The State of Industrial Control System Cybersecurity Training


Summary

The State of Industrial Control System Cybersecurity Training opportunity will support market research to better understand the current and future industrial control systems (ICS) and operational technology (OT) cybersecurity workforce landscape and needs. The program will focus on three efforts: defining the state of workforce development and training, understanding workforce needs and pipeline, and informing the development of a cybersecurity workforce strategic plan. Approximately $160k will be funded through 1-2 awards.

Information

Description

The State of Industrial Control System Cybersecurity Training Opportunity seeks to understand the current and future ICS/OT cybersecurity workforce landscape and requirements to inform the development of a cybersecurity workforce strategy. The stated mission of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is to strengthen the security and resilience of the U.S. energy sector from cyber, physical, and climate-based risks and disruptions. To advance this mission, CESER is developing a cybersecurity workforce strategy to identify areas for investment that will increase the cybersecurity capabilities of the existing energy sector workforce, and to increase the pool of potential employees equipped with the appropriate cybersecurity knowledge, skills, and abilities (KSAs) to work in the energy sector.

To effectively build this cybersecurity workforce strategy, CESER requires awareness of the current market of ICS/OT cybersecurity training programs, courses, and other workforce development efforts currently available. Further, CESER needs additional information around the current pipeline and the KSAs that the energy sector is seeking in cybersecurity professionals. This market research will inform the development of a 3–5-year strategy that will be used to prioritize financial investments to accomplish CESER’s cybersecurity workforce goals.

Objective

The objective of this Opportunity is to fund proposals from performer(s) with knowledge of ICS/OT cybersecurity workforce training and development programs that currently support the energy sector or could potentially expand to serve the energy sector. Performer(s) could be: government, nonprofit, or private sector organizations focused on workforce development in the energy sector; recruiting offices that specialize in ICS/OT cybersecurity talent in the energy sector; or labor market consultants that specialize in the energy sector or ICS/OT cybersecurity.

This opportunity will fund three related efforts:

  1. State of Workforce Development and Training – Identifying existing workforce development mechanisms focused on improving an employee’s ICS/OT cybersecurity skills and abilities, including but not limited to:
    1. internships, apprenticeships, cybersecurity clinics, and other skills-based on-the-job training programs;
    2. competitions, e.g. capture-the-flag, red team-blue team exercises, cyber ranges;
    3. training courses, degrees, and/or certifications offered by academic, nonprofit, for-profit, and vendor/original equipment manufacturers; and
    4. other types of workforce development methods in use for the energy sector or that could be adapted for use in a workforce development program for the energy sector.
    This effort is limited to existing and commercial-off-the-shelf mechanisms and will not consider proposals to develop new offerings. Examples of existing delivery mechanisms and programs do not need to be exclusively for the energy sector but must include or focus on ICS/OT cybersecurity. Any examples that are specific to the energy sector should be highlighted.
    CESER is also interested in understanding whether any of the existing efforts are focused on tribal communities, or include an explicit component aimed at increasing diversity, equity, inclusion, and accessibility among the ICS/OT cybersecurity workforce.
    1. Sub-Effort 1.a: Selected performer(s) will utilize only methods that do not require direct contact, for example internet searches, reports, and other passive methods, to identify existing workforce mechanisms. The performer(s) will provide the following lists. Each list must include the source of the information provided, a link if available, a description of the workforce mechanisms being offered and target audience(s) for the program (e.g. job role, skill level, type of organization, demographics, etc.), and a date or date range indicating when the entity made the information available and whether the performer believes the information is still active and valid.
      1. Providers of commercially available ICS/OT cybersecurity workforce development and training;
      2. Academic programs that include ICS/OT cybersecurity;
        1. Two-year programs and those located in rural and/or tribal communities should be highlighted
      3. Not-for-profit organizations and programs providing ICS/OT cybersecurity workforce development and training;
      4. Original equipment manufacturers that provide ICS/OT cybersecurity training associated with their products/services;
      5. Security vendors and service providers that provide ICS/OT cybersecurity workforce development and training;
      6. Government agencies (military and civilian) that provide ICS/OT cybersecurity workforce development and training, including but not limited to DOE, FBI, DHS/CISA, DoD (e.g. National Guard), etc.;
        1. Including information on whether veteran participation is a focus.
      7. Federally Funded Research and Development Centers (FFRDCs) and national laboratories that provide ICS/OT cybersecurity workforce development and training;
      8. Other public sector entities, e.g. non-energy utilities, manufacturing, libraries, etc., that provide ICS/OT cybersecurity workforce development and training;
      9. Other private sector entities, e.g. trade organizations, energy markets, manufacturing, non-energy utilities, insurance companies, financial companies, etc., that provide ICS/OT cybersecurity workforce development and training.
    2. Sub-Effort 1.b: Selected performer(s) will provide answers to the following questions:
      1. Which of the workforce development efforts identified in 1.a above support new job opportunities and/or upskilling/reskilling the existing workforce to transition into ICS/OT cybersecurity?
      2. Who is providing ICS/OT cybersecurity workforce transition programs for specific energy industries, for example electric, oil, natural gas, energy markets, energy regulators, renewable energy, distributed energy, storage, etc.?
      3. Who is providing ICS/OT cybersecurity training or workforce development programs that include a focus on veterans, women, elderly/retired, minorities, neurodivergent, or other disadvantaged communities?
  2. Workforce Needs and Pipeline – Understanding current and future ICS/OT cybersecurity workforce needs and pipeline. Performer(s) will develop three related reports with information on small (fewer than 50 employees), medium (50-300 employees), and large (more than 300 employees) organizations. Some of the goals of this effort are to understand: Where does the energy sector hire ICS/OT cybersecurity talent from? When ICS/OT employees leave the energy sector where do they go? What are the requested skills/abilities energy sector employers are seeking in a new ICS/OT employee and do these differ by energy vertical (electric, oil, natural gas, renewable energy, distributed energy resources, etc.)? How do current employers train their ICS/OT employees? How long do ICS/OT employees stay with an employer? What are the current pay rates?
    The performer(s) will provide the following within a date range to be determined:
    1. Raw data and summary analysis of job descriptions of energy sector ICS/OT cybersecurity employment positions that are filled and open.
    2. Raw data and summary analysis of how long ICS/OT cybersecurity employees stay with their current employer grouped by employer/job role categories.
    3. Raw data and summary analysis of energy sector ICS/OT cybersecurity salaries currently offered by organizational chart categories such as entry-level, mid-level, senior, and/or by job description/skills.
    4. Raw data and summary analysis of required and preferred experience and KSAs for entry-level, mid-level, and senior ICS/OT cybersecurity positions from job descriptions and job announcements.
    5. Raw data and summary analysis of on-the-job training provided by current employers and categorization of the training as knowledge-based and/or skills/abilities-based.
    6. Summary analysis of most frequently requested KSAs for different energy subsectors (electric, oil, and natural gas) and renewable energy providers (wind, solar, geothermal, etc.) for ICS/OT cybersecurity positions.
    7. Raw data and summary analysis of the sequence of employers and jobs held by currently employed ICS/OT employees in the energy sector, information on current and former job roles and job descriptions, and how long they stayed with each of their former employers.
  3. Cybersecurity Workforce and Strategic Plan – Identifying needs in the ICS/OT cybersecurity training and workforce development landscape in the energy sector; and contributing recommendations and language for CESER’s Cybersecurity Workforce Strategic Plan. The performer(s) will support plan development by:
    1. Conducting and delivering a gap analysis that identifies needs in the ICS/OT cybersecurity training and workforce development landscape in the energy sector; and
    2. Developing recommendations and contributing language to the workforce strategic plan resulting from the market assessment results.

Proposals can be submitted to address one or more of the efforts above. CESER anticipates designating 1-2 awards for a total of approximately $160k.

It is expected that the period of performance for selected performer(s) will be 6 months, with the ability to add a one-time 3-month no cost extension.

How to Participate

  1. Recommended: View the prerecorded Informational Webinar/Objective Strategic Session
  2. Recommended: Attend the Office Hours on December 11, 2024 at 2:00 pm ET
  3. Required: Download and fill out the Project Narrative Template:
    Download Project Narrative Template
  4. Required: Complete the submission and upload here:
    Submit by December 23, 2024 5:00 PM ET

Important Dates

Opportunity Announcement

November 13, 2024

Prerecorded Informational Webinar/Objective Strategic Session

Posted November 19, 2024

Informational “Office Hours” Session

December 11, 2024 at 2:00 pm ET

Submission Deadline(s)

December 23, 2024 at 5:00 pm ET

Process Details

Timeline(s)

Phase 1) Submissions Open from November 13, 2024 – December 23, 2024

Phase 2) DOE Selection is expected in February 2025: DOE will review submissions based on relevance to the program objectives and review criteria and notify selected entities for next steps. Note that DOE may choose to meet with submitters or ask additional clarifying questions prior to selection.

