Incentivizing Cybersecurity Investments in the U.S. Electric Grid

By Rick Mroz, former president, NJ Board of Public Utilities

A little more than one year ago, Protect Our Power and the Energy and Environment Institute at Vermont Law School (VLS) published a report identifying state-level challenges to improving the U.S. electric grid.  A main issue in that report were the challenges for smaller cooperative, municipal, and rural electric companies to invest in new and emerging technologies to guard against grid attacks, particularly sophisticated cyberattacks.

As the VLS report noted, the need for substantial cybersecurity investments is a relatively new phenomenon and have a unique profile that requires regulatory commissions to consider special and perhaps more flexible cost recovery mechanisms that are designed to incentivize investment while simultaneously protecting the public interest.

This situation is particularly vexing for smaller and non-profit utilities that may not have the revenues or rate bases to afford necessary investments, and the issue is elevated to a matter of broader national concern because the grid overall is only as strong, and secure, as its weakest link.  This is not meant to suggest that smaller utilities are weak links, per se, but rather to point out that this situation has the potential to affect our entire national electricity supply system and will likely require special attention and consideration.

Cybersecurity investments differ significantly from traditional utility infrastructure investments, with software, technology and training systems having lifespans in the range of 3 – 7 years,  as opposed to physical infrastructure such as poles and wires with lifespans of 30 to 40-years. And cybersecurity infrastructure is less likely to produce offsetting revenue increases or expense reductions.

Now a new survey from Moody’s Investors Service has found that “amid growing cyberattacks, survey results reveal disparities in levels of preparedness across electric utility types… Cybersecurity readiness tends to be stronger among large, privately owned regulated utilities than among state-owned or unregulated and not-for-profit power providers.”

The Moody’s survey involved 115 responses from utility companies across North America, Europe and the Asia Pacific region from March to September 2020, and found that “large, privately-owned, regulated utilities have more robust cyber risk governance and management practices in place than state-owned or unregulated and not-for-profit peers.

The survey also noted that “smaller utilities, not-for-profits in particular, favor a risk transfer approach to cyber risk mitigation.”  Transferring risk by purchasing cyber insurance is a passive approach, and therefore less expensive, as opposed to mitigating risks by proactively investing in equipment and systems that decrease or eliminate the likelihood of a successful attack.

According to the American Public Power Association (APPA), smaller utilities often choose the insurance approach because they face less risk and utilize information sharing tools among their peers to boost security.  Larger utilities have a “higher value as a target,” according to APPA, and therefore “have to invest more … to meet their needs and protect their assets.”

The Moody’s survey results align with the Protect Our Power/VLS report and further highlight the need to provide innovative and flexible incentive structures for cyber investment for all utilities — and especially for the smaller and non-profit utilities that deliver approximately 26 percent of the nation’s bulk electric power supply.  Regulators and government officials responsible for overseeing these electric systems need to actively consider such incentives.

A logical way to address this challenge is through alternative utility ratemaking options, the potential use of which raises key questions:

  • Does the commission/government oversight body have the authority to use an alternative rate mechanism?
  • Is use of the alternative rate mechanism necessary?
  • Is the alternative rate mechanism designed to protect the public interest?
  • Are there other mechanisms, structures, or programs already available to allow the investments to be made?

While the answers to these questions will vary state-to-state, and in most if not all instances will require legislative authorization, the reality is that utilities large and small are investing in cybersecurity now. The total amount of investment is forecasted to nearly double in the next decade as more state commissions open grid modernization dockets that encourage cybersecurity programs.

This transformation necessarily begs the question of whether existing, historic cost recovery mechanisms adequately incentivize the levels of investment required to boost the resiliency of the grid. Against this backdrop, all regulators or government oversight agencies of utilities should be proactive and consider the need for an alternative rate mechanism.

In Missouri, for example, the Public Service Commission produced a set of four principles for the General Assembly to consider if it drafted legislation. Those four principles — avoid massive, radical overhaul; do not impede the Commission’s authority to balance utility and customer interests; any change should be narrowly tailored; and, use of a new rate mechanism would have to be authorized by the Commission — could be used by any state commission considering use of an alternative rate mechanism.

As utilities increasingly need flexibility and incentives to invest in needed non-revenue-generating cyber protection assets to ensure grid and resilience, utility commissions will continue to wrestle with a new range of considerations, technologies and competing interests, all while balancing public needs against public costs.

Additionally, at the national level, since the nation’s 15 critical infrastructure groups depend on a reliable and resilient supply of electricity to power their operations, any major infrastructure legislation considered by Congress should contain a funding component dedicated to improving the ability of the electric grid to repel potentially disabling attacks.

The recommendations in the Vermont Law School report for Protect Our Power provide commissions, local governments, state legislatures, and Congress valuable analysis and guidance in identifying options to encourage and advance these protective investments. They also provide a proper balance between the varying interests, including how to make prudent investments without undermining or losing sight of the main objective — further securing the single most important component of our critical U.S. infrastructure — the electric grid.

Rick Mroz

Author Bio