Following a directive from the US Congress, FERC issued Order No. 893, providing incentive-based rates for public and nonpublic utilities to encourage voluntary investments in Advanced Cybersecurity Technology[1] and participation in cybersecurity threat information sharing programs, such as the US Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP).[2] Aspects of the final rule were hotly contested and the Commission’s final rule sought a middle ground between competing proposals, but, based on the evidence to date, FERC’s decision has not yet succeeded in accomplishing its primary objective: granting incentives that encourage heightened cybersecurity protections.
BACKGROUND
The Commission promulgated Order No. 893 pursuant to Section 40123 of the Infrastructure Investment and Jobs Act, which directed FERC to promulgate a rule to establish incentive-based rates for utilities.[3]
Under the final rule, both public and nonpublic utilities that have or will have a rate on file with FERC may apply for incentive-based rate treatment for eligible cybersecurity investments. However, utilities may not receive incentive-based rates on cybersecurity investments related to market-based sales of energy, capacity, or ancillary services. Instead, they must make a separate cost-of-service rate filing with FERC under FPA 205.[4]
Investments may be eligible for incentive-based rates if they are in Advanced Cybersecurity Technology or are expenses related to participation in a cybersecurity threat information sharing program. Advanced Cybersecurity Technology includes both products and services. Cybersecurity products include hardware, software, or other types of IT systems,[5] while cybersecurity services include system installation and maintenance, network administration, and asset management.[6]
There is a two-step process to determine whether Advanced Cybersecurity Technology or cybersecurity threat information sharing program investments are eligible for incentive-based treatment: investments must (1) materially improve cybersecurity and (2) be voluntary.
An investment will be presumed to materially improve cybersecurity if it is for either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program.[7] In order for an investment to be voluntary, the investment cannot be mandated by Reliability Standards maintained by an Electric Reliability Organization; mandated by local, state, or federal law; an action taken in response to a federal or state agency merger condition or consent decree from a federal or state agency; or an action taken in response to a settlement agreement that resolves a dispute between a utility and a public or private party.[8]
FERC has two approaches for determining if a voluntary cybersecurity investment satisfies the eligibility criteria, the first being the prequalified (PQ) list. Any cybersecurity investment that is on the PQ list is entitled to a rebuttable presumption of eligibility for incentive-based rate treatment. This presumption may be rebutted by a protestor demonstrating that, given the unique circumstances of the utility, the investment on the PQ list does not materially improve the utility’s cybersecurity.[9]
In the rule, FERC included only two types of investments on the PQ list: (1) cybersecurity investments associated with participation in CRISP and (2) cybersecurity investments associated with internal network security monitoring within the utility’s information technology and/or operational technology cyber systems.
The second approach to determine whether a voluntary cybersecurity investment is eligible is a case-by-case review. If a cybersecurity investment is not on the PQ list, FERC will conduct a case-specific review to see whether the investment materially improves cybersecurity and is voluntary. In a case-by-case review, the burden is on the utility to prove the investment materially improves cybersecurity and therefore is eligible to receive incentive-based rate treatment.[10] Rates will only be approved under the PQ or case-by-case pathway if the final rate is just and reasonable.
Incremental improvements are eligible for incentive-based rates. Where a cybersecurity investment results in a utility not only meeting a mandatory Reliability Standard, but also providing cybersecurity benefits exceeding those standards, the incremental investment that resulted in the utility exceeding Reliability Standards is eligible for incentive-based rate treatment.[11]
Investments resulting in early adherence to forthcoming Reliability Standards are also eligible for incentive-based rates. If a utility makes a cybersecurity investment in preparation for a forthcoming Reliability Standard, that investment is eligible for incentive-based rate treatment until the Reliability Standard becomes mandatory.[12] For example, if a utility makes an upgrade in January to comply with a Reliability Standard that will become mandatory in July, it is eligible for incentive-based rates for six months.
FERC allows utilities to treat eligible cybersecurity investments as regulatory assets and include those assets in the transmission rate base.[13] Utilities may seek this enhanced recovery for a range of expenses, including operation and maintenance expenses, labor costs, implementation costs, network monitoring, and training costs.[14] Utilities may use incentive-based rate recovery for up to five years and must submit annual informational reports to the Commission for the duration of the cybersecurity incentive.[15]
NO INCENTIVES GRANTED TO DATE
As of the writing of this article, despite the press surrounding the incentives, not a single utility has initiated the application process. As the purpose of the law is to encourage utilities to enhance cybersecurity by providing financial incentives, the lack of such applications suggests FERC misjudged how much of an incentive is necessary.
