The constant evolution of cyber threats has made it much more challenging for organizations to protect their identities and secure access to all resources. This is especially true in the utility sector, which continues to experience an increase in cyberattacks that threaten its reliability.
In response to a congressional directive to address this growing threat, the Federal Energy Regulatory Commission (FERC) recently revised its regulations to provide utilities the opportunity to receive an incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. These investments will benefit consumers by encouraging utilities to invest in an Advanced Cybersecurity Technology program and participate in cybersecurity threat information-sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.
In this post, we will explain what the Incentives for Advanced Cybersecurity Investment program entails and how Silverfort can help utilities take advantage of the FERC incentives by investing in solutions like Silverfort.
On July 3, 2023, utilities throughout the United States became eligible to join the Incentives for Advanced Cybersecurity Investment program, a voluntary cyber incentive framework established by the Federal Energy Regulatory Commission under the Infrastructure Investment and Jobs Act developed by the Biden administration.
The order offers an incentive program for qualified investments in cybersecurity. Using this incentive, utilities will be able to claim deferred cost recovery for eligible cybersecurity investments, allowing utilities to include the unamortized portion in their rate base. This incentive applies to expenses such as operation and maintenance costs, labor costs, implementation costs, network monitoring costs, training costs, and software-as-a-service (SaaS) costs.
As part of the program, expenses and capital investments are associated with advanced cybersecurity technology as well as participation in a cybersecurity threat information sharing program. Section 219A of the Federal Power Act (FPA) defines Advanced Cybersecurity Technology as “any technology, operational capability, or service, including computer hardware, software, or related assets, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat.”
The new rule also alleviates one of the main challenges faced by owners and operators of critical infrastructure: a lack of available financial resources to invest in cybersecurity.
In order to qualify for incentive-based rate treatment, FERC requires energy utilities to align their cybersecurity investments with the following criteria:
- Increases cybersecurity either by implementing Advanced Cybersecurity Technology or participating in a threat information-sharing program.
- Is not already mandated by the Reliability Standards (NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system), or otherwise mandated by local, state, or federal law, decision, or directive; otherwise legally mandated; or an action taken in response to a federal or state agency merger condition, consent decree from a federal or state agency, or settlement agreement that resolves a dispute between a utility and a public or private party.
Additionally, the program defined a period of time during which utilities may seek incentive treatment for a particular investment. Specifically, a utility may not request incentive treatment if it has already incurred costs for the investment for more than three months before filing the incentive application.
The Notice of Proposed Rulemaking (NOPR) established two frameworks to identify the types of expenditures eligible for an incentive:
1. Pre-qualified (PQ) list approach:
The PQ list will include expenditures as part of the Cyber Risk Information Sharing Program (CRISP) – a public-private partnership that provides relevant and actionable cybersecurity information to participants from the United States electricity industry – as well as expenditures associated with internal network security monitoring of the utility’s cyber systems.
2. Case-by-case approach:
To allow utilities to request incentives for tailored solutions, FERC will also evaluate cybersecurity expenditures not identified on the PQ list on a case-by-case basis. According to this policy, FERC will allow utilities to receive incentives for cybersecurity investments made as part of their compliance with cybersecurity-related NERC reliability standards for a period of time between when the standards are approved by FERC and when they become effective.
According to the rule, other potential investments that have not yet been defined by the Commission require “a high degree of confidence that such items will likely materially improve cybersecurity for all utilities.” FERC will re-evaluate the pre-qualified investment list periodically.
Because utilities have historically been unable to protect legacy resources with modern security controls, the U.S. electricity grid is an especially attractive target for malicious actors. By failing to take a more proactive approach to security, utilities inadvertently give threat actors a way to breach resources, creating a risk of operational disruption. Because these security controls are not in place, utility organizations also have difficulty complying with existing industry regulations and standards.
According to a research report by cybersecurity firm Black Kite, over 25% of the 150 top U.S. energy companies are highly susceptible to ransomware attacks. As the number of cyberattacks targeting the electric grid increases, the establishment of incentive-based rate treatments for utilities to invest in advanced cybersecurity technologies is a step in the right direction when it comes to helping utility companies modernize their infrastructure, prevent incidents, and comply with requirements.
The traction of clean energy initiatives is causing electric power companies to embrace digital transformation. As a result, new innovations are rapidly transforming electric utilities. However, for many power authorities, these benefits are overshadowed by increasing cybersecurity risks.
The consequences of this troublesome reality have already manifested in recent years as highly disruptive state-sponsored attacks against electric grids. To mitigate these risks and, ultimately, gain cyber and operational resilience, all segments of the electric utilities industry must embrace a holistic cybersecurity strategy that protects users’ access to critical resources. This is where Silverfort comes into play.
Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource; automate the discovery, monitoring, and protection of service accounts; and proactively prevent lateral movement and ransomware spread attacks. Silverfort connects to all domain controllers and other on-prem identity providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts.
By utilizing Silverfort’s identity protection platform, utilities can better prepare themselves to comply with FERC cybersecurity rules in order to qualify for incentive-based rate treatment. Using Silverfort’s rule-based and risk-based authentication and MFA authentication capabilities can significantly improve utilities’ cybersecurity posture by protecting them against an expanded threat landscape and ensuring they are cyber resilient.
Want to increase your resilience to identity threats and be aligned with FERC’s Advanced Cybersecurity Investment program? Schedule a call with one of our experts.