Following a directive from the US Congress, FERC issued Order No. 893, providing incentive-based rates for public and nonpublic utilities to encourage voluntary investments in Advanced Cybersecurity Technology[1] and participation in cybersecurity threat information sharing programs, such as the US Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP).[2] Aspects of the final rule were hotly contested and the Commission’s final rule sought a middle ground between competing proposals, but, based on the evidence to date, FERC’s decision has not yet succeeded in accomplishing its primary objective: granting incentives that encourage heightened cybersecurity protections.
The Commission promulgated Order No. 893 pursuant to Section 40123 of the Infrastructure Investment and Jobs Act, which directed FERC to promulgate a rule to establish incentive-based rates for utilities.[3]
Under the final rule, both public and nonpublic utilities that have or will have a rate on file with FERC may apply for incentive-based rate treatment for eligible cybersecurity investments. However, utilities may not receive incentive-based rates on cybersecurity investments related to market-based sales of energy, capacity, or ancillary services. Instead, they must make a separate cost-of-service rate filing with FERC under FPA 205.[4]
Investments may be eligible for incentive-based rates if they are in Advanced Cybersecurity Technology or are expenses related to participation in a cybersecurity threat information sharing program. Advanced Cybersecurity Technology includes both products and services. Cybersecurity products include hardware, software, or other types of IT systems,[5] while cybersecurity services include system installation and maintenance, network administration, and asset management.[6]
There is a two-step process to determine whether Advanced Cybersecurity Technology or cybersecurity threat information sharing program investments are eligible for incentive-based treatment: investments must (1) make a material improvement to cybersecurity and (2) be voluntary.
An investment will be presumed to materially improve cybersecurity if it is for either Advanced Cybersecurity Technology or participation in a cybersecurity threat information sharing program.[7] In order for an investment to be voluntary, the investment cannot be mandated by Reliability Standards maintained by an Electric Reliability Organization; mandated by local, state, or federal law; an action taken in response to a federal or state agency merger condition or consent decree from a federal or state agency; or an action taken in response to a settlement agreement that resolves a dispute between a utility and a public or private party.[8]
FERC has two approaches for determining if a voluntary cybersecurity investment satisfies the eligibility criteria, the first being the prequalified (PQ) list. Any cybersecurity investment that is on the PQ list is entitled to a rebuttable presumption of eligibility for incentive-based rate treatment. This presumption may be rebutted by a protestor demonstrating that, given the unique circumstances of the utility, the investment on the PQ list does not materially improve the utility’s cybersecurity.[9]
In the rule, FERC included only two types of investments on the PQ list: (1) cybersecurity investments associated with participation in CRISP and (2) cybersecurity investments associated with internal network security monitoring within the utility’s information technology and/or operational technology cyber systems.
The second approach to determine if a voluntary cybersecurity investment is eligible is a case-by-case review. If a cybersecurity investment is not on the PQ list, FERC will conduct a case-specific review to see if the investment materially improves cybersecurity and is voluntary. In a case-by-case review, the burden is on the utility to prove the investment materially improves cybersecurity and therefore is eligible to receive incentive-based rate treatment.[10] Rates will only be approved under the PQ or case-by-case pathway if the final rate is just and reasonable.
Incremental improvements are eligible for incentive-based rates. Where a cybersecurity investment results in a utility not only meeting a mandatory Reliability Standard, but also providing cybersecurity benefits exceeding those standards, the incremental investment that resulted in the utility exceeding Reliability Standards is eligible for incentive-based rate treatment.[11]
Investments resulting in early adherence to forthcoming Reliability Standards are also eligible for incentive-based rates. If a utility makes a cybersecurity investment in preparation for a forthcoming Reliability Standard, that investment is eligible for incentive-based rate treatment until the Reliability Standard becomes mandatory.[12] For example, if a utility makes an upgrade in January to comply with a Reliability Standard that will become mandatory in July, it is eligible for incentive-based rates for six months.
FERC allows utilities to treat eligible cybersecurity investments as regulatory assets and include those assets in the transmission rate base.[13] Utilities may seek this enhanced recovery for a range of expenses, including operation and maintenance expenses, labor costs, implementation costs, network monitoring, and training costs.[14] Utilities may use incentive-based rate recovery for up to five years and must submit annual informational reports to the Commission for the duration of the cybersecurity incentive.[15]
As of the writing of this article, despite the press surrounding the incentives, not a single utility has initiated the application process. As the purpose of the law is to encourage utilities to enhance cybersecurity by providing financial incentives, the lack of such applications suggests FERC misjudged how much of an incentive is necessary.
Whether a utility seeks a financial incentive reflects basic economic principles—if the financial benefit is worth the effort, utilities will seek it. The fact that no utility has submitted an application demonstrates that the financial incentives are not worth the effort they would take, which in turn means that the financial incentives are not high enough to encourage the investments Congress wants to see.
There are a few likely reasons why this is the case:
At this point there is nothing that clearly shows FERC plans to reexamine its cybersecurity incentives policy and reconfigure it to generate interest from utilities. The implication is that Congress’s directive will, for all practical purposes, go unfulfilled.
[1] Defined as any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in Section 102 of the Cybersecurity Act of 2015). Incentives for Advanced Cybersecurity Investment, Order No. 893, 183 FERC ¶ 61,033, at 27 (2023).
[2] Id. at PP 1, 23.
[3] 16 USC § 824s-1.
[4] Order No. 893, 183 FERC ¶ 61,033 at P 26.
[5] Id. at P 4.
[6] Id. at P 5.
[7] In determining which cybersecurity investments will materially improve a utility’s security posture, the Commission will consider the following sources: (1) security controls enumerated in the NIST SP 800-53 “Security and Privacy Controls for Information Systems and Organizations” catalog; (2) security controls satisfying an objective found in the NIST Cybersecurity Framework technical subcategory; (3) a specific cybersecurity recommendation from a relevant federal authority (e.g., DHS’s CISA, FBI, NSA, DOE); (4) participation in a relevant cybersecurity threat information sharing program; and/or (5) achieving and sustaining one or more of the C2M2 Domains at the highest Maturity Indicator Level. Id. at P 40.
[8] Id. at P 45.
[9] Id. at P 64.
[10] Id. at P 107.
[11] Id. at P 47.
[12] Id. at P 117.
[13] Id. at P 135.
[14] Id. at P 147.
[15] Id. at PP 172, 193.