2025 Cyber Vulnerability Assessment of Lakeland Electric’s Energy Management System

Lakeland Electric, a vertically integrated municipal electric utility owned and operated by the City of Lakeland, Florida, is soliciting proposals from qualified consulting firms to perform a comprehensive Cyber Vulnerability Assessment (CVA) of its Energy Management System (EMS). The assessment must ensure compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standard CIP-010-4 R3, which requires evaluation of security controls effectiveness, identification of exploitable vulnerabilities, and assessment of risk to the Bulk Electric System (BES) reliability.

Lakeland Electric operates critical infrastructure across approximately 256 square miles in Polk County, Florida, including approximately 28 circuit miles of 230kV transmission lines and approximately 135 circuit miles of 69kV sub-transmission lines. The utility maintains 8 synchronous tie lines with three different utilities (Duke Energy Florida, Tampa Electric Company, and Orlando Utilities Commission), owns and operates its own generating units, and operates two medium-impact control centers, seven low-impact BES substations, and one low-impact generating unit. No facilities are rated as high impact.

The CVA deliverables must include identification of vulnerabilities, assessment of the effectiveness of existing security controls, recommendations for mitigation strategies, and suggested improvements to align with NERC CIP requirements while strengthening Lakeland Electric's overall security posture. The consultant must demonstrate expertise in NERC CIP standards, Energy Management Systems, and cybersecurity assessment methodologies.

Key dates: Q&A Deadline - April 8, 2025 at 9:00 PM ET; Proposal Submission Deadline - April 18, 2025 at 6:00 PM ET. Proposals are due by the submission deadline, with detailed evaluation based on the RFP Evaluation Scoresheet criteria. All respondents must comply with indemnification requirements, insurance specifications, safety and occupational health standards, and execute a Non-Disclosure and Confidentiality Agreement as part of the contract.