On April 16, my old office at the Department of Energy announced the release of its latest Cybersecurity for Energy Delivery Systems (CEDS) R&D Funding Opportunity Announcement (FOA). Click here for article.
The FOA identifies five topic areas:
- Redesign for Cyber-resilient Architecture – Electric and Oil and Natural Gas (ONG) Subsectors
- Cybersecurity for the Oil and Natural Gas (ONG) Environment
- Cybersecure Communications
- Cybersecure Cloud-based Technologies in the Operation Technology (OT) Environment
- Innovative Technologies that Enhance Cybersecurity in the Energy Sector
The FOA also notes:
DOE expects to make Federal funding in the amount of $25,000,000 available for new awards under this FOA. DOE estimates between 5 and 10 new awards under this FOA, depending on the size of the awards.
While the maximum award size (i.e., the ceiling) is $4,000,000, not including cost share, DOE anticipates that the majority of the awards will be in the $2,000,000 to $3,000,000 range, not including cost share, for the total project period.
A short history
The announcement fails to mention a critical piece of background information: the Roadmap to Achieve Energy Delivery Systems Cybersecurity led to the creation of the CEDS R&D program. It is common practice for new administrations to minimize or re-brand successful programs established in previous administrations; I believe it is critical to understand what led to the highly successful CEDS R&D program.
The first Roadmap to Achieve Energy Delivery Systems Cybersecurity was published in 2006 and updated in 2011. Its focus was energy delivery systems, or ICS – not IT cybersecurity. DOE implements its management role in Roadmap activities through the Cybersecurity for Energy Delivery Systems (CEDS) R&D program.
The Roadmap’s Vision Statement is: Design, install, operate, and maintain resilient energy delivery systems that survive a cyber incident while sustaining critical functions. It represents the Energy Sector’s synthesis of energy delivery systems security challenges, R&D needs, and implementation milestones. It provides the strategic framework for industry partners to:
- Align activities to sector needs
- Coordinate public and private programs
- Stimulate investments in energy delivery systems security
Why focus only on ICS?
Because in 2006 – and to a large extent, even today – there were lots of IT cybersecurity companies and most of their solutions would not work in the ICS environment. Also, most electric utilities do not have an R&D budget. So, DOE uses taxpayer dollars to help fill this gap.
DOE, in partnership with DHS, facilitates the Roadmap activities, but the strategies and priorities are the Energy Sector’s. What does this mean? It means that the results of these R&D projects will actually be used.
All of the industry-focused projects require cost share from the winning vendor. For example, if an ABB proposal is selected and DOE funds the project with $2 million, ABB kicks in $2 million. Most of the time, the vendor cost share is met with in-kind support from its employees.
Routinely, the winning vendor also partners with an owner/operator or two from the Electricity or Oil and Natural Gas Subsectors to participate in the project; they help design and test the solution in their ICS networks. In the end, they all have skin in the game, the technology addresses a Roadmap goal and the Energy Sector is more cyber secure.
Since 2010, DOE-OE has invested more than $240 million in cybersecurity research, development and demonstration projects that are led by industry, universities and National Labs. Since then, more than 35 new tools and technologies that DOE investments helped support are now being used to improve the security and resilience of the Nation’s energy delivery systems. More information about these projects is available here.