Skip to main content
close search
site logo
Dive Brief

NERC opposes expanding physical security rules for critical substations following Duke, PSE, other attacks

Published April 17, 2023
Robert Walton's headshot
Senior Reporter
Electrical power substation in rural Texas.
fstop123 via Getty Images

Dive Brief:

  • The physical security rule in place now for critical substations “appropriately focuses limited industry resources” and should not be expanded to a broader set of assets on the bulk power system, or BPS, the North American Electric Reliability Corp. concluded in a report published Friday. 
  • However, NERC also found a need to “evaluate additional reliability, resiliency and security measures” following a rise in substation attacks last year. The reliability organization and the Federal Energy Regulatory Commission are planning a technical conference “to further study appropriate levels of physical protections.”
  • NERC’s physical security reliability standard, known as CIP-014, will likely eventually be modified, according to Mike Hamilton, chief information security officer of Critical Insight, a cybersecurity firm. But that process could be lengthy and “the gist of this announcement is that operators must conduct physical risk assessments of substations. Now,” he said.

Dive Insight:

The scope of the North American grid is extensive, with tens of thousands of substations in remote areas. NERC’s physical security rules focus on assets that are critical to the reliable operation of the BPS.

The criteria for a substation to fall under the CIP-014 rule is “broad enough” to capture critical facilities, the report said. “NERC did not find evidence that an expansion of the applicability criteria would identify additional substations that would qualify as ‘critical’ substations.”

While NERC stopped short of recommending a broad expansion of its physical security rule, it did acknowledge the growing threat and need for additional study and action.

“Given the increase in physical security attacks on BPS substations, there is a need to evaluate additional reliability, resiliency, and security measures designed to mitigate the risks associated with those physical security attacks,” NERC said.

Nearly 1,700 physical security incidents were reported to the Electricity Information Sharing and Analysis Center in 2022, up 10.5% from 2021. The majority of reported incidents were categorized as gunfire, ballistic damage, intrusion or tampering and vandalism.

Supplementary data “could show that additional substation configurations would warrant assessment” under the rule, NERC said.

NERC said it would work with FERC staff to hold a technical conference to “identify the type of substation configurations that should be studied to determine whether any additional substations should be included in the applicability criteria.” 

FERC called for NERC to consider expanding CIP-014 applicability in December, following a North Carolina firearms attack that knocked power out to about 45,000 Duke Energy customers. Later that month, multiple substations in Washington were damaged, leading to more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. 

But NERC’s report concluded establishing a “uniform, bright line set of minimum physical security protections” for all BPS substations and associated primary controls centers “is unlikely to be an effective approach to mitigating physical security risks and their potential impacts” because it “fails to provide for a methodical approach necessary to address site-specific threats or objectives.”

“NERC finds that this more holistic approach will provide greater long-term flexibility and minimize the impacts of physical attacks on BPS reliability,” the report concluded. NERC is recommending “further evaluation of the appropriate combination of reliability, resiliency and security measures that would be effective in helping to mitigate the impact of physical security attacks.”

Critical Insight’s Hamilton said he found NERC’s recommendation against expanding CIP-014 “curious,” but that new security rules were likely coming — as they have for other critical sectors. The health, aviation, pipeline and water sectors have all received new requirements within the last six weeks, he said.

CIP-014 “will likely be modified to reflect the increased scrutiny of substation physical security and document potential compensating controls,” he said. But waiting for a rulemaking and comment period “is not sufficiently rapid to counter a known and prevalent threat.”

“NERC is playing ‘catch up’ to address recent physical attacks and not waiting for the bureaucracy,” Hamilton said.

Editors' picks

Company Announcements

View all | Post a press release
Regional grid operator holds board meeting at boycotted hotel, drawing criticism from climate …
From Fix the Grid Campaign
November 06, 2024
General Atlantic’s BeyondNetZero Fund and TA Partner to Drive Continued Growth of Technosylva
From Technosylva
November 21, 2024
Oncor System Resiliency Plan Approved by PUCT
From Oncor
November 14, 2024
TESCO Solidifies Leadership in Electric Meter and EV Charging Station Accuracy
From TESCO - The Eastern Specialty Company
November 12, 2024
Editors' picks
Latest in Grid Security & Reliability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell