
Regulatory Update

NERC Files Report on Effectiveness of CIP-014 Physical Security Standard

Sarah Fuller & Larry Fitzgerald | May 25, 2023

On behalf of the North American Electric Reliability Corporation (NERC), its President and CEO, Jim Robb, recently presented to the Federal Energy Regulatory Commission (FERC) a summary of NERC’s report on the effectiveness of NERC’s CIP-014 Physical Security Standard. There were almost 1,700 physical security incidents reported to the Electricity-Information Security Analysis Center (E-ISAC) in 2022, an increase of 10.5% from 2021. Typical physical security incidents against the power system involve vandalism, tampering, arson and ballistic damage. NERC’s report outlines future actions to strengthen the physical security standard and foster robust stakeholder engagement to implement additional risk-based enhancements.

Report Makes Findings on Applicability, Risk Assessment and Protection

NERC’s CIP-014 standard came under scrutiny following recent highly publicized physical security attacks on utility facilities. NERC’s report on CIP-014 effectiveness found that the applicability criteria of the standards meet the objectives of CIP-014 (Bulk Power System Protection) and NERC does not recommend expansion of the CIP-014 applicability. CIP-014 was conceived to identify only those critical assets that, if rendered inoperable, could result in instability, uncontrolled separation, or cascading power system conditions. The criteria established by CIP-014 make the requirements applicable to the majority of the 345 kV and all 500 kV substations. NERC’s analysis does not suggest that attacks on additional assets, beyond those already identified, would result in the negative outcomes that CIP-014 was designed to protect against.

NERC found that the objective of the CIP-014 risk assessment requirements remains appropriate but additional specificity is needed concerning expectations and methods used for the risk assessment (R1) to identify which of the subset of applicable substations should be deemed “critical” under the standard.

Data from the NERC compliance monitoring and enforcement program showed inconsistent approaches to performing the risk assessment (R1), especially as it relates to dynamic studies. In some instances, utilities provided neither the technical studies expected nor adequate justification for study decisions. NERC believes inconsistent approaches to the risk assessment originate from a lack of specificity in the CIP-014 requirement language concerning the nature and parameters used in the risk assessment. To address this, NERC will initiate a standards development project to provide additional clarity and is developing a Standard Authorization Request.

NERC is not recommending a common minimum level of physical security protections at this time, but rather advocates that utilities take a risk-based approach to physical security based on location, exposure of the facilities, and the extent of the impact locally for loss of those facilities.

NERC and FERC are planning to hold a technical conference on the subject sometime in the next several months. The development of a Standard Authorization Request (SAR) to change CIP-014 is underway.

Next Steps

TRC recommends that utility clients review the NERC physical security report and its findings. Utilities should consider beginning the process of internally reviewing how they would modify their physical security plans and procedures to adapt to the stakeholder discussion as it unfolds.

Resources:

NERC Report to FERC on CIP-014 effectiveness

TRC Physical and Cyber Security Services

TRC Services – NERC Compliance

Your Trusted Regulatory Advisor:

The foregoing FERC action is a significant regulatory event which will implement fundamental changes in security preparation and operating obligations.

TRC closely follows the national and state regulatory trends in all regions of North America. Our approach to power system security, engineering, planning, design, construction and commissioning testing balances solutions that incorporate industry reliability risk trends, mandatory reliability standard requirements, regulatory guidance, compliance obligations, best practices, operational goals, and budgets. With expertise in power system engineering, planning and operations, TRC supports public utilities and private energy providers in their efforts to stay ahead of the curve and to meet or exceed regulatory requirements as they evolve.

This regulatory update is provided as a service to TRC’s utility clients, helping to keep you informed of forward-looking issues that will impact your company’s electric system reliability risks along with related topics regarding regulatory developments to help you achieve your company’s business goals.

Sarah P. Fuller

Sarah P. Fuller, M.A., CPTED, BPATS, is an Emergency and Security Planner with TRC’s Security and Emergency Management Services team. She specializes in threat and vulnerability assessments for utilities, state and local governments, and educational facilities, as well as emergency management (plans, exercises, etc.) and crisis communications across multiple sectors. She has managed and supported security and emergency management projects for utility clients across the country. Contact Sarah at SFuller@trccompanies.com.

Larry Fitzgerald

Larry Fitzgerald, CPTED, PSP, CPP, leads TRC’s national Security and Emergency Management Practice, where he has supported security for many different types of Critical Infrastructure, including dozens of utilities. He has assessed security, developed security master plans, security designs, and policies, and provided training and overall security consulting/strategy for clients nationwide. Contact Larry at LFitzgerald@trccompanies.com.
