Utility security is so bad, US DoE offers rate cuts to improve it
New hardware? Consultants? You tell us because your infosec is off the grid
The US Department of Energy has proposed regulations to financially reward cybersecurity modernization at power plants by offering rate deals for everything from buying new hardware to paying for outside help.
In a notice of proposed rulemaking published earlier this week (which nullified a similar 2021 plan), the DoE said the time was right "to establish rules for incentive-based rate treatments" for utilities making investments in cybersecurity technology.
Eligible investments, the DoE said, include products and services as well as information such as plans, policies, procedures and other material related to cybersecurity technology.
Industrial systems like those used in power plants are known security soft spots: much of the equipment used in operational technology (OT) environments was never designed to be connected to the internet, and once it is exposed, configuration alone cannot make it safe.
Moody's recently said utilities are at the highest risk of cyber attack. Until the US moves to more distributed forms of energy generation, power plants will continue to be large, tempting targets for infrastructure-disrupting cyber-attacks, which makes any policy that incentivizes security a good idea.
In addition to stimulating voluntary security improvements, the proposed policy also encourages utilities to join cyber threat information sharing programs, and mandates regular reports for the duration of the incentives.
Generous breaks, strict requirements
The DoE's proposal includes a long list of things it said would be eligible for incentive-based rate treatments. While it's too long to include here, the DoE's language about what it will allow means it could essentially include anything that could "materially improve cybersecurity," be that a product, service or info-sharing program.
The DoE said that hardware incentives would have a five-year depreciation period, while activities would cease to be incentivized once they become mandatory.
As for how the rewards would be applied, the proposal specifies two methods: a return on equity (RoE) adder of 200 basis points (2 percent) applied to transmission rates, and a cost-recovery deferral that would allow utilities to treat eligible cybersecurity expenditures as a regulatory asset and amortize them over time.
"We believe both offer meaningful incentive to encourage cybersecurity expenditure that improves a utility's cybersecurity posture," the DoE said. The 2 percent RoE adder exceeds what the DoE usually offers for similar programs, it said, but it noted that the cost of cybersecurity projects is small compared to that of "conventional transmission projects."
The 2 percent rate is also necessary to help utilities decide to make security investments without passing costs along to consumers through rate hikes, the DoE said.
While the monetary rewards are generous, the list of pre-qualified (PQ) expenditures is starting off quite small, and only includes costs incurred as part of participation in the DoE's Cybersecurity Risk Information Sharing Program (CRISP), and costs associated with internal network monitoring of IT and/or OT systems.
The DoE knows the PQ list is small, and as part of the rulemaking process "we seek comment on these and any additional cybersecurity expenditures to consider for inclusion on the initial PQ List," the agency said.
It's worth noting that any technology mandated by the Critical Infrastructure Protection Reliability Standards (which covers a lot of typical IT hardware) or other state, local or federal law is exempt from the program, so no double-dipping. ®