The staff paper opens with an overview of staff’s perception of cybersecurity threats to the Commission-jurisdictional Bulk Electric System (BES), along with the work of the Commission and electric reliability organization NERC to adopt and enforce mandatory CIP Reliability Standards pursuant to the Energy Policy Act of 2005. The initial CIP Reliability Standards were approved by the Commission in 2008, and they have been modified several times to address new technologies and “the evolving nature of cyber-related threats to the bulk power system.”
According to the staff paper, as of mid-June 2020, the CIP Reliability Standards “consist of 13 standards specifying a set of requirements that registered entities must follow to ensure the cyber and physical security of the bulk power system” including 10 active cybersecurity standards, 1 active physical security standard, and two cybersecurity standards which will take effect in the near future.
The report next addresses “why there is a need to adopt a new approach to incentivize cybersecurity investments.” According to the white paper, “While the CIP Reliability Standards form an effective technical baseline for cybersecurity practices, they have certain limitations.” According to staff, the standards do not necessarily require covered entities to adopt best practices, and the process through which mandatory standards are developed is poorly suited to agile action in response to emerging or evolving needs.
For these reasons, this staff paper discusses augmenting the current CIP Reliability Standards under FPA section 215 with an incentive-based approach under FPA section 219 that encourages utilities to undertake cybersecurity investments on a voluntary basis. This approach would incentivize a utility to adopt best practices to protect its own transmission system as well as improve the security of the BES. Further, it could allow the industry to be more agile in monitoring and responding to new and (un)anticipated cybersecurity threats, to identify and respond to a wider range of threats, and to address threats with comprehensive and more effective solutions. An incentive-based approach allows a utility to tailor its request for incentives to the potential challenges and responsive actions that it faces. In the future, these voluntary actions taken by utilities, if proven beneficial, could be the basis of future CIP Reliability Standards that are mandatory.As noted by staff, if the Commission wants to provide transmission incentives for cybersecurity investments, the Commission may need to “establish a new framework for evaluating requests for transmission incentives by utilities for cybersecurity investments.” Staff suggests that “a first necessary step is to establish approaches that examine the effectiveness of cybersecurity investments in enabling the utility to achieve a level of protection that exceeds the CIP Reliability Standards but also enhances the security of its transmission system.”
According to the whitepaper, this kind of evaluation will enable utilities to “identify the cybersecurity investments for which it seeks transmission incentives” and the Commission to “evaluate such transmission incentive requests”. In the whitepaper, staff discusses traditional ratemaking incentives available to transmission projects, and how the Commission could apply these incentives in the context of cybersecurity; two possible ways to evaluate which cybersecurity investments warrant incentives; and a proposed process for utilities to apply for cybersecurity incentives.
Staff invited interested parties to file comments on the staff paper and on 11 sets of specific questions it identifies, with comments due within 60 days of the paper’s issuance and reply comments due within 75 days of its issuance.
No comments:
Post a Comment