Navigating the Practicality of Cybersecurity Investment Incentives

When the U.S. Cyberspace Solarium Commission released its findings on the state of cybersecurity in its March 2020 report, it validated what 1898 & Co. has been advising: Baseline security must be elevated. Layered cyber deterrence is required in a way that is commensurate with the level of risk to the electrical grid and our national interests.

Later that year, the Federal Energy Regulatory Commission’s (FERC) Notice of Proposed Rulemaking (NOPR) proposed cybersecurity investment incentives for public utilities. The NOPR is an effort to recognize the increased threat levels posed to the bulk electric system (BES) and provide a pathway for electric utilities to accelerate their countermeasures without the laborious and time-consuming process of regulation review and approval.

The NOPR is a step in the right direction, but there are some practical implications that may inhibit adoption in the way that’s really needed. Here we summarize the NOPR and its proposed incentives while also touching on a few of the issues that may still need to be addressed.

Background and Context

On Dec. 17, 2020, FERC proposed new incentives for qualifying cybersecurity investments by public utilities. In the NOPR, FERC proposed a cybersecurity incentives framework that encourages public utilities to undertake cybersecurity investments on a voluntary basis that go above and beyond North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, consequently improving reliability and resiliency of power systems for the public at large, in addition to enhancing the cybersecurity posture of the bulk power system (BPS).

The new incentives are targeted for cybersecurity investment in information technology (IT) and/or operational technology (OT) networks that a public utility uses to provide services under FERC jurisdiction, as well as transmission facilities.

In the NOPR, FERC proposes two different approaches: one focused on NERC CIP incentives and one focused on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The NERC CIP incentives approach would allow a public utility to receive incentive rate treatment for voluntarily applying identified CIP Reliability Standards to facilities that are not currently subject to those requirements. FERC proposes two separate incentives:

• Medium/High Incentive — This would allow a public utility to receive incentive rate treatment for voluntarily applying the requirements for medium- or high-impact systems to low-impact systems and/or the requirements for high-impact systems to medium-impact systems.
• Hub-Spoke Incentive — This would allow a public utility to receive incentive rate treatment for voluntarily ensuring that all external routable connectivity to and from the low-impact system connects to a high- or medium-impact BES cyber system.

The NIST Framework approach would allow a public utility to receive incentive rate treatment for implementing certain security controls included in the NIST Framework. While that framework contains many types of security controls, FERC limits eligibility for cybersecurity incentives to the types of controls that are most likely to provide a significant benefit to the cybersecurity of the BES as well as the FERC-jurisdictional transmission facilities.

In a June 2020 Notice of Intent, FERC staff identified five types of security controls included in the NIST Framework that may be considered for incentives under the NIST Framework approach:

• Automated and continuous monitoring
• Access control
• Data protection
• Incident response
• Physical security of cyber systems

Commission staff also acknowledged that, given the continuous and rapid changes in cybersecurity risks, FERC will continue to periodically update the types of security controls eligible for incentives. At this time, the NOPR states that it will only consider incentives aligned with automated and continuous monitoring. FERC did, however, state that it may consider additional security control types down the road.

ROE and Regulatory Asset Incentives

Under the NOPR, FERC proposes two separate and distinct incentives: a return on equity (ROE) adder and a regulatory asset incentive for certain capital investments and expenses that go above and beyond the CIP Reliability Standards.

The ROE incentive would allow a public utility that makes eligible cybersecurity capital investments to request an ROE adder of 200 basis points for those eligible cybersecurity investments that are capital investments rather than costs entitled to the other incentive. The regulatory asset incentive would allow a public utility to seek deferred recovery of certain cybersecurity costs that are generally expensed as incurred and to treat them as regulatory assets, while also allowing such regulatory assets to be included in the transmission rate base.

Three categories of expenses would be eligible for the regulatory asset incentive, according to the NOPR:

• Other implementation expenses — This includes expenses such as third-party assessments (e.g., GAP/maturity, risk/threat, vulnerability and firewall assessments) or internal system reviews and initial responses to findings of such assessments (e.g., NIST Framework Protect services such as hardening; segmentation; identity and access management; SIEM implementation, tuning and/or optimization; and malware and patch management).
• Third-party solution expenses — This includes provision of hardware, software and computing networking services.
• Training expenses — This covers training to implement new cybersecurity enhancements undertaken pursuant to this rule.

In all such cases, eligible costs are limited to costs associated with implementing cybersecurity upgrades (capital expenditures, or CAPEX) and do not include operating expenses (OPEX), including system maintenance, surveillance and other labor costs, either in the form of employee salaries or third-party service contracts.

What’s Missing?

While we applaud the first steps offered by FERC through the NOPR, we have identified a few areas we recommend FERC consider for revision:

• It doesn’t go far enough. As noted earlier, FERC staff had previously identified five specific cybersecurity controls that should be incentivized to close a pretty significant gap between where asset owners are today versus a more reasonable risk management position. While we applaud the willingness to engage on the first of those five controls, FERC could put the additional four cybersecurity controls into play in the same way.
• It needs better implementation level guidance. There is potential for confusion, given that the NOPR does not delve into the details for areas of conflict. For example, the NERC CIP incentives encourage asset owners to implement some of the cybersecurity controls that would typically come into play for CIP medium- or high-impact sites at what has traditionally been classified as a CIP low-impact site. But this introduces conflict, because the additional controls at medium/high sites also include requiring personnel to undergo background checks, among other differences. From what we’ve seen, the NOPR remains silent on details such as this, leaving asset owners with questions about what does and does not qualify.
• It needs an approach for addressing OPEX challenges. One of the biggest challenges for critical infrastructure companies is the global talent gap for cybersecurity. Cybersecurity Ventures estimates there will be roughly 3.5 million more cybersecurity jobs than people to fill them in 2021. That issue is only exacerbated within critical infrastructure environments, where extra skill sets come into focus in addition to pure cybersecurity skills. Due to the imbalance, cybersecurity talent is expensive and difficult to retain, which means critical infrastructure companies are increasingly seeking ways to gain access to these talent pools by way of managed security services. Adversaries don’t take a rain check when a business cannot retain highly skilled personnel to implement protections and mitigations; they see that as an invitation to press harder. FERC must determine a way to include managed security services in an upcoming NOPR incentive program.

Bottom Line

While the NOPR takes steps in the right direction, it falls short of achieving cyber resiliency or deterrence for the nation’s grid at a time when there have been multiple intrusions and reports of sophisticated hacking into critical infrastructure systems — SolarWinds, Oldsmar water treatment, Black Hills Energy gas line, and a natural gas compression facility, just to name a few.

Some power utilities will leverage the NOPR to justify further cybersecurity investment while also realizing a positive rate of return. Of the two incentives offered within the NOPR, the NIST Framework approach is favored to rule the day.

Explore how regulatory compliance with NERC CIP Reliability Standards falls short of a minimum viable cybersecurity standard.