It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat.

So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach.

Back in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. It requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA). That’s the stick.

Now, a new voluntary cyber incentive framework from the Federal Energy Regulatory Commission will allow utilities to apply for an incentive-based rate recovery. Companies can do this when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program. The new rule helps overcome one of the biggest hurdles for critical infrastructure owners and operators: a lack of money to invest in cybersecurity. That’s the carrot.

With critical infrastructure an increasingly attractive target for threat actors, will this carrot-and-stick approach be enough?

Regulation coming soon

In the United States, two cybersecurity regulations will impact several industries in the commercial sector. First, CIRCIA requires critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to CISA.

Cyber incident and ransomware reporting under CIRCIA will not be required until the final rule goes into effect. Still, CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents prior to the effective date of the final rule.

In addition, the U.S. Securities and Exchange Commission (SEC) has proposed a rule requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities and their board’s cybersecurity expertise and oversight.

The SEC’s Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions has proposed cybersecurity-focused agenda items, including:

  • Rules to address registrant cybersecurity risk and related disclosures
  • Rule amendments to better inform investors about a registrant’s cybersecurity risk management, strategy and governance and to provide timely notification of material cybersecurity incidents
  • Rules to enhance fund and investment adviser disclosures and governance relating to cybersecurity risks.

Cyberattacks underreported

Victims of cyberattacks include some of the largest energy suppliers, insurance carriers and financial services firms. Meanwhile, the FBI reported more than 800,000 cyber-crime-related complaints filed in 2022. The total losses were over $10 billion, shattering 2021’s total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).

However, these stats represent only a fraction of all cyber criminal activity. Previously, the FBI estimated it receives complaints for only 10-12% of all cyber crimes. Other studies have also concluded that underreporting cyber crime — even when disclosure is legally mandated — appears to be the norm. A recent Bitdefender report revealed that over 40% of surveyed IT security professionals say they’ve been told to keep quiet about network breaches. This number increases to 71% among U.S.-based respondents.

There are many reasons cyber crime goes unreported. For starters, some organizations may not even realize they were victims of an attack or breach. Other companies avoid reporting cyber crime due to reputational concerns or fear of customer or investor backlash. Companies may also decide that paying a ransom is the easiest path to resolution. The fear of lawsuits may also deter companies from reporting a data breach.

However, given the CIRCIA and SEC’s planned cyber-disclosure regulations, these excuses may not be viable any longer.

More positive incentives

The Feds aren’t using a stick-only approach to improve critical infrastructure’s response to cyberattacks. This year, utilities may be able to fund certain cybersecurity investments through increases in consumer electric bills. This is part of an effort to help cash-strapped utility owners and operators protect themselves against cyber threats.

The initiative is a voluntary cyber incentive framework supported by the Federal Energy Regulatory Commission. The program falls under the requirements of the Biden administration’s bipartisan Infrastructure Investment and Jobs Act. The plan will enable utilities to receive an incentive-based rate recovery. To be eligible, utilities must make pre-qualified cybersecurity investments, such as joining a threat information-sharing program.

In general, utilities must adhere to approved rates for power and can only charge up to a limit. And these rates are heavily regulated. Therefore, utilities can’t increase their charges at will to cover their costs. However, the new rate recovery program provides an alternative to help pay for security tools.

Utilities recover costs for providing electric service through a combination of rate components that become customers’ monthly electric bills. Rates are set by state regulators and vary by jurisdiction, utility and customer class. In general, rate design balances economic efficiency, equity and fairness, customer satisfaction, utility revenue stability and customer price and bill stability.

Now, cybersecurity has become part of the equation. This shows how deeply concerns about cyberattacks have penetrated the fabric of society.

Incentives for cybersecurity investment

The federal government continues to seek ways to improve infrastructure security, which has become a priority for the White House. Critical infrastructure is a juicy target for attackers, especially state-sponsored groups.

The rule, as published in the Federal Register, lists the following as potential cybersecurity investments that will materially improve a utility’s security posture:

  1. Security controls enumerated in the NIST Special Publication (SP) 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog.
  2. Security controls satisfying an objective found in the NIST Cybersecurity Framework.
  3. A specific recommendation from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) or the Department of Energy (DOE).
  4. A specific recommendation from the CISA Shields Up Campaign.
  5. Participation in the Cybersecurity Risk Information Sharing Program (CRISP) or similar cybersecurity threat information sharing program.
  6. The Cybersecurity Capability Maturity Model (C2M2) Domains at the highest Maturity Indicator Level.

Clearly, owners and operators must improve their cyber defenses. Given that utility budgets are regulated, the federal government understood it had to provide new funding resources. But the bill will be paid by consumers of electricity. This is further proof of how cybersecurity can impact economic stability. It looks like we all are going to have to make sacrifices for stronger cybersecurity.
