartHub customer self-service portal (billing, outage reporting) | NISC-hosted SaaS; MVEC admin access via password (no MFA) | Service agreement; NISC ISO 27001 certified; MVEC has not reviewed their security documentation | MEDIUM
E.ON Technologies (Relay Contractor) | Substation / Relay Contractor | Relay testing, calibration, substation maintenance (annual) | Physical on-site access; brings own laptops for relay programming | Annual PO; background check not required; no cybersecurity requirements in PO | MEDIUM
Ohio Rural Electric Cooperatives (OREC) | Trade Association / Support | Member services, engineering support, group purchasing, cybersecurity resources | No direct system access | Membership; OREC provides RE-ISAC participation and cybersecurity program templates | LOW
Third-Party Risk Gap — No Vendor Cybersecurity Requirements MVEC has no supply chain cybersecurity policy, no vendor risk assessment process, and no cybersecurity addenda in any vendor contracts. TechPath Solutions and GE Grid Solutions both have privileged remote access to critical IT and OT systems with no monitoring, session recording, or contractual cybersecurity obligations. Third-party risk is a significant exposure in the THIRD-PARTIES domain.
Section 9 — Cybersecurity Policies & Governance

Policies, Governance & Compliance Posture

Existing Policy Documents

Policy | Status | Last Reviewed
Acceptable Use Policy (AUP) | Exists, outdated | 2019; not enforced
Password Policy | Informal | Never formally documented; verbal guidance only
Remote Access Policy | None | n/a
Incident Response Plan | None | n/a
SCADA / OT Security Policy | None | n/a
Third-Party / Vendor Security Policy | None | n/a
Data Classification Policy | None | n/a
Business Continuity / Disaster Recovery Plan | Draft | Draft from 2021; never finalized or tested
Physical Security Policy | Informal | Verbal procedures; key control undocumented
Employee Onboarding / Offboarding (IT) | Informal | No IT checklist; HR handles paper forms only
Cybersecurity Risk Management Policy | None | n/a
Asset Inventory Policy | None | n/a

Regulatory & Compliance Obligations

Framework / Regulation | Applicability | Current Status
NERC CIP | Low Impact BES Cyber Systems | Applicable, Low Impact only; CIP-003-8 electronic access control obligations partially addressed
C2M2 v2.1 | Voluntary (DOE recommended) | No prior self-evaluation conducted
Public Utilities Commission of Ohio (PUCO) | State distribution utility | Compliant; annual reporting current
NIST Cybersecurity Framework (CSF) | Voluntary / PUCO recommended | Not formally adopted or assessed against
E-ISAC Membership | Voluntary | Member; alerts received but not acted upon
CISA Critical Infrastructure | Energy Sector CISA partnership | No engagement with CISA; not enrolled in CISA services (e.g., CSET, Cyber Hygiene scanning)
Rural Utilities Service (RUS) / USDA | Federal loan programs | Active RUS loan; RUS cybersecurity guidelines apply but not formally reviewed
Note on NERC CIP Low Impact MVEC's BES Cyber Systems are classified as Low Impact under NERC CIP, so CIP-003-8 applies. Its Attachment 1 requires documented cyber security awareness (reinforced at least once every 15 calendar months), physical security controls, electronic access controls, a Cyber Security Incident Response Plan, and malicious-code risk mitigation for Transient Cyber Assets and Removable Media, with the underlying cyber security policies approved by a designated CIP Senior Manager. MVEC has not formally documented these controls to CIP-003-8 standards; the unrestricted USB use noted in Section 10 and the contractor laptops used for relay programming in Section 8 bear directly on the transient-asset requirement.
Section 10 — C2M2 Domain Assessment Preparation Data

Domain-by-Domain Assessment Data for Participants


Use the data below for each C2M2 domain. Each card summarizes the key observable facts about MVEC's current state relevant to that domain, along with an indicative current MIL level for participants to validate, challenge, and score.

🗂️ ASSET — Asset, Change & Configuration Mgmt
  • No formal IT or OT asset inventory exists; ad-hoc list from TechPath (2023)
  • No configuration management baseline for IT servers or OT devices
  • No change management process — SCADA changes made informally by Kyle Zumpf or TechPath
  • Software inventory not maintained; unauthorized software not monitored
  • Hardware lifecycle not tracked; EoL systems (Server 2012 R2, GE e-terra) in active use
  • Portable media (USB) use is unrestricted on corporate PCs
Indicative Current: MIL 1 (partial)
🛡️ THREAT — Threat & Vulnerability Mgmt
  • One-time Nessus scan performed in 2022 by TechPath; no remediation tracked
  • No regular vulnerability scanning program; no OT scanning ever performed
  • E-ISAC membership exists; threat alerts go to GM inbox, rarely read
  • No ICS-CERT / CISA alert subscription or review process
  • Patches applied reactively; 12–18 month lag on OT systems
  • No threat intelligence analysis process or threat hunting activity
Indicative Current: MIL 1 (minimal)
⚖️ RISK — Risk Management
  • No formal cybersecurity risk assessment has ever been conducted
  • No risk register maintained for IT or OT
  • No risk management policy or procedure documented
  • Board of Directors is not briefed on cybersecurity risks
  • GM informally acknowledges some risks but no risk tolerance defined
  • USDA/RUS loan requirements include cybersecurity — not formally reviewed
Indicative Current: MIL 0–1 (not performed)
🔑 ACCESS — Identity & Access Management
  • No Active Directory — individual local accounts on each machine
  • No MFA enforced anywhere (M365, SCADA, VPN, CIS)
  • Shared SCADA admin account ("SCADA_ADMIN") used by 2 operators + MSP
  • Default vendor passwords on SEL-351 relays at SS-01 and SS-02
  • No formal access provisioning or deprovisioning process
  • Former employee accounts: no audit of whether accounts were removed
  • TechPath has always-on VPN admin access with no session recording
Indicative Current: MIL 1 (ad hoc)
👁️ SITUATE — Situational Awareness
  • No SIEM; no centralized log collection
  • Windows event logs stored locally, 30-day retention; never reviewed
  • No IDS/IPS or network traffic monitoring
  • Firewall logs exist on FortiGate but are not routinely reviewed
  • SCADA historian captures operational data but not security events
  • No network baseline established; anomalous behavior would not be detected
  • E-ISAC alerts unmonitored; no threat intel ingestion process
Indicative Current: MIL 0–1 (no monitoring)
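The SITUATE gaps above (local-only Windows event logs, 30-day retention, never reviewed) and the shared SCADA_ADMIN account from Section 5 can be partly addressed with nothing more than the logs MVEC already has. The Python below is an added example, not part of the case study or any vendor's tooling: it reads logon records in a simplified pipe-delimited form (the six sample lines are constructed for this example, not exported from any MVEC system; a real export would come from the SCADA server's Security log, events 4624/4625) and flags one account used from several source hosts within an hour, which is what a shared credential looks like, and vendor VPN logons outside business hours. The SCADA subnet 10.0.10.0/24 comes from Section 6; the VPN address pool 192.168.200.0/24 and the HMI host addresses are assumptions for the example.

```python
"""Shared-account and off-hours vendor logon detection over local Security-log exports.

Added example for the MVEC exercise, not code from the case study. Input lines are a
constructed, simplified form "timestamp|event_id|account|logon_type|source_ip"; in
practice these fields come from Windows events 4624 (success) and 4625 (failure).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SCADA_NET = ip_network("10.0.10.0/24")            # from the case study, Section 6
VENDOR_VPN_NET = ip_network("192.168.200.0/24")   # ASSUMED address pool behind the ASA 5505
BUSINESS_HOURS = range(7, 18)                      # 07:00-17:59 local; assumed dispatch hours
SHARED_WINDOW = timedelta(hours=1)                 # "same account, different hosts" window

# Constructed sample log (not real MVEC data). Logon type 10 = RemoteInteractive (RDP),
# type 2 = local interactive. HMI addresses 10.0.10.21/.22 are assumed.
SAMPLE_LOG = """\
2025-03-03T08:02:11|4624|SCADA_ADMIN|10|10.0.10.21
2025-03-03T08:40:57|4624|SCADA_ADMIN|10|10.0.10.22
2025-03-03T08:55:03|4624|SCADA_ADMIN|10|192.168.200.14
2025-03-03T14:10:44|4624|kzumpf|2|10.0.10.21
2025-03-03T23:31:09|4624|SCADA_ADMIN|10|192.168.200.14
2025-03-04T02:17:52|4625|SCADA_ADMIN|10|192.168.200.31
"""


def parse_events(text: str) -> list[dict]:
    """Turn the pipe-delimited export into typed records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ltype, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "account": acct,
            "logon_type": int(ltype),
            "src": ip_address(ip),
        })
    return events


def shared_account_use(events: list[dict], window: timedelta = SHARED_WINDOW) -> list[tuple]:
    """Return (account, first_seen, sorted_sources) for each account whose successful
    logons arrive from more than one source IP within `window` of each other.
    A single person does not RDP in from two HMIs and a VPN pool inside an hour."""
    by_acct: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            by_acct[e["account"]].append(e)
    findings = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(srcs) > 1:
                findings.append((acct, first["ts"], sorted(str(s) for s in srcs)))
                break  # one finding per account is enough for triage
    return findings


def off_hours_vendor_logons(events: list[dict]) -> list[dict]:
    """Successful or failed logons from the vendor VPN pool outside business hours.
    GE support is 'on demand' and TechPath is IT-only, so neither has a reason to be
    on the SCADA server at 23:31."""
    return [e for e in events
            if e["src"] in VENDOR_VPN_NET and e["ts"].hour not in BUSINESS_HOURS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for acct, when, srcs in shared_account_use(evs):
        print(f"SHARED CREDENTIAL? {acct} from {len(srcs)} hosts starting {when}: {srcs}")
    for e in off_hours_vendor_logons(evs):
        print(f"OFF-HOURS VENDOR LOGON {e['ts']} {e['account']} event {e['event_id']} from {e['src']}")
```

Run on the sample, the first rule fires once for SCADA_ADMIN (two HMI hosts plus the VPN pool inside 53 minutes) and the second rule returns the 23:31 success and the 02:17 failure. Neither rule needs a SIEM; a scheduled export of the SCADA server's Security log to the file server would be enough to run it daily, and it gives the RESPONSE domain a concrete trigger for the escalation path it currently lacks.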
🚨 RESPONSE — Event & Incident Response, COO
  • No documented Incident Response Plan (IRP)
  • No tabletop or drill exercises have ever been conducted
  • Staff do not know who to contact in case of a cyber incident
  • Business Continuity Plan drafted (2021) but never finalized or tested
  • Backup only covers file server (SRV-001); SCADA, AMI, accounting excluded
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) not defined
  • No relationship with CISA, MS-ISAC, or FBI Cyber for incident reporting
Indicative Current: MIL 0–1 (no IRP)
🤝 THIRD-PARTIES — Third-Party Risk Mgmt
  • No vendor cybersecurity assessment process
  • No cybersecurity requirements in any vendor contracts or POs
  • TechPath & GE have privileged access — no monitoring, no contractual cybersecurity SLA
  • E.ON Technologies contractors bring their own laptops into substations for relay programming; no transient-asset controls
  • No inventory of third-party connections to MVEC systems
  • NISC and Landis+Gyr SOC 2 reports available but never reviewed by MVEC
Indicative Current: MIL 0–1 (no program)
👷 WORKFORCE — Workforce Management
  • No cybersecurity awareness training program
  • Last training event: informal lunch-and-learn, ~2022
  • No phishing simulation program
  • No cybersecurity responsibilities in any job descriptions
  • No formal onboarding cybersecurity briefing
  • No background check policy beyond standard HR pre-employment screen
  • SCADA operator (Kyle Zumpf) has had no formal OT cybersecurity training
Indicative Current: MIL 0–1 (not performed)
🏗️ ARCH — Cybersecurity Architecture
  • IT/OT network partial segmentation only — layer-3 route exists between Corp LAN and SCADA network
  • No dedicated OT firewall or DMZ between IT and SCADA networks
  • Guest Wi-Fi not isolated from corporate LAN at switch level
  • No network diagram formally maintained or reviewed
  • Radio SCADA links (900 MHz) have no encryption or authentication
  • No Zero Trust principles; flat network with broad lateral movement potential
  • No data-in-transit encryption on DNP3 (DNP3-SAv5 not enabled)
Indicative Current: MIL 1 (ad hoc, no design)
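The fiber and 900 MHz links listed in Section 6 and in this ARCH card carry plain DNP3 with no Secure Authentication (SAv5). The Python below is an added example, not part of the case study or any vendor's code: it frames and parses DNP3 link-layer frames with the standard CRC-16/DNP, then shows that a frame whose payload has been swapped and whose CRCs have been recomputed parses as valid. That is the whole point of the finding: a CRC detects line noise, not an adversary, and only SAv5 (or a link encryptor on the radio path) adds a key the attacker does not have. The station addresses, control byte and payload bytes are constructed for this example; the payload stands in for an application-layer request and is not a real APDU.

```python
"""DNP3 link-layer framing and CRC-16/DNP, to show what an unauthenticated link accepts.

Added example for the MVEC exercise; not code from the case study. DNP3 link frames are
0x05 0x64, LENGTH, CONTROL, DEST (LE16), SRC (LE16), header CRC, then user data in
16-byte blocks each followed by its own CRC. LENGTH counts CONTROL+DEST+SRC+user data.
"""


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, bits LSB-first,
    result ones-complemented before transmission (xorout 0xFFFF)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, payload: bytes) -> bytes:
    """Assemble a valid link frame; the only integrity data added is CRCs."""
    if not 0 <= len(payload) <= 250:
        raise ValueError("DNP3 user data is limited to 250 bytes per frame")
    header = (bytes([0x05, 0x64, 5 + len(payload), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(payload), 16):
        block = payload[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check start bytes and every CRC the way an RTU's link layer does, and return
    the decoded header plus the reassembled user data."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link frame")
    header, hdr_crc = frame[:8], int.from_bytes(frame[8:10], "little")
    length, control = header[2], header[3]
    crc_ok = hdr_crc == crc16_dnp(header)
    data, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        if pos + n + 2 > len(frame):
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        crc_ok = crc_ok and int.from_bytes(frame[pos + n:pos + n + 2], "little") == crc16_dnp(block)
        data, pos, remaining = data + block, pos + n + 2, remaining - n
    return {
        "dest": int.from_bytes(header[4:6], "little"),
        "src": int.from_bytes(header[6:8], "little"),
        "dir_from_master": bool(control & 0x80),   # DIR bit
        "primary": bool(control & 0x40),           # PRM bit
        "function_code": control & 0x0F,
        "user_data": data,
        "crc_ok": crc_ok,
    }


def forge_frame(captured: bytes, new_payload: bytes) -> bytes:
    """What anyone on the 900 MHz path can do: keep the captured addresses and control
    byte, substitute a payload, recompute the CRCs. Without SAv5 the RTU cannot tell."""
    f = parse_frame(captured)
    return build_frame(captured[3], f["dest"], f["src"], new_payload)


# Constructed sample: master (address 100) -> SS-03 RTU (address 3), control 0xC4 =
# DIR=1, PRM=1, FC 4 (unconfirmed user data). The 20-byte payload is illustrative only.
CAPTURED = build_frame(0xC4, dest=3, src=100, payload=bytes(range(1, 21)))

if __name__ == "__main__":
    print("captured:", parse_frame(CAPTURED))
    noisy = bytearray(CAPTURED); noisy[10] ^= 0xFF           # line noise: CRC catches it
    print("bit-flipped crc_ok:", parse_frame(bytes(noisy))["crc_ok"])
    forged = forge_frame(CAPTURED, b"\xAA" * 8)              # attacker: CRC does not
    print("forged crc_ok:", parse_frame(forged)["crc_ok"])
```

The bit-flipped frame fails its CRC and would be discarded; the forged one passes every check the link layer has. For the exercise, this is the distinction between "no encryption" (a confidentiality gap) and "no authentication" (an integrity gap that lets control commands be injected), and it is why the remediation for the radio links is SAv5 or a link encryptor rather than a firewall rule.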
📋 PROGRAM — Program Management
  • No formal cybersecurity program; no CISO or equivalent role
  • No cybersecurity budget line item — cybersecurity costs bundled into "IT"
  • No cybersecurity strategy or roadmap
  • Board of Directors has not been briefed on cybersecurity in at least 3 years
  • No C2M2 or other framework self-evaluation previously conducted
  • TechPath MSP manages IT reactively; no proactive security posture management
  • No metrics or KPIs tracked for cybersecurity program performance
Indicative Current: MIL 0 (no formal program)
Section 11 — Exercise Discussion Questions

Facilitated Exercise Questions


Assessment Questions

  • ASSET: What is the minimum you need to achieve MIL 1 in the ASSET domain? What is the single highest-priority action?
  • ACCESS: MVEC has shared SCADA credentials and no MFA. What are the specific C2M2 practices in the ACCESS domain that are not met? What remediation would you recommend first?
  • ARCH: The SCADA network and corporate LAN share a layer-3 route. What C2M2 architecture practices does this violate, and what is the simplest architectural change to improve the score?
  • THREAT: MVEC's patch lag is 12–18 months on OT systems. Which C2M2 THREAT practices are affected? What is a realistic patching strategy for a cooperative this size?
  • RESPONSE: If a ransomware attack hit MVEC's corporate network tonight, what would happen? Map the lack of an IRP to specific RESPONSE domain MIL 1 practices not met.
  • THIRD-PARTIES: TechPath has always-on privileged access with no monitoring. Which THIRD-PARTIES domain practices are not met? What is the minimum viable vendor security requirement MVEC should add to the contract?
  • PROGRAM: The Board has not been briefed on cybersecurity in 3 years. What PROGRAM domain practices require executive and board-level cybersecurity engagement?

Scenario Injects (Optional)

Inject A — Phishing Incident A customer service representative clicks a link in a phishing email. Her workstation is now displaying a ransomware demand screen. How does MVEC respond? What does the lack of an IRP mean for the response timeline? Which C2M2 RESPONSE practices would have mitigated this?
Inject B — OT Anomaly The RTU at SS-02 Warsaw Substation begins sending unusual control signals, and the SCADA operator notices a circuit breaker (CB) status change he did not initiate. What situational awareness gaps (SITUATE domain) prevented earlier detection? How would the lack of network monitoring affect the investigation?
Inject C — Vendor Compromise TechPath Solutions notifies MVEC that their RMM platform was breached and attacker-controlled commands were pushed to customer endpoints. What THIRD-PARTIES and ARCH domain gaps enabled this risk? What immediate actions should MVEC take? What monitoring capability is missing?
Remediation Planning As a team, develop a 90-day Quick Win plan for MVEC targeting MIL 1 across all 10 domains. Prioritize by risk, budget constraint ($50,000 available), and available staff. Which domain gaps pose the greatest immediate operational risk?