FERC’s proposal for incentivizing public utilities to invest in cybersecurity improvements provoked a range of reactions from industry stakeholders in the comment period that closed earlier this week (RM21-3).

The commission introduced the proposed incentive structure in December, building on a white paper published last June that sought to build a complement to the current Critical Infrastructure Protection (CIP) standards (AD20-19). (See FERC Pushes Cybersecurity Incentives.) In light of industry comments on that white paper, the Notice of Proposed Rulemaking suggested a hybrid of two approaches.

The first of these, which FERC called the “NERC CIP incentives” approach, would permit public utilities to receive incentive rate treatment for applying the CIP standards to facilities that are not currently subject to their requirements. This would be achieved by:

• voluntarily applying the requirements for medium- or high-impact bulk electric system cyber systems to low-impact systems, and/or the requirements for high-impact systems to medium-impact systems; and/or
• voluntarily connecting all external routable connectivity to and from a low-impact BES cyber system to a high- or medium-impact system, which FERC termed the “Hub-Spoke” incentive.

Under the second approach, called the “NIST Framework,” incentive rate treatment would be provided to public utilities that implement elements of the National Institute of Standards and Technology’s Cybersecurity Framework, specifically automated and continuous monitoring. Following either the NERC CIP incentives or the NIST Framework approach would qualify public utilities for one of the following incentives:

• Cybersecurity return on investment: applies a 200-basis-point adder to the return on equity for eligible cybersecurity capital investments.
• Regulatory asset: allows utilities to seek deferred cost recovery for certain cybersecurity-related investment expenses.

ERO Fears Conflicts of Interest

Industry responses professed strong support for the idea of encouraging cybersecurity investments by utilities, but reactions were more nuanced when it came to the details of FERC’s proposals. NERC and the regional entities, for example, filed a joint comment urging the commission to “consider the implications for compliance monitoring and enforcement activities … [and] the standards development process” of the ERO Enterprise.

The joint comment focused on the CIP Incentives approach and what role, if any, NERC and the REs are to have in monitoring its implementation. For example, they asked whether the voluntary application of CIP requirements to systems outside their applicability will be subject to evaluation or audit by the ERO Enterprise, and if the ERO Enterprise is to play any part in reviewing utilities’ application for incentives.

Additionally, NERC and the REs expressed concern that FERC’s proposal might “create financial reasons to oppose the standards development process [in which] industry stakeholders have a significant role.” They warned that expanding the scope of the CIP standards on a voluntary basis could create a perverse incentive for industry participants to block future attempts to make the expansion mandatory, because in the former case there would be no penalty for not following the requirements.

Incentive Mechanisms Questioned

The New England Conference of Public Utilities Commissioners (NECPUC) likewise agreed broadly that it “is appropriate for FERC to encourage utility cybersecurity development” while questioning whether an ROE adder and deferred cost recovery are the best mechanisms for incentivizing useful investments.

“It is important to note that cybersecurity poses different challenges than other areas of utility investment. A utility cannot achieve ‘cybersecurity’ through a one-time investment as with some traditional utility investments. … It requires a multifaceted and continuing approach,” NECPUC said. “In addition, while ROE adders may incentivize rate base investment … cybersecurity does not consist of merely, or even mostly, the type of physical assets that are traditionally included in rate base, particularly transmission rate base.”

Instead of exclusively pursuing these options, NECPUC urged FERC to “evaluate all the tools at its disposal … for example … permitting a broader set of cybersecurity expenditures to be added to rate base.” The organization also noted that FERC’s NOPR does not set out appropriate benchmarks or other evaluation tools to determine whether investments will achieve the desired results and suggested that the commission create a framework by which the effectiveness and value of proposed cyber improvements can be measured.

The Edison Electric Institute (EEI) praised the NOPR overall, saying the proposal “recognizes the importance of allowing utilities flexibility in determining the investments that are appropriate for them.” But while the organization said both the CIP Incentives approach and the NIST Framework approach are useful tools for incentivizing cybersecurity improvements, it suggested that the commission clarify how public utilities track their implementation of for the purposes of confirming their eligibility for incentives.

EEI also expressed concern with FERC’s proposal to “limit the eligible costs [for deferred cost recovery] to those associated with implementing cybersecurity upgrades” while excluding ongoing costs such as system maintenance and surveillance. It requested that the commission consider allowing utilities to capitalize these costs and include them in the rate base.