In every part of our lives, we’re reminded how interconnected our world has become. We are plugged into a world of possibilities, and we benefit through increased capabilities and efficiencies. This includes our energy infrastructure.
This interconnectivity, however, also introduces vulnerabilities to the grid. It’s for this reason the Federal Energy Regulatory Commission (FERC) approved the critical infrastructure protection (CIP) standard for physical security measures (CIP-014) from the North American Electric Reliability Corporation (NERC).
This standard addresses critical transmission stations and substations (along with their associated primary control centers) that, if rendered inoperable or damaged as a result of a physical attack, could result in instability, uncontrolled separation, or a cascading effect within an interconnection.[1]
While the standard has been in place for nearly two years, there are plenty of questions that remain unanswered, according to Rachel St. John, global key account manager at Bosch Security Systems. “This is the first time a physical security mandate has been handed down for utilities and there are very few specifics on how the mandate should be followed,” she says.
Beyond confusion about the wording used in the standard, much of the uncertainty concerns how to satisfy its six requirements, or steps. Generally, these requirements are to:
- Perform an initial risk assessment and subsequent risk assessments.
- Have an unaffiliated third party verify each risk assessment.
- Notify owners of primary control centers identified by the assessments as being critical.
- Evaluate the potential threats and vulnerabilities of a physical attack to each identified station, substation and control center.
- Develop and implement a documented physical security plan(s) that covers these locations.
- Have an unaffiliated third party review the evaluation performed under the fourth requirement and the security plan(s) developed under the fifth requirement.
But what should the risk assessment include? How extensive should the security plan be and what should it look like?
“Some utilities are ahead of the game, with top-of-the-line physical security measures in place,” St. John points out. “But many don’t know where to start.”
Her advice includes remembering that utilities are experts at transmitting power, not at physical security. To get the best handle on that aspect, she adds, it’s best for utilities to enlist the help of professional consultants.
While CIP-014 deals specifically with physical security, St. John brings up the point that many of today's physical security measures (cameras, access control, intrusion detection) are themselves networked as part of a larger computer network. This raises a host of other issues, including whether the cost to upgrade physical security systems might be covered, in part, by a utility's IT department. It also affects how physical security relates to cybersecurity, which the other CIP standards address; of these, CIP-006 (physical security of BES cyber systems) and CIP-007 (system security management) are the ones most directly relevant to networked physical security equipment.
Is This Being Addressed?
“As it stands today, all of the CIP standards, with the exception of CIP-014, promote cybersecurity in one way or another,” says Jon Kerner, partner and IT practice lead at ScottMadden, Inc. “While the industry agrees the cybersecurity of physical assets is important, it is unclear whether any changes would come as a revision to CIP-014 or in the form of their own complementary CIP standard (in a similar fashion to CIP-006 and CIP-007).”
With so many questions yet unanswered, it’s more important than ever for utilities to stay vigilant and enlist help.
“The industry has long been aware of the need for robust security measures to ensure the electric grid remains operational and stable despite attacks by outside threats,” says Kerner. “While the reach of CIP-014 may still have room to grow, the standard is an important step that ensures plans and procedures are in place to safeguard the infrastructure most critical to electric system stability.”