The organization in charge of setting and enforcing reliability standards for the U.S. electric grid isn’t recommending new physical security requirements for thousands of electric substations following a rash of shooting attacks that have knocked out power in parts of several states.
Jim Robb, CEO of the North American Electric Reliability Corporation, told the Federal Energy Regulatory Commission Thursday that cost was a major concern.
“We’re not recommending a common minimum level of physical security protections at this time,” Robb said, adding that NERC was aware of the vulnerability of substations and other electric transmission infrastructure, particularly in remote areas. “Physical security hardening of substations can be extraordinarily expensive. For example, something as simple as a camera installation could easily run into hundreds of thousands of dollars per substation.”
He added that “it’s important that the risk abated is commensurate with the capital required.”
Following gunfire attacks on substations last year in Moore County, N.C., Ohio, the Pacific Northwest and elsewhere, the commission tasked NERC with reviewing existing rules, which only currently apply to electric infrastructure, that, if knocked out, would pose a hazard to the broader bulk power system.
The current regulation, known as the CIP-014 Reliability Standard, which came into being in 2014 after a sniper attack on a California substation, “was conceived to identify those critical assets that if rendered inoperable could result in what we call the ‘evil three,’ ” Robb said. Those are instability, uncontrolled separation and cascading outages, the successive loss of elements on the electric system that results in widespread service interruption.
Many substations, like the ones targeted in Moore County, North Carolina, don’t meet that threshold, but damaging them can still result in a loss of power for thousands.
“These recent high-profile events are deeply concerning for their sophistication and effectiveness even while noting that the customer impacts were localized,” Robb said, referencing the planned neo-Nazi attack the FBI says it foiled in Maryland earlier this year. “These are sobering times indeed for the electric grid.”
However, NERC also didn’t recommend extending the applicability criteria under the existing regulations to other, less crucial substations, finding that the rule “appropriately focuses limited industry resources on risks to the reliable operation of the (bulk power system) associated with physical security incidents at the most critical facilities.”
The organization said it would hold a technical conference with FERC to determine whether any additional substations should be included in the criteria.
“NERC recommends further evaluation of the appropriate combination of reliability, resiliency, and security measures that would be effective in helping to mitigate the impact of physical security attacks,” the group’s report says. The review did find that the language in the requirements should be “refined” so that owners of substations that do meet the threshold for the security standards conduct effective risk assessments.
“In certain instances, registered entities failed to provide sufficient technical studies or justification for study decisions resulting in noncompliance. NERC finds that the inconsistent approach to performing the risk assessment is largely due to a lack of specificity in the requirement language,” the report says.
FERC Chairman Willie Phillips called the report “a good start” and said the commission staff would work on putting together the technical conference.
“There is no greater priority for me and for this commission than making sure that we protect the security of our electric grid,” Phillips said.
A NERC spokeswoman said that while the commission cannot create a security standard or tell NERC how to write one, “they do have the authority to order us to establish a new standard or modify an existing one.”
Robb added that NERC sets baseline standards and that utilities, working with their regulators, can “invest in additional protections.”