FERC on Monday issued an order accepting the ERO’s clarification of the commission’s questions, completing a back-and-forth on NERC’s 2023 Business Plan and Budget that it began last November (RR22-4-002).
The commission said it was satisfied with NERC’s compliance filing, which the ERO submitted in January in response to FERC’s order accepting the budget in November. (See FERC Orders Clarification in ERO Budget Filing.) FERC also accepted the 2023 business plans and budgets of the regional entities and the Western Interconnection Regional Advisory Board in the same filing.
FERC had ordered the compliance filing to clear up a number of questions, some initially raised by the Edison Electric Institute, about how the funds in the budget were to be used. The commission said its oversight duties would be best served by “additional transparency” into costs relating to the Electricity Information Sharing and Analysis Center’s (E-ISAC) operations — particularly how NERC’s new Business Technology Department relates to the E-ISAC — in addition to the program’s relationship with outside partners and vendors.
The commission also demanded information on NERC’s fixed asset costs and allocation of its loan proceeds, and the inclusion of natural gas companies in the E-ISAC and the Cybersecurity Risk Information Sharing Program (CRISP).
In its filing, NERC explained that the Business Technology Department supports all of the ERO, including the E-ISAC. The organization told the commission that in its budget, costs directly assigned to a particular department may be reflected as indirect costs in each department that it supports; for example, the 2023 E-ISAC budget includes fixed asset additions of $1.1 million, $258,000 of which are directly assigned to the E-ISAC and $928,000 of which are allocated as indirect expenses from the administrative departments.
Explaining the $4 million loan proceeds, which the budget said would be used for software investments, NERC said the funds were specifically for the Align and Secure Evidence Locker projects. The ERO said budgeting this financing activity in its General and Administrative line item was “consistent with NERC’s historical practice” regarding software financing but acknowledged the commission’s “concern” about the lack of clarity this creates regarding where funds finally are to be spent.
NERC said future budgets would “allocate the budgeted capital financing activity … using weighted percentages of departments’ capital software spending.”
Regarding the E-ISAC vendor affiliate program, NERC said the program’s tiered structure — under which vendors may pay more for additional benefits such as access to networking sessions at the GridSecCon security conference — allows vendors of smaller sizes and resources, which otherwise might not be able to join, to access the program. The ERO also outlined its screening process for the program and asserted that the E-ISAC reviews the materials of vendors who will participate in its events to ensure they do not contain sales or promotional content, another concern raised by FERC.
Finally, NERC explained that the E-ISAC’s collaboration with the Downstream Natural Gas Information Sharing and Analysis Center provides the E-ISAC’s members with “increased insights into threats affecting a sector that has many overlaps” with their business through the sharing of informational bulletins. The ERO also said natural gas utilities that participate in CRISP pay for their access the same as any other participants.