FERC’s Glick has “significant concerns” about proposed incentives for utility cybersecurity investments

Dive brief:

  • The Federal Energy Regulatory Commission on Thursday proposed incentives for utilities to make certain investments in cybersecurity on a voluntary basis. The proposal is required by the Infrastructure Investment and Jobs Act.

  • The proposed incentives, including an additional 2% return on equity, would cover advanced cybersecurity technology and utility participation in cybersecurity threat information sharing programs.

  • However, FERC Chairman Richard Glick said he had “significant concerns” that cyber threats could be better addressed through mandatory standards rather than incentives for voluntary measures. “If we encourage an activity, some utilities may commit to that investment or participate in some programs and other utilities may not,” Glick said at the agency’s monthly meeting. “And as we know, it only takes one weak link in the entire system to potentially cause major catastrophic damage.”

Overview of the dive:

Under the proposed rule, incentive-eligible expenditures must significantly improve cybersecurity and cannot already be required by North American Electric Reliability Corp. reliability standards or by law.

FERC proposed adopting a list of prequalified measures, or PQs, that would be presumed eligible for incentives. Under the proposal, the list would be periodically updated.

The agency also proposed starting the list of PQs with two measures: expenses associated with participating in the Department of Energy’s cybersecurity risk information sharing program and expenses related to security oversight of the internal network in a utility’s cyber systems.

“With the commission having pre-reviewed potential PQ List items, we believe utility-specific incentive filings could be significantly streamlined from using a case-by-case approach,” said FERC in the proposal.

But FERC said it’s also open to evaluating cybersecurity spending on a case-by-case basis.

Besides collecting an additional 2% on the equity portion of its expenses, a utility could choose to defer cost recovery for qualifying expenses, which under the proposal would allow it to defer expenses and include the unamortized portion in its rate base. A utility could benefit from the incentives for a specific investment for up to five years.

FERC Commissioner Allison Clements said the incentive proposal could help fill a gap in mandatory standards, which Clements and other commissioners say may take a long time to develop.

“Our CIP standards are foundational and are adhered to as strong, and they should remain as current as possible,” Clements said. “Practically, I’m interested in [the] role that this proposal can play in helping to fill this gap compared to putting in place more stringent rules, as the administrative process does not keep up with the ever-evolving threat.”

Mandatory standards may be the best approach to cybersecurity, but standards take a long time to develop, according to FERC Commissioner James Danly.

“It’s a slow process in what is probably the fastest growing area of our security concerns,” Danly said.

Mandatory cybersecurity standards are “a great foundation” but take too long to develop, FERC Commissioner Willie Phillips said, adding he strongly supports the proposal.

“We absolutely have to make sure that our public services don’t do the bare minimum, but reach for the sky,” Phillips said, pointing to the Colonial Pipeline hack in May and cyberwar in Ukraine as examples of the threats facing utilities.

FERC Commissioner Mark Christie echoed Glick’s concerns about taking an incentive approach to cybersecurity threats, while questioning whether utilities should get an additional 2% ROE for “doing what they should be doing anyway”.

“There’s a reason these adders are known as ‘FERC candies,’” Christie said. “They’re really nice for those who get it, but not for the consumers who have to pay for it.”

FERC in December 2020 issued a proposed cybersecurity incentive rule, but that proposal is superseded by the latest one.

Comments on the proposal are due 30 days after it is published in the Federal Register. The Infrastructure Act requires FERC to issue a rule by May.
