The North American Electric Reliability Corporation (NERC) is currently drafting a physical security standard for approval by the Federal Energy Regulatory Commission (FERC). This much-needed proposed standard will eventually prescribe physical security for transmission stations and substations operating above 500 kV, and in some cases operating as low as 200 kV. Say hello to NERC CIP-014-1.
The stated purpose of NERC CIP-014-1 is: “To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection.”
CIP-014-1, or “Sip Fourteen,” requires each transmission operator to perform an initial physical security risk assessment and periodic subsequent physical risk assessments. Effective security proceeds from a thorough risk assessment – this is the right starting place. Each risk assessment then requires an audit by a third party. The plan goes on to require operators to define risk mitigation plans, to have those plans audited by a third party, and to then implement the plan. Finally, a third party must validate that the plan has been properly implemented.
Not So Wide
This sounds like a long, drawn-out process, but it’s the right pathway: assess the risk, plan the mitigation, and then execute the plan. Each step audited by a non-affiliated third party. Security done right.
The FERC liked NERC’s proposal except for one word: widespread. Where the FERC had directed NERC to develop a plan that requires “identification of facilities whose loss could result in instability, uncontrolled separation, or cascading failures,” NERC modified the requirement to refer to widespread instability. The FERC rejected this: “The term ‘widespread’ is undefined and could potentially render the Reliability Standard unenforceable or could lead to an inadequate level of reliability by omitting facilities that are critical to the reliable operation of the Bulk-Power System.”
In other words, the FERC is nervous that any given utility may choose to define widespread instability as a total global blackout, making anything less severe outside the scope of this standard. There’s a precedent for this: the original deployment of NERC CIP standards resulted in 77% of U.S. utilities claiming that they had no critical cyber assets and were therefore automatically NERC CIP-compliant without taking any action. It’s not exactly back to the drawing board for NERC, as the FERC praised much of NERC’s proposed standard, but it is one more go-round of comments, proposals, and approval. And to the FERC: Good catch!
One other much-welcomed bit of goodness in the proposal is resiliency. The FERC writes in its comments, “Resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks.” Amen and hallelujah! As we learned with the Metcalf Substation in April 2013, some kinetic attacks cannot be prevented. But Pacific Gas and Electric (PG&E) had enough network resiliency in place that even the loss of a large substation resulted in not one outage. PG&E knew: you can’t hold off all the attackers, but you can have a Plan B in place to deal with their damage. And if that Plan B is automated, so much the better.