In proposing to approve NERC’s new Physical Security Reliability Standard, FERC also seeks the ability to identify facilities that must be protected.
On July 17, the Federal Energy Regulatory Commission (FERC) proposed to approve a new mandatory reliability standard that would require electric utilities to protect their transmission facilities and control centers against physical threats. Although FERC did not take issue with most of the language in the CIP-014-1 standard proposed by the North American Electric Reliability Corporation (NERC), FERC did express concern over the ability of utilities to identify their own critical facilities, even when that determination is subject to third-party review. To address that concern, FERC proposed to direct NERC to modify the standard so that FERC, or other appropriate federal agencies, could direct electric utilities to add facilities to their list of facilities that need physical security protections.
As proposed by NERC, CIP-014-1 has six core requirements:
- Requirement R1 requires Transmission Owners of certain categories of transmission facilities to perform risk assessments to identify the substations that “if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or cascading within an Interconnection.” Transmission Owners must also identify the control centers for those critical facilities.
- Requirement R2 requires that the risk assessments be verified by unaffiliated and qualified third parties.
- Requirement R3 directs Transmission Owners to notify the Transmission Operators of the identified critical control centers that their control centers are responsible for critical transmission facilities.
- Requirement R4 requires Transmission Owners and Transmission Operators of critical facilities to perform threat assessments to identify the physical threats to their facilities and any vulnerabilities.
- Requirement R5 directs Transmission Owners and Transmission Operators of critical facilities to develop and implement physical security plans to address the threats and vulnerabilities they have identified.
- Requirement R6 requires that an unaffiliated, qualified third party review the threat assessments and physical security plans.
FERC proposed to approve the standard, along with its associated implementation plan and effective date, but also proposed to direct NERC to modify the standard to address what FERC sees as a limitation on its ability to add to the list of critical facilities requiring physical protections. Although FERC noted that it does not foresee using such authority often, it does need the option to do so. FERC explained that the ability to bring an enforcement action against a utility for an insufficient risk assessment does not ensure timely corrections to protect against security threats. This is similar to FERC’s long-standing concern in the cybersecurity context that permitting utilities to identify the facilities and assets that they consider critical could lead to under-identification, and therefore lack of protection, for assets essential to system reliability.
FERC also requested comment on a number of other topics, including the following:
- Whether “widespread” should be removed from the risk assessment definition, which, as proposed by NERC, refers to “widespread instability, uncontrolled separation, or cascading within an Interconnection”
- Whether NERC should perform an analysis and submit an informational filing to explain whether all transmission control centers considered High Impact under CIP-002-5.1 should be per se subject to CIP-014-1
- Whether there are concerns about the reliability impact from the omission of generator owned or operated substations from the scope of CIP-014-1
- Whether the proposed standard’s requirement that utilities provide a written, technical justification for rejecting recommendations made by third-party reviewers is appropriate and sufficient
- Whether NERC should be required to submit an informational report on the resiliency of the bulk-power system when critical facilities are lost
Comments on FERC’s proposal are due 45 days after publication in the Federal Register. Reply comments will be due 15 days later.