AICPA SOC Service Organizations - Certrec

Substation Physical Security: NERC Won’t be Expanding Physical Security Rules for Substations

What is Substation Physical Security Why is NERC Opposed to Expanding Physical Security Rules for Critical Substations - Featured Image - Certrec

In the midst of growing cyberattacks, the year 2022 ended with a string of physical attacks on the U.S. electric grid, which set alarm bells ringing regarding the physical security of the grid.

On Christmas Day, last year, three substations were “vandalized,” according to the Pierce County Sheriff’s Department, which caused more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. And earlier in December 2022, a firearms attack in North Carolina knocked power out to about 45,000 Duke Energy Customers.

What is Substation Physical Security?

Providing physical security to a substation of the electric grid means securing the physical assets from any harm. Physical protection of transmission and distribution substations can play a huge role in decreasing incidents such as those mentioned above.

The threats to critical utility infrastructure are increasing in frequency and can cost a utility enormous financial losses. So, how can physical security be ensured at a substation? The following are some of the methods being used to secure substations:

  • Around-the-clock centralized monitoring and alerts, in order to provide early awareness and visibility into problems;
  • A communications network that is reliable, secure, and high-performance, to communicate between security devices (perimeter sensors, cameras, keypads, lights) and the computers in the utility’s operations center.
  • Enhanced lighting systems, motion detection devices, wireless communication, infrared cameras, and physical barriers around critical equipment.
Why is NERC Opposed to Expanding Physical Security Rules for Critical Substations - Internal Image - Certrec

Why is NERC Opposed to Expanding Physical Security Rules for Critical Substations?

The North American Reliability Corporation (NERC) develops and enforces a set of critical infrastructure protection standards, known as CIP, which govern the rules for the Bulk-Power System in the U.S., Canada, and part of Mexico. Not only does NERC enforce compliance, it also sheds light on system weaknesses, helps the industry participants operate and plan to the highest possible level, while sharing lessons learned.

On December 15, 2022, the Federal Energy Regulatory Commission (FERC) ordered NERC to submit a report “within 120 days, evaluating the adequacy of the applicability criteria and risk assessment provision of CIP-014-3.” The report was also supposed to examine whether or not a minimum level of security must be provided to all electric transmission stations, substations, and primary control centers.

It was submitted on April 14, 2023. According to the report, “NERC did not find evidence that an expansion of the Applicability criteria would identify additional substations that would qualify as ‘critical’ substations under the CIP-014 Requirement R1 risk assessment. Accordingly, at this time, NERC is not recommending expansion of the CIP-014 Applicability criteria.”

The Report concluded that “supplementary data could show that additional substation configurations would warrant assessment under CIP-014. Accordingly, NERC plans to continue evaluating the adequacy of the Applicability criteria in meeting the objective of CIP-014.”

According to Utility Dive, Critical Insight’s Michael Hamilton found NERC’s recommendation against expanding CIP-014 “curious,” but he was of the view that new security rules are on the way. He added that CIP-O14 “will likely be modified to reflect the increased scrutiny of substation physical security and document potential compensating controls.”

Disclaimer: Any opinions expressed in this blog do not necessarily reflect the opinions of Certrec. This content is meant for informational purposes only.