It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat.
So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach.
Back in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. It requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). That’s the stick.
Now, a new voluntary cyber incentive framework from the Federal Energy Regulatory Commission will allow utilities to apply for an incentive-based rate recovery. Companies can do this when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. The new rule helps overcome one of the biggest hurdles for critical infrastructure owners and operators: a lack of money to invest in cybersecurity. That’s the carrot.
With critical infrastructure an increasingly attractive target for threat actors, will this carrot-and-stick approach be enough?
Regulation coming soon
In the United States, two cybersecurity regulations will impact several industries in the commercial sector. First, CIRCIA requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to CISA.
Cyber incident and ransomware reporting under CIRCIA will not be required until the final rule goes into effect. Still, CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents prior to the effective date of the final rule.
In addition, the U.S. Securities and Exchange Commission (SEC) has proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities and their board’s cybersecurity expertise and oversight.
The SEC’s Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions has proposed cybersecurity-focused agenda items, including:
- Rules to address registrant cybersecurity risk and related disclosures
- Rule amendments to better inform investors about a registrant’s cybersecurity risk management, strategy and governance and to provide timely notification of material cybersecurity incidents
- Rules to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks
Victims of cyberattacks include some of the largest energy suppliers, insurance carriers and financial services firms. Meanwhile, the FBI reported more than 800,000 cyber-crime-related complaints filed in 2022. The total losses were over $10 billion, shattering 2021’s total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).
However, these stats represent only a fraction of all cyber criminal activity. Previously, the FBI estimated it receives complaints for only 10-12% of all cyber crimes. Other studies have also concluded that underreporting cyber crime — even when disclosure is legally mandated — appears to be the norm. A recent Bitdefender report revealed that over 40% of surveyed IT security professionals say they’ve been told to keep quiet about network breaches. This number increases to 71% among U.S.-based respondents.
There are many reasons cyber crime goes unreported. For starters, some organizations may not even realize they were victims of an attack or breach. Other companies avoid reporting cyber crime due to reputational concerns or fear of customer or investor backlash. Companies may also decide that paying a ransom is the easiest path to resolution. The fear of lawsuits may also deter companies from reporting a data breach.
However, given the CIRCIA and SEC’s planned cyber-disclosure regulations, these excuses may not be viable any longer.
More positive incentives
The Feds aren’t using a stick-only approach to improve critical infrastructure’s response to cyberattacks. This year, utilities may be able to fund certain cybersecurity investments through increases in consumer electric bills. This is part of an effort to help cash-strapped utility owners and operators protect themselves against cyber threats.
The initiative is a voluntary cyber incentive framework supported by the Federal Energy Regulatory Commission. The program falls under the requirements of the Biden administration’s bipartisan Infrastructure Investment and Jobs Act. The plan will enable utilities to receive an incentive-based rate recovery. To be eligible, utilities must make pre-qualified cybersecurity investments, such as joining a threat information-sharing program.
In general, utilities must adhere to approved rates for power and can only charge up to a limit. And these rates are heavily regulated. Therefore, utilities can’t increase their charges at will to cover their costs. However, the new rate recovery program provides an alternative to help pay for security tools.
Utilities recover costs for providing electric service through a combination of rate components that become customers’ monthly electric bills. Rates are set by state regulators and vary by jurisdiction, utility and customer class. In general, rate design balances economic efficiency, equity and fairness, customer satisfaction, utility revenue stability and customer price and bill stability.
Now, cybersecurity has become part of the equation. This shows how deeply concerns about cyberattacks have penetrated the fabric of society.
Incentives for cybersecurity investment
The federal government continues to seek ways to improve infrastructure security, which has become a priority for the White House. Critical infrastructure is a juicy target for attackers, especially state-sponsored groups.
The Federal Register considers the following sources as potential cybersecurity investments that will materially improve a utility’s security posture:
- Security controls enumerated in the NIST Special Publication (SP) 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog.
- Security controls satisfying an objective found in the NIST Cybersecurity Framework.
- A specific recommendation from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) or the Department of Energy (DOE).
- A specific recommendation from the CISA Shields Up Campaign.
- Participation in the Cybersecurity Risk Information Sharing Program (CRISP) or similar cybersecurity threat information sharing program.
- The Cybersecurity Capability Maturity Model (C2M2) Domains at the highest Maturity Indicator Level.
Clearly, owners and operators must improve their cyber defenses. Given that utility budgets are regulated, the federal government understood it had to provide new funding resources. But the bill will be paid by consumers of electricity. This is further proof of how cybersecurity can impact economic stability. It looks like we all are going to have to make sacrifices for stronger cybersecurity.