FERC Considers Enhancements to Cybersecurity in Notice of Inquiry and Staff White Paper

The Federal Energy Regulatory Commission (FERC) issued a Notice of Inquiry (NOI) on June 18, 2020, requesting comments on potential enhancements to the current U.S. Critical Infrastructure Protection (CIP) Reliability Standards (CIP Standards). In the NOI, FERC also seeks input on the potential risk of a coordinated cyberattack on geographically distributed targets and the need for FERC to address such risk.

In a related development, that same day FERC Staff (Staff) issued a Cybersecurity Incentives Policy White Paper (the White Paper) that discusses a potential new framework for providing transmission incentives to utilities for cybersecurity investments. The Staff presents a framework for providing transmission incentives to utilities "for cybersecurity investments that produce significant benefits for actions that exceed" the CIP Standards.

The NOI

CIP Standards are mandatory and enforceable following their approval by FERC. They are intended to provide a risk-based, defense-in-depth approach to cybersecurity of the bulk electric system (BES).

An important source for improving the CIP Standards to address evolving cyber threats is the National Institute of Standards and Technology Cyber Security Framework (NIST Framework). The NIST Framework sets forth a comprehensive structure to guide cybersecurity activities and to consider cybersecurity risks as part of an organization's risk management processes regarding its critical infrastructure.

Staff recently performed a comparative review of the NIST Framework with the CIP Standards. Staff identified certain topics addressed in the NIST Framework that may not be adequately addressed in the CIP Standards. Based on this analysis, FERC seeks comment on the following topics:

• (1) Cybersecurity risks pertaining to data security – The security controls in the Data Security Category under the NIST Framework require the management of information and records (i.e., data) consistent with an organization's risk strategy to protect the confidentiality, integrity, and availability of information and data. FERC seeks comment on whether the CIP Standards adequately address each data security subcategory as outlined in the NIST Framework and, if not, what are possible solutions.
• (2) Detection of anomalies and events – The security controls in the Anomalies and Events Category under the NIST Framework require that anomalous activity is detected and the potential impact of events is understood, and that the detected events are analyzed to understand attack targets and methods. FERC seeks comment on whether the CIP Standards adequately address the detection and mitigation of anomalous activity as outlined in the NIST Framework and, if not, what are possible solutions.
• (3) Mitigation of cybersecurity events – The security controls in the Mitigation Category under the NIST Framework require that newly identified vulnerabilities are mitigated or, alternatively, documented as accepted risks. FERC seeks comment on whether the CIP Standards adequately address the mitigation of newly identified vulnerabilities as outlined in the NIST Framework and, if not, what are possible solutions.

A commenter need not address all of these topics or answer every question.

FERC also questions whether greater defense in depth is warranted to better protect the BES from a coordinated attack on multiple cyber assets. FERC surmises that the risk of such a coordinated attack may be exacerbated by the recent shift from larger, centralized generation resources to smaller, more geographically distributed generation resources. Accordingly, FERC asks a number of specific questions regarding the procedures and security controls that are currently employed to protect against the potential risk of a coordinated cyberattack on geographically distributed targets on the BES, and seeks comment on whether FERC action, including potential modifications to the CIP Standards, would be appropriate to address such a risk.

Initial comments on the NOI are due August 24, 2020, and reply comments are due September 22, 2020.

The White Paper

In the White Paper, Staff recounts FERC efforts historically to provide incentives for infrastructure security and Staff's efforts to engage utilities to encourage voluntary infrastructure security investments and implementation of best practices for cybersecurity measures. Staff acknowledges that FERC's primary tool for promoting changes to cybersecurity practices—the CIP Standards—have "certain limitations," including that they do not require entities to employ best practices and that the standard development process "does not lend itself to addressing rapidly evolving cybersecurity threats." Consequently, Staff identifies the need for augmenting the CIP Standards with a new framework that encourages utilities to undertake cybersecurity investments voluntarily, including the adoption of best practices to protect their transmission systems and improve the security of the BES.

Under Staff's proposed framework, incentives for cybersecurity investments can include both return on equity (ROE) and non-ROE incentives. The ROE incentives, Staff notes, would apply only to the specific incremental cybersecurity investments identified in an applicant's filing. Staff proposes that utilities could be eligible for up to 200 basis points of ROE incentive for cybersecurity investments. To reduce ratepayer impacts, Staff proposes that all such ROE incentives be subject to a sunset date of no more than three to five years. As for non-ROE incentives, Staff provides examples, including accelerated depreciation, but notes that these may not create the most effective incentive since cybersecurity investments may not be capital-intensive.

To determine whether a utility's cybersecurity investments are eligible for incentives, FERC would need to develop an approach for identifying the cybersecurity investments it seeks to incentivize. The White Paper proposes two approaches. Under the first approach, a utility would voluntarily apply higher CIP Standard requirements to transmission elements that are not subject to those requirements (e.g., applying all requirements applicable to medium- or high-impact systems to low-impact systems). In return for this expanded application of the CIP Standards, FERC could provide the utility with an ROE adder or other incentives for capital expenditures incurred to apply the CIP Standards.

The second approach is based on a utility voluntarily implementing portions of the NIST Framework. Staff suggests that FERC could use the NIST framework to evaluate whether cybersecurity investments that exceed the CIP Standards are eligible for incentives. Under this second approach, a utility seeking an incentive would need to show how a proposed investment (e.g., infrastructure or software) would allow the utility to meet the NIST Framework, and how satisfying that framework would exceed the CIP Standards.

For each of these two approaches, Staff observed that a utility's application for an incentive will likely differ from applications for traditional transmission incentives. Under the first approach, the utility would need to show what CIP Standards were voluntarily applied and where, and would be presumed to be eligible for the incentive. Under the second approach, the utility's request would include a description of how investments meet the security controls under the NIST Framework, and exceed the CIP Standard requirements.

Staff invites interested parties to file comments on the matters addressed in the White Paper, various questions that Staff asks interested parties to consider, and any additional approaches for structuring an incentive for cybersecurity investments not explored in the White Paper. Initial comments are due August 17, 2020, and reply comments are due September 1, 2020.

Some Potential Challenges Regarding the NOI and White Paper

FERC and utilities face a number of challenges in considering incentives for cybersecurity investment pursuant to the NOI and the White Paper. From a policy perspective, stakeholders may see the dueling CIP Standards and NIST Framework as liable to cause regulatory confusion, and certain parties are likely to contest the notion that utilities should be financially incentivized to protect their cyber systems and challenge as excessive the level of any incentive that may be proposed.

There are also myriad issues to address from an implementation perspective, including how to manage investment timing issues given that cybersecurity threats are rapidly changing and the CIP Standards and NIST Framework are being scrutinized for possible modification. FERC clearly wants to promulgate measures to enhance cybersecurity, but the process is in the very early stages of what will likely be a protracted period of deliberation that is further complicated by COVID-19 and the uncertain outcome of the presidential election in November.