Friday, February 5, 2021

FERC Published Cybersecurity Incentives NPRM

Today the Federal Energy Regulatory Commission published a notice of proposed rulemaking in the Federal Register (86 FR 8309-8325) on ‘Cybersecurity Incentives’. The rulemaking would “establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility for or in connection with the transmission or sale of electric energy subject to the jurisdiction of the Commission, and rates or practices affecting or pertaining to such rates for the purpose of ensuring the reliability of the Bulk-Power System.”

While investments and expenses required to conform to the CIP Reliability Standards would not be covered in this proposal, FERC proposes to allow deferred cost recovery for three categories of expenses:

• Expenses associated with third-party provision of hardware, software, and computing networking services,

• Expenses for training to implement new cybersecurity enhancements undertaken pursuant to this rule, and

• Other implementation expenses, such as risk assessments by third parties or internal system reviews and initial responses to findings of such assessments.

CIP Applied to New Facilities

In the new 18 CFR 35.48 proposed in this rulemaking, FERC sets out two separate modalities for facilities to claim the cybersecurity incentives through voluntary investment in applying the requirements of the CIP Reliability Standards to additional facilities. In the proposed §35.48(b)(1)(i), FERC would allow “a public utility to receive incentive rate treatment for voluntarily applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems”.

The second modality is found in the proposed §35.48(b)(1)(ii), where FERC would allow “a public utility to receive incentive rate treatment for voluntarily ensuring that all external routable connectivity to and from the low impact system connect to a high or medium impact BES Cyber System.”

NIST Framework

In §35.48(b)(2), FERC would authorize a public utility to “receive incentive rate treatment for implementing certain security controls included in the NIST Framework (NIST Framework Approach).” The ‘certain security controls’ are not enumerated in §35.48, but the preamble notes that they include:

• Automated and continuous monitoring,

• Access control,

• Data protection,

• Incident response, and

• Physical security of cyber systems.

Public Comments

FERC is soliciting public comments on the proposed rulemaking. FERC does not use the Federal eRulemaking Portal. Comments may be submitted via the FERC eFiling site (Docket No. RM20-3-000). Comments should be submitted by April 6th, 2021; reply comments are due by May 6th, 2021.