Whether a utility seeks a financial incentive reflects basic economic principles—if the financial benefit is worth the effort, utilities will seek it. The fact that no utility has submitted an application demonstrates that the financial incentives are not worth the effort they would take, which in turn means that the financial incentives are not high enough to encourage the investments Congress wants to see.
There are a few likely reasons why this is the case:
- The financial incentives are too low. The investments on the PQ list as well as most other cybersecurity investments are likely to be in the low millions of dollars. The incentives offered by FERC are limited to earn a return on these costs in rate base by treating them as a regulatory asset. Essentially, the utility will earn its return on equity on these few millions in costs over an amortization period of up to five years. On a practical level, that does not provide meaningful dollars to the utility, particularly given the offsetting costs of seeking the incentive.
- The PQ list is limited. The PQ list is intended to provide an efficient mechanism for identifying cybersecurity investments that are precleared (under a rebuttable presumption) for incentive treatment, but the list currently contains only two types of investments: those associated with CRISP participation and internal network security monitoring. FERC declined to add other threat information programs and cybersecurity technologies recommended by industry commenters, citing a lack of specificity in the proposals or, in some cases, a lack of confidence that the proposals would materially improve utility cybersecurity. Limiting the inclusions on the PQ list may have deterred initial utility interest in the incentive program, although FERC claims it is open to modifying the PQ list in the future.
- The legal process is uncertain and could be expensive. Any applicant seeking incentives would need to make a complex rate filing with FERC, which could be protested. Particularly if complex issues are raised by a protestor surrounding the technology or its implementation, FERC could set the entire dispute for settlement and hearing, at which point legal fees are likely to overwhelm the value of the incentive. To avoid a drawn-out process, applicants will be incentivized to reduce the value of their requested incentive, further undermining the value of the process. FERC has tried to minimize this for the two items on the PQ list but it remains unclear whether this will expedite the process in practice.
- Market-based rate sellers are discouraged from applying. Although most transmission providers operate under cost-based rates in which incentives are relatively common, much of the power sales business in the United States operates under negotiated rates. FERC’s final rule excluded such sellers entirely despite the fact that the loss of significant generation to cyberattacks could cause a major grid disturbance. Such utilities could seek a cost-of-service rate for such incentives, but they would need to establish the necessary complex FERC accounting and recordkeeping controls in order to prepare and track the incentives. As market-based rate sellers are generally exempt from those requirements, this creates another major cost that would not be recoverable.
At this point there is nothing that clearly shows FERC plans to take action to reexamine its cybersecurity incentives policy and reconfigure it to generate interest from utilities. As a result, the implication is that Congress’s directive will, for all practical purposes, go unfulfilled.
[1] Defined as any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in Section 102 of the Cybersecurity Act of 2015). Incentives for Advanced Cybersecurity Investment, Order No. 893, 183 FERC ¶ 61,033, at 27 (2023).
[2] Id. at PP 1, 23.
[3] 16 USC § 824s-1.
[4] Order No. 893, 183 FERC ¶ 61,033 at P 26.
[5] Id. at P 4.
[6] Id. at P 5.
[7] In determining which cybersecurity investments will materially improve a utility’s security posture, the Commission will consider the following sources: (1) security controls enumerated in the NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog; (2) security controls satisfying an objective found in the NIST Cybersecurity Framework technical subcategory; (3) a specific cybersecurity recommendation from a relevant federal authority (e.g., DHS’s CISA, FBI, NSA, DOE); (4) participation in a relevant cybersecurity threat information sharing program; and/or (5) achieving and sustaining one or more of the C2M2 Domains at the highest Maturity Indicator Level. Id. at P 40.
[8] Id. at P 45.
[9] Id. at P 64.
[10] Id. at P 107.
[11] Id. at P 47.
[12] Id. at P 117.
[13] Id. at P 135.
[14] Id. at P 147.
[15] Id. at PP 172, 193.