Newsletter
Empowered
September 27, 2024
In response to a directive from the U.S. Congress, FERC issued Order No. 893, which provides incentive-based rates to public and non-public utilities to encourage voluntary investment in advanced cybersecurity technologies (1) and participation in cybersecurity threat information sharing programs such as the U.S. Department of State. (2) Although aspects of the final rule were hotly contested and the Commission’s final rule sought to compromise between competing proposals, based on the evidence to date, FERC’s decisions have not yet been successful in achieving the main purpose of providing incentives to encourage increased cybersecurity protection.
Background
The Commission promulgated Order No. 893 under Section 40123 of the Infrastructure Investment and Jobs Act directing FERC to promulgate regulations establishing incentive-based rates for public utilities. (3)
The final rule allows both public and non-public utilities that have or will have a fee registration with FERC to apply for incentive-based fee treatment for eligible cybersecurity investments. However, utilities cannot receive incentive-based fees for cybersecurity investments associated with market-based sales of energy, capacity, or ancillary services. Instead, such utilities must separately submit a cost of service fee to FERC under FPA 205. (4)
Investments may be subject to incentive-based fees if they relate to advanced cybersecurity technology or costs associated with participating in a cybersecurity threat information sharing program. Advanced cybersecurity technology includes both products and services. Cybersecurity products include hardware, software, or other types of IT systems (5). Cybersecurity services, on the other hand, include system installation and maintenance, network management, and asset management (6).
There is a two-step process to determine whether an investment in advanced cybersecurity technology or a cybersecurity threat information sharing program qualifies for incentive-based treatment. Investments must (1) result in significant improvements in cybersecurity, and (2) be voluntary.
Investments in either advanced cybersecurity technology or participation in cybersecurity threat information sharing programs are estimated to significantly improve cybersecurity. (7) For an investment to be voluntary, it cannot be: mandated by reliability standards maintained by the Electrical Reliability Authority; mandated by local, state, or federal law; an action taken pursuant to the terms of a federal or state agency merger or a consent order from a federal or state agency; or an action taken pursuant to a settlement agreement resolving a dispute between an electric utility and a public or private party. (8)
FERC has two approaches to determining whether voluntary cybersecurity investments meet eligibility criteria, the first being the pre-qualified (PQ) listing. Cybersecurity investments on the PQ list have rebuttable presumptive eligibility for incentive-based fee treatment. This presumption may be countered by protesters who show that investments in PQ listings do not substantially improve a utility’s cybersecurity, given the utility’s unique circumstances (9).
In this rule, FERC included only two types of investments on the PQ list: (1) cybersecurity investments related to participation in CRISP, and (2) cybersecurity investments related to internal network security monitoring within a utility’s information technology and/or operational technology cyber systems.
The second approach to determining eligibility for voluntary cybersecurity benefits is a case-by-case review. If a cybersecurity investment is not on the PQ list, FERC will conduct a case-by-case review to determine whether the investment substantially improves cybersecurity and is voluntary. On a case-by-case review, the burden is on the utility to demonstrate that the investment significantly improves cybersecurity and qualifies for incentive-based rate treatment. (10) Under either the PQ or the case-by-case pathway, rates are approved only where the final rate is fair and reasonable.
Incremental improvements are subject to incentive-based pricing. If the investment in cybersecurity results in the utility not only meeting the required reliability standards, but also providing cybersecurity benefits that exceed those standards, the additional investment that exceeds the reliability standards is eligible for incentive-based fee treatment (11).
Investments that lead to early compliance with future reliability standards are also eligible for incentive-based fees. When utilities make investments in cybersecurity to prepare for future reliability standards, those investments will be eligible for incentive-based rate treatment until reliability standards become mandatory. (12) For example, if a utility upgrades in January to comply with a reliability standard that becomes mandatory in July, it is eligible for incentive-based rates for six months.
FERC allows utilities to treat eligible cybersecurity investments as regulatory assets and include them in their transmission rate base. (13) Utilities may seek this enhanced recovery for a variety of costs, including operation and maintenance costs, labor costs, implementation costs, and network monitoring. (14) Utilities may take advantage of incentive-based rate recovery for up to five years and must submit an annual information report to the Commission during the period of the cybersecurity incentive. (15)
No incentives have been granted to date.
