Utilities Await New Physical Security Standard
U.S. regulator takes next step in approving physical security standard
BY PHILL FELTHAM, Editor-in-Chief
Electricity Today Magazine
Recently, the Federal Energy Regulatory Commission (FERC) announced a proposal to approve the physical security reliability standard (CIP-014-1), submitted by the North American Electric Reliability Corporation (NERC) earlier in the year. This physical security standard is currently being developed in response to an armed assault that occurred on a California substation in early 2013.
Initially, FERC determined that NERC’s current critical infrastructure protection (CIP) standards lacked specifics for entities to “reasonably protect” their infrastructure against physical attacks that could adversely affect power grid reliability. As a result, FERC requested NERC to develop and submit new standards that, according to a news release, “identify critical facilities; evaluate potential threats to, and vulnerabilities of, those facilities; and develop and implement a security plan to protect against attacks on those facilities”.
Approval of the new reliability standard is pending, based on two further modifications. Firstly, FERC is proposing that NERC develop a modification that specifically allows the energy regulator or other governmental authorities to add or subtract facilities from the utility’s list of critical facilities. Secondly, FERC wants NERC to change certain phrases in order to help narrow the scope and number of identified critical facilities. Currently, FERC is awaiting feedback on both proposed modifications.
The new proposed physical security standard was drafted in response to the 2013 sniper attack in California that knocked out Pacific Gas & Electric Company’s Metcalf power substation southeast of San Jose. Communication cables were severed and many transformers and circuit breakers suffered severe damage (17 transformers were knocked out of commission). This attack was a game changer for how utilities view physical security at substations.
According to the Wall Street Journal, a FERC analysis unavailable to the public stated that the U.S. could suffer power outages coast to coast if nine main substations were knocked out simultaneously. Recovery from such an event might prove challenging since large transformers are custom-made for specific locations. These large transformers can take at least a year to build and install, prolonging recovery.
EXPLORING MICROGRIDS
The attack at the California substation has home and business owners exploring other power options such as microgrids. Navigant Research reports that the cost of microgrid projects is expected to skyrocket to $19.9 billion in 2020, a drastic increase from the $4.3 billion spent in 2013.
Microgrids have grown in popularity for a number of reasons. Vulnerabilities in the bulk power grid such as increased number of outages and blackouts due to extreme weather events, aging infrastructure, and acts of terrorism have prompted home and business owners to explore the option of becoming a stand-alone power entity.
THE BOTTOM LiNE
Jon Wellinghoff, former Federal Regulatory Commissioner, told the Wall Street Journal that the attack on the Metcalf power substation was “the most significant incident of domestic terrorism involving the grid that has ever occurred” in the United States.
This chilling fact has electric utilities rethinking their physical security approaches. The Heritage Foundation pointed out in a recent grid cybersecurity report that utilities are more than capable of developing new strategies. Physical threats have been on the electric utility’s radar since the power grid’s inception.
Currently, electric utilities have tools such as Smart Grid technologies available to protect their assets. However, these grid-enhancing applications provide a number of cybersecurity risks of their own that utilities will have to address as well. Improved coordination among utilities could help in handling attacks, but that, too, is a challenge.
NERC’s physical security standard will definitely provide some industry guidance and assistance for utilities. However, whether or not it provides any real security improvements is yet to be proven and is an editorial for a later time.