The Federal Energy Regulatory Commission on Thursday proposed incentives for utilities to make certain cybersecurity investments on a voluntary basis. The proposal is required by the Infrastructure Investment and Jobs Act.
The proposed incentives, including an extra 2% return on equity, would cover advanced cybersecurity technology and utility participation in cybersecurity threat information sharing programs.
However, FERC Chairman Richard Glick said he had “significant concerns” that cyber threats may be better addressed through mandatory standards instead of incentives for voluntary measures. “If we incentivize an activity, some utilities might engage in that investment or participate in certain programs and other utilities might not,” Glick said during the agency’s monthly meeting. “And as we know, it just takes one weak link in the whole system to potentially cause major catastrophic damage.”
Under the proposed rule, incentive-eligible expenditures must materially improve cybersecurity and they cannot already be required by the North American Electric Reliability Corp.’s Critical Infrastructure Protection reliability standards or by law.
FERC proposed adopting a list of prequalified, or PQ, measures that would be presumed to be eligible for incentives. The list would be periodically updated, according to the proposal.
The agency also proposed starting the PQ list with two measures: expenditures associated with participating in the Department of Energy’s Cybersecurity Risk Information Sharing Program and expenditures related to internal network security monitoring within a utility’s cyber systems.
“With the commission having pre-reviewed potential PQ List items, we believe that utility-specific incentive filings could be substantially streamlined compared to use of a case-by-case approach,” FERC said in the proposal.
But FERC said it is also open to assessing cybersecurity expenditures using a case-by-case approach.
Besides garnering an extra 2% on the equity portion of its expenditures, a utility could opt to defer cost recovery for eligible expenditures, enabling it to defer expenses and include the unamortized portion in its rate base, according to the proposal. A utility could take advantage of the incentives for a specific investment for no more than five years.
FERC Commissioner Allison Clements said the incentive proposal could help fill a gap compared to mandatory standards, which Clements and other commissioners noted can take a long time to develop.
“Our CIP standards are foundational and are respected as strong, and they should stay as current as we can make them,” Clements said. “As a practical matter, I am interested in [the] role that this proposal can play in helping to fill that gap relative to getting stronger rules in place, because the administrative process doesn’t keep up with the ever-evolving threat.”
Mandatory standards may be the best approach to cybersecurity, but the standards take a long time to be developed, according to FERC Commissioner James Danly.
“It is a slow-moving process in what is probably the fastest moving field in our security concerns,” Danly said.
Mandatory cybersecurity standards are “a great foundation,” but take too long to develop, FERC Commissioner Willie Phillips said, adding that he strongly supports the proposal.
“We absolutely need to make sure our utilities don’t do the bare minimum but they’re reaching for the sky,” Phillips said, pointing to the Colonial Pipeline hack in May and cyber warfare in Ukraine as examples of the threats utilities face.
FERC Commissioner Mark Christie echoed Glick’s concerns about taking an incentive-based approach to cybersecurity threats while also questioning whether utilities should be given an extra 2% ROE for “doing what they ought to be doing anyway.”
“There’s a reason why these adders have come to be known as ‘FERC candy,’” Christie said. “They’re really sweet for those who get it, but not the consumers who have to pay for it.”
FERC in December 2020 issued a proposed cybersecurity incentive rule, but that proposal is superseded by the latest proposal.
Comments on the proposal are due 30 days after it is published in the Federal Register. The infrastructure law requires FERC to issue a rule by May.