The North American Electric Reliability Corporation (NERC) has proposed guidelines to improve the physical security of the power grid. NERC is the regulatory authority that works to ensure the reliability of North America’s bulk power system. NERC’s Physical Security Reliability Standard (CIP-014-1) was submitted this week for consideration by the Federal Energy Regulatory Commission (FERC).
On March 7, 2014, the Commission issued a Physical Security Order that gave NERC 90 days to draft reliability standards that address physical security risks and vulnerabilities. The proposed standard would require owners and operators of critical power facilities to identify and protect those locations that would result in widespread outages if damaged by physical attack.
The Commission suggested that owners and operators should take at least three steps:
- “Perform a risk assessment of their systems to identify their ‘critical facilities.’”
- “Evaluate the potential threats and vulnerabilities to those identified critical facilities.”
- “Develop and implement a security plan designed to protect against attacks based on the assessment of the potential threats and vulnerabilities to their physical security.”
NERC’s proposed CIP-014-1 standard responded by outlining six requirements for transmission stations, transmission substations and their associated primary control centers. These include:
- Owners must perform risk assessments on a periodic basis to identify their critical transmission stations and substations as well as the primary control center for each.
- An unaffiliated third party must verify the risk assessment performed above.
- Transmission owners must notify any transmission operator that operationally controls a primary control center identified under Requirement R1 of that identification and the obligations that result from it.
- Transmission owners and operators must conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each identified critical facility.
- Transmission owners and operators must develop and implement a documented physical security plan that covers each of their identified critical facilities.
- An unaffiliated third party must review the physical security plan developed by the owner and operator.
Key to the requirements is the physical security plan that must be developed for each facility. While the standard gives no specific directives on which technologies or systems to deploy, it will likely prompt a review of PACS/LACS and identity management systems across the power grid. It does establish that the security plan should include:
- Security measures designed collectively to deter, detect, delay, assess, communicate and respond to the potential physical threats and vulnerabilities identified in the evaluation.
- Law enforcement contact and coordination information.
- Timeline for executing the physical security enhancements and modifications specified in the physical security plan.
- Provisions to evaluate evolving physical threats and corresponding security measures.
The standard specifically lists security measures such as security guards, video cameras, fences and ballistic protection. It seems likely that the intent also encompasses other critical PACS technologies and components, identity management and credentialing solutions, visitor management solutions and more.