FERC Orders Physical Security Standards

On Friday March 7, FERC issued an Order directing NERC to develop one or more Reliability Standards for physical protection of certain critical Facilities in the Bulk Power System.  Here are some of the highlights of the Order:

1. FERC is giving NERC only 90 days to develop these standards.  Folks, that ain’t much time at all.  There will be a lot of midnight oil burned to accomplish this.
2. The Commission specifies three steps that must be included in the standards.  The first step is for owners and operators of the Bulk Power System[i] to identify their “Critical Facilities”.  FERC states that “A critical facility is one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.”  Moreover, the Commission “expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.”
3. The Order states, “The Commission is not requiring NERC to adopt a specific type of risk assessment, nor is the Commission requiring that a mandatory number of facilities be identified as critical facilities under the Reliability Standards.”  So they don’t want NERC to require an Risk Based Assessment Methodology like in CIP Versions 1-3; nor do they want bright-line criteria as in CIP Versions 4 and 5.
4. They do want grid owners and operators to “consider resilience of the grid” when identifying critical facilities.  They also want them to consider “the elements that make up those facilities, such as transformers that typically require significant time to repair or replace.”
5. The second step should require owners and operators to “to evaluate the potential threats and vulnerabilities to those identified facilities.”   FERC makes very clear that those threats and vulnerabilities will vary greatly from facility to facility, and they don’t even want NERC to try to figure out what the common threats are to all critical facilities.
6. In the third step, the owners and operators of critical facilities should be required to “develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.”   
7. So the whole approach of NERC CIP – that all Critical Assets (in v1-3) face similar cyber threats and should apply the same controls, or that all High, Medium and Low impact assets face similar threats and require the same controls (as in v4 and v5) – is out the window.  Been there, done that, got the T-shirt.  We’re now in a purely risk-based standards world.[ii]
8. They state in a few places they are not expecting that a large number of facilities will be identified as critical. 
9. They direct NERC to develop a procedure so that compliance information remains confidential, yet is still shared among those who need to see it at NERC, FERC, and the Regional Entities.
10. They further require that what an entity does for each of the three steps should be reviewed by “NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity.”  This is of course interesting because NERC and the RE’s will be playing two roles here: they will be auditing compliance with the new requirements, but they will also be providing advice to the entities on how they might improve their identification of critical facilities and threats and vulnerabilities to those facilities, as well as improve their mitigation plans.  This of course is very different from CIP (I’m not sure how it compares to the other NERC standards), where NERC and the RE’s bend over backwards not to give any specific compliance advice to individual entities.  I think FERC feels the threat here is much too serious to start taking a rigorous compliance mindset, which will definitely greatly slow down the whole process of making the grid more physically secure.
11. I recommend you read Commissioner Norris’ separate statement, which is attached to the end of the Order.  He makes three very good points – while still concurring with the Order.  Since I want to get this posted, I won’t restate those points here.

March 12: I heard from a couple parties this week that the 90-day timeline FERC gave to NERC for developing the new standard(s) isn't realistic, since an SDT needs to be constituted and then meet to draw up the standards.  These then need to be reviewed by NERC, posted for ballot, and hopefully approved on the first ballot. Finally, the NERC Board of Trustees needs to approve them, before they are sent to FERC.  How could all of this possibly be accomplished in 90 days?

First off, there is a precedent for this.  When FERC approved v2 in 2009, they ordered NERC to make one change - adding a requirement for continuous escorting of visitors within the PSP - and come back with that in 90 days.  NERC went through all of the above steps, and came back with the change (in a new set of standards called CIP v3) on time (this of course was a less controversial step than what FERC is now asking for, which is a completely new standard).

More importantly, when NERC is under a FERC deadline to do something, as they are now, they have to do it – period.  If you read sections 309 and 321 of the NERC Rules of Procedure, you will see that, if a standard ordered be FERC isn’t drafted and approved in a ballot on time, the Board can simply order the staff to write it, then approve it and send it to FERC.  So if anybody wants to bet me that the physical security standards won’t be approved and sent to FERC by the 90-day deadline (and that may mean 90 days after publication in the Federal Register, not 90 days after the order was issued), let me know.  This is almost as sure a bet as that the Cubs won’t win the World Series this year or that the world will stop spinning on its axis, which come to think of it would probably happen if the Cubs did win the Series.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

  

---

[i] FERC always refers to the Bulk Power System, while NERC refers to the Bulk Electric System.  I’m sure there are wonderful reasons why this is the case, but I’ve decided that learning why this is the case doesn’t have to be one of my priorities in life.

[ii] Those of you familiar with CFATS will recognize this approach: first decide what are the critical facilities, then identify the threats to those facilities, then mitigate those threats.  I’m not saying this would be a better approach for cyber security standards, or even that FERC wouldn’t want NERC to use the prescriptive CIP approach if they felt they had the time that would be required to develop prescriptive standards.  But FERC clearly feels they are under the gun (no pun intended) here, and the gun is of course the Metcalf substation attack in California.  They want standards to be developed quickly, and this is really the only way to do it.