FERC provides additional details on incentives for advanced cybersecurity investments

The Federal Energy Regulatory Commission (FERC) announced this week that it is revising its regulations to offer incentive-based rate treatment for the transmission of electric energy in interstate commerce and the wholesale sale of electric energy by utilities. These investments will benefit consumers by encouraging utilities to invest in Advanced Cybersecurity Technology and participate in cybersecurity threat information-sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.

“In this final rule, the Federal Energy Regulatory Commission revises its regulations pursuant to section 219A of the Federal Power Act (FPA) to add subpart K, consisting of § 35.48, to our regulations to establish rules for incentive-based rate treatment for certain voluntary cybersecurity investments by utilities as described in this final rule,” the FERC said in a notice published in the Federal Register. “These rules make incentive-based rate treatment available to utilities that make voluntary cybersecurity investments in Advanced Cybersecurity Technology that enhance their security posture by improving their ability to protect against, detect, respond to, or recover from a cybersecurity threat and to utilities that participate in cybersecurity threat information sharing programs.”

The commission is issuing this final rule to comply with FPA section 219A(c). “This voluntary cybersecurity incentive-based rate treatment is for the purpose of benefitting consumers by encouraging cybersecurity investments in Advanced Cybersecurity Technology and in participation in cybersecurity threat information-sharing programs,” it added.

FERC said that it is establishing a regulatory framework for utilities to request incentive-based rate treatment for certain voluntary cybersecurity investments. Under this framework, the commission will:

  • identify the utilities permitted to request incentive-based rate treatment for cybersecurity investments; 
  • establish the criteria that the Commission will use to determine whether a cybersecurity investment is eligible to receive an incentive-based rate treatment; 
  • discuss the approaches that a utility may use to demonstrate that a cybersecurity investment satisfies the eligibility criteria;
  • explain the types of incentive-based rate treatments available for qualifying cybersecurity investments; 
  • set limits on the duration of the incentive-based rate treatment; 
  • describe what utilities must include in their applications for incentive-based rate treatment for cybersecurity investments; and 
  • establish the annual reporting requirements for utilities that receive incentive-based rate treatment for their cybersecurity investments. 

Section 40123 of the IIJA added section 219A to the FPA, directing the Commission to revise regulations to establish incentive-based rate treatments for electric energy transmission and wholesale sale. The move will benefit consumers by encouraging investments in Advanced Cybersecurity Technology and participation in cybersecurity threat information-sharing programs.

FPA section 219A(a) defines Advanced Cybersecurity Technology as a product or service, consisting of hardware, software, and cybersecurity services for IT and OT systems. These products include security information, event management systems, intrusion detection, anomaly detection, encryption tools, data loss prevention, forensic tools, incident response, imaging, network behavior analysis, access management, configuration management, anti-malware tools, user behavior analytic software, event logging, and access control, identification, authentication, and authorization control systems.

The Federal Register notice said that cybersecurity services may be either automated or manual and can include, but are not limited to, system installation and maintenance, network administration, asset management, threat and vulnerability management, training, incident response, forensic investigation, network monitoring, data sharing, data recovery, disaster recovery, network restoration, log analytics, cloud network storage, and any general cybersecurity consulting service.

Under FPA section 219A(a), Advanced Cybersecurity Technology Information may include, but is not limited to, plans, policies, procedures, specifications, implementation, configuration, manuals, instructions, accounting, financials, logs, records, and physical or electronic access lists related to or regarding the Advanced Cybersecurity Technology.

“FPA section 219A(g) states that Advanced Cybersecurity Technology Information that is provided to, generated by, or collected by the Federal Government under FPA section 219A subsections (b), (c), or (f) shall be considered to be critical electric infrastructure information under FPA section 215A,” the Federal Register notice said. “Utilities submitting to the Commission Advanced Cybersecurity Technology Information or other information they believe to be Critical Energy/Electric Infrastructure Information (CEII) must clearly indicate which portions of their filing contain CEII and provide public and non-public versions of the information pursuant to the Commission’s regulations.”