Phase 3) Negotiations will occur for approximately two months after selections are made: Selected organizations will meet with TechWerx to negotiate work, budget, timing, and impact.

Eligibility & Review Criteria

Review Criteria

  1. Technical Expertise and Approach (55% total; breakdown below)
    1. Are the phases of work reasonable, comprehensive, and presented in a logical order? (5%)
    2. Will the categories of data collected and the analysis results provide comprehensive and novel insights into ICS/OT cybersecurity workforce and training opportunities and/or workforce needs and an understanding of the workforce pipeline? (15%)
    3. Were the methods of analysis appropriate for the type(s) of data collected? (10%)
    4. Will the proposed final products meet the objectives described in the Opportunity Announcement? (15%)
    5. Do the applicant’s examples of past performance demonstrate the relevant technical expertise to meet the objectives described in the Opportunity Announcement? (10%)
  2. Data Security Plan (10%)
    1. Are the applicant’s data security practices appropriate for the sensitivity of the data and analyses conducted?
  3. Budget and Milestones (20%)
    1. Performer(s) are expected to complete the work within budget and in a 6-month timeframe, with the option of a one-time 3-month no-cost extension. Has the applicant demonstrated the ability to complete the proposed work within the proposed budget and on time?
  4. Project Team Composition (15%)
    1. Does the project team include all necessary performer roles and relevant work experience?

Eligible performers meet the following criteria:

  1. Applicant qualifies as a domestic entity [1]
  2. Applicant must certify it is not owned by, controlled by, or subject to the jurisdiction or direction of the government of a Country of Risk [2]
  3. Ineligible entities for this solicitation are:
    1. Individuals
    2. Foreign Entities
    3. Persons participating in a Foreign Government-Sponsored Talent Recruitment Program of a Foreign Country of Risk are prohibited from participating in projects selected for federal funding under this Opportunity. Should an award result from this Opportunity, the recipient must exercise ongoing due diligence to reasonably ensure that no individuals participating on the DOE-funded project are participating in a Foreign Government-Sponsored Talent Recruitment Program of a Foreign Country of Risk. Consequences for violations of this prohibition will be determined according to applicable law, regulations, and policy. Further, the recipient must notify DOE within five (5) business days upon learning that an individual on the project team is or is believed to be participating in a foreign government talent recruitment program of a foreign country of risk. DOE may modify and add requirements related to this prohibition to the extent required by law. [3]

DOE retains the prerogative to require additional information from the applicants to verify the applicant meets the eligibility requirements. Further, DOE retains the prerogative to decide whether to fund the proposed project entirely, partially, or not at all.

[1] To qualify as a domestic entity, the entity must be organized, chartered or incorporated (or otherwise formed) under the laws of a particular state or territory of the United States; have majority domestic ownership and control; and have a physical place of business in the United States.

[2] DOE defines Country of Risk to include China, Russia, North Korea, and Iran. This list is subject to change.

[3] Foreign Government-Sponsored Talent Recruitment Program is defined as an effort directly or indirectly organized, managed, or funded by a foreign government, or a foreign government instrumentality or entity, to recruit science and technology professionals or students (regardless of citizenship or national origin, or whether having a full-time or part-time position). Some foreign government-sponsored talent recruitment programs operate with the intent to import or otherwise acquire from abroad, sometimes through illicit means, proprietary technology or software, unpublished data and methods, and intellectual property to further the military modernization goals and/or economic goals of a foreign government. Many, but not all, programs aim to incentivize the targeted individual to relocate physically to the foreign state for the above purpose. Some programs allow for or encourage continued employment at United States research facilities or receipt of federal research funds while concurrently working at and/or receiving compensation from a foreign institution, and some direct participants not to disclose their participation to U.S. entities. Compensation could take many forms including cash, research funding, complimentary foreign travel, honorific titles, career advancement opportunities, promised future compensation, or other types of remuneration or consideration, including in-kind compensation.

Webinar(s) and Resources

  1. SICSCT Slide Deck 11.19.2024
  2. SICSCT Transcript 11.19.2024