Critical infrastructure serves Americans year-round, but as winter storms bring snow, ice, and wind to great swaths of the country and our communities are brightened by holiday lights, we are reminded of the importance of securing our energy infrastructure. Within the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), one expert working at the cyber/energy nexus is poised to help advance infrastructure security in America from the ground up. 
Cynthia Hsu is responsible for CESER’s Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) program. RMUC aims to enhance the security posture of rural, municipal, and small private electric utilities and improve their ability to protect against, detect, respond to, and recover from a cybersecurity threat. This work is fundamental to our nation’s infrastructure security.  
Many American households and businesses are powered by large, regulated investor-owned utilities (IOUs). As of 2017, almost three quarters of utility customers purchased or used electricity from these companies. While most people live in large urban areas served by IOUs, the majority of the country is rural and receives power from electric cooperatives and publicly owned utilities. These not-for-profit utilities are essential to sustaining the fabric of American rural life and supporting the energy needs of smaller towns and cities. RMUC will provide $250 million to the utilities powering rural America over the next five years to help them advance their cybersecurity programs, benefiting communities across the country. 
As the leader of this effort at DOE, Cynthia brings a unique background and perspective. Her career has spanned from journalism, social services, and 15 years in academia as a scientist, to risk analysis, technical policy work in Congress, and finally to cybersecurity. With her diverse experience, she is adept at making connections between scientific research or analysis, policy implications, and real-world outcomes.  
When asked if she saw herself ending up in the cyber field, Cynthia is quick to point out career paths aren’t always linear. Sometimes an unexpected progression is best. “You don’t have to know from the start that you’re destined to work in the cybersecurity field,” she says. “I would never have predicted I would have this career, working to help utilities improve their cybersecurity, and I love it. Cybersecurity is a fascinating challenge, combining human behavior, policy, and science. And it’s even more amazing that I get to be part of this historic moment of dramatic change that’s happening in energy."  
Dramatic change is what the RMUC program is out to provide for utilities that might otherwise struggle to address cybersecurity threats. Providing utilities with a leg up financially, and with opportunities to improve staff skills, share best practices and learn from each other, harden systems, improve incident response capabilities, and build stronger relationships with the information sharing community and other key players in the energy security space are primary objectives of the program.  
“They’re ready to make these changes,” Cynthia explains. “These utilities don’t necessarily have access to the cybersecurity training, services, and technical assistance they need, but they want to do this. We can focus RMUC on identifying and filling gaps in what’s currently available so they can accelerate their progress. That potential for having a real impact makes leading this program so exciting.” 
Cynthia recognizes that energy cybersecurity, and infrastructure security overall is deeply connected to the lives of individual people. After all, utilities are operated by individuals, and in the case of rural, municipal, and small IOUs, entire communities have a stake in the success and reliable operation of their local utilities. By empowering and equipping professionals working in utilities across the nation with the knowledge, skills, resources, and technologies needed to bolster their cybersecurity posture, DOE can make great strides toward a more secure grid across the country.

Every utility is starting from a different place, so programs like RMUC must work consciously to be adaptable and capable of understanding where professionals are in their cybersecurity journey. “If you design that path forward strategically, and you develop practical solutions that meet them where they are in cybersecurity maturity and enable them to advance from A to B, you can get everyone to improve. But you can’t ask them to make it across that gap in one big leap,” says Cynthia. 

“Cybersecurity is a process of continuous improvement,” she continues, “not a solution you can purchase and deploy. That to me is the key. Technology is essential but it’s not just about installing new technology. It’s about understanding and utilizing the full suite of staff skills and abilities, the utility’s policies and procedures, and the technology and service options available to implement a cybersecurity program that fits the utility and will reduce the utility’s cybersecurity risks. As the cybersecurity maturity of the utility increases the most appropriate solutions will change.” 
Mitigating risk is the endgame for the RMUC program and for infrastructure security initiatives nationwide. Cynthia Hsu is one of many dedicated professionals working within CESER, and within the broader infrastructure security realm, who are raising the bar to protect and defend our national security in the face of evolving threats.