WASHINGTON — The sixth meeting of FERC’s Joint Federal-State Task Force on Transmission, held Wednesday, looked into how the grid can be better protected against physical attacks, which have been on the rise recently.
“There are well over 50,000 high-voltage substations across North America, and more than that if you include those that only support the distribution system,” NERC CEO Jim Robb said at the meeting, held concurrently with the National Association of Regulatory Utility Commissioners’ Winter Policy Forum. “That’s a tremendous amount of infrastructure to think through how to protect responsibly, and to really think through the tradeoffs that need to be made between risk and consequence and the investments that you make between protection and prevention, versus response and recovery.”
Protecting all of those assets is not feasible, as it would cost far too much, but not every substation is a critical asset that needs high levels of security, Robb said.
Even most incidents at substations would not qualify as attacks, with “criminal mischief” — in which people steal copper or vandalize substations — being much more common than occurrences like the attacks in North Carolina and Washington state and the foiled plot in Baltimore.
“But over the last six to nine months, we’ve seen more and more attacks, which would exceed the threshold of criminal mischief and really rise to the level of sabotage,” said Robb.
The increased concern over the rise in attacks is appropriate, but Robb said that only 5% of incidents at substations actually impact the grid, either by causing some customers to lose power, or by putting the system into a contingency operation mode.
CIP-014 (Physical security) was issued after the Metcalf Substation attack in Silicon Valley a decade ago. Its purpose is to ensure that physical attacks on substations did not lead to major, cascading outages on the grid, and so it focuses on substations with more power flows, at 345 kV and above, said Robb.
“While many substations may not need to be technically CIP-014-compliant, their owners may very well build in protections because it’s the right thing to do,” he added. “The utility sector generally leans in very, very hard on security matters, whether physical or cyber, to protect their assets and their ability to serve their customers.”
One idea for updating CIP-014 might be to focus on the possibility of coordinated attacks on multiple substations, said Robb. It could also shift from focusing on preventing cascading outages to preventing any outages at all, he added.
Puesh Kumar, director of the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, told the task force that the law enforcement community is very focused on the issue, as he is regularly meeting with the FBI and the Department of Justice.
“When we think of the law enforcement angle, that again doesn’t need to just be at the FBI level,” Kumar said. “We need to make sure that we have local law enforcement; we have state law enforcement also engaged in this conversation and really recognizing and appreciating the criticality of the electricity infrastructure across the country.”
Broad Solutions Save Money
With tens of thousands of physical sites requiring protection around the country, along with the need to protect the grid against cyber-attacks and extreme weather, it is important to focus on solutions that cut the risk across the board, Kumar said.
“How are we investing in tools and technologies that can also help us buy down the risk?” Kumar said. “It’s not just the standard that buys down risk; there’s a lot of other ways and tools and technology as part of the puzzle that we have to be thinking about.”
The biggest threat from a single-asset perspective is electric power transformers, which are just part of a substation’s equipment and thus could benefit from increased protections compared to other assets, PPL Electric Utilities Chief Information and Digital Officer Matthew Green told a panel at the NARUC summit earlier in the day. The risk around transformers can also be mitigated by ensuring the industry has enough backup equipment to replace anything that is damaged.
While physical attacks are a concern and a priority for PPL that is being addressed by prudently investing to protect the riskiest assets, it is not Green’s main worry.
“I’m actually more concerned around cybersecurity attacks,” Green said. “And, actually, in 2022 the single biggest contributor to outages for customers in United States continues to be weather-related outages. So that is also still a top concern.”
Investments to prevent outages from those causes need to be made prudently, after an accurate assessment of the relevant risks, he added.
The U.S. grid is decentralized, which means attacks on individual assets are unlikely to really have a major impact reliability across the board, said Kansas Corporation Commissioner Andrew French. But coordinated attacks are an increasing concern, so French asked Robb what the best strategy to address those would be.
One way of complying with CIP-014 is to remove any kind of critical substations from a utility’s network, which can happen in the process of normal grid planning or in coming back after a storm.
“I would love to see that number continue to decline, as we can build more and more redundancy into the system and less dependence on a subset of the assets around the grid,” Robb said.
Beyond that, coming up with a strategy to deal with the risk of coordinated attacks is tricky because it is not financially feasible to harden every grid asset out there. Having backup equipment available to minimize any downtime would help.
“One of the issues that’s vexing the industry right now, with all the supply chain challenges that we have, is that a lot of this equipment isn’t standardized,” Robb said. “So, I think that’s an opportunity as we as we move forward.”
Changes Needed for CIP-014?
Michigan Public Service Commission Chair Dan Scripps said it makes sense that CIP-014 is site-specific, but he asked whether it would also be prudent to have some kind of minimum level of protection spelled out in the standard.
The standard is fairly new, Robb said, so the industry has less experience from which it can draw best practices, but minimum standards are one of the updates that should be considered.
“There’s nothing that would prevent a state from imposing its own security requirements on any of these assets,” Robb said. “So, if to the extent that any of you feel that the NERC standards don’t go far enough to protect the systems under your jurisdiction from issues that you’re concerned about, you can always go further.”
Physical is usually an afterthought when it comes to planning the grid, but acting FERC Chairman Willie Phillips argued it would make sense to change that.
“If we consider it on the front end, I think we do have an opportunity to do something about what can be a very costly process,” Phillips said.
PJM has a process in which it works to minimize the number of critical infrastructure sites on its grid through planning, Phillips said, and that could work well elsewhere, as long as information on sensitive sites is handled correctly.
Connecticut Public Utilities Regulatory Authority Chair Marissa Gillett said that it might make sense to deal with physical security issues in the transmission planning process, but she worried that it would give the industry another excuse to shut out the states from the process in ISO-NE.
“I just think we need to be cognizant of some of the challenges around them,” Gillett said. “Especially because of that tension … between wanting to have openness while needing to respect the concerns about disclosing too much about physical security threats.”