Cascade Valley Electric Cooperative

Serving rural communities in the Columbia River Gorge region since 1952

  • Customers Served: 12,500
  • Square Miles Coverage: 850
  • Miles of Lines: 1,280
  • Total Employees: 68

Company Information

Founded: 1952

Type: Rural Electric Cooperative

Headquarters: Hood River, Washington

Service Territory: Rural communities in Columbia River Gorge (WA & OR)

Peak Demand: 45 MW

Annual Energy Sales: 285 GWh

Average Rate: $0.11/kWh

Mission Statement

To provide safe, reliable, and affordable electricity to rural communities while maintaining strong environmental stewardship and community engagement.

Audit Focus: This interactive profile is designed for cybersecurity compliance audit training. Pay attention to IT/OT infrastructure, security controls, and risk factors throughout each section.

Organizational Structure

Total Full-Time Equivalent Employees: 68

  • Executive Leadership (4): CEO, CFO, Asst. GM, Board Secretary
  • Operations (28): Linemen, Operators, Technicians
  • Engineering (12): Engineers, GIS, Construction
  • Customer Services (14): Service Reps, Billing, Communications
  • Administration (10): HR, Accounting, IT, Safety

Key Personnel with System Access

High-Privilege Access Users:

  • System Operators (2): 24/7 SCADA control access
  • IT Support Specialists (2): Administrative access to all systems
  • Chief Engineer: Engineering systems and protection settings
  • Operations Manager: Field operations and maintenance systems
  • General Manager: Executive dashboard and reporting systems
Audit Note: These personnel require enhanced background checks and regular access reviews per NERC CIP requirements.

Workforce Challenges

Retirement Risk: 35% eligible within 10 years
  • Knowledge transfer programs in development
  • Apprenticeship programs for technical positions
  • Cross-training initiatives to reduce single points of failure

IT Infrastructure Overview

Total IT Assets: 142 devices

Servers & Virtualization

  • 12 Physical Servers
  • 4 Virtualization Hosts
  • 28 Virtual Machines
  • 600 sq ft Data Center

End-User Devices

  • 72 Desktop Workstations
  • 18 Laptops (Field Personnel)
  • 12 Ruggedized Tablets
  • 15 Printers/MFDs

Network Infrastructure

  • 24 Managed Switches
  • 8 Routers
  • 6 Wireless Access Points
  • Fiber Backbone Network

Operational Technology (OT) Systems

SCADA System Components:

  • Master Station: Redundant servers with GE iFIX HMI
  • RTUs: 28 Remote Terminal Units at substations
  • Communication: DNP3 over IP, serial, and radio
  • Data Historian: PI System for archiving and analytics
Security Note: All SCADA communications are encrypted and use industrial firewalls for network segmentation.

Generation & Distribution Assets

Substations (8 total)

  • 2 Transmission (115kV/25kV)
  • 6 Distribution (25kV/12.47kV)
  • SEL Protection Relays
  • Fiber + Cellular Backup

Generation

  • 2.5 MW Hydro Plant (1958)
  • 1.2 MW Solar Arrays
  • 3 Emergency Diesel Generators

Smart Grid Implementation

AMI Deployment: 8,500 of 12,500 meters
  • 45 Automated distribution switches
  • 18 Automated capacitor banks
  • 125 Fault indicators
  • Target: 100% AMI deployment by 2026

Cybersecurity Infrastructure

Compliance Framework: NERC CIP Standards, NIST Cybersecurity Framework

Network Security

  • 2 Enterprise Firewalls (Primary/Backup)
  • 8 Industrial Firewalls (Substations)
  • Network Segmentation (IT/OT)
  • VPN Access Control

Monitoring & Detection

  • 24/7 Managed SIEM Service
  • Network Traffic Analysis
  • Endpoint Detection & Response
  • NRECA Essence Program

Identity & Access

  • Active Directory
  • Multi-Factor Authentication
  • Role-Based Access Control
  • Privileged Account Management

Security Assessment

Current Security Metrics:

  • Patch Management: 85% compliant
  • Employee Training: 95% completion
  • Backup Testing: Monthly verified
Recommendation: Improve patch management processes to achieve 95%+ compliance within 60 days.

Incident Response Capabilities

  • Response Team: 5 trained personnel (IT, Operations, Management)
  • Communication Plan: Automated notification system
  • Recovery Procedures: Documented playbooks for major scenarios
  • External Support: 24/7 managed security services contract

Emergency Response Contacts:

  • Internal CISO: (509) 555-0101
  • Managed SOC: (800) 555-CYBER
  • FBI Cyber Division: (855) 292-3937
  • NRECA Cyber Support: (703) 907-5500
  • Washington State Patrol: (360) 596-4000

Physical Infrastructure

CVEC operates multiple facilities across its service territory to ensure reliable power delivery.

