- Energy stakeholders were divided in comments filed last week on a Federal Energy Regulatory Commission white paper that considered a higher return on equity (ROE) for voluntarily applying certain Critical Infrastructure Protection (CIP) Reliability Standards to facilities that are not currently subject to those requirements.
- Investor-owned utility group Edison Electric Institute argued in favor of federal transmission incentives for voluntary security enhancements to the electric grid in Aug. 17 comments, noting that proactive investments are "necessary to keep pace with evolving cybersecurity and physical threats."
- Transmission customers and some state regulators are not in favor of the proposal, however. A group of transmission-dependent utilities told the commission that the proposed incentives "will increase consumer costs without necessarily providing any new security benefits."
Opinions on new transmission incentives largely hinge on whether a party stands to profit or pay for the enhanced security measures. But whichever way FERC goes, experts say the federal government will almost certainly take some action to boost grid resilience.
"There aren't a whole lot of issues that seem like they're bipartisan," said Morgan Lewis partner J. Daniel Skees, who regularly represents electric utilities. "But regardless of what happens in November, this is one of those areas where we would expect FERC to march forward without interruption."
FERC's consideration of transmission incentives for security upgrades is just one of several initiatives designed to boost grid security. The commission is also considering whether CIP standards adequately address cybersecurity risks pertaining to data security, detecting anomalies and events, and mitigating cybersecurity vulnerabilities.
And the White House and U.S. Department of Energy are considering ways to limit the installation of bulk power system equipment sourced from foreign adversaries.
"We're at a point now where all of the different federal agencies are looking at tools in their toolboxes to see what they can do," said Skees. "FERC has both a carrot and stick approach. Traditionally they have relied very heavily on the stick."
New transmission incentives would represent a change in that approach, said Skees. "Initial comments filed so far suggest that there is an appreciation for the idea that FERC is looking to see if they can use some carrot rather than just more stick," he said.
Security experts say new incentives may be necessary to combat growing threats to the grid.
"Regulation has its place, but market incentives or financial incentives are also important for organizations," said Phil Neray, vice president of IoT and industrial cybersecurity at security firm CyberX, which is owned by Microsoft. "Sometimes the carrot is the better way to move industry than the stick."
Ratepayers urge caution over new incentives
That doesn't mean regulators and the industry will not move cautiously, however. Ratepayer advocates, said Skees, will want to ensure the incentives are necessary and amount to more than the federal government handing utilities money. Stakeholders want to ensure the program does not become "a financial handout to any utility that can come up with something they think will enhance cybersecurity," he said.
According to the Transmission Access Policy Study Group (TAPS), which represents entities across almost three dozen states that are largely dependent on transmission facilities owned and controlled by others, FERC's recovery policies already make cybersecurity projects attractive, low-risk investments.
The commission's white paper "ignores evidence ... demonstrating that transmission owners are already making above-and-beyond cybersecurity investments using the current cost recovery mechanisms," TAPS said. "Transmission owners must not be eligible for cybersecurity incentives for investments they would otherwise have made."
The California Public Utilities Commission, representing the state's electric consumers, also urged FERC not to adopt further incentives. The state body argued federal regulators should "instead explore approaches to strengthening the cybersecurity posture of the grid without increasing transmission rates above a just and reasonable level, in particular by collaborating with state regulators."
Likewise, Maryland regulators warned FERC against providing additional incentives when the existing National Institute of Standards and Technology (NIST) framework for security controls could be more extensively applied to bulk electric system (BES) equipment.
"Fully applying the NIST Framework to the Reliability Standards, as originally intended, could bring the cyber security benefits and enhanced BES reliability the White Paper seeks without the need for costly investment incentives," the Maryland Public Service Commission said in its comments.
Regulated utilities support further incentives
Transmission owners, however, see potential gains in the commission's consideration of a 200-basis point, project-specific return on equity for some cybersecurity investments.
The higher return "is reasonable given the relatively low expenditure amounts associated with cybersecurity investments and the fact that these investments are recovered over a short period of time," EEI said in its comments.
Transmission owners in the Midcontinent ISO market also encouraged FERC to consider incentives for cybersecurity investment "that allow recovery of prudent cybersecurity costs through capitalization of items that otherwise would be expensed."
The MISO transmission owners said they also encourage the commission to "adopt incentive reporting requirements that reflect the preventative nature of cybersecurity investment and ensure the protection of critical system information."
The groups' positions make sense, according to Skees.
"You can make more money as a regulated entity if you can come up with a good cybersecurity proposal," said Skees. "If you really want to incentivize something, you have to give an opportunity to make a profit." What the FERC staff proposed basically says, "if you're willing to go above and beyond, we will give you a new mechanism to make money."
But exactly what that form the incentives could take "is a little up in the air," said Skees. And the timing is somewhat unclear, he added. FERC could issue a policy statement on how utilities can come in and make requests. If the commission wants to adopt new regulations, it will need to go through a traditional notice and comment process.
"I would expect sometime over next 12 to 18 months utilities will probably have the opportunity to start coming in with initial proposals," said Skees.