Recently, the Federal Energy Regulatory Commission (FERC) staff published a White Paper detailing what they believe could be new and effective ways of incentivizing utilities to invest more heavily in cybersecurity. Currently, utilities are only required to meet the minimum security level established by the Energy Policy Act of 2005’s Reliability Standards. These Standards are reviewed by the FERC and, once approved, are mandatory and enforceable. Currently, the Standards categorize utilities’ assets as “Low, “Medium,” or “High” in terms of their risk to the entire bulk system power grid. Naturally, the higher the risk, the higher the cybersecurity standard imposed upon the utilities. In order to promulgate these Standards, the FERC has authorized incentives programs for utilities to recover the costs incurred by making securities investments and upgrades.
However, even with these programs in place, the White Paper argues that there still remains a pressing need for more investment by utilities. Among several reasons for this, the staff points out:
- the Standards are results-based, and do not require entities to employ the best practices;
- the Standards generally only cover facilities that are 100kV or higher – not all technology on the grid is covered; and
- the power sector, like many others as a result of COVID-19, is beginning to transition more towards remote work, which may create even more vulnerabilities.
So, how do they get utilities to invest their money into cybersecurity? The Commission will have to establish a new framework that is not just results-based, but focused on the effectiveness of each cybersecurity investment. If the utility’s investment is effective, they can then qualify for incentives. In order to judge the effectiveness of an investment, the White Paper offers two approaches: look for whether the utility (a) over-applied existing Standards into facilities not currently governed by them; or (b) voluntarily implemented parts of the cybersecurity framework adopted by the National Institute of Standards and Technology (NIST). The gist of both approaches is that the utilities will be going above and beyond what is already required of them by the Commission.
In order to receive incentive from the FERC, utilities would then simply apply to the Commission for incentives, showing that they either over-applied some existing Standards (such as those for “High” risk facilities onto “Low” or “Medium” risk facilities) or they adopted the five types of NIST Framework controls:
- automated and continuous monitoring,
- access control,
- data protection,
- incident response, and
- physical security of cyber systems.
Of course, this raises some issues about auditing, and the potential for that investment to become mandated by FERC or even obsolete. Without offering a solution for all of their concerns, the White Paper includes an extensive Request for Comments. Read the full report here.