FERC Takes Action to Encourage Cybersecurity Investments

Mar 3, 2021

Reading Time : 2 min

By: Shawn Whites (Energy Regulatory Specialist)

The Commission’s Critical Infrastructure Protection (CIP) Reliability Standards require users, owners and operators of the “bulk-power system”1 to safeguard critical cyber assets. FERC categorizes assets based on the risk to the bulk-power system if the assets are compromised, with different requirements applying depending on the risk category. Most of the requirements apply to the high- and medium-risk categories.

In the face of “numerous and complex cybersecurity challenges,” some of which have been heightened by an increased reliance on telework in response to COVID-19, the NOPR recognizes that FERC’s existing cybersecurity framework has certain limitations. Developing and implementing rules to address evolving threats can take too long, and FERC’s focus on higher-risk assets for its mandatory standards fails to recognize the increasingly interdependent nature of networks and equipment that keep the power flowing.

To address these shortcomings, FERC proposes two approaches to bolster cybersecurity investments. Under the first approach, the Commission would offer incentive rate treatment to utilities that voluntarily apply existing CIP Reliability Standards to facilities that are not currently subject to those standards. For example, a utility could propose to apply standards applicable to high- and medium-risk assets to low-risk assets.

The second approach would borrow from the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).2 FERC proposes to offer incentive rate treatment for investments implementing certain security controls from the NIST framework that exceed the CIP Reliability Standards. At least initially, FERC proposes to limit incentives under this approach to investments in “automated and continuous monitoring,” such as a dynamic asset management program that would allow the utility to quickly detect previously unknown equipment on its network.

            The NOPR identifies two forms of incentive rate treatment: a Return on Equity (ROE) adder of 200 basis points on the qualifying investment3 and a deferred cost recovery benefit.4 FERC also intends to leave open the possibility for other types of incentive rate treatment, such as construction work in progress, on a case-by-case basis. Applications would be submitted pursuant to Section 205 of the Federal Power Act and must provide a detailed explanation of how the utility plans to implement the investment. Notably, applications seeking incentive treatment under the CIP Reliability Standards approach would be entitled to a rebuttable presumption that the investment materially enhances the bulk-power system, though no such presumption would be available under the NIST approach. FERC seeks comment on what kind of demonstration an applicant would need to make for incentive treatment under the NIST approach.


1 “Bulk-power system” means “facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and . . . electric energy from generation facilities needed to maintain transmission system reliability,” excluding “facilities used in the local distribution of electric energy.” 16 U.S.C. § 824o (2018).

2 NIST, Framework for Improving Critical Infrastructure Cybersecurity (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

3 The ROE adder would be available for capital investments under either the CIP Reliability Standards approach or the NIST approach.

4 The deferred cost recovery incentive would be available for certain expenses associated with investments that receive Commission approval for ROE incentives. Three categories of expenses would be eligible: (1) expenses associated with thirty-party provision of hardware, software, and computing networking services; (2) expenses for training to implement new cybersecurity enhancements; and (3) other implementation expenses, such as system assessments by third parties or internal system reviews and initial responses to findings of such assessments.

Share This Insight

Previous Entries

Speaking Energy

June 25, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to the California Independent System Operator Corporation (CAISO) directing CAISO and CAISO transmission owners to show cause as to why CAISO’s tariff should not be found to be unjust and unreasonable (California Indep. Sys. Operator Corp., 195 FERC ¶ 61,214 (2026) (the Order)) because it fails to sufficiently:

...

Read More

Speaking Energy

June 24, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to New York Independent System Operator, Inc. (NYISO) directing NYISO and NYISO transmission owners to show cause as to why NYISO’s tariff should not be found to be unjust and unreasonable (New York Independent System Operator, Inc., 195 FERC ¶ 61,216 (2026) (Order)) because it fails to sufficiently:

...

Read More

Speaking Energy

June 23, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to Midcontinent Independent System Operator, Inc. (MISO) directing MISO and MISO transmission owners to show cause as to why MISO’s tariff should not be found to be unjust and unreasonable (Midcontinent Independent System Operator, Inc., 195 FERC ¶ 61,212 (2026) (Order)) because it fails to sufficiently:

...

Read More

Speaking Energy

June 23, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to PJM Interconnection, L.L.C. directing PJM and PJM transmission owners to show cause as to why PJM’s tariff should not be found to be unjust and unreasonable (PJM Interconnection, L.L.C., 195 FERC ¶ 61,211 (2026) (the Order)) because it fails to sufficiently:

...

Read More

© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.