On Friday morning, just about the first email I received for the day was from a good friend who’s getting ready to take a cybersecurity job in the new administration and seems to read the Federal Register with his morning coffee (me, I read the Times and WaPo online, along with the WSJ - for balance, dontcha know - in hard copy).
His email included the FR
appearance (starting on page 8309) of FERC’s new NOPR on Cybersecurity
Incentives, which I hadn’t seen. He wanted to know what I thought of it, and I
promised to write a post about it on Sunday. Here’s that post, but I must admit
there’s a lot more meat in it than I thought. This post discusses one important
aspect of the NOPR – i.e. the money side – but I also want to weigh in on the
cybersecurity side as well; I’ll do that very soon.
The post builds on the white paper
on Cybersecurity Incentives Policy, put out by FERC staff last June. To sum it
up very briefly, the NOPR proposes that FERC will provide “transmission
incentives” to electric utilities that go beyond the NERC CIP standards to
implement certain designated cybersecurity measures that FERC deems valuable to
the interstate transmission system (which is really what FERC is concerned
with, as opposed to the BES that NERC concerns itself with. I can guess at the
difference between the two, but if someone knowledgeable wants to explain it to
me, I’d appreciate that).
Of course, when FERC talks about incentives, they’re not talking about money they can hand out – FERC doesn’t have a pot of gold sitting in its headquarters, ready to fork over to deserving utilities. They’re talking about rate relief, meaning the money will come from… guess who?… the ratepayers, of course.
But I was surprised that neither
the NOPR nor the white paper mentioned one fact: there are only about 35 utility
organizations in the US who will benefit from these incentives. As you probably
know, there are three main types of utilities in the US: investor-owned (IOUs),
municipals and cooperatives. There might be about 200 IOUs, but since the
majority are included in multi-utility holding companies, there are only about
35 separate investor-owned utility organizations, vs. literally thousands of
coops and municipals.
The IOUs are all regulated by the
state public utility commissions, who set their rates. FERC’s new regulations –
if they are implemented – will essentially tell the PUCs that they should allow
additional rate relief to the IOUs for the cybersecurity improvements described
in the NOPR. So the ratepayers that are served by IOUs will have to cough up a
little more on their monthly bills, to fund these improvements.
But what about the coops and
munis? Don’t they have ratepayers? No, they don’t. Coops have members, who essentially
share the cost of running the utility – there are no profits strictly speaking.
If the staff of the coop decides they need to spend more on cybersecurity, they’ll
need to get permission to spend that from the board, which is elected by the
members. FERC can say whatever they want, but a coop isn’t going to spend a
dime extra on cybersecurity unless their members agree to it.
And who are the “ratepayers” of a
municipal utility? They’re the citizens who live in the service area (which can
be a city, town, state, or region of a state – or, in the case of TVA, multiple
states). And who decides the rates? The utility is usually a department of a
local government, so they’re subject to the same accountability that any other
branch of that government is. If you don’t like the way the Roads Department is
patching potholes, you might vote against the current mayor in the next
election. And if you don’t like the electric rates charged by the Power
Department (although it doesn’t usually have that exact name), you also vote against
the mayor (of course, there are certainly other ways to pressure a municipal
utility over rates, such as petitions, rallies, etc).
Here’s the bottom line: There are 35
utility organizations in the US that will be able to take advantage of FERC’s “generosity”
(with their ratepayers’ money). But there are thousands of utilities that won’t
make a dime off of this proposal. However, it does need to be said that those
35 utility organizations account for around ¾ (or more) of total electric load
served in the US – so the proposal will certainly lead to an increase in overall
power cybersecurity (and hopefully reliability) for the great majority of American
electricity users.
At the same time, it would be nice
if the coops and munis, along with their members and voters, also got a little
piece of the action. However, as I said, FERC has no pot of gold to divvy up
with them.
But maybe they should. For a
while, I’ve believed that the cybersecurity of the power grid is really a
national concern and should be addressed on a national basis. Rather than
putting the squeeze on IOU ratepayers to pay for the greater part of grid
security (which they undoubtedly are at the moment. Munis and coops are
chronically underfunded for cybersecurity expenditures, although I’m very impressed
by how well they spend what they have available), it would be much better if
Congress would ask a few questions:
1. What will it cost to secure the US bulk electric system to the degree necessary for all of us to feel that we’re safe from power outages due to cyberattacks? I feel pretty safe right now, so I don’t think we need to spend a lot more than we are now, although I do think that what we do spend on cybersecurity could go a lot further if the NERC CIP standards were rewritten to be completely risk based (plus a few other important changes). On the other hand, there are certainly a lot of people who believe that the country needs to be spending a lot more on grid cybersecurity than even FERC’s proposing.

2. What would be the right distribution of that spending among the US population? The answer certainly wouldn’t be the simplest: divide the amount from item 1 by the number of households in the US. There are many considerations that would go into determining this optimal distribution of costs, and it’s certain that lots of people will be unhappy with any solution proposed. But Congress is there in order to allow the different voices to be heard, and reach… not the perfect solution, but a solution that’s one of the least hated.

3. Once Congress knows what item 2 is, they then need to look at what customers/members/voters are paying to each utility for cybersecurity expenditures and determine who’s overpaying (if anybody is currently overpaying) and who’s underpaying, relative to what their share should be.

4. But instead of raising everybody’s rates until we’ve reached the total in item 1, Congress now needs to consider: Since the security of the power grid benefits everybody, why should it be financed any differently than, say, the military? We don’t all pay a monthly bill based on how much we use military services, since most of the benefits from the military come about when they’re needed most – during war. When we’re not at war, the cost of having the military doesn’t fall to zero, even though its benefits aren’t anywhere near as visible. We need to fund the military continually, so we’re ready for the next war (although obviously the military performs lots of important functions between wars, one of the most important nowadays being cybersecurity).

5. I’m not saying we should have the government fund 100% of cybersecurity expenditures by electric utilities, any more than the government should fund 100% of expenditures on, say, transmission line construction. But, given that the expectations for cybersecurity expenditures by electric utilities are growing all the time, I am saying that expecting their ratepayers/members/voters to keep paying increasing amounts ad infinitum isn’t realistic at all. A certain portion will need to be funded out of general revenues on the national level.
I also have something to say on
the cybersecurity aspects of the NOPR. More on that soon.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.