SecurityScorecard, the global leader in cybersecurity ratings, commented on the Federal Energy Regulatory Commission’s (FERC or “Commission”) proposal to establish rules for incentive-based rate treatments for certain voluntary cybersecurity investments by utilities.
Cybersecurity is among the greatest threats to the resilience and reliability of America’s critical infrastructure, including its electricity infrastructure. Therefore, the Commission’s work with utilities, the cybersecurity industry, and other stakeholders to enhance the resilience of America’s electricity sub-sector is essential.
SecurityScorecard supports the Commission’s proposal in the Notice of Proposed Rulemaking (NPRM). It draws on existing federal resources relating to cybersecurity risk management to determine whether a utility’s investment qualifies as an “advanced cybersecurity technology,” making it eligible for an incentive. SecurityScorecard also supports the Commission’s proposal to develop and maintain a list of pre-qualified investments (PQ List). This approach will enhance predictability and transparency about the incentive program and help standardize certain best practices in cybersecurity and supply chain risk management.
Having said that, SecurityScorecard noted that the Commission’s proposed list of resources is composed exclusively of U.S. federal government resources. We submit:
The Commission should add NIST SP 800-161 Rev. 1, “Software Security in Supply Chains: Enhanced Vendor Risk Assessments,” to this list of resources.
SecurityScorecard also advises that the Commission’s proposed focus on “internal network security monitoring” technologies, as the initial entries on the PQ List, is too narrow. The trend and best practice in cyber risk management is for organizations to consider perimeter and internal security as interdependent elements of a defense-in-depth or zero-trust architecture and continuously monitor not only their own cybersecurity posture, but that of suppliers, business partners, and related third parties. As White House Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, has said, “One needs to see a space to defend a space.” Accordingly, we recommend the following:
The Commission should broaden its focus from “internal network security monitoring” to “continuous monitoring” to enable utilities to maintain situational awareness of both the internal and external threat vectors and cyber risks to their networks.
In the NPRM, the Commission also “seeks comment on whether any widely accepted metrics for cybersecurity performance could lend themselves to be benchmarks needed for performance-based rates.” We offer that:
Security ratings are a recognized, trusted source of objective, data-driven metrics for cybersecurity performance.
Cyber Metrics and a Risk-Based Approach to Cybersecurity
Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, testified to Congress in 2021, “I think it’s hard to say you’ve reduced risk unless you know how to measure it.” SecurityScorecard wholeheartedly agrees. You can’t manage what you can’t measure nor defend what you can’t see. The cyber threat environment is constantly evolving, and so are organizations’ IT environments. Many organizations are nearly blind to their third-party risk, even though over half of all cyber incidents occur through third-party digital connections.
Organizations must refrain from using a playbook that relies on static analyses and entirely qualitative objectives. Instead, they must continuously assess cybersecurity risk across their entire supply chain and vendor ecosystem and produce quantitative metrics to measure that dynamic risk in a standardized, actionable way. This is what security ratings deliver.
In its January 2021 report, “A Risk-based Approach to National Security,” the National Risk Management Center emphasized the importance of security ratings:
“The emergence of security ratings has driven cyber risk quantification as a way to calculate and measure cyber risk exposure. These security ratings provide a starting point for companies’ cybersecurity capabilities and help elevate cyber risk to board decision-making. Entities can also use security ratings alongside strategic risk metrics to align cyber scenarios with material business exposure; roll up cyber risks with financial exposure to inform risk management decisions; and measure improvement of cyber risk reduction over time. This kind of work needs to happen in the boardroom and also amongst national security leaders.”
Security ratings provide unique, valuable insights and objective, data-driven metrics on an organization’s cybersecurity risk posture and the credibility of its claims about that posture. When conducted independently, such assessments validate for the public, third-party organizations, and regulators that an organization is employing adequate cybersecurity measures, and they can quantify the investments made in cybersecurity and risk management.
SecurityScorecard looks forward to continuing to work with the Commission, and to informing and commenting further as its rulemaking process continues.