[co-author: Shawn Whites]
Building off its White Paper issued last summer, the Federal Energy Regulatory Commission (FERC or the “Commission”) has proposed changes to its regulations that would encourage more robust investment in cybersecurity infrastructure. The notice of proposed rulemaking (NOPR) provides incentive rate treatment for voluntary utility investments that go “above and beyond” FERC’s mandatory cybersecurity standards. Comments on the NOPR are due April 6.
The Commission’s Critical Infrastructure Protection (CIP) Reliability Standards require users, owners and operators of the “bulk-power system”1 to safeguard critical cyber assets. FERC categorizes assets based on the risk to the bulk-power system if the assets are compromised, with different requirements applying depending on the risk category. Most of the requirements apply to the high- and medium-risk categories.
In the face of “numerous and complex cybersecurity challenges,” some of which have been heightened by an increased reliance on telework in response to COVID-19, the NOPR recognizes that FERC’s existing cybersecurity framework has certain limitations. Developing and implementing rules to address evolving threats can take too long, and FERC’s focus on higher-risk assets for its mandatory standards fails to recognize the increasingly interdependent nature of networks and equipment that keep the power flowing.
To address these shortcomings, FERC proposes two approaches to bolster cybersecurity investments. Under the first approach, the Commission would offer incentive rate treatment to utilities that voluntarily apply existing CIP Reliability Standards to facilities that are not currently subject to those standards. For example, a utility could propose to apply standards applicable to high- and medium-risk assets to low-risk assets.
The second approach would borrow from the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).2 FERC proposes to offer incentive rate treatment for investments implementing certain security controls from the NIST framework that exceed the CIP Reliability Standards. At least initially, FERC proposes to limit incentives under this approach to investments in “automated and continuous monitoring,” such as a dynamic asset management program that would allow the utility to quickly detect previously unknown equipment on its network.
The NOPR identifies two forms of incentive rate treatment: a Return on Equity (ROE) adder of 200 basis points on the qualifying investment3 and a deferred cost recovery benefit.4 FERC also intends to leave open the possibility for other types of incentive rate treatment, such as construction work in progress, on a case-by-case basis. Applications would be submitted pursuant to Section 205 of the Federal Power Act and must provide a detailed explanation of how the utility plans to implement the investment. Notably, applications seeking incentive treatment under the CIP Reliability Standards approach would be entitled to a rebuttable presumption that the investment materially enhances the bulk-power system, though no such presumption would be available under the NIST approach. FERC seeks comment on what kind of demonstration an applicant would need to make for incentive treatment under the NIST approach.
1 “Bulk-power system” means “facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and . . . electric energy from generation facilities needed to maintain transmission system reliability,” excluding “facilities used in the local distribution of electric energy.” 16 U.S.C. § 824o (2018).
2 NIST, Framework for Improving Critical Infrastructure Cybersecurity (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
3 The ROE adder would be available for capital investments under either the CIP Reliability Standards approach or the NIST approach.
4 The deferred cost recovery incentive would be available for certain expenses associated with investments that receive Commission approval for ROE incentives. Three categories of expenses would be eligible: (1) expenses associated with thirty-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements; and (3) other implementation expenses, such as system assessments by third parties or internal system reviews and initial responses to findings of such assessments.