On December 17, 2020, the Federal Energy Regulatory Commission (“FERC”) took two separate actions intended to enhance the cybersecurity of the Bulk Electric System (“BES”). First, FERC issued a Notice of Proposed Rulemaking (“NOPR”) in Docket No. RM21-3 to establish rules for incentive-based rate treatment for public utilities’ voluntary cybersecurity investments that exceed the North American Electric Reliability Corporation (“NERC”) Critical Infrastructure Protection (“CIP”) Reliability Standards requirements. This action builds off FERC Staff’s White Paper addressing cybersecurity investment incentives, issued this past summer.
Unlike the pending transmission incentives NOPR in Docket No. RM20-10, FERC does not act pursuant to its authority under Federal Power Act (“FPA”) § 219 to establish a rule for incentive-based rate treatment for the transmission of electric energy in interstate commerce to benefit consumers by ensuring reliability and reducing transmission congestion. Rather, FERC issues its NOPR pursuant to its broader ratemaking authority under FPA §§ 205 and 206, which allows for incentives beyond transmission investment, extending to cybersecurity investment in information technology and operational technology networks used by public utilities to provide other FERC-jurisdictional services. The potential incentives a utility could apply for in an FPA § 205 filing are left open-ended to those approved by FERC on a case-by-case basis, but would explicitly include a 200 basis point adder to the utility’s return on equity (“ROE”) or deferred recovery of cybersecurity upgrade implementation costs through regulatory asset treatment. FERC does not propose that NERC serve a role in reviewing implementation of, or otherwise participating in, the NOPR’s voluntary incentives program. Notably, FERC proposes to grant incentive rate treatment to public utilities implementing certain security controls included in the National Institute of Standards and Technology (“NIST”) Framework. FERC Chairman Danly and Commissioner Glick authored a concurring opinion, asking: (1) whether a better approach would be to direct that NERC expand its CIP Standards to mandate some or all of the NOPR’s contemplated cybersecurity investments; and (2) whether, and why, additional measures are needed to incentivize public utilities to adopt additional cybersecurity measures.
Second, FERC issued an Order in Docket No. RM20-8 directing NERC to submit, by January 1, 2022, an informational filing on the feasibility of, and any NERC plans for, modifying the CIP Reliability Standards to facilitate registered entities voluntarily using virtualization and cloud computing for purposes beyond data storage, namely to perform BES reliability operating services. The directive takes into account comments on FERC’s February 20, 2020 Notice of Inquiry that raise a need for regulatory certainty to mitigate compliance risk when implementing such technologies.
FERC’s NOPR regarding cybersecurity rate incentives is available here.
FERC’s Order regarding virtualization and cloud computing is available here.
For further information on these matters or more generally on NERC’s CIP Reliability Standards, please contact Lisa Gast, Kristen Connolly McCullough, Sean Neal, or Lauren Perkins.