- The Federal Energy Regulatory Commission is proceeding with a plan to offer incentives to utilities making cybersecurity investments that exceed mandatory Critical Infrastructure Protection (CIP) reliability standards. The commission published a Notice of Proposed Rulemaking (NOPR) in the Feb. 5 Federal Register.
- The incentives may help secure the electric grid in the near term, but some experts say having ratepayers continuously fund security upgrades is an untenable approach to a growing threat.
- FERC's proposal is "better than nothing, but it doesn't address the big problem. The demands on utilities are increasing all the time," said Tom Alrich, a CIP compliance consultant.
Similar to how the military is funded, cybersecurity is a national issue and the federal government needs to spend broadly to secure the electric grid, said Alrich.
Hackers are becoming more sophisticated, and "the idea you're going to get the ratepayer to pay more and more all the time in order to keep their local utility safe and running is just not realistic," he continued.
Alrich pointed to the sophistication involved in the SolarWinds hack as evidence utilities are struggling to keep pace with threats. He said security concerns need to be addressed holistically, and the proposed incentives would only benefit a few dozen utility companies. A broader federal approach, however, would likely require Congressional action, he said.
"The grid is a national resource. It needs to be protected as such, and it needs to be protected on a national level," Alrich said. "Utilities still have to kick in their share but I think the federal government has to step in and start financing some of these things."
In addition, many utilities are not subject to FERC's jurisdiction, so experts say the proposed incentives would be limited.
"FERC, statutorily, can't offer incentives to a lot of utilities because they are not subject to the commission's ratemaking authority," said J. Daniel Skees, a partner at law firm Morgan Lewis.
FERC originally issued the NOPR in December, but it was not published in the Federal Register until this month. Skees said such a delay is not unusual.
"Because it's not going to be a huge change and it is driving some good decision making, I think it's definitely still good policy. But the fact is, FERC can't apply it as broadly as they'd like," Skees said. "You can have one utility doing a fantastic job, but the grid is only as secure as its weakest link."
Cindy Bogorad, attorney for the Transmission Access Policy Study Group (TAPS) and a partner at Spiegel & McDiarmid, said utilities are already making investments in security and the proposed incentives will add limited value. TAPS represents entities largely dependent on transmission facilities owned by others, and they have previously said existing cost recovery policies make cybersecurity projects attractive, low-risk investments.
TAPS is still developing its formal position on the NOPR, said Bogorad, and recognizes security is a "big deal and a growing concern. But it's not clear to us that adding cybersecurity incentives to the cyber related costs consumers bear is necessarily going to prompt utilities to invest."
The NOPR includes two types of incentives for utilities: a 200 basis-point adder to the rate of return on equity for security upgrades, and deferred cost recovery for certain cybersecurity-related expenses. Those expenses include: third-party provision of hardware, software and computing networking services; training to implement new cybersecurity enhancements; and other implementation expenses including system assessments by third parties or internal system reviews. Deferred recovery can provide an incentive for utilities to take on projects when their current rate structure would not allow them to recoup those costs.
CIP rules use a tiered approach to categorize assets on the bulk power system as high, medium or low impact facilities, with more stringent security requirements for larger facilities. The proposed incentives would allow a utility to claim the ROE adder for voluntarily applying more stringent standards to lower-impact facilities. But TAPS questions whether that is efficient or necessary.
Large electric grid control centers are considered high impact, coordinating resources 3,000 MW in aggregate or larger. Medium facilities, which begin at 1,500 MW, include some smaller control centers, ultra-high voltage transmission, and large substations and generating facilities. Everything else on the bulk power system is low impact, according to the NOPR.
Applying all medium CIP standards to low impact assets "would be ineffective and expensive," said Bogorad. "Medium standards are really devised and developed to mitigate cyber risk for a limited set of facilities."
Initial comments on the NOPR are due 60 days after publication in the Federal Register, and reply comments are due 30 days later.