On March 7, 2014, FERC ordered the North American Electric Reliability Corporation (“NERC”) to establish Reliability Standards for the physical protection of the Bulk-Power System.  The Reliability Standards will require certain owners or operators of facilities critical to the operation of the Bulk-Power System to identify such facilities and develop and implement plans for the physical protection of those facilities.  FERC directed NERC to submit the proposed Reliability Standards to FERC for approval within 90 days of the order.

In directing NERC to develop these standards, FERC recognized that there is no “one size fits all” approach to the physical protection of critical grid facilities against threats, but outlined three steps that owners or operators of the Bulk-Power System should take to address risks. 

First, FERC stated that the Reliability Standards should require owners or operators of the Bulk-Power System to perform a risk assessment that identifies “critical facilities.”  FERC defined a critical facility as one that “if damaged could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.”  FERC also stated that this risk assessment should be verified by an entity other than the owner or operator, such as NERC or a Regional Entity.

Second, once the critical facilities are identified, the Reliability Standards should require owners or operators of those facilities to evaluate the physical threats to and weaknesses of these facilities.  In this step, FERC indicated that the Reliability Standards should allow owners or operators the flexibility to “tailor” their evaluation to the specific characteristics of the identified critical facilities.

Third, FERC stated that the Reliability Standards should require owners or operators of critical facilities to develop and implement a physical security plan for their identified critical facilities based on their assessment of the threats to and vulnerabilities of their system.  FERC noted that the standards need not identify specific steps owners or operators should take; they need only result in adequate levels of protection for critical facilities.

In addition to the three steps outlined above, FERC stated that the Reliability Standards should include a procedure that allows for the confidential treatment of any sensitive or confidential information that is submitted as a part of these Reliability Standards.

Concurring in a separate statement, Commissioner John Norris noted that while he generally supported the order, he still had concerns about physical security.  First, Commissioner Norris expressed concern regarding the procedural approach FERC took in directing the creation of Reliability Standards, because in his view not all parties will be able to engage FERC in the development process due to restrictions on ex parte communications.  Second, Commissioner Norris stated that the industry remains concerned about sharing sensitive or confidential information with FERC regarding their facilities due to Freedom of Information Act (“FOIA”) requests, and the Reliability Standards will only have limited impact if such information is not freely exchanged.  Commissioner Norris called upon Congress to pass legislation that will clearly exempt such information from a FOIA request.  Last, Commissioner Norris highlighted his concerns that FERC’s efforts are too narrowly tailored to physical security, and should be equally focused on all threats to the grid, including cybersecurity, geomagnetic disturbances, electromagnetic pulses, and natural disasters.

A copy of the order is available here.