Security and Resilience (Cyber and Physical)

APPA says cybersecurity incentive program is not needed, could hike transmission costs

An incentive program for cybersecurity investments outlined in a recent Federal Energy Regulatory Commission staff White Paper is not needed to encourage investment in cybersecurity measures and could lead to investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return, the American Public Power Association recently said.

APPA on Aug. 17 submitted comments at FERC in response to the White Paper, which proposed a new framework for providing transmission incentives to utilities for cybersecurity investments. FERC staff cited “the evolving and increasing threats to the cybersecurity of the electric grid” as the impetus for the Cybersecurity Incentives Policy white paper (Docket No. AD20-19-000).

APPA said that it recognizes that today’s electric grid faces increasing cybersecurity risks, adding that it appreciates FERC staff’s efforts to evaluate how the Commission might facilitate utility investment that could mitigate these risks.

“APPA respectfully submits, however, that the incentive program outlined in the White Paper is not needed to promote prudent public utility investment in cybersecurity measures,” the trade group said.

“On the contrary if adopted, the White Paper framework could result in investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return,” APPA said.

APPA sees several threshold problems

APPA said that there are several threshold problems with the incentive approaches described in the White Paper.

First, neither generic application of North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) reliability standard requirements to lower impact Bulk Electric System (BES) cyber systems that are not currently subject to those requirements, nor broad adoption of National Institute of Standards and Technology (NIST) framework security controls “would necessarily result in a meaningful increase in cybersecurity, as the White Paper appears to assume,” APPA said.

“This is not to say that use of these approaches in certain circumstances would not have cybersecurity benefits, but APPA questions the assumption that widespread adoption of these approaches as contemplated in the White Paper would be a cost-effective way of achieving meaningful cybersecurity outcomes.”

Second, APPA argued that even in circumstances where more robust cybersecurity investment might be beneficial, new incentives or cost recovery mechanisms should not be necessary to promote it.

It said that the record from a March 2019 technical conference convened by the Commission and the Department of Energy strongly supports this conclusion. “Awarding incentives where they are not needed would contravene longstanding requirements for just and reasonable incentive rates,” APPA said.

Moreover, as the White Paper notes, it is not clear that incentives – particularly the proposed 200 basis point return on equity adder – would prompt utilities to make the investments that the White Paper describes, APPA told FERC.

“This lack of response would not be a problem to the extent that investments would not have substantially reduced cybersecurity risk, but if the Commission’s goal is to revise its policies to encourage prudent and cost-effective cybersecurity investment, ROE adders may not be an effective way to accomplish the goal.”

Rising transmission costs

APPA said that FERC must be cognizant of the fact that customers continue to incur rising transmission costs. 

While the trade group supports prudent expenditures to help secure the transmission system against cyber threats, it said that rate incentives that are unnecessary or even counter-productive will needlessly increase customer costs without providing commensurate consumer benefits. 

Unjustified incentives could be particularly problematic for public power utilities, many of which are dependent on public utilities for transmission service, APPA pointed out.  The costs of incentives paid by public power utilities in their transmission rates might be on top of infrastructure security costs incurred by public power utilities on their own systems to guard against growing cyber risks, it said.

APPA says FERC should adopt changes if it moves forward with White Paper proposal

If FERC decides to move forward with the White Paper proposal, it should adopt a number of changes and clarifications, APPA said.

Specifically, APPA argued that applicants under either of the two incentive approaches described in the White Paper should be required to demonstrate how the investments will directly result in significant cybersecurity benefits for Commission-jurisdictional transmission facilities, with reference to quantifiable metrics for the expected enhanced cybersecurity benefits.

APPA took issue with the White Paper’s proposal to presume that extending the application of CIP reliability standards to lower impact BES cyber systems will result in significant benefits.

In addition, an entity seeking an incentive should be required to show that there is at least a rational relationship between each incentive sought and the decision to invest in the project, consistent with the requirements of just and reasonable incentive rates.

APPA offered a number of other suggested changes including:

  • Incentives should be limited to the portion of the overall project investment that the applicant demonstrates is necessary to produce significant reliability benefits beyond those provided by the CIP reliability standards;
  • ROE adders should be limited to the cost of the project used in the application for incentives;
  • ROE adders on cybersecurity investment should be subject to any overall basis point cap on a utility’s ROE incentives; and
  • Any new incentive rules or policy grounded in FPA section 219 would need to be limited to cybersecurity investments that enhance the reliability of transmission facilities.

Reply comments

In reply comments filed on Sept. 1 at FERC in the proceeding, APPA said that if the Commission ultimately proceeds with an incentive program for cybersecurity investments, it should not accept calls to expand the program beyond the framework described in the White Paper.

FERC staff correctly recognizes that an incentive framework must include an approach for identifying the cybersecurity investments that FERC seeks to incentivize, APPA said.

An incentive program that allows utilities to request incentives for any activity or investment that provides a benefit to the reliability and security of the transmission system, or that allegedly constitutes an application of the NIST Framework, “does not clearly identify which investments are eligible for incentives.”

Such an approach would increase the likelihood that utilities would seek incentives for routine cybersecurity measures that are simply good utility practice, and it would exacerbate the already considerable challenges that would be presented in trying to assess “compliance” with the NIST framework under the White Paper’s proposal, APPA argued.

APPA went on to note that incentives under Federal Power Act section 219 are limited to those that promote investments in transmission facilities or technologies.

However, a number of commenters in the proceeding argued that the Commission should require transmission customers to fund incentives for enterprise-wide cybersecurity investments, or even cybersecurity expenditures by merchant generators.

“The commenters urging such broad eligibility for transmission incentives make no effort to reconcile their positions with the text of FPA section 219, even though the White Paper specifically requested input on this issue.”

Even if section 219 were not limited to incentives that promote transmission investment, cost causation principles would preclude requiring transmission customers under cost-based rates to subsidize cybersecurity investments benefitting other corporate businesses or functions, APPA said.