So bad DoE offers rate cuts to improve it • The Register

The US Department of Energy has proposed regulations to financially reward cybersecurity upgrades at power plants by offering incentive-based tariff treatment for everything from buying new hardware to paying for outside help.

In a note released earlier this week about the proposed rulemaking (which scuttled a similar plan for 2021), the DoE said the time was right to “set rules for incentive-based tariff treatments” for utilities investing in cybersecurity technology.

The DoE said this includes products and services, as well as information such as plans, policies, procedures and other material related to cybersecurity technology.

Industrial systems, such as those used in power plants, are known to be vulnerable: many of the devices used in operational technology (OT) environments are not designed to connect to the internet and simply cannot be configured securely.

Moody’s recently said utility companies are at the highest risk of cyberattacks. Until the US moves towards more distributed forms of power generation, power plants will continue to be large and tempting targets for infrastructure-disrupting cyberattacks, making any policy that incentivizes security a good idea.

In addition to encouraging voluntary security improvements, the proposed policy also encourages utilities to participate in cyber threat intelligence-sharing programs and mandates regular reporting for the duration of the incentives.

Generous breaks, strict conditions

The DoE’s proposal contains a long list of things it said would qualify for incentive-based tariff treatments. While it’s too long to include here, the DoE’s language about what it will allow means it could essentially include anything that could “materially improve cybersecurity,” be it a product, service, or a program for the exchange of information.

The DoE said hardware incentives would have a five-year amortization period, while activities would cease receiving incentives once they became mandatory.

To apply the rewards, the proposal envisages two methods: a return on equity (RoE) of 200 basis points (2 percent) that would be applied to the transmission rates, and a cost recovery deferral that would allow acquired equipment to be amortized and treated as a regulatory asset.

“We believe both provide a meaningful incentive to encourage cybersecurity spending that improves a utility’s cybersecurity posture,” the DoE said. The 2 percent RoE exceeds what the DoE typically offers for similar programs, it said, but noted that the cost of cybersecurity projects is small compared to “conventional transmission projects.”

The 2 percent rate is also necessary to help utility companies decide to make security investments without passing on the cost of rate hikes to consumers, the DoE said.

While the monetary rewards are generous, the list of pre-qualified (PQ) expenses starts off fairly small, only including costs incurred as part of participating in the DoE’s Cybersecurity Risk Information Sharing Program (CRISP) and costs related to internal network monitoring of IT and/or OT systems.

The DoE recognizes that the PQ list is small, and as part of the rulemaking process, “we solicit comments on these and any additional cybersecurity issues that should be considered for inclusion on the original PQ list,” the agency said.

It’s worth noting that any technology mandated by Critical Infrastructure Protection Reliability Standards (which cover many typical IT hardware devices) or by other state, local, or federal laws is exempt from the program, so no double-dips.

Source: https://www.theregister.com/2022/10/07/utility_security/

Rick Schindler
