I recently wrote two posts – here and here - on lessons that can be learned from CIP-014, the standard for physical security of critical substations, which came into effect two years ago. I’m interested in CIP-014 because it was the first objectives-based CIP standard; it was followed by two other such standards: CIP-013 and now CIP-012. There are also at least three objectives-based requirements: CIP-003 R2, CIP-007 R3 and CIP-010 R4. In fact, all of the standards or requirements that NERC has developed since CIP version 5 have been objectives-based (and this was mostly because FERC has made it clear in their orders for new standards that they wanted them to be objectives-based. I am quite sure that FERC will order all new standards going forward to be such). I think it’s very helpful to take account of these lessons, since it will help not only entities that have to comply with CIP-014, but also all entities (a much larger group) that have to comply with CIP-013, the new supply chain security standard.
In the previous two posts, I discussed two things I learned from talking with a CIP physical security compliance specialist at a large utility, both based on experiences they had while getting ready to comply with CIP-014. However, I recently attended a meeting of one of the NERC regional entities and talked with two entities that had already been audited on CIP-014 and had some interesting experiences in their audits. In this post I’ll discuss an important fact I learned from those two conversations (without identifying the two entities, of course). And I’ll draw on other things I learned from these conversations in an upcoming post on the question of how standards and requirements that are based on the entity’s developing and implementing a plan can be audited (actually, on whether they can be audited in any meaningful sense. You’ll have to stay in suspense on this point until I write the post).
You can download CIP-014 and read about the standard, which has six requirements. What’s most important for this post are requirements 4-6, which seem to be where a number of NERC entities are running into trouble. Requirements 1-3 are about determining which substations (and control centers) are in scope for the standard, but R4-R6 cover:
- R4: For the substations and control centers that are in scope, conduct an assessment of those facilities’ “potential threats and vulnerabilities” to physical attack;
- R5: For each facility in scope, develop and implement a physical security plan that “covers” the substations and control centers in scope; and
- R6: Have a qualified third party validate both the assessment in step 3 and the plan developed in step 4. The third party may recommend changes in either document; the entity must change the plan to reflect those recommendations, or document why it did not. And since the plan has to be implemented, these changes will also need to be implemented
Both entities reported a serious issue with the auditors based on the following:
- CIP-014 R1 requires the entity to conduct a risk assessment of all of their “Medium impact” substations and perform an analysis to determine which of those “if rendered inoperable or damaged could result in instability, uncontrolled separation, or cascading within an Interconnection.” Note that this is a holistic criterion: It looks at what will happen if the entire substation is taken out, not if any particular Facility within the substation is rendered inoperable (e.g. individual transformers or buses).
- In R4, the entity is required to perform an “evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission substations…” Note again that this is a holistic criterion. The attacks in question are ones on the substation itself, not on any individual Facilities in the substation.
- R5 requires the entity to develop and implement “documented physical security plan(s) that covers their respective Transmission stations…” Once again, this is a holistic requirement; the plan is for the whole substation, not any of the Facilities found at it.
You may suspect where I’m going with this. It seems pretty clear that the requirements as written are only addressing the substation as a whole. Specifically, the evaluation of threats and vulnerabilities and the physical security plan seem to only apply to the entire substation. But guess what the auditors are looking for? You’re right – they’re looking for the security plan to address protection of the Facilities at the substation, not just the substation as a whole!
In fact, both the entities I talked to said they were specifically called out on the fact that their R4 threat and vulnerability assessments and their R5 physical security plans didn’t address the transformers and other Facilities (like buses) at the substations. One entity received an Area of Concern because of this, while the other received an actual Potential Non-Compliance finding. Yet, as you’ve just seen, nowhere in the CIP-014 requirements is there any mention of anything but the substation as a whole!
Now, I’m certainly ready to admit that the auditors weren’t unreasonable in telling both entities that they need to address this issue. After all, the snipers who carried out the Metcalf substation attack, which prompted FERC to order this standard, didn’t destroy the substation; they just attacked a number of the transformers. But they were almost able to have a major impact on the grid in that area. So it’s not unreasonable to expect that NERC entities that own critical substations should take some steps to protect the individual Facilities there.
It may not be unreasonable, but it’s also not required by the language of CIP-014! So this is one area where the auditors need to simply issue an Area of Concern and stress that this is something the entity should strongly consider doing for grid security, even though it’s not in any way required.
And why isn’t it required? I think the drafting team must have simply made a mistake.[i] After all, FERC only gave NERC 90 days to draft and approve the standard – a mere blink of an eye in NERC-dom.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org.
[i] I also heard about another mistake the SDT made. The risk assessment required in R1 is specifically mandated (in R1.1) to be re-performed every 30 months. However, the threat and vulnerability assessment required in R4 doesn’t have to be re-performed at all! Yet I’ve heard auditors are asking utilities whether they will re-perform that assessment every 30 months. In this case also, the auditors should make clear that, while it isn’t required by the wording of the standard, it certainly makes sense to re-perform both assessments every 30 months, not just one of them.