By Duncan Greatwood, CEO, Xage
Following a series of devastating ransomware attacks, the Biden Administration is keen to improve the nation’s cybersecurity posture. Without the proper incentives, however, their efforts could be futile.
Specifically, the Biden Administration’s 100-day plan to protect the power grid encourages utility companies to exceed existing security mandates, pushing owners and operators to adopt technology for attack detection, prevention, forensics and response.
What the government is alluding to in these calls for change is a zero trust approach. In essence, a zero trust security strategy would enable an electric services company to create and enforce access policies based on the identity of a specific user or machine, and to track every single interaction happening across its entire network. Crucially, this approach allows operators to block any rogue device or malware that does get in, preventing the attacker from moving laterally to gain free rein over multiple systems or even the whole operation.
In short, by encouraging utilities to implement zero trust principles, the federal government is looking to ensure that no single compromise can completely halt a company’s operations, as we saw with the Colonial Pipeline last month. After the Colonial Pipeline was hacked, the company had to shut down oil distribution across the entire eastern seaboard, costing millions in ransom payments and lost profits, and leading the public to panic-buy gasoline.
To ensure this scenario isn’t replicated on the U.S. power grid, the Department of Energy put out a Request For Information (RFI) to help inform future mandates and recommendations. It called on the private sector for more information on technical assistance needs, supply chain risk management best practices, procurement best practices, and proposed risk mitigation criteria.
Our company, Xage, submitted a public RFI response that not only aims to inform the Department of Energy about the shortcomings of traditional security models and the benefits of zero trust, but also makes the argument for incentivizing cybersecurity investments.
Just as critical as a zero trust model is the incentive to adopt one. Today, utilities are incentivized to make infrastructure improvements that enhance grid stability and resiliency (these are considered capital investments) because such spending allows them to adjust the rates they charge consumers, leading to growth in revenue. However, stand-alone cybersecurity products are largely viewed as operational spending, not capital expenses, meaning cybersecurity purchases aren’t incentivized and investments are harder to justify.
The Federal Energy Regulatory Commission (FERC) proposed such incentives in February of this year, but they have yet to come to fruition. However, given the scale and reach of recent cyber attacks, it’s clear that cybersecurity is in fact an infrastructure improvement that results in better grid stability and resiliency. With this in mind, utilities should be able to recover their investments in cybersecurity through current capital expense rate recovery mechanisms.
This policy adjustment, if adopted by FERC and state Public Utility Commissions (PUCs), will create a step change in our nation’s ability to protect our electrical energy infrastructure. And once the precedent is set in utilities, additional incentives could be extended to other industries, such as manufacturing and transportation. It’s these financial motivators that will truly expedite the changes needed to protect the nation’s most critical industries and make devastating cyberattacks a thing of the past.