New regulations put utilities on the clock for physical security improvements
By Mickey McCarter, Security Industry Association
Around 1 a.m. on the morning of April 16, 2013, unknown gunmen attacked an electric substation near San Jose, Calif.
For about 19 minutes, attackers fired more than 100 rounds into electricity infrastructure equipment owned and operated by Pacific Gas and Electric at the Metcalf power transmission station. The attack resulted in hundreds of thousands of dollars of damage. Although 17 transformers were hit, the attackers were gone by the time police arrived, and no suspects were ever identified.
As a direct result of the attack, the Federal Energy Regulatory Commission (FERC) undertook the creation of mandatory regulation for the most critical substations in the electric sector. FERC is projected to publish the final rule in late 2014, setting in motion security upgrades intended to prevent such an attack from occurring again.
The electric grid already had a great deal of redundancy built into it as well as some precautions to mitigate such damage, said Brian Harrell, director of the Electricity Sector Information Sharing and Analysis Center, North American Electric Reliability Corp. (NERC), during a webcast presented by the Security Industry Association.
“It is very important to note that there was absolutely no electricity lost that day,” Harrell said. “That speaks to the significant resiliency of the bulk power system. We are very segmented, and we have the ability to reroute power.” Though similar attacks could cause pockets of outages, he explained the overall integrity of the power system would remain intact.
Grid sees new physical security standards and requirements
Consultant Bradley Schreiber, president of Homeland Security Solutions, described the requirements as outlined in FERC CIP-014, suggesting they will spark the adoption of new identification technologies across the electricity sector.
First, owners and operators of electric utilities will identify critical transmission stations and substations as well as control centers. Consideration must be given to stations and substations that “if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation or cascading within an interconnection.” Affected control centers will include those that operate those specific stations and substations. After identification of these critical facilities, an unaffiliated third party must verify the selections.
Once operators are informed that they manage a primary control center, they must evaluate the potential threats and vulnerabilities of a physical attack. Then, they must develop and implement physical security plans to protect those targets. Another third-party review then follows to determine gaps in the physical security plans.
NERC is organized nationally in eight regions, employing a total of 63 critical infrastructure auditors. Under FERC CIP-014, NERC auditors would visit utilities every one to three years to ensure compliance with the standards. They already do so under earlier guidance from FERC CIP-006, which sets physical security standards for critical cyberassets.
Ensuring compliance with the new standard will require more auditors and physical security expertise within NERC. Schreiber predicts that former military, law enforcement and intelligence personnel will move into the electric sector to meet the demand. “A lot of utilities already have these professionals, but I think you’ll see a lot more pop up over the next year,” he said.
Timeline for implementation
The U.S. electric grid consists of more than 55,000 transmission substations of 100 kV or higher, but the final FERC rule will be mandatory for fewer than 500 of these. Although only a small subset will be required to comply with the rule, Harrell suggests it will bring the conversation to the forefront and lead others to invest in physical security measures whether required to do so or not.
“To get an entire industry to wrap its head around a concept and have agreement by and large across the sector was a significant lift,” he said.
A directive on the physical security standards under FERC CIP-014 was submitted to NERC in March, and the approach for development of physical security plans was approved by industry in May. FERC published its notice of proposed rulemaking in July. NERC anticipates a final order in November or December, said Harrell, who was a member of the eight-person drafting team for the standard.
The clock will start running for electric utilities upon publication of the final FERC rule, said David Batz, director of cyber and infrastructure security at the Edison Electric Institute. The membership of the institute, which represents electric utility owners and operators, is responsible for delivery of 70% of the electricity in the United States, from generation to transmission and distribution.
Those companies and others will have 180 days to identify their affected facilities and then another 90 days to gain third-party verification of those facilities. Over the next 120-180 days, utilities will have to produce threat analysis and security plans for their facilities. Then they have 90 days to again gain third-party verification of those plans. Sixty days later, utilities must begin implementation of their physical security plans.
Batz estimated completion of final threat analysis and security plans sometime between July and September 2016.
Utilities tend to be conservative when buying equipment to support their physical security plans, Batz said. “They don’t want to purchase and install a product that doesn’t have a track record,” he said.
Manufacturers must demonstrate that their products can meet the needs of the utilities — perhaps by withstanding challenging climates or working with low-bandwidth communications for remote substations — and be able to speak to how they have performed in other sectors and at other installations, Batz explained.
The FERC standard provides utilities with flexibility in the development of their physical security plans. This is important because every station will require something different to fulfill the requirements of its unique physical security plan, said Harrell. “There is no such thing as a cookie cutter substation — each has individual and specific challenges,” he warned.
NERC looks at recommendations for compliance with the FERC standards as an exercise in protecting people, the industry’s most critical asset. Powerful security technologies are available, including live video surveillance with intrusion deterrent technologies, limited-access smart locks and access card systems, and employee screening for insider threats, as well as other countermeasures, Harrell said.
Electric utilities already have ideas as to what works and what doesn’t as well as how much physical security measures can cost.
NERC previously published guidance for the development of physical security plans through its Critical Infrastructure Protection Committee and has held training exercises known as GridEx, which simulated breaches at power plants where attackers used improvised explosive devices.
Utilities will rely on these experiences and others to request funding to cover their physical security plans, said Batz. They will go before a state public service commission, or in the case of municipalities, they would go before the local governing body to make a case for rate increases, he said. “There will need to be regulatory approval for investments made in this space,” he added.
In general, regulators have been very supportive, but they may become concerned when incremental investments lead to higher utility bills for consumers. “It’s going to be a company-led effort versus a publicly funded effort,” Schreiber said. “There is no pool of money they are going to be able to draw from to do these major enhancements.”
Companies interested in learning more about this topic can contact Elizabeth Hunger, manager of government relations at the Security Industry Association, at [email protected].