Policies to create financial incentives and expand cost recovery mechanisms for energy infrastructure security investments would burden consumers with higher costs without significantly bolstering the U.S. power and natural gas sectors' resilience to cyber and physical threats, according to industrial electricity consumers and a Midwest utility.
But one of the nation's largest natural gas industry groups said the Federal Energy Regulatory Commission should support financial incentives for "prudent" cybersecurity investments while also arguing that states should ensure that cost recovery options exist for expenses related to participating in voluntary federal programs.
Meanwhile, an advocacy organization told FERC that relying on utilities to self-report cybersecurity violations is a fundamentally flawed compliance strategy that fails to keep consumers secure.
The filings respond to an April 25 FERC notice inviting comments on topics discussed at a March 28 technical conference convened by FERC and the U.S. Department of Energy. The meeting examined cybersecurity and physical security practices used by utilities, generators and pipelines to protect their assets and considered whether federal and state regulators could offer incentives and cost recovery to foster further investment in security.
In its comments, electric and gas utility Alliant Energy said, "[A]dditional financial incentives for vague 'resilience' purposes will only serve to benefit shareholders, not the security of the grid or transmission customers." The utility contended that attempts to define the "broad and somewhat nebulous concept" of resilience could "ultimately limit its application and efficacy" and lead to the creation of counterproductive policies that encourage inappropriate and unnecessary grid investments.
Incentives "that merely reinforce good business practice and security would provide a financial windfall to transmission owners without providing commensurate benefit to transmission customers," Alliant said.
Expressing a similar sentiment, the Electricity Consumers Resource Council, or ELCON, which represents large industrial consumers of electricity, said the pursuit of such incentives "would impose unjustified costs," potentially exposing industrial consumers "to billions in annual cost risk without any verification of benefits."
"[S]ometimes the best practice is to forego an expensive practice and leave the risk unhedged," ELCON said, a view it asserted is part of "every risk management sphere" but rarely framed as such "in the security domain due to the misconception that there is no cost-security trade-off worth considering." The group stressed that "cost recovery for security investments is especially vulnerable to hyperbolized scenarios and red herrings," increasing the need for vigilance as "American manufacturing cannot survive endless cost increases intended to mitigate every possible scenario."
"Some representatives at the technical conference suggested that an incentive for security investments would likely encourage going 'above compliance,' perhaps through the adoption of advanced technologies or grid modernization initiatives by transmission owners," Alliant said.
Alliant and ELCON both said a resilience incentive would be unlikely to accelerate the adoption of new technologies.
"Incentives add costs to consumers for infrastructure that would already be built," ELCON said. "Any perceived deficiencies in investment result from faults in procurement mechanisms, which incentives do not address."
However, the American Gas Association, or AGA, argued that investments in infrastructure and processes that ensure regular "life cycle refreshes" reduce cyberrisks. "While a one-size-fits-all approach may not be appropriate, there are a few incentives that could apply across all of the energy sectors," the AGA said, citing tax credits and security certifications as two examples.
"Tax credits would reduce the costs of making cybersecurity investments," the group explained, adding that high-level security certifications can also be leveraged to obtain lower insurance rates and premiums.
Noting that states' rules around security riders vary, the AGA said allowing for cost recovery based on nationally recognized but optional cybersecurity measures could "accelerate the adoption of enhanced security practices and tools."
ELCON also said flaws in critical infrastructure protection standards, such as those that deter the use of new, reliable cloud-based services, "carry over into retail rate recovery proceedings," likely perpetuating the "approval of outdated practices that are imprudent costs for consumers to incur, while foregoing prudent practices needed to address a rapidly evolving threat landscape."
Greater attention should be given to promulgating policies or programs to enhance industry's voluntary, risk-informed decision-making, ELCON said. "Since best practices evolve rapidly, improved threat diagnostics and expedited information sharing may improve private sector performance."
Without better defense and intelligence information, "consumers' confidence will erode in the institutions and grid security initiatives addressing valid and invalid pursuits alike," ELCON said.
The group added that "any security benefits should be remunerated through transmission planning processes and market design and not require out-of-market mechanisms or above-market rates of return."
It urged FERC to develop an economic framework to evaluate costs and benefits for nonmarket segments of the bulk power system. "An economic framework would enhance conventional policy and introduce a prudency instrument for evaluating and prioritizing resilience and security considerations," the group said.
In addition, consumer-focused advocacy group Public Citizen argued that FERC should publicly disclose the identities of utilities that commit cybersecurity violations. Public Citizen's comments echoed a position the group outlined in April following media reports that Duke Energy Corp. was the unnamed recipient of a $10 million mandatory penalty for violating the reliability standard.
In its comments, Public Citizen disagreed with the position of the North American Electric Reliability Corp. that disclosing the names of violators with "inadequate" cybersecurity compliance may make them "more vulnerable to cyber attacks." According to Public Citizen, that claim "is not supported by evidence."
Moreover, the group asserted that withholding the identity of offending utilities from state utility regulators and from customer intervenors participating in state utility commission proceedings "could allow the utility to seek retail rate recovery for compliance costs associated with the notice of penalty."
Public Citizen also contended that concealing Duke Energy's identity as the recipient of the largest fine in NERC's history "sends a confusing message to the public that large penalties do not come with full accountability, as future violators may be able to similarly hide behind the veil of anonymity."
In addition, the group suggested that FERC proactively encourage states to create regional advisory bodies to advise the commission and NERC on whether reliability or cybersecurity proposals are just, reasonable and in the public interest. FERC also should encourage a formal role for whistleblowers "to find safe harbor in helping to identify cybersecurity weaknesses and violations," Public Citizen said. (FERC docket AD19-12)
Jasmin Melvin is a reporter for S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.