The Federal Energy Regulatory Commission (FERC) recently moved to strengthen its cybersecurity framework for bulk power systems with a proposal that would let public utilities secure incentive-based rate treatment for voluntary cybersecurity investments that go beyond the mandatory Critical Infrastructure Protection (CIP) Reliability Standards.
The Notice of Proposed Rulemaking (NOPR) recognizes that the energy sector faces numerous and complex cybersecurity challenges at a time of both great change in the operation of the transmission system and an increase in the number and nature of attack methods, FERC said. These increasing risks create challenges in defending the digitally interconnected components of the grid from cyber exploitation.
In June 2020, Commission staff issued a white paper to explore a new framework for providing transmission incentives to public utilities for investments that produce significant cybersecurity benefits for actions taken that exceed the requirements of the CIP Reliability Standards. They also sought comment on an incentive-based framework that could encourage public utilities to adopt best practices to protect their own transmission systems and improve grid security.
Such a framework would allow the electric industry to be more agile in monitoring and responding to new and evolving cybersecurity threats, to identify and respond to a variety of threats, and to address threats with comprehensive and more effective solutions.
The proposed cybersecurity incentives framework would motivate a public utility to adopt cybersecurity practices that would not only better protect its own systems, but also improve the cybersecurity of the bulk power system, according to FERC.
The CIP Reliability Standards currently consist of 12 standards specifying a set of requirements that entities must follow to ensure the cyber and physical security of the bulk power system. There are currently ten effective cybersecurity standards, and one cybersecurity standard that has been approved by the Commission and becomes enforceable on Jul. 1, 2022, FERC said. There is also one physical security standard, which is not the subject of this NOPR.
The incentives would be available for certain investments that voluntarily apply specific CIP Reliability Standards to facilities that are not subject to those requirements and/or implement standards and guidelines from the National Institute of Standards and Technology’s (NIST) voluntary framework for improving critical infrastructure cybersecurity.
NIST is a part of the U.S. Department of Commerce that advances measurement science, standards and technology. The NIST framework was designed to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.
The draft NOPR would allow a public utility to request incentives using any combination of the two proposed approaches. Under the draft NOPR, a public utility that makes cybersecurity investments consistent with the two approaches would be eligible either to apply for a 200 basis-point adder to the return on equity for eligible cybersecurity capital investments (referred to as the cybersecurity ROE incentive), or to seek deferred cost recovery for certain expenses related to cybersecurity investments (referred to as the Regulatory Asset Incentive).
The draft NOPR also states that public utilities would have to obtain Commission approval before receiving either incentive, and would be required to make an annual informational filing, FERC said.
Deferred cost recovery would be allowed for three categories of expenses: expenses associated with third-party provision of hardware, software and computing networking services; expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments, according to FERC.
Prior or continuing costs would not be eligible for incentives, and deferred regulatory assets whose costs are typically expensed would be amortized over a five-year period. Public utilities seeking to implement the proposed incentives must obtain prior Commission approval, and the proposed rule would impose initial and annual reporting requirements.
Comments on the NOPR are due 60 days after publication in the Federal Register, with reply comments due 30 days later.
In March, FERC posted a notice of inquiry to the Federal Register inviting comments on the potential benefits and risks associated with the use of virtualization and cloud computing services in association with bulk electric system operations. It also sought to determine whether barriers exist in the Commission-approved CIP Reliability Standards that impede the voluntary adoption of virtualization or cloud computing services.