As of this writing, despite media coverage of this incentive, not a single utility has begun the application process. Because the purpose of this law is to incentivize utilities to strengthen their cybersecurity by providing financial incentives, the lack of such filings suggests that FERC may have misjudged the extent of incentives needed.
Whether utilities seek financial incentives reflects basic economic principles. If the economic benefit is worth the effort, utilities will seek it. The fact that no utility has submitted an application indicates that the financial incentives are not worth the effort; in other words, the financial incentives are not high enough to encourage the investment that Congress wants.
In this case, there are several possible reasons.
Financial incentives are too low. Investments on the PQ list, and most other cybersecurity investments, can be in the low millions of dollars. The incentives provided by FERC are limited to generating revenue on a fee basis by treating these costs as regulatory assets. Essentially, utilities can earn a return on equity from these multi-million dollar costs over an amortization period of up to five years. On a practical level, this does not provide meaningful funding to utilities, especially when you consider offsetting the costs of seeking incentives.
PQ lists have limitations. Although the PQ list is intended to provide an efficient mechanism for identifying pre-approved cybersecurity investments (under rebuttable presumptions) for incentive treatment, the list currently includes only two types of investments. One is related to participating in CRISP and the other is related to internal network security monitoring. FERC rejected the addition of other threat intelligence programs or cybersecurity technologies recommended by industry commenters, citing the proposals’ lack of specificity or, in some cases, a lack of reliability as to whether they would significantly improve utilities’ cybersecurity. FERC maintains that it may change the PQ list in the future, but the limited coverage of the PQ list may have thwarted utility interest in the original incentive program.
Legal proceedings are uncertain and can be costly. Applicants seeking incentives will be required to file complex fee filings with FERC, which may be subject to appeals. Particularly if complex issues are raised by protesters surrounding the technology or its implementation, FERC could set the entire dispute up for settlement and hearing, at which point the litigation costs could outweigh the value of the incentives. To avoid prolonging the process, applicants are incentivized to reduce the value of their requested incentives, further undermining the value of the process. FERC is trying to minimize this for the two items on the PQ list, but it remains unclear whether this will actually speed up the process.
We recommend that those selling market-based rates refrain from applying. While most transmission utilities operate on cost-based rates, where incentives are relatively common, many electricity sales businesses in the United States operate on negotiated rates. FERC’s final rule completely excluded such sellers, despite the fact that large-scale power generation losses due to cyberattacks could cause large-scale grid disruptions. Such utilities may seek cost-of-service rates for such incentives, but must establish the necessary complex FERC accounting and recordkeeping controls to prepare and track the incentives. Market-based rate sellers are typically exempt from these requirements, so this creates another significant cost that may not be recoverable.
At this time, there is no clear indication that FERC plans to take steps to reconsider and restructure its cybersecurity incentive policies to garner interest from utilities. As a result, Congress’s directives are, for all practical purposes, unfulfilled.
(1) Defined as any technology, operational capability, or service, including computer hardware, software, or related assets, that enhances a public utility’s security posture through improved ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in section 102 of the Cybersecurity Act 2015). Incentives for Advanced Cybersecurity Investments, Order No. 893, 183 FERC ¶ 61,033, at P 27 (2023).
(2) Ibid. at PP 1, 23.
(3) 16 USC § 824s-1.
(4) Order No. 893, 183 FERC ¶ 61,033, P 26.
(5) Ibid. at P 4.
(6) Ibid. at P 5.
(7) In determining which cybersecurity investments will significantly improve a utility’s security posture, the Commission will consider the following sources of information: (1) security controls listed in the NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog; (2) security controls that meet the objectives in the technical subcategories of the NIST Cybersecurity Framework; (3) specific cybersecurity recommendations from relevant federal authorities (e.g., DHS’s CISA, FBI, NSA, DOE); (4) participation in relevant cybersecurity threat information sharing programs; and/or (5) achieving and maintaining one or more C2M2 domains at the highest maturity indicator level. Ibid. at P 40.
(8) Ibid. at P 45.
(9) Ibid. at P 64.
(10) Ibid. at P 107.
(11) Ibid. at P 47.
(12) Ibid. at P 117.
(13) Ibid. at P 135.
(14) Ibid. at P 147.
(15) Ibid. at PP 172, 193.