Headquarters Complex

  • 12,000 sq ft Main Building
  • 8,000 sq ft Warehouse
  • 4-Bay Vehicle Garage
  • 200kW Backup Generator
Physical Security Measures:
  • Card-based access control system
  • 12 IP surveillance cameras
  • Monitored intrusion detection
  • 24/7 security patrol service

Field Facilities

  • Satellite Office (Oregon) - 2,000 sq ft
  • 3 Material Storage Yards
  • 8 Substation Control Houses
  • Emergency Response Trailers (2)

Vehicle Fleet

  • 12 Line/Bucket Trucks
  • 8 Service Pickup Trucks
  • 6 Administrative Vehicles
  • GPS Tracking on All Vehicles

Physical Security Assessment

Security Posture Analysis:

  • Access Control: Strong
  • Video Surveillance: Adequate
  • Perimeter Security: Moderate
Recommendation: Consider additional camera coverage at remote substation locations and enhanced perimeter lighting.

Environmental & Safety Features

  • Fire Suppression: Automated systems in data center and control rooms
  • Climate Control: Redundant HVAC systems for critical facilities
  • Emergency Power: UPS systems and backup generators
  • Safety Equipment: PPE storage, eye wash stations, AED units

Comprehensive Risk Assessment

Analysis of operational, cybersecurity, and business risks facing CVEC.

Cybersecurity Risk Profile

Primary Cyber Threats:

  • Ransomware: High Risk
  • Social Engineering: High Risk
  • Supply Chain: Medium Risk
  • Insider Threats: Medium Risk
Critical Finding: Legacy SCADA equipment at 3 substations lacks modern security features. Recommend immediate upgrade planning.

Operational Risk Factors

Natural Hazards

  • Wildfire: High risk during summer months
  • Ice Storms: Regional weather pattern concern
  • Earthquakes: Cascadia subduction zone proximity
  • Flooding: Columbia River gorge vulnerability

Infrastructure Aging

  • Distribution Lines: 25% over 40 years old
  • Transformers: 15% nearing end-of-life
  • SCADA System: Some components from 2008
  • Control Systems: Mixed vintage equipment

Business Continuity Assessment

Business Continuity Capabilities:

  • Backup Systems: Excellent
  • Recovery Procedures: Good
  • Staff Cross-Training: Needs Improvement
Strength: Mutual aid agreements with 12 neighboring utilities provide excellent emergency response capability.

Regulatory Compliance Status

NERC CIP Compliance

  • CIP-002: Asset identification - Compliant
  • CIP-003: Security management - Compliant
  • CIP-007: System security - 95% compliant
  • CIP-011: Information protection - Compliant

Other Regulations

  • NIST Framework: Tier 2 implementation
  • State PUC: All filings current
  • Environmental: Clean Air Act compliant
  • Safety: OSHA compliance - No violations

Risk Mitigation Strategies

Priority Risk Mitigation Actions:

  1. Cybersecurity Enhancement (Q2 2025):
    • Upgrade 3 legacy SCADA RTUs
    • Implement zero-trust network architecture
    • Enhanced security awareness training
  2. Infrastructure Modernization (2025-2027):
    • Complete AMI meter deployment
    • Replace aging distribution equipment
    • Upgrade substation protection systems
  3. Workforce Development (Ongoing):
    • Expand apprenticeship programs
    • Knowledge transfer documentation
    • Cross-training initiatives
Budget Impact: Total risk mitigation investments: $8.2M over 3 years

Audit Recommendations Summary

For Student Review: Based on this risk assessment, what would be your top 3 recommendations for improving CVEC's cybersecurity posture?

Key Audit Findings:

Strengths:
  • Strong incident response capabilities
  • Comprehensive backup and recovery procedures
  • Effective employee security training program
  • Good physical security at critical facilities
Areas for Improvement:
  • Legacy SCADA equipment security vulnerabilities
  • Patch management process inconsistencies
  • Limited network segmentation between IT/OT systems
  • Workforce knowledge transfer risks due to retirements

Recommended Priority Actions:

  1. Immediate (0-90 days): Upgrade legacy SCADA RTUs, improve patch management
  2. Short-term (3-12 months): Enhance network segmentation, security monitoring
  3. Long-term (1-3 years): Complete grid modernization, workforce development