The Federal Energy Regulatory Commission (FERC) regulates the transmission of electricity, natural gas, and oil, and oversees hydropower projects and natural gas terminals. Its mission is to assist consumers in obtaining reliable, efficient, and sustainable energy services at a reasonable cost through appropriate regulatory and market means. As concerns continue to grow regarding the safety and security of the nation’s critical infrastructure, FERC has expanded its standards and regulations to include cybersecurity in an effort to protect our nation’s energy infrastructure from catastrophe.
As the energy sector becomes increasingly reliant on digital technologies and interconnected cyber-physical systems (CPS), FERC has worked closely with the North American Electric Reliability Corporation (NERC), and other government agencies and industry stakeholders, to develop and enforce cybersecurity standards for the electric grid. NERC is certified as the nation’s Electric Reliability Organization and has developed Critical Infrastructure Protection (CIP) cybersecurity reliability standards to ensure effective and efficient reduction of risk to the reliability and security of the grid. The two organizations have been working together since 2016 to tackle supply chain security risk. Recently, FERC issued a rule paving the way for rate incentives for cybersecurity investments. FERC cybersecurity incentives provide a new mechanism for promoting the cybersecurity of the bulk power system by rewarding utilities for enhancing their cybersecurity programs beyond the mandatory requirements of NERC-CIP. This new pathway can help the electric utilities sector implement current advancements in cybersecurity on an expedited basis.
NERC-CIP was established as a set of standards to regulate, enforce, monitor, and manage the security of the Bulk Electric Systems (BES) in North America. The CIP standards provide a cybersecurity framework for identifying and securing critical assets that impact the supply of electricity in the United States, several provinces in Canada, and one state in Mexico. These standards require critical infrastructure of all entities, including owners, operators, and users of any part of the system, to adhere to a baseline set of cybersecurity measures. The fundamental requirements utilities must follow under NERC-CIP are to identify critical assets, create control mechanisms, enforce logical and physical security of their systems, and recover any affected assets following a cybersecurity incident. While the new FERC cybersecurity pathway offers a “carrot” approach — incentivizing and rewarding businesses for making investments in cybersecurity — NERC-CIP standards take the “stick” approach, penalizing companies for non-compliance. NERC-CIP standards also typically take years to draft and approve, creating a lag between the awareness of new cyberthreats and mandated solutions. Overall, FERC’s proposed incentives can support the rapid implementation of cyber protections that the utilities industry needs.
The FERC Incentives for Advanced Cybersecurity Investment rule has established that cybersecurity expenditures eligible for an incentive include both expenses and capital investments associated with advanced cybersecurity technology and participation in a cybersecurity threat information sharing program. Section 219A of the Federal Power Act (FPA) defines “Advanced Cybersecurity Technology” as any technology, operational capability, or service, including computer hardware, software, or related assets, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat. In order for energy utilities to qualify for incentive-based rate treatment, FERC will evaluate the impact of a cybersecurity threat information sharing program with the following criteria:
Is the program sponsored by the federal or state government?
Does it provide two-way communications from and to the electric industry and government entities?
Does it deliver relevant and actionable cybersecurity information to program participants from the U.S. electricity industry?
The Final Rule also defined a time period during which a utility may seek incentive treatment for a particular investment. Specifically, a utility may not request incentive treatment if it had already been incurring costs for the investment for more than three months prior to filling out the incentive application. This rule stands unless the investment is for participation in an eligible cybersecurity threat information sharing program. To identify the types of expenditures eligible for an incentive, the Notice of Proposed Rulemaking (NOPR) established a dual framework:
1. Pre-qualified (PQ) list approach:
Initially, the PQ List will include expenditures associated with participating in the Cyber Risk Information Sharing Program (CRISP) — a public-private partnership that delivers relevant and actionable cybersecurity information to participants from the United States electricity industry — and expenditures associated with internal network security monitoring within the utility’s cyber systems.
2. Case-by-case approach:
For investments not identified on the PQ List, FERC will also evaluate cybersecurity expenditures on a case-by-case basis, allowing utilities to request incentives for tailored solutions. Under this approach, FERC will allow utilities to receive incentives for cybersecurity investments made to comply with cybersecurity-related NERC reliability standards for the time period between when they are approved by FERC and become effective.
The U.S. electricity grid is an especially attractive target for our nation’s adversaries as the extended internet of things (XIoT) continues to grow while previously disconnected operational technology (OT) environments begin to converge. As digital transformation accelerates, OT systems in the electric utilities sector are increasingly allowing remote access and connections to business networks, giving threat actors another attack vector to exploit — risking potential disruption to operations. This challenge, coupled with the fact that many utilities face geographic and organizational complexity — including the decentralized nature of many organizations' cybersecurity leadership — makes it difficult for them to comply with existing industry regulations and standards. However, without a proper industrial cybersecurity strategy in place, organizations will find it difficult to protect their critical infrastructure from attacks. Hence the establishment of FERC Incentives for Advanced Cybersecurity Investment.
