The North American Electric Reliability Corporation on April 14 filed a report with the Federal Energy Regulatory Commission that analyzed the effectiveness of the existing NERC reliability standard addressing physical security of the bulk power system, Critical Infrastructure Protection reliability standard CIP-014.
FERC directed the report in a December 15, 2022 order, which called for NERC to study the applicability criteria of the standard and the adequacy of the risk assessment and to assess whether a minimum level of physical security protections should be established for all bulk power system transmission stations, substations, and primary control centers.
“This evaluation was important given the heightened physical security threat environment and the high-profile attacks which occurred in the fourth quarter of 2022. Our study outlines actions to strengthen the physical security standard and foster robust stakeholder engagement to consider additional risk-based enhancements,” said Jim Robb, NERC president and CEO, in a statement.
“Following recent events, industry and the E-ISAC developed and shared a physical security resource guide that detailed broader considerations in developing a physical security approach for all assets beyond those identified as critical by CIP-014. The actions outlined in our report will help further secure critical bulk power system assets and ensure the foundational protections of CIP-014 are keeping pace with a dynamic risk environment.”
Among the findings and follow-up actions outlined in the report is that NERC does not recommend expansion of the CIP-014 applicability criteria.
NERC said it will work with FERC staff to hold a technical conference to evaluate whether additional substation configurations should be included in the existing criteria.
Based on available data, NERC found no evidence that expansion of the criteria would identify additional substations as critical. Its review does suggest that additional data and analysis are needed on whether additional substation configurations warrant assessment under CIP-014.
A technical conference will identify which substations should be studied and establish data needs on a periodic basis to determine whether they should be included in the applicability criteria, NERC said.
The report found that the objective of the CIP-014 risk assessment requirement is appropriate, but should be refined to help ensure the assessments are performed consistently and with the appropriate technical rigor. To promote consistency, NERC will initiate a standards development project to clarify risk assessment expectations, including for dynamic studies.
While NERC is not recommending a common minimum level of physical security protections, NERC finds that, given the increase in physical security attacks on bulk power system substations, there is a need to evaluate additional reliability, resiliency, and security measures designed to mitigate the risks associated with those physical security attacks.
NERC said it will work with FERC staff to hold a technical conference to further study appropriate levels of physical protections.
NERC said it advocates taking a risk-based approach to determine what level of investment would be appropriate based on local risk factors, regional system configuration, and the asset’s mean time to recover.
The technical conference will gather additional data on protection, response, and resiliency measures and discuss whether and how they could be appropriately incorporated into reliability standards or guidelines.