Electric utility executives gathered in D.C. last week to push federal regulators to clarify how utilities can recover the cost of their cybersecurity investments. This comes in the wake of President Obama signing an executive order six months ago to build a framework to protect critical infrastructure from cyberattacks. To meet the grid's needs, the White House is considering eight incentives—identified by the U.S. Departments of Homeland Security, Commerce and the Treasury—to encourage the industry to adopt new cyber security measures, Michael Daniel, White House cybersecurity coordinator and Special Assistant to the President, announced.
These incentives will be augmented by the Cybersecurity Framework the White House plans to draft by October, affirming best practices to manage cybersecurity. The final Framework will be out by February 2014, in addition to a Voluntary Program the White House is developing to help companies adopt the Framework.
As these new standards emerge, Utility Dive identified four incentives utilities want or need the most, along with the paradigm shifts required to make good use of them.
COST RECOVERY WILL DRIVE INVESTMENT
U.S. utilities spend an average of $1.45 million annually on cybersecurity, a Zpryme survey found. That's not that much money. Consequently, utilities need rate hikes to incentivize capital investment, making them confident that they will recover the cost of much-needed cybersecurity initiatives. Chris Peters, VP for Entergy Corp, echoed this message at the recent D.C. cybersecurity conference: “The cyber message needs to come from the top." That’s the only way utilities are going to “maintain an accurate security and compliance state.”
The White House identified rate recovery as one possible solution to incentivizing investment in cybersecurity:
"Agencies recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program."
But gaining support on the regulatory side of things is only half the battle. "[...] Until consumers are more informed about the benefits, costs and risks of smart grid systems, utilities may not invest in, or get approval for, comprehensive security for smart grid systems,” writes Michael Cooney for NetworkWorld.
At the D.C. conference, utilities didn’t specific what kind of returns they would request in rate hikes to recoup cybersecurity spending. Although this is to be expected, being open about these numbers could help utilities move from a more closed, defensive approach to a more transparent and proactive one.
FEDERAL GRANTS WILL ACCELERATE INITIATIVES
If federal grants are available, this will be a major draw for utilities to enroll in the Voluntary Program to accelerate cybersecurity adoption. Grants could pay for R&D costs any public utilities commission would be loath to include in a rate increase. The White House is currently considering grant programs, according to Michael Daniels:
"Agencies suggested leveraging federal grant programs. Agencies suggest incentivizing the adoption of the Framework and participation in the Voluntary Program as a condition or as one of the weighted criteria for federal critical infrastructure grants. Over the next six months, agencies will develop such criteria for consideration."
However, grants are useless if there’s no follow up to assure system implementation and quality control. President Obama’s Recovery Act awarded $3.4 billion to 99 smart grid projects but a gross and unfortunate lack of oversight muddled the requirement that utilities submit complementary cyber security plans. An internal review found 36 of the 99 cyber security plans were incomplete or insufficient, U.S. Department of Energy (DOE) audits revealed. In lieu of detailed and strategic plans were ineffective program summaries and DOE officers rushing to approve new projects. As the DOE looks set to unleash cybersecurity grants in the near future, utilities will have to bone up their cybersecurity plans and prepare for audits.
LIABILITY LIMITATION—CAN IT REALLY BOOST CYBERSECURITY?
The White House is considering more favorable liability legislation to entice bolder cybersecurity development—which is sweet music to utilities' ears, no doubt.
In the wake of Superstorm Sandy, utilities were hit with lawsuits such as this one against Jersey Central Power & Light—but that's just a preview of what might happen in the event of an extreme cyberattack. Lawyer Keith Sullivan helped over 100 plaintiffs sue their utilities by arguing: "Had LIPA and National Grid acted responsibly in preparing for the storm [...] these two communities would not look like a war-zone." That's the same mentality customers will take to court if cyberattacks wreak noticeable havoc to the grid.
In proposing liability protection as a potential avenue to incentivize cybersecurity investment and innovation, Michael Daniels says liability protection could "include reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements."
Certainly, liability limitation legislation will make utilities very happy indeed—but will it actually improve utilities' cybersecurity approaches? The jury is still out on that one. Daniels acknowledges the White House's ambivalence on the issue until more research is done:
"Agencies pointed to a range of areas where more information is necessary to determine if legislation to reduce liability on Program participants may appropriately encourage a broader range of critical infrastructure companies to implement the Framework. [...] As the Framework is developed, agencies will continue to gather information about the specific areas identified in the reports related to liability limitation."
TECHNICAL ASSISTANCE—AND OPEN COMMUNICATION—IS REQUIRED
More than legislation, utilities need expertise and technical assistance to help protect the grid in the case of both emergency and non-emergency situations. As a part of its Voluntary Program to be launched next year, the government is considering providing technical assistance in non-emergency situations, in addition to emergency situations:
"Outside of incident response situations, the government could use Framework adoption and participation in the Voluntary Program as secondary criteria for prioritizing who receives that technical assistance. The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption. Agencies currently have the authority to act in these areas without further legislation. As we work with the private sector over the next six months to develop the Voluntary Program, we will simultaneously identify and examine specific programs where this approach could be helpful."
Technical assistance from government agencies will help boost cybersecurity, but utilities need to take matters into their own hands as well.
An IBM report on best practices for cybersecurity recommends fully integrating cybersecurity enterprise from top to bottom. Andy Bochman, security lead at IBM, suggests adding a C-level cyber exec is not enough, “Often, there’s a chief information officer, and then many levels down is security. But [utilities] need security with enterprise coverage.” Raj Samani, VP and CTO for McAfee Europe, Middle East and Africa (EMEA), tells Utility Dive that finding common ground between information technology (IT) and operations technology (OT) utility engineers is another ongoing challenge for utilities.
Technical assistance will no doubt benefit both the grid and utilities in preventing cyberattacks—so long as everyone is on the same page. Information sharing and open communication channels are the key to making cybersecurity work for all.
Would you like to see more utility and energy news like this in your inbox on a daily basis? Subscribe to our Utility Dive email newsletter! You may also want to read Utility Dive's look at the case for 'ObamaGrid': 6 insights from the White House's report on grid resilience to weather outages.