Updated on 2022-09-22
The Federal Energy Regulatory Commission (FERC) has issued a Notice of Proposed Rulemaking (NOPR) seeking public comment on its proposal to “provide incentive-based rate treatment for utilities making certain voluntary cybersecurity investments.” Eligible investments must meet several requirements, which include “materially improv[ing] cybersecurity through either an investment in advanced cybersecurity technology or participation in cybersecurity threat information sharing programs; and [those] not already … mandated by Critical Infrastructure Protection (CIP) Reliability Standards, or local, state, or federal law.”
- I think the proposed approach has a dangerous flaw: it is almost 100% focused either on deploying new products and services to get rate reductions or on joining threat sharing. It almost completely avoids the People and Process part of “People, Process and Technology.” For example, better IT admin and faster patching is one of the biggest improvements that could be made and in most cases does not require advanced products or new procurements; it requires a security team that can get the admin side to do things differently. The same is true for segmentation, privilege management and many of the Critical Security Controls that provide the biggest bang for the buck. The people skills to work with other organizations and to develop effective and repeatable playbooks to make the operations side better need to be incentivized, not just buying new products/services.
- The comment period runs for 30 days from publication, which was 9/22/22. The proposed incentives would take two forms: a return on equity adder of 200 basis points, or deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base, which could substantially reduce the burden of improving their security. The trick is that the improvements must be deemed to materially improve the utility’s cybersecurity, so it is critical to have a clear understanding of what that means. Also be prepared to demonstrate you’ve actually implemented changes, not purchased shelfware.
- Most electric utilities are regulated by the states. The states tend to focus on the rate to the consumer and to discourage what they see as discretionary spending. That contributes to the state of security in the industry. This legislation might well compensate.