How Do the Biden Administration's Planned Cybersecurity Performance Goals Affect Utilities?
- Aug 5, 2021 2:05 am GMT
In a bid to improve cybersecurity infrastructure, the Biden administration issued a memo last week to set up the Industrial Control Systems Cybersecurity Initiative, a voluntary, collaborative effort between the U.S. government and the critical infrastructure community to significantly improve cybersecurity. The administration plans to suggest cybersecurity performance goals on Sep 22. The goals will be finalized a year later.
Two things are interesting about this development.
First, it clears the way for a possible update of NERC’s CIP standards and a possible migration to the NIST framework. During the press briefing, the administration’s officials said the government’s current posture towards cybersecurity initiatives has been “woefully insufficient”. “The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory,” the administration official said. Of course, as Richard Brooks pointed out in his link about the topic, the question of aligning NERC’s rudimentary CIP standards with NIST’s more expansive 41-page guidelines will still be determined through an open FERC proceeding.
Second, the administration’s cybersecurity goals might help propel a cybersecurity insurance market aimed at utilities. During the press briefing, officials from the administration said they were considering reworking incentives to ensure that utilities comply with the “voluntary” initiative. “We have been investing a lot of time in understanding the incentives and understanding the barriers and looking at what can be done across grants, across potential tax credits, across, potentially, you know, performance incentive mechanisms. Cyber insurance mechanism is a really interesting mechanism as well,” he said.
The last option has been under consideration for some time now. A 2014 report by the Bipartisan Policy Center discussed the Obama administration’s efforts to kickstart a market for cybersecurity insurance. According to the report’s authors, cybersecurity insurance would limit potential economic losses at individual entities experiencing a cyberattack or event. “At present, cybersecurity insurance does exist; however, coverage for utility companies is limited and often expensive,” the authors wrote.
I am not sure if the market has grown since then. Considering the frequency and extent of attacks since then, chances are high. Large utilities do disclose the threat of losses due to cybersecurity attacks in their annual reports. Previous reports have made it clear that there is no clarity about the terms of insurance.
Meanwhile, the New York Public Services Commission rejected a cybersecurity insurance requirement for third-party entities accessing utility services and data in 2019. Instead, the commission adopted new security requirements for these entities to access the grid.