FPA section 219A(c) directs the Commission to identify incentive-based rate treatments that could support participation by public utilities in cybersecurity threat information-sharing programs, the notice said. “Utilities face barriers to participating in cybersecurity information sharing programs, such as the high costs associated with implementing monitoring technology and maintenance of sensor technology, the amount of time and effort required to share information, incurring fees to participate in cybersecurity threat information sharing programs, and concerns regarding the confidentiality of the information once shared.”

The Commission proposed to allow a utility granted a cybersecurity return on equity (ROE) incentive to receive that incentive until the earliest of: the conclusion of the depreciation life of the underlying asset; five years from when the cybersecurity investment(s) enter service; the time that the investment(s) or activities that serve as the basis of that incentive become mandatory pursuant to a Reliability Standard approved by the Commission, or local, State, or Federal law; or the recipient no longer meets the requirements for receiving the incentive.

The Commission recognized that incentive-eligible cybersecurity investments primarily include equipment or system modifications that typically have short depreciation lives, as opposed to long-lived assets like physical structures. The Commission believed that most cybersecurity incentives granted under this rulemaking would remain in effect until the conclusion of the depreciation life of the underlying asset. However, for investments with useful lives exceeding five years, the Commission proposed that the incentive end at the conclusion of five years from the time that the asset receiving the cybersecurity incentive entered service, noting that most IT investments feature useful lives no longer than five years. 

The Commission preliminarily found that five years is a reasonable expected life to encourage utilities to make an investment and to ensure just and reasonable rates. The Commission also sought comment on whether the proposed duration should be three years instead of five years. 

In order to ensure that a utility receiving incentive rate treatment has implemented the requirements of the incentive and to ensure that it continues to adhere to the requirements, the Commission proposed to require utilities to submit informational reports to the Commission for the duration of the incentive.

The Commission also proposed that a utility that has received cybersecurity incentives under this section must make an annual informational filing by June 1, provided that the utility has received Commission approval for the incentive at least 60 days prior to June 1 of that year, the Federal Register notice said. “Utilities that receive Commission-approval for an incentive later than 60 days prior to June 1 would be required to submit an annual informational filing beginning on June 1 of the following year.”

The Commission proposed that the annual filing should detail the specific investments, if any, as of that date, that were made pursuant to the Commission’s approval and the corresponding FERC account for which expenditures are booked. 

“For recipients of the Cybersecurity ROE Incentive, the Commission proposed that each annual informational filing should describe the parts of its network that it upgraded in addition to the nature and cost of the various investments,” the notice said. “For recipients of the Cybersecurity Regulatory Asset Incentive, the Commission proposed that each annual informational filing should describe such expenses in sufficient detail to demonstrate that such expenses are specifically related to the eligible cybersecurity investment underlying the incentives and not for ongoing services including system maintenance, surveillance, and other labor costs.”

The Federal Register notice said that information collection requirements contained in this final rule are subject to review by the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995 at 44 U.S.C. 3507(d). OMB’s regulations require approval of certain information collection requirements imposed by agency rules.

“Upon approval of a collection of information, OMB will assign an OMB control number and expiration date,” according to the notice. “Respondents subject to the filing requirements of this proposed rule will not be penalized for failing to respond to this collection of information unless the collection of information displays a valid OMB Control Number. This final rule establishes the Commission’s regulations with respect to the implementation of FPA section 219A.”

FERC also noted that it could conduct periodic verification to assess cybersecurity investments and expenses for which it has approved incentives. The Commission could perform such verifications through multiple means (i.e., directing further informational filings, audits, etc.). The Commission stated that the annual informational filings would inform the Commission on how and when any additional verification is warranted, the notice added.

The notice also said that “these regulations are effective [insert date 60 days from publication in Federal Register]. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ‘major rule’ as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996.”

In January, FERC called upon the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments. The move would affect high-impact bulk electric system (BES) cyber systems with and without external routable connectivity and medium-impact BES cyber systems with external routable connectivity.
