Paul Dumais
CEO Dumais Consulting

Owner and CEO of Dumais Consulting, which provides expert ratemaking services to energy companies. Dr. Dumais is a ratemaking and regulatory expert who specializes on...

  • Dec 24, 2020

FERC issued a Notice of Proposed Rulemaking (NOPR) in Docket RM-21-3 that would allow public utilities to request incentives for certain cybersecurity investments that go above and beyond the requirements of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. The proposed cybersecurity incentives framework encourages public utilities to undertake, on a voluntary basis, cybersecurity investments that exceed the requirements of the mandatory CIP Reliability Standards and thereby better ensure secure service for customers. This approach would incent a public utility to adopt cybersecurity practices that would not only better protect its own systems but also improve the cybersecurity of the Bulk-Power System. The NOPR includes two incentive approaches.

The first approach, the NERC CIP Incentives Approach, would allow a public utility to receive incentive rate treatment for voluntarily applying identified CIP Reliability Standards to facilities that are not currently subject to those requirements.

  • Under the NERC CIP Incentives Approach, a public utility has two options for requesting an incentive.  A public utility would request incentive rate treatment for voluntarily applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems, referred to as the Medium/High Incentive. 
  • Alternatively, or in addition to the Medium/High Incentive, a public utility would request incentive rate treatment for voluntarily ensuring that all external routable connectivity to and from the low impact system connect to a high or medium impact bulk electric system Cyber System, referred to as the Hub-Spoke Incentive.

The second approach would allow a public utility to receive incentive rate treatment for implementing certain security controls included in the Cybersecurity Framework developed by the National Institute of Standards and Technology, the NIST Framework. This is the NIST Framework Approach. The NIST Framework includes many types of security controls; however, the NOPR proposes to initially only consider one type of security controls, automated and continuous monitoring, as eligible for an incentive under this approach.

The NOPR would allow a public utility to request incentives using any combination of the two proposed approaches.

Under the NOPR, a public utility that makes cybersecurity investments consistent with the two approaches that we have described would be eligible for one of the following two types of incentives:

  • The first incentive would apply a 200 basis-point adder to the return on equity for eligible cybersecurity capital investments and is referred to as the Cybersecurity ROE Incentive.
  • Alternatively, the second incentive would allow a public utility to seek deferred cost recovery for certain expenses related to cybersecurity investments and is referred to as the Regulatory Asset Incentive.

Finally, the NOPR describes the showings that a public utility would have to make to receive either incentive and would require an annual informational filing. Initial comments are due 60 days (mid-February 2021), and reply comments 90 days (mid-March 2021), after the date of publication in the Federal Register.

Matt Chester on Dec 24, 2020

It's interesting to see development of this in an incentive route rather than a mandate route. I'd think that regulation would be more required, given that weakness in one asset can be a threat to the whole grid.

Richard Brooks on Dec 24, 2020

This FERC docket is indeed an improvement over the current NERC CIP standards, guidelines and practices. I'm guessing this NOPR was produced before the SolarWinds software supply chain incursion was discovered, as there is no specific mention of the need for software supply chain risk assessments. Maybe this will change in the final Order.
