Consumer advocacy group Public Citizen filed a protest with the Federal Energy Regulatory Commission (FERC) on Tuesday over Duke Energy's request to recover $137.4 million in capital investments from ratepayers for cybersecurity upgrades.
The timing of Duke's request has raised suspicions, given that the North Carolina utility earlier this year received a $10 million fine from the North American Electric Reliability Corporation (NERC) for cybersecurity violations, the highest on record for a utility.
The utility's request for allowance for funds used during construction for its Cybersecurity Informational Technology-Operational Technology (IT-OT) program "is not related to NERC-CIP compliance," according to Catherine Butler, Duke corporate communications. "We look forward to working collaboratively with FERC to help them understand the importance of these investments and how to best manage the costs."
Public Citizen hopes its protest will provide clarity surrounding the authorization of Duke's cybersecurity expenses and shine a light on the relationship between the utility's rate-recovery request and its record-breaking NERC fine. Tyson Slocum, the director of Public Citizen's Energy Program, described Duke's failure to clearly establish the authority under which it seeks to recover the investment as "alarming."
The watchdog group also wants FERC to scrutinize these types of requests more skeptically, especially given Duke's poor track record when it comes to the oversight of its cybersecurity initiatives, Slocum told Utility Dive.
"I'm not opposed to rate recovery for prudent cybersecurity needs," Slocum said. "I just don't understand where the authorization for this came from. And I'm uncomfortable with having ratepayers pay the bill for significant cybersecurity capital expenses when I'm not confident that Duke Energy is in a position to effectively manage that program."
On March 13, Duke Energy filed a request for approval with FERC in which it seeks to recover $137.4 million in capital investments from ratepayers for its cybersecurity IT-OT program. This program is focused on protecting hardware and software to address threats to the "safety, reliability and security systems at power plants, T&D infrastructure and more," as well as the IT areas of Duke's operational environments, according to Butler.
"Our cybersecurity initiatives directly benefit our customers and communities. We believe we should be able to accrue the financing costs for large cybersecurity projects – similar to other major capital investments – and include these expenses in the overall cost of service," Butler said in an e-mail to Utility Dive. "The intended benefits of the program will be recognized at the completion of installation – similar to when a power plant comes online or a transmission line is energized."
This request has raised concerns at Public Citizen, given that in January, the Charlotte, North Carolina-based utility agreed to pay the largest cybersecurity-related penalty in history.
"We've got concerns that there might be a relationship here between the mitigation plan as required under the NERC Notice of Penalty and Duke's rate recovered request," Slocum said. "If there is a relationship, we have significant concerns that ratepayers should not be paying for a mitigation plan that results from management failures at compliance. If Duke has to undertake spending to address noncompliance, it should be a cost borne by its shareholders, not by its rate base."
Butler denied a relationship between the March filing for the fund recovery and its compliance with NERC.
The North Carolina Utilities Commission did not respond to Utility Dive's request for comment.
Public Citizen, which regularly comments on FERC dockets, said this is the first time it has come across a rate-recovery request for cybersecurity expenses at the federal agency. Normally, these types of requests are handled at the state level.
According to its protest filing, Public Citizen interviewed regulatory staff in at least two of the states impacted by Duke's cybersecurity request.
"Neither had any knowledge of this docket, or of Duke's Cybersecurity IT-OT plan," the filing said.
Slocum attributes this lack of knowledge at the state level to the fact that FERC is not proactively reaching out to state commissions, state consumer advocates and other potentially interested parties to notify them about the potentially important proceeding.
As part of its settlement with NERC, Duke agreed to increase specified training, oversight, restructuring of roles and addition of management and compliance tools.
"Duke Energy makes cyber security a top priority and is strongly committed to comprehensive, multi-layered cyber security measures designed to protect power plants and the electric grid," Duke spokesperson Dave Scanzoni said in a February email.
This article has been updated to include comments from Duke.