What about the Physical Security of the U.S. Power Grid?
By Jim Vess
In an effort to protect the United States electric transmission system a lot of the focus has been placed on cybersecurity. This is understandable with all the recent press about hackers – some alleged funded by foreign governments – stealing critical information from financial institutions, entertainment giants, and major retailers. It seems like hackers are everywhere and billions of dollars have been spent improving the cybersecurity of critical infrastructure in the U.S., including the transmission system. But what’s being done about the physical security of the grid?
A physical attack on the Pacific Gas & Electric (PG&E) Metcalf substation near San Jose, CA, in April 2013 brought attention to the need to address the physical security standards of the nation’s power grid and raised fears regarding the vulnerability of the grid to terrorist attack.
Just after midnight on the morning of April 16, 2013, fiber optic cables were cut in the area around the Metcalf substation, interrupting some local 911 services, landline service to the substation, and cell phone service in the area. The attackers then fired more than 100 rounds from what officials described as high-powered rifles, possibly AK-47’s, at several transformers in the facility, which knocked out 17 large transformers that power the Silicon Valley.
This incident led, in April 2014, to the Federal Energy Regulatory Commission (FERC) requiring the North America Energy Reliability Corporation (NERC) to establish Critical Infrastructure Protection (CIP) standards to address physical security threats and vulnerabilities related to the reliable operation of the U.S. power grid. NERC developed and issued Reliability Standard CIP-014-1. This is a physical security standard that has a stated purpose to identify and protect critical transmission facilities. CIP-014-1 became effective on January 26, 2015.
Under Reliability Standard CIP-014-1, transmission owners will be required to identify their transmission stations and substations that, if rendered inoperable or damaged, could result in grid instability, uncontrolled separation, or cascading failures. This includes substations operated at or above 500 kV and substations between 200 kV and 499 kV that have three or more interconnected substations. Transmission owners and transmission operators will also be required to evaluate potential threats of physical attacks against their respective transmission stations and substations, and to develop and implement documented security plans to address those threats and vulnerabilities. Security plans must include “[r]esiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation[.]” Both the identification of vulnerable transmission facilities and the security plans developed by transmission owners and transmission operators will be subject to verification by an unaffiliated third party. Third party verifiers will provide an independent layer of expertise in the identification, assessment and protection of critical transmission facilities.
Whether it’s a coordinated terrorist attack or Joe Bob with too many beers and too much ammunition, the potential of a physical attack on critical transmission infrastructure is as real as the potential for a cyberattack. As transmission owners and operators comply with the new CIP standard, they will take giant steps to safeguard the transmission system from possible disaster.
And the cost? The costs to implement CIP-014-1 are minimal when compared to potential revenue lost due to damaged equipment and interrupted electric service caused by a successful physical attack on the nation’s power grid.