Analysis
News
Regulation, Standards and Compliance
Utilities: Energy & Power, Water, Waste

FERC publishes final rule, provides incentives for advanced cybersecurity investment

May 04, 2023
FERC publishes final rule, provides incentives for advanced cybersecurity investment

The Federal Energy Regulatory Commission (FERC) published a final rule revising its regulations to provide incentive-based rate treatment for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities. The move will benefit consumers by encouraging investments by utilities in advanced cybersecurity technology and participation by utilities in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.

Effective July 3, the FERC is issuing this final rule to comply with FPA section 219A(c). The voluntary cybersecurity incentive-based rate treatment is for the purpose of benefiting consumers by encouraging cybersecurity investments in advanced cybersecurity technology and in participation in cybersecurity threat information sharing programs.

The Commission revises its regulations to establish rules for incentive-based rate treatment for certain voluntary cybersecurity investments by utilities as described in this final rule, a Federal Register notice published Wednesday disclosed. “These rules make incentive-based rate treatment available to utilities that make voluntary cybersecurity investments in advanced cybersecurity technology that enhance their security posture by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat and to utilities that participate in cybersecurity threat information sharing programs.” 

FERC said in its notice that it establishes a regulatory framework for utilities to request incentive-based rate treatment for certain voluntary cybersecurity investments. Under this framework, the Commission identifies the utilities permitted to request incentive-based rate treatment for cybersecurity investments. It also establishes the criteria that the Commission will use to determine whether a cybersecurity investment is eligible to receive an incentive-based rate treatment, and discusses the approaches that a utility may use to demonstrate that a cybersecurity investment satisfies the eligibility criteria. 

The framework also explains the types of incentive-based rate treatments available for qualifying cybersecurity investments, sets limits on the duration of the incentive-based rate treatment, describes what utilities must include in their applications for incentive-based rate treatment for cybersecurity investments; and establishes the annual reporting requirements for utilities that receive incentive-based rate treatment for their cybersecurity investments.

Advanced cybersecurity technology can be a product and/or a service, which can be used for IT systems and/or OT (operational technology) systems. These cybersecurity products can include, but are not limited to, security information and event management systems, intrusion detection systems, anomaly detection systems, encryption tools, data loss prevention systems, forensic toolkits, incident response tools, imaging tools, network behavior analysis tools, access management systems, and any system for access control, identification, authentication, and/or authorization control.

The cybersecurity services may be either automated or manual and can include, but are not limited to, system installation and maintenance, network administration, asset management, threat and vulnerability management, training, incident response, forensic investigation, network monitoring, data sharing, data recovery, disaster recovery, network restoration, log analytics, cloud network storage, and any general cybersecurity consulting service.

The FERC has been directed to identify incentive-based rate treatments that could support participation by public utilities in cybersecurity threat information sharing programs, the Federal Register notice identified. “Utilities face barriers to participating in cybersecurity information sharing programs, such as the high costs associated with implementing monitoring technology and maintenance of sensor technology, the amount of time and effort required to share information, incurring fees to participate in cybersecurity threat information sharing programs, and concerns regarding the confidentiality of the information once shared,” it added.

Last month, the FERC authorized incentive rate treatment for utilities making certain voluntary cybersecurity investments. The rule follows Congress’ direction under the IIJA of 2021 that the Commission revise its regulations to establish incentive-based rate treatments to encourage utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs for the benefit of consumers.

The FERC final rule comes after the September 2022 issue of a Notice of Proposed Rulemaking (NOPR) to establish rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments. The Commission also analyzes the participation of utilities in cybersecurity threat information-sharing programs.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights