FERC on Tuesday rejected a complaint by security gadfly Michael Mabee alleging that NERC’s physical security standard is ineffectual and unenforced (EL20-21).
Mabee’s complaint alleged that reliability standard CIP-014-2 is “inadequate” and that enforcement “seems nonexistent” because few violations have been cited since it took effect in 2015.
The standard, prompted by the 2013 sniper attack on Pacific Gas and Electric’s Metcalf substation, requires the protection of transmission stations, substations and control centers that “if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation or cascading within an interconnection.”
The commission said it had already rejected many of the arguments Mabee made in Order 802, its 2014 ruling approving the first version of the physical security standard (CIP-014-1) and in its 2015 order denying rehearing. The complaint’s new arguments “are either unsupported or misapprehend the requirements” of the standard, FERC said.
Few Violations
Mabee contended that there had been only four violations cited while 245 physical attacks have been reported to the Department of Energy through its Form OE-417 Electric Emergency Incident and Disturbance Reports since the standard took effect.
The commission denied that the small number of violations is proof the standard is not being enforced, saying “it is equally plausible that the small number of violations could be attributed to industry compliance.”
It said the higher number of Form OE-417 filings was not persuasive because “there is no evidence how many of these attacks, if any, were against critical facilities” subject to the standard.
“NERC’s comments also indicate that, as of January 31, 2020, there have been 16 (not four) instances of noncompliance … and that NERC and the regional entities are currently reviewing other instances.”
Coordinated Attacks, Generation
Mabee said the standard is lacking because it does not require registered entities to identify critical facilities based on a coordinated attack of multiple facilities and does not apply to generator owners and operators or smaller transmission lines.
In its order denying rehearing, the commission said by “protecting individual critical facilities, responsible entities will necessarily protect critical facilities against simultaneous attacks.”
Regarding suggestions to expand the scope of covered facilities to include those not individually critical, FERC said, “We are not prepared to do so at this early stage of industry experience with the new requirements.”
The commission said Mabee’s complaint “does not provide any new basis for expanding the scope.”
FERC previously had rejected calls to include generator owners and operators under the standard, saying “a generation facility does not have the same critical functionality as certain transmission stations and transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid and planned resilience of the transmission system to react to the loss of a generation facility.”
Mabee said the standard’s requirement that registered entities obtain third-party verification of their protections could allow collusion. A transmission owner performing a third-party review could “go easy” on another TO in return for reciprocal treatment, he alleged.
“But the complaint offers no evidence that registered entities have engaged, or intend to engage, in bad faith,” FERC said. “We find no reason to conclude that registered entities will abuse this process. Moreover, a sham verification would not benefit the registered entity because … even if a registered entity’s list of critical facilities is verified by a third-party,” the entities could face penalties from NERC for noncompliance.
“While registered entities must address third-party recommendations, Order No. 802 made clear that regional entities, NERC and the commission retain regulatory oversight.”
Effectiveness of Protections
Mabee’s complaint contended that the standard does not require that physical security plans be effective or spell out what the plans should include. The commission said the claim ignores Requirement R5, “which identifies mandatory attributes that must be present in physical security plans” and says that physical security plans must have “[r]esiliency or security measures designed collectively to deter, detect, delay, assess, communicate and respond to potential physical threats and vulnerabilities identified” by the entity’s security evaluation.
He also contended that it does not require updates to vulnerability evaluations and security plans. FERC said although the standard doesn’t require updates to the threat and vulnerability evaluations on a periodic basis, it does require entities “to evaluate evolving physical threats.”
The Edison Electric Institute, National Rural Electric Cooperative Association (NRECA), American Public Power Association (APPA), Transmission Access Policy Study Group (TAPS) and Large Public Power Council (LPPC) were among those who opposed the complaint.
Mabee was supported by several individuals, the Secure the Grid Coalition, the Task Force on National and Homeland Security, the Town of Mount Vernon and the Foundation for Resilient Societies.