ERO Backs Latest FERC Cyber Incentives Proposal
NERC and the REs expressed support for FERC's proposal to incentivize voluntary cybersecurity investments, while urging it to also build on existing standards.

NERC and the regional entities this week expressed support for FERC’s proposal to incentivize utilities for voluntary cybersecurity investments, while urging the commission to ensure that its final plan “build upon and complement the cybersecurity standards [already] in place” (RM22-19).

The ERO’s comments came Monday in response to the Notice of Proposed Rulemaking that the commission issued in September. FERC suggested a 200-basis-point incentive for expenses and capital investments that “materially improve” a utility’s cybersecurity posture and are not already required by NERC’s Critical Infrastructure Protection (CIP) standards or local, state or federal law. (See FERC Reluctantly Proposes Cybersecurity Incentives.) Expenses for participating in cybersecurity threat information-sharing programs would also be covered.

In their response, NERC and the REs did not “take a position on the necessity, amount, duration or type” of incentives that FERC might adopt to encourage cybersecurity investments. However, they praised the commission for “considering a variety of methods to encourage entities to … invest in cybersecurity,” noting that the security threat landscape continues to be “both unprecedented and ruthless.”

Among the list of pre-qualified expenditures that are eligible for incentives is the cost of participation in the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP), through which the Electricity Information Sharing and Analysis Center provides participants with information on emerging threat actors and attack vectors. The ERO said it was “pleased” at this inclusion, which could encourage stakeholders to participate in CRISP and thereby enhance its information-sharing capabilities.

In this vein, NERC and the REs suggested that the commission consider expanding the prequalified list further to include an operational technology (OT) visibility program begun by the E-ISAC in 2021. The ERO did not name the program, but it might refer to cybersecurity firm Dragos’ Neighborhood Keeper threat intelligence system, which provides data on threat analytics and indicators of compromise based on information gathered through a network of sensors in utilities’ industrial control systems and OT environments. (See E-ISAC Joins Dragos for Data Sharing Initiative.)

In their comments on this program, NERC and the REs focused on the cost of installing new sensors, pointing out their usefulness for understanding the threat landscape. They suggested that FERC add the cost of new sensors to the incentive plan, given the potential benefit of helping small and medium-sized entities join the program and increasing visibility across the industry.

Suggestions for Improvement

The ERO did suggest there was room for refinement in the language regarding the relationship of NERC’s CIP standards to the cybersecurity investments that would qualify for FERC’s incentives. Specifically, NERC and the REs took issue with the commission’s mention of excluding technology- or threat information-sharing programs that are “already mandated by the [CIP] standards.”

The problem with this, according to the ERO, is that it misunderstands the nature of NERC’s reliability standards, which are designed to be technology neutral.

“CIP requirements do not prescribe a particular technological method, tool or approach to comply,” NERC and the REs said in their response. “The CIP … standards generally provide flexibility in how registered entities identify, categorize, protect and monitor applicable [bulk electric system] cyber systems; there is no one ‘mandated’ technology for compliance with CIP reliability standards. As such, an entity could use any number of approaches to comply with a particular requirement.”

The ERO observed that entities often use “multiple approaches and tools to comply with a single standard.” As a result, it may be hard for FERC and regulated utilities to determine whether a particular investment is “mandated” by the CIP standards and therefore ineligible for incentives. To avoid confusion, NERC and the REs said FERC’s final rule should make clear whether its incentives are available for investments that “help an entity demonstrate compliance with” CIP standards, even if they are not explicitly mandated.

In addition, NERC and the REs reminded the commission that the CIP standards, like all NERC reliability standards, are subject to ongoing revision as the industry evolves, a process that includes input from industry stakeholders. They urged FERC to ensure that participants are not “discouraged from making necessary revisions to the … standards due to possibly losing the incentive prior to the expiration of the full term of the investments’ eligibility.”
