FERC, NERC Conference Addresses Security Challenges

Little support for minimum security rules on critical facilities to protect against physical attacks.

Attendees at Thursday's conference in NERC's Atlanta headquarters. | © RTO Insider LLC

Aug 10, 2023 | Holden Mann

Panelists at a FERC-NERC technical conference said they oppose mandatory minimum security rules on critical facilities to protect against physical attacks.

ATLANTA — In his opening remarks at Thursday’s joint FERC–NERC technical conference on physical security, FERC Chair Willie Phillips reminded attendees that “it is not a matter of if, but when there is another attack” on North America’s electric infrastructure.

Phillips’ attendance at the conference, held in NERC’s headquarters in Atlanta, was intended to demonstrate the seriousness with which the commission takes the growing threat of violence against the grid. FERC and the ERO organized the technical conference following NERC’s April report on its physical security reliability standards and recent physical security incidents, including the Dec. 3 gunfire attack on two substations in North Carolina that left 45,000 customers without power for days. (See NERC Says Changes Coming to Physical Security Standards.)

“I thought that it was important that I be here to help kick things off, because I want to underscore a couple of things,” Phillips said to the audience. “One, how important this dialogue is; and [second], we can’t do this alone. NERC can’t do this alone. No one entity can do what we need to do to protect the integrity of the [grid] from physical security attacks. … That’s why we’re here today.”

The goal of the conference was to discuss potential improvements to NERC’s reliability standards — particularly CIP-014-3 (Physical security) — in addition to other actions that registered entities can take to improve grid security.

NERC CEO Jim Robb noted that more than 1,200 people were watching the meeting online, in addition to those in the room. He said the size of the audience showed “the breadth of interest, both in the topic and the importance of getting this right.” He emphasized that any grid security solution must take the reality of utilities’ limited resources into account.

“Nobody wants to have an entity have to construct Fort Knox around a bag of pennies,” Robb said. “At the same time, we also have to be cognizant about the difference between the money that we spend to protect versus the money we spend to be able to recover, and recover quickly. And I think, given the sprawling above-ground physical nature of the electric system, that’s a really important balance to keep in mind when we think about physical security of our infrastructure.”

Left to right: Matthew Fedor, FBI; NERC CEO Jim Robb; Bridget Bartol, DOE; FERC Chair Willie Phillips. | © RTO Insider LLC

Room for Improvement in Security Standard

In the first panel, speakers focused on CIP-014-3, which aims to “identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged [by] a physical attack could result in instability, uncontrolled separation or cascading within an interconnection.”

Jamie Calderon, a manager of standards development at NERC and contributor to the ERO’s April report on grid security, briefly described its conclusions. The report found that the standard’s applicability criteria are effective to “focus limited industry resources” on the most critical facilities and did not need to be expanded; however, the ERO also found that utilities’ approaches to some studies required by the standard are inconsistent because its wording is unclear.

Lawrence Fitzgerald, director of security and emergency management at engineering consultancy TRC, said that CIP-014-3 has “done a good job” identifying sites critical to grid security. However, he said the standard could be improved, asserting that some of its requirements seem to require utilities to certify the compliance of facilities that haven’t even been built yet.

“We get put in an awkward position for facilities, substations and control centers that are only on the drawing board. They don’t exist yet. It can’t cause a cascading outage,” Fitzgerald said. “But we’re being asked to … certify that everything’s copacetic and working well. I can’t do that if I don’t know what the connectivity between the substation and the monitoring center is, [or] if I can’t see a camera view or know how a facility is actually going to look on the ground.”

Mark Rice, senior power engineer at Pacific Northwest National Lab, observed that there is a longstanding divide between operational staff, who “care about the next 24 hours,” and those involved in planning who think “five, 10, or 15 years out.” He said “there probably needs to be a better conversation” between those who are responsible for evaluating risk at these different scales.

“I know [from] talking to some utilities at the transmission level, they have no clue what the load is, and they don’t know that it’s identified as critical to someone downstream,” Rice said. “And so we have to get that information into our systems or into our evaluations before I can do the next step of evaluating risk.”

Cool on Mandatory Minimums

Participants in the second panel discussed whether NERC should mandate minimum resiliency or security protections against physical attacks at critical facilities.

Jackie Flowers, director of Tacoma Public Utilities — which suffered a coordinated attack last December as two men damaged several substations as part of a robbery plot — expressed skepticism about establishing mandatory minimum protections. (See Wash. Sabotage Suspect Pleads Guilty.) She said resiliency would be better served by allowing utilities the flexibility to address the myriad different challenges that could apply at each site.

“We believe that a uniform, bright-line set of physical security measures is unlikely to offer as effective of an approach, because of the very site-specific conditions and varied risks that we have from infrastructure to infrastructure,” Flowers said. “So it’s very important that utilities are at the table and part of identifying what those risks are.”

Flowers’ fellow panelists agreed. Mike Melvin, director of corporate security and corporate and information security services at Exelon, emphasized that “you’re never going to get that risk [of physical attack] down to zero.”

Melvin pointed to the arrests earlier this year of neo-Nazi leader Brandon Russell and one of his followers for plotting to attack substations operated by Baltimore Gas and Electric (an Exelon subsidiary) in hopes of starting a race war. (See Feds Charge Two in Alleged Conspiracy to Attack BGE Grid.) He suggested that Russell’s plot, which was based on publicly available information on the utility’s facilities, showed that “where there’s readily [available] information out there, you can never pull it back in.”

Rather than mandatory minimum standards, the panelists suggested that robust information sharing networks, both among utilities and with law enforcement, are key to foiling physical attacks and sabotage before they escalate into disaster. Flowers endorsed the Electricity Information Sharing and Analysis Center as a way for utilities to update their peers on the latest physical and cyber security threats.

Left to right: Travis Moran, SERC; Jackie Flowers, Tacoma Public Utilities; Mike Melvin, Exelon; Kathy Judge, National Grid. | © RTO Insider LLC

Above and Beyond Reliability Standards

Panelists in the afternoon session — the theme of which was “Solutions Beyond CIP-014-3” — agreed the standard should be considered a baseline for physical security rather than an end goal in itself.

Scott Aaronson, a senior vice president at Edison Electric Institute, warned against a one-size-fits-all approach to physical security, noting that threat actors are increasingly sophisticated.

“I’ve said it before — you protect diamonds like diamonds and pencils like pencils, and what [are] the crown jewels [is] going to continue to change,” Aaronson said. “So I think open dialogue about understanding where those truly critical nodes reside, and how best to protect them and/or ensure redundance and resiliency and opportunity to recover is going to be key.”

Aaronson echoed earlier panelists’ calls for information sharing, while warning against letting that crucial data spread outside the industry. He raised the chilling prospect of a map of critical substations appearing “on the front page of The Wall Street Journal.”

Vinit Gupta, vice president at ITC Holdings, recommended holding regular penetration tests in which a third party attempts to break into a facility and cause simulated damage. He said that in one case, testers found several vulnerabilities at his company using techniques found in videos on YouTube, or cheap devices purchased on Amazon.

“You’d be surprised to see that you can buy a $10 device and do some of those [threatening] activities,” Gupta said. “So when we looked at some of the recommendations … that actually prompted us to reevaluate our approach, with physical access control systems and video monitoring systems. And we’re right now in the middle of replacing that and looking at where we go from here, because the threat landscape continues to change.”