Historically, utilities have shouldered the burden of mitigating the security risks inherent in energy generation, distribution and transmission. The utilities were, and continue to be, well-placed to do so as they benefit from historical knowledge, existing relationships with regulators and grid operators, large and highly trained workforces and, perhaps most importantly, the ability to rate base. Although the nature of risks has evolved over the years, with terror threats and privacy concerns added to the list of conventional risks like weather events, traditional utilities have been up to the task with a few noteworthy exceptions.
However, the traditional model of energy generation and distribution is in the midst of an evolution that, arguably, could be more impactful to the U.S. grid than deregulation has been. Even in competitive generation markets, retail interaction with customers has been handled almost exclusively by the utility as an energy aggregator with the ability to rate base. Places like New York are now serving as the test labs for alternate models as regulators there have been shifting their gazes toward distributed generation models where smaller, independent entities would drive power supply through resources co-located, or else located in proximity, with end users.
While there are undoubted opportunities embedded in such a model, it is also true that there are risks that need to be addressed. Distributed generation resources are arguably physically safer from attack than large, centralized plants and generally increase the resiliency of the grid. However, the opportunities being afforded to distributed generation developers and owners almost inherently mean the entrance into the market of smaller, potentially inexperienced operators who, under most models, won’t have the same rate-basing opportunities as utilities.
It shouldn’t be difficult for even advocates of distributed generation-focused systems to see that such a system could be susceptible to everything from cyber attacks, both hindering the functions of the grid and creating privacy concerns, to hardware attacks, in a way that has not been the case in the past. Against this backdrop is the reality that the reliance on technology to manage the grid in a distributed generation environment will increase exponentially at just the point in history when the capabilities of threats to the grid have never been higher.
While these problems are clear, their resolutions remain murky. As a policy matter, it is still unclear where the burden for grid security will ultimately fall under new frameworks. As is often the case in the fragmented environment that is the hallmark of U.S. energy regulation, it is possible that burdens could fall unequally on classes of customers or on different market participants in different jurisdictions. In cases where burdens fall mainly on distributed generation owners, it is likely that at least one solution will be provided by insurers.
Insurers already address risks related to terror, weather, business interruptions and cyber threats among other things related to the issues noted above. However, insurance is already one of the largest, if not the largest, costs involved in the ongoing operation of renewable energy facilities after they are placed in service. Cobbling together a set of disparate coverages to mitigate risks would be too heavy a financial burden for most renewable energy operators. As a result, it is unclear that insurance products currently exist that would mitigate the risks created by the security burdens that could be placed on generators in the grid of tomorrow in a cost-effective manner.