FERC on Thursday proposed incentives to encourage public utilities to make cybersecurity investments above and beyond the requirements of NERC’s Critical Infrastructure Protection (CIP) standards.

“As we’ve seen recently in the news this rulemaking cannot be more timely,” FERC Chairman James Danly said at the commission’s open meeting Thursday, referring to the wave of cyberattacks against U.S. government computer networks linked to SolarWinds’ Orion products that the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) had acknowledged just the day before.

Within hours of the FERC meeting, POLITICO reported that FERC and the Department of Energy had been targeted in the attacks as well. Officials with DOE indicated that FERC had suffered more damage than other agencies, without elaborating, POLITICO reported. FERC did not immediately respond to a request for comment on the report.

NOPR Follows Hybrid Approach

The Notice of Proposed Rulemaking (NOPR) approved by FERC Thursday builds on a commission white paper published in June that sought to build a complement to the current CIP standards (AD20-19). FERC called the standards an “effective technical baseline” that utilities would need to supplement with additional innovative solutions. (See FERC Seeks Comments on Cyber Investment Incentives.)

“[The] energy sector faces numerous and complex cybersecurity challenges at a time of both great change in the operation of the transmission system and an increase in the number and nature of attack methods,” FERC said in a press release. “These ever-expanding risks create challenges in defending the digitally interconnected components of the grid from cyber exploitation.”

Andres Lopez, of FERC’s Office of Electric Reliability, told the commissioners that the incentives will encourage utilities to respond to evolving threats more quickly than the lengthy NERC standard development process allows. “The cybersecurity threats public utilities face evolve and arise on their own time frame,” Lopez said.  “That time frame may not coincide with the NERC standards development process, which can take months for new reliability standards to be developed and … months or years before a new reliability standard is fully implemented and enforceable.”

The NOPR incorporates industry players’ responses to the white paper, which revealed widespread misgivings about the planned framework. (See Industry Pushes Back on FERC Cyber Incentives.) In particular, FERC’s proposal unifies the two approaches it originally put forward as alternatives, as suggested by many commenters.

The first of these, which FERC staff called the “NERC CIP incentives” approach in their presentation, would permit public utilities to receive incentive rate treatment for applying the CIP standards to “facilities that are not currently subject to those requirements.”

This would be achieved by:

• voluntarily applying the requirements for medium- or high-impact bulk electric system (BES) cyber systems to low-impact systems, and/or the requirements for high-impact systems to medium-impact systems; and/or
• voluntarily connecting all external routable connectivity to and from a low-impact BES cyber system to a high- or medium-impact system, which FERC termed the “Hub-Spoke” incentive.

FERC’s second approach would allow incentive rate treatment to be provided to public utilities that implement elements of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, specifically automated and continuous monitoring. The commission calls this the NIST Framework approach.

In its white paper, FERC asked for industry participants to indicate which approach they preferred, or if a combination of both would be best. Commenters overwhelmingly preferred a combined approach; therefore, either the NERC CIP incentives approach or the NIST Framework approach will qualify public utilities for one of the following incentives:

• Cybersecurity return on investment: Applies a 200 basis-point adder to the return on equity for eligible cybersecurity capital investments.
• Regulatory asset: Allows utilities to seek deferred cost recovery for certain cybersecurity-related investment expenses.

Expenses qualifying for deferred cost recovery include those associated with third-party provision of hardware, software and networking services; expenses for training to implement new cybersecurity enhancements in pursuit of the new policy; and other implementation expenses such as risk assessments by third parties or internal system reviews. “Prior or continuing costs” would not qualify. Incentives will be continued until one of four categories is reached:

• The depreciation life of the underlying asset;
• 10 years from when the relevant cybersecurity improvement enters service;
• when the investment is mandated by FERC-approved reliability standards and thus no longer voluntary; or
• when a public utility no longer meets the requirements for the incentive.

Commissioners Urge More Action on Cyber Threats

Commissioners Neil Chatterjee and Richard Glick joined Danly in calling the NOPR a timely response to recent cybersecurity concerns.

Glick called on “the commission and the entire federal government” to keep raising national awareness of cybersecurity threats.

“[The] commission needs to inquire why these types of investments are not being made today, if in fact they aren’t,” Glick said. “We should only be providing incentives to the extent they cause utilities to change their behavior. That’s what the term ‘incentives’ means. Unless the commission determines that utilities aren’t making these cybersecurity investments because the return [is] insufficient, there’s no point to raising those returns.”