August 23, 2023 By Jonathan Reed 4 min read

It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat.

So how is the federal government bolstering security for critical infrastructure? It appears to be using a carrot-and-stick approach.

Back in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. It requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). That’s the stick.

Now, a new voluntary cyber incentive framework from the Federal Energy Regulatory Commission will allow utilities to apply for an incentive-based rate recovery. Companies can do this when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. The new rule helps overcome one of the biggest hurdles for critical infrastructure owners and operators: a lack of money to invest in cybersecurity. That’s the carrot.

With critical infrastructure an increasingly attractive target for threat actors, will this carrot-and-stick approach be enough?

Regulation coming soon

In the United States, two cybersecurity regulations will impact several industries in the commercial sector. First, CIRCIA requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to CISA.

Cyber incident and ransomware reporting under CIRCIA will not be mandatory until CISA's final rule goes into effect; the statute directs CISA to issue a proposed rule and then a final rule, so the obligation is still some time away. Still, CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents before the effective date of the final rule.

In addition, the U.S. Securities and Exchange Commission (SEC) proposed, and in July 2023 adopted, a rule requiring publicly listed companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality and to disclose annually their cybersecurity risk management, strategy and board oversight. (The proposal's requirement to disclose board members' cybersecurity expertise was dropped from the final rule.)

The SEC’s Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions has proposed cybersecurity-focused agenda items, including:

  • Rules to address registrant cybersecurity risk and related disclosures
  • Rule amendments to better inform investors about a registrant’s cybersecurity risk management, strategy and governance and to provide timely notification of material cybersecurity incidents
  • Rules to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks.

Cyberattacks underreported

Victims of cyberattacks include some of the largest energy suppliers, insurance carriers and financial services firms. Meanwhile, the FBI reported more than 800,000 cyber-crime-related complaints filed in 2022. The total losses were over $10 billion, shattering 2021’s total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).

However, these stats represent only a fraction of all cyber criminal activity. Previously, the FBI estimated it receives complaints for only 10-12% of all cyber crimes. Other studies have also concluded that underreporting cyber crime — even when disclosure is legally mandated — appears to be the norm. A recent Bitdefender report revealed that over 40% of surveyed IT security professionals say they’ve been told to keep quiet about network breaches. This number increases to 71% among U.S.-based respondents.

There are many reasons cyber crime goes unreported. For starters, some organizations may not even realize they were victims of an attack or breach. Other companies avoid reporting cyber crime due to reputational concerns or fear of customer or investor backlash. Companies may also decide that paying a ransom is the easiest path to resolution. The fear of lawsuits may also deter companies from reporting a data breach.

However, given CIRCIA and the SEC's cyber-disclosure rules, these excuses may no longer be viable.

More positive incentives

The Feds aren’t using a stick-only approach to improve critical infrastructure’s response to cyberattacks. This year, utilities may be able to fund certain cybersecurity investments through increases in consumer electric bills. This is part of an effort to help cash-strapped utility owners and operators to protect themselves against cyber threats.

The initiative is a voluntary cyber incentive framework adopted by the Federal Energy Regulatory Commission (Order No. 893, issued in April 2023), which FERC was directed to create by the bipartisan Infrastructure Investment and Jobs Act. The framework lets utilities apply for incentive-based rate recovery, either as a return-on-equity adder or as deferred cost recovery (regulatory asset treatment), for eligible spending. To be eligible, utilities must make pre-qualified cybersecurity investments, such as joining a threat information-sharing program, or demonstrate that an investment materially improves their security posture.

In general, utilities must charge approved rates for power, and those rates are capped and heavily regulated. Utilities therefore cannot raise their charges at will to cover costs. The new rate recovery program gives them a regulator-sanctioned way to pay for security tools.

Utilities recover the costs of providing electric service through a combination of rate components that make up customers' monthly electric bills. Transmission and wholesale rates fall under FERC's jurisdiction, which is where this incentive applies; retail rates are set by state regulators and vary by jurisdiction, utility and customer class. In general, rate design balances economic efficiency, equity and fairness, customer satisfaction, utility revenue stability and customer price and bill stability.

Now, cybersecurity has become part of the equation. This shows how deeply concerns about cyberattacks have penetrated the fabric of society.

Incentives for cybersecurity investment

The federal government continues to seek ways to improve infrastructure security, which has become a priority for the White House. Critical infrastructure is a juicy target for attackers, especially state-sponsored groups.

FERC's rule, as published in the Federal Register, lists the following sources of potential cybersecurity investments that could materially improve a utility's security posture:

  1. Security controls enumerated in the NIST Special Publication (SP) 800-53 "Security and Privacy Controls for Information Systems and Organizations" catalog.
  2. Security controls satisfying an objective found in the NIST Cybersecurity Framework.
  3. A specific recommendation from the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) or the Department of Energy (DOE).
  4. A specific recommendation from the CISA Shields Up campaign.
  5. Participation in the Cybersecurity Risk Information Sharing Program (CRISP) or a similar cybersecurity threat information sharing program.
  6. Achieving the highest Maturity Indicator Level in the domains of the Cybersecurity Capability Maturity Model (C2M2).

Clearly, owners and operators must improve their cyber defenses. Because utility budgets are constrained by regulated rates, the federal government understood it had to provide a new funding path. But the bill will be paid by electricity ratepayers. This is further proof of how cybersecurity costs ripple through the economy. It looks like we are all going to have to make sacrifices for stronger cybersecurity.
