Energy and powerNews

Federal rule incentivises cybersecurity investments for US utilities

As cyberattacks continue to hit the critical infrastructure space, the Federal Energy Regulatory Commission (FERC) is working to ensure that utilities are investing in measures to protect the grid. A new rule approved by FERC will allow US electric utilities to seek a greater incentive from the rate-base for certain cybersecurity investments.

The final rule allows electric utilities to earn up to an additional 50 basis points (0.5%) return on equity for certain cybersecurity investments. In the original NOPR the adder had been set at 200 basis points (2%).

The original NOPR, issued September 22, 2022, said:

  • Cybersecurity expenditures would be eligible for an incentive including both expenses and capital investments associated with advanced cybersecurity technology and participation in a cybersecurity threat information sharing program.
  • Eligible cybersecurity expenditures would be voluntary and have to materially improve the utility’s cybersecurity posture. FERC proposes to establish a pre-qualified (PQ) list of cybersecurity expenditures that are eligible for incentives that would be publicly maintained on the FERC.gov website.
  • The incentives would take two forms: a return on equity adder of 200 basis points, or deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base.
  • Approved incentives, with certain exceptions, would remain in effect for up to five years from the date on which the investments enter service or expenses are incurred.

Have you read:
How ‘defence in depth’ can repel energy sector cyberattacks
Survey: Cybersecurity of IoT is top-of-mind for US smart utilities and tech providers

The final rule largely tracks the NOPR, but includes some additions:

  • The Commission expanded the definition of eligible cybersecurity investments to include not only a pre-qualified list of cybersecurity investments, but also those investments that are done on a case-by-case basis, allowing utilities to request incentives for a variety of solutions tailored to their specific situations.
  • The Commission will allow utilities to seek incentives for early compliance with new cybersecurity reliability standards.
  • The final rule adopts the NOPR’s proposed requirement that expenditures materially improve a utility’s cybersecurity posture. It also adopts the proposal to allow deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base but does not adopt the proposed return on equity adder of 200 basis points. The rule also states that approved incentives, with certain exceptions, will remain in effect for up to five years from the date on which expenses are incurred, provided that the investments remain voluntary.

Today’s rule follows Congress’ direction under the Infrastructure Investment and Jobs Act of 2021 that the Commission revise its regulations to establish incentive-based rate treatments to encourage utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing programs for the benefit of consumers.

“In today’s highly interconnected world, our nation’s security and economic well-being depend on reliable and cyber-resilient energy infrastructure,” FERC Chairman Willie Phillips said. “We must continue to build upon the mandatory framework of our cybersecurity reliability standards with efforts such as this to encourage utilities to proactively make additional cybersecurity investments in their systems.”

You can access the full document here.

The final rule takes effect 60 days following publication in the Federal Register.

Originally published on Power-Grid International.