At its December open meeting, FERC proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility. If approved, the regulations would provide incentives for utilities to invest in cybersecurity improvements above and beyond existing mandatory requirements, provided the investments are related to the jurisdictional transmission or sale of electric energy. Traditionally FERC has worked to enhance the cybersecurity of the bulk-power system by directing the development and expansion of mandatory NERC Critical Infrastructure Protection (CIP) reliability standards. The proposed rules here would be quietly revolutionary by offering the “carrot” of financial incentives for cybersecurity enhancements, rather than relying exclusively on the “stick” of monetary sanctions that result from violations of mandatory requirements.
This summer, FERC staff had issued a white paper suggesting an incentive-based framework for providing transmission incentives to public utilities for cybersecurity investments. The white paper theorized that FERC could provide those incentives under Section 219 of the Federal Power Act (FPA), which is the statutory provision reserved for transmission rate incentives.
But the proposed rulemaking changed course. FERC now plans to rely on its broad rate authority under FPA Sections 205 and 206. FERC reasoned that using Sections 205 and 206 would provide the agency with more flexibility to approve a wider range of solutions to address the myriad cybersecurity threats facing public utilities today. Relying on those sections also avoids tying incentives to a section of the FPA designed primarily for the construction and expansion of transmission facilities. FERC’s interest in cybersecurity improvements applies not only to new facilities, but also the many long-standing transmission assets and their supporting and operating control centers and data centers around the United States.
Identifying Eligible Investments
FERC proposed to allow a public utility to receive incentive rate treatment for voluntarily making qualified investments in cybersecurity controls. The eligible incentives would be based on two possible approaches, and require investments that go above and beyond the minimum requirements of the NERC CIP reliability standards.
The first approach is based on the application of stronger cybersecurity requirements to facilities subject to a lower level of mandatory CIP requirements. The CIP standards apply generally to sets of programmable electronic devices identified and grouped by the public utility (known as “BES Cyber Systems”) that are categorized based on an impact rating reflecting their criticality to the bulk electric system. The most rigorous controls apply to high or medium impact BES Cyber Systems, which include major transmission facilities, transmission control centers, and associated data centers. Conversely, low impact BES Cyber Systems, which compose the vast majority of in-scope assets, are subject to less stringent requirements.
To implement this first approach, FERC proposed regulations to allow incentive rate treatment if utilities voluntarily (1) apply requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems, or (2) protect cyber communications with low impact systems using a higher security level normally reserved for medium and high impact systems.
The second narrower approach is tied to the NIST Framework for Improving Critical Infrastructure Cybersecurity. Under FERC’s proposal, utilities could receive incentive rate treatment for implementing security controls included in the NIST Framework. FERC proposed to limit incentive eligibility under this approach to those controls under the NIST Framework that are most likely to provide a significant benefit to the cybersecurity of jurisdictional transmission facilities, and not just the bulk electric system as a whole. Utilities making incentives under this approach would also need to demonstrate to FERC that their cybersecurity investments go “above and beyond” the CIP Standards, which could require a detailed technical explanation.
FERC proposed to grant either a return-on-equity (ROE) incentive or a deferred cost recovery incentive for cybersecurity costs that are either directly assigned transmission costs or costs that are conventionally allocated (i.e., using the wages and salaries allocator) for enterprise-wide expenses, provided the utility can demonstrate how the investment will enhance cybersecurity to the benefit of ratepayers.
The ROE incentive would allow an adder of 200 basis points for capital investments. Alternatively, the utility could seek the deferred cost recovery incentive, which would allow the deferred recovery of certain cybersecurity costs that are generally expensed as incurred, and the treatment of those costs as regulatory assets, while also allowing the regulatory assets to be included in transmission rate base. Deferred cost recovery would be available for three categories of expenses: (1) expenses associated with third-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements; and (3) large, one-time expenses associated with implementing cybersecurity upgrades (e.g., system assessments by third parties or internal system reviews). FERC also proposed to allow consideration of other cybersecurity incentives on a case-by-case basis.
Application of Incentives
If approved, the proposed rule will allow utilities to request one or more incentive based-rate treatments in a filing pursuant to FPA Section 205. The applicant would need to include a detailed explanation of how it plans to implement one or both of the proposed incentive approaches and the requested rate treatment. Public utilities seeking incentives under the approach for raising the NERC CIP compliance bar by increasing the impact level assigned to an asset would be entitled to a rebuttable presumption that their investments materially enhance cybersecurity. However, utilities relying on the NIST Framework would not be entitled to the same rebuttable presumption, and would instead need to demonstrate that their investments merit incentives under the FPA Section 205 “just and reasonable standard.” FERC has requested comment on the parameters for that demonstration.
FERC also proposed to allow approved incentives to last for the lesser of (1) the depreciation life of the underlying asset; (2) 10 years from when the cybersecurity improvements enter service; (3) when the investments or activities that serve as the basis of that incentive become mandatory pursuant to a FERC-approved Reliability Standard; or (4) when the public utility no longer meets the requirements for receiving the incentive. Utilities receiving incentives would also need to submit annual informational filings detailing the investments made and the associated regulatory accounting treatment.
The proposed rulemaking is FERC’s latest effort to encourage public utilities to increase their focus on cybersecurity vulnerabilities in the electric industry. This latest proposal to spur cybersecurity investments through transmission incentives suggests that FERC will continue to explore new avenues to promote cybersecurity reforms and oversee the reliability of the bulk electric system. For public utilities seeking these incentives, FERC’s proposal is advantageous in several ways:
- The proposal provides financial incentives for undertaking certain cybersecurity enhancements rather than relying strictly on penalties to drive security improvements.
- The cybersecurity improvements can be targeted to certain facilities that may particularly benefit from the enhanced protections, as opposed to mandatory requirements that apply across the utility’s assets.
- The financial incentives are available for cutting-edge security improvements that are unlikely to ever be mandatory or would not be appropriately applied to all bulk electric system assets.
Comments on the proposal are due 60 days after the NOPR’s publication in the Federal Register. Reply comments are due 30 days later.