Stakeholder comments on FERC’s proposals for encouraging cybersecurity investments by utilities reveal widespread misgivings about the commission’s planned framework, even as most respondents acknowledged the need for action on protecting the grid from cyber threats (AD20-19).
FERC solicited comments in June on a white paper calling for an incentive framework that would complement the current Critical Infrastructure Protection standards, which the commission called an “effective technical baseline for cybersecurity practices.” The commission proposed two approaches for identifying cybersecurity investments that should be incentivized: one that would encourage entities to apply the current CIP standards voluntarily in areas where they are not currently required — specifically, to low-impact bulk electric system cyber systems — and a more open-ended alternative that would incentivize utilities to meet goals based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
Commenters Lean Toward Combined Approach
The commission’s first question to stakeholders was which of the two frameworks — or whether a combination of both — should be adopted. A number of respondents endorsed the combined approach; International Transmission Co., for instance, asserted that the NIST framework and the CIP standards are “not mutually exclusive,” while Boston Consulting Group (BCG) favored including the Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model as well in order to “provide a comprehensive view of cybersecurity … with the corresponding methodology for cybersecurity maturity assessment.”
The U.S. Bureau of Reclamation was an outlier, arguing for an incentive approach based solely on the NIST framework. Calling the CIP standards “compliance focused [and] overly prescriptive,” the bureau said a NIST-only approach would allow utilities greater flexibility and creativity to craft their own solutions.
FERC Accused of Overstepping Role
The commission also received some sharp dissents, with several commenters focusing on the potential impact to ratepayers. One such criticism came from Transmission Dependent Utility Systems, an ad hoc group of rural electric cooperatives, which said the commission’s incentive plan would essentially allow transmission owners to profit from essential cybersecurity investments rather than simply recouping the costs, potentially raising rates for end-use consumers.
“[Customer] interests are not even an afterthought; they do not draw a single mention, at a time when unemployment is at levels not seen for nearly a century and the media are filled with stories predicting a coming wave of housing and small-business evictions,” the group said. “For this reason alone, it would be appropriate for the commission to direct its staff to reconsider its proposal.”
It also accused the commission of assuming authority delegated by Congress to NERC, as the CIP-based framework would have the effect — if not necessarily the intent — of applying those standards to systems explicitly excluded by NERC. Supporting this view was the New Jersey Board of Public Utilities, which compared the proposed scheme to “the era of voluntary utility engagement” that was ended by the Energy Policy Act of 2005.
“Congress did not intend for FERC to create reliability standards itself. … It is for NERC, the ERO, not FERC, to utilize its technical expertise in deciding the adequate level of reliability and designing standards that ensure it,” the board said. “While the commission can request that NERC modify the CIP reliability standards, it cannot propose its own mechanisms to augment reliability on a voluntary basis.”
Even those that supported the incentive proposal in general tended to disagree with FERC on specific aspects of implementation. The commission’s question about adopting a sunset date for incentivized cybersecurity investments in order to encourage utilities to keep up to date with the changing security environment attracted dissent from trade group WIRES, which said that because every threat is different, there is no point in “drawing an arbitrary line in the sand” to declare a particular mitigation measure no longer useful.
BCG and the Indiana Utility Regulatory Commission were less categorical in their rejection of sunset dates, but both cautioned against setting them too broadly. The IURC recommended tying sunset periods to the useful life of the upgrade — for example, shorter periods for software that can be replaced relatively quickly, and longer for physical investments that will stay in place longer — while BCG urged the commission to adopt a “review cycle” to periodically reassess utilities’ cybersecurity investments.
Canadian Regulators Urge International Focus
The response from Canada’s Energy and Utility Regulators (CAMPUT) — the Canadian approximation of the National Association of Regulatory Utility Commissioners — sought to remind FERC of the high degree of interconnection between the U.S. and Canadian grids. While Canadian utilities are not under FERC’s jurisdiction, as a practical matter, Canadian provinces normally implement similar or identical reliability standards to those in force in the U.S., as “security is a matter of mutual interest.”
While CAMPUT noted that commenting on the proposed incentive framework would be outside of its prerogatives, the organization voiced concerns that any FERC incentive package could create a “disparity in North American CIP practices” if similar programs were not offered in the Canadian provinces. CAMPUT requested the commission consider a “North American cybersecurity dialogue” that would enable regulators to address this new threat collectively.
“Cybersecurity matters are very different than traditional reliability considerations such as vegetation management, and may require a new approach to address risk,” CAMPUT said. “By utilizing NERC to facilitate such a conversation amongst all stakeholders of the BES, there would be an opportunity to ensure that cybersecurity risks are optimally and collaboratively addressed throughout North America.”