August 23, 2023 By Jonathan Reed 4 min read

It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat.

So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach.

Back in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. It requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). That’s the stick.

Now, a new voluntary cyber incentive framework from the Federal Energy Regulatory Commission will allow utilities to apply for an incentive-based rate recovery. Companies can do this when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. The new rule helps overcome one of the biggest hurdles for critical infrastructure owners and operators: a lack of money to invest in cybersecurity. That’s the carrot.

With critical infrastructure an increasingly attractive target for threat actors, will this carrot-and-stick approach be enough?

Regulation coming soon

In the United States, two cybersecurity regulations will impact several industries in the commercial sector. First, CIRCIA requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to CISA.

Cyber incident and ransomware reporting under CIRCIA will not be required until the final rule goes into effect. Still, CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents prior to the effective date of the final rule.

In addition, the U.S. Securities and Exchange Commission (SEC) has proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities and their board’s cybersecurity expertise and oversight.

The SEC’s Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions has proposed cybersecurity-focused agenda items, including:

  • Rules to address registrant cybersecurity risk and related disclosures
  • Rule amendments to better inform investors about a registrant’s cybersecurity risk management, strategy and governance and to provide timely notification of material cybersecurity incidents
  • Rules to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks.

Cyberattacks underreported

Victims of cyberattacks include some of the largest energy suppliers, insurance carriers and financial services firms. Meanwhile, the FBI reported more than 800,000 cyber-crime-related complaints filed in 2022. The total losses were over $10 billion, shattering 2021’s total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).

However, these stats represent only a fraction of all cyber criminal activity. Previously, the FBI estimated it receives complaints for only 10-12% of all cyber crimes. Other studies have also concluded that underreporting cyber crime — even when disclosure is legally mandated — appears to be the norm. A recent Bitdefender report revealed that over 40% of surveyed IT security professionals say they’ve been told to keep quiet about network breaches. This number increases to 71% among U.S.-based respondents.

There are many reasons cyber crime goes unreported. For starters, some organizations may not even realize they were victims of an attack or breach. Other companies avoid reporting cyber crime due to reputational concerns or fear of customer or investor backlash. Companies may also decide that paying a ransom is the easiest path to resolution. The fear of lawsuits may also deter companies from reporting a data breach.

However, given CIRCIA and the SEC’s planned cyber-disclosure regulations, these excuses may not be viable any longer.

More positive incentives

The Feds aren’t using a stick-only approach to improve critical infrastructure’s response to cyberattacks. This year, utilities may be able to fund certain cybersecurity investments through increases in consumer electric bills. This is part of an effort to help cash-strapped utility owners and operators protect themselves against cyber threats.

The initiative is a voluntary cyber incentive framework supported by the Federal Energy Regulatory Commission. The program falls under the requirements of the Biden administration’s bipartisan Infrastructure Investment and Jobs Act. The plan will enable utilities to receive an incentive-based rate recovery. To be eligible, utilities must make pre-qualified cybersecurity investments, such as joining a threat information-sharing program.

In general, utilities must adhere to approved rates for power and can only charge up to a limit. These rates are heavily regulated, so utilities can’t increase their charges at will to cover their costs. However, the new rate recovery program provides an alternative to help pay for security tools.

Utilities recover costs for providing electric service through a combination of rate components that become customers’ monthly electric bills. Rates are set by state regulators and vary by jurisdiction, utility and customer class. In general, rate design balances economic efficiency, equity and fairness, customer satisfaction, utility revenue stability and customer price and bill stability.

Now, cybersecurity has become part of the equation. This shows how deeply concerns about cyberattacks have penetrated the fabric of society.

Incentives for cybersecurity investment

The federal government continues to seek ways to improve infrastructure security, which has become a priority for the White House. Critical infrastructure is a juicy target for attackers, especially state-sponsored groups.

The Federal Register considers the following sources as potential cybersecurity investments that will materially improve a utility’s security posture:

  1. Security controls enumerated in the NIST Special Publication (SP) 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog.
  2. Security controls satisfying an objective found in the NIST Cybersecurity Framework.
  3. A specific recommendation from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) or the Department of Energy (DOE).
  4. A specific recommendation from the CISA Shields Up Campaign.
  5. Participation in the Cybersecurity Risk Information Sharing Program (CRISP) or similar cybersecurity threat information sharing program.
  6. The Cybersecurity Capability Maturity Model (C2M2) Domains at the highest Maturity Indicator Level.

Clearly, owners and operators must improve their cyber defenses. Given that utility budgets are regulated, the federal government understood it had to provide new funding resources. But the bill will be paid by consumers of electricity. This is further proof of how cybersecurity can impact economic stability. It looks like we all are going to have to make sacrifices for stronger cybersecurity.
