OT Cyber Coalition responds to FERC NOPR on advanced cybersecurity investments

The Operational Technology Cybersecurity Coalition (OT Cyber Coalition) has responded to a Notice of Proposed Rulemaking (NOPR) that the Federal Energy Regulatory Commission (FERC) issued in September on establishing rules that provide incentive-based rate treatment for utilities making certain voluntary cybersecurity investments.

The OT Cyber Coalition responded to the NOPR to inform FERC's decision-making on how it governs the way utilities determine whether cybersecurity investments will qualify for incentives. It also covered the criteria FERC might consider in developing its potential 'pre-qualified' expenditures list (PQ List).

The NOPR presents multiple solutions to its incentive-based rate treatments, including a solution in which electricity providers will be offered a PQ List that includes both expenditures associated with participation in DOE’s Cybersecurity Risk Information Sharing Program (CRISP), and expenditures that would ‘materially improve cybersecurity,’ Andrew Howell, OT Cyber Coalition, wrote in the filing.

“This solution expedites review by FERC because it gives utilities the clarity of knowing what expenditures will be accepted, thereby making adjudication easier for all parties. However, this approach requires the opening of a rulemaking process to add new technologies, which is a time-intensive process,” according to Howell. “The OTCC is concerned that a slow process to add new advanced cybersecurity technologies to the PQ List would mitigate the security benefits of the tremendous innovation taking place in the technology community.” 

Howell also wrote that in the view of the OT Cyber Coalition, FERC should allow applicants to use either the PQ process or the case-by-case process. “By taking this step, the Commission could benefit from a fast process under the PQ List while also giving utilities that want to access the latest and greatest advanced cybersecurity technologies on a case-by-case basis. Further, once FERC determines some type or category of technology has been requested by multiple applicants in the case-by-case process, it can then open a rulemaking to move that technology onto the PQ List.”

The OT Cyber Coalition is a diverse group of industrial control system (ICS) and OT cybersecurity vendors, founded by Claroty, Forescout, Honeywell, Nozomi Networks, and Tenable. The companies have aligned to improve the cybersecurity of OT environments, to build a strong, effective approach to securing collective defense using an open, vendor-neutral approach that allows for diverse solutions and information sharing without compromising cybersecurity defenses.

The OT Cyber Coalition can envision a situation in which utilities with significantly advanced cybersecurity technology needs will appreciate the ability to have some critical mass of technology on the PQ List so that they can quickly move ahead with technology deployment, Howell said. “We can also envision utilities with a more mature cybersecurity program wanting to deploy tools that are not yet on the PQ List. An approach which enables both the PQ List and case-by-case approaches would allow entities at different levels of cybersecurity maturity to further enhance their cybersecurity in the way that works best for them.”

Howell points out that FERC Commissioner Willie L. Phillips notes in his concurring memorandum that 75 percent of electricity customers in the continental United States are already served by utilities that participate in CRISP, potentially limiting the number of utilities that could participate under that allowance on the PQ List. “While this will require FERC to develop two adjudication processes, it provides maximum flexibility for utilities to determine what advanced cybersecurity solutions work best in their risk management environment,” he adds. 

If FERC decides to proceed with developing a PQ List, the OT Cyber Coalition urges “the Commission to make sure the list encourages the deployment of vendor-neutral and interoperable technologies and systems that provide asset and network visibility, indicators of compromise, threat detections, and warnings with actionable intelligence,” according to Howell.

Addressing the list of considerations for ICS/OT cybersecurity monitoring technologies released by the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), Howell said that the OT Cyber Coalition believes that these represent a good start in considering which technologies to deploy on ICS and OT networks. 

To expand that list, Howell adds technologies that discover and maintain an updated asset inventory of critical systems core to maintaining safety and resiliency that draw on industry-recognized and supported standards, including CIS CSC, ISA/IEC 62443, NIST SP 800-53, and NIST SP 800-82. He also incorporates technologies that include continuous threat and vulnerability intelligence feeds focused on the access, exploitation, and protection of ICS and OT environments and entities.

Howell also includes technology with analytic and detection capabilities that are dynamically updatable, whether on-premises or cloud-based, leveraging timely, validated, and trusted external or internal threat intelligence. This technology works through a repository of known vulnerabilities and exposures of assets core to maintaining safety and resilience that, to the extent possible, leverage CVSS Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics as outlined by the National Vulnerability Database scoring methodology.
