Last Friday, the North American Electric Reliability Corporation (NERC) submitted for approval by the Federal Energy Regulatory Commission (FERC), in Docket No. RM14-15, a proposed new physical reliability standard. The proposed new standard is intended to comply with FERC’s March 7, 2014 order directing NERC to propose one or more reliability standards to require certain entities to “take steps or demonstrate that they have taken steps to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power System.”
Proposed Reliability Standard CIP-014-1 – Physical Security
Proposed Reliability Standard CIP-014-1 would require transmission owners and operators to protect critical transmission stations and substations and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an interconnection. Specifically:
- Requirement R1 requires applicable transmission owners1 to perform risk assessments on a periodic basis to identify their transmission stations and substations that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or cascading within an interconnection. The transmission owner must then identify the primary control center that operationally controls each of the identified transmission stations or substations. Subsequent risk assessments must be performed:
- At least once every 30 calendar months for a transmission owner that has identified in its previous risk assessment one or more transmission stations or substations that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or cascading within an interconnection; or
- At least once every 60 calendar months for a transmission owner that has not identified in its previous risk assessment any transmission stations or substations that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or cascading within an interconnection.
- Requirement R2 provides that each applicable transmission owner shall have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. The transmission owner must either modify its identification of facilities consistent with the verifier’s recommendation or document the technical basis for not doing so.
- Requirement R3 requires the transmission owner to notify a transmission operator that operationally controls a primary control center identified under Requirement R1 of such identification. This requirement helps ensure that such a transmission operator has notice of the identification so that it may timely fulfill its resulting obligations under Requirements R4 and R5 to protect that primary control center.
- Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of its respective transmission station(s), substation(s), and primary control center(s) identified in Requirement R1, as verified under Requirement R2. The evaluation shall consider the following:
- Unique characteristics of the transmission station(s), substation(s), and primary control center(s);
- Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and
- Intelligence or threat warnings received from sources such as law enforcement, the Electric Reliability Organization, the Electricity Sector Information Sharing and Analysis Center, U.S. federal and/or Canadian governmental agencies, or their successors.
- Requirement R5 requires each transmission owner and transmission operator to develop and implement a documented physical security plan that covers each of its respective transmission stations, substations, and primary control centers identified in Requirement R1, as verified under Requirement R2. The physical security plan(s) shall include the following attributes:
- Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4. These measures could include, for example: (i) modifications to system topology, (ii) the construction of a new transmission station or substation that would lessen the criticality of the facility, (iii) providing for access to spare or replacement equipment.
- Law enforcement contact and coordination information.
- A timeline for executing the physical security enhancements and modifications specified in the physical security plan.
- Provisions to evaluate evolving physical threats, and their corresponding security measures, to the transmission station(s), substation(s), or primary control center(s). An entity's physical security plan should include processes and responsibilities for obtaining and handling alerts, intelligence, and threat warnings from various sources
- Requirement R6 provides that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. The transmission owner and transmission operator must either modify its evaluation and security plan consistent with the recommendation of the reviewer or document its reasons for not doing so.
The proposed new standard also creates an affirmative obligation on each transmission owner and transmission operator to implement procedures for protecting sensitive or confidential information made available to the unaffiliated third party reviewer and to protect sensitive or confidential information from public disclosure. Procedures for protecting confidential information may include, among other things: (1) the control and retention of information at the applicable entity’s facility for third party verifiers/reviewers; (2) restricting information to only those employees that need to know such information for purposes of carrying out their job functions; (3) marking all relevant documents as confidential; (4) securely storing and destroying information, both physical and electronically; and (5) requiring senior manager sign-off prior to releasing any sensitive or confidential information to an outside entity.
Proposed Implementation Plan
The proposed implementation plan would require transmission owners to complete their initial risk assessments on or before the effective date of the proposed new standard. NERC has requested that FERC approve the proposed new standard to become effective on the first day of the first calendar quarter that is six months after Commission approval.
If approved by FERC, the proposed new standard would hold transmission owners and operators potentially accountable if physical security measures later viewed as inadequate were to contribute to widespread instability, uncontrolled separation, or cascading within an interconnection. Transmission owners and operators will want to carefully document compliance with the standard and prudent evaluation of the full range of options available to reduce physical threats, including the construction of new assets that would lessen the criticality of any one facility. Entities with stated transmission rates (rather than formula rates) also may want to consider regulatory strategies to ensure full recovery of prudent costs incurred to comply with the new standard, including the costs of third party verifiers.
1 The proposed standard applies only to those transmission owners that own a transmission station or substation that meets the description of “Medium Impact” Transmission Facilities listed in Attachment 1 of Reliability Standard CIP-002-5.1. NERC expects that a number of transmission owners required to perform risk assessments under Requirement R1 will not identify any transmission stations or substations that, if damaged or rendered inoperable as a result of physical attack, pose a risk of widespread instability, uncontrolled separation, or cascading within an interconnection. Nevertheless, NERC and the standard drafting team concluded that using the “Medium Impact” criteria was a prudent approach to balancing the need for a reliability standard that is broad enough to capture all critical transmission stations and substations while narrowing the scope of the reliability standard so as not to unnecessarily include entities that do not own or operate such critical facilities.