Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Regulation, Standards and Compliance
Risk & Compliance
Utilities: Energy & Power, Water, Waste

FERC authorizes incentive rate treatment for cybersecurity investments

April 21, 2023
FERC authorizes incentive rate treatment for cybersecurity investments

The Federal Energy Regulatory Commission (FERC) issued Thursday a final rule providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments. The rule follows Congress’ direction under the Infrastructure Investment and Jobs Act (IIJA) of 2021 that the Commission revise its regulations to establish incentive-based rate treatments to encourage utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs for the benefit of consumers. 

The FERC final rule comes after the September 2022 issue of a Notice of Proposed Rulemaking (NOPR) to establish rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments. The Commission also analyzes the participation of utilities in cybersecurity threat information-sharing programs.

“In today’s highly interconnected world, our nation’s security and economic well-being depend on reliable and cyber-resilient energy infrastructure,” Willie Phillips, FERC chairman, said in a media statement. “We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems.”

Set to take effect 60 days following publication in the Federal Register, the final rule largely tracks the September NOPR but includes some important additions. The Commission expanded the definition of eligible cybersecurity investments to include not only a pre-qualified list of cybersecurity investments but also those investments that are done on a case-by-case basis, allowing utilities to request incentives for a variety of solutions tailored to their specific situations. Additionally, FERC will allow utilities to seek incentives for early compliance with new cybersecurity reliability standards.

The final rule adopts the NOPR’s proposed requirement that expenditures materially improve a utility’s cybersecurity posture. It also adopts the proposal to allow deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base but does not adopt the proposed return on equity adder of 200 basis points. The rule also states that approved incentives, with certain exceptions, will remain in effect for up to five years from the date on which expenses are incurred, provided that the investments remain voluntary.

The IIJA had directed the Commission to revise its regulations to establish, by rule, incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by public utilities, by encouraging investments by public utilities in advanced cybersecurity technology and participation by public utilities in cybersecurity threat information sharing programs.

Last month, FERC published an order approving the proposed Reliability Standard CIP-003-9 put forward by the North American Electric Reliability Corporation (NERC) in December. The agency also approved the associated implementation plan, associated violation risk factors, violation severity levels, and the retirement of the currently effective Commission-approved Reliability Standard CIP-003-8 immediately prior to the effective date of Reliability Standard CIP-003-9.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
CISA declares winners of President’s Cup cybersecurity competition, with Artificially Intelligent team leading
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved