A proposed physical security standard for the U.S. high-voltage grid has won widespread acceptance from electric power companies, but approval followed a debate in which key provisions were questioned and some company executives wondered whether the security rules would work -- or were even needed.
The proposal was submitted last week to the Federal Energy Regulatory Commission by the federally appointed grid monitor, the North American Electric Reliability Corp. (NERC), after the plan received an 86 percent approval score from NERC's industry representatives.
The 818-page NERC proposal, which now awaits FERC action, provides the details of issues raised by industry participants, and the response of the proposal's drafting committee chaired by Susan Ivey, vice president of transmission strategy and compliance of Exelon Corp. Lou Oberski, a manager for regulation and policy at Dominion Resources Services, was vice chairman. FERC directed NERC to prepare the standard on March 7 in its docket RD14-6, with a tight, 90-day timetable.
One of the sharpest critiques came from the Bonneville Power Administration, the largest transmission owner in the western United States.
"It is virtually impossible to fully protect all critical BES [bulk electrical facilities -- the high-voltage grid] from attack by a determined foe," Bonneville's representative commented.
"The means to damage BES facilities is already available ... and implementable regardless of what level of physical hardening is implemented," BPA said.
The NERC proposal closely follows the outlines of FERC's order. It requires "transmission owners and transmission operators" to protect "critical transmission stations and substations" and "associated primary control centers" against attacks that could cause widespread breakdowns or cascading outages in the three North American grid segments.
The proposed order would direct such owners to list critical facilities, assess threats and vulnerabilities to these installations, and develop security plans to defend them and mitigate damage from an attack. In one controversial provision, the NERC plan would also require transmission owners to submit to independent, third-party audits of their critical facilities list and their threat evaluations and security plans.
"The biggest general question to answer is what will be considered adequate protection," BPA said. "Will we need a 24-hour on-site armed security force because the location is too remote to augment detection technology with fast response" to keep losses to an acceptable minimum level?
"Will we need security walls constructed to be as impervious as those of a maximum security prison? The list of potential risk mitigation barriers is endless, as is the cost of building and maintaining elaborate barriers for facilities that cover acres of ground."
More typical of industry reaction was a general endorsement by the Edison Electric Institute, which called NERC's draft "fully responsive to the FERC March 7 order" but requested more flexibility in compliance timetables and clarity in requirements. "The project has moved along a very aggressive timeline and naturally raises a broad range of practical and implementation issues," said EEI, which represents investor-owned utilities.
The 'Metcalf' factor
Some power company representatives challenged FERC's action as a hasty, poorly conceived response to an armed attack on a Pacific Gas & Electric substation near San Jose, Calif., that disabled transformers by knocking out cooling equipment. The still-unsolved attack occurred in April 2013, but FERC commissioners did not issue their order until nearly a year later -- shortly after a pair of Wall Street Journal articles highlighted the threat.
One article recounted the attack on the PGE Metcalf substation and quoted former FERC Chairman Jon Wellinghoff's fears about the grid's vulnerability to physical assaults. The second article, the following month, reportedly disclosed results of a confidential FERC study in 2013, which found that taking down as few as nine critical substations in a coordinated assault could cause catastrophic, cascading power outages across the U.S., lasting weeks if not months.
Two days after the initial Wall Street Journal article Feb. 5, four Senate Democrats wrote to Wellinghoff's successor, acting FERC Chairwoman Cheryl LaFleur, and NERC Chief Executive Gerry Cauley saying they were concerned that the voluntary response NERC and FERC were following might not be adequate.
"While it appears that many utilities have a firm grasp on the problem, we simply do now know if there are substantial numbers of utilities or others that have not taken adequate measures," the letter said, signed by Senate Majority Leader Harry Reid (D-Nev.), Dianne Feinstein (D-Calif.), Al Franken (D-Minn.) and Ron Wyden (D-Ore.). The authority of FERC and NERC to address physical threats "is clear and unmistakable," they said.
In its comments to NERC, the Nebraska Public Power District zeroed in on the FERC vulnerability study.
"If a list of the most critical substations exists, why are we trying to develop a new process to determine the list without first getting to see the list?" it asked.
"If we truly have a small subset of nine key substations that are as critical as was quoted in the Wall Street Journal, why isn't the military protecting these substations? ... Is this threat real or is it political sensationalism? ... By installing additional security on these facilities, aren't we painting those assets as targets by clearly identifying them?"
The Nebraska utility added, "I feel like we have been blind-folded and put into a room and told to hit a small target with a dart and we don't even know which wall or direction to throw the dart."
