Author: Bill Zuretti, director of regulatory affairs and counsel, EPSA
As part of their mission to provide safe, reliable power to Americans, competitive power suppliers take extensive measures to protect against cybersecurity threats to our electric grid. EPSA encourages FERC to further strengthen critical energy infrastructure by extending cybersecurity incentives to all parts of the bulk power system in addition to transmission providers.
Cybersecurity threats pose a risk to reliable electric service—and ultimately America’s homes and businesses—with the potential to disrupt everything from routine needs like turning the lights on and connecting to the internet to emergency and life-saving services. Along with the rest of the electricity sector, competitive power suppliers are constantly on the watch to protect essential generation resources against current and emerging cybersecurity breaches. But as would-be attackers continue to seek new ways to disrupt the nation’s power grid, new tools may be needed to enhance electric reliability and stay ahead of ever-evolving threats. Providing incentives to all parts of America’s bulk electric system—including competitive power suppliers—will help ensure the greatest possible protection for our critical infrastructure and the millions who rely on it.
This past December, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) on cybersecurity incentives that could support and reward companies working to advance the security of essential infrastructure. FERC’s proposal contemplates providing new incentives for Transmission Providers (TPs) that make investments that exceed what is required by current recommendations—as included in the North American Electric Reliability Corporation Critical Infrastructure Protection (CIP) Reliability Standards and the National Institute of Standards and Technology (NIST) Framework. As EPSA notes in comments filed April 6, FERC could strengthen this proposal by extending similar incentives to all links in the bulk power chain, including competitive power suppliers, independent power producers, and merchant generators.
As the FERC proposal highlights, Commission staff outlined in its Cybersecurity Incentives Policy White Paper that a new incentive framework could allow the electric industry to be more agile and better protect critical infrastructure. The framework would better equip the industry to:
- Monitor and respond to new and evolving cybersecurity threats;
- Identify and respond to a wider range of threats; and
- Address threats with comprehensive and more effective solutions.
In the White Paper, Commission staff reason that a voluntary incentive-based framework would allow a public utility to tailor its request for incentives to the potential challenges it faces and take quick, responsive action to confront new threats as they emerge—rather than waiting for regulatory standards to be implemented and mandated. Commission staff explain that these voluntary actions taken by public utilities, if proven beneficial, could inform future standards that could become mandatory.
Beyond Transmission – All Parts of the BPS Should Be Incented to Strengthen the Grid
FERC’s NOPR and Staff White Paper currently focus on incentives for transmission providers (which operate under cost-of-service regulation). But offering similar incentives to entities like independent power producers (IPPs) and competitive suppliers (which recover their costs through competitive markets) would serve the same end—further achieving FERC’s objectives and providing even greater protection and cybersecurity readiness of the nation’s Bulk-Power System (BPS).
While transmission providers face complex cybersecurity risks, so too do the electric generation resources that are an essential part of the bulk power system. For this reason, competitive suppliers routinely exceed what is required by standards and regulations. Extra vigilance protects generation facilities and ensures the most reliable operations.
Given the interconnected nature of the modern electric system, cyber threats can often cut across segments—from transmission to power generation to distribution. Power generators work in concert with transmission providers to deliver wholesale power to end users. All elements of the bulk power system must therefore be as fortified as is reasonably possible. Providing incentives to one segment while leaving out others may squander an opportunity for the system as a whole to remain ahead of the curve regarding cybersecurity threats.
FERC’s NOPR identifies incentive areas that could also apply to power generation facilities, including the Med/High Incentive and the High/Low Incentive. This incentive parity should also apply to certain investments made by generators under the NIST Framework Approach. For example, installing a dynamic asset management program to improve an entity’s ability to quickly detect and address new or previously unknown equipment on its network applies to generators just as it does to transmission providers. These investments would benefit the entire bulk power system as they improve the ability to detect and respond to new threats and minimize service disruptions.
Single Issue Ratemaking Could Help
EPSA recognizes that incenting voluntary behavior is not as straightforward for those entities that recover their costs through competitive markets rather than a guaranteed rate of return. While the Commission can offer a return on equity adder to transmission providers, it has no such vehicle for IPPs and competitive suppliers that operate in competitive markets. With that said, single issue ratemaking may offer a pathway for the Commission to pursue as it will properly incent the right amount of investment required to ensure parity with vertically integrated monopolies.
For example, to reasonably mirror the incentive dynamic that the NOPR outlines for transmission providers, the Commission might publish a series of areas that it identifies as emerging and future cybersecurity risks—perhaps on an annual basis. In order to optimize the utilization of these investments, the Commission could set a threshold at which an entity is eligible for cost recovery for these investments if a demonstration is made that the bulk power system as a whole would benefit from their installation. Hence, if a competitive market participant petitions the Commission for authorization to make an upgrade with the required showing of benefits and the Commission approves the petition, that entity would then be able to make the cybersecurity upgrade and file to recover the costs incurred. The Commission operates under a similar paradigm for assessing costs associated with providing reactive power service. While not a perfect match for the incentive structure outlined in the NOPR, this path would ultimately help achieve the stated cybersecurity goal and lead to similar outcomes as the incentives proposed for transmission providers, all while preserving Commission oversight and discretion over the associated costs.
EPSA outlined these recommendations in comments to FERC as part of our mission to advance reliable electric service for customers and our nation as a whole. Competitive power suppliers already take aggressive action to protect electric generation resources from physical and cyber threats. Providing greater cybersecurity incentives and support to competitive generators and all parts of the bulk electric system in addition to transmission providers will enhance the overall strength of our interconnected grid and our national security. We look forward to continuing to work with the Commission and all stakeholders to help ensure reliable electric service.
Read EPSA’s Comments on FERC Cybersecurity Incentives Notice of Proposed Rulemaking.
Learn more about how competitive power suppliers are further strengthening America’s power grid in EPSA’s Cybersecurity Report.
Find key takeaways from the SolarWinds breach and how EPSA and its members work with the government to shield against, prepare for and respond to incidents.