- The Federal Energy Regulatory Commission on June 18 issued a white paper contemplating transmission incentives for utilities making cybersecurity enhancements to the electric grid.
- One approach outlined in the framework would provide utilities a higher return on equity (ROE) for voluntarily applying certain Critical Infrastructure Protection (CIP) Reliability Standards to facilities that are not currently subject to those requirements.
- Security experts say an incentive-based approach could help spur security investments faster than standards, which are often slow to adapt. "The rate of change in technology and cybersecurity is quicker than what we can keep up with from a regulatory perspective," Tobias Whitney, vice president of energy security solutions at Fortress Information Security, told Utility Dive.
The North American Electric Reliability Corp. (NERC) oversees CIP standards for the power sector, but those can take years to develop and roll out. Technology and evolving grid threats move faster than that, say experts.
"Regulatory standards may not always be able to address some of today's emerging technology challenges," said Whitney, who spent six years working at NERC. The CIP standards create a baseline of security, but "giving the industry financial incentives to greatly exceed what is the bare minimum provides us a very good circumstance for utilities to use best practices."
The white paper asks stakeholders to address a range of questions, including whether a 200-basis point, project-specific ROE adder is "enough to materially incent cybersecurity investments that exceed the requirements of the CIP Reliability Standards."
And for non-ROE incentives, the white paper says "cybersecurity investments could be eligible for Construction Work in Progress, recovery of abandoned plant costs, and accelerated depreciation," some of the same incentives offered to projects under the commission's current electric transmission incentives policy.
Construction Work in Progress incentives allow an entity to record on its books the current costs related to long-term projects. Recovery of abandoned plant costs refers to the ability to recover some or all costs if the project is canceled for reasons beyond the entity's control. Accelerated depreciation would allow for greater tax deductions in the early years of an asset.
"Regulation has its place, but market incentives or financial incentives are also important for organizations," Phil Neray, vice president of IoT and industrial cybersecurity at security firm CyberX, told Utility Dive. Microsoft announced Monday that it had acquired CyberX in order to accelerate and secure customer deployments of connected devices.
"Sometimes the carrot is the better way to move industry than the stick," Neray said.
Most of NERC's CIP reliability standards apply to high and medium impact systems. The white paper contemplates ROE adders for utilities that voluntarily apply those same standards to lower-impact facilities.
"Adversaries that try to compromise a smaller substation in a rural area could still cause massive disruption," Neray said. "Anything that encourages utilities to put stricter security at all levels of infrastructure is a good thing."
FERC may also consider changes to accounting rules for some technology acquired as a service.
"To encourage investment in cybersecurity, the commission could consider allowing utilities to defer and amortize eligible costs that are typically recorded as expenses that are associated with third-party hardware, software, and computing and networking services over a shorter period (such as five years)."
Utilities with formula rates can recover costs related to security and reliability, including software, as expenses through those rates. FERC also accepted utility proposals to recover security costs as part of utilities' stated rates. The white paper suggests the commission could consider allowing a utility to defer certain costs that have traditionally been characterized and recovered through rates as expenses.
The changes could give a boost to utility investments in cloud-based security, said Whitney.
"Cloud technologies have not been adopted by industry and that is one of the unfortunate challenges we face when managing CIP compliance," Whitney said. "The use of cloud technologies creates quite a few challenges from a regulatory perspective." However, he said they can also improve a utility's ability "to more effectively manage large-scale assets at a lower cost point than what you would potentially have internally."
The white paper opens a 60-day comment period, with reply comments due 15 days later.
The potential incentives are "very early in the development stage," Whitney noted, but could significantly improve grid security. "I like the combination of providing some level of standardization, but also providing an incentive to go beyond that."