Jim Robb, President and CEO, North American Electric Reliability Corporation
Good afternoon, Chairman and Commissioners. On behalf of NERC, I appreciate the opportunity to review NERC’s response to the Commission’s order directing a study of the CIP-014 physical security standard. Filed with the Commission last Friday, our study outlines actions to strengthen the physical security standard and foster robust stakeholder engagement to consider additional risk-based enhancements.
Let me begin by stressing that NERC fully shares the Commission’s deep concern for the recent increase in physical attacks on electricity infrastructure. There were almost 1,700 physical security incidents reported to the E-ISAC in 2022, an increase of 10.5% from 2021. Typical physical security incidents against the grid involve vandalism, tampering, arson, and ballistic damage.
Most of these do not result in grid impacts, but a trend toward more serious events occurred in 2022. And to cite several recent examples, in November of last year, there was a series of attacks at six different substations in Oregon and Washington State, five of which resulted in power disruptions. Shortly thereafter, on December 3rd, a ballistic attack against two substations in Moore County, North Carolina, targeted the substations’ transformer radiators and their circuit breakers. This resulted in the substations’ removal from service, forcing five additional undamaged substations to be powered down and resulted in outages for approximately 42,000 customers during a December cold spell. Last December, damage to two substations in the Seattle-Tacoma area resulted in outages during the Christmas holiday. These recent high-profile events are deeply concerning for their sophistication and effectiveness, even while noting that customer impacts were localized.
And in February, law enforcement effectively thwarted a plot by domestic extremists to attack five substations in the Baltimore area with an eye toward disrupting service to the majority of the city. These are sobering times indeed.
NERC has a front row seat to these kinds of security events through our operation of the Electricity-ISAC and our physical security team, and the role Manny Cancel and I play on the Electricity Subsector Coordinating Council. The ESCC convened shortly after the Moore County events to share insights and coordinate industry response. In January, we convened the ESCC leadership and decided to have the E-ISAC and industry trade associations collaborate to develop and share a physical security resource guide that detailed broader considerations in developing a physical security approach for all assets beyond those identified as critical by CIP-014.
Recognizing the increase in physical attacks and a need to evaluate adequacy of the physical security standard in the evolving risk environment, the Commission ordered NERC to conduct a study evaluating CIP-014. In my conversations with Commission leadership, I felt this was entirely appropriate, and I appreciate the Commission creating the needed focus to conduct such an assessment.
In its order, FERC directed NERC to address three questions:
- Are the applicability criteria of CIP-014 adequate?
- Is the risk assessment adequate, taking into account information gathered during compliance audits of the standard?
- Should a minimum level of physical protection be established for all BPS transmission stations and substations and primary control centers?
I believe these are important questions and I will address our findings against each in turn.
Concerning the first question, we found that the applicability criteria meet the objectives of CIP-014 and we do not recommend expansion of the CIP-014 applicability criteria at this time. CIP-014 was conceived to identify those critical assets that, if rendered inoperable, could result in instability, uncontrolled separation, or cascading system conditions. The criteria established by CIP-014 make the requirements applicable to the overwhelming majority of the 345 kV and all 500 kV substations. The analytics we have conducted and the data we have collected do not suggest additional assets beyond those already identified could result in the “evil three” outcomes CIP-014 was designed to protect against. This finding is buttressed by the work of one major multi-state utility system who shared with us that their assessment of all of their substations came to the same conclusion.
That said, we do think that it is possible that additional data and analysis could lead to a different conclusion and that more substation configurations could warrant assessment under CIP-014. We recommend that NERC work with Commission staff to hold a technical conference aimed at identifying if additional substations should be studied and establish data needs to determine whether they should be included in the applicability criteria.
Regarding the second question, our findings demonstrate that the objective of the CIP-014 risk assessment requirements remains appropriate. However, we believe additional specificity is needed concerning expectations for the risk assessment used to identify which of the subset of applicable substations should be deemed “critical” under the standard. Data from the compliance monitoring and enforcement program found inconsistent approaches to performing the risk assessment, especially as it relates to dynamic studies. In some instances, entities did not provide the technical studies expected nor adequate justification for study decisions, resulting in noncompliance. We believe inconsistent approaches to the risk assessment stem from a lack of specificity in the requirement language concerning the nature and parameters of the risk assessment. To address this, NERC will initiate a standards development project to provide additional clarity on the risk assessment and is starting to craft a Standard Authorization Request to that end.
On the third question, we are not recommending a common minimum level of physical security protections at this time. That does not mean that we are insensitive to the vulnerabilities inherent in the sprawling above-ground design of the electric grid nor to the fact that many substations are located outside of population centers, areas where there is substantial traffic and visibility.
However, we strongly recommend and believe in taking a risk-based approach. Physical security hardening of substations can be quite expensive (for example, even camera installations could easily run into hundreds of thousands of dollars) so it is important the risk abated is commensurate with the capital needed. Utilities have reported spending $10-15 million on substation security. Those substations outside of CIP-014 may create localized impacts if rendered inoperable but not the broad BPS events CIP-014 was designed to prevent. Further, the local/regional risk and resilience will differ substantially across the continent making an appropriate uniform standard difficult to establish. Finally, utilities will differ in the ability to isolate a damaged substation and restore service quickly through use of spares or even mobile substation equipment. We further note that as in many NERC standards, CIP-014 establishes a baseline requirement. Utilities can, in consultation with their cost recovery authorities, invest in additional protections designed to mitigate the local impact of physical attacks, if deemed warranted.
All that said, given the increase in physical security attacks on bulk power system substations, we think there is a need to further evaluate additional reliability, resiliency, and security measures designed to mitigate the risks associated with physical security attacks. As with our response to the first question regarding CIP-014 applicability, my team will work with Commission staff to hold a technical conference to further study appropriate levels of physical protections and other measures that could mitigate the impact of a physical attack. That assessment should be a risk-based approach to determine what level of investment would be appropriate based on local risk factors, regional system configuration, and the asset’s mean time to recover. The technical conference will gather additional data on protection, response, and resiliency measures and discuss whether they should be incorporated into reliability standards or guidelines, and, if so, the best way to do so.
We are confident the actions outlined in our report will help further secure critical bulk power system assets and ensure that the foundational protections of CIP-014 are keeping pace with a dynamic risk environment. You have my commitment we will act on these recommendations with due urgency and continue to reinforce that there are many ongoing activities that industry stakeholders should continue to pursue. To summarize a few:
- Law-enforcement and information sharing relationships are key and utilities should be proactive in building ties with local FBI field offices and local/state law enforcement. The Baltimore-area plot stresses the need for strong relationships with law enforcement at all levels, the intelligence community, and the E-ISAC.
- As noted earlier, industry should leverage the ESCC Resource Guide to implement best practices in risk assessment and mitigation.
- To enhance recovery options, more standardization of substations and critical equipment should be pursued.
- Finally, where feasible, looking for ways to reconfigure transmission systems to build a system that is inherently more resilient will reduce the number of critical assets and help engineer for security.
Again, Mr. Chairman and Commissioners, I appreciate the opportunity to discuss our report and its findings with you today. This concludes my presentation.