
Cybersecurity for Smaller Utilities: A Matter of Funding?

August 27, 2024

This blog is contributed by guest author Joy Ditto, a leader in the power industry and strategic advisor to Industrial Defender.

This blog will focus on the smaller electric utilities in the U.S., the nature of their cybersecurity challenges, and the federal funding available to help them meet those challenges. Before delving more deeply into these areas, it’s important to understand what we mean by “small utilities.” Of the approximately 3,000 electric utilities in the United States, the vast majority are small, if we use the definition included in several pieces of federal legislation.

As an example, the Infrastructure Investment and Jobs Act (IIJA) of 2022 makes available $250 million over 5 years via the newly created Rural and Municipal Advanced Cybersecurity Grant and Technical Assistance Program (RMUC) to qualifying utilities that are rural electric cooperatives or municipal utilities, as well as investor-owned utilities (IOUs) that sell less than four million megawatt hours of electricity annually. Allowing for variables such as weather-related energy use (e.g., air conditioners) and other factors, that means utilities selling electricity to fewer than approximately 400,000 homes -- or a mix of homes and businesses -- per year.

With that threshold in mind, approximately 1,975 of the 2,000 not-for-profit, publicly owned electric utilities in the country meet it. The vast majority of the 880 not-for-profit rural electric cooperative utilities also meet this threshold.

By contrast, only a handful of the approximately 160 for-profit, investor-owned utilities would qualify for RMUC funding under the threshold. (Note the deliberate approximations here – recent data is not readily available, but these estimates are based on data collected in the last 20 years that has not shifted substantially.) Put another way, the not-for-profit part of the sector generally includes smaller utilities, while the for-profit side of the sector generally includes larger, often multi-state, utilities serving millions of customers. It’s also important to note that “smaller” utilities range from those providing service to fewer than 100 homes in remote Alaskan villages all the way up to that 400,000-home range.

To state the obvious, within that 100-400,000 customer range is a ton of variability in resources, infrastructure, and digital deployment – and that digital deployment dictates the level of cyber risk each of these smaller utilities faces. Some of these smaller utilities, for example, have not needed to deploy much, if any, significant operational technology (programmable systems or devices that interact with the physical environment, or manage devices that interact with the physical environment, as defined by the U.S. Department of Commerce’s National Institute of Standards and Technology, NIST).

The more complex the operational technology environment is, the more oversight and technical expertise is needed to manage it, whether in-house and/or through outside consultants. For small entities with little to no operational technology on their distribution systems, cyber risk is typically related to their website, billing system, etc. – what is usually referred to as their information technology (IT) – rather than to direct operational exposure. The larger of the small utilities, however, likely have more extensive operational technology, such as supervisory control and data acquisition (SCADA), an industrial control system used heavily within the power sector that monitors, gathers and processes data and applies operational controls over the system to address operational challenges (data integrity, delays, expedient system component communications, etc.), along with general system monitoring including sensors and advanced metering infrastructure, among others. Many utilities fall somewhere in between. Some of these “larger-smaller” utilities are also captured by NERC CIP standards because their distribution systems or local generation facilities could have an impact on the bulk power system. From a cybersecurity compliance standpoint, this puts them in a different posture than their “smaller-smaller” brethren, who are generally not subject to the federal NERC CIP standards.

What they all face, however, whether now or in the future, are changing customer behaviors at the edge of the grid, including from behind-the-meter resources, and the proliferation of electrification. These changes are already resulting in increasingly variable loads that put pressure on existing infrastructure and processes. Unexpectedly high commercial energy demand from data centers in many locations has also created additional challenges for utilities, especially the smaller ones, which serve many of the rural areas where these build-outs are happening. This is on top of the significant increase we see in historically pure distribution systems taking on, or building out their own, distributed energy resources (DER). One solution to many (not all) of these challenges lies in deploying digital technologies that further distribution system optimization. Such operational technology comes with additional cybersecurity risks that must be managed, whether these smaller utilities are part of the bulk power system or not, for the security and resilience of their communities.

Given this current situation, and the continuously evolving environment of systems and threats, the federal government, individual states, and the owners and operators of these smaller utilities themselves have sought ways to aid smaller utilities in addressing their cyber risks now and into the future. Much has been done already – for example, the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) is an existing framework for utilities of all sizes to assess their cyber maturity. Another example is the Department of Homeland Security’s free cyber resources, like monitoring or assessments, for state, local, tribal and territorial (SLTT) governments, including smaller public power utilities. Long-term efforts to incentivize or encourage participation in information sharing centers (e.g., the Electricity Information Sharing and Analysis Center for any electric utility and the Multi-State Information Sharing and Analysis Center for public power utilities) have resulted in significant engagement by smaller utilities. While there have also been successful efforts over the last 15-20 years to financially assist these smaller utilities in addressing their cybersecurity challenges, the level of federal funding made available under the IIJA is unparalleled.

Below is a description of the IIJA funding as well as a significant funding pathway made available for rural electric cooperatives under the federal Farm Bill in 2018.

  • As mentioned above, the DOE RMUC program was authorized under the IIJA for a total of $250 million over five years to provide grants or technical assistance to qualified entities. Through cyber competitions and competitive grants, DOE’s RMUC program awards competitive funding to qualifying entities (electric cooperatives, municipal utilities, not-for-profit entities in a partnership with not fewer than six entities that are electric cooperatives or municipal utilities, or investor-owned electric utilities that sell less than 4,000,000 megawatt hours of electricity per year). The future of this program is likely to be determined by its success during its initial five-year authorization.
  • Section 70612 of the IIJA also authorized the Department of Homeland Security (DHS) State and Local Cybersecurity Grant Program (SLCGP). This program was initially funded for four years at $1 billion (yes, $1 billion with a “b”). The funding flows from DHS through to the states and can be used for public power utilities within the state as subrecipients, given their designation as units of local government. How much is getting to these qualifying public power utilities depends on each state. As with all federal grants, whether allocated at the federal or state level, this program includes certain requirements that may deter some small public power utilities from participating.
  • The 2018 Farm Bill amended the U.S. Department of Agriculture’s Rural Utilities Service loan and loan guarantee programs for co-ops to expand the existing authority provided to certain co-ops and public power utilities for their electric infrastructure needs to cover cybersecurity infrastructure. These loans and loan guarantees for cybersecurity projects can include anything from assessments to hardware and software solutions to training and information sharing.

Other state and local funding may exist for cybersecurity efforts by smaller utilities within their individual states, but given the variability from state to state, we will not touch on those here. And, to mention the obvious again, funding support for smaller utilities, while important, is one tool in the toolbox to address cybersecurity risk. Free resources exist via technical assistance from DHS and others and can be accessed when and as needed. Information sharing and relationships with others in the sector are other important tools in that toolbox. And for those who haven’t started compiling their cyber toolboxes – there are resources to help with that as well. For example, in addition to the earlier referenced DOE C2M2 tool, there are also DHS cyber assessments and the National Institute of Standards and Technology (NIST) cyber framework to help get you started. So can the resources provided by the national trade associations – like the American Public Power Association’s Public Power Cyber Security Resource Guide or the National Rural Electric Cooperative Association’s Rural Cooperative Cybersecurity Capabilities (RC3) Program – both created in partnership with their Sector Risk Management Agency, the Department of Energy.

As our critical infrastructures continue to evolve, so will the threat environment. Getting engaged early and identifying whether or where there may be concerns within your system, today or for future build-outs, are the best options to help ensure resilience for your community. There are many efforts to help you on your path to cybersecurity – from the federal government to others within the electric sector willing to share – so don’t hesitate to start, or further, your journey today.