The American Public Power Association and several other trade groups recently voiced support for recommendations included in a North American Electric Reliability Corporation physical security reliability standards study.
The recommendations in the NERC report appropriately reflect a risk-based approach to physical security of the bulk power system, while offering reasonable suggestions for further action or analysis on certain specific issues, including a Commission technical conference, and clarification of the risk assessment requirement in Reliability Standard CIP-014, the groups said in their May 15 comments.
Joining APPA in the comments were the Edison Electric Institute, Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group.
The report was filed by NERC on April 14, 2023 in response to a December 2022 Commission order.
“With Trade Association members having been the target of recent attacks, all members are acutely aware of the physical threats posed to the grid,” the groups said. “Effective protective measures are indeed necessary, and the Trade Associations’ members are taking those measures.”
The groups noted, however, the particular challenge of developing and implementing a reliability standard that addresses the highly varied physical and electrical characteristics of the facilities that comprise the BPS.
“As currently conceived, CIP-014 appropriately reflects this reality. CIP-014 applies only to a well-defined set of transmission facilities and associated control centers that are likely to be critical to BPS reliability,” APPA and the other groups said.
They agree with NERC’s conclusion that the current CIP-014 framework remains appropriate. “Reasonably, CIP-014 does not cover all facilities nor seek to mitigate all threats and vulnerabilities to facilities in the BPS. Instead, the risk-based approach responds to reasonably assessed risks to the BPS, while weighing the cost of what otherwise might be an infinite number of measures that responsible entities might take to mitigate physical security risks.”
The groups specifically agree with NERC’s conclusion that CIP-014’s applicability criteria are adequate to identify the subset of “critical” transmission facilities that should be assessed, and with NERC’s recommendation that the CIP-014 applicability criteria not be changed at this time.
The groups also support NERC’s recommendation to establish a technical conference to examine:
The type of substation configurations that should be studied to determine whether any additional substations should be included in CIP-014’s applicability criteria in the future, and
Whether a particular combination of reliability, resiliency, and security measures could be effective in mitigating the impact of physical security attacks.
On the question whether a minimum level of physical security protection is needed, the groups said they agree with NERC that a uniform, bright-line minimum level of security protections would be counterproductive.
APPA and the other groups “also recognize that a technical conference enabling stakeholders to engage in discussions on this matter and to exchange ideas on how to address evolving threats and security risks would be quite valuable,” they told FERC.
The groups said they also understand the thinking behind NERC’s intent to initiate a standard authorization request to examine risk assessment methodologies under CIP-014, the cases employed in assessing risk and to clarify required documentation and the treatment of adjacent substations of differing ownership within line of sight of each other.