On April 16, 2013, attackers cut fiber optic cables in an underground vault and then fired more than 100 rounds from at least two high-powered rifles on Pacific Gas and Electric’s Metcalf power transmission station near San Jose, California. The attack did not cause major power disruptions because officials were able to reroute electricity remotely during the 27 days it took to repair the installation and get it back on line, according to PG&E spokesman Brian Swanson. The California power utility had never previously experienced such a large-scale act of aggression.i “Ever since, we’ve been working very aggressively to improve substation security, not just at Metcalf but throughout our system,” Swanson said. “Its not just PG&E acting alone. The utility industry as a whole is working with stakeholders like the Edison Electric Institute, with policy makers, with government and law enforcement officials at all levels,” he added. An FBI investigation is ongoing, but has so far resulted in no arrests. Swanson declined to speculate on the perpetrators’ identity or possible motive.ii
Also, as a result of the Metcalf incident, PG&E said it would invest $100 million over three years on new security around many of its critical facilities, including better security cameras, fencing and lighting.iii
At a California Public Utilities Commission meeting last year to review the incident, PG&E senior director of substations Ken Wells said the Metcalf attack was “a game changer.”
“No doubt about it, …this event caused us and the entire industry to take a new and closer look at our critical facilities and what we can do to protect them,” Wells said.iv
Following the attack, the Federal Energy Regulatory Commission (FERC) directed the industry to write new rules for physical security.v
The outcome of this mandate came from the North American Electric Reliability Corporation (NERC) as the six part Critical Infrastructure Protection standard known as NERC CIP-014. In this fifth installment of the series, we take a look at the R5 element of the standard.
The R5 standard requires transmission owners or those with operational control of transmission substations to develop and implement a documented physical security plan within 120 days of the completion of the R2 requirement of the NERC CIP-014 standard. The R5 standard includes key risk assessment parameters that must be included in the plan, as well as steps to integrate with law enforcement agencies. The standard is to include attributes as follows in order to be NERC CIP-014 compliant:
Resiliency or security measures designed to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities based on the results of the evaluation conducted in Requirement R4.
- Law enforcement contact and coordination information.
- A timeline for implementing the physical security enhancements and modifications specified in the physical security plan.
- Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s).