A standard is only as good as the accuracy of its measure. A law is only as good as the will to enforce it. Historically, the energy industry has been self-governing when it comes to electric substation security. This has led to criticism and accusations of conflict of interest, both from within the industry and from government regulators.[i]

Thomas Popik, president of the Foundation for Resilient Societies, a Nashua, N.H.-based advocacy group, argued that the power industry is given too much leeway to control its own security rules.
“The system is so badly broken,” Popik said. “For physical protection, the standards are very weak.”
Under the framework set by the Energy Policy Act of 2005, an industry-funded non-profit, the North American Electric Reliability Corporation (NERC), writes reliability standards for the industry, which are then approved or rejected by the Federal Energy Regulatory Commission (FERC), the federal agency with jurisdiction over the bulk power grid.
In a 2012 report, the non-partisan Congressional Research Service called the regulatory arrangement unusual and said it “may potentially be a conflict of interest” for an industry to write its own rules. Federal regulators also look to NERC to enforce those rules, and enforcement activity has decreased in recent years: the number of enforcement actions taken by NERC against utilities for failing to follow critical infrastructure protection standards fell 30%, from 1,230 in 2013 to 860 in 2014. NERC president and CEO Gerry Cauley said the decline in fines points to increased compliance rather than decreased enforcement:
“Longer term, you expect people to get the message and make the adjustments to keep improving,” he said. “It’s not because we’re being nicer.”
Addressing the perceived problems of industry self-monitoring for security, in March 2014 FERC directed NERC to develop and implement reliability standards requiring owners and operators of the bulk power system to address physical security risks to critical facilities. The outcome of that directive was the development and adoption of the NERC Critical Infrastructure Protection standard for physical security, NERC CIP-014, Requirements R1 through R6 (cyber security for the grid is covered by the other CIP standards). The sixth and final requirement (NERC CIP-014 R6) introduces a level of external accountability that the industry had not previously seen.
NERC CIP-014 R6 requires that transmission owners and operators identified in NERC CIP-014 R3 that own or operate a transmission station, substation, or primary control center identified in NERC CIP-014 R1 and verified according to NERC CIP-014 R2, shall have an unaffiliated third party review the evaluation performed under NERC CIP-014 R4 and the security plan(s) developed under NERC CIP-014 R5. The review may occur concurrently with, or after, completion of the evaluation performed under NERC CIP-014 R4 and the security plan development under NERC CIP-014 R5.
This is dense language, but it boils down to the following: under the earlier requirements, the owner or operator identifies its critical facilities (R1), has that risk assessment verified by an unaffiliated third party (R2), performs its own threat and vulnerability evaluation (R4), and writes its own security plan (R5). R6 adds that the R4 evaluation and the R5 security plan must themselves be reviewed by an unaffiliated third party, so the entity's own security analysis does not go unchecked.
Transmission station owners and operators do not have carte blanche to choose just any reviewing entity. The unaffiliated third party reviewer must meet at least one of the following criteria:
• An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.
• An entity or organization approved by the ERO.
• A governmental agency with physical security expertise.
• An entity or organization with demonstrated law enforcement, government, or military physical security expertise.
The transmission owner or operator must ensure that the unaffiliated third party review is completed within ninety calendar days of completing the security plan(s) developed under NERC CIP-014 R5. The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under NERC CIP-014 R4 or the security plan(s) developed under NERC CIP-014 R5.
If the unaffiliated reviewing entity recommends changes to the evaluation performed under NERC CIP-014 R4 or the security plan(s) developed under NERC CIP-014 R5, the transmission owner or operator shall, within sixty calendar days of the completion of the unaffiliated third party review, for each recommendation:
• Modify its evaluation or security plan(s) consistent with the recommendation; or
• Document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.
Each transmission owner and operator shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information exchanged with the unaffiliated reviewing entity.
The introduction of the NERC CIP-014 R1-R6 standard is a watershed moment for the industry. It acknowledges the very real and present threat of physical attack against the nation's critical transmission substations, and for the first time requires that an entity's own assessment of that threat be checked by someone outside the entity.
[i] The preceding account is taken and adapted from Steve Reilly, USA TODAY, March 24, 2015.