Navigating FERC Cybersecurity Regulations
Our world has evolved to be highly interconnected, and the pace of technical advancement only continues to march forward. As a result, cyber-resilient energy infrastructure is more essential now than ever. However, a major hurdle for energy and utility providers is a lack of funds to invest in cybersecurity.
The Federal Energy Regulatory Commission (FERC) is a federal agency that regulates the transmission of electricity, natural gas, and oil. It also has the authority to protect critical infrastructure from cyber threats, and recently, FERC paved the way for energy and utilities to invest in cybersecurity programs.
With an intricate mesh of policies, understanding FERC’s cybersecurity standards is pivotal for those in the energy sector. This blog dives into the complex landscape of FERC regulations, providing clarity and guidance to ensure compliance and enhance security.
What are FERC Cybersecurity Standards?
Federal Energy Regulatory Commission (FERC) is a federal agency under the Department of Energy (DOE) that regulates the interstate transmission of electricity, natural gas, and oil. FERC cybersecurity standards, also called reliability standards, aim to fortify the cybersecurity posture of the bulk power system (BPS).
Since 2016, FERC has worked closely with the North American Electric Reliability Corporation (NERC), an international not-for-profit organization. The NERC Critical Infrastructure Protection (CIP) standards require energy and utility providers to identify and secure critical assets from cyber threats.
Most recently, FERC has introduced incentive-based rate treatment for voluntary cybersecurity investments to encourage utility providers to go beyond mandatory standards. Incentive-based rates may also serve as an expedited pathway to compliance with NERC CIP standards for many utility providers.
How are FERC and NERC CIP Different?
FERC is a federal agency that can issue regulations and policies with broad implications for the cybersecurity of critical energy infrastructure. Their incentive-based rate treatment directly contrasts with NERC CIP, which does not offer incentives for voluntary actions beyond compliance with minimum standards. In contrast, FERC incentives support a faster implementation of cyber protections and reward utility providers for proactively enhancing their cybersecurity programs. Essentially, FERC incentives function as a “carrot” meant to motivate utility providers, while NERC CIP functions more like a “stick.”
Additionally, NERC CIP standards take years to draft and approve, creating a lag between a threat and mandated protections. While NERC CIP standards set a strong baseline for cyber protections, given the highly volatile nature of the cyber threat landscape, waiting for new CIP standards is an untenable approach to protecting critical infrastructure.
What are the FERC Incentives for Advanced Cybersecurity Investment?
Funding often stands in the way of utility providers investing in cybersecurity, which is understandable as security tools can be cost-prohibitive and may require personnel to operate and monitor. Adding to the complexity, approved rates for power prevent them from covering cybersecurity expenses with rate hikes. To elevate this pain point, the FERC Incentives for Advanced Cybersecurity Investment allows utility providers to apply for incentive-based rate recovery when they invest in advanced cybersecurity technology or join a threat information-sharing program.
Utility providers can request incentives for a range of expenses, including operation and maintenance expenses, labor costs, implementation costs, network monitoring and training costs, and certain software-as-a-service (SaaS) expenses, provided the expenses are approved.
FERC will evaluate the eligibility of cybersecurity investments to confirm that they meet specific criteria; chiefly, the investment must “materially improve” cybersecurity and not already mandated by local, state, or federal law, decision, or directive.
To demonstrate eligibility, utility providers can choose one of two paths:
- Ensure their investment or threat information sharing program is on the Prequalified List (PQ List).
- Request approval on a case-by-case basis, and the commission will evaluate the application using a combination of NIST and other regulatory guidance.
Participation in threat information sharing programs has separate eligibility criteria. FERC will evaluate each program to determine the following:
- Is the program sponsored by the federal or state government?
- Does it provide two-way communications from and to the electric industry and government entities?
- Does it deliver relevant and actionable cybersecurity information to program participants from the electricity industry?
Notably, the incentive is limited to new cybersecurity investments that occur after the order’s effective date and are materially different from cybersecurity investments already incurred by the utility provider more than three months before the incentive request.
Who Needs to Comply with FERC?
FERC mandates compliance with cybersecurity standards from entities involved in the electric industry to protect the BPS from cyber attacks. The groups required to adhere to FERC’s regulations include:
- Owners and operators of Bulk Power Systems (BPS) — These entities provide services necessary for maintaining the reliability and security of the bulk power grid.
- Electric utilities — Both public and investor-owned utility companies must comply, given their integral role in electricity generation, transmission, and distribution.
- Independent System Operators (ISOs) and Regional Transmission Organizations (RTOs) — These coordinators and controllers of multi-state electric grids ensure adherence to cybersecurity reliability standards.
- Generation and transmission cooperative organizations — As electricity providers, they are expected to secure their infrastructure according to FERC standards.
What Types of Cyber Threats does FERC Help Protect against?
The electric industry continues modernizing, adopting new, interconnected technologies to deliver electricity to a digital-first economy. Internet of Things (IoT) and Operational Technology (OT) devices can help facilitate constant and precise monitoring of critical infrastructure, but unfortunately, they can be targeted by malicious actors. From small utility providers to essential grid operators, attackers want in, and they will target any device on the network that can serve as an initial point of access— such as vulnerable firewalls.
In 2019, NERC reported a cyber attack against the power grid in the Western United States. Thankfully, the disruption was minimal, only causing communication disruptions at a power control center and several small power generation sites. Threat actors exploited unpatched vulnerabilities in internet-facing firewalls, causing the firewalls to reboot and go offline. NERC investigated the attack and worked with the utility provider to deploy a firmware patch from the firewall manufacturer. While the attack can arguably be called a good news story— there were no blackouts and no impact on power generation—it also serves to highlight the importance of timely vulnerability management and software patching.
How Asimily Helps Meet FERC Standards
The rapid increase of cybersecurity threats makes securing our critical infrastructure an imperative. Recently, Asimily was selected to participate in the second cohort of the Department of Energy’s Clean Energy Cybersecurity Accelerator (CECA). The CECA program evaluates solutions for identifying OT, IoT, and IT assets connected to utility infrastructures. By participating, we will contribute to raising the baseline security of the electric grid and use our capabilities to identify OT and IoT assets to protect utilities against even the most advanced cyber threats.
. By partnering with Asimily, utility providers can take steps to fortify their infrastructure against cyber attacks. Our platform is purpose-built to monitor for vulnerabilities and other threats, allowing utility providers to take control of their entire attack surface, including connected OT and IoT devices, keeping customers safe and uptime high.
Asimily’s inventory and vulnerability detection capabilities ensure you can identify critical assets and resolve business-critical weaknesses across your entire attack surface. In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.
To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.