Unlocking Cybersecurity: How Federal Incentives Could Bolster Utilities’ Defenses

Federal Incentives Could Help Utilities Overcome Major Cybersecurity Hurdle: Money

New Rule and Incentive Framework

Starting next month, electric utilities in the United States may be able to fund cybersecurity investments through consumer electric bills. This move aims to assist resource-poor utilities in protecting themselves against malicious hackers. The Federal Energy Regulatory Commission (FERC) has introduced a new voluntary cyber incentive framework, as required by the bipartisan Infrastructure Investment and Jobs Act passed under the Biden administration. This framework will allow utilities to apply for incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program.

The Challenge of Limited Resources

A lack of funding has been one of the significant hurdles for critical infrastructure owners and operators in implementing robust cybersecurity measures. Utilities have been hesitant to invest in cybersecurity due to financial constraints, as their rates are heavily regulated and they cannot easily pass on the expenses to ratepayers. Public utility commissions, responsible for approving rate increases, are typically unwilling to approve such increases unless they directly contribute to the generation and delivery of power to customers. However, the response from these commissions to new cyber investments is still unknown and varies by state.

Ron Fabela, field CTO at cybersecurity firm XONA Systems, emphasizes that the new rule will remove financial barriers for utilities, allowing them to invest in cybersecurity without burdensome budget constraints. It signals to public utility commissions that utilities can seek rate relief from their customers if they invest in cybersecurity.

The Importance of Federal Cybersecurity Mandates

The new rule comes at a time when the federal government is actively exploring ways to improve cybersecurity across critical infrastructure sectors. The National Cybersecurity Strategy released recently establishes goals for the administration to pursue more cybersecurity regulations for critical infrastructure.

The electric sector is already regulated by FERC, an independent agency under the Energy Department, and the North American Electric Reliability Corp. (NERC), an international nonprofit corporation. FERC can direct NERC to develop specific standards to mitigate cybersecurity threats, considering input from industry stakeholders. NERC then enforces these rules through regular audits and fines. However, this process can be time-consuming, taking years from concept to enforcement. This delay raises concerns, as cyber threats evolve rapidly, often outpacing policy.

The voluntary cyber incentive framework aims to address this challenge by providing a carrot-and-stick approach. While NERC standards are not always mandatory and enforceable, the framework allows utilities to seek rate recovery for investments that improve their cybersecurity posture, even before the regulations become mandatory. This flexibility enables utilities to respond to emerging threats more effectively.

Expert Perspectives

Jason D. Christopher, director of cyber risk at industrial cybersecurity firm Dragos, acknowledges the limitations of solely relying on mandatory regulations to improve cybersecurity. He emphasizes that the incentive framework provides utilities with the necessary flexibility and funding to proactively invest in cybersecurity measures, even before regulatory requirements are fully in place.

Christopher highlights the significance of pre-qualified investments such as internal network security monitoring. This investment aligns with the NERC drafting team’s proposed rule, which requires utilities to have robust internal network security monitoring to detect potential attackers. The incentive framework allows utilities to receive assistance and incentives for implementing these measures before they become mandatory.

FERC has noted that it will evaluate the pre-qualified investment list periodically and consider additional controls and recommendations from federal agencies, such as the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Energy (DOE), to further enhance the cybersecurity posture of utilities.

Editorial: Enhancing Cybersecurity in Critical Infrastructure

The introduction of the voluntary cyber incentive framework from FERC is a significant step toward strengthening cybersecurity in the electric utility sector. By providing utilities with the means to invest in cybersecurity and offering financial incentives, the framework seeks to bridge the gap between limited resources and robust defense against cyber threats.

However, it is crucial to consider the broader implications of relying on incentives rather than mandatory regulations. While financial incentives can help utilities make necessary investments, they should not be seen as a substitute for comprehensive cybersecurity regulations. It is essential for the federal government to continue working on enforcing mandatory standards and regulations, enhancing the cybersecurity posture of critical infrastructure entities.

The Need for Timely Regulations

As mentioned earlier, the slow pace of policy development and enforcement by NERC has been a cause for concern among experts. Cyber threats evolve rapidly, and waiting for years for regulations to be implemented can leave critical infrastructure vulnerable. The voluntary cyber incentive framework is a step toward addressing this concern, allowing utilities to proactively invest in cybersecurity measures before they become mandatory. However, it is crucial to strike a balance between agility and regulatory rigor to ensure timely and effective cybersecurity measures across critical infrastructure sectors.

Collaboration and Information-Sharing

Another important aspect of enhancing cybersecurity in critical infrastructure is fostering collaboration and information-sharing. Joining threat information-sharing programs, as encouraged by the new rule, enables utilities to stay updated on emerging threats and proactive defense strategies. Sharing best practices, threat intelligence, and lessons learned among utilities and cybersecurity firms will strengthen the overall resilience of the electric utility sector.

Advice for Utilities and Policy Makers

For Utilities:
1. Leverage the new incentive framework: Utilities should take advantage of the voluntary cyber incentive framework to access funding for cybersecurity investments. By making a strong case for pre-qualified investments and demonstrating how they would improve their security posture, utilities can receive financial relief and better protect their infrastructure and customers.
2. Align with industry standards and best practices: Utilities should stay informed about evolving cybersecurity standards, particularly those developed by NERC, NIST, and other federal agencies. Implementing internal network security monitoring and adopting recommended controls will enhance their defensive capabilities.

For Policy Makers:
1. Enhance mandatory regulations: While financial incentives play a crucial role, mandatory regulations are necessary to ensure comprehensive cybersecurity in critical infrastructure. Policy makers should prioritize the development and enforcement of effective cybersecurity regulations that keep pace with evolving cyber threats.
2. Streamline regulatory processes: To mitigate the delay between policy development and enforcement, policy makers should work to accelerate the implementation of cybersecurity regulations. By streamlining the regulatory processes and ensuring prompt adoption of new standards, the government can effectively address emerging cyber threats and protect critical infrastructure.

In conclusion, the new voluntary cyber incentive framework from FERC provides a valuable opportunity for utilities to invest in cybersecurity and overcome financial barriers. By combining financial incentives with timely regulatory action and enhanced collaboration, the electric utility sector can strengthen its defenses against cyber threats, safeguarding critical infrastructure and ensuring the reliable delivery of electricity to the nation.
