Submitted Project Plans are also required to include a section on the technical approach to cyber security. Cyber security should be addressed in every phase of the engineering lifecycle of the project, including design and procurement, installation and commissioning, and the ability to provide ongoing maintenance and support. Cyber security solutions should be comprehensive and capable of being extended or upgraded in response to changes to the threat or technological environment. The technical approach to cyber security should include:
- A summary of the cyber security risks and how they will be mitigated at each stage of the lifecycle (focusing on vulnerabilities and impact).
- A summary of the cyber security criteria utilized for vendor and device selection.
- A summary of the relevant cyber security standards and/or best practices that will be followed.
- A summary of how the project will support emerging smart grid cyber security standards.
DOE intends to work with those selected for award but may not make an award to an otherwise meritorious application if that applicant cannot provide reasonable assurance that their cyber security will provide protection against broad-based systemic failures in the electric grid in the event of a cyber security breach.
Hmmmm... Looks like time to find out how these requirements are going to be verified, and to find out exactly how much weight they should have. More to come...