On March 7, the Federal Energy Regulatory Commission (FERC) ordered the North American Electric Reliability Corporation (NERC) to develop and submit for approval within 90 days new reliability standards to address physical security at critical facilities (Reliability Standards for Physical Security Measures, Docket No. RD14-6-000). The new standards will require owners and operators of Bulk Power System assets to perform a three-step process to identify critical facilities, assess physical security threats and vulnerabilities risks to such facilities, and implement appropriate security plans. At each of the three steps in the process, owners and operators will be required to obtain third-party verification and review.
Background on the March 7 Order
In response to a series of press interviews in February with Jon Wellinghoff, in which the former FERC Chairman discussed details of an attack last April on transformers at the Metcalf substation in California, Senators Wyden, Reid, Feinstein, and Franken began to question whether the electric grid is adequately protected against physical attacks (see the February 7 letter to FERC and NERC).
While FERC took no immediate regulatory action in response to the Metcalf incident, acting FERC Chairman Cheryl LaFleur quickly responded to the increased media attention and public concern. The March 7 FERC order directs NERC to develop additional reliability standards “to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power System.”
Key Elements of the March 7 Order
The order requires NERC to submit reliability standards that establish a three-step process for identifying and protecting critical assets from physical attacks.
First, owners and operators will be required to perform a risk assessment of assets within their control to determine which of their facilities are “critical facilities.” The order defines a critical facility as “one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.” Critical facilities are those that could cause instability, uncontrolled separation, or cascading failures if damaged or rendered inoperable. FERC states that the initial risk assessments should consider grid resiliency issues, including the length of time needed for repair or replacement of certain transformers and the sophistication of recovery plans and inventory management.
Once critical facilities have been identified, the second step is to evaluate potential threats and vulnerabilities to these facilities. The third and final step will require owners and operators to develop and implement a security plan to provide an “adequate” level of protection against the identified threats.
The new standards will also require owners and operators to obtain third-party review and verification of their critical facility assessments, vulnerability assessments, and security plans. The order states that NERC, the relevant regional entity, a reliability coordinator, or another entity with appropriate expertise may be designated to provide this review. Both FERC and the evaluating entity will be able to add or remove facilities from an owner or operator’s list of critical facilities. Owners and operators also will also be required to periodically reevaluate their assessments and implementation plans.
Implications for the Power Sector
The expedited 90-day deadline for NERC to submit new reliability standards will likely require NERC to invoke its “Rule 321” procedures, under which the NERC Board of Trustees may short-cut the otherwise lengthy standards development process (which normally involves the formation of a standard drafting team and one or more rounds of stakeholder balloting).
The order provides little detail as to what kind of assessments FERC expects entities to use to determine which facilities are “critical” for purposes of the compliance with the new physical security requirements in the order. For example, it is not clear whether the process for identifying “critical facilities” in the new order will match or differ from the high, medium, and low impact asset identification process required by Version 5 of the Critical Infrastructure Protection (CIP) reliability standards.
The order also does not address the fundamental question of what measures will constitute an “adequate level of protection” against potential threats and vulnerabilities to identified critical facilities. Because of the 90-day deadline to develop and submit new reliability standards to FERC, it is doubtful that NERC will be able to craft specific performance-based guidelines that include clear operational and actionable definitions of what physical security protection measures will be deemed “adequate.”
Once it develops the initial standards, NERC must submit the standards to FERC, along with an implementation plan. FERC will typically propose to either approve or modify the proposed standards and implementation plan. After allowing for public comment, FERC will issue a final order approving the new standards and implementation plan or directing NERC to make further modifications.
For assistance or additional information, please contact Andrew Art
at (202) 298-1817. Described by Chambers USA as “the best energy boutique in the USA,” and with one of the largest electric practices in the country, Van Ness Feldman counsels, advises and trains a wide range of clients on reliability matters. Subscribe to our free Electric Reliability Update: Reliability@vnf.com
and follow us on Twitter @VanNessFeldman and @VNFELECTRIC.