Pepco Holdings Inc. (POM) and Exelon Corp. (EXC) are among the electric utilities seeking authority to raise customer rates or take other steps to recoup costs of meeting U.S. demands to protect the nation’s power grid from hackers.
Utilities face increased expenses to comply with cybersecurity regulations being developed by President Barack Obama’s administration, and representatives of several power companies said they want regulators to clarify how they can recover those costs.
Incentives for utilities should include the authority to raise rates, Edward Goetz, a vice president for Chicago-based Exelon, said yesterday in an interview in Washington.
Ensuring power generation and distribution networks are protected from hackers could represent “huge investments for companies like Exelon,” Goetz said, without providing a cost estimate. “We would look for some way to recover some of those costs because this is a national security issue.”
The U.S. Federal Energy Regulatory Commission requires about 1,100 utilities to ensure that generators, power meters and other components that are connected to the Internet are secure.
Obama has made protecting the power grid and other critical infrastructure from cyber-attacks a top priority, and in February issued an executive order directing regulators to review whether rules are needed for industries they oversee.
Obama’s executive order called for offering incentives to companies responsible for protecting critical infrastructure.
Allowing utilities to increase rates to cover cybersecurity expenses is one of eight incentives the administration is considering to encourage companies to better protect their networks, Michael Daniel, White House cybersecurity coordinator, wrote in a blog yesterday.
“To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a cybersecurity framework,” Daniel wrote. “While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments.”
Utilities want to recover costs they are paying now to protect their networks from digital attacks, Susan Mora, director of federal affairs for Washington-based Pepco, said in an interview at a conference hosted by the nonprofit Bipartisan Policy Center in Washington yesterday.
They also want the authority to be reimbursed as new threats arise and as additional regulations are established, she said.
The rules governing how utilities can recover costs need to be clarified, Tony Clark, a FERC commissioner, said in an interview.
Costs associated with energy distribution are overseen by states, while costs associated with power transmission are overseen by FERC, Clark said.
“The rules of the road have to be clear,” he said. “I understand their concerns because there are significant costs.”
Utilities are looking to FERC regulators or the Obama administration to clarify how they can go about seeking to recover cybersecurity-related expenses, Exelon’s Goetz said.
Doug Myers, chief information officer for Pepco, agreed. “Having some sort of federal consistency around what utilities should be able to recover I believe is in our national interest,” he said.
In addition to raising rates, another option could be allowing utilities to be reimbursed through federal grants, said Myers. He didn’t have an estimate for how much in expenses Pepco might seek to recover.
Awareness among utility executives about the potential damage of cyber-attacks “has risen dramatically” in the past three years, Chris Peters, a vice president for Entergy Corp. (ETR), based in New Orleans, said at the conference yesterday.
“The cyber message needs to come from the top,” he said. “We have to maintain an accurate security and compliance state.”
The Stuxnet computer worm was discovered in 2010 to have damaged Iranian nuclear facilities, the first time a cyber weapon was known to have caused physical damage to infrastructure.
An August 2012 cyber attack on the state-owned Saudi Arabian Oil Co. using the Shamoon computer malware damaged as many as 30,000 computers, showing that energy company networks are exposed to significant threats, according to a September 2012 report from The Baker Institute at Rice University in Houston, a public-policy nonprofit organization.
“The potential for a real cyberattack capable of physically impacting electricity generation and transmission as well as upstream and downstream oil and gas operations has moved from hypothetical to possible,” the report stated.
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com