Carrot or Stick? FERC Grapples With How to Incentivize Electric Utility Cybersecurity Investments
The U.S. electric grid is a prime target for cyberattacks, including by nation-state actors and organized crime. Electric utilities have been ahead of much of the rest of the energy sector in hardening their cybersecurity defenses, owing in part to mandatory cybersecurity rules under the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) reliability standards. Even so, the federal government may soon be offering electric utilities financial incentives to adopt cybersecurity measures above and beyond the CIP standards and other requirements.
On September 22, 2022, the Federal Energy Regulatory Commission (FERC), as directed by the Infrastructure Investment and Jobs Act of 2021 (IIJA), issued a Notice of Proposed Rulemaking (Cybersecurity NOPR) to establish incentive-based rate treatments for utilities' investment in advanced cybersecurity technologies and participation in cybersecurity threat information sharing programs.
The Cybersecurity NOPR arrives during a busy year for cybersecurity in the energy sector. Earlier this year, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which includes incident and ransom payment reporting requirements applicable to the electric and natural gas industries, as well as to other critical infrastructure operators. As discussed in a recent blog post, the Cybersecurity & Infrastructure Security Agency (CISA) has publicly begun the rulemaking process to implement those reporting requirements. Additionally, the Transportation Security Administration recently issued a revised Security Directive for critical pipelines and liquefied natural gas facilities. We also discussed the new Security Directive on our blog.
The Cybersecurity NOPR in Docket No. RM22-19-000 proposes several changes to FERC's electric transmission incentives policy under Section 219A of the Federal Power Act (FPA), including, notably, allowing utilities to earn an additional 200 basis points (referred to by FERC as an "adder") to the allowed return on equity (ROE) for certain cybersecurity investments or, alternatively, to defer cost recovery for those expenditures.
Under IIJA, advanced cybersecurity technologies subject to the incentive program may include cybersecurity products, such as security information and event management (SIEM), intrusion detection or prevention systems (IDS/IPS), encryption tools, data loss prevention (DLP) systems, and access, authentication, or authorization solutions, or cybersecurity services, including network administration, vulnerability management, incident response, training, disaster recovery, and general consulting. With regard to participation in cybersecurity threat information sharing programs, the Cybersecurity NOPR states that the proposed incentive-based rate treatments are intended to help counteract existing barriers to information sharing, including the potentially high costs.
The NOPR sets forth proposals and solicits feedback on several topics, including:
- Criteria for eligible cybersecurity expenditures;
- Approaches for evaluating the eligibility of cybersecurity expenditures, including whether FERC should maintain a list of presumed eligible expenses or take a case-by-case approach;
- Proposed rate incentives and structures; and
- Incentive implementation, duration, and filing and reporting requirements.
Comments on the NOPR are due 30 days after publication in the Federal Register, with reply comments due 15 days later. The Commission will then need to act with relative haste to issue its final rulemaking, as IIJA requires FERC to issue a final rule no later than May 2023.
Big Steps for Incentivizing Voluntary Cybersecurity Measures
Certain cybersecurity measures are already required under the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) reliability standards, and FERC has already proposed to add to those existing requirements in a separate rulemaking proceeding in Docket No. RM22-3-000. However, the Cybersecurity NOPR goes even further by seeking to incentivize investments that exceed measures already mandated by CIP reliability standards or under local, state, or federal law.
To be eligible for an incentive under the Cybersecurity NOPR, an expenditure must both (i) be voluntary, i.e., not required under the CIP reliability standards or any applicable laws, and (ii) "materially improve cybersecurity," either through investment in advanced cybersecurity technology or participation in cybersecurity threat information sharing programs. FERC proposes to reference several federal government cybersecurity resources in determining whether an expenditure would materially improve cybersecurity, including NIST 800-53, the NIST Cybersecurity Framework, guidance from CISA or the Department of Energy (DOE), and others.
Big Questions Regarding Implementation
Beyond the general criteria for incentive eligibility, the Cybersecurity NOPR addresses three fundamental implementation issues: (1) FERC's approach for evaluating the eligibility of specific cybersecurity expenditures; (2) the form and structure of available incentives; and (3) the duration and reporting requirements associated with the proposed incentives.
Approaches for Evaluating Eligibility. With regard to determining eligibility for the proposed rate incentives, the Cybersecurity NOPR proposes to establish a list of prequalified expenditures that would be entitled to a rebuttable presumption of eligibility for incentives. The "PQ list" would need to be regularly updated but would initially include any expenditures associated with participating in the DOE's Cybersecurity Risk Information Sharing Program (CRISP) and expenditures related to internal network security monitoring within a utility's cyber systems. FERC also indicated a willingness to adopt a case-by-case eligibility determination but noted that there would be no presumption of eligibility under this approach.
Incentive Form and Structure. FERC proposes to explore two potential incentive options in the Cybersecurity NOPR: a 200-basis-point ROE adder applicable to incentive-eligible investments, or deferred cost recovery for qualified expenditures, which would allow utilities to earn a return on the unamortized portion of these costs. The Cybersecurity NOPR notes that the deferred cost recovery approach may be appropriate for expenditures incurred over time, such as for software subscriptions and vendor-provided services. Separately, and as specifically contemplated under IIJA, FERC seeks comment on whether appropriate metrics exist for establishing performance-based rate treatments with respect to cybersecurity investments.
Duration and Reporting. Consistent with FERC's approach to other incentive-based rate treatments, the Cybersecurity NOPR proposes that any utility seeking an incentive for eligible cybersecurity investments should do so in an FPA section 205 filing. For discrete investments in advanced cybersecurity technology, the Cybersecurity NOPR proposes an incentive duration of no longer than five years. For participation in cybersecurity threat information-sharing programs, FERC proposes to allow an exception to the five-year limitation, noting that unlike technology—which can become obsolete—information sharing enables utilities to stay apprised of emerging threats. The Cybersecurity NOPR proposes to require any utility that receives either of these incentives to make an annual informational filing by June 1, detailing the specific investments made.
Not everyone agrees that an incentive-based program is the best approach to improving cybersecurity. While FERC Commissioners Danly, Clements, and Phillips endorsed the proposal as a means of "gap filling" to address rapidly evolving threats until mandatory standards can be established, FERC Chairman Glick voiced concerns that cybersecurity is better addressed through mandatory standards at the outset. Commissioner Christie echoed Chairman Glick's concerns, and his position in prior ROE incentive proceedings, while also arguing against incentivizing any activities that utilities should be undertaking on their own initiative. Pending FERC's issuance of a final rule, utilities will need to decide whether to ready themselves for an incentive-based approach to cybersecurity investment going forward or start preparing for the possibility of mandatory standards.