An examination by USA TODAY in collaboration with more than ten Gannett newspapers and TV stations across the country, and drawing on thousands of pages of government records, federal energy data and a survey of more than fifty electric utilities, finds:
• More often than once a week, the physical and computerized security mechanisms intended to protect Americans from widespread power outages are affected by attacks, with less severe cyber attacks happening even more often.
• Transformers and other critical equipment often sit in plain view, protected only by chain-link fencing and a few security cameras.
• Suspects have never been identified in connection with many of the 300-plus attacks on electrical infrastructure since 2011.
• An organization funded by the power industry writes and enforces the industry’s own guidelines for security, and decreased the number of security penalties it issued by 30% from 2013 to 2014, leading to questions about oversight.
“It’s one of those things: One is too many, so that’s why we have to pay attention,” said Federal Energy Regulatory Commission (FERC) Chairman Cheryl LaFleur. “The threats continue to evolve, and we have to continue to evolve as well.”
The vulnerability of our nation’s electric power grid is receiving new attention from both within and from outside the industry. In March of 2014, the North American Electric Reliability Corporation released the Critical Infrastructure Protection standard, known as NERC CIP-014. This standard has six subsections (R1-R6). The NERC CIP-014 R3 requirement is a bit technical, but it addresses a situation where a primary power control center is not under the direct operational control of a transmission owner. Here is the exact language of R3:
For a primary control center(s) identified by the Transmission Owner according to Requirement R1 and verified according to Requirement R2 that is not under the operational control of the Transmission Owner, the Transmission Owner shall, within seven calendar days following completion of Requirement R2, notify the Transmission Operator that has operational control of the primary control center of such identification and the date of completion of Requirement R2.
If a Transmission station or Transmission substation previously identified under Requirement R1 and verified according to Requirement R2 is removed from the identification during a subsequent risk assessment performed according to Requirement R1 or a verification according to Requirement R2, then the Transmission Owner shall, within seven calendar days following the verification or the subsequent risk assessment, notify the Transmission Operator that has operational control of the primary control center of the removal.
This can be a tad obscure for non-industry insiders. The short version is NERC CIP-014 R3 tries to assure that power grid substations that are operated by organizational entities not directly owned by the transmission owners are informed of their standing in regard to NERC CIP-014 R1 and R2 and are given the opportunity to comply.