WASHINGTON, D.C., Aug. 24, 2020 — Recognizing that U.S. electric utilities do not currently have adequate incentives to invest in advanced cybersecurity protection for the nation’s electric grid, Protect Our Power is proposing that the Federal Energy Regulatory Commission (FERC) convene a technical conference to explore development of a potential cybersecurity incentives framework and application process.

In its response to a recent FERC White Paper on the incentives issues, Protect Our Power, a non-partisan, non-profit organization dedicated to improving grid security nationwide, praised FERC for raising the issue and noting that electric transmission owners are today only required to meet minimum requirements known as Critical Infrastructure Protection Reliability Standards, or CIP Standards.

“Today’s reality is that our electric system needs to go beyond CIP’s ‘technical baseline’ for grid cybersecurity and aggressively keep pace with the increasing, ever-changing cyber threats that aim to disable our power grid,” said Suedeen Kelly, former FERC commissioner and regulatory counsel to Protect our Power. “This can only be accomplished by using the most current and effective solutions, and an incentives policy needs to incent the use of known, effective, and dynamic solutions and best practices.”

The Protect Our Power comments focused on three issues to help advance the discussion begun by FERC and encourage policy innovation beyond current approaches to ratemaking incentives, and

call on FERC to convene a two-part technical conference on cybersecurity incentives practices and policy, exploring existing and emerging best practices in grid cybersecurity as well as the financial and policy design details of a potential cybersecurity incentives framework and application process.

Protect Our Power proposed three additional ways that FERC can allow transmission owners to demonstrate that voluntary cybersecurity investments improve grid security:

• Best Practices for Cybersecurity Solutions — making clear that voluntary transmission owner investments that implement Best Practices for Cybersecurity Solutions (“BPCS”) or fall within the NIST Framework are presumptively eligible for incentives, as long as they are shown to go beyond CIP Standards and are truly voluntary.
• Authorizing Cybersecurity Investment Plans — allowing utilities to propose a comprehensive, 1- to 2-year package of voluntary cybersecurity investments for pre-approval, which can then be recovered through ratemaking if implemented. This could help utilities avoid the significant cost and burdens of proposing investments on a project-by-project basis, which can act as a disincentive.  This approach also encourages transmission owners to think about cybersecurity more holistically which could, in turn, result in enhanced cybersecurity across the system.
• Cross-Utility Collaboration — reducing the cost of cybersecurity investments by 1) allowing utilities to achieve economies of scale by investing in common activities and investments that involve multiple transmission owners; 2) allowing partnerships and the pooling of resources among multiple nonaffiliated utilities/transmission owners. This could particularly benefit cooperatives and small public power and investor-owned utilities by allowing the pooling of capital to make significant cybersecurity investments.  Such partnerships could be regional or national in scope, or even take the form of a voluntary regional cybersecurity organization (an RCO).

Recognizing the complexity of these issues, as well as others addressed in the comments filed, Protect Our Power suggests that FERC host a two-part technical conference to gather more information and evaluate how to design a voluntary cybersecurity incentives framework.

Part I could explore the current cybersecurity investment decisions being made by transmission owners, vendors, and groups such as NIST, Protect Our Power, and others who are working to refine and standardize cybersecurity best practices.  Part II could focus on the financial and policy design of a voluntary cybersecurity incentives framework, tapping into the expertise of transmission owners, consumer advocates, and interested parties such as Protect Our Power.

“The bottom line is that having greater innovation and flexibility in the regulatory system would provide utilities large and small with incentives and encouragement to make needed investments in grid cybersecurity,” Kelly said.  “A reliable supply electricity is critical to the well-being of our country and our economy and, in today’s world, that requires a grid that is cyber-secure.”