This article was published in Intelligent Utility Newsletter, January 2015 and authored by William E. Reiter II, Vice President of Security at Telgian Corporation.
What every utility should know about the new physical security standard
William E. Reiter | Jan 29, 2015
On April 16, 2013, an incident in San Jose, California, led to development of a new physical security standard for owners and operators of transmission stations and substations.
In the 2013 incident, a sniper attack on a Pacific Gas & Electric transmission substation knocked out 17 large transformers that powered Silicon Valley. The sniper attack served as a dramatic wake-up call for the industry and raised fears regarding the vulnerability of the nation’s power grid to terrorist attack.
The more than 160,000 transmission line miles that comprise the U.S. power grid are designed to handle natural and man-made disasters, as well as fluctuations in demand; but what about physical attack?
As a result of the San Jose assault, the Federal Energy Regulatory Commission (FERC) in April 2014 required the North American Electric Reliability Corporation (NERC) to establish Critical Infrastructure Protection (CIP) standards to “address physical security risks and vulnerabilities related to the reliable operation” of the bulk power system.
NERC developed and issued what is now commonly referred to as CIP-014-1. This is a physical security standard whose stated purpose is to identify and protect transmission stations and transmission substations, and their associated primary control centers, that—if rendered inoperable or damaged as a result of a physical attack—could result in uncontrolled separation or cascading within an interconnection.
CIP-014-1 has essentially two major components, each with three specific requirements. The first major component is applicability and the second is security. Here’s a breakdown of what every utility should know about the requirements of CIP-014-1.
Applicability: Requirements 1-3
R1: The primary purpose of the first requirement is to determine whether your particular transmission stations and/or transmission substations are covered by the standard. The R1 process requires an initial risk assessment, and subsequent risk assessments, of your transmission stations and transmission substations to ascertain whether they meet the criteria specified in the Applicability Section 4.1.1. In addition, during the R1 risk assessment the transmission owner must identify the primary control center that operationally controls each transmission station or transmission substation.
R2: The second part of the standard requires each transmission owner to have an unaffiliated third party verify the risk assessment performed under requirement R1. An unaffiliated third party in this context is considered to be someone outside the corporate structure.
R3: The third requirement involves notification of control center operators of the primary control centers identified in the R1 assessment.
Security: Requirements 4-6
R4: For those locations identified in the R1, R2 and R3 process, owners are required to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on their location. The assessment is required to include unique characteristics (e.g., terrain, crime statistics, weather), prior history of attacks on similar facilities, and intelligence or threat warnings.
R5: This step requires developing, and eventually implementing, a documented security plan that addresses each of the impacted locations identified as a result of the R4 assessment and their identified threats and vulnerabilities. The essential elements of the plan must include:
- Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to identified potential physical threats and vulnerabilities;
- Contact and coordination with law enforcement;
- A timeline for executing the physical security enhancements or modifications; and,
- Provisions for evaluating evolving physical threats and any necessary corresponding security measures.
R6: The final step requires the engagement of a “qualified, unaffiliated third party” to review the evaluation performed under R4 and the security plan developed under R5 to make a professional judgment of the assessment.
In addition to the summary above, other requirements of which utility owners should be aware include:
- Owners must put in place non-disclosure procedures to protect sensitive or confidential information from public disclosure.
- This is not a “one time deal.” Subsequent risk assessments are required under the standard to maintain physical security of transmission stations and substations in the future.
- Engagement of unaffiliated third parties is not limited to R2 and R6; third parties may be engaged throughout the process to ensure compliance with the new standard. Whether you use a third party only as required or in every step of the process, the earlier that party is engaged, the more likely it is that thorough, practicable and cost-effective solutions can be found.
Utility owners who understand and act quickly to comply with the new standard will not only safeguard themselves from future penalties for non-compliance but also safeguard our nation’s critical electrical infrastructure from the potentially catastrophic consequences of physical attack.