FERC Directs NERC to Present Security Report in Response to Physical Attacks on the Electric Grid
On December 15, 2022, FERC issued an order[1] directing the North American Electric Reliability Corporation ("NERC") to study the efficacy of its physical security reliability standard in light of a rash of recent physical attacks on electric infrastructure that resulted in thousands of customer outages and related damages, including the December 3, 2022, physical attack on two substations in Moore County, North Carolina.[2] Attacks at substations in the Pacific Northwest in November 2022 also resulted in customer outages.
Specifically, FERC directed NERC to conduct a study evaluating: (1) the applicability criteria set forth in the Physical Security Reliability Standard CIP-014-3 ("Physical Security Reliability Standard"); (2) the required risk assessment set forth in the Physical Security Reliability Standard; and (3) whether a minimum level of physical security protections should be required for all Bulk-Power System ("BPS") transmission stations and substations and primary control centers. FERC believes that an updated assessment of the effectiveness of the Physical Security Reliability Standard is necessary to protect the BPS against physical threats like the recent attacks.
The Currently Effective Physical Security Reliability Standard
Applicability
FERC stated that the purpose of the currently effective version of the Physical Security Reliability Standard is to "identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation or Cascading within an interconnection."[3] The current Physical Security Reliability Standard applies to transmission owners that own a transmission station or substation that meets the following criteria: (1) transmission facilities that are operated at 500 kV or higher; (2) transmission facilities that are operated between 200 kV and 499 kV at a single station or substation where the station or substation is connected at 200 kV or higher voltages to three or more other transmission stations or substations and that exceed an "aggregated weighted value" as defined in the standard; (3) transmission facilities at a single station or substation location that are identified by their reliability coordinator, planning coordinator, or transmission planner as critical to the derivation of interconnection reliability operating limits and their associated contingencies; and (4) transmission facilities identified as essential to meeting nuclear plant interface requirements.[4]
Current Requirements
The Physical Security Reliability Standard currently requires:
- transmission owners to perform risk assessments on a periodic basis to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in instability, uncontrolled separation, or cascading within an interconnection, as well as the primary control centers that operationally control each transmission substation;[5]
- the transmission owner to have an unaffiliated third party verify the risk assessment;[6] and
- entities to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each transmission station, substation, and control center identified in the risk assessment, followed by the development of a documented physical security plan.[7]
The FERC Order
In the Order, FERC highlighted a number of areas related to the Physical Security Reliability Standard that NERC should assess. In particular, FERC directed NERC to:
- examine the "applicability" criteria of the Physical Security Reliability Standard to determine whether additional BPS transmission stations and substations and primary control centers should be subject to requirements to perform risk assessments as set forth in the Physical Security Reliability Standard;[8]
- assess the adequacy of the required risk assessment;[9]
- assess whether additional criteria or parameters (e.g., requiring stability analysis) should be added to the required risk assessment to ensure greater consistency among transmission owner risk assessments, and whether further refinement could result in a more methodical and accurate approach to identifying the transmission stations and substations and primary control centers that should be subject to physical security plans;[10] and
- examine whether a minimum level of physical security protections should be required for all BPS transmission stations and substations and primary control centers.
Compliance
FERC directed NERC to submit a report to the Commission on the study's findings and recommendations by April 14, 2023, within 120 days of the issuance of the Order.[11]
FERC's directive in the Order follows NERC's own efforts to assess enhanced security risks (both physical and cyber) to the BPS related to the introduction of new electric technologies and resources entering the electricity markets, particularly distributed energy resources. NERC issued a "Security Integration Strategy"[12] in December 2022 that identifies enhanced security risks associated with the changing electric resource mix and sets out its strategy to integrate cyber and physical security aspects into conventional planning, design, and operations engineering practices.
NERC confronts numerous challenges in assessing and helping to maintain BPS reliability in the face of heightened physical and cyber-attack risks. One such challenge is the protracted nature of developing or modifying reliability standards to address those risks in an integrated fashion. Indeed, FERC's departing Chairman recently stated that Congressional action is needed to provide FERC with the authority to address grid security in emergency situations involving physical threats to infrastructure.[13] It remains to be seen how NERC reconciles FERC's directive, NERC's own findings, and the need to protect the physical and cyber integrity of the nation's BPS in a rapidly changing landscape of resource development and threats.
[1] Order Directing Report, Docket No. RD23-2-000 (December 15, 2022) 181 FERC ¶ 61,230 (the "Order").
[2] Order at 6.
[3] Id. at 4.
[4] Id.
[5] Id. at 5.
[6] Id.
[7] Id. Both the evaluation and physical security plan are subject to an unaffiliated third-party review.
[8] Currently, the only instruction regarding the risk assessment is that it shall consist of an analysis "designed to identify the transmission stations or transmission Substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection." Id. at 7.
[9] Id.
[10] Id.
[11] Id. at 8.
[12] NERC "Security Integration Strategy" – Ensuring Security of the Bulk Power System through Cyber and Physical Security Integration into Planning, Design, and Operational Engineering Practices (December 2022).
[13] Tom Tiernan, Congress should boost FERC authority on grid emergencies, Glick says, Megawatt Daily, Dec. 27, 2022, at 4.