On May 23, 2014, the North American Electric Reliability Corporation (“NERC”) submitted a physical security Reliability Standard (CIP-014-1) for FERC approval. The Reliability Standard is designed to increase physical security measures and reduce the Bulk-Power System’s vulnerability to physical attacks.
On March 7, 2014, FERC issued an order directing NERC to submit one or more Reliability Standards for the physical protection of the Bulk-Power System (see March 14, 2014 edition of the WER). In the March 7 order, FERC acknowledged that current Reliability Standards do not require entities to take reasonable steps to protect against physical attacks. Therefore, FERC directed NERC to develop Reliability Standards where owners or operators of the Bulk-Power System are required to take certain steps to address the risks from a physical attack.
In the May 23 petition, NERC submitted a single Reliability Standard to address FERC’s directives. Specifically, the Reliability Standard requires transmission owners to take three steps to address physical risks. First, transmission owners must perform a risk assessment of their systems to identify those facilities which could cause widespread outages if unable to operate. Next, those transmission owners would be required to evaluate the potential risks and vulnerabilities to the facilities identified in the risk assessment. Finally, the transmission owners would be required to develop and implement a security plan based on the evaluation.
In addition to transmission owners, under CIP-014-1 transmission operators would be required to conduct their own evaluations if any control centers under their operation were identified as a critical facility in the transmission owners’ risk assessment. The transmission operators would then be required to develop their own security and implementation plan.
Finally, the Reliability Standard adds requirements for: (1) the protection of sensitive or critical information; (2) third-party approval of the risk assessment, evaluation of threats and vulnerabilities, and security plan by an entity with transmission planning or analysis experience that is not a corporate affiliate of the Transmission Owner; and (3) periodic reevaluation of the threats, vulnerabilities, and security plan.
A copy of the petition is available here.