The electric utility industry is the only critical infrastructure sector (besides nuclear power) that has mandatory and enforceable federal regulatory standards in place for cyber and physical security. Early security measures focused on public safety and on preventing vandalism and theft, but attention has shifted toward the vulnerability of the power grid to terrorist attacks that could cause widespread, extended blackouts.
The standards regime for the bulk power system was initially established in the Energy Policy Act of 2005, as part of the Federal Power Act approved by Congress.
Following a rifle attack on a critical electric power substation in Metcalf, CA, in 2013, utilities across the country began to reevaluate and adjust their physical security programs, in a shift from a trending emphasis on cybersecurity. The Federal Energy Regulatory Commission (FERC) and Congress soon released a new mandatory Physical Security Reliability Standard (CIP-014) for bulk power asset owners. The not-for-profit North American Electric Reliability Corporation (NERC), which is responsible for ensuring grid reliability, transmits those standards to the North American bulk power system, and under FERC’s oversight it conducts audits and enforces CIP-014 among other standards.
Given the vast differences in the configuration, size, and ownership of the 3,000 electric distribution utilities in the U.S., establishing and enforcing security standards that apply universally is challenging. CIP standards are centered on scope severity ratings (high, medium and low), and compliance is achieved based upon scope.
As part of the CIP-014 implementation process, each utility must identify its most mission-critical facilities and perform a complete security audit and review to identify any potential threats to those mission-critical assets. This risk assessment must then be confirmed by an independent third party. Following this, the utility is to implement the physical security protection necessary to maintain protection of those assets, with additional third-party review.
The March 2018 report entitled “NERC Standards for Bulk Power Physical Security: Is the Grid More Secure?”, prepared for members and committees of Congress, states that “based on the objectives of the CIP-014 standards, the U.S. electric grid is more physically secure than it was five years ago, [but] it has not necessarily reached the level of physical security needed based on the sector’s own assessments of risk”. It also mentions that many utilities appear to be reconfiguring and elevating physical security functions within their corporate structures, and centralizing and bolstering their physical security capabilities at the operational level.
NERC and the report prepared for Congress both indicate that physical security improvements appear to be underway among owners of bulk power critical assets, and point out that “no major cyber- and few physical-related load losses have happened to date”, but both parties recognize that bulk power physical security remains a work in progress. CIP-014 does not provide a great amount of guidance in areas of technical controls, for example, but tries to establish a best-practices structure.
According to experts in bulk power security and CIP standards, several areas of weakness are relatively common among utility companies, even after establishing compliance. Partnering with a qualified integrator could alleviate some of the problems within these areas.
- Personnel and training: Standard CIP-004-6 has requirements for awareness training, a process for checking and evaluating criminal history, and personnel risk assessments. There is also a requirement for audit records addressing identity and access management, and these records have to be assessed every 15 months, showing the data is correct and updated. It is easy for utilities to slip up in the area of records maintenance and access management, but these are great areas for a security integrator to manage.
- Electronic security perimeter (ESP): CIP-005-05 deals with the control systems, server room, telecom room and critical cyber-assets. A lot of resources are typically put toward constructing the perimeter itself, but not always enough attention is paid to the internal security. Physical access controls, video equipment and monitoring systems are vital to securing the ESP, yet are not always kept up to best performance standards; they can be managed by an integrator, keeping the utility in better compliance.
- Physical security: CIP-006-6 requires documented existence of physical access controls, human security, fences, seismic monitoring, video monitoring and locks. But stipulations about securing the camera network, maintenance of fences and testing of breach detection are lacking. Here, too, working with a security integrator can shift that responsibility from burdened utility personnel to a trained and trusted resource, and great improvements can be made in physical security systems.
While the potential for terrorist activity to disrupt the delivery of electric power is likely to remain and even escalate in the foreseeable future, bulk power utilities are also facing issues like theft and vandalism. High copper prices make electrical substations an attractive target for theft, which poses great danger for the thieves and the facility’s maintenance personnel. Vendors offer specialized products for shielding and protecting critical components of power utilities, and security integrators can help to put hardware and software systems into place that maximize intrusion detection and facilitate early situational response.