In this fifth installment of this article series, the focus is on subsection 4 of the NERC CIP-014 standard: NERC CIP-014 R4. The R4 subsection requires not only primary transmission and substation owners to conduct vulnerability assessments of their facilities, but also, any “sub-contracted,” or independent third party entity that may have daily operational control of a substation identified in sections R1-R3 of the standard to conduct an evaluation of potential threats and vulnerabilities at each of the transmission stations or substations for which they have operational control and oversight. The exact nature of the assessment is itemized in the R4 standard as follows:
• Unique characteristics of the identified and verified transmission station(s), transmission substation(s), and primary control center(s);
• Prior history or attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and
• Intelligence or threat warnings from sources such as law enforcement, the Electric Reliability Organization (ERO), the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), U.S. federal and/or Canadian governmental agencies, or their successors.
The days of trusting a chain link fence and an inexpensive guard shack to protect a facility are over. Modern terrorists groups and lone-wolf operators are highly sophisticated and are always developing and evolving new threat mechanisms. Prudent facility managers and those with ownership responsibility at transmission station and substation facilities must address the first line of defense — perimeter security — with deterrence capabilities that are technologically advanced and evolving as well.