On March 13, 2019, in AC19-75, Duke Energy Corporation, on behalf of its six utility operating companies1 (collectively, Duke), filed an accounting request for approval to treat its Cybersecurity Informational Technology-Operational Technology Program (Cybersecurity Program) as a single project for purposes of calculating Allowance for Funds Used During Construction (AFUDC). FERC approved Duke’s request.
Duke requested approval to treat its Cybersecurity Program as a single project for purposes of determining the accrual period for AFUDC and the in-service date for those assets constructed as part of the Cybersecurity Program. Duke seeks confirmation that it may continue to accrue AFUDC on all of the Cybersecurity Program’s costs until all of the deliverables have been tested, found to be used and useful by Duke’s Operations Council, and placed in service after the completion of the entire Cybersecurity Program. Duke states that it will make over $137 million in capital investments as part of its Cybersecurity Program over the next 36 to 42 months across its generation, transmission, and distribution assets to address the increasing threat of cyberattacks. Duke explains that the Cybersecurity Program is designed based on the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, which consists of five core functions—identify, protect, detect, respond, and recover. According to Duke, it will make capital investments and deploy hardware and software to address each of these core functions on an enterprise-wide basis. Duke states that the focus areas of the Cybersecurity Program include safety systems critical to protect customer’s and employee’s safety, reliability systems critical to reliably operate the platforms, and security systems critical to protecting assets and operations as well as to detecting security anomalies across the platforms. Consistent with the Commission’s AFUDC policy, Duke explains that it has assessed whether capital expenditures for the Cybersecurity Program continue to be incurred and activities that are necessary to get the construction project ready for its intended use are in progress for the duration of construction of all of the Cybersecurity Program’s assets. Duke states that, under its Cybersecurity Program, it “will incur a continuous and steady stream of construction activity expenses” through early 2022. According to Duke, the deliverables for each of the NIST Cybersecurity Framework’s five core functions—identify, protect, detect, respond, and recover—involve complementary, interrelated and interdependent technologies and, “[t]o be effective, all the interdependent hardware and software must be implemented across the entire enterprise, which will take the duration of the Program.” Duke asserts that, although the constituent parts of the Cybersecurity Program will be deployed over shorter timeframes, the Cybersecurity Program’s intended use and benefits—to optimize cybersecurity protection across all lines of business—cannot be achieved until the entire Cybersecurity Program is complete. Duke further declares that “no singular Program asset or deliverable will be ready for service or provide protection value until the completion of the entire Program.”
Under the Commission’s existing AFUDC policy in Accounting Release No. 5, AFUDC may continue to accrue on a project as long as two conditions are present: “(1) capital expenditures for the project [continue to be] incurred; and (2) activities that are necessary to get the construction project ready for its intended use are in progress.” Accounting Release No. 5 states that “[c]apitalization of AFUDC stops when the facilities have been tested and are placed in, or ready for, service,” which includes “those portions of construction projects completed and put into service although the project is not fully completed.” The instructions for AFUDC in the Commission’s Uniform System of Accounts also state that: When a part only of a plant or project is placed in operation or is completed and ready for service but the construction work as a whole is incomplete, that part of the cost of the property placed in operation or ready for service, shall be treated as Electric Plant in Service and [AFUDC] thereon as a charge to construction shall cease. [AFUDC] on that part of the cost of the plant which is incomplete may be continued as a charge to construction until such time as it is placed in operation or is ready for service . . . . Duke’s request was to seek clarification that it could treat the Cybersecurity Program as one project.
Dr. Paul Dumais
CEO of Dumais Consulting with expertise in FERC regulatory matters, including transmission formula rates.