There are no unimportant North American Electric Reliability Corporation (NERC) reliability standards, but from time to time, NERC and the Regional Entities (Regions) place greater emphasis on certain reliability standards in response to events affecting the grid. With headline-grabbing physical attacks on power substations across the country in recent months, one of NERC’s greatest current priorities is evaluating the effectiveness of its physical security standards, most notably CIP-014.
Registered Entities, which are required to comply with the reliability standards, should monitor NERC and the Regions’ standards development projects for potential new and revised reliability standards focused on physical security. Utilities should also assume that physical security will be more highly scrutinized during compliance enforcement and audit engagements.
Risk to the Electric Grid
There have been more than 100 reported incidents of attacks and suspicious activities at US power substations in the last year. Although the recent attacks have affected only a relatively small percentage of the 75,000-plus substations in the country, the number and frequency of attacks represent a substantial increase over prior years.
Reports on the attacks identify the crimes as ranging from vandalism to terrorism. However, the motivation behind most of these attacks is unclear. Nevertheless, the energy industry is on heightened alert due to the risk to its facilities’ operations and the overall bulk power system (BPS). Some attacks, for example, have led to the loss of power for thousands of customers, and FERC has long been concerned that the execution of multiple coordinated attacks to disable major transmission substations could cause cascading blackouts.
FERC’s Response to Attacks
Almost a decade ago, FERC directed NERC to develop and implement a physical security reliability standard on an expedited basis in response to notable attacks at the time—primarily the “Metcalf incident,” named for the California substation that was affected. The resulting standard, CIP-014, was quickly developed and approved, and has not received significant revisions in the intervening years.
On December 15, 2022, FERC directed NERC to study the continued effectiveness of the CIP-014 reliability standard for physical security of the BPS and determine whether the standard needs improvement. FERC explained that the directive is directly in response to the recent physical attacks on electric infrastructure.
NERC was directed to evaluate the applicability criteria in the reliability standard, the required risk assessment set forth in the reliability standard, and whether a minimal baseline level of physical security protections should be required for all BPS stations, substations, and associated primary control centers. NERC has 120 days to submit a report on the effectiveness of the reliability standard.
Typically, additions or changes to the reliability standards take multiple years; a reliability standard must complete the drafting and balloting process and then be approved by FERC. However, given FERC’s recent directive, changes to the CIP-014 reliability standard, if deemed necessary, may be expedited to better protect the BPS from attacks. Registered Entities should monitor the standards development process at a minimum, and consider engaging in the commenting and balloting process, to ensure they are able to quickly adapt to potentially new reliability requirements.
In addition, we expect that CIP-014 will receive increased attention in audits of reliability standards compliance. This increase will be driven, in part, by the Electric Reliability Organization–endorsed CMEP practice guide issued in early 2022 and revised in September 2022. Unlike implementation guidance intended to provide examples to Registered Entities of how to comply with a reliability standard, the CMEP practice guide instructs CMEP staff how to execute compliance monitoring and enforcement activities and sets significant bright-line criteria for measuring compliance, potentially beyond the language of the reliability standard itself.
Utilities should prepare in advance for audits expected to include CIP-014 and ensure they can demonstrate compliance with all physical security requirements, particularly those of the CIP-014 reliability standard, with an eye to the CMEP practice guide. Early preparation also gives Registered Entities opportunities to self-report instances of potential noncompliance in advance of audits, which may mitigate potential penalties.