Starting next month, utilities around the country may be able to fund certain cybersecurity investments through increases in consumer electric bills, a move that could help resource-poor owners and operators better protect themselves against malicious hackers.
A new voluntary cyber incentive framework from the Federal Energy Regulatory Commission that was required by the Biden administration’s bipartisan Infrastructure Investment and Jobs Act will allow utilities to make the case for receiving an incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program.
The new rule also helps address one of the biggest issues for critical infrastructure owners and operators: a lack of money to invest in cybersecurity.
“It’s about removing the excuses and one of the huge excuses for anyone in the utility space to do anything with cyber has to do with resources and dollars,” said Ron Fabela, field CTO at cybersecurity firm XONA Systems. “Whether it’s an investor-owned utility or a local co-op, they are still beholden to the approved rates for power and that rate is heavily regulated and they can’t necessarily go to the ratepayer — you and me — to cover all their expenditures.”
For instance, in most states public utility commissions are unlikely to approve a rate increase unless it is directly tied to the ability to generate and deliver power to customers, said Fabela. The requirements vary from state to state, but nearly all involve an arduous process, and how the commissions will respond to new cyber investments is still an open question, he said.
“This is essentially telling the public utility commissions that utilities that wish to invest in cybersecurity in these areas and these ways can effectively get rate relief from their customers,” Fabela said.
The new rule, which goes into effect July 3, comes as the federal government is grappling with ways to add cyber mandates for critical infrastructure and to help “target rich, cyber poor” owners and operators improve their digital defenses. Additionally, the recently released National Cybersecurity Strategy outlined goals for the administration to pursue more cybersecurity regulations for critical infrastructure.
The electric sector is already regulated by FERC, an independent agency under the Energy Department, and the North American Electric Reliability Corp., an international nonprofit corporation. FERC can tell NERC to develop a certain standard to mitigate a threat with input from industry. Once NERC develops new rules, FERC considers whether to implement them. NERC then acts as the enforcer with regular audits and fines.
However, that process can take years from concept to enforcement. The slow pace of NERC rule-makings has been a common concern among experts, since cyberthreats can quickly outpace policy. The cyber incentives plan could help utilities adapt to new threats at a faster pace, experts say.
“There’s the carrot and the stick and sometimes the stick is going to have limitations,” said Jason D. Christopher, director of cyber risk at industrial cybersecurity firm Dragos. “If NERC CIP hasn’t made it mandatory, enforceable, then it’s harder for utilities to get rate recovery and it’s hard for them to necessarily fund the initiative and this provides that flexibility.”
For instance, one of the two pre-qualified investments is internal network security monitoring, which is also the subject of a new standard the NERC drafting team is exploring. That proposed rule would require covered utilities to have internal network security monitoring within environments that impact the bulk electric system. However, that rule is still in an early phase, and it will likely be years before the standard is in place.
“So, we’re talking about years of a period where there’s not going to be a mandatory regulation in place for internal network security monitoring, which is — in our [operational technology] context — how we detect whether or not attackers are in our systems,” said Christopher. “The incentives order says, ‘Hey, if you want to do this before it’s mandatory, enforceable, we will help you with that and will provide an incentive in those areas.’”
So far, only internal network security monitoring and joining an ISAC are on the pre-qualified list of investments. However, FERC plans to allow case-by-case incentives, where a utility can make the case for why an investment would “materially improve a utility’s security posture.”
Additionally, FERC would consider additional controls from the National Institute of Standards and Technology catalog of “security and privacy controls for information systems and organizations,” the technical subcategories of NIST’s cybersecurity framework, and specific recommendations from federal agencies such as CISA, the FBI, the National Security Agency, or DOE.
Other potential investments have yet to be defined as the commission needs “a high degree of confidence that such items will likely materially improve cybersecurity for all utilities,” according to the rule. FERC will re-evaluate the pre-qualified investment list “from time to time.”