DOE, NREL open call for second CECA cohort to advance cyber innovation, address grid vulnerabilities

The U.S. Department of Energy and the National Renewable Energy Laboratory (NREL) announced on Monday a call for applications for the second Clean Energy Cybersecurity Accelerator (CECA) cohort. It gives participants in the Cybersecurity Accelerator Program work to advance cyber innovation and address grid vulnerabilities while supporting the transition to a clean energy future. 

Now open through Feb. 10, Cohort 2 will assess solutions that actively identify all industrial control system (ICS) assets connected to a utility’s infrastructure, both physically and virtually, to understand the totality of assets that need to be monitored and protected within the environment. Furthermore, the solutions should support the identification of unauthorized, unmanaged, or compromised assets to be removed or remediated.

CECA follows a down-selection process to determine the topic of each cycle, which dictates the environment, tactics, procedures, and length of the evaluation. Cohorts go through an accelerator period of three to 12 months, sharing ideas and threat intelligence before validating solutions in the lab. CECA works on accelerating cyber innovation for modern, renewable energy technologies and offers a pathway to technical validation, demonstration, and commercialization.

In order to be eligible for the program, interested solution providers must be based in the U.S., offer technology solutions focused on solving hidden risks due to incomplete system visibility and device security and configuration, and be at a Technology Readiness Level 4 or above as defined by the DOE Technology Readiness Assessment/Technology Maturation Plan Process Guide. 

NREL will select up to five participants for the second CECA cohort, where the candidates will also receive professional evaluations of their technologies and partnership opportunities while developing and evaluating cyber-risk solutions in a collaborative setting. The program integrates federal experts, energy industry representatives, and innovators in a unified effort to rapidly develop cybersecurity solutions for renewable energy resources and other grid operations and to bring them to market faster.

As part of the CECA program, DOE and NREL have partnered with Berkshire Hathaway Energy, Duke Energy, and Xcel Energy in a joint effort to tackle the growing cyber threats to the U.S. energy sector, and other utilities are invited to join. The partnering utilities may use the cohort’s cybersecurity technologies once they are assessed and validated and will also gain insights from the technology developers on the latest cyber challenges, best practices, trends, and the ability to understand cyber technology solutions.

In December, DOE and NREL announced the CECA program’s initial cohort, where three participants with cyber-defense technologies unproven in energy systems to authenticate distributed energy resources. The three participants have recently started a technical assessment of their technologies and will have the opportunity to showcase their solutions using NREL’s world-class laboratory facilities.

CECA has emerged as a key component of DOE’s strategy to ensure America’s critical energy infrastructure remains reliable, resilient, and secure as more renewable energy is incorporated into the generation mix to achieve President Joe Biden’s ambitious vision of a 100 percent clean electricity sector by 2035 and net-zero economy by 2050. The program offers solution providers in the technology space the opportunity to test their solutions in a laboratory environment, to boost innovation, and address high-priority security threats.

Cohort members will work with experts to use NREL’s Advanced Research on Integrated Energy Systems (ARIES) cyber range to evaluate the proposed cyber-risk solutions. With a connection to more than 20 MW of energy system hardware, the environment subjects the technologies to realistic adversary scenarios, facilitated by NREL staff. ARIES users can evaluate technologies at scale through real-time visualization of proactive defense and automated response.

Cohort members will exit the program with competitive experience, new partnership opportunities, and professional evaluation related to the most urgent cybersecurity challenges facing modern energy systems.

“As physical and virtual threats to our critical energy infrastructure continue to evolve, DOE is using all the tools at our disposal to lock down cybersecurity vulnerabilities of today and tomorrow,” Jennifer M. Granholm, U.S. Secretary of Energy, said in a media statement. “By supporting new, innovative technologies, the CECA program will help bring cutting-edge solutions to market more rapidly—ensuring our nation’s electric grid is secure and reliable as it transitions to 100% clean energy.”

Last year, one of the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER)’s signature achievements was launching the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) Program. Through the program, CESER will provide $250 million of funding from the bipartisan Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), over five years to help rural, municipal, and small investor-owned electric utilities improve their cybersecurity posture and increase their participation in threat information-sharing programs.

Puesh Kumar, director of CESER at the DOE, said in November that “safeguarding America’s energy infrastructure is a top priority for the Department of Energy and a primary objective of the Office of Cybersecurity, Energy Security, and Emergency Response.” He added that “it is incredibly important that while we transition to innovative and cleaner, more affordable energy sources that we invest in and build resources and systems that are inherently reliable, resilient, and secure.”

The DOE released in June the National Cyber-Informed Engineering (CIE) Strategy that looks at guiding the efforts of the energy sector to incorporate cybersecurity practices into the design life cycle of engineered systems to reduce cyber risk. The CIE Strategy is a shift away from the prevailing structure, where the cybersecurity for most critical infrastructure control systems is addressed separately from system design and engineering. This gap has resulted in an expanding list of additive security technologies that are introduced after the fact to mitigate cyber vulnerabilities.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.