After the Protecting Resources on the Electric grid with Cybersecurity Technology (PROTECT) Act stalled in Congress last year, leaders of the Senate Energy and Natural Resources Committee on Thursday announced they had reintroduced the bipartisan legislation that would provide $250 million over the next five years to support transmission owners’ cybersecurity investments.

Chair Joe Manchin (D-W.Va.) and ranking member Lisa Murkowski (R-Alaska) introduced the bill, along with Sens. James Risch (R-Idaho), Angus King (I-Maine) and Jacky Rosen (D-Nev.). A nearly identical group introduced the previous version in October 2019, with Sen. Maria Cantwell (D-Wash.) instead of Rosen. (See Senate ENR Seeks $250M for Utility Cyber Spending.)

FERC Required to Implement Cyber Incentives

The latest iteration of the PROTECT Act is almost identical to the one introduced in 2019, with a few changes. It would direct FERC to conduct a study — in consultation with the Department of Energy, NERC, the Electricity Subsector Coordinating Council (ESCC) and the National Association of Regulatory Utility Commissioners — to “identify incentive-based, including performance-based, rate treatments for the transmission and sale of electric energy” — the previous version only mentioned transmission — “subject to the jurisdiction of the commission” that could encourage:

• investment by public utilities in advanced cybersecurity technology, defined in the bill as “any technology, operational capability or service … that enhances the [ability] of public utilities to protect against, detect, respond to or recover from a cybersecurity threat”; and
• participation by public utilities in cybersecurity threat information sharing programs.

No more than a year after the conclusion of the study, FERC would be required to issue a rulemaking on such rate incentives. Language added to the reintroduced act specifies that such a rule “shall preclude rate treatments that allow unjust and unreasonable double recovery” for cybersecurity investments.

Utilities would seek incentives through a “single issue” filing under Section 205 of the Federal Power Act that would be “without regard to changes in receipts or other costs of the public utility.” Incentives would be made available for investments that reduce cyber risks to defense critical electric infrastructure (DCEI) and other facilities under FERC jurisdiction that are “critical to public safety, national defense or homeland security.” Facilities belonging to small- or medium-sized public utilities with limited cyber resources would also be eligible.

DCEI is defined in the FPA as “any electric infrastructure that serves” facilities that are critical to the defense of the U.S. and vulnerable to disruption of electric energy provided by an external service, as long as it is not owned or operated by management at the facility.

DOE to Provide Grants, Cyber Assistance

Alongside the FERC rulemaking effort, the act would require DOE, consulting with FERC, NERC and the ESCC, to create a program providing grants and technical assistance for deployment of advanced cybersecurity technology to utilities not regulated by the commission. Eligible entities under this program would include:

• rural electric cooperatives;
• utilities owned by political subdivisions of states such as municipalities;
• utilities owned by any agency or authority of such political subdivisions;
• nonprofit entities in partnership with at least six of the above-mentioned utilities; and
• investor-owned utilities that sell less than 4 million MWh per year (another addition to the newest version of the bill).

Priority for grants and assistance would be given to entities with limited cybersecurity resources, assets critical to the reliability of the bulk power system or DCEI.

Senate’s Partisan Divide Persists

The previous version of the PROTECT Act was passed out of committee in January 2020 but stalled in the Senate. No official reason was given, but then-Minority Leader Chuck Schumer (D-N.Y.) had earlier threatened to block ENR Committee bills from reaching the floor because of President Donald Trump’s nomination of James Danly to fill the open Republican spot on FERC without also filling the open Democratic seat. With Democrats now holding a slim majority in the Senate, the bill could become the target of hostage-taking from the other side.

Since then, FERC has proposed its own framework for incentivizing cybersecurity investments by public utilities (RM21-3). (See FERC Pushes Cybersecurity Incentives.) While industry stakeholders have expressed concerns about the potential compliance burdens of the commission’s plan, the PROTECT Act may provide the push needed to carry the incentives through in some form. (See Industry Warns of Hidden Dangers in Cyber Incentives.)

“In Alaska where energy prices are already amongst the nation’s highest, the cost for small co-ops to properly secure their cybersecurity needs is continuing to rise,” Murkowski said in a statement. “The federal government and industry have a shared responsibility to enhance the cybersecurity posture of electric utilities, municipal utilities and electric utility systems owned by electric cooperatives to protect our electric grid from cyber threats.”