Quiero saber acerca de...

8314

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
for improved incident response time, pre-emptive planning, and system optimization. Further, relying on FPA
sections 205 and 206 would allow public utilities to be more agile in monitoring and responding to new and unanticipated cybersecurity threats, to identify and respond to a wider range of threats, and to address threats with comprehensive and more effective solutions. An incentive-based approach allows a public utility to tailor its request for incentives to the potential challenges and responsive actions that it faces. Finally, while we recognize that granting incentives to a public utility under this proposal will have an impact on the public utilitys rates, we believe that such impact, over time, will be outweighed by the public utility having a more secure grid and services for the benefit of ratepayers.
IV. Discussion A. Cybersecurity Incentives Framework 20. Pursuant to FPA sections 205 and 206,49 we propose to add 35.48 to the Commissions regulations to establish rules to provide incentive-based rate treatments for voluntary cybersecurity investments made by a public utility for or in connection with the transmission or sale of electric energy subject to the jurisdiction of the Commission. FPA
sections 205 and 206 give the Commission authority over the rates of a public utility for or in connection with the transmission or sale of electric energy subject to the Commissions jurisdiction.50 The Commissions FPA
section 205 and 206 authority is broader than the Commissions authority under FPA section 219. FPA section 219
requires the Commission to issue a rule that provides incentive rate treatment for the transmission of electric energy in interstate commerce by public utilities for the purpose of benefitting consumers by ensuring reliability and reducing the cost of delivered power by reducing transmission congestion.51 However, in this NOPR the Commission is proposing to provide incentives for a different purpose under a different section of the 49 16

U.S.C. 824da.
U.S.C. 824da FPA section 205a provides that all rates and charges made, demanded, or received by any public utility for or in connection with the transmission or sale of electric energy subject to the jurisdiction of the Commission, and all rules and regulations affecting or pertaining to such rates or charges shall be just and reasonable;
see also FERC v. Elec. Power Supply Assn, 136 S.
Ct. 760, 774 2016 stating the Commissions FPA
section 205 and 206 jurisdiction extends to practices that directly affect Commissionjurisdictional rates and that are not otherwise expressly excluded from the Commissions jurisdiction.
51 16 U.S.C. 824sa.

jbell on DSKJLSW7X2PROD with PROPOSALS

50 16

VerDate Sep<11>2014

16:29 Feb 04, 2021

Jkt 253001

FPA: To provide incentives for cybersecurity investment not only in transmission facilities but also for cybersecurity investment in information technology and operational technology 52 networks that a public utility uses to provide other jurisdictional services. Reliance on FPA
sections 205 and 206, therefore, allows for a more comprehensive way to encourage cybersecurity investment than is available under FPA section 219.
We believe that this comprehensive approach is warranted because cybersecurity threats to a public utilitys system can come in a variety of forms, such as through a public utilitys information technology and management systems, and not just through a public utilitys systems that directly operate its transmission facilities. In addition, the means a public utility may need to use to protect against cybersecurity intrusions that may harm its jurisdictional system may not be limited to steps to protect the public utilitys systems that run its transmission assets. Incentive ratemaking to encourage cybersecurity investments for not only those systems that are used to directly operate a public utilitys transmission system but also other systems used for the provision of jurisdictional services is consistent with our general ratemaking authority under FPA sections 205 and 206 under which we may depart from cost-of-service ratemaking.53 We believe that this action is appropriate to facilitate increased cybersecurity investment, and that the resulting rates will be just and reasonable.
B. Applicable Cybersecurity Investments 21. We propose to add 35.48b to the Commissions regulations to authorize incentive-based rate treatments for a public utility that makes voluntary cybersecurity investments in the Bulk-Power System, provided that the proposed incentive is 52 Operational technology is defined as programmable systems or devices that interact with the physical environment or manage devices that interact with the physical environment. These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. NIST, Computer Security Resource Center Glossary, https csrc.nist.gov/glossary/term/
operational_technology.
53 Incentive Ratemaking for Interstate Natural Gas Pipelines, Oil Pipelines, & Elec. Utilities, 61 FERC
61,168, at 61,594 1992; see also Farmers Union Cent. Exchange, Inc. v. FERC, 734 F.2d 1486, 1503
04 D.C. Cir. 1984 In some circumstances, the contrasting or changing characteristics of regulated industries may justify the agencys decision to take a new approach to the determination of just and reasonable rates..

PO 00000

Frm 00006

Fmt 4702

Sfmt 4702

just and reasonable and not unduly discriminatory or preferential.
1. NERC CIP Incentives Approach 22. We propose to add 35.48b1 to the Commissions regulations to provide that a public utility may receive incentive rate treatment for voluntarily applying identified CIP Reliability Standards to facilities that are not currently subject to those requirements NERC CIP Incentives Approach. Using the existing CIP Reliability Standards as a framework for providing cybersecurity incentives allows the Commission to leverage an existing set of baseline cybersecurity requirements. Further, public utilities and the Commission are already familiar with the CIP Reliability Standards and encouraging public utilities to voluntarily apply known standards to additional facilities will establish a benchmark for determining eligibility for an incentive.
23. As discussed above, CIP002
Bulk Electric System Cyber System Categorization implements a tiered approach to categorizing assets, requiring an entity to categorize its cyber assets as high, medium, or low risk to the reliable operation of the BES
if compromised. These impact ratings determine which requirements in the CIP Reliability Standards CIP003
though CIP013 apply to BES Cyber Systems.
24. The CIP version 5 Standards became enforceable for high and medium impact BES Cyber Systems on July 1, 2016, and the CIP Reliability Standards applicable to low impact BES
Cyber Systems became enforceable on April 1, 2020. In approving the CIP
version 5 Standards, the Commission determined that categorizing BES
Cyber Systems based on their low, medium, or high impact on the reliable operation of the BES, with all BES Cyber Systems being categorized as at least low impact, offers more comprehensive protection of the bulk electric system and that the new cybersecurity controls improve the security posture of responsible entities. 54
25. We propose two ways for a public utility to demonstrate that it is eligible for a cybersecurity incentive through voluntary investment in applying the requirements of the CIP Reliability Standards to additional facilities. Public utilities that choose to request the proposed incentives under the NERC
CIP Incentives Approach will receive a rebuttable presumption that the investments materially enhance the security posture of the Bulk-Power System by enhancing the applicants 54 Order
E:FRFM05FEP1.SGM

No. 791, 145 FERC 61,160 at P2.

05FEP1