In addition to the money, winners will also get cybersecurity technical assistance. To play, they must be municipal or other state political subdivision-owned, rural cooperative or small investor-owned electric utilities. The Rural and Municipal Utility Cybersecurity (RMUC) Program will award all of this through its Advanced Cybersecurity Technology (ACT) 1 Prize Competition. As many as 55 utilities may be awarded these prizes, with priority given to utilities that lack cyber resources or serve military installations.
Officials are looking for utilities that have significant need as well as cybersecurity plans they could act on if they had the money, said Mara Winn, deputy director of the Preparedness, Policy and Risk Analysis division for the DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER).
The RMUC Program will ultimately provide $250 million over five years through a series of prizes. ACT 1 is the first. Applications are accepted through Nov. 29, and rules are available online.
The recent Volt Typhoon incident heightened attention on threats to the energy grid. Officials said the Chinese government-backed hacking group had installed malware in energy utilities that serve U.S. military bases located both at home and abroad. The New York Times noted that any disruption might impact civilians too, because infrastructure serving bases also serves homes and businesses. Nation-state actors aren’t the only concern, either, and ransomware is also a regular threat, Winn said.
Plus, defending small utilities will put all utilities on stronger footing.
“Our entire energy system across the U.S. is interlinked,” Winn said. “… You want to make sure that these rural co-ops and rural municipality-based utilities are as defensive as our large, big investor-owned utilities. Because we all know that one point of access into the system is a comprehensive access.”
While the money is inherently the easiest thing to quantify, the prize does also give out technical assistance and access to subject matter experts to help ensure winners can carry through on implementing their plans. Winn said the program was designed to make delivering support simple.
“We're well aware of some of the complications in government funding, and a prize is a very straightforward, easy way to get funds into the hands of people who most need them,” Winn said.
Utilities need staff onsite who know how to react to cybersecurity alerts, reaching out to government for support and information. But, rural and municipal utilities have said during listening sessions that they struggle to recruit cybersecurity talent, offer trainings on par with those available in big cities and fund modernization.
“It doesn’t work if you have someone who will only dial in and do a training online,” Winn said. “Sometimes [with] these kinds of things, you need to be hands-on-keyboard in-house working on these challenging problems. But if you live in rural North Dakota, and it's a two-hour drive to the nearest airport, current training companies might not be interested in coming for that small two-hour window for training.”
Channeling prize funding into cybersecurity training also helps develop resources locally, meaning the whole community can benefit long term from the program, Winn said. While the prize won’t resolve all the energy grid needs, it’s a good start.
“This prize competition is one of many, because we know there's diversity of needs and diversity of capabilities,” she said. “We know this money does not solve all problems. It's not a magic wand ... but what it does do is start the process. And it allows us to understand and prioritize the goals.”
Along with the prize, the RMUC program is collaborating with the Idaho National Laboratory to offer free three-day trainings for electric utility’s technical practitioners. These will focus on industrial control systems and operational technology cybersecurity.
Interested participants can learn more by signing up for the program’s email list at CESER.RMUC@hq.doe.gov. Trainings are scheduled for the following dates:
- Oct. 31-Nov. 2, in Columbus, Ohio
- Nov. 28-30, in Orlando, Fla.
- Dec. 5-7, in Kansas City, Mo.
- Jan. 17-19, in San Diego, Calif.
- Jan. 23-25, in Dallas, Texas
- April 23-25, in Buffalo, N.Y.