By Rich Heidorn Jr.
FERC Chairman Neil Chatterjee’s suggestion that incentives may be needed to encourage investments in infrastructure security received mixed reaction in comments filed with the commission this week (AD19-12).
At a March 28 technical conference by FERC and the Department of Energy, Chatterjee said he wanted to learn whether incentives were needed to encourage security investments beyond those required by NERC reliability standards. (See TSA Defends Pipeline Security Practices Before FERC.)
In post-conference comments, the Edison Electric Institute and EEI members Dominion Energy, FirstEnergy and American Electric Power expressed support for some form of “resilience incentives,” along with the North American Generator Forum, Calpine and International Transmission Co. EEI asked for incentives for technologies such as “high-temperature superconductor, smart grid communications-enabled technology or resilient hardened substation designs.”
But EEI members Exelon and Alliant Energy opposed the idea, as did the Electric Power Supply Association, the American Public Power Association, transmission-dependent utilities (TDUs) and industrial consumers.
“An initiative to revise existing incentives or develop new ones may unintentionally distract resources from what is truly needed to continue making investments in the physical and cybersecurity of our assets: the regulatory certainty provided by timely and fair commission action on filings that involve cost recovery and price formation matters,” Exelon said.
[Editor’s Note: An earlier version of this article was based on only eight parties’ comments that were recorded in FERC’s e-Library before the agency shut down because of a failure of its HVAC system Tuesday.]
Competitive Generators
The North American Generator Forum said deregulated generators have no federal or state cost recovery mechanisms for security spending and “have significant challenges justifying additional cybersecurity spending beyond the mandatory requirements.”
Small generators also cannot afford dedicated information and operational technology staff on site, it said. “A government-sponsored program to provide cyber forensic assistance for facilities with limited resources would be a welcome tool for those facilities to be able to rely upon in times of need,” it said.
It also said market mechanisms and tax incentives should be considered as ways to provide cost recovery, noting state property taxes act as a disincentive for maintaining spare transformers. “We should ensure that early adopters that have completed security projects beyond the required compliance have a method to recover costs.”
EPSA called for “continued observation and analysis” of incentives in the future but said competitive suppliers “are currently able to recover costs associated with cyber and physical security through a number of sources, whether through market-based rates collected in the organized electricity markets, retail revenues, provisions within power purchase agreements or other sources of revenue.”
But EPSA member Calpine said the commission should consider “maturity credits” for industry participants who meet or exceed security goals to encourage best practices.
The Electricity Consumers Resource Council (ELCON), which represents industrial users, countered that competitive generators already have incentive to adopt cost-effective security practices — the opportunity cost of foregone market revenues if they are idled. “Shifting a segment of competitive generators’ costs to cost-of-service would set a deeply problematic precedent,” it said. “Security is an easy justification for cost-of-service entities to expand rate base.”
ELCON criticized ISO-NE’s proposal to recover generators’ costs for meeting critical infrastructure protection (CIP) standards via cost-based rates, saying such costs should be collected via energy and capacity markets. (See Eversource Balks at ISO-NE Plan on CIP Costs.)
“The costs of compliance with new regulations — CIP or otherwise — is an investment risk that should be internalized by competitive generators, not socialized through a new charge on transmission customers.”
If market power mitigation rules do not allow the collection of such costs, they should be changed, ELCON said.
Dominion, however, said generators subject to CIP standards in organized markets may be at a disadvantage without “tailored cost recovery mechanisms in RTOs.”
“Under current market rules, developers may favor only building new generation resources that are not subject to NERC CIP standards, resulting in incremental generation on the system that is not optimally located for reliability and system stability.”
Transmission Incentives
ITC said the commission should ensure cost recovery for transmission owners that go beyond NERC standards “consistent with Order No. 679 and associated commission policy.”
But Alliant rejected the idea of a “resilience incentive,” saying it would “provide a financial windfall to transmission owners without providing commensurate benefit to transmission customers. As stated at the technical conference, transmission owners currently do not have difficulty securing financing for transmission projects.”
