A white paper from Federal Energy Regulatory Commission staff on potential cybersecurity incentives policy, or CIP, drew a healthy dose of criticism from municipal utilities, electric cooperatives and state utility regulators that questioned the benefits consumers would receive from what the groups viewed as indiscriminate rate increases in the name of cybersecurity.

While the proposal generally drew support from the transmission group WIRES, the Edison Electric Institute's investor-owned utilities and the grid-security advocacy group Protect Our Power, other entities commended the sentiment and desire to promote prudent utility investment in measures to mitigate cybersecurity risks but found flaws with the proposed execution of that plan.

The American Public Power Association, National Rural Electric Cooperative Association, or NRECA, California Public Utilities Commission, California Department of Water Resources, New Jersey Board of Public Utilities and Maryland Public Service Commission filed comments voicing concerns with the proposal's cost-effectiveness and ability to encourage the cybersecurity practices needed to protect the grid.

The staff white paper (FERC docket AD20-19), issued June 18, explored transmission incentives FERC could put in place to motivate utility spending on security protocols above and beyond the mandatory critical infrastructure protection requirements crafted and enforced by the North American Electric Reliability Corp.

Commission staff looked at two potential approaches to encourage investment. One envisioned FERC providing a return-on-equity incentive to utilities that voluntarily apply the CIP requirements for medium- or high-impact bulk electric system cyber systems to low-impact systems, while the other would have FERC grant ROE incentives to utilities that implement certain security controls included in the National Institute of Standards and Technology's, or NIST's, Cybersecurity Framework.

Industry, state concerns

The American Public Power Association, or APPA, said the cybersecurity incentive proposals in the white paper were neither necessary nor appropriate to promote investment. "Awarding incentives as outlined in the white paper could prompt public utilities to undertake programs that may provide little cybersecurity return on investment while increasing costs to already over-burdened transmission customers," the group said.

Of greatest concern was the white paper's assumption that generic application of CIP reliability standards to lower-impact bulk electric system, or BES, cyber systems or broad adoption of NIST Framework security controls would result in a meaningful increase in cybersecurity, the APPA said.

The APPA also suggested that the power industry is already sufficiently motivated to avoid cybersecurity breaches without the adoption of new incentives or cost recovery mechanisms. Further, "it is not clear that … the proposed 200 basis point ROE adder would prompt public utilities to make the investments that the white paper describes," the APPA said.

The NRECA similarly expressed concern that the approaches outlined would not achieve the desired results, adding that they could inadvertently divert finite utility resources away from systems that pose the greatest risks if attacked, in pursuit of a greater ROE by investing in facilities that may have little or no effect on overall grid reliability and security.

And "because an ROE adder incents investment and not [for instance] the hiring of personnel, utilities may not make the most efficient use of their resources, diminishing the impact of those resources on security of the BES," the NRECA said.

Comments from state agencies stressed the potential rate impacts on consumers with little assurances that the higher transmission costs would translate into adaptable cybersecurity practices resulting in significant consumer benefits.

The New Jersey Board of Public Utilities said it had reservations about the legality of the proposals in the white paper as they appear to undermine NERC's role as the creator of reliability standards, raise consumer costs to unjust and unreasonable levels, and impose resilience measures under a statute whose scope is limited to reliability.

'Sensible approaches'

Protect Our Power applauded "the sensible approaches suggested in the staff white paper" and pitched three other potential approaches to encourage "utilities to do much more than simply meet that bare technical baseline" the CIP standards established.

Those would entail making voluntary investments in cybersecurity best practices presumptively eligible for incentives, allowing preapproval of comprehensive, one- or two-year cybersecurity investment plans whose costs could be recovered from rates if implemented, and authorizing cross-utility collaboration on cyber activities and investments that take advantage of economies of scale, partnerships or pooling of resources between non-affiliated utilities.

The group also called on FERC to convene a technical conference to further explore the development of a cybersecurity incentives framework and application process.

WIRES noted recent estimates of a 35% jump in cyberattacks on the grid since the coronavirus pandemic forced much of the electric-sector workforce to work from home.

The trade group said it supported both the ROE and non-ROE incentives envisioned in the white paper and offered some improvements, such as allowing the capitalization of costs that have historically been expensed or alternatively allowing the creation of regulatory assets, to ensure the incentives have the desired impact.

Jasmin Melvin is a reporter with S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.