Federal Register - February 5, 2021

Source: Federal Register

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules, p. 8316
qualify as automated and continuous monitoring security controls.[60] While this will limit the NIST Framework security controls eligible for incentives at this time, the Commission considers this to be an important next step in encouraging cybersecurity investments and may consider additional security control types in the future.
34. Under this proposal, one example of an investment that could warrant an incentive as automated and continuous monitoring would be for a public utility to install a dynamic asset management program to improve its ability to quickly detect and address new or previously unknown equipment on its network. Unknown and unattended equipment can present significant vulnerabilities and threats to both the information technology and operational technology networks. Implementing a process that automatically and continuously scans the current inventory of hardware and software across both the information technology and operational technology networks can identify, block, log and report any unauthorized access.
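The dynamic asset-management process described in paragraph 34, as an added illustration that is not part of the NOPR or of any utility's tooling: it compares a constructed authorized-asset baseline against constructed DHCP lease log lines, flags MAC addresses that are not in the baseline (critical when they appear on the OT segment), flags known devices that show up on the wrong segment, reports authorized devices that have gone missing, and emits quarantine actions in a hypothetical NAC command format. The baseline, the segment address ranges, the log format and the `nac quarantine` command are all assumptions made for the example.

```python
"""Continuous asset-inventory check: spot unknown or misplaced equipment.

Added example, not from the FERC NOPR. The baseline, segment ranges and
log lines below are constructed; the NAC command format is hypothetical.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed authorized-asset baseline (in practice: CMDB / asset register).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"host": "hmi-01", "segment": "OT"},
    "00:1a:2b:3c:4d:02": {"host": "historian", "segment": "OT"},
    "00:1a:2b:3c:4d:03": {"host": "plc-03", "segment": "OT"},
    "00:1a:2b:3c:4d:10": {"host": "ws-eng-07", "segment": "IT"},
}

# Assumed network segmentation: which address ranges are OT and which are IT.
SEGMENTS = {
    "OT": ip_network("10.20.0.0/24"),
    "IT": ip_network("10.10.0.0/16"),
}

# Constructed DHCP-server style lease log (ISC dhcpd-like DHCPACK lines).
SAMPLE_LOG = """\
2021-02-05T08:00:01Z DHCPACK on 10.10.5.17 to 00:1a:2b:3c:4d:10 (ws-eng-07) via eth0
2021-02-05T08:00:07Z DHCPACK on 10.20.0.11 to 00:1a:2b:3c:4d:01 (hmi-01) via eth1
2021-02-05T08:01:13Z DHCPACK on 10.20.0.44 to 08:00:27:de:ad:01 (raspberrypi) via eth1
2021-02-05T08:02:40Z DHCPACK on 10.10.9.3 to 00:1a:2b:3c:4d:02 (historian) via eth0
2021-02-05T08:03:02Z DHCPACK on 10.10.8.90 to a4:5e:60:12:34:56 () via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17}) "
    r"\((?P<host>[^)]*)\) via"
)


@dataclass(frozen=True)
class Alert:
    severity: str
    mac: str
    ip: str
    reason: str


def segment_of(ip: str):
    """Map an address to its segment name, or None if it is in no known range."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate_leases(log_text: str, authorized=AUTHORIZED):
    """Diff observed leases against the baseline.

    Returns (alerts, missing): alerts for unknown or misplaced devices, and
    the sorted list of authorized MACs that never appeared in this scan window.
    """
    alerts = []
    seen = set()
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # not a lease record; ignore
        mac, ip, host = m["mac"].lower(), m["ip"], m["host"]
        seg = segment_of(ip)
        known = authorized.get(mac)
        if known is None:
            # Equipment not in the register. Anything on OT is treated as critical.
            sev = "critical" if seg == "OT" else "high"
            label = host or "?"
            alerts.append(Alert(sev, mac, ip, f"unknown device '{label}' on {seg or 'unmapped'} segment"))
        elif known["segment"] != seg:
            # Known asset, but on a segment it is not registered for (possible
            # spoofed MAC or a device moved across the IT/OT boundary).
            alerts.append(Alert("high", mac, ip, f"{known['host']} expected on {known['segment']}, seen on {seg}"))
        seen.add(mac)
    missing = sorted(set(authorized) - seen)
    return alerts, missing


def block_actions(alerts):
    """Turn critical alerts into quarantine commands (hypothetical NAC syntax)."""
    return [f"nac quarantine mac {a.mac}" for a in alerts if a.severity == "critical"]


if __name__ == "__main__":
    found, absent = evaluate_leases(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.mac} {a.ip}: {a.reason}")
    print("authorized but not seen:", absent)
    print("actions:", block_actions(found))
```

Run continuously (for example on each new lease batch), this covers the three outcomes the paragraph lists: unknown equipment is identified and logged, critical cases produce a blocking action, and every run reports both new and missing assets. The same diff works for ARP tables, switch MAC tables or NetFlow exporters; only `LEASE_RE` changes.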
35. Another example of an automated and continuous monitoring investment eligible for an incentive is the implementation of a dynamic file analysis program or a sandbox. One deployment of a sandbox is as an automated malware detection environment that continuously scans email attachments and weblinks in the corporate email system for malicious code. When malicious code is detected, the sandbox blocks delivery to the end user in real time and automatically issues an alert to the security team. Malicious code detonated in the sandbox may well activate there, but it is isolated from the information technology and operational technology networks, thereby protecting the networks while alerting the public utility to the threat. The deployment of sandboxes enhances the ability of a public utility to detect and prevent the delivery of malicious code, disrupts social engineering attacks on users, and tests software for dangerous behavior. Further, the ability to perform post-incident forensic triage and analysis enables public utilities to establish the root causes of an event, identify related vulnerabilities, and mitigate associated risks in an expedited manner to optimize long-term operational capabilities.
36. As discussed below, public utilities seeking an incentive under this approach would need to show how a cybersecurity investment (for example, in physical components, software, and licensing for cybersecurity enhancements, as well as operational costs such as contracts with security providers, third-party incident responders, and third-party security operations centers) allows the public utility to meet NIST Framework security controls, as identified above, goes above and beyond the requirements of the CIP Reliability Standards, and materially enhances the current cybersecurity posture of the Bulk-Power System by enhancing the applicant's cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.

[60] NIST, Information Security Continuous Monitoring for Federal Information Systems and Organizations, NIST Special Publication 800-137, at 13 (Sep. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
As the Commission evaluates incentive applications, we will remain cognizant of ongoing changes to the CIP Reliability Standards, the NIST Framework, and underlying referenced security controls.
37. As with the NERC CIP Incentives Approach, if a public utility ceases to maintain the cybersecurity posture associated with the Commission's order approving its NIST Framework Approach incentives application, the public utility would not be able to receive the incentive for the period during which it is not implementing the CIP Reliability Standards as described in the Commission's order approving its application.
C. Incentives for Cybersecurity Investments

1. ROE Adder

38. We propose to add section 35.48(c)(1) to the Commission's regulations to allow a public utility that makes eligible cybersecurity capital investments, as more fully described above, to request an ROE adder of 200 basis points (Cybersecurity ROE Incentive) for those eligible cybersecurity investments. This ROE incentive will encourage public utilities to proactively make additional investments in cybersecurity systems.
We believe that such a 200-basis-point adder is appropriate to provide a meaningful incentive to encourage public utilities to improve their systems' cybersecurity. For example, we note that given the relatively small size of such investments, compared to conventional transmission projects, the dollar amounts provided under the incentives should not have a burdensome effect on the public utility's rates. Yet the benefit to the system, and ultimately to ratepayers, of this additional investment will provide additional cybersecurity protections that could have a large impact on the public utility's system by allowing it to better detect and address cybersecurity threats to the Bulk-Power System. The total cybersecurity incentives requested would be capped at the zone of reasonableness.[61]
Additionally, we find that the same expenditures should not be eligible for both the Cybersecurity ROE Incentives and the Regulatory Asset Incentives discussed below. Given that regulatory asset treatment is available to costs that are normally treated as expenses, as discussed below, we believe that it is unnecessary to incent investment to also enable deferred costs that would otherwise be expensed to receive this 200 basis-point incentive. We propose that public utilities only be eligible to receive the Cybersecurity ROE Incentive as a cybersecurity incentive for capital investments.
39. Transmission-specific investments based on the NERC CIP Incentives Approach and the NIST Framework Approach may be eligible for the Cybersecurity ROE Incentive under this NOPR. In addition, we propose that enterprise-wide costs, which are not specific to transmission but a portion of which are recovered through transmission rates, may also be eligible for incentives if the applicant can demonstrate how the investment will materially enhance the security posture of the Bulk-Power System by enhancing the applicant's cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers. While cybersecurity systems that are not subject to the CIP Reliability Standards may be less critical to reliable operations, compromise of these systems may nevertheless allow access to more critical systems, and therefore we believe that incentivizing the enhanced protection of these systems is important to the reliability of the Bulk-Power System.[62] Only the conventionally allocated portion of such investments that flows through to Commission-jurisdictional cost-of-service rates will be eligible for this rate treatment. For instance, if a public utility seeks an incentive for cybersecurity investment that it made to its general plant

[61] In the Transmission Incentives NOPR the Commission proposes that, under FPA section 219, the Commission may approve a rate that exceeds the zone of reasonableness to further the purposes of that statutory provision. In this NOPR, however, the Commission is acting under FPA sections 205 and 206.

[62] For example, WannaCry attacked specific servers that were vulnerable, and once the attacker gained access to the server, the attacker moved to other internal systems to complete the attack. See NCCIC, Fact Sheet, What is Wannacry/Wanacryptor?, https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf.
