On April 16, 2013, an incident in San Jose,
California, led to development of a new physical
security standard for owners and operators of
transmission stations and substations.
In the 2013 incident, a sniper attack on a Pacific
Gas & Electric transmission substation knocked out
17 large transformers that powered Silicon Valley.
The sniper attack served as a dramatic wake-up call
for the industry and raised fears regarding the
vulnerability of the nation's power grid to
terrorist attack.
The more than 160,000 transmission line miles that
comprise the U.S. power grid are designed to handle
natural and man-made disasters, as well as
fluctuations in demand; but what about physical
attack?
As a result of the San Jose assault, the Federal
Energy Regulatory Commission (FERC) in April 2014
required the North America Energy Reliability
Corporation (NERC) to establish Critical
Infrastructure Protection (CIP) standards to
'address physical security risks and vulnerabilities
related to the reliable operation' of the bulk power
system.
NERC developed and issued what is now commonly
referred to as CIP-014-1. This is a physical
security standard that has a stated purpose to
identify and protect transmissions stations and
transmission substations and their associated
primary control centers thatÑif rendered inoperable
or damaged as a result of a physical attackÑcould
result in uncontrolled separation or cascading
within an interconnection.
CIP-014-1 has essentially two major components, each
with three specific requirements. The first major
component is applicability and the second is
security. Here's a breakdown of what every utility
should know about the requirements of CIP-014-1.
Applicability:
Requirements 1-3
R1: The primary purpose of the first requirement is
to determine if your particular transmission
stations and/or transmission substations are covered
by the standard. The R1 process requires an initial
risk assessment and subsequent risks assessments of
your transmission stations and transmissions
substations to ascertain if they meet the criteria
specified in the Applicability Section 4.1.1. In
addition, the transmission owner must identify the
primary control center that operationally controls
each transmission station or transmission substation
during the R1 risk assessment.
R2: The second part of the standard requires each
transmission owner to have an unaffiliated third
party verify the risk assessment performed under
requirement R1. An unaffiliated third party in this
context is considered to be someone outside the
corporate structure.
R3: The third requirement involves notification of
control center operators of the primary control
centers identified in the R1 assessment.
Security: Requirements
4-6
R4: For those locations identified in the R1, R2
and R3 process, owners are required to conduct an
evaluation of the potential threats and
vulnerabilities of a physical attack on their
location. The assessment is required to include
unique characteristics (e.g. terrain, crime
statistics, weather), prior history of attack on
similar facilities, and intelligence or threat
warnings.
R5: This step requires developing, and eventually
implementing, a documented security plan that
addresses each of the impacted locations identified
as a result of the R4 assessment and their
identified threats and vulnerabilities. The
essential elements of the plan must be inclusive of:
* Resiliency or security measures designed
collectively to deter, detect, delay, assess,
communicate, and respond to identified potential
physical threats and vulnerabilities;
* Contact and coordination with law enforcement;
* A timeline for executing the physical security
enhancements or modifications; and,
* Provisions for evaluating evolving physical
threats and any necessary corresponding security
measures.
R6: The final step requires the engagement of a
'qualified, unaffiliated third party' to review the
evaluation performed under R4 and the security plan
developed under R5 to make a professional judgment
of the assessment.
In addition to the
summary above, other requirements of which utility
owners should be aware include:
* Owners must put in place non-disclosure
procedures to protect sensitive or confidential
information from public disclosure.
* This is not a 'one time deal.' Subsequent risk
assessments are required under the standard to
maintain physical security of transmission stations
and substations in the future.
* Engagement of unaffiliated third parties is not
limited to R2 and R6; third parties may be engaged
throughout the process to ensure compliance with the
new standard. Whether you use a third party only as
required or in every step of the process, the
earlier that party is engaged, the more likely it is
that thorough, practicable and cost-effective
solutions can be found.
Standard CIP-014-1 can be read in its entirety on
the NERC website at:
http://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-014-1.pdf.
Utility owners who understand and act quickly to
comply with the new standard will not only safeguard
themselves from future penalties for non-compliance
but also safeguard our nation's critical electrical
infrastructure from the potentially catastrophic
consequences of physical attack.
About the Author
William E. Reiter II is a Certified Protection
Professional (CPP) and vice president of security
operations for Telgian Corporation, a full-service
global engineering and risk consultancy specializing
in complex, multi-discipline public and private
sector projects.
http://www.telgian.com/
Copyright © 1996-2015 by
CyberTech,
Inc.
All rights reserved.
To subscribe or visit go to:
http://www.energycentral.com
To subscribe or visit go to:
http://www.energybiz.com
http://www.energybiz.com/article/15/02/what-every-utility-should-know-about-new-physical-security-standard