Expert Discussions and Key Takeaways Focus on Physical Security
On August 10, 2023, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) conducted a day-long Technical Conference to identify potential improvements to the NERC CIP-014-3 Physical Security standard. The Technical Conference involving expert panelists from government, utilities and other related organizations is a result of a FERC Order issued in December of 2022 directing NERC to prepare and submit a report on the effectiveness of the current CIP-014-3 standard while considering the increasing level of physical attacks on utility facilities.
NERC submitted its report on the effectiveness of CIP-014 on April 14, 2023, noting that improvements were needed but that for the most part the standard achieves its purpose of protection of key Facilities necessary to avoid widespread Bulk Electric System adverse outcomes due to physical attacks.
Key Technical Conference Takeaways
Many security details were discussed via these four industry expert panels:
Applicability of the CIP Standard – Panelists made suggestions regarding CIP-014-3 applicability provisions and their ability to identify the correct Facilities requiring physical security protection plans. Discussions included:
- The potential addition of more Facilities to be covered under the standards.
- The need for criteria to identify the risks from multiple simultaneous physical attacks on transmission lines and substations.
- How to identify what levels of load loss (due to undervoltage load shedding and stability loss) should be considered when identifying the facilities to be protected with physical security plans.
- The amount of load loss that requires scrutiny for security breach events is likely dependent on the operational area where the entity operates.
- The need for this operating area context and whether facilities that perform physical security monitoring functions (that are not currently explicitly subject to CIP-014-3) should be considered for inclusion in the applicability provisions of CIP-014-3 as well.
- The need for a performance-based approach to verifying security system performance for future standard enhancement.
Minimum Level of Protection – Panelists discussed specific attacks and the motivations of threat actors. Discussions included:
- The reliability goal of the standard and whether there should be a mandatory minimum resiliency and security protection program for all power system facilities.
- The design basis threat development using threat intelligence process as a possible mechanism, with examples such as the advent of drones.
- Whether information protection should be considered to limit the availability of facility location data.
- Risk based approaches to identify facilities and how to tailor security plans and how to best allocate resources for physical security.
- The importance of flexible processes and security plans focused on Detection, Assessment, and Response to simultaneously address affordability for electricity consumers. A major challenge for utilities and regulators alike is preparing for the potential to have multi-site attacks with the possibility to have a more widespread impact to the BES and impact transmission costs. It was mentioned that we cannot protect against everything, so what is prudent was discussed.
Solutions – Panelists identified best practices for prevention, deterring, protection, response and recovery from physical security attacks. Key points and solutions discussed included:
- Effective restoration and resilient communications are needed for resilience and
- The spare equipment process, including modular mobile spare transformers with a three-day installation time to augment existing spare equipment programs.
- The threat landscape includes the rise of domestic extremists and ballistic attacks. Utilities are installing more ballistic protection and other solutions (early detection for example) to keep focused on protection, resilience, and recovery.
- UAV (drone) threats are an evolving concern.
- Penetration tests are part of the learning process to strengthen physical security plans prevention and resilience.
- The NATF worked with EPRI to define the term resilience and sponsors annual Resilience Summits to identify leading practices for the benefit of the industry.
- There are many benefits to implementing training exercises and drills using physical attack scenarios.
- Improvements in information sharing processes is ongoing.
Grid Planning to Respond to and Recover from Physical and Cyber Threats – Panelists reviewed planning practices related to responses and recovery from physical and cyber security threats. Discussions included:
- Identification of practical obstacles to developing and implementing response plans instead of security hardening plans.
- How best to integrate security with traditional planning and engineering practices.
- Planning process changes can reduce exposure for load serving, generation producing facility losses and the criteria for deciding on removing facilities from a given company’s CIP-014 list.
- A key concept gaining traction is to add a P8 contingency to the TPL-001 standard for an extreme contingency condition which may or may not be initiated by a physical attack.
- How to best determine when to mitigate the risk of a critical station physical security risk through transmission design or to protect that substation.
- Balancing the likelihood of a physical attack and the system performance expected after that event is a challenge.
The information shared and documented during the Technical Conference will be used to inform the review of the CIP-014-3 standard that is currently underway to identify implement improvements to the standard. In its decisions FERC has noted that certain improvements are needed considering the various physical attached on Bulk Electric and other lower-level utility facilities that have resulted in customer outages recently.
TRC recommends utility physical security compliance subject matter experts note the Technical Conference discussion and view the recording of that event and the discussion points which emanated from the experts on each panel.
- Joint Technical Conference Regarding Physical Security of the Bulk-Power System
- FERC Order Directing CIP-014-3 Effectiveness Report – December 15, 2022
- NERC Report on the Effectiveness of CIP-014-3
- TRC Security Services
- TRC Physical and Cybersecurity Specialized Consulting
Your Trusted Regulatory Advisor
TRC closely follows the national and state regulatory trends in all regions of North America. Our approach to power system security, engineering, planning, design, construction and commissioning testing, balances solutions that incorporate industry reliability risk trends, mandatory reliability standard requirements, regulatory guidance, compliance obligations, best practices, operational goals and budgets. With expertise in power system security, engineering, planning and operations, TRC supports public utilities and private energy providers in their efforts to stay ahead of the curve and to meet or exceed regulatory requirements as they evolve.
TRC is committed to supporting the reliability and security goals for the bulk power system. We actively monitor CIP standards including participating in panels and writing comments. Recently, our author, Larry Fitzgerald participated in the Joint FERC-NERC Physical Security Technical Conference to support both FERC’s and NERC’s on-going efforts to better understand physical security challenges related to the bulk power system.
This regulatory update is provided as a service to TRC’s utility clients, helping to keep you informed of forward-looking issues that will impact your company’s electric system reliability risks along with related topics regarding regulatory developments to help you achieve your company’s business goals.
Larry Fitzgerald at LFitzgerald@TRCcompanines.com
(Larry was a Panelist in the CIP-014 Technical Conference)