Reacting to recent sabotage events, FERC ordered NERC Thursday to report within 120 days on the effectiveness of its existing physical security reliability standards and determine whether improvements are needed (RD23-2).
The commission acted in response to the Dec. 3 gunfire attack on two Duke Energy (NYSE:DUK) substations in North Carolina, which left 45,000 customers without power for as long as four days. Shots also were fired near Duke’s Wateree Hydro Station in Ridgeway, S.C., last week. (See Duke Completes Power Restoration After NC Substation Attack.)
“In light of the increasing number of recent reports of physical attacks on our nation’s infrastructure, it is important that we fully and clearly review the effectiveness of our existing physical security standard to determine whether additional improvements are necessary to safeguard the bulk power system,” FERC Chairman Richard Glick said.
FERC’s existing physical security reliability standard (CIP-014-3), approved in 2014, requires transmission owners to perform periodic risk assessments to identify transmission stations and substations whose loss or damage could result in instability, uncontrolled separation or cascading outages. The standard also applies to primary control centers overseeing such facilities.
Transmission owners and operators must evaluate potential vulnerabilities of a physical attack to each of those assets and develop and implement physical security plans to protect them. It requires TOs to have an unaffiliated third party verify the risk assessments and security plans.
The commission directed NERC to assess the effectiveness of the current standard in light of the recent attacks, including evaluations of the adequacy of the applicability criteria and required risk assessments. NERC also must determine whether a minimum level of physical security protections should be required for all BPS transmission stations, substations and primary control centers.
Glick said the North Carolina attacks, and news reports of incidents in the Northwest and elsewhere, “reminds us that we need to take physical security into account just like cybersecurity.”
“We don’t want to get out in front of the FBI [which is investigating the North Carolina incident] and we don’t know exactly what [the attackers’] motives were or what or what actually happened. … But in the meantime, I think it’s a good idea … to reassess our existing security standards, and whether changes need to be made.”
Glick also noted that some incidents occur at electric facilities below the bulk power system, which are subject to state regulation. “So we need to work with our state colleagues as well to make sure that we’re prepared; they’re prepared; and we all do as much as we can to make sure that the grid is as secure as possible.”
Commissioner Mark Christie said common distribution transformers are “vulnerable to a drunk with a gun and an attitude and … we have a lot of incidents of that. [The loss of a transformer] knocks out a block or two — a substation, several tens of thousands of people.”
Christie said he expects NERC to recommend upgrades to the standard, such as requiring high-definition cameras at substations. “That’s gonna be really costly,” he said, adding that he hoped the Department of Energy will provide support from the $15 billion in grid resilience funding from the Infrastructure Investment and Jobs Act.
“I hope this does not flow through to ratepayers,” he said.