Senate ENR Seeks $250M for Utility Cyber Spending
IPPs May Seek O&M Boost
The leaders of the Senate ENR Committee announced legislation to provide $250 million in funding for transmission owners’ cybersecurity investments.

By Rich Heidorn Jr.

The leaders of the Senate Energy and Natural Resources Committee last week announced bipartisan legislation to provide $250 million in funding for transmission owners’ cybersecurity investments, as independent power producers said they may seek to recover their compliance costs through RTO capacity markets.

The Protecting Resources on the Electric grid with Cybersecurity Technology (PROTECT) Act would direct FERC to initiate a rulemaking on rate incentives, and the Department of Energy to offer grants and technical assistance, for investments in “advanced cybersecurity technology.” The DOE program would be for electric cooperatives, municipal utilities and others not regulated by FERC.

Announced on Thursday, the legislation would provide $50 million annually for fiscal years 2020-2024.

Committee Chair Lisa Murkowski (R-Alaska) introduced the bill with ranking member Sen. Joe Manchin (D-W.Va.) and Sens. James Risch (R-Idaho), Maria Cantwell (D-Wash.) and Angus King (I-Maine).

Sens. Maria Cantwell and Lisa Murkowski | © ERO Insider

Prospects for the legislation were clouded Monday by President Trump’s announcement that he will nominate FERC General Counsel James Danly to fill an open Republican spot on the commission without also filling the open Democratic seat. E&E News reported last month that Senate Minority Leader Chuck Schumer (D-N.Y.) was threatening to block ENR Committee bills from reaching the floor if the Republicans push a GOP nominee without a Democratic pairing.

The bill, which would amend the Federal Power Act, defines “advanced cybersecurity technology” as “any technology, operational capability or service, including computer hardware, software or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to or recover from a cybersecurity threat.”

FERC would be required to initiate a study within six months after the bill’s enactment “to identify incentive-based, including performance-based, rate treatments” to encourage cybersecurity investments and participation in threat information-sharing programs. FERC would be required to consult with DOE, NERC, the Electricity Subsector Coordinating Council and the National Association of Regulatory Utility Commissioners on the study.

Sen. Joe Manchin | © ERO Insider

The incentives would be available for investments that reduce cyber risks to “defense critical electric infrastructure” and other FERC-jurisdictional facilities “critical to public safety, national defense or homeland security.” Also eligible would be facilities of small- or medium-sized public utilities with limited cybersecurity resources.

Utilities would seek incentives through a “single issue” filing under FPA Section 205 that would be “without regard to changes in receipts or other costs of the public utility.”

DOE would issue grants and technical assistance on a competitive basis, giving priority to companies with limited cybersecurity resources or that own defense critical infrastructure or other assets “critical” to the reliability of the bulk power system.

“The consequences of a successful cyber-incursion would be widespread and potentially devastating,” Murkowski said in a statement. “We know the threat of cyberattacks by our foreign adversaries and other sophisticated entities is real and growing.”

EPSA Report

On Monday, meanwhile, the Electric Power Supply Association (EPSA), which represents independent power producers and marketers, issued a report saying that competitive generators may need to seek additional revenue through RTO operations and maintenance (O&M) charges if cybersecurity rules on them are tightened.

EPSA said regulators should give generation owners “flexibility … to prioritize and address critical security matters.”

“Factors including company size, extent of asset ownership, transmission configuration, physical location and design of facilities, presence in organized wholesale markets, regional resource and system constraints, and prior patterns of theft, vandalism, and other security-related activities all influence analyses and decisions regarding critical asset identification and risk threat assessments by individual companies,” EPSA said. “Should the government opt to vastly ramp up or change cyber and physical security requirements, additional cost recovery avenues or mechanisms may merit consideration for companies that operate in market-based rate regimes.”

EPSA said the costs of complying with additional security requirements should be recovered on a “regional or systemwide basis.”

“As some of the cyber and physical security costs clearly fall into the O&M bucket, the capacity markets are where these costs should be appropriately priced and ultimately recovered. By reflecting these costs into net [cost of new entry] calculations, ISOs/RTOs will ensure that resources can be compensated through the capacity markets for their costs of doing business, including necessary cyber and physical security investments.”

The report also complained that EPSA members sometimes do not learn of security incidents for 18 to 24 months afterward, “which makes preparing for and girding against these threats more difficult or not timely as the incident/threat may have already run its course or caused significant damage by the time they are briefed.

“It is important that companies have access to the critical information needed to ensure that their systems and awareness are up to date,” EPSA continued. “An important improvement would be to ensure that such information is not overly restricted as classified unless warranted, and that there are numerous persons at a company with the necessary security clearance to receive it. The security of the system is far too important to hinge on the availability of one or two people at a company with the necessary clearance to receive timely information.”

“Timely declassification of actionable information is important to grid reliability and security,” NERC spokeswoman Kimberly Mielcarek said. “The quicker the Electricity Information Sharing and Analysis Center and industry receive this information, the better we are able to safeguard the grid and mitigate risk.”

Concern Rising

Concern has risen since the revelations of Russian hackers’ attacks on Ukraine’s electric grid in 2015 and 2016.

In January, the U.S. Intelligence Community’s 2019 Worldwide Threat Assessment reported that Russia has the ability to execute cyberattacks in the U.S. that could disrupt “an electrical distribution network for at least a few hours.”

The report also said that “China has the ability to launch cyberattacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks.”

Sen. King has called for more urgency in addressing the threat, saying the federal government should develop an “offensive response” to attacks on the grid and other critical infrastructure. (See “Sen. King Calls for ‘Offensive’ on Cyberthreats,” Overheard at NECPUC 71st Annual Symposium.)

At a FERC technical conference in May, the idea of incentivizing investments to improve resilience received mixed reviews. ITC Holdings said the commission should ensure cost recovery for TOs that go beyond NERC standards “consistent with Order No. 679,” which established incentives to compensate for the challenges faced by specific transmission projects, for forming a transmission-only company and for joining an RTO.

But Alliant Energy rejected the idea of a “resilience incentive,” saying it was unnecessary and would provide a windfall to TOs. “Transmission owners currently do not have difficulty securing financing for transmission projects,” Alliant said. (See Mixed Reaction for ‘Resilience Incentives’.)

In July, NARUC released tools to help regulatory commissions gauge the effectiveness of utilities’ cybersecurity preparedness efforts and the prudence of related expenditures. (See NARUC Offers Tools for Measuring Cybersecurity.)
