Notice of Proposed Rulemaking to Establish Rules for Incentive-Based Rate Treatments for Certain Voluntary Cybersecurity Investments by Utilities.
November 7, 2022
Federal Energy Regulatory Commission
Office of the Secretary
888 First Street NE
Washington, DC 20426
Submitted via electronic filing through https://www.ferc.gov
RE: Operational Technology Cybersecurity Coalition’s Response to Docket No. RM22–19– 000, Notice of Proposed Rulemaking to Establish Rules for Incentive-Based Rate Treatments for Certain Voluntary Cybersecurity Investments by Utilities.
FERC Office of Electric Reliability Team:
The Operational Technology Cybersecurity Coalition (OT Coalition) appreciates the opportunity to submit comments to the teams from the Federal Energy Regulatory Commission (FERC) Office of Electric Reliability and the Department of Energy (DOE) in response to the Notice of Proposed Rulemaking (NOPR) under Docket Number RM22-19-000, Incentives for Advanced Cybersecurity Investment; Cybersecurity Incentives.
The OT Coalition is a diverse group of leading industrial control system (ICS) and operational technology (OT) cybersecurity vendors, founded by Claroty, Forescout, Honeywell, Nozomi Networks, and Tenable. With decades of experience defending our country from cybersecurity threats, we have joined together to improve the cybersecurity of OT environments. We believe that the strongest, most effective approach to securing our collective defense is one that is open, vendor-neutral, and allows for diverse solutions and information sharing without compromising cybersecurity defenses.
With these principles in mind, we welcome the opportunity to respond to this NOPR to inform both FERC’s decision-making process as it applies to how it governs the ways in which utilities determine whether cybersecurity investments will qualify for incentives, as well as criteria FERC might consider in developing its potential “pre-qualified” expenditures list (“PQ List”).
PQ List versus a Case-by-Case Approach
The NOPR presents multiple solutions to its incentive-based rate treatments, including a solution in which electricity providers will be offered a PQ List that includes both expenditures associated with participation in DOE’s Cybersecurity Risk Information Sharing Program (CRISP), and expenditures that would “materially improve cybersecurity.” This solution expedites review by FERC because it gives utilities the clarity of knowing what expenditures will be accepted, thereby making adjudication easier for all parties. However, this approach requires the opening of a rulemaking process to add new technologies, which is a time intensive process. The OTCC is concerned that a slow process to add new advanced cybersecurity technologies to the PQ List would mitigate the security benefits of the tremendous innovation taking place in the technology community.
Alternatively, the NOPR considers instituting a solution in which utilities will be asked to justify their expenditures on a case-by-case basis. This solution allows for greater flexibility in finding solutions that best fit the needs of a utility rather than a menu of solutions that might not suit the needs of every utility. However, in this scenario, the applicant is burdened with making the case that the expenditure qualifies under the program, and FERC would have to expend resources evaluating the proposal.
In our view, FERC should allow applicants to use either the PQ process or the case-by-case process. By taking this step, the Commission could benefit from a fast process under the PQ List while also giving utilities that want to access the latest and greatest advanced cybersecurity technologies on a case-by-case basis. Further, once FERC determines some type or category of technology has been requested by multiple applicants in the case-by-case process, it can then open a rulemaking to move that technology onto the PQ List.
We can envision a situation in which utilities with significant advanced cybersecurity technology needs will appreciate the ability to have some critical mass of technology on the PQ List, so that they can quickly move ahead with technology deployment. We can also envision utilities with a more mature cybersecurity program wanting to deploy tools that are not yet on the PQ List. An approach which enables both the PQ List and case-by-case approaches would allow entities at different levels of cybersecurity maturity to further enhance their cybersecurity in the way that works best for them.
Further, as FERC Commissioner Willie L. Phillips notes in his concurring memorandum, 75 percent of electricity customers in the continental United States are already served by utilities that participate in CRISP, potentially limiting the number of utilities that could participate under that allowance on the PQ List.
While this will require FERC to develop two adjudication processes, it provides maximum flexibility for utilities to determine what advanced cybersecurity solutions work best in their risk management environment.
Additional Considerations for the PQ List
If FERC decides to proceed with developing a PQ List, we urge the Commission to make sure the list encourages the deployment of vendor-neutral and interoperable technologies and systems that provide asset and network visibility, indicators of compromise, threat detections, and warnings with actionable intelligence.
DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has posted a list of “Considerations for ICS/OT Cybersecurity Monitoring Technologies.” We believe that these represent a good start in considering which technologies to deploy on ICS and OT networks. To expand that list, we offer the following additional suggestions:
Technologies that discover and maintain an updated asset inventory of critical systems core to maintaining safety and resiliency that draw on industry-recognized and supported standards, including CIS CSC, ISA/IEC 62443, NIST SP 800-53, and NIST SP 800-82.
Technologies that include continuous threat and vulnerability intelligence feeds focused on the access, exploitation, and protection of ICS and OT environments and entities.
Technology has analytic and detection capabilities, which are dynamically updatable (either on-premises or cloud-based) leveraging timely, validated, and trusted external or internal threat intelligence through a repository of known vulnerabilities and exposures of assets core to maintaining safety and resilience that, to the extent possible, leverage CVSS Base Score Metrics, Temporal Score Metrics, and Environmental Score Metrics as outlined by the National Vulnerability Database scoring methodology.
Again, the OT Coalition thanks FERC for the opportunity to provide feedback that should inform the important work being done to incentivize cybersecurity investments by utilities in the electricity sector. We welcome questions on our feedback and look forward to continuing to be a part of this discussion as it develops.
Operational Technology Cybersecurity Coalition
 Federal Energy Regulatory Commission and Department of Energy, Incentives for Advanced Cybersecurity Investment; Cybersecurity Incentives, 87 FR 60567 (October 6, 2022) https://www.federalregister.gov/documents/2022/10/06/2022-21003/incentives-for-advanced-cybersecurity-investment-cybersecurity-incentives  Incentives for Advanced Cybersecurity Investment; Cybersecurity Incentives, Proposed Rules, 87 Fed. Reg. 60579 (October 6, 2022)  Department of Energy, Considerations for ICS/OT Cybersecurity Monitoring Technologies (Last accessed: November 2, 2022); https://www.energy.gov/ceser/considerations-icsot-cybersecurity-monitoring-technologies  This is a modified version of one of CESER’s current considerations.