Industry
News
Regulation, Standards and Compliance
Utilities: Energy & Power, Water, Waste

FERC proposes incentives for cybersecurity investments by public utilities

December 27, 2020
FERC public utilities

The Federal Energy Regulatory Commission (FERC) recently strengthened its cybersecurity framework for bulk power systems with a proposal for public utilities to secure incentive-based rate treatment for voluntary cybersecurity investments that go beyond mandatory Critical Infrastructure Protection (CIP) Reliability Standards.

It released a Notice of Proposed Rulemaking (NOPR) that recognizes that the energy sector faces numerous and complex cybersecurity challenges at a time of both great change in the operation of the transmission system and an increase in the number and nature of attack methods, FERC said. These increasing risks create challenges in defending the digitally interconnected components of the grid from cyber exploitation.

In June 2020, Commission staff issued a white paper to explore a new framework for providing transmission incentives to public utilities for investments that produce significant cybersecurity benefits for actions taken that exceed the requirements of the CIP Reliability Standards. They also sought comment on an incentive-based framework that could encourage public utilities to adopt best practices to protect their own transmission systems and improve grid security.

Such a framework would allow the electric industry to be more agile in monitoring and responding to new and evolving cybersecurity threats, to identify and respond to a variety of threats, and to address threats with comprehensive and more effective solutions.

The proposed cybersecurity incentives framework would motivate a public utility to adopt cybersecurity practices that would not only better protect its own systems, but also improve the cybersecurity of the bulk power system, according to FERC.

The CIP Reliability Standards currently consist of 12 standards specifying a set of requirements that entities must follow to ensure the cyber and physical security of the bulk power system. There are currently ten effective cybersecurity standards, and one cybersecurity standard that has been approved by the Commission which becomes enforceable on Jul. 1, 2022, FERC said. There is also one physical security standard, which is not the subject of this NOPR.

The incentives would be available for certain investments that voluntarily apply specific CIP Reliability Standards to facilities that are not subject to those requirements and/or implement standards and guidelines from the National Institute of Standards and Technology’s (NIST) voluntary framework for improving critical infrastructure cybersecurity.

NIST is a part of the U.S. Department of Commerce that advances measurement science, standards and technology. The NIST framework was designed to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.

The draft NOPR would allow a public utility to request incentives using any combination of the two proposed approaches. Under the draft NOPR, a public utility that makes cybersecurity investments consistent with the two approaches would be eligible either to apply for a 200 basis-point adder to the return on equity for eligible cybersecurity capital investments and is referred to as the cybersecurity ROE incentive, or enable a public utility to seek deferred cost recovery for certain expenses related to cybersecurity investments and is referred to as the Regulatory Asset Incentive.

The draft NOPR also states that public utilities would have to receive either incentive, and would require an annual informational filing, FERC said.

Deferred cost recovery would be allowed for three categories of expenses: expenses associated with third-party provision of hardware, software and computing networking services; expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments, according to FERC.

Prior or continuing costs would not be eligible for incentives, and deferred regulatory assets whose costs are typically expensed would be amortized over a five-year period. Public utilities seeking to implement the proposed incentives must obtain prior Commission approval, and the proposed rule would impose initial and annual reporting requirements.

Comments on the NOPR are due 60 days after publication in the Federal Register, with reply comments due 30 days later.

In March, the FERC posted a notice of inquiry to the Federal Registry inviting comments on the potential benefits and risks associated with the use of virtualization and cloud computing services in association with bulk electric system operations. It also sought to look into whether barriers exist in the Commission-approved CIP Reliability Standards that impede the voluntary adoption of virtualization or cloud computing services.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations