APPA announces RFP for OT cybersecurity data aggregation framework


The American Public Power Association (APPA) is soliciting proposals for a vendor(s) to assist and support the development of a data aggregation framework under APPA’s Cooperative Agreement (CA) with the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The Request for Proposal (RFP) document outlines that the program’s goal is to refine existing, but disparate, operational technology (OT) cybersecurity models, frameworks, and monitoring criteria into more uniform hardware specifications and guidance to facilitate improved deployment at small- and medium-sized public power utilities.

The deadline for proposals for the RFP is 5 p.m. ET on Monday, Sept. 18. The agency will also host RFP webinars on Sept. 5 and Sept. 7, with potential bidders receiving a link to the webinar when available. APPA will provide an overview of the RFP and will address any questions formally received before the webinar time and date. APPA will also address any questions received during the webinar. A recording of the RFP overview session will be made available to all attendees and any bidders that contacted APPA with the intent to bid.

APPA also requests vendors to assert an ‘intent to bid’ by 5 pm EDT on Sept. 8. The final day to submit questions in writing to APPA is 5 pm EDT on Sept. 11. 

The DOE entered into a CA with APPA, Award Number DE-CR0000007, to develop and deploy cyber and cyber-physical OT solutions within the public power community in 2020. “This agreement establishes APPA’s partnership with DOE, under which the association will utilize its unique capabilities and position as a convener of community-owned electric utilities to work with DOE CESER, as well as the National Energy Technology Laboratory (NETL), to develop, demonstrate, and deploy cyber and cyber-physical OT solutions within the public power community.” 

As public power utilities deploy OT sensor technology under the DOE cooperative agreement, members will benefit from a methodology for information sharing that allows aggregated and anonymized OT sensor data to move from where it is collected to where it can be analyzed. Participating utilities in the program will benefit from a framework and methodology for information sharing to allow OT cybersecurity data to move in a secure and anonymized fashion from municipal utilities to analysis providers. 

The project will deliver a technical framework and methodology for participating utilities that may securely share anonymized, aggregated OT data with analysis providers. The project will also include the legal framework to track and manage data ownership as it moves from one entity to another.

Through this CA with DOE, APPA will work to solve organizational coordination challenges by developing an independent, secure, and replicable OT data aggregation model and framework, the agency said. “This framework will allow participants to anonymously deliver threat data from deployed hardware to cybersecurity information sharing analysis centers to perform deep analysis. As this analysis identifies patterns and detects threats, the analysis centers can refine cyber threat and mitigation recommendations to inform public power utilities and to help them reduce risk.” 

Likewise, this approach should allow for sharing the OT data for deeper analysis with the broader electricity subsector to enhance and reinforce collective defense. Overall, the proposer will support APPA on the tasks described in the Statement of Work (SOW). 

APPA must assign a program manager. After awarding the contract, APPA will work with the proposer to establish a project schedule as defined in the SOW and to determine the parameters of deliverables to APPA and any associated project collateral. APPA will lead meetings between the vendor and APPA members during technical meetings as the vendor gathers framework specifications. APPA will also provide access to its members through meetings of the Cybersecurity Defense Community (CDC) and various APPA groups, and to certain databases of demographic data, if needed, to help inform the materials.

Furthermore, APPA’s Principal Investigator will be responsible for the presentation of material to DOE and APPA leadership and APPA members. The proposer may be included in meetings and present materials at APPA’s discretion. APPA will also assign various staff and/or contracted technical consultants to work with the proposer. The APPA staff representative will review documents developed by the proposer in sufficient detail to ensure understanding by others of the purpose, timing, and deliverables.

APPA will provide edits to documents and approve all deliverables before documents are submitted to DOE, APPA leadership, and/or APPA members. Lastly, APPA will provide final editing and graphic design services for publishing the final deliverables.

APPA will work with industry partners to develop a framework and methodology for information sharing to allow OT cybersecurity data to move in a secure and anonymized fashion from municipal utilities to analysis providers. The agency will also establish suitable agreements related to data ownership and control for stakeholders. The project will also include setting up a legal framework and applicable agreements between stakeholders to share anonymized data from point to point. 

Additionally, APPA may work to develop and deploy one or many instances of stable data connection technologies and establish a framework for accessing and sharing this data for threat analysis to key analysis partners in the electricity subsector. 

