Federal Energy
Regulatory Commission
FERC Seeks Incentives for Voluntary Cybersecurity Improvements Made by Public Utilities
The Federal Energy Regulatory Commission wants to implement an incentive-based policy that rewards electric companies for voluntarily investing in certain cybersecurity improvements.
In a notice of proposed rulemaking published on the Federal Register, FERC suggested that the federal government cover costs incurred by public utilities for any cybersecurity improvements they make to their infrastructure that go beyond the minimum requirements set by the National Institute of Standards and Technology.
The incentive-based policy applies to three areas of cybersecurity investment: expenses incurred for purchasing third-party hardware, software and computing, and networking services, FCW reported.
Additionally, the proposal allows public utilities to seek "deferred cost recovery" for investing in employee training to implement new cybersecurity enhancements and third-party risk assessments or internal system reviews.
The proposal specifically seeks to incentivize improvements made to infrastructure with short depreciation lives and not for long-lived assets like physical structures.
FERC said, however, that the proposal only covers costs associated with implementing cybersecurity upgrades and excludes ongoing costs, including system maintenance, surveillance and other labor costs.
Any successful cybersecurity improvements voluntarily taken up by public utilities may eventually become mandatory, the proposal stated.
FERC issued the rulemaking change, citing the need to quickly and effectively address risks associated with the pandemic-induced telework setup.
"The rapid expansion of teleworking capabilities revealed potential vulnerabilities, and some identified cybersecurity events specifically targeting remote access network equipment," according to the proposal.
FERC will accept comments to the proposed rule until April 6.
Category: Cybersecurity