The article discusses the failure of the Federal Energy Regulatory Commission (FERC) to incentivize cybersecurity investments by electric utilities through its Order No. 893, issued under Section 40123 of the Infrastructure Investment and Jobs Act. Here is a summary of the key points:
1. **Purpose of Order No. 893**: FERC aimed to encourage utilities to invest in Advanced Cybersecurity Technology and participate in cybersecurity threat information sharing programs like the US Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) by offering incentive-based rates.
2. **Eligibility Criteria**: Utilities can apply for incentive-based rate treatment for eligible cybersecurity investments, which include Advanced Cybersecurity Technology and participation in CRISP. However, investments related to market-based sales of energy, capacity, or ancillary services are not eligible and must be filed separately under FPA 205.
3. **Prequalified (PQ) List**: FERC has a PQ list with two types of investments: those associated with CRISP participation and internal network security monitoring. Investments on this list are entitled to a rebuttable presumption of eligibility for incentive-based rate treatment.
4. **Case-Specific Review**: If an investment is not on the PQ list, FERC conducts a case-specific review to determine if it materially improves the utility’s cybersecurity.
5. **Implementation and Recovery**: Utilities can treat eligible cybersecurity investments as regulatory assets and include them in the transmission rate base. This allows for enhanced recovery of expenses such as operation and maintenance, labor costs, implementation costs, network monitoring, and training costs. Utilities can use this incentive-based rate recovery for up to five years and must submit annual informational reports.
6. **Lack of Applications**: Despite the incentives, no utility has initiated the application process. This suggests that the financial incentives provided by FERC are not sufficient to encourage utilities to enhance their cybersecurity protections.
7. **Implications**: The lack of applications indicates that FERC may have misjudged the level of incentive necessary to encourage utilities to invest in cybersecurity. Without a reevaluation of its policy, Congress’s directive to enhance cybersecurity through financial incentives may go unfulfilled.
Be the first to comment