A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.
Actually rate payers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible. Possible methods of payment include:
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:
- Absorbing the costs to their businesses and their lives associated with brown outs or black outs or electricity quality issues stemming from successful attacks on control centers or systems
- Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
- Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.
Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.