On December 17, 2020, the United States Federal Energy Regulatory Commission (FERC) proposed new incentives for qualifying cybersecurity investments by public utilities.
In the related Notice of Proposed Rulemaking (NOPR), FERC proposed a cybersecurity incentives framework that encourages public utilities to undertake, on a voluntary basis, cybersecurity investments that go above and beyond the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Reliability Standards (CIP Reliability Standards), thereby better ensuring secure service for ratepayers and enhancing the cybersecurity posture of the Bulk-Power System (BPS)1.
Notably, the new incentives are not only for investment in transmission facilities but also for certain cybersecurity investments in the information technology and operational technology networks that a public utility uses to provide other FERC-jurisdictional services. The incentives are proposed under sections 205 and 206 of the Federal Power Act (FPA), which, as FERC notes in the NOPR, provide broader authority than section 219 of the FPA; that authority is nonetheless still subject to the requirement that the affected rates are and remain just and reasonable and not unduly discriminatory or preferential.
In the NOPR, FERC proposes two different approaches.
First, FERC proposes to add §35.48(b)(1) to FERC’s regulations to provide that a public utility may receive incentive rate treatment for voluntarily applying identified CIP Reliability Standards to facilities that are not currently subject to those requirements (NERC CIP Incentives Approach).
Second, FERC proposes to add §35.48(b)(2) to FERC’s regulations to provide that a public utility may receive incentive rate treatment for implementing certain security controls included in the NIST Framework2 (NIST Framework Approach).
The NERC CIP Incentives Approach
FERC proposes two separate incentives under the NERC CIP Incentives Approach.
First, FERC proposes to add §35.48(b)(1)(i) to FERC’s regulations to allow a public utility to receive incentive rate treatment for voluntarily applying the requirements for medium- or high-impact systems to low-impact systems and/or the requirements for high-impact systems to medium-impact systems (Med/High Incentive).
Second, FERC proposes to add §35.48(b)(1)(ii) to FERC’s regulations to allow a public utility to receive incentive rate treatment for voluntarily ensuring that all external routable connectivity to and from its low-impact systems connects through a high- or medium-impact BES Cyber System (Hub-Spoke Incentive).
The NIST Framework Approach
While the NIST Framework contains many types of security controls, FERC limits eligibility for cybersecurity incentives to the types of controls that are most likely to provide a significant benefit to the cybersecurity of FERC-jurisdictional transmission facilities, not just the Bulk Electric System (BES).
In an earlier white paper3, FERC staff had identified five types of security controls included in the NIST Framework that may be considered for incentives under the NIST Framework Approach: (1) automated and continuous monitoring; (2) access control; (3) data protection; (4) incident response; and (5) physical security of cyber systems. Commission staff also acknowledged that, given the continuous and rapid changes in cybersecurity risks, the Commission may need to periodically update the types of security controls eligible for incentives.
However, in proposing the NIST Framework Approach, FERC states that it will initially consider incentives only for the first type of security control, i.e., automated and continuous monitoring, while noting that it may consider additional security control types in the future.
ROE and Regulatory Asset Incentives
Under the NOPR, FERC proposes two separate and distinct incentives4—namely, a return on equity (ROE) adder and a regulatory asset for certain capital investments and expenses that go above and beyond the CIP Reliability Standards.
First, FERC proposes to add §35.48(c)(1) to FERC’s regulations to allow a public utility that makes eligible cybersecurity capital investments, as described above, to request an ROE adder of 200 basis points (Cybersecurity ROE Incentive) on those investments; the ROE adder applies only to eligible capital investments, not to the expensed costs that would instead be eligible for the Regulatory Asset Incentive described next.
Second, FERC proposes to add §35.48(c)(2) to the Commission’s regulations to allow a public utility to seek deferred cost recovery of certain cybersecurity costs that are generally expensed as incurred and to treat them as regulatory assets, while also allowing such regulatory assets to be included in transmission rate base (Regulatory Asset Incentive).
Under the NOPR, only three categories of expenses would be eligible for the Regulatory Asset Incentive: (1) expenses associated with third-party provision of hardware, software and computing and networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as system assessments by third parties or internal system reviews and initial responses to findings of such assessments. In all such cases, eligible costs are limited to costs associated with implementing cybersecurity upgrades and do not include ongoing costs, such as system maintenance, surveillance and other labor costs, whether in the form of employee salaries or third-party service contracts.
Possible Additional Incentives
While the NOPR specifically proposes only the Cybersecurity ROE Incentive and the Regulatory Asset Incentive, FERC states that other incentives, such as construction work in progress, may be warranted to encourage investment in cybersecurity if adequately supported. Accordingly, to preserve flexibility for other types of incentives, FERC also proposes to add §35.48(c)(3) to FERC’s regulations, allowing FERC to grant a public utility any other incentive that FERC deems just and reasonable and not unduly discriminatory or preferential for investments undertaken under the proposed rule.
Incentivizing additional cybersecurity investment to protect the BPS seems unlikely to be controversial, especially at a time when there are reports of sophisticated hacking into critical infrastructure and systems; however, we cannot help but wonder whether and, if so, when such additional investments (i.e., those above and beyond what the CIP Reliability Standards require) may be determined not to be just and reasonable and thus ineligible for the proposed incentives.
1 BPS is defined in section 215 of the FPA as “facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof), and electric energy from generation facilities needed to maintain transmission system reliability.” The term does not include facilities used in the local distribution of electric energy.
2 The current National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, version 1.1 (April 16, 2018), available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
4 The incentives would be collected through cost-of-service rates. Some transmission companies that collect negotiated rates not based on the Uniform System of Accounts (18 C.F.R. Part 101) might not be eligible to charge cost-of-service rates, and the applicability of the incentive mechanism to those entities is not yet clear.