latest-news-headlines Market Intelligence /marketintelligence/en/news-insights/latest-news-headlines/for-some-ferc-s-proposed-cybersecurity-incentives-framework-misses-the-mark-60091452 content
Log in to other products

Login to Market Intelligence Platform

 /


Looking for more?

Contact Us

Request a Demo

You're one step closer to unlocking our suite of comprehensive and robust tools.

Fill out the form so we can connect you to the right person.

If your company has a current subscription with S&P Global Market Intelligence, you can register as a new user for access to the platform(s) covered by your license at Market Intelligence platform or S&P Capital IQ.

  • First Name*
  • Last Name*
  • Business Email *
  • Phone *
  • Company Name *
  • City *
  • We generated a verification code for you

  • Enter verification Code here*

* Required

Thank you for your interest in S&P Global Market Intelligence! We noticed you've identified yourself as a student. Through existing partnerships with academic institutions around the globe, it's likely you already have access to our resources. Please contact your professors, library, or administrative staff to receive your student login.

At this time we are unable to offer free trials or product demonstrations directly to students. If you discover that our solutions are not available to you, we encourage you to advocate at your university for a best-in-class learning experience that will help you long after you've completed your degree. We apologize for any inconvenience this may cause.

In This List

For some, FERC's proposed cybersecurity incentives framework misses the mark

Essential Energy Insights - September, 2020

Bull market leaves US utilities behind in August

Rate case activity slips, COVID-19 proceedings remain at the forefront in August

Utilities, midstream reckon with energy transformation on the horizon


For some, FERC's proposed cybersecurity incentives framework misses the mark

A white paper from Federal Energy Regulatory Commission staff on potential cybersecurity incentives policy, or CIP, drew a healthy dose of criticism from municipal utilities, electric cooperatives and state utility regulators that questioned the benefits consumers would receive from what the groups viewed as indiscriminate rate increases in the name of cybersecurity.

While the proposal generally drew support from the transmission group WIRES, the Edison Electric Institute's investor-owned utilities and the grid-security advocacy group Protect Our Power, other entities commended the sentiment and desire to promote prudent utility investment in measures to mitigate cybersecurity risks but found flaws with the proposed execution of that plan.

The American Public Power Association, National Rural Electric Cooperative Association, or NRECA, California Public Utilities Commission, California Department of Water Resources, New Jersey Board of Public Utilities and Maryland Public Service Commission filed comments voicing concerns with the proposal's cost-effectiveness and ability to encourage the cybersecurity practices needed to protect the grid.

The staff white paper (FERC docket AD20-19), issued June 18, explored transmission incentives FERC could put in place to motivate utility spending on security protocols above and beyond the mandatory critical infrastructure protection requirements crafted and enforced by the North American Electric Reliability Corp.

Commission staff looked at two potential approaches to encourage investment. One envisioned FERC providing a return-on-equity incentive to utilities that voluntarily apply the CIP requirements for medium- or high-impact bulk electric system cyber systems to low-impact systems, while the other would have FERC grant ROE incentives to utilities that implement certain security controls included in the National Institute of Standards and Technology's, or NIST's, Cybersecurity Framework.

Industry, state concerns

The American Public Power Association, or APPA, said the cybersecurity incentive proposals in the white paper were neither necessary nor appropriate to promote investment. "Awarding incentives as outlined in the white paper could prompt public utilities to undertake programs that may provide little cybersecurity return on investment while increasing costs to already over-burdened transmission customers," the group said.

Of greatest concern was the white paper's assumption that generic application of CIP reliability standards to lower-impact bulk electric system, or BES, cyber systems or broad adoption of NIST Framework security controls would result in a meaningful increase in cybersecurity, the APPA said.

The APPA also suggested that the power industry is already sufficiently motivated to avoid cybersecurity breaches without the adoption of new incentives or cost recovery mechanisms. Further, "it is not clear that … the proposed 200 basis point ROE adder would prompt public utilities to make the investments that the white paper describes," the APPA said.

The NRECA similarly expressed concern that the approaches outlined would not achieve the desired results, adding that they could inadvertently divert finite utility resources away from systems that pose the greatest risks if attacked, in pursuit of a greater ROE by investing in facilities that may have little or no effect on overall grid reliability and security.

And "because an ROE adder incents investment and not [for instance] the hiring of personnel, utilities may not make the most efficient use of their resources, diminishing the impact of those resources on security of the BES," the NRECA said.

Comments from state agencies stressed the potential rate impacts on consumers with little assurances that the higher transmission costs would translate into adaptable cybersecurity practices resulting in significant consumer benefits.

The New Jersey Board of Public Utilities said it had reservations about the legality of the proposals in the white paper as they appear to undermine NERC's role as the creator of reliability standards, raise consumer costs to unjust and unreasonable levels, and impose resilience measures under a statute whose scope is limited to reliability.

'Sensible approaches'

Protect Our Power applauded "the sensible approaches suggested in the staff white paper" and pitched three other potential approaches to encourage "utilities to do much more than simply meet that bare technical baseline" the CIP standards established.

Those would entail making voluntary investments in cybersecurity best practices presumptively eligible for incentives, allowing preapproval of comprehensive, one- or two-year cybersecurity investment plans whose costs could be recovered from rates if implemented, and authorizing cross-utility collaboration on cyber activities and investments that take advantage of economies of scale, partnerships or pooling of resources between non-affiliated utilities.

The group also called on FERC to convene a technical conference to further explore the development of a cybersecurity incentives framework and application process.

WIRES noted recent estimates of a 35% jump in cyberattacks on the grid since the coronavirus pandemic forced much of the electric-sector workforce to work from home.

The trade group said it supported both the ROE and non-ROE incentives envisioned in the white paper and offered some improvements, such as allowing the capitalization of costs that have historically been expensed or alternatively allowing the creation of regulatory assets, to ensure the incentives have the desired impact.

Jasmin Melvin is a reporter with S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.