November 18, 2024
FERC Seeks Comments on Cyber Investment Incentives
FERC is seeking comment on a proposed incentive framework for utilities making cybersecurity investments above the requirements of NERC’s CIP standards.

FERC is seeking industry comments on a proposed incentive framework meant to encourage utilities to make cybersecurity investments above and beyond the requirements of NERC’s Critical Infrastructure Protection (CIP) standards (AD20-19).

Limitations in CIP Standards Recognized

In a white paper published Thursday, FERC described the proposed incentive framework as a complement to the current CIP standards, which the commission called an “effective technical baseline for cybersecurity practices.” A separate Notice of Inquiry, also issued Thursday, is seeking comments on potential gaps in the standards and suggestions on actions the commission can take to improve them. (See related story, FERC Starts Inquiry on CIP Standards.)

The new proposal is not directly connected to the NOI. Although the commission did recognize “certain limitations” in the existing CIP standards and suggested that voluntary actions by utilities as a result of the planned incentives “could be the basis of future” versions of the standards, FERC’s goal is to encourage utilities to pursue innovative — and voluntary — solutions that would protect their own transmission systems as well as the bulk electric system overall, while allowing the industry to:

  • be more agile in monitoring and responding to new cybersecurity threats;
  • identify and respond to a wider range of threats; and
  • create comprehensive solutions for addressing cybersecurity threats.

Such encouragement could take the form of either return on equity and non-ROE incentives, but the commission favored a mix of both approaches based on the type of investments being reported. ROE incentives would apply to specific incremental cybersecurity investments, while non-ROE measures could apply to construction work in progress, recovery of abandoned plant costs and accelerated depreciation, which would allow utilities to mitigate cash flow concerns caused by initiatives with a longer-term payoff.

Alternative Frameworks Proposed

FERC also sought input on how to identify the cybersecurity investments that merit its incentives, proposing two approaches that could be used independently or in combination. Both would reward utilities for going beyond the requirements of the CIP standards but would use a different basis for assessing their success.

Cyber Investment Incentives
| Shutterstock

The first proposed method would encourage entities to apply the current standards in areas where they are not currently relevant. Specifically, several CIP standards apply only to medium- and/or high-impact BES cyber systems, leaving many low-impact systems unaddressed — a distinction that has prompted criticism from security activists. (See NERC Pushes Back on New CIP Standard Challenge.) FERC would provide an ROE adder or other incentive for utilities that voluntarily apply CIP standards to BES cyber systems with a lower impact than those for which the standards were intended.

An advantage of this approach is that utilities and regulators would be working within a framework with which they are already familiar, making the criteria for approving an incentive clear. On the other hand, it would also leave registered entities with little reason to look beyond this framework. For that reason, the commission put forward another approach, under which incentives would be based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. This more open-ended approach would require more work from the commission to assess whether cybersecurity investments meet its goals but would allow greater flexibility and creativity on the part of utilities.

Further Questions

In the white paper, FERC emphasized that it is far from making a decision on the final shape of its incentive framework. To guide its decision-making, the commission is requesting comments on a number of questions, including:

  • whether the CIP standards or the NIST Framework, or both, should be considered as the basis for incentivizing cybersecurity investments;
  • how FERC can ensure that the incentive eligibility and applicant evaluation processes are clear and fair;
  • what guidance FERC can provide on structuring cybersecurity incentive applications;
  • which components of the NIST framework should be considered for an incentive, and how entities might demonstrate that their cybersecurity expenditures qualify under the framework; and
  • whether the commission should adopt a sunset date for incentivized cybersecurity investments in order to encourage utilities to keep up to date with a changing security environment.

Comments on the white paper are due within 60 days of its issuance, with reply comments due within 75 days.

CIPFERC & Federal

Leave a Reply

Your email address will not be published. Required fields are marked *