Have the North American Electric Reliability Corp.’s physical security standards made the U.S. grid more secure?
A recent analysis by the Congressional Research Service says the record is incomplete, “a work in progress.” The March 18 report – “NERC Standards for Bulk Power Physical Security: Is the Grid More Secure? – finds that “although it is probably accurate to conclude that, based on the objectives of the [NERC] standards, the U.S. electric grid is more physically secure than it was five years ago, it has not necessarily reached the level of physical security needed based on the sector’s own assessments of risk.”
The report by analyst Paul W. Parfomak concludes, “Although the electric power sector seems to be moving in the direction of more extensive physical security, many measures have yet to be implemented and the process of corporate realignment around physical security is still underway.”
The report cites the California Public Utilities Commission:
“It appears that the North American electric industry is in intermediate stages of fully harnessing the potential of security technologies and staff expertise, and integrating security and risk assessment values into the utility culture such that utility physical security ultimately is prioritized on par with safety and reliability.”
NERC’s initial efforts focus on protecting the grid from cyber attacks, and NERC’s standards for protection of critical infrastructure. That changed in 2013, with a sophisticated rifle attack on a critical substation in Metcalf, Calif. That event, says Parfomak, “marked a turning point for the U.S. electric power sector.”
The event garnered a lot of press attention, an FBI investigation (with no known results), congressional huffing and puffing, and action by a somewhat spooked Federal Energy Regulatory Commission. FERC told NERC to come up with mandatory physical security standard, which the Atlanta-based group produced in 2015 as CIP-014, Physical Security Reliability Standard.
The CRS report suggests that Congress may wish to look at some additional issues “with policy significance.” These include implementation oversight, cost recovery, hardening vs. resilience, and “the quality of threat information.”
Until recently, CRS reports were not publicly available, although Steven Aftergood of the Federation of American Scientists since 1997 has made as many public as he could obtain through non-official sources on the FAS website. During that period, FAS and other public-interest groups have pushed to make the reports public.
On March 26, that changed. Aftergood reported, “All non-confidential reports of the Congressional Research Service must be made publicly available online through a Government Publishing Office website within 90 to 270 days under a provision of the 2018 omnibus appropriations act that was passed by Congress and signed by the President last week.”
One of the activists pushing for public release, Daniel Schuman of Demand Progress, said, “Congressional Research Service (CRS) reports are the gold standard when it comes to even-handed, non-partisan analysis of the important issues before Congress. For too long, they’ve only been primarily available to the well-connected and the well-heeled. At long last, Congress will make the non-confidential reports available to every American for free.
— Kennedy Maize