Dive Brief:

• Federal regulators have issued a Notice of Proposed Rulemaking (NOPR) to consider incentives for cybersecurity investments that exceed mandatory Critical Infrastructure Protection (CIP) reliability standards. Experts say the incentives could help to quickly shore up weaknesses in grid defenses, but also question whether they will be sufficient.
• The Federal Energy Regulatory Commission is proposing two types of incentives for utilities making voluntary security investments: a 200 basis-point adder to the rate of return on equity (ROE) for the upgrades, and deferred cost recovery for certain cybersecurity-related expenses. 
• "It takes a really long time to develop new cybersecurity requirements," said J. Daniel Skees, a partner at Morgan Lewis. Using incentives, he said, "is much more expeditious than relying on a mandatory process."

Dive Insight:

FERC proposed new security incentives on the same day the U.S. Department of Energy confirmed its systems had been breached in the SolarWinds hack, highlighting the need for fast action.

"It's encouraging that FERC sees the need for incentives to accelerate the pace at which public utilities improve their cybersecurity capabilities," Mark Carrigan, chief operating officer and chief revenue officer at security firm PAS Global, said in an email. But he also said the proposed incentives fall short of what may be needed to truly accelerate cybersecurity readiness.

"There are some good ideas in the incentives recently proposed," Carrigan said, pointing to deferred cost recovery for third-party provision of hardware, software and computing networking services, third party risk assessments, and training-related expenses.

FERC has outlined two approaches to identifying qualifying investments. Under the first, the commission is proposing incentive rate treatment for utilities voluntarily applying CIP reliability standards to facilities that are not currently subject to those requirements. A second approach would allow utilities to receive incentives for implementing security controls  included in the cybersecurity framework developed by the National Institute of Standards and Technology.

Utilities could claim either the ROE adder or deferred cost recovery incentives for the investments, but not both.

But Carrigan said annual reporting requirements could reduce utility interest in the incentives, and limiting the incentives to exclude continuing costs "fails to fully appreciate that investment in cybersecurity preparedness is not a one-time activity."

He also said the proposed incentives "only touch on the biggest challenge in cybersecurity, which is the shortage of qualified personnel."

Reaction from security experts was generally positive, though they also warned some ratepayer groups were likely to push back on the idea.

"I think this idea is wonderful," said TAG Cyber CEO Ed Amoroso. "Rate-based incentives can really move the needle toward more secure utilities."

The 200 basis-point ROE adder could shift utility thinking on security projects that were borderline investments, said Skees, "but frankly it's too early to tell" if the adder is large enough. "I suspect it's probably generous enough that if a utility was on the fence, maybe it's enough to push them over."

"There's certainly no downside," Skees said. "Given all the hacks and breaches across the federal government, things like this are certainly steps in the right direction."

The SolarWinds attack targeted multiple U.S. government agencies, along with DOE, and is widely believed to be the work of Russian hackers associated with that nation's intelligence service. Experts say the utility sector is working to determine its own level of exposure, but tracking down malware will take time and resources.

Comments on the NOPR are due within 60 days and reply comments will be due 30 days after that deadline.

The commission floated the idea of transmission incentives for utilities making cybersecurity enhancements in June, and received some criticism. The Transmission Access Policy Study Group (TAPS), which represents entities largely dependent on transmission facilities owned and controlled by others, said cost recovery policies already make cybersecurity projects attractive, low-risk investments.

TAPS told the commission the proposal "ignores evidence ... demonstrating that transmission owners are already making above-and-beyond cybersecurity investments using the current cost recovery mechanisms," and added that transmission owners "must not be eligible for cybersecurity incentives for investments they would otherwise have made."

According to Skees, some parties are likely to question whether voluntary utility security enhancements will provide benefit — and if they do, ask why FERC would not make them mandatory. But he said the approach "could expand the scope of facilities receiving heightened cybersecurity protections" and it "allows FERC to use a carrot approach, to bring more facilities into CIP compliance."