NERC Assesses Bulk Power System Physical Security Standards
Image courtesy of Jeff Wallace under Attribution-NonCommercial 2.0 Generic License, resized to 700 x 391 pixels.
In April 2023, the North American Reliability Corp. (NERC) sent a report to the Federal Energy Regulatory Commission with a recommendation on whether minimum physical security standards should be set for the bulk power system, including transmission stations, substations and control centers. This was in response to a Dec. 2022 mandate from FERC for NERC to assess physical security.
NERC’s conclusion? Leave well enough alone (for now).
NERC’s Thoughts on Bulk Power System Physical Security Standards
Surprisingly, NERC did not believe it is necessary to mandate a minimum level of protections against physical attacks at this time, nor does it believe that expanding applicability criteria regarding the definition of a “critical” substation is appropriate at this time.
While the NERC study outlines actions to strengthen physical security standards and consider additional risk-based enhancements, it does not conclude that a minimum-level mandate is appropriate at this time. Although the report strongly suggests that additional assessments around security, reliability and resilience are needed given the increase in physical security breaches in 2022, there are additional prerequisite steps that must be executed first.
For example, NERC said it must first refine the objective of the risk assessment by executing a standards-development project to clarify processes and expectations. NERC also plans to work with FERC to hold a technical conference to dive deeper into physical protection considerations, including compiling additional data on protection measures, identifying how they could be embedded into reliability standards, and updating or refining the criteria that would define a substation as “critical.”
Personally, I was a little disappointed in the report’s conclusion. While the identified next steps are logical, I worry about how long the process will take. Simply put, from a pure emergency preparedness standpoint, physical and cybersecurity are huge risks that must be accounted for in emergency plans, and the longer we need to wait for NERC’s bulk power system recommendations, the longer we’re at a heightened level of risk. Fingers crossed the timeline is faster than I’m anticipating!