On June 18, 2020, the Federal Energy Regulatory Commission (FERC or the “Commission”) issued a Cybersecurity Incentives Policy White Paper (the “White Paper”). The White Paper, issued in Docket No. AD20-19-000, discusses a new framework for providing incentive rate treatment to utilities making investments in cybersecurity. Interested parties may submit comments through August 17, 2020, with reply comments due by September 1, 2020.

Background

Earlier this year, the Commission proposed to revise its existing transmission incentives policy under Section 219 of the Federal Power Act (FPA).1 Left out of that proposal was cybersecurity, an issue the Commission decided to address independently in a separate proceeding.2 The White Paper initiates that effort. Specifically, the White Paper discusses augmenting the current Critical Infrastructure Protection (CIP) Reliability Standards with an incentive-based approach pursuant to FPA Section 219.

The Commission's CIP Reliability Standards, promulgated under FPA Section 215, have served as FERC's primary tool for regulating cybersecurity practices. They require certain users, owners and operators of the bulk electric system to comply with requirements to safeguard critical transmission system assets. FERC categorizes assets according to the risk to the bulk electric system—high, medium or low—if the assets are compromised, with different requirements applying depending on the risk category. Most of the requirements apply to the high- and medium-risk categories.3

In the Commission's view, these standards establish an effective “technical baseline for cybersecurity practices,” but have limitations. For example, these mandatory standards are not particularly nimble in the face of rapidly evolving threats, nor do they apply to the full suite of operational technologies that can have an impact on the grid's security. The incentive-based approach contemplated in the White Paper is intended to encourage utilities to adopt best practices and make voluntary investments in cybersecurity.

The White Paper

The White Paper proposes two approaches for identifying investments eligible for incentives. Under the first approach, a utility could seek incentive treatment for applying CIP Reliability Standards requirements to transmission facilities that are not subject to those requirements. For example, the utility could propose to apply standards applicable to high- and medium-risk assets to low-risk assets. This approach has the benefit of using an existing, familiar set of requirements.

The second approach would be based on an entirely different set of standards—the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). Under this approach, an applicant would have to demonstrate that a cybersecurity investment meets NIST security controls and would exceed the requirements of the CIP Reliability Standards.

The Commission notes in the White Paper that utilities could be eligible for a return on equity (ROE) adder as high as 200 basis points under these contemplated reforms, although any such incentive treatment may be subject to a sunset provision.4 Given how quickly cybersecurity threats and best practices evolve, FERC proposes no more than three to five years as an appropriate sunset period. Moreover, the Commission notes the possibility that certain investments eligible for incentives may eventually become mandatory, in which case the incentive treatment would end at the earlier of the sunset date and the date when such investment(s) become mandatory.

As noted above, interested parties are invited to provide comments on the issues discussed in the White Paper. Parties may also address in their comments the 11 specific questions provided at the end of the White Paper.5

Footnotes

1 Elec. Transmission Incentives Policy Under Section 219 of the Fed. Power Act, Notice of Proposed Rulemaking, 170 FERC ¶ 61,204 (2020).

2 Id. P 5.

3 See White Paper, Appendix – CIP Reliability Standards Impact-Level Summary.

4 Non-ROE incentive rate treatment may be considered as well. Id. at 13.

5 See id. at 26-27.

Originally published 23 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.