Sunday, February 7, 2021

FERC’s NOPR on Cybersecurity Incentives – part I

On Friday morning, just about the first email I received for the day was from a good friend who’s getting ready to take a cybersecurity job in the new administration and seems to read the Federal Register with his morning coffee (me, I read the Times and WaPo online, along with the WSJ - for balance, dontcha know - in hard copy).

His email included the FR appearance (starting on page 8309) of FERC’s new NOPR on Cybersecurity Incentives, which I hadn’t seen. He wanted to know what I thought of it, and I promised to write a post about it on Sunday. Here’s that post, but I must admit there’s a lot more meat in it than I thought. This post discusses one important aspect of the NOPR – i.e. the money side – but I also want to weigh in on the cybersecurity side as well; I’ll do that very soon.

The NOPR builds on the white paper on Cybersecurity Incentives Policy that FERC staff put out last June. To sum it up very briefly, the NOPR proposes that FERC will provide “transmission incentives” to electric utilities that go beyond the NERC CIP standards by implementing certain designated cybersecurity measures that FERC deems valuable to the interstate transmission system (which is really what FERC is concerned with, as opposed to the BES that NERC concerns itself with; I can guess at the difference between the two, but if someone knowledgeable wants to explain it to me, I’d appreciate that).

Of course, when FERC talks about incentives, they’re not talking about money they can hand out – FERC doesn’t have a pot of gold sitting in its headquarters, ready to fork over to deserving utilities. They’re talking about rate relief, meaning the money will come from… guess who? The ratepayers, of course.

But I was surprised that neither the NOPR nor the white paper mentioned one fact: there are only about 35 utility organizations in the US who will benefit from these incentives. As you probably know, there are three main types of utilities in the US: investor-owned (IOUs), municipals and cooperatives. There might be about 200 IOUs, but since the majority are included in multi-utility holding companies, there are only about 35 separate investor-owned utility organizations, vs. literally thousands of coops and municipals.

The IOUs are all regulated by the state public utility commissions, who set their rates. FERC’s new regulations – if they are implemented – will essentially tell the PUCs that they should allow additional rate relief to the IOUs for the cybersecurity improvements described in the NOPR. So the ratepayers that are served by IOUs will have to cough up a little more on their monthly bills, to fund these improvements.

But what about the coops and munis? Don’t they have ratepayers? No, they don’t. Coops have members, who essentially share the cost of running the utility – there are no profits strictly speaking. If the staff of the coop decides they need to spend more on cybersecurity, they’ll need to get permission to spend that from the board, which is elected by the members. FERC can say whatever they want, but a coop isn’t going to spend a dime extra on cybersecurity unless their members agree to it.

And who are the “ratepayers” of a municipal utility? They’re the citizens who live in the service area (which can be a city, town, state, or region of a state – or, in the case of TVA, multiple states). And who decides the rates? The utility is usually a department of a local government, so they’re subject to the same accountability that any other branch of that government is. If you don’t like the way the Roads Department is patching potholes, you might vote against the current mayor in the next election. And if you don’t like the electric rates charged by the Power Department (although it doesn’t usually have that exact name), you also vote against the mayor (of course, there are certainly other ways to pressure a municipal utility over rates, such as petitions, rallies, etc).

Here’s the bottom line: There are 35 utility organizations in the US that will be able to take advantage of FERC’s “generosity” (with their ratepayers’ money). But there are thousands of utilities that won’t make a dime off of this proposal. However, it does need to be said that those 35 utility organizations account for around ¾ (or more) of total electric load served in the US – so the proposal will certainly lead to an increase in overall power cybersecurity (and hopefully reliability) for the great majority of American electricity users.

At the same time, it would be nice if the coops and munis, along with their members and voters, also got a little piece of the action. However, as I said, FERC has no pot of gold to divvy up with them.

But maybe they should. For a while, I’ve believed that the cybersecurity of the power grid is really a national concern and should be addressed on a national basis. Rather than putting the squeeze on IOU ratepayers to pay for the greater part of grid security (which they undoubtedly are at the moment. Munis and coops are chronically underfunded for cybersecurity expenditures, although I’m very impressed by how well they spend what they have available), it would be much better if Congress would ask a few questions:

1. What will it cost to secure the US bulk electric system to the degree necessary for all of us to feel that we’re safe from power outages due to cyberattacks? I feel pretty safe right now, so I don’t think we need to spend a lot more than we are now, although I do think that what we do spend on cybersecurity could go a lot further if the NERC CIP standards were rewritten to be completely risk based (plus a few other important changes). On the other hand, there are certainly a lot of people who believe that the country needs to be spending a lot more on grid cybersecurity than even FERC’s proposing.

2. What would be the right distribution of that spending among the US population? The answer certainly wouldn’t be the simplest one: divide the amount from item 1 by the number of households in the US. There are many considerations that would go into determining this optimal distribution of costs, and it’s certain that lots of people will be unhappy with any solution proposed. But Congress is there in order to allow the different voices to be heard, and to reach… not the perfect solution, but a solution that’s one of the least hated.

3. Once Congress knows what item 2 is, they then need to look at what customers/members/voters are paying to each utility for cybersecurity expenditures and determine who’s overpaying (if anybody is currently overpaying) and who’s underpaying, relative to what their share should be.

4. But instead of raising everybody’s rates until we’ve reached the total in item 1, Congress now needs to consider: Since the security of the power grid benefits everybody, why should it be financed any differently than, say, the military? We don’t all pay a monthly bill based on how much we use military services, since most of the benefits from the military come about when they’re needed most – during war. When we’re not at war, the cost of having the military doesn’t fall to zero, even though its benefits aren’t anywhere near as visible. We need to fund the military continually, so we’re ready for the next war (although obviously the military performs lots of important functions between wars, one of the most important nowadays being cybersecurity).

5. I’m not saying we should have the government fund 100% of cybersecurity expenditures by electric utilities, any more than the government should fund 100% of expenditures on, say, transmission line construction. But, given that the expectations for cybersecurity expenditures by electric utilities are growing all the time, I am saying that expecting their ratepayers/members/voters to keep paying increasing amounts ad infinitum isn’t realistic at all. A certain portion will need to be funded out of general revenues on the national level.

I also have something to say on the cybersecurity aspects of the NOPR. More on that soon.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 
