A proposal to award extra financial incentives to electric utilities that implement cybersecurity measures that go above and beyond current mandatory reliability standards drew a divided reaction among power sector stakeholders.
Investor-owned utilities and transmission owners generally threw their support behind the notice of proposed rulemaking (RM21-3) issued by the Federal Energy Regulatory Commission in December, while public power, transmission-dependent utilities and several states urged the commission to toss the proposal in comments due April 6.
The proceeding at issue lays out a framework that would allow utilities to request incentive rate treatment for cybersecurity investments that exceed mandatory critical infrastructure protection (CIP) standards developed by the North American Electric Reliability Corp.
Under a so-called "NERC CIP Incentives Approach," utilities would receive incentives for voluntarily applying CIP requirements for medium- or high-impact bulk electric system cyber systems to low-impact systems, or for implementing high-impact standards at medium-impact facilities. The approach also included a "Hub-Spoke Incentive" that would reward utilities for safeguarding all external routable connectivity to and from low-impact systems that connect to high- or medium-impact systems.
A separate approach would have FERC grant incentives to utilities that implement automated and continuous monitoring controls included in the National Institute of Standards and Technology's Cybersecurity Framework. The "NIST Framework Approach" is aimed at improving a utility's ability to quickly detect and address new or previously unknown equipment in its network — the same penetration methods reportedly behind a cyberattack last year that breached multiple US government departments and major corporations.
Under the first approach, utilities could receive a 200 basis-point adder to their return on equity for eligible cybersecurity capital investments. The second approach proposed to allow utilities to seek deferred cost recovery for certain cybersecurity investments. Utilities would be able to request incentives using any combination of the two approaches, but would have to submit detailed filings to FERC to show the incentive rate treatment was just and reasonable under Section 205 of the Federal Power Act.
Comments filed by the American Public Power Association, Large Public Power Council, Transmission Access Policy Study Group and Organization of MISO States commended the sentiment and desire to promote prudent utility investment in measures to mitigate cybersecurity risks, but found that the proposal missed the mark.
Chief among their concerns was that the proposed incentives could inflate costs without providing any material benefits.
"Requiring ratepayers to pay for more protection than is necessary or required would result in unjust and unreasonable rates," OMS, the regional state committee for the Midcontinent Independent System Operator region, said. "Deciding what systems and components of the bulk power system to protect and how to protect them will always be the result of careful and considered analysis that is best left to NERC and local regulators, not utilities that are seeking a higher ROE."
APPA asserted that the CIP incentives and NIST Framework approaches could actually diminish cybersecurity if, for example, "having all external routable connectivity to and from the low-impact system connect to a high- or medium-impact BES cyber system under the Hub-Spoke method could create new attack vectors for medium- and high-impact facilities."
"More generally, making particular kinds of cybersecurity investments eligible for incentives may prompt utilities to focus on investments that qualify for incentives rather than on what may be the optimal way to enhance cybersecurity under the circumstances," APPA added.
The investor-owned utility trade group Edison Electric Institute, a group of transmission owners in PJM Interconnection, and the MISO transmission owners urged FERC to move forward with the proceeding but to make certain modifications before adopting a final rule.
As articulated in the MISO transmission owners' filing, supporters of the proposal sought "an expanded view of the types of investments eligible for incentive treatment," including broadening the NIST Framework approach to additional categories of security controls, and urged adoption of "streamlined application and verification processes that account for the confidential and sensitive nature of cybersecurity information."
The PJM transmission owners said the commission's final rule on the matter "should provide a third option to allow applicants to request incentives for new and innovative cybersecurity projects that materially increase the cybersecurity profile of their systems but that may not squarely fall into one of the two proposed approaches."
EEI suggested that FERC "ensure that its proposed requirements do not create a new compliance and enforcement monitoring process that will increase the regulatory burden for both applicants and the commission."
Supporters of the NOPR also challenged a provision that would end the period for which an incentive is granted once the actions an entity received incentives for became mandatory and enforceable requirements. EEI proposed that "a utility be able to receive the incentives for the period for which it was originally granted even if a NERC standard is subsequently approved as a utility should not be penalized for recognizing a need and making the necessary capital expenditures."