“Given that utilities with cost-of-service rates are able to recover the costs of any prudent security investments, it is neither necessary nor appropriate to grant them financial incentives for such investments,” agreed the Transmission Access Policy Study Group, which represents TDUs.
APPA said “unjustified incentives could be particularly problematic for its” TDU members. “The costs of incentives paid by public power utilities in their transmission rates might be on top of infrastructure security costs incurred by public power utilities on their own systems,” it said.
FirstEnergy said FERC should ensure black start resources are “appropriately valued” as transmission assets. It also called for funding for information sharing programs such as the Cybersecurity Risk Information Sharing Program (CRISP) managed by NERC’s Electricity Information Sharing and Analysis Center. “The costs for participation in CRISP can be prohibitively expensive for smaller companies or municipalities. While companies participating in CRISP cover over 75% of U.S. customers, the goal should be 100%. Given the interconnected nature of the grid, the lack of participation by smaller entities could pose a significant threat to the reliability of the Bulk Power System.”
Gas: Incentives Yes, Standards No
The American Gas Association, which represents local distribution companies, said it supports tax credits to reduce the costs of cybersecurity investments and certification processes that can be used to obtain lower insurance rates.
It also said state regulators should provide cost recovery for physical and cybersecurity measures, including cyber mutual assistance programs, video surveillance, sensor technology, physical barriers and lighting. Only some states allow security riders to recover investments outside of a full rate case, AGA said.
It said the gas industry should continue following voluntary guidelines and best practices rather than being subject to the kind of mandatory standards that cover electric utilities.
“Allowing for riders based on, for example, the [Transportation Security Administration] Pipeline Security Guidelines, [the National Institute of Standards and Technology’s] Framework for Improving Critical Infrastructure Cybersecurity or [DOE’s Cybersecurity Capability Maturity Model] could accelerate the adoption of enhanced security practices and tools,” it said. “Cost recovery that is limited to mandatory guidelines or standards for high-risk or critical energy facilities penalizes forward-thinking operators that are being proactive voluntarily and looking ahead to the next challenge.”
Bandwidth
The Utilities Technology Council — a trade group for electric, gas and water utilities’ telecommunications and IT functions — called on FERC to join it in fighting the Federal Communications Commission’s proposal to allow others access to the 6-GHz frequency band, a communications channel used by electric utilities and other critical-infrastructure industries (CII).
“While UTC recognizes FERC has no authority over the FCC or spectrum, it nonetheless has a distinct interest in this proceeding. As the agency responsible for assuring the reliability of our nation’s Bulk Electric System, FERC should amplify the significant concerns raised by the entire electric utility and the oil and natural gas industries that are in opposition to the FCC’s 6-GHz plan and urge the FCC to protect utilities and other CII from interference in the band.”
Public Citizen criticized FERC’s reliance on “industry self-reporting” and said it should do more to protect whistleblowers. It also called for public identification of utilities that violate NERC standards and said NERC is not independent of the electric utility industry.
Delta Star, a Virginia-based provider of substation equipment, used its comments to make a sales pitch for trailer-mounted mobile substations, calling them “the only product that can be remotely secured from terrorist, cyber and physical threats and still be dispatched and installed within a matter of hours.”
Beyond Standards
The National Association of Regulatory Utility Commissioners did not say whether it supported incentives. Instead, it suggested states would benefit from improved information sharing by FERC’s Office of Electricity and Infrastructure Security and DOE’s Office of Cybersecurity, Energy Security and Emergency Response.
ELCON called for less emphasis on mandatory NERC standards and more information sharing on emerging threats and best practices for defense. “The rapid rate of change in computing technology is outpacing the ability of standards development processes,” it said.
On that, EEI appeared to agree. “The commission’s current approach of addressing new threats with new requirements is pushing the CIP standards into areas beyond the electric industry and electric company control,” it said. “We encourage the commission to take a more comprehensive approach to security than simply directing the development of modified or new industry security requirements.”