APPA grant to fund research initiative tied to enhancing grid resilience
June 15, 2021
by Paul Ciampoli
APPA News Director
The University of Massachusetts Amherst’s Energy Transition Institute (ETI) has been awarded a grant of more than $100,000 from the American Public Power Association’s (APPA) Demonstration of Energy & Efficiency Developments (DEED) program to launch Project Groundwork, a research initiative that will explore electric distribution solutions to enhance grid resilience.
ETI is partnering on the effort with Groundwork Data, a non-profit research initiative focused on public infrastructure, as well as the Massachusetts Municipal Wholesale Electric Company (MMWEC), the joint action agency for municipal utilities in the Commonwealth.
Project Groundwork examines the costs and benefits of a set of innovative strategies for undergrounding utility lines in non-high-density cities.
These strategies include:
- Sharing utility infrastructure between electricity and broadband;
- Shifting underground utility infrastructure out of the road and into the public right-of-way;
- Laying cable on existing surfaces and covering with cycling paths; and
- Micro-trenching, horizontal drilling, and innovative wireless technologies to connect the network to individual homes and businesses.
The research team will construct a model that optimizes construction of new utility corridors on the basis of estimated cost and projected benefits, including enhanced reliability of electric service and access to broadband.
The team will then use this model to analyze investment scenarios based on mapping data from towns and cities across the U.S.
“Municipal utilities have a hundred-plus year track record of operational excellence as evidenced through providing the most affordable and reliable services across the country,” said Christopher Roy, general manager of Shrewsbury Electric and Cable Operations and a board member of DEED.
The project was awarded a DEED grant of $123,198 to develop the initial cost-benefit model.
“MMWEC is pleased to support this effort to better inform municipal utilities on the feasibility of undergrounding in their specific communities,” said MMWEC Chief Executive Officer Ronald DeCurzio in a statement. “The model being developed by the research team is expected to benefit municipal utilities across the country.”
Additional information about ETI is available here.
To learn more about the DEED program, click here.
White House memorandum outlines best practices to protect against ransomware
June 7, 2021
by Paul Ciampoli
APPA News Director
The Biden Administration on June 2 issued a memorandum to corporate executives and business leaders that outlines the U.S. government’s recommended best practices to guard against the threat of ransomware.
The memo was sent by Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology.
“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” she wrote. “To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
The memo outlines several steps that should be taken now to address the threat of ransomware.
First, it recommends implementing the five best practices from President Biden’s Improving the Nation’s Cybersecurity Executive Order.
Second, the memo recommends backing up data, system images, and configurations, regularly testing them, and keeping the backups offline. “Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.”
It also recommends updating and patching systems promptly. This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. “Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.”
Testing of incident response plans should also occur. “There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?”
In addition, the memo highlights the need to check a security team’s work and recommends using a third party to test the security of systems and the ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors, the memo notes.
The memo also recommends segmenting networks. “There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure Industrial Control System (ICS) networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.”
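The segmentation advice above (separate corporate and OT networks, limit internet access from operational networks, and identify the links between them) can be checked against firewall flow logs. The following is an added example, not code from the memo, the White House or APPA: it parses a few constructed flow records, reports any permitted corporate-to-OT connection that is not on an explicit allow list, any permitted OT host reaching an address outside the organisation's own ranges, and inventories the IT-to-OT links actually seen. The address ranges, log format, firewall name and allow list are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed network plan (assumption): corporate IT, a DMZ, and the ICS/OT segment.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("10.20.0.0/24")
OT = ipaddress.ip_network("192.168.100.0/24")
INTERNAL = (CORPORATE, DMZ, OT)

# The only sanctioned path into OT (assumption): the DMZ historian polling the
# OT data broker over Modbus/TCP. Every other permitted IT->OT flow is a finding.
ALLOW_LIST = {
    (ipaddress.ip_address("10.20.0.5"), ipaddress.ip_address("192.168.100.10"), 502),
}

# Constructed log format (assumption): "<timestamp> <firewall> ALLOW|DENY <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
2021-06-02T10:15:01Z fw01 ALLOW 10.20.0.5 -> 192.168.100.10:502
2021-06-02T10:15:07Z fw01 ALLOW 10.10.5.23 -> 192.168.100.12:3389
2021-06-02T10:15:09Z fw01 DENY 10.10.7.4 -> 192.168.100.12:445
2021-06-02T10:16:30Z fw01 ALLOW 192.168.100.20 -> 203.0.113.9:443
2021-06-02T10:17:02Z fw01 ALLOW 10.10.5.23 -> 10.10.9.1:443
""".splitlines()


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one flow record; reject anything that does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    return Flow(m["ts"], m["action"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def classify(flow):
    """Return a finding label for a permitted flow that breaks the segmentation
    policy, or None. Denied flows are never findings: the firewall did its job."""
    if flow.action != "ALLOW":
        return None
    if flow.dst in OT and flow.src not in OT:
        if (flow.src, flow.dst, flow.dport) in ALLOW_LIST:
            return None
        return "UNAPPROVED_IT_TO_OT"
    if flow.src in OT and not is_internal(flow.dst):
        return "OT_INTERNET_EGRESS"
    return None


def audit(lines):
    """Run every record through classify() and collect (label, flow) pairs in log order."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((label, flow))
    return findings


def inventory_links(lines):
    """Every permitted connection crossing into OT, as (src, dst, port) strings.
    This is the 'identify links between these networks' step: review the set,
    then either add each entry to ALLOW_LIST deliberately or block it."""
    links = set()
    for line in lines:
        flow = parse_flow(line)
        if flow.action == "ALLOW" and flow.dst in OT and flow.src not in OT:
            links.add((str(flow.src), str(flow.dst), flow.dport))
    return links


if __name__ == "__main__":
    for label, flow in audit(SAMPLE_LOG):
        print(f"{label}: {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}")
    print("IT->OT links observed:", sorted(inventory_links(SAMPLE_LOG)))
```

On the constructed sample the script flags the RDP session from a corporate workstation into an OT host and the outbound HTTPS connection from an OT device, while the sanctioned historian poll and the denied SMB attempt pass. The internet check deliberately compares against the organisation's own address ranges rather than a public/private heuristic, so that any destination not explicitly known to be internal is treated as external.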
Ransomware is a very familiar threat to the public power segment of the industry and APPA held a webinar on April 21 of this year, with the Cybersecurity and Infrastructure Security Agency. The slide deck and the recording can be accessed here. Additionally, the Electricity Information Sharing and Analysis Center (E-ISAC) in February of this year released a report labeled Ransomware Trends for Utilities and APPA encourages public power utilities to review this resource.
APPA continues to stress the importance of public power utilities joining the E-ISAC for timely and actionable sharing of threats to the electricity subsector. Currently, the E-ISAC is specifically designing a portal and report for small and medium sized public power and cooperative utilities. To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services or the public power address below.
Any questions can be directed to: cybersecurity@publicpower.org.
Biden signs cybersecurity executive order focused on securing federal networks
May 18, 2021
by Paul Ciampoli
APPA News Director
President Joseph Biden on May 12 signed a cybersecurity executive order (EO) that focuses on securing federal networks and establishes a new government entity modeled after the National Transportation Safety Review Board to review major breaches.
A White House fact sheet notes that, along with establishing a cybersecurity safety review board, the EO will:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on federal government networks; and
- Improve investigative and remediation capabilities
“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the fact sheet states. “These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents,” the White House said.
The Colonial Pipeline incident “is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents,” the White House fact sheet said.
Colonial Pipeline was a recent victim of a cybersecurity attack involving ransomware. Colonial Pipeline initiated the restart of pipeline operations at approximately 5 p.m. ET on Wednesday, May 12. “Since that time, we have returned the system to normal operations, delivering millions of gallons per hour to the markets we serve,” it said in a May 15 tweet.
Key U.S. energy pipeline company hit by ransomware attack
May 9, 2021
by Paul Ciampoli
APPA News Director
Colonial Pipeline on May 7 learned it was the victim of a cybersecurity attack and it has since determined that this incident involves ransomware.
“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” the company said on May 8 in a statement.
“Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies,” Colonial Pipeline said.
Georgia-based Colonial Pipeline said it is taking steps to understand and resolve this issue.
Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor.
The company transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles of pipelines linking refiners on the Gulf Coast to the eastern and southern United States, Reuters noted in a story about the attack.
“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline,” Colonial Pipeline said in the statement.
Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline, it said on Sunday, May 9.
“The Colonial Pipeline operations team is developing a system restart plan. While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” it said.
Biden declares emergency
The White House declared a state of emergency on Sunday tied to the ransomware cyberattack, the BBC reported. The emergency status enables fuel to be transported by road, the BBC said.
A number of media outlets reported that the attack was carried out by DarkSide. “The cyberextortion attempt that has forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said Sunday,” the Christian Science Monitor reported.
On CBS News’ “Face the Nation” on May 9, Secretary Gina Raimondo said that “This is what businesses now have to worry about, and I will be working very closely with Ali Mayorkas on this. It’s a top priority for the administration. Unfortunately, these sorts of attacks are becoming more frequent,” she said. “They’re here to stay and we have to work in partnership with businesses” to secure networks, “to defend ourselves against these attacks. As it relates to Colonial, the president was briefed yesterday. It’s an all hands on deck effort right now. And we are working closely with the company, state and local officials to, you know, make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”
The Department of Homeland Security (DHS) “is monitoring the ransomware incident affecting Colonial Pipeline. Every organization must be vigilant and strengthen its cybersecurity posture against ransomware and other types of cyber-attacks,” DHS Secretary Alejandro Mayorkas said in a May 8 tweet.
“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” said Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency, which is part of the DHS.
“This incident highlights that ransomware continues to be a significant issue facing all critical infrastructure sectors. While this incident did not involve an electric utility, the relevance to the electricity subsector cannot be understated,” said Sam Rozenberg, Senior Director of Security and Resilience at the American Public Power Association.
Ransomware is a very familiar threat to the public power segment of the industry and APPA held a webinar on April 21st of this year, with the Cybersecurity and Infrastructure Security Agency. The slide deck and the recording can be accessed here. Additionally, the Electricity Information Sharing and Analysis Center (E-ISAC) in February of this year released a report labeled Ransomware Trends for Utilities and APPA encourages public power utilities to review this resource.
APPA continues to stress the importance of public power utilities joining the E-ISAC for timely and actionable sharing of threats to the electricity subsector. To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services.
Any questions can be directed to: cybersecurity@publicpower.org.
DOE moves to modernize cybersecurity defenses and secure energy sector supply chain
April 20, 2021
by Paul Ciampoli
APPA News Director
The U.S. Department of Energy (DOE) on April 20 launched an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain.
The plan is a coordinated effort between DOE, the electricity industry and the Cybersecurity and Infrastructure Security Agency (CISA).
Over the next 100 days, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), in partnership with electric utilities, will continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities, DOE said in a news release.
DOE said the initiative modernizes cybersecurity defenses and:
- Encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;
- Includes concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical ICS and operational technology (OT) networks;
- Reinforces and enhances the cybersecurity posture of critical infrastructure information technology networks; and
- Includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.
RFI
In addition, DOE released a request for information (RFI) to seek input from electric utilities, energy companies, academia, research laboratories, government agencies, and other stakeholders to inform future recommendations for supply chain security in U.S. energy systems.
The comments received in response to the RFI will enable DOE “to evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base,” it said.
Accordingly, DOE expects that, during the period of time in which further recommendations are being developed, “utilities will continue to act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence.”
The RFI is available on the DOE Office of Electricity’s web page, www.energy.gov/oe/securing-critical-electric-infrastructure.
“Ensuring the cyber and physical security of our nation’s electric grid is a top priority for APPA and its industry and government partners. As threats to our electric system continue to evolve, we are encouraged to see the Administration take action to engage industry in an effort to continuously improve our collective posture,” the American Public Power Association (APPA) said.
“We see this action as complementary to the existing partnership between APPA and DOE-CESER to help smaller public power utilities improve their security by implementing hardware, firmware and software to detect and respond to adversarial activity through information sharing; provide advanced analytics for pinpointing when and where a system was compromised; and employ autonomous defense at remote endpoints,” APPA said.
APPA says FERC cybersecurity incentive proposals are not needed to promote investments
April 13, 2021
by Paul Ciampoli
APPA News Director
Cybersecurity incentive proposals included in a Notice of Proposed Rulemaking (NOPR) issued by the Federal Energy Regulatory Commission (FERC) are neither necessary nor appropriate to promote effective cybersecurity investment, the American Public Power Association (APPA) said in April 6 comments submitted to FERC.
Moreover, the proposals outlined by FERC do not satisfy the requirements for incentive rate mechanisms under the Federal Power Act (FPA), APPA said in urging the Commission not to adopt the NOPR’s incentive rate proposals.
The NOPR follows a FERC staff white paper issued in June 2020 that outlined an incentive framework for cybersecurity investments similar to the proposals included in the NOPR.
APPA filed comments and reply comments in response to the white paper opposing the proposed incentives, while also making a number of recommendations regarding the structure and implementation of any cybersecurity incentive program the Commission chose to adopt.
The NOPR proposes an incentive rate framework intended to encourage voluntary cybersecurity investments that “go above and beyond” the current requirements of the Critical Infrastructure Protection (CIP) reliability standards established by the North American Electric Reliability Corporation (NERC), APPA noted.
The NOPR suggests that such investments could “materially enhance the cybersecurity posture of the Bulk-Power System by enhancing the applicants’ cybersecurity posture substantially above levels required by CIP reliability standards, to the benefit of ratepayers.”
The incentives would be available to public utilities, as well as “to non-public utilities to the extent that they have Commission-jurisdictional rates.”
In the context of FERC regulations, public utilities are defined as those that are Commission-jurisdictional (e.g., investor-owned utilities).
NOPR proposes two approaches
The NOPR proposes two cybersecurity investment approaches that may be eligible for incentives: the NERC CIP incentives approach and the National Institute of Standards and Technology (NIST) framework approach.
The NERC CIP incentives approach would award incentives for investments associated with voluntarily applying the CIP reliability standards to facilities that are not currently subject to the CIP requirements.
The NIST framework approach would award incentives for implementing certain security controls in the cybersecurity framework developed by NIST relating to automated and continuous monitoring.
Qualifying investments would be eligible for either a 200-basis point return on equity (ROE Adder) or a “Regulatory Asset Incentive” that would permit deferred cost recovery — with a return — for several categories of costs that have traditionally been treated as expenses.
Public utilities would not be eligible to receive the ROE Adder and the Regulatory Asset Incentive for the same expenditures.
APPA said that it recognizes that today’s electric grid faces increasing cybersecurity risks, and it appreciates the Commission’s efforts to assess how its policies might be best shaped to allow the industry to respond to these threats.
“APPA respectfully submits, however, that the incentive program outlined in the NOPR is neither necessary nor appropriate to promote prudent public utility investment in cybersecurity measures. On the contrary, if adopted, the White Paper framework could result in investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return,” the trade group said in the comments.
As an initial matter, the NOPR does not establish that the Commission has the authority to grant incentives to promote cybersecurity under its general ratemaking authority, APPA argued.
“Even if the Commission possesses such authority under the FPA, the incentive framework proposed in the NOPR fails to meet the longstanding requirements for just and reasonable incentive rates, including quantified benefits to consumers,” it said.
Neither generic application of CIP reliability standard requirements to lower impact Bulk Electric System (BES) cyber systems that are not currently subject to those requirements, nor broad adoption of NIST Framework security controls would necessarily result in a meaningful increase in cybersecurity, as the NOPR appears to assume, APPA said.
“This is not to say that use of these approaches in certain circumstances would not have cybersecurity benefits, but APPA disputes the assumption that widespread adoption of these approaches as contemplated in the NOPR would be a cost-effective way of achieving meaningful cybersecurity outcomes.”
APPA went on to say that even in circumstances where more robust cybersecurity investment might be beneficial, new incentives would not be just and reasonable because they are not needed to promote such investment.
It said that the record from a March 28, 2019 technical conference convened by the Commission and the Department of Energy strongly supports this conclusion, and existing cost recovery mechanisms are sufficient to accommodate prudent cybersecurity investment.
If the Commission proceeds with the NOPR, APPA said that it should preserve the features of the proposed rule that will help protect customers and ensure transparency, including:
- Public utilities will not be eligible to receive the ROE Adder and the Regulatory Asset Incentive for the same expenditures;
- Only the portion of enterprise-wide cybersecurity investments allocable to the transmission function will be recoverable;
- Rate incentives will be of limited duration;
- An FPA section 205 filing will be required to receive incentives, and utilities will be required to submit subsequent informational filings; and
- The ROE Adder will be capped at the high end of the zone of reasonableness
Moreover, APPA said that FERC should adopt a number of clarifications or modifications to the proposed rule, including the following:
- In applying the cap on ROE incentives, a public utility should be required to take into account ROE adders other than the cybersecurity investment adder;
- Incentives should be limited to the portion of the overall project investment that the applicant demonstrates is necessary to produce significant reliability benefits beyond those provided by the current applicability of the CIP reliability standards;
- Public utilities should not be permitted to collect an incentive ROE adder or the Regulatory Asset Incentive on cost overruns;
- Public utilities should be required to identify quantifiable metrics to measure the expected benefits of the investments;
- The initial compliance filing should be made prior to incentive rates going into effect, rather than within 120 days of the completion of the cybersecurity upgrades; and
- Prompt reporting of non-compliance with the incentive criteria should be a condition of an award of incentives.
Florida city hit with unlawful intrusion of water treatment system
February 9, 2021
by Paul Ciampoli
APPA News Director
The Pinellas County Sheriff’s Office in Florida and the City of Oldsmar, Fla., recently disclosed the unlawful intrusion of the city’s water treatment system.
Detectives assigned to a Digital Forensics Unit are investigating an unlawful computer software intrusion at the city’s water treatment plant, the Sheriff’s Office said on its website.
On Feb. 5, 2021, the Pinellas County Sheriff’s Office was notified by the city that its computer system had been remotely accessed at 8:00 a.m. and 1:30 p.m. by an unknown suspect.
According to detectives, the City of Oldsmar’s computer control system at the water treatment plant allows for remote access by authorized users to troubleshoot any system problems from other locations.
“The initial intrusion at 8:00 a.m. was brief and not cause for concern due to supervisors regularly accessing the system remotely to monitor the system,” the Sheriff’s Office said.
At 1:30 p.m., a plant operator witnessed a second remote access user opening various functions in the system that control the amount of sodium hydroxide in the water. The operator noted the remote access user raised the levels of sodium hydroxide in the water.
The operator immediately reduced the levels to their appropriate amount. The initial investigation revealed that the hacker remotely accessed the treatment plant’s control system for approximately 3 to 5 minutes.
Cybersecurity firm, Dragos Inc., has published a blog post on the subject: Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack.
“While this incident did not involve an electric utility, the relevance to the electricity subsector cannot be understated,” said Sam Rozenberg, Senior Director of Security and Resilience at the American Public Power Association.
APPA continues to stress the importance of public power utilities joining the Electricity Information Sharing and Analysis Center (E-ISAC) for timely and actionable sharing of threats to the electricity subsector. To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services.
Any questions can be directed to: cybersecurity@publicpower.org.
CISA released cybersecurity and physical security convergence guide
January 11, 2021
by Paul Ciampoli
APPA News Director
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide designed to provide guidance on converging cybersecurity and physical security functions.
The guide notes that today’s threats are a result of hybrid attacks targeting both physical and cyber assets.
The adoption and integration of Internet of Things and Industrial Internet of Things devices have led to an increasingly interconnected mesh of cyber-physical systems, “which expands the attack surface and blurs the once clear functions of cybersecurity and physical security,” the guide notes.
Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape, the guide said.
“Together, cyber and physical assets represent a significant amount of risk to physical security and cybersecurity — each can be targeted, separately or simultaneously, to result in compromised systems and/or infrastructure,” CISA said.
“Yet physical security and cybersecurity divisions are often still treated as separate entities. When security leaders operate in these siloes, they lack a holistic view of security threats targeting their enterprise,” the guide noted. As a result, attacks “are more likely to occur and can lead to impacts such as exposure of sensitive or proprietary information, economic damage, loss of life, and disruption of national critical functions.”
Convergence is formal collaboration between previously disjointed security functions, the guide said. “Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions.”
Benefits of convergence
CISA said that an integrated threat management strategy reflects in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure.
As rapidly evolving technology increasingly links physical and cyber assets, the benefits of converged security functions outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals, the guide said.
“While many utilities have not integrated physical and cybersecurity operations, it is especially important in the energy sector, to take a holistic risk-based approach when thinking about security,” said APPA’s Senior Director of Security & Resilience, Sam Rozenberg, CPP.
The guide includes a framework for aligning security functions, as well as a set of convergence case studies.
The guide is available here.
DOE issues order aimed at reducing risks to bulk-power system from China-related entities
December 21, 2020
by Paul Ciampoli
APPA News Director
U.S. Secretary of Energy Dan Brouillette on Dec. 17 issued an order designed to reduce the risks that entities associated with the People’s Republic of China pose to the U.S. bulk-power system (BPS).
The order only applies to utilities that have been designated as defense critical electric infrastructure (DCEI). The Department of Energy informed a small number of public power utilities that they had been designated as DCEI in 2019.
The order invokes the authority delegated to the Secretary of Energy by Executive Order 13920, “Securing the United States Bulk-Power System” (EO 13920) and takes effect January 16, 2021.
The order prohibits utilities that supply critical defense facilities from procuring from the People’s Republic of China specific BPS electric equipment that poses an undue risk to the BPS, the security or resilience of critical infrastructure, the economy, national security, or safety and security of Americans, the DOE said in a news release related to the order.
President Trump issued EO 13920 on May 1, 2020 and granted implementation authority to the Secretary of Energy.
The DOE order provides a compliance grace period of several weeks to minimize potential procurement and supply chain disruptions.
The order specifically prohibits utilities that supply critical defense facilities at a service voltage of 69-kV or above from acquiring, importing, transferring, or installing BPS electric equipment, and is specific to select equipment manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China.
The order applies from the point of electrical interconnection with the critical defense facility up to and including the next “upstream” transmission substation.
Utilities subject to the order will be notified no later than five days from the issuance of the order.
Additional information including a link to the order is available here.
FERC issues NOPR proposing incentive rate treatment for voluntary cybersecurity investments
December 21, 2020
by APPA News
The Federal Energy Regulatory Commission on Dec. 17 issued a notice of proposed rulemaking (NOPR) proposing incentive rate treatment for certain voluntary cybersecurity investments that go above and beyond the requirements of the North American Electric Reliability Corporation’s (NERC) mandatory Critical Infrastructure Protection (CIP) reliability standards.
The NOPR (Docket No. RM21-3-000) was issued by the Commission at its monthly open meeting. It was the first FERC open meeting for Commissioner Allison Clements, who was sworn in on December 8, 2020. Clements did not vote on any of the agenda items.
FERC white paper
In June, FERC staff sought comments on a white paper that proposed “a new framework for providing transmission incentives to utilities for cybersecurity investments.” FERC staff cited “the evolving and increasing threats to the cybersecurity of the electric grid” as the impetus for the Cybersecurity Incentives Policy white paper (Docket No. AD20-19-000).
In response to the white paper, the American Public Power Association in August said that an incentive program for cybersecurity investments is not needed to encourage investment in cybersecurity measures and could lead to investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return.
Details of NOPR
Reflecting many of the features included in the FERC Staff white paper, the new NOPR would allow FERC-jurisdictional utilities to seek Commission approval, pursuant to section 205 of the Federal Power Act, of two types of incentives for cybersecurity investments: a rate of return adder of 200 basis points or deferred cost recovery for certain cybersecurity-related expenses.
Qualifying expenditures would be eligible for either, but not both, incentives. The total cybersecurity incentives requested would be capped at the top of the return on equity “zone of reasonableness” used by FERC to establish allowed equity returns for public utilities.
The incentives would be available for certain investments that voluntarily apply specific CIP reliability standards to facilities that are not subject to those requirements and/or implement standards and guidelines from the National Institute of Standards and Technology’s (NIST) voluntary framework for improving critical infrastructure cybersecurity.
Deferred cost recovery would be allowed for three categories of expenses: (1) expenses associated with third-party provision of hardware, software and computing networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments.
Prior or continuing costs would not be eligible for incentives. Deferred regulatory assets whose costs are typically expensed would be amortized over a five-year period.
Utilities seeking to implement the proposed incentives must obtain prior Commission approval, and the proposed rule would impose initial and annual reporting requirements.
Comments on the NOPR are due 60 days after publication in the Federal Register, with reply comments due 30 days later.