How Cyber Threats Are Evolving for Electric Cooperatives—and What the Data Is Telling Us

Electric cooperatives sit at the intersection of rural resilience and national security. Their digital infrastructure supports not only the communities they serve, but also a wide swath of critical U.S. assets—including the majority of military bases and oil and gas pipelines. That’s why events like the NRECA Cyber Coop Conference and the Texas Electric Cooperatives IT Show are more than just industry meetups—they’re ground zero for understanding the evolving cyber threat landscape affecting America's grid.

Here are the key takeaways we believe every co-op should be thinking about now:

1. Third-Party Risk Isn’t Going Away
For the second year running, third-party vendor risk ranked as the #1 cybersecurity concern across cooperatives. This reflects a hard reality: even if your environment is locked down, your partners may not be. The growing complexity of supply chains and integrations continues to open doors to threat actors.

2. Ransomware and Social Engineering Are on the Rise
Ransomware remains a top-tier concern and is increasing annually in both sophistication and frequency. More alarming is the surge in social engineering attacks—phishing, vishing, and other manipulative tactics are working. Co-ops must double down on user awareness and real-time detection.

3. Static Testing Isn’t Enough: The Shift to Purple Teaming
One of the most discussed topics was the move from standard penetration testing to purple teaming—a hybrid approach that blends offensive tactics with defensive validation. 

This reinforces a central truth: if you don’t test your controls under real-world conditions, you don’t really know if they work.

Purple teaming was also mentioned as a preferred method over traditional pen testing by multiple presenters—InfoSight was publicly recognized during one session for offering this value-added approach.

4. Visibility Gaps Are Real—and Dangerous
A surprising finding came out of testing two instances of Arctic Wolf: one showed 100% visibility into a simulated attack; the other had none, with no clear reason why. This kind of inconsistency highlights the importance of understanding what your tools are actually seeing—or not seeing—in real time.

Key questions to ask your vendors:

Are your tools detecting live scans as they happen?

How easy is it to conduct forensics afterward?

Can you validate that your tools are functioning as promised?

5. IRP Maturity Is Alarmingly Low
Nearly 40% of co-ops only have fragments of an incident response plan (IRP). Another 40% have a complete plan but rarely test it. In a regulated environment where DOE now requires same-day or even one-hour incident reporting, this is a critical gap. It’s not just about having a plan—it’s about operationalizing and testing it.

6. Operational Technology (OT) Exposure is Increasing
Roughly 50% of substations are now connected to the internet, introducing substantial risk to the OT layer. Presenters shared research on radio commands between PLCs and RTUs, noting the need for better visibility and threat detection in these environments.

Couple that with multi-factor authentication (MFA) gaps—especially for APIs—and the attack surface grows wider still. MFA bypasses via automation were specifically called out as a rising concern.

7. Better Data Presentation = Better Decisions
One of the major themes was the need for co-ops to benchmark their performance against peers—not just internally year over year. Data should drive visibility, context, and clarity. This includes:

Trend analysis across multiple years

Real-time performance comparisons

Tighter alignment between cyber outcomes and operational impact

8. The Role of Real-Time Monitoring Over Forensics
Forensics were described by one speaker as “the absolute worst part” of cybersecurity—not because they’re unnecessary, but because of how time-consuming and painful they are post-incident. The takeaway? Real-time detection and response is a much better investment than post-mortem investigation.

9. National Support Is Uneven—Plan Accordingly
Resources from CISA and the National Guard vary significantly by region. Some states can deploy rapid cyber support, others cannot. Co-ops must plan for this disparity and not assume federal support will be available in time.

As cooperatives continue to play a vital role in both local resilience and national security, their cybersecurity posture must evolve. The 2025 NRECA and TEC events highlighted how the threats are changing—and how the response must become more proactive, data-driven, and adversary-aware.

At InfoSight, we’re proud to support the co-op community with over a decade of experience delivering cybersecurity services built for the realities of today’s threat landscape—from purple teaming and real-time monitoring to OT/ICS threat visibility and MFA evaluation.