Read New Topics

Blog single

NERC CIP-014 R2 – Third Party Verification – Part 3 of 7

The vulnerability of our nation’s power grid to cyber and physical attack has been well known to industry insiders for some time. However, public consciousness is a different story. The media coverage of terrorist threats that assault one’s sensibilities on a daily basis can numb awareness to less sensationalist, but equally life-threatening, risks to non-human assets. However, the public’s perception and awareness of the risk to its safety through cyber or physical attacks to our nations power grid, is rapidly changing.

On March 24, 2015, USA Today ran a lengthy, front page article by Steve Reilly entitled: One is Too Much, covering the critical risk to the nation’s power grid. According to federal government records unearthed by Mr. Reilly, the US government acknowledges that there is an attack, either physical or cyber, on the nations power grid, once every four days! Due to the interconnectedness of the nation’s power infrastructure, a localized attack on a specific substation can “cascade” its way through the entire network with catastrophic and geographically widespread consequences. Describing the present risk situation and the systems (or lack thereof) to protect the power grid, the article uses dire language such as: “game changer,” “badly broken,” “one is too many”, and so forth.

In mid-2014, the culmination of several years of effort by the Federal Energy Regulatory Commission (FERC) resulted in a mandate to the North American Electric Reliability Corporation (NERC) to come up with industry-wide standards of security compliance to address this vulnerability. The result was the Critical Infrastructure Protection (CIP) standard for cyber security known as NERC CIP-014. It consists of six specific sub-sections, R1-R6.

NERC CIP-014 R2 deals with compliance, and is a very significant element of the standard. For the first time in the industry, NERC CIP-014 conformity requires objective, third-party evaluation of the vulnerability assessment and protocols for that transmission owners may have in place in their stations and substations. NERC CIP-014 R1 requires a vulnerability and risk assessment of electric substations. NERC CIP-014 R2 requires that each transmission owner have an unaffiliated third party verify the risk assessment performed under the NERC CIP-014 R1 standard. The verification may occur concurrent with or after the risk assessment performed under the R1 requirement.

The independent third party, must be either:

  • A registered planning coordinator, transmission planner, or reliability coordinator; or
  • An entity that has transmission planning or analysis experience.


The unaffiliated verifying entity shall either verify the transmission owner’s risk assessment performed under Requirement R1, or recommend the addition or deletion of a transmission station(s) or transmission substation(s). The transmission owner must ensure the verification is completed within 90 calendar days following the completion of the NERC CIP-014 R1 risk assessment. If the unaffiliated verifying entity recommends that the transmission owner add a transmission station(s) or transmission substation(s) to, or remove a transmission station(s) or transmission substation(s) from its identification under NERC CIP-014 R1, the transmission owner shall either, within 60 calendar days of completion of the verification, for each recommended addition or removal of a transmission station or transmission substation:

  • Modify its identification under NERC CIP-014 R1 consistent with the recommendation; or
  • Document the technical basis for not modifying the identification in accordance with the recommendation.
  • Each transmission owner must implement procedures (such as the use of non-disclosure agreements) for protecting sensitive or confidential information exchanged with the unaffiliated verifying entity.


The “teeth” of the accountability metric, its firm deadlines, and the oversight by an unaffiliated third party, is a significant change and addition to the “self-evaluated” industry regulations that existed prior to the 2014 inauguration of NERC CIP-014.