Security and Resilience (Cyber and Physical)

APPA says FERC cybersecurity incentive proposals are not needed to promote investments

Cybersecurity incentive proposals included in a Notice of Proposed Rulemaking (NOPR) issued by the Federal Energy Regulatory Commission (FERC) are neither necessary nor appropriate to promote effective cybersecurity investment, the American Public Power Association (APPA) said in April 6 comments submitted to FERC.

Moreover, the proposals outlined by FERC do not satisfy the requirements for incentive rate mechanisms under the Federal Power Act (FPA), APPA said in urging the Commission not to adopt the NOPR’s incentive rate proposals. 

The NOPR follows a FERC staff white paper issued in June 2020 that outlined an incentive framework for cybersecurity investments similar to the proposals included in the NOPR. 

APPA filed comments and reply comments in response to the white paper opposing the proposed incentives, while also making a number of recommendations regarding the structure and implementation of any cybersecurity incentive program the Commission chose to adopt.

The NOPR proposes an incentive rate framework intended to encourage voluntary cybersecurity investments that “go above and beyond” the current requirements of the Critical Infrastructure Protection (CIP) reliability standards established by the North American Electric Reliability Corporation (NERC), APPA noted.

The NOPR suggests that such investments could “materially enhance the cybersecurity posture of the Bulk-Power System by enhancing the applicants’ cybersecurity posture substantially above levels required by CIP reliability standards, to the benefit of ratepayers.”

The incentives would be available to public utilities, as well as “to non-public utilities to the extent that they have Commission-jurisdictional rates.”

In the context of FERC regulations, public utilities are defined as those that are Commission-jurisdictional (e.g., investor-owned utilities).

NOPR proposes two approaches

The NOPR proposes two cybersecurity investment approaches that may be eligible for incentives: the NERC CIP incentives approach and the National Institute of Standards and Technology (NIST) framework approach.

The NERC CIP incentives approach would award incentives for investments associated with voluntarily applying the CIP reliability standards to facilities that are not currently subject to the CIP requirements.

The NIST framework approach would award incentives for implementing certain security controls in the cybersecurity framework developed by NIST relating to automated and continuous monitoring.

Qualifying investments would be eligible for either a 200-basis-point return on equity adder (ROE Adder) or a “Regulatory Asset Incentive” that would permit deferred cost recovery, with a return, for several categories of costs that have traditionally been treated as expenses.

Public utilities would not be eligible to receive the ROE Adder and the Regulatory Asset Incentive for the same expenditures.

APPA said that it recognizes that today’s electric grid faces increasing cybersecurity risks, and it appreciates the Commission’s efforts to assess how its policies might be best shaped to allow the industry to respond to these threats. 

“APPA respectfully submits, however, that the incentive program outlined in the NOPR is neither necessary nor appropriate to promote prudent public utility investment in cybersecurity measures. On the contrary if adopted, the White Paper framework could result in investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return,” the trade group said in the comments.

As an initial matter, the NOPR does not establish that the Commission has the authority to grant incentives to promote cybersecurity under its general ratemaking authority, APPA argued.

“Even if the Commission possesses such authority under the FPA, the incentive framework proposed in the NOPR fails to meet the longstanding requirements for just and reasonable incentive rates, including quantified benefits to consumers,” it said.

Neither generic application of CIP reliability standard requirements to lower impact Bulk Electric System (BES) cyber systems that are not currently subject to those requirements, nor broad adoption of NIST Framework security controls would necessarily result in a meaningful increase in cybersecurity, as the NOPR appears to assume, APPA said.

“This is not to say that use of these approaches in certain circumstances would not have cybersecurity benefits, but APPA disputes the assumption that widespread adoption of these approaches as contemplated in the NOPR would be a cost-effective way of achieving meaningful cybersecurity outcomes.”

APPA went on to say that even in circumstances where more robust cybersecurity investment might be beneficial, new incentives would not be just and reasonable because they are not needed to promote such investment. 

It said that the record from a March 28, 2019, technical conference convened by the Commission and the Department of Energy strongly supports this conclusion, and that existing cost recovery mechanisms are sufficient to accommodate prudent cybersecurity investment.

If the Commission proceeds with the NOPR, APPA said that it should preserve the features of the proposed rule that will help protect customers and ensure transparency, including:

  • Public utilities will not be eligible to receive the ROE Adder and the Regulatory Asset Incentive for the same expenditures;
  • Only the portion of enterprise-wide cybersecurity investments allocable to the transmission function will be recoverable;
  • Rate incentives will be of limited duration;
  • An FPA section 205 filing will be required to receive incentives, and utilities will be required to submit subsequent informational filings; and
  • The ROE Adder will be capped at the high end of the zone of reasonableness.

Moreover, APPA said that FERC should adopt a number of clarifications or modifications to the proposed rule, including the following:

  • In applying the cap on ROE incentives, a public utility should be required to take into account ROE adders other than the cybersecurity investment adder;
  • Incentives should be limited to the portion of the overall project investment that the applicant demonstrates is necessary to produce significant reliability benefits beyond those provided by the current applicability of the CIP reliability standards;
  • Public utilities should not be permitted to collect an incentive ROE adder or the Regulatory Asset Incentive on cost overruns;
  • Public utilities should be required to identify quantifiable metrics to measure the expected benefits of the investments;
  • The initial compliance filing should be made prior to incentive rates going into effect, rather than within 120 days of the completion of the cybersecurity upgrades; and
  • Prompt reporting of non-compliance with the incentive criteria should be a condition of an award of incentives.