Summary: The electric grid of the United States is a prime target for cyberattacks, particularly those launched by nation-state actors and organized crime. Due in part to the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) reliability standards, electric utilities have strengthened their cybersecurity defenses faster than most of the energy sector. Even so, the federal government may soon offer financial incentives to power utilities that adopt cybersecurity safeguards beyond what the CIP standards and other requirements mandate.

As directed by the Infrastructure Investment and Jobs Act of 2021 (IIJA), on September 22, 2022, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (Cybersecurity NOPR) to establish incentive-based rate treatments for utilities’ investment in advanced cybersecurity technologies and participation in cybersecurity threat information sharing programs.

Cybersecurity NOPR Overview

The Cybersecurity NOPR arrives during a hectic year for energy industry cybersecurity. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed by Congress earlier this year. It includes incident and ransom payment reporting requirements applicable to the electric and natural gas industries, as well as to other operators of critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) has initiated the rulemaking process to implement these reporting obligations. In addition, the Transportation Security Administration published a new Security Directive for critical pipelines and liquefied natural gas facilities.

The Cybersecurity NOPR proposes several changes to FERC’s electric transmission incentives policy under Section 219A of the Federal Power Act (FPA). Most notably, it would allow utilities to earn an additional 200 basis points (referred to by FERC as an “adder”) on their allowed return on equity (ROE) for certain cybersecurity investments, or alternatively to defer cost recovery for those expenditures.

Under IIJA, advanced cybersecurity technologies eligible for the incentive program may include:

  • Cybersecurity products like security information and event management (SIEM), intrusion detection or prevention systems (IDS/IPS), encryption tools, data loss prevention (DLP) systems, and authentication solutions
  • Cybersecurity services like network administration, vulnerability management, incident response, training, and disaster recovery

Concerning participation in cybersecurity threat information-sharing programs, the Cybersecurity NOPR states that the proposed incentive-based rate treatments are intended to overcome existing barriers to information sharing, such as the cost of participating.

The NOPR makes proposals and solicits comment on a number of topics, including:

  1. Criteria for acceptable spending on cybersecurity
  2. Methodologies for determining the eligibility of cybersecurity expenditures, including whether FERC should maintain a list of presumed acceptable spending or use a case-by-case approach
  3. Rate incentives and structures proposed
  4. Incentive implementation, duration, and filing and reporting requirements.

Comments on the NOPR are due 30 days after publication in the Federal Register, with reply comments due 15 days later. IIJA mandates that FERC issue a final rule no later than May 2023, so the Commission will need to act expeditiously to complete the rulemaking.

Significant Steps to Encourage Voluntary Cybersecurity Measures

Certain cybersecurity protections are already mandated by the NERC CIP reliability standards, and FERC has proposed to expand those mandates in a separate proceeding. The Cybersecurity NOPR goes further by seeking to incentivize investments that exceed the safeguards already required by the CIP reliability standards or by federal law.

To be eligible for an incentive under the Cybersecurity NOPR, an expenditure must

  1. be voluntary, i.e., not mandated by the CIP reliability standards or any applicable laws, and
  2. “materially improve cybersecurity,” either through investment in advanced cybersecurity technology or participation in cybersecurity threat information sharing programs.

In deciding whether an expenditure would materially improve cybersecurity, FERC refers to several federal government cybersecurity resources, including NIST SP 800-53, the NIST Cybersecurity Framework, and guidance from CISA and the Department of Energy (DOE).

The Cybersecurity NOPR proposes establishing a list of prequalified expenditures (PQ list) that would receive a rebuttable presumption of eligibility for rate incentives. The PQ list would be updated periodically but would initially include costs associated with participation in the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and costs associated with internal network security monitoring within a utility’s cyber systems. FERC also indicated that it is prepared to evaluate eligibility on a case-by-case basis for expenditures not on the PQ list, but emphasized that no presumption of eligibility would apply under that approach.

Not everyone believes that an incentive-based program is the most effective way to improve cybersecurity. While FERC Commissioner Phillips supported the proposal as a “gap-filling measure” to address rapidly emerging risks until mandatory standards can be established, FERC Chairman Glick expressed concern that cybersecurity is better addressed through mandatory standards from the outset.

Until FERC issues a final rule, utilities will have to decide whether to prepare for an incentive-based approach to cybersecurity investment or to begin preparing for the prospect of additional mandatory standards. Either way, electric grid utilities can get advice on how to comply with all applicable regulations by speaking to an expert, such as the ones we have at ITEGRITI. Get in touch and let us guide you through the regulatory landscape.