Looking to mitigate a financial disadvantage imposed on a small subset of resources deemed critical to maintaining grid reliability, ISO New England has proposed a mechanism that would allow these resources to recover costs tied to their compliance with more stringent cybersecurity requirements.

ISO-NE designates certain generation and transmission facilities within its region as "critical to the derivation of interconnection reliability operating limits (IROL)," which must be maintained to avoid instability, uncontrolled separation and cascading outages on the bulk electric system.

These facilities must comply with the North American Electric Reliability Corp.'s critical infrastructure protection standards for medium-impact BES cyber systems — higher standards that carry with them higher compliance costs.

As such, ISO-NE determined a mechanism was needed to address this financial disadvantage relative to similar facilities that compete in the New England wholesale power markets but do not carry the IROL-critical designation.

"With this proposal, the ISO is providing a simple mechanism that owners of IROL-critical facilities ... may use to recover commission-approved incremental costs to comply with NERC [critical infrastructure protection, or CIP] standards' requirements for medium-impact assets," the grid operator said in a Jan. 6 filing to FERC. It added that its proposal was in line with "long-standing policy to enable the recovery of prudently incurred, reliability-related costs."

Currently, 27 generation units at 15 plant locations and one merchant transmission facility are designated as IROL-critical facilities. ISO-NE reviews these designations annually, or more frequently if significant system changes warrant.

Under the proposed IROL-CIP cost recovery rules, eligible facility owners would submit Federal Power Act Section 205 filings to FERC requesting approval of the incremental costs of complying with NERC CIP requirements for medium-impact assets — that is, costs paid in excess of charges incurred to meet standards for low-impact systems.

A FERC order accepting those incremental costs would then prompt ISO-NE to allocate and collect those costs from transmission customers and disburse those funds to the pertinent IROL-critical facilities.

The proposed cost-recovery mechanism would be reflected in a new Schedule 17 added to ISO-NE's tariff.

Eligible costs

ISO-NE sought an engineering firm's expertise in identifying the categories of costs commonly observed as necessary to support a cybersecurity program for medium-impact bulk electric system cyber systems.

The proposal lays out direct-cost primary categories that include facility staff labor; compliance staff labor; other labor; equipment costs; software/license, maintenance, support and upgrade costs; outside services and fees; physical improvement costs; and production, printing and shipping costs. It also provides an "other" category to capture lodging, food, transport, administrative, regulatory and other costs directly or indirectly associated with compliance.

The proposal also offers a prefiling construct "designed to provide interested parties an opportunity to meaningfully review and understand an IROL-critical facilities owner's IROL-CIP costs before they are filed with the commission for approval," ISO-NE said.

The grid operator said that feature "was of significant import to stakeholders" because "having this upfront opportunity to review and understand proposed IROL-CIP costs may help to avoid or minimize expensive and protracted litigation of individual Section 205 filings before the commission."

ISO-NE is seeking a March 6 effective date for the new cost-recovery mechanism. (FERC docket ER20-739)

Jasmin Melvin is a reporter with S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.