How to Tap DoE Cybersecurity Funds for Rural, Municipal & Small Investor-Owned Utilities

U.S. electric power grids are increasingly susceptible to cyberattacks, especially those operated by smaller utilities with limited resources. For them, deploying cybersecurity technology is a daunting task. The Department of Energy (DoE) knows this and has been trying to accelerate adoption by making funds, training and technology available through a series of funding opportunity announcements (FOAs). Since 2021, the DoE Office of Cybersecurity, Energy Security and Emergency Response (CESER) has made millions of dollars available to these smaller utilities, either directly or via their member associations.

Unfortunately, getting money into the right hands can take longer than intended, especially when it comes to federal grants. Here’s how the DoE grants work and how rural, municipal and small investor-owned utilities can tap available funds to secure their industrial control systems.

Why Small Electric Utilities Need Security Monitoring

According to the North American Electric Reliability Corporation (NERC), which regulates large operators that power the bulk electric system, Russia’s invasion of Ukraine and the war in Gaza have compounded an already steady stream of Chinese attacks on U.S. energy infrastructure. Nation-state actors like to target high-profile industries with weak spots that can easily be exploited. The energy sector fits the bill: NERC estimates that in 2023 domestic power grids had 23,000 to 24,000 software or hardware vulnerabilities that could be exploited.

Thanks to strong oversight by NERC, much of the U.S. (and Canadian) electric utilities industry is more resilient than other critical infrastructure sectors. After more than a decade of compliance with prescriptive NERC Critical Infrastructure Protection (CIP) reliability standards, many large operators have mastered the basics of cyber hygiene: automated asset inventory, vulnerability assessment, network monitoring, threat detection and reporting. But what about smaller entities, such as rural electric cooperatives and municipal and small investor-owned utilities? They’re also considered critical infrastructure, yet many remain unable to defend themselves from cyber threats.

Cybersecurity Funding Sources for Small Utilities

In October 2022, the DoE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) launched the Rural and Municipal Utility (RMUC) Advanced Cybersecurity Grant and Technical Assistance Program, funded by the Biden Administration’s 2021 Bipartisan Infrastructure Law. The $250 million program is designed to help smaller utilities protect against, detect, respond to and recover from cybersecurity threats and share threat information centrally. The program spawned several initiatives, including a series of FOAs to enable these utilities to purchase security monitoring and other technology that exceeded their budgets. Announcements are ongoing, but here are some of the major FOAs:

  • Direct funding: $70 million to RMUCs to harden utility systems, deliver technical assistance and provide cybersecurity training to the electric utility workforce. The deadline for this FOA closed in June 2024.
  • NRECA funding: $15 million to the National Rural Electric Cooperative Association to help members rapidly deploy technologies that protect, defend or harden OT systems subjected to external threats due to IT/OT convergence. NRECA represents 900+ rural cooperative electric utilities across the U.S. The award was to be spread over three years, with $10 million disbursed in 2022 and the remaining $5 million in subsequent years.
  • APPA funding: More than $25 million to the American Public Power Association to improve the cybersecurity maturity and posture of its members. APPA represents 2,000+ community-owned electric utilities across the U.S.

The Nozomi Networks platform is pre-approved by CESER, NRECA and APPA to be provided at no cost to APPA members for the first two years and to NRECA members for the first year.

Get Access to Exceptional OT Security

The Nozomi Networks platform is purpose-built to protect OT and IoT assets in power generation, transmission and distribution networks from cyber and operational risk. We secure more electric power grids around the globe than any other cyber vendor. Best of all, our platform is pre-approved by CESER, NRECA and APPA to be provided at no cost to APPA members for the first two years and to NRECA members for the first year. Once you apply for DoE funds and are approved, we’ll work with you to deploy and optimize the core platform for your environment, including automated asset inventory, network visualization and threat and anomaly detection.  

The best time to start your cybersecurity program is now, when funding is available to help you succeed. Contact us to learn more about this program and see for yourself how our platform supports the security and reliability of electric power systems.