Addressing the technical approach, the RFP document outlined that APPA will contract for the development of a methodology, guidance, and framework, including technical specifications for secure data aggregation for anonymized OT data streams. This methodology, guidance, framework, and associated technical specifications will be utilized in work conducted for future CA tasks. APPA will also contract for the development of technical and legal requirements for an RFP for cloud service providers and other commercial applications to securely store OT data.

Furthermore, APPA will coordinate with vendors to utilize the APPA-sponsored Cybersecurity Defense Community (CDC). The agency will also coordinate with the vendor to collaborate with the Electricity Information Sharing and Analysis Center (E-ISAC), the Multi-State Electricity Information Sharing and Analysis Center (MS-ISAC), and DOE’s Energy Threat Analysis Center (ETAC).

After the completion of this scope of work, APPA will use the structures and agreements formulated along with technical methods identified for the transport and storage of data to test the movement of relevant OT data from deployed sensors to analysis centers. Also, after the completion of this scope of work, APPA will develop a final set of procedures, including a framework and model, as well as the documents required to support and maintain consistent data ownership and control from utility to analysis provider. 

The RFP document also said that public power utilities will have a method to share OT cybersecurity data securely and anonymously with analysis providers. 

The proposer's services will include, but are not limited to, attending meetings (may be virtual) with APPA staff to reach an agreement on the final outline of the contents and specifications, the electronic format of the product(s), and the protocols and procedures for updating the electronic version of the products. They also include attending meetings (may be virtual) with APPA membership and staff to map OT data feeds and develop technical specifications, and preparing material according to the APPA style guide, which APPA will provide to the proposer. All deliverables will include the acknowledgment and disclaimer language required by the DOE and provided under the terms and conditions of this RFP.

It also includes preparing draft products in compliance with the specifications agreed upon during the meetings and providing the electronic version of the first draft to the APPA Program Manager and other selected reviewers. It also covers incorporating suggestions on the first draft into the final draft and providing the electronic version of the final draft to the APPA Program Manager and other selected reviewers for final review.

It also includes incorporating any comments on the final draft into the final version and providing the electronic version of the final products to the APPA Program Manager and other selected APPA staff. It also includes participating in weekly or bi-weekly progress meetings (virtual) with APPA, and participating in CDC meetings in coordination with APPA, as needed.

The RFP also detailed that the vendor will be responsible for several specific tasks specified in the proposer response spreadsheet in support of the overall objective. These include coordinating with APPA to utilize the CDC to collect technical specifications needed for secure data aggregation for anonymized OT data streams and coordinating with APPA to utilize the CDC to collect legal requirements needed for secure data aggregation for anonymized OT data streams. 

The tasks also cover developing a methodology, guidance, and framework, including technical specifications for secure data aggregation for anonymized OT data stream sharing, to allow OT cybersecurity data to move in a secure and anonymized fashion from municipal utilities to analysis providers. This methodology, guidance, framework, and associated technical specifications will be utilized in work for future CA tasks.

The tasks also include working with CDC members to develop guidance and implementation documentation, and to evaluate commercial applications of log forwarding and event correlation that can be modified for smaller-scale operations. They also cover coordinating with APPA to collaborate with the E-ISAC, as well as the MS-ISAC, and DOE to develop and collect technical specifications needed for secure data aggregation for anonymized OT data streams, based on recommendations from CDC members.

The tasks further include coordinating with APPA to collaborate with the E-ISAC, MS-ISAC, and DOE to develop and collect legal specifications needed for secure data aggregation for anonymized OT data streams, based on recommendations from CDC members. They also include developing technical requirements and legal requirements for an RFP for cloud service providers and other commercial applications to securely store OT data.

The agreement will conclude on Sept. 24, 2025, unless mutually agreed to in writing to extend the agreement into future years. Either party, upon 90 business days’ written notice, may cancel the contract; however, any materials, research products, work in progress, or other work products shall be promptly and completely turned over to the APPA program manager.

The RFP document also said that all costs for the preparation and submission of a proposal will be borne by the bidder. “APPA assumes no responsibility whatsoever for reimbursement for preparation of proposals. The RFP response(s) will become part of a contract with the successful bidder. The proposer shall not assign or otherwise transfer its rights or obligations under this potential agreement without the prior written approval of APPA,” it added.
