Docket Nos. RM22-19-000 and RM21-3-000
I concur in today’s Notice of Proposed Rulemaking[1] to highlight the importance of today’s action and to encourage stakeholder comment in certain areas. In today’s highly interconnected world, the nation’s security and economic well-being depend on reliable and cyber-resilient energy infrastructure. This is why it is critical that we continue to build upon the mandatory framework that the industry has already identified through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. But these mandatory CIP standards are just a baseline and can take years to implement. Recent cyber-attacks in Ukraine and here at home remind us of the constant threat of foreign and domestic attacks on our critical infrastructure, and of the need for advanced and innovative technology and threat information sharing programs for emerging threats. Therefore, I fully support this action we are taking under section 219A of the Federal Power Act (FPA)[2] to encourage utilities to proactively make additional cybersecurity investments in their systems.
There are significant costs when there is a cybersecurity breach on the electric or gas system. Not only are consumers impacted by loss of service, but the recovery costs are significant. For example, the Colonial Pipeline cybersecurity breach effectively shut down half of the country’s fuel supply, and even though the pipeline invested $200 million over five years to contain a potential attack,[3] Colonial Pipeline still spent millions more to recover from the event in 2021.[4]
This NOPR serves as a critical step to incent public and non-public utilities to make urgent cybersecurity investments in advanced technology. First, the NOPR proposes to incentivize expenditures that materially improve the cybersecurity posture of utilities.[5] Second, the NOPR provides that those cybersecurity investments must not already “be mandated by [CIP] Reliability Standards, or local, state, or federal law.”[6] Third, the NOPR proposes that the Commission either use a pre-qualified (PQ) list of approved cybersecurity expenditures, where any expenditure that meets the list would be entitled to a rebuttable presumption that the utility is eligible for an incentive,[7] or that the Commission assess expenditures on a case-by-case basis.[8] Lastly, the NOPR proposes that if a utility meets the requirements for an incentive, it could either receive a return on equity (ROE) adder of 200 basis points or deferred cost recovery for expenditures, which enables the utility to defer expenses and include the unamortized portion in rate base.[9] All of these items are essential to improving utilities’ ability to protect against, detect, respond to, and recover from a cybersecurity threat.
Specifically, I am interested in feedback on whether the proposed PQ list is broad enough to include all expenditures that may warrant incentives. As proposed, if an expense is associated with participation in the Cybersecurity Risk Sharing Program (CRISP)[10] or if an expenditure is associated with internal network security monitoring within the utility’s cyber systems,[11] there would be a rebuttable presumption that that expense is entitled to an incentive. I agree that each eligible cybersecurity expenditure on the PQ list should have a single, clear, and non-trivial benchmark that must be met for a utility to qualify for incentive rate treatment. But, the proposed PQ list is limited. For example, 75% of electricity customers in the continental U.S. are served by investor-owned utilities that already participate in CRISP,[12] which demonstrates the limited potential benefits from this incentive. Under the NOPR proposal, it is unclear whether a utility that already participates in CRISP could receive an incentive for future subscription costs for continued CRISP participation. I encourage comments on whether any final rule should clarify that such continued CRISP participation is indeed entitled to an incentive.
I also recognize that a case-by-case approach, as opposed to the proposed PQ list, would be more adaptable and less prescriptive, allowing a variety of solutions that utilities could potentially tailor to their specific situations. However, given the diverse and evolving nature of cybersecurity activities, this option could be very time-consuming and administratively inefficient. Thus, I believe that an expanded PQ list is a reasonable approach that would satisfy the applicable statutory directives while providing a high degree of certainty for regulated entities. I urge all interested stakeholders to provide comments on whether the Commission should widen the PQ list’s universe of potential expenditures. I especially encourage stakeholders to comment on whether the Commission should consider external penetration tests, a security awareness program, a patch management program, and/or the capability to disconnect operational technology from the information technology network for the PQ list.
I also want to underscore the need for utilities to conduct analyses of electric and gas interdependencies, and how such actions would benefit cybersecurity on the bulk electric system. I fully recognize that FPA section 219A states that the Commission can establish “incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce,”[13] and the Infrastructure Act only modified section 219 regarding incentives and not the Natural Gas Act (NGA).[14] However, electric and gas companies are especially vulnerable to cyberattacks, particularly because utilities that use both sources have an expansive and increasing attack surface, arising from their geographic and organizational complexity. Indeed, the electric and gas sector’s unique interdependencies increase their vulnerability to exploitation, which can include the commandeering of the operational-technology system to stop energy infrastructure from working at times when consumers most need it. To the extent we can identify the need for cybersecurity information sharing between the natural gas and electric systems, and incentivize participation in such a program, I encourage stakeholder comment.
I further urge stakeholders to comment on whether the proposed duration of the incentives is sufficient and whether a 200 basis point adder is reasonable, as the NOPR contemplates.[15] To be clear, I do not support open-ended or permanent cyber incentives. I believe the 5-year proposed duration and the 200 basis point adder are adequate to properly incent utilities. Unlike expenses in the traditional transmission incentives context,[16] the dollar amounts in cybersecurity investments are typically small. Yet, the benefits of additional, advanced cybersecurity investments cannot be ignored. Offering anything less than what is proposed would likely be insufficient to incent any action by utilities, as required by Congress. Therefore, commenters should provide specific, compelling reasons if they oppose the NOPR proposal regarding the duration of the incentive and the amount added to a utility’s ROE.
Finally, I note that for years now, the White House, the U.S. Congress, and senior government leaders have sounded the alarm on increasing cybersecurity threats and their sophistication.[17] I also note that the Commission began assessing the potential use of incentives to improve cybersecurity prior to the passage of the Infrastructure Act.[18] While we are terminating the proceeding in Docket No. RM21-3-000, I am heartened that the Commission remains committed to this issue. I look forward to examining all the comments as we seek to issue a final rule around these topics.
For these reasons, I respectfully concur.
[1] Incentives for Advanced Cybersecurity Investment, 180 FERC ¶ 61,189 (2022) (NOPR).
[2] 16 U.S.C. 824s-1.
[3] See Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure, Hearing Before the Committee on Homeland Security, 117th Cong. (2021) (Statement of Joseph A. Blount).
[4] See Everhart v. Colonial Pipeline Company, 2022 WL 3699967 (N.D. Ga. 2022) (“Colonial paid the cybercriminals . . . a $4.4 million ransom in return for a decryption tool that allowed Colonial to retrieve the encrypted or locked data.”).
[5] NOPR at PP 2, 20, 22.
[6] NOPR at PP 2, 22.
[7] NOPR at PP 3, 19; see infra at PP 4-5.
[8] NOPR at PP 3, 19, 22-23.
[9] NOPR at PP 4, 34, 37.
[10] Co-funded by the Department of Energy (DOE) and industry and managed by E-ISAC, CRISP is a public-private partnership that enables and manages the near real-time sharing of IT network information between electricity utilities and key DOE resources. The purpose of CRISP is to enable collaboration among energy sector partners to facilitate the timely bi-directional sharing of unclassified and classified threat information and to develop situational awareness tools that enhance the energy sector’s ability to identify, prioritize, and coordinate the protection of critical infrastructure.
[11] The Commission issued a NOPR that proposed to direct NERC to develop a mandatory standard regarding internal network security monitoring for high and medium impact bulk electric system cyber systems. See Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems, 178 FERC ¶ 61,038 (2022).
[12] See Energy Sector Cybersecurity Preparedness, available at: https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness.
[13] 16 U.S.C. § 824s-1(c) (emphasis added).
[14] The Infrastructure Investment and Jobs Act (Infrastructure Act) modified Section 219 of the FPA regarding electric energy rate treatments and directed the Commission to consider incentives for the transmission of electric energy regarding cybersecurity. Section 219 did not, however, explicitly reference or modify the NGA regarding gas incentives.
[15] NOPR at PP 4, 33, 36-37; see, e.g., Initial Comments of Edison Electric Institute, Docket No. RM21-3-000, at 2 (filed April 6, 2021) (“EEI agrees that given the relatively low dollar amounts associated with cybersecurity investments . . . the proposed 200 basis point cap is reasonable.”); Comments of MISO Transmission Owners, Docket No. RM21-3-000, at 9 (filed April 6, 2021) (explaining why inclusion of enterprise-wide costs is appropriate to incent investment in critical facilities).
[16] Brattle-Grid Strategies Oct. 2021 Report at 2 (citing Johannes Pfeifenberger & John Tsoukalis, The Brattle Group, Transmission Investment Needs and Challenges, at slide 2 (June 1, 2021), https://www.brattle.com/wp-content/uploads/2021/10/Transmission-Investment-Needs-and-Challenges.pdf); Johannes Pfeifenberger et al., The Brattle Group, Cost Savings Offered by Competition in Electric Transmission: Experience to Date and the Potential for Additional Customer Value, at 2-3 & fig.1 (Apr. 2019), available at: https://www.brattle.com/wp-content/uploads/2021/05/16726_cost_savings_offered_by_competition_in_electric_transmission.pdf (Brattle Apr. 2019 Competition Report).
[17] For example, President Biden told utilities and other companies that “critical infrastructure owners and operators must accelerate efforts to lock their digital doors.” See Statement by President Biden on Our Nation’s Cybersecurity, available at: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity. President Biden has also since announced an executive order on cybersecurity and is using funds from the Infrastructure Act to provide grants to state, local, and territorial governments as they respond to cyber threats. See Exec. Order No. 14,028, 86 FR 26633 (2021). Former President Obama declared that cybersecurity threats are “the most serious economic and national security challenge[] we face as a nation” and that “America’s economic prosperity . . . will depend on cybersecurity.” See National Security Council, Cyber Security, available at: http://www.whitehouse.gov/administration/eop/nsc/cybersecurity. Former Defense Secretary Leon Panetta warned that the country is “increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid.” See Elizabeth Bumiller and Thom Shanker, Panetta Warns of Dire Threat of Cyberattacks on U.S., The New York Times, October 11, 2021, available at: http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all.
[18] See, e.g., FERC, Cybersecurity Incentives Policy White Paper, Docket No. AD20-19-000, (June 2020), available at: https://www.ferc.gov/sites/default/files/2020-06/notice-cybersecurity.pdf (discussing the potential new framework for providing transmission incentives to utilities for cybersecurity investments); Cybersecurity Incentives, 87 FR 4173 (Jan. 27, 2021), 173 FERC ¶ 61,240 (2020) (proposing to allow utilities to request incentives for certain cybersecurity investments that go above and beyond the requirements of the CIP reliability standards). This NOPR supersedes the Cybersecurity Incentives NOPR, but it illustrates my colleagues’ commitment to building out a more resilient electric system.