DOE RFI looks toward improving and strengthening energy security across rural communities

The U.S. Department of Energy (DOE) issued a  Request for Information (RFI) seeking public response on a new US$250 million program to strengthen the cybersecurity posture of rural, municipal, and small investor-owned electric utilities. 

Among other objectives, the RFI is looking for ways to improve cybersecurity incident preparedness, response, and threat information sharing; cybersecurity workforce challenges; risks associated with technologies deployed on the electric grid; national-scale initiatives to accelerate cybersecurity improvements in these utilities; and opportunities to strengthen partnerships, selection criteria and application process for funding awards.  

Information collected from the RFI may be used by DOE for planning purposes, which could include developing future funding opportunity announcements (FOA), broad agency announcements, or other solicitations related to the implementation of the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program (RMUC Program). 

To help with RMUC program implementation, DOE is seeking input from the cybersecurity community, including eligible utilities and representatives of third parties and organizations that support or interact with these utilities. The information collected in response to the RFI will not be published.

Responses to the DOE RFI must be submitted electronically no later than 5:00 pm (ET) on December 19, 2022. The intent of this RFI is to obtain public input to inform the scope and priorities of the agency’s RMUC program and enable DOE to design opportunities that improve an eligible utility’s cybersecurity posture. The RMUC Program is part of the Infrastructure Investment and Jobs Act (IIJA), also commonly known as the Bipartisan Infrastructure Law (BIL), through investments in operational capabilities, services, technology deployments, and increased participation in threat intelligence information-sharing programs.

The DOE hosted a series of listening sessions for utilities and stakeholders to ask questions and provide feedback that will help inform the development and implementation of the RMUC Program. The final listening session will take place on October 25, 2022.

“Rural and municipal utilities provide power for a large portion of low- and moderate-income families across the nation and play a critical role in ensuring the economic security of our nation’s energy supply,” Jennifer M. Granholm, U.S. Secretary of Energy, said in a media statement. “This new program reflects the Biden Administration’s commitment to improving energy reliability and connecting our nation’s rural communities to resilient energy infrastructure and the transformative benefits that come with it.”

The program will provide financial and technical assistance to help rural, municipal, and small investor-owned electric utilities improve operational capabilities, increase access to cybersecurity services, deploy advanced cybersecurity technologies, and increase participation of eligible entities in cybersecurity threat information sharing programs. Priority will be given to eligible utilities that have limited cybersecurity resources, are critical to the reliability of the bulk power system, or support the nation’s defense infrastructure.

DOE is interested in comments providing insight into the people, process, and technology challenges and barriers electric cooperatives, public utilities, and small investor‐owned utilities (eligible utilities) face in improving their cybersecurity posture. It is also pursuing enhancing the ability of eligible utilities to protect against, detect, respond to, and recover from cybersecurity threats and incidents, and increasing the participation of eligible utilities in cybersecurity threat information sharing programs. 

The electric agency is also keen on looking into how to design opportunities that provide both immediate benefits and the ability to continue to expand after BIL funding ends. Additionally, it is looking for ideas for national-scale initiatives where DOE can partner with private, not‐for‐profit, and public sector organizations to accelerate improvements in the ability of eligible utilities to protect against, detect, respond to, and recover from cybersecurity threats and incidents. 

DOE is also seeking opportunities for strengthening local and regional partnerships between eligible utilities and eligible not‐for‐profit entities with other private, not‐for‐profit, and public sector organizations, especially in the areas of cybersecurity incident preparedness and incident response, and cybersecurity technical assistance. 

For this RFI, DOE is requesting input across four categories. These include key challenges and opportunities facing eligible utilities, and key challenges and opportunities for utilities serving military installations. It also covers partnerships with manufacturers, vendors, service providers, public agencies, labor unions, and other stakeholders. It also includes Equity, Environmental, and Energy Justice (EEEJ) in the identification of potential applicants, the application process, criteria for selection, and stakeholder engagement. 

The RMUC Program will need to focus on investments that will provide the greatest security benefits to eligible utilities. Cybersecurity best practices could include practices focused on cybersecurity awareness training, recruitment, hiring, and training a security workforce to implement and utilize cybersecurity tools and technologies and address internal cultural silos. It also covers processes, such as cybersecurity assessments and penetration tests, policies and procedures to manage third‐party risks during the selection and hiring of vendors or purchasing equipment and devices, and increasing senior leadership support or budgets. 

The program also addresses technologies such as updating existing technology; implementing technical mitigations for legacy technologies, purchasing new technology solutions like multi-factor authentication or intrusion detection systems, analyzing and addressing system architecture vulnerabilities using solutions like network segmentation, creating demilitarized zones, or implementing zero trust practices.

In August, the DOE announced a $45 million FOA that creates, accelerates, and tests technology to protect the electric grid from cyber-attacks. The move will support six proposed topic areas for projects that will help make American energy systems secure, resilient, and reliable, apart from seamlessly helping deploy clean and cheap energy to Americans.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.