
FERC white paper seeks comments on grid cybersecurity incentives

Federal Energy Regulatory Commission (FERC) staff is seeking comments on a white paper that proposes “a new framework for providing transmission incentives to utilities for cybersecurity investments.”

FERC staff cited “the evolving and increasing threats to the cybersecurity of the electric grid” as the impetus for the Cybersecurity Incentives Policy white paper (Docket No. AD20-19-000).

In the paper, FERC staff aims to provide incentives for investments that go beyond the requirements of the Critical Infrastructure Protection (CIP) Reliability Standards that are promulgated by the North American Electric Reliability Corp. (NERC) and are under the jurisdiction of Section 215 of the Federal Power Act.

The white paper proposes “augmenting the current CIP Reliability Standards” under Section 215 with an incentive-based approach under Section 219 of the FPA that would encourage utilities to make cybersecurity investments on a voluntary basis. FERC staff suggests that those voluntary actions could, in the future, become the basis for mandatory CIP Reliability Standards.

In the paper, FERC staff argues that the current regime under Section 215 is not able to respond as quickly as needed to thwart rapidly evolving cyberattack threats. “It can take many months for a new standard to be developed, and once approved, it may be several more months or years before fully implemented and enforceable,” the paper says.

In addition, attackers can “exploit the interdependency of connected networks and equipment” to target facilities that might not be covered by CIP standards, which are geared to the wholesale or bulk electric system, FERC staff said, adding that the public and deliberative standards development process creates vulnerabilities that can be exploited by cyber attackers.

And, the paper notes, the grid operating environment can change rapidly, as seen in the response to the COVID-19 emergency. “As the power sector is adapting to expanded remote operations, there is the potential for increased vulnerabilities and potential amplification of the effect of cybersecurity threats,” making it important that utilities have “the ability to make cybersecurity investments to quickly and effectively adapt to address unforeseen circumstances.”

The white paper suggests that incentives for cybersecurity investments could include return on equity (ROE) adders, which could be as high as 200 basis points but would be subject to a sunset date, and non-ROE incentives, such as eligibility for construction work in progress, accelerated depreciation, and recovery of abandoned plant costs, which allows for some cost recovery of projects abandoned for reasons outside of a utility’s control. FERC staff also suggests that in some circumstances there could be consideration of allowing deferral and amortization of some costs that have traditionally been treated as expenses under FERC’s ratemaking policies.

The white paper describes two potential approaches to identifying eligible cybersecurity investments.

Under the first approach, a utility could seek incentives for investments for portions of its system that are not covered by CIP standards. CIP categorizes assets as high, medium, or low impact to the bulk electric system. Most CIP standards apply to high and medium impact systems. So, under the first approach a utility could apply standards applicable to high- and medium-risk assets to low-risk assets.

FERC staff notes two ways that this could be accomplished. First, the utility could implement medium or high impact CIP security controls for low or medium impact systems. Second, utilities could use a “hub-spoke method” for applying CIP standards to low impact systems. In that scenario, all the cyber communications to and from a low impact system must come from a medium or high impact system so that the cyber communication would be protected at a higher level before being transmitted to the low impact system.

In FERC staff’s second proposed approach, incentives would be awarded based on a utility voluntarily implementing portions of the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). CIP standards would still be considered the basis for granting cybersecurity incentives, but the approach would offer utilities “the flexibility of non-prescriptive implementation options to encourage utilities to exceed the CIP Reliability Standards.”

The white paper includes a list of specific questions regarding the proposals it outlines. Comments are due Aug. 17. Reply comments are due by Sept. 1, 2020.
