APPA Details How it Can Help Implement DOE Cybersecurity Grant and Technical Assistance Program

by Paul Ciampoli
APPA News Director
December 20, 2022

There are a number of ways in which the American Public Power Association (APPA) can help the Department of Energy successfully implement a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program including assisting in identifying solutions as well as potential pathways for increasing information sharing with small- and medium-sized public power utilities, APPA said.

APPA made its Dec. 19 comments in response to a request for information (RFI) issued by the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to inform its implementation of the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.

In its comments, APPA noted that public power utilities are eligible entities for the new program, with over 1,000 of these utilities likely to fall into one or more of the priority categories of: (1) having limited cybersecurity resources; (2) owning assets critical to the reliability of the bulk power system; or (3) owning defense critical electric infrastructure (as defined in section 215A(a) of the Federal Power Act.

APPA said that along with awarding grants directly to owners and operators to address individual entity needs, DOE should also consider working with trade associations and other trusted partners around technical assistance options and needs.

“The needs of eligible utilities are diverse — some entities are in need of technical assistance on simply how to begin or move forward with basic programs, whereas others are more advanced and may be in need of assistance (financing and/or technical) in implementing technology or other cybersecurity solutions,“ APPA said.

APPA “presents a robust pathway for assisting large swaths of these communities, especially for those whose cybersecurity preparedness is not as mature as others,” it said.

For smaller utilities — including many public power utilities that make up the majority of eligible utility entities for this new grant program — cybersecurity can be daunting task, APPA pointed out.

“Many public power utilities have limited resources to put toward cyber services, technology deployments, additional cyber staff, or to increase participation in threat intelligence information sharing programs. Moreover, most public power utilities are distribution only utilities, whereas most existing government cybersecurity resources are focused on the bulk electric system (BES).”

The program’s focus on small- and medium-sized electric utilities, particularly public power and rural electric cooperative utilities, is a welcome development, the trade group told DOE.

In addition, APPA encouraged DOE to work with trade associations to reach their smaller members to ensure they are engaged and have clear pathways for resources available under the program.

APPA pointed out that it has worked with DOE through cooperative agreements on efforts like increasing increase adoption of cybersecurity solutions for operational technologies. This work has included the production of templates and guidance to assist in the adoption of these types of technologies, such as data sharing considerations.

APPA went on to note that tools and resources that are specifically intended for small distribution utilities are more likely to be utilized. “Therefore, it would be beneficial for DOE to consider pathways for creating, updating, or promoting these types of materials and resources.”

It would also be beneficial, when it comes to public power utilities, for DOE to consider ways it could partner with the Department of Homeland Security to identify tools and resources that DHS has already created for State, Local, Tribal, or Territorial communities that could be promoted, updated, and utilized by public power utilities, APPA told DOE.

“APPA is very interested in assisting and promoting such an effort within its membership, including bringing members to the table to help shape such products.”

These efforts would need to be complementary, not in place of, individual grant awards to qualifying utility owners and operators to implement solutions they have individually identified, the public power trade group said. “Access to a trusted community-focused forum where best practices can be confidentially shared and learned from would be very valuable for these communities.”

APPA also said the program will provide opportunities for smaller utilities to lean further in on cybersecurity issues to the benefit of their communities and the nation. “The ease of the process and the ability for smaller utilities to meet program requirements will be enormous factors in how much traction this new program is able to generate. To that end, DOE should also seek opportunities to limit the application of cost share or compliance reporting requirements, as these obligations may place an undue administrative burden on smaller utilities and be a significant barrier to participation.”