Utilities will be able to receive financial incentives for making certain cybersecurity investments and taking part in threat information sharing programs under a decision released Friday by the Federal Energy Regulatory Commission.
The rule, approved, 3-1, was required by the Infrastructure Investment and Jobs Act. It largely tracks a proposal issued in September, but the commission dropped a proposed 2% return on equity adder that was supported by investor-owned utilities.
“We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems,” FERC Acting Chairman Willie Phillips said in a statement.
Eligible cybersecurity investments include a list of pre-qualified investments that FERC expects to periodically update.
The initial pre-qualified list has two measures: expenditures associated with participating in the Department of Energy’s Cybersecurity Risk Information Sharing Program and expenditures related to internal network security monitoring within a utility’s cyber systems.
FERC will also consider incentives for investments case-by-case, allowing utilities to request incentives for tailored solutions, the agency said.
Utilities can also seek incentives for early compliance with new cybersecurity reliability standards.
Under the rule, utilities may defer expenses and include the unamortized portion in their rate bases, according to FERC. Approved incentives, with certain exceptions, will remain in effect for up to five years from the date expenses were incurred, provided that the investments remain voluntary, the agency said.
FERC will only grant the incentives to cyber investments that materially improve cybersecurity and are not required by the North American Electric Reliability Corp.’s Critical Infrastructure Protection reliability standards or by law.
FERC Commissioner James Danly dissented, saying the rules are too narrow as they don’t apply to utilities that sell power at market-based rates. There were about 2,500 market-based rate sellers in 2019, according to Danly.
Danly also objected to the requirement that utilities show their investments or participation in an information sharing program “materially improve” their cybersecurity.
“Instead of following Congress’ instructions, and taking this reliability threat seriously, the majority passes up the opportunity to harden the cybersecurity defenses of the nation’s critical energy infrastructure,” he said.