Should Public Utilities Get Paid to Secure the Power Grid?Proposed Financial Incentives, New Research Ask Which Is Better - 'Candy' or Stick?
The U.S. power grid is made up of 3,000 public utilities of varying sizes, and each set of generation facilities and distribution lines is a potential weak link that cyberattackers can exploit and potentially sever electrical services to thousands of people.
Whether to punish utilities or incentivize them into better cybersecurity has been a matter of debate for years - but one academic team says it has an algorithm that at least could allocate funds to where they have the greatest impact.
Research from Purdue University comes as the Federal Energy Regulatory Commission has expressed fears utilities aren't keeping pace with emerging threats, particularly with nation-state actors actively attacking the grid in Ukraine. FERC on Sept. 22 proposed a rule that would give utilities rate incentives for investing in advanced cybersecurity technologies.
Proposed FERC incentives for cybersecurity first emerged in 2020 but the commission took no action until directed to by Congress in the Infrastructure Investment and Jobs Act of 2021. The commission has overseen bulk power cybersecurity since 2005.
It can fine utilities for cybersecurity lapses - the largest so far being a $10 million fine against Duke Energy in 2019 - but Purdue University professor Saurabh Bagchi says that fines are typically levied as a "reactive measure" and don't relate to the "security investments or data of the different operators in critical infrastructure."
Bagchi, a professor of electrical and computer engineering, was the technical lead of a Purdue research team to develop an algorithm to help the nation's 3,000 utilities prioritize their security investments to harden the grid. In simulations of real-world infrastructure systems, researchers used a tax or fine to punish utilities for hurting the overall security of the system and rewarded them for making optimal security investments to protect the grid.
"Our incentive mechanism incentivizes those kinds of stakeholders to make appropriate security investment decisions because of the obvious reason - if you don't take care of your own asset, then of course that's going to be poison and also the rest of the system becomes more vulnerable," Bagchi says.
In a gaming scenario, Purdue researchers studied how groups of students who were asked to protect utility "assets" with limited funds were influenced by biases. The students typically guessed poorly about which assets to protect, with most tending to spread their investments around instead of focusing on individual assets, even after they were told which asset was most vulnerable to attack.
A common problem in human behavior, Bagchi says, it that decision-makers tend to underestimate or overestimate the impact of various threats, which could range from nation-state attackers with the skills to breach multiple assets across the system or cybercriminals interested in compromising part of it for monetary gain. CISOs with limited budgets face those types of decisions every day, Bagchi says.
Tyler Farrar, CISO at threat detection software vendor Exabeam, says Purdue's approach may have merit in improving security risk management and helping to make faster, better decisions about security investments.
"It's a solid complement to current vulnerability management and attack surface management activities," Farrar adds. "Leveraging technology to enhance human decision-making powers security teams with analytics-driven insights."
Pre-Qualified List of Cyber Investments
Whether FERC should be handing out incentives in the first place isn't a settled issue. Several FERC commissioners during the Sept. 22 monthly open agency meeting expressed concerns that the incentives are giving more "FERC candy" to utilities for doing something they should be required to do.
Chairman Richard Glick said the voluntary aspect with incentives means some utilities probably won't participate, "and as we know, it just takes one weak link in the whole system to cause major catastrophic damage."
"There's a reason over the years these adders have come to be known as FERC candy," Commissioner Mark Christie said during the meeting. "They're really sweet for those who get it, but not for consumers who have to pay for it - pretty sour to consumers."
To qualify for FERC incentives, utilities must demonstrate that expenditures will "materially improve a utility's security posture" based on controls recommended by the National Institute of Standards and Technology and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which is planning to introduce sector-specific standards for all critical infrastructure entities and cyber grants for public entities.
Investments that could qualify include training costs, assessments by third parties, software and services, and threat information-sharing programs. FERC will continually update a pre-qualified list of cyber defense solutions.
In exchange for making qualifying investments, FERC's proposed rule would allow utilities to request to earn a return on equity that is 2% higher than the ROE approved for its existing rates. Or utilities could recover cybersecurity costs that typically are expensed and treat those expenses as a regulatory asset that would be included in the transmission rate base amount.
Commissioners said they favor mandating investments and best practices for the industry, but that the incentives may help spur progress until those mandates can be adopted.
"It's a lengthy process to develop new standards, but as a practical matter I am wondering what role this proposal will play to fill that gap relative to getting stronger rules in place because the administrative process does not keep up with the ever-evolving threat," said FERC Commissioner Allison Clements.
John Bambenek, principal threat hunter at Netenrich, says that the pre-qualified list of solutions could result in utilities just checking off a box instead of making meaningful improvements, noting that "there hasn't been any real innovation in vulnerability management in a decade."
"It’s a case study in how regulation can make a lucrative business model while accomplishing little," Bambenek says. "Any good vulnerability management/attack surface management model needs to be intelligence-focused on what adversaries actually do and, often, they rely on mistakes and misconfigurations the VM/ASM miss."
Bagchi said that in addition to providing incentives alone, regulators should also consider ways to measure the effectiveness of the investments and adjust the program accordingly.