Insights from the FERC/NERC Physical Security Technical Conference

The reliability and security of the bulk power system (BPS) is of paramount importance toensure the stable and efficient supply of electricity across North America.

With the increasing prevalence of physical attacks on substations, industry leaders, regulatory authorities, and stakeholders gathered at a Physical Security Technical Conference hosted by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) at NERC’s Atlanta Office on August 10, 2023. This hybrid meeting brought together experts from various realms, both in person and through virtual participation, to deliberate over the efficacy of the Critical Infrastructure Protection (CIP) Standard CIP-014 and potential avenues for enhancing the physical security of critical substations.

CIP-014 Reliability Standard: Safeguarding Critical Substations

The primary objective of CIP-014 is to safeguard critical substations and their associated primary control centers against physical attacks that could trigger instability, uncontrolled separation, or cascading effects within the Interconnection. This standard mandates Transmission Owners (TOs) and Transmission Operators (TOPs) to conduct periodic risk assessments on their substations to identify “critical” ones that, if compromised, could lead to disruptions in BPS reliability. Identified critical substations are required to have a documented physical security plan in place to mitigate identified potential risks.

FERC Directive and NERC Response: A Comprehensive Study

In response to the rising frequency of physical attacks on substations, FERC issued a directive on December 15, 2022, instructing NERC to assess the effectiveness of CIP-014-3 in mitigating risks posed by physical attacks. NERC’s comprehensive study evaluated various aspects of the standard, including its applicability criteria, the effectiveness of risk assessment, and the potential need for a baseline level of physical security measures for all BPS substations and primary control centers.

In NERC’s response, conclusions and outlined strategic actions to enhance CIP-014-3 were provided. The conclusions included an analysis of the applicability criteria, refinement of risk assessment language, and the evaluation of mitigation measures. These conclusions served as the foundation for discussions at the FERC/NERC Physical Security Technical Conference.

Insights from the Technical Conference

The conference was structured around four panels that delved into crucial aspects of enhancing physical security for critical substations. These panels focused respectively on applicability, the minimum level of physical protection, best practices and operational preparedness, and grid planning for response and recovery from both physical and cyber security threats.

Applicability Panel: Striking the Balance Between Scope and Precision

Panel discussions on applicability revolved around the adequacy of the existing criteria for identifying critical substations. While some voices advocated for a broader inclusion of substations, the prevailing sentiment aligned with NERC’s assessment. This assessment underlines that the current criteria effectively encompass the most critical substations. Suggestions to integrate other standards, such as TPL-001, and the contemplation of coordinated attacks triggered invaluable discourse. Acknowledging the potential for gaps in the current criteria, the panel recognized the need for further deliberations to refine and optimize the applicability criteria.

Minimum Level of Physical Protection Panel: Tailored Approach

The second panel unanimously dismissed the notion of mandating a uniform minimum level of physical protection for all Bulk Electric System (BES) substations. Panelists underscored the intricate and cost-intensive nature of such an endeavor. Instead, they rallied for a risk-based approach tailored to the unique characteristics of each substation. The significance of collaboration with Public Utility Commissions (PUCs) and law enforcement agencies to secure funding and support was emphasized. Furthermore, the role of legislation in deterring physical attacks emerged as a noteworthy theme.

Best Practices and Operational Preparedness Panel: Forward-Thinking Strategies

The third panel stressed the importance of embedding physical security considerations in the very fabric of substation design. This approach streamlines processes and reduces costs. The panel championed the prominence of recovery planning, advocating for comprehensive plans that span short, medium, and long-term horizons. The role of risk evaluation, ranking frameworks, and proactive engagement with law enforcement agencies gained prominence as essential strategies.

Grid Planning Panel: A Holistic Approach

The final panel delved into the intricacies of comprehensive planning for responding to, and recovering from, physical and cyber security incidents. Discourses spanned reducing the number of critical substations, integrating physical security into planning, addressing the evolving challenges posed by behind-the-meter generation, and navigating the evolving resource mix. The panel emphasized an inclusive approach, highlighting the need for a comprehensive strategy that integrates both physical and cyber security measures.

A Path Forward and Concluding Reflections

The conference concluded with FERC announcing an upcoming commenting period to gather public feedback on the discussions and insights presented during the event. Key takeaways included the industry’s proactive efforts to enhance physical security, the importance of collaboration between federal and state entities, and the integration of security and resiliency into future grid planning.

The FERC/NERC Physical Security Technical Conference served as a platform for industry leaders and stakeholders to engage in meaningful discussions on enhancing the physical security of critical substations. The insights shared during the conference will undoubtedly shape the future direction of regulatory standards, industry practices, and collaborative efforts aimed at safeguarding the reliability and security of the BPS.

As the energy landscape continues to evolve, the commitment to physical security remains steadfast, with FERC staff reiterating that security is job number one at the commission. Through collective efforts and ongoing collaboration, the industry is poised to enhance its preparedness and resilience in the face of potential physical security threats to critical substations and the broader BPS.

– Sam Zewdie, Principal Compliance Engineer, MRO