The electric utility for the city of Tallahassee, Fla., challenged the expedited schedule for the rule. "The timeline of this directive appears to be solely in reaction to the publishing of the Metcalf incident," it commented.
"This directive and expedited timeline precludes the dialog from occurring that needs to take place," the utility said. It predicted the standard would be difficult to enforce "with little benefit" to the large majority of grid operators.
The Empire District Electric Co., based in Joplin, Mo., said, "The apparent driver of this effort, the WSJ article, seems a bit misdirected. The Metcalf event occurred over a year ago, yet the standard has been mandated to be issued within 90 days. If the issue was that critical, why hasn't something been done sooner?
"And if this is a truly critical situation, we need to be sure to move logically in a well thought-out process" to reach the right conclusion rather than respond with a "knee-jerk reaction to a newspaper article."
"How was the list of nine substations in the WSJ article determined?" the Missouri utility's representative asked. "This study must be vetted by industry experts to first establish if a reliability gap exists."
Consumers Energy, Michigan's largest utility, joined in that complaint. "Is there an imminent threat? If so, our leaders should find a more appropriate path for a solution (i.e. deploy our military)."
A few comments, on the other hand, said the NERC proposal didn't go far enough.
The Foundation for Resilient Societies, which grew out of a congressionally chartered inquiry into worst-case threats to the power grid, argued that defensive measures must go beyond barriers to conventional armed attacks, to include assaults by intentional electromagnetic interference weapons in terrorists' hands.
This requires specific defense strategies, including deployment of electromagnetic sensors and special training for control room operators to enable them to detect such sophisticated attacks, the foundation said. "The Metcalf incident unambiguously showed the value of equipment monitoring in mitigating physical attack on power transformers," the foundation said. Gunfire sensors, for example, could have alerted law enforcement during the attack, the foundation said.
The foundation also found fault in NERC's proposal to exclude three major grid reliability coordinators from the security requirements. The Midcontinent Independent System Organization, the Southwest Power Pool and Peak Reliability in the western grid are not covered because they are not transmission owners or operators, the foundation said. But as multistate power flow coordinators, they operate control centers that manage power for 141 million people, the foundation said. "If critical substations and their reliability coordinators are attacked in a coordinated manner, what entity will lead system restoration?"
In its comments, MISO said it would not support a decision to bring it under the physical security standard because reliability coordinators' control centers are adequately protected by other FERC standards, a point the foundation disputes.
American Electric Power, based in Columbus, Ohio, was one of a number of companies urging more clarity in the regulation.
"FERC and NERC have implied that the number of critical facilities identified in this process will be relatively small -- fewer than 100 of the 55,000 transmission stations dispersed throughout the country. However, for previous 'critical asset' determinations requested by NERC, AEP has already identified almost that many just on our own system," AEP said.
"This analysis suggests that determination of a particular station as a critical physical facility is not a yes/no question, but rather a tiered approach ... is required," AEP added.
"However, the changes NERC and FERC are proposing could result in massive changes, bringing excessive additional costs with no guarantee of desired outcomes," AEP said.
"Even with increased physical security, there will always be some potential for an attack on a critical facility. Larger fences and armed guards will make attacks marginally more difficult. They will not make the facilities immune to attack," the utility's representative said.
Flathead Electric Cooperative in Montana opposed the requirement for third-party review, saying it "seems like a full employment effort by security consultants and others."
Idaho Power expressed "great concern" over turning over sensitive information on vulnerabilities to third-party auditors who "may have no accountability to the regulators" if information is disclosed.
The NERC drafting team responded with a requirement obligating each transmission owner to ensure the confidentiality of sensitive information.
After adding language to clarify scheduling issues, the team said, "The timelines are aggressive but achievable."
Despite the critiques, the one-sided approval of the NERC plan indicated a consensus on the need for new standards to deal with physical threats to the grid, a consensus that began with FERC and NERC, officials said.
The federal regulatory agency and its designated grid overseer have had issues in developing security guidelines over the past seven years, but on this one, they appeared in tune.
Cauley questioned the accuracy of FERC's grid vulnerability study in a conversation with reporters in March. But NERC said it took physical attacks seriously, organizing a 13-city security briefing on the Metcalf incident and including armed attack scenarios in a two-day "war games" exercise for grid operators last November.
Cauley said he supported the approach in FERC's order, which put the onus on transmission owners to develop reliability standards requiring owners and operators of the interstate bulk power system to address physical security threats to key facilities.
"FERC wrote a good order. This analysis has to be done by each company," he said.