As stated by FERC Chairman Willie Phillips, “In today’s highly interconnected world, our nation’s security and economic well-being depend on reliable and cyber-resilient energy infrastructure. We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems”. FERC’s cybersecurity incentive program will help reduce geographic and operational gaps in awareness and communication — allowing organizations to create a culture of cybersecurity. It will also help remediate the issue of securing funding to invest in OT cybersecurity controls, a major challenge faced by many utilities, and will provide for a more holistic approach to the evolving threat landscape and expanding attack surface.
As the electric grid continues to modernize, utilities are adopting new, highly interconnected technology. However, their top priority is providing the reliable delivery of electricity, not security. As data needs and system requirements advance, the push for broader automation and control capabilities also continues to grow. And, as utilities upgrade their industrial control systems (ICS) and electric grid technology to meet this growing need, potential cyber threats are introduced into the environment. Shortcomings in CPS security strategies have led to severe threats to the utilities sector, including the Industroyer2 attack on a Ukrainian electricity provider in 2022.
As a variant of the destructive Industroyer framework, Industroyer2 was purpose-built to target industrial equipment communicating over the IEC-104 (IEC 60870-5-104) protocol. Ukraine's cyber emergency response team linked the malware to the Sandworm APT group, the Russian state-sponsored outfit previously charged with carrying out the 2016 attacks against Ukraine's power grid that left a portion of the country in the dark. Transnational organized ransomware actors continue to improve and execute high-impact ransomware attacks, extorting funds, disrupting critical services, and exposing sensitive data. Although this attack was foiled, it displays the potential damage that cyber incidents of this nature can cause to critical infrastructure without the proper cybersecurity strategy in place.
Many times, utilities lack awareness when it comes to the full scope of their cybersecurity posture. Without the proper resources, they find it difficult to identify assets and fully comprehend the system and network architectures necessary for conducting cybersecurity assessments, monitoring, and upgrades. Utilities often desire guidance when it comes to how to achieve cybersecurity outcomes and how to develop defenses against targeted attacks. The FERC cybersecurity incentives program aims to enhance the security posture of utilities by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat. Electric utilities can meet these needs with the help of a purpose-built CPS security platform:
Protecting your critical infrastructure starts with understanding what devices are located in your ecosystem. With a CPS security solution, like Claroty’s Continuous Threat Detection (CTD), electric utilities can gain a highly detailed, centralized inventory of all XIoT assets in their environment. CTD then leverages this in-depth visibility to automate virtual segmentation. With network segmentation policies that can be easily enforced by existing firewalls and NAC solutions, Claroty can harden OT environments and ensure network protection.
Detecting all manner of threats that can impact industrial environments requires multiple approaches. That’s why Claroty’s CTD has five detection engines, each of which serves a specific purpose and provides a distinct advantage against these threats. Multiple detection engines automatically profile all assets, communications, and processes in industrial networks, generate a behavioral baseline that characterizes legitimate traffic in order to weed out false positives, and alert users in real time to anomalies and known, unknown, and emerging threats.
Responding to cyber incidents remotely is key for electric utility environments operating in dispersed locations. CTD and Claroty xDome Secure Access join forces to drive enhanced alert response capabilities across the two solutions. These solutions enable users to detect, investigate, and respond to incidents from any location. As a result, organizations can adapt their overall security posture and workflows for a remote, distributed, or hybrid work environment.
Recovering from cyberattacks can be challenging as industrial environments have no tolerance for downtime — so maintenance windows occur rarely no matter the vulnerability or risk. CTD provides attack vector mapping to help electric utilities better contextualize their risk landscape by identifying and analyzing known risks to calculate the most likely scenarios in which an attacker could compromise the network. With risk-based scoring they can also automatically evaluate and score vulnerabilities based on the unique risk they pose to their network, enabling more efficient and effective prioritization and remediation.
As cyberattacks continue to threaten the reliability of the electric grid, FERC’s establishment of incentive-based rate treatments for utilities' investment in advanced cybersecurity technologies and participation in cybersecurity threat information sharing programs is a step in the right direction when it comes to helping utilities comply with cybersecurity requirements and effectively respond to incidents. With help from Claroty’s purpose-built solutions, electric utilities can be better prepared to follow FERC cybersecurity rules and achieve incentive-based rate treatment. CTD’s capabilities would assist in materially improving electric utilities' cybersecurity posture by protecting against an expanded threat landscape and ensuring cyber resilience, empowering electric generation, transmission, and distribution companies with the industrial cybersecurity controls to protect their OT, IoT, IIoT, and BMS assets and all other cyber-physical systems (CPS) that underpin their OT environments.