Norton Rose Fulbright - Data Protection Report blog

On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”). (86 Fed. Reg. 8309-8325 (Feb. 5, 2021).)

To obtain the incentive, these voluntary measures must “materially enhance the cybersecurity posture of the bulk-power system by enhancing the applicants’ cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.” The proposed incentive-based treatments for cybersecurity investments would also be available to non-public utilities to the extent that they have FERC-jurisdictional rates.

Background

The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the bulk electric system if compromised. Most requirements in the CIP Reliability Standards apply to high and medium impact systems. There are 10 CIP Reliability Standards in scope for the proposed regulation; the physical security standard is not in scope. The ten in-scope standards cover a wide range of security areas, including training, protecting the perimeter, incident response, and supply chain.

Because technology changes faster than regulatory standards, in 2020, FERC staff “reasoned that an incentive-based framework would allow a public utility to tailor its request for incentives to the potential challenges it faces and take responsive action. Commission staff explained that, in the future, these voluntary actions taken by public utilities, if proven beneficial, could be the basis of future CIP Reliability Standards that would be mandatory.” Consequently, the proposed regulation also incentivizes speed in making requests: the incentive would exist only while the cybersecurity measure was voluntary. Once the measure became required, the incentive would end.

FERC provided an example of a cybersecurity initiative that could qualify for an incentive:

Under this proposal, one example of an investment that could warrant an incentive as automated and continuous monitoring would be for a public utility to install a dynamic asset management program to improve its ability to quickly detect and address new or previously unknown equipment on its network. Unknown and unattended equipment can present significant vulnerabilities and threats to both the information technology and operational technology networks. Implementing a process that automatically and continuously scans the current inventory of hardware and software across both the information technology and operational technology networks can identify, block, log and report any unauthorized access.
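To make the monitoring idea in FERC’s example concrete, the following is an added illustration (not code from FERC or from this post) of the core of such a continuous inventory check: each discovery sweep is reconciled against an authorized-asset baseline, unknown devices are logged with first/last-seen times and sighting counts, and the report orders OT findings first. The baseline, zone names and scan records are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed baseline of authorized assets, keyed by MAC address,
# spanning both the IT and OT networks (sample data, not a real inventory).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"host": "hmi-01", "zone": "OT"},
    "00:1a:2b:3c:4d:02": {"host": "plc-07", "zone": "OT"},
    "00:1a:2b:3c:4d:10": {"host": "fileserver", "zone": "IT"},
}

@dataclass
class Finding:
    mac: str
    zone: str
    first_seen: str
    last_seen: str
    sightings: int = 1

@dataclass
class InventoryMonitor:
    """Keeps state between sweeps so 'new' and 'previously unknown but
    still present' equipment can be told apart."""
    authorized: dict
    unknown: dict = field(default_factory=dict)

    def process_scan(self, scan_time: str, observed: list) -> list:
        """observed: (mac, zone) pairs from one discovery sweep.
        Returns alert lines for devices first seen in this sweep only;
        repeat sightings just update the existing finding."""
        alerts = []
        for mac, zone in observed:
            if mac in self.authorized:
                continue
            if mac in self.unknown:
                f = self.unknown[mac]
                f.last_seen = scan_time
                f.sightings += 1
            else:
                self.unknown[mac] = Finding(mac, zone, scan_time, scan_time)
                alerts.append(f"{scan_time} NEW unauthorized device {mac} in {zone}")
        return alerts

    def report(self) -> list:
        """Persisting unknowns; OT first, since OT exposure is the higher-impact case."""
        return sorted(self.unknown.values(), key=lambda f: (f.zone != "OT", f.mac))

if __name__ == "__main__":
    m = InventoryMonitor(AUTHORIZED)
    print(m.process_scan("2021-02-05T00:00", [("00:1a:2b:3c:4d:01", "OT"), ("aa:bb:cc:dd:ee:ff", "OT")]))
    print(m.process_scan("2021-02-05T01:00", [("aa:bb:cc:dd:ee:ff", "OT"), ("11:22:33:44:55:66", "IT")]))
    print(m.report())
```

Blocking and reporting to the SOC would hang off the returned alerts and findings; the state kept in `unknown` is what lets a periodic report show how long an unauthorized device has been present.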

The proposed incentives

FERC proposed two approaches for cybersecurity investment incentives. The NERC CIP Incentives approach allows public utilities to receive incentive rate treatment for voluntarily applying CIP Reliability Standards to facilities that are not currently subject to those requirements. For example, investments made by public utilities to make a low impact BES Cyber System meet the requirements applicable to medium or high impact BES Cyber Systems would qualify for the incentives and applicants receive a rebuttable presumption of qualification when applying for the incentives. The second incentive approach allows a public utility to receive incentive rate treatment for implementing certain security controls included in the NIST Framework that are deemed most likely to provide a significant benefit to the cybersecurity of transmission facilities and the BES. Although FERC considered five categories of security controls under the NIST Framework for inclusion in the incentive program, FERC proposes to only consider automated and continuous monitoring security controls initially (which includes, for example, investments in end-point detection and response tools, advanced email threat prevention solutions, and dynamic assessment management tools), but may add more categories in the future.

FERC proposes two methods for public utilities to obtain the cybersecurity investment incentives:

  1. Public utilities making certain cybersecurity investments may request a 200-basis-point increase in the rate of return on equity (ROE) applicable to those capital investments. Such cybersecurity investments would include investments following specific CIP Reliability Standards and/or standards and guidelines from the NIST Framework.
  2. A public utility may seek deferred cost recovery for certain cybersecurity investments. FERC proposes that only expenses for activities that go above and beyond actions required to comply with the CIP Reliability Standards be eligible for these incentives. The deferred cost recovery would apply to three categories of expenses:

(1) Expenses associated with third-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule; and (3) other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments. In all such cases, eligible costs would be limited to costs associated with implementing cybersecurity upgrades and would not include ongoing costs including system maintenance, surveillance, and other labor costs, either in the form of employee salaries or third-party service contracts. Furthermore, we propose that the deferred regulatory assets whose costs are typically expensed should be amortized over a five-year period.

The proposed regulations would require the utility to make a filing for FERC approval pursuant to FPA section 205 and receive such approval prior to implementing the proposed incentives in its FERC-jurisdictional rates. The proposed regulation lists several mandatory elements to the filing, including the assets that would be affected by the increased cybersecurity, the utility’s current security posture, the costs and expenses of the proposed measures, and the type of incentive the utility is seeking. If the utility receives the incentive, the proposed regulations would require additional reporting within 120 days of completion of the cybersecurity upgrades, and annual reporting thereafter.

FERC recognizes that utilities may consider some of the information requested in these public filings to be confidential. The proposal states “if a public utility applying for incentive rate treatment under this rule is concerned that the information contained in an application for incentives could lead to the disclosure of confidential information or CEII related to its cybersecurity systems, the public utility could request protection of its information pursuant to these procedures.” FERC noted that it expects such requests to be “specific and limited.” In addition, the public portion of the filing must “contain sufficient information for ratepayers to judge the rate impact and scope of the proposed incentives, including the general approach adopted.”

Our take

Public utilities are facing increasingly complex cybersecurity challenges that are evolving at a faster pace than the CIP Reliability Standards can be updated. Recognizing this fact, FERC’s proposed regulations are designed to encourage public utilities to invest in cybersecurity measures that go beyond the minimum requirements set forth in the CIP Reliability Standards. Because the CIP Reliability Standards do not specify a particular method or technology, cybersecurity measures that qualify for an incentive when proposed by one utility may not qualify when proposed by another. Additionally, the proposed regulations are designed to encourage public utilities to make investments quickly, because once NERC makes cybersecurity activities and investments mandatory, only public utilities that already received approval for the incentives will continue to be eligible for the incentive program. Comments are due Tuesday, April 6, 2021. Reply comments are due Thursday, May 6, 2021.