Loopholes in Grid Physical Security Identified

Posted on February 20, 2020 by Michael Mabee

Click HERE for PDF Copy

Introduction

I am a private citizen who conducts public interest research on the security of the electric grid. I am also the Complainant in this docket.

In addition to the information and recommendations contained in the original Complaint, filed on January 29, 2020 and docketed by the Commission on February 6, 2020, I wish to submit supplemental information and additional recommendations for the record. In the Complaint, I alleged that: 1) The mandatory physical security standard is inadequate, and 2) Enforcement of the mandatory physical security standard seems nonexistent. Below, I provide further background and detail on the allegations and further recommendations. 

CIP-14-2 is Critical to the National Security of the U.S.

 Presidential Policy Directive 21 (PPD-21) identifies the energy sector as uniquely critical due to the enabling functions it provides across all 16 critical infrastructure sectors.[1] The bulk power system is the lynchpin: All 16 critical infrastructures – including the rest of the energy sector – depend on the bulk power system. Therefore, any threat to the bulk power system is a threat to U.S. national security.

CIP-14-2 (Physical Security) is the only mandatory physical security standard that protects this key component necessary to the functioning of all 16 critical infrastructures identified in PPD 21.

The threat of physical attack on the electric grid is not theoretical: CIP-14-2 became effective on October 2, 2015. Department of Energy OE-417 data shows that there have been 245 physical attacks on the grid since the standard became effective. (Exhibit A is a listing of the OE-417 reported physical attacks between October 2, 2015 and December 31, 2019.)

Historically, we have seen spectacular and sophisticated physical attacks against the electric grid such as

•  2013 The Metcalf Sniper Attack.[2] No arrests have ever been made in one of the most alarming physical attacks against the electric grid. The attack on the PG&E Metcalf substation raised Congressional concern which lead to the Commission directing the North American Electric Reliability Corporation (NERC) to develop a physical security standard. Unfortunately, as I will explain below, the standard is fraught with loopholes and covers very few facilities.
• 2013 The Arkansas grid attacks.[3] In a period of a few weeks, attacks occurred against a two transmission lines and a substation. The perpetrator was eventually arrested but the attacks demonstrate the extreme vulnerability of transmission lines and substations to physical attack.
• 2014 The Nogales IED attack.[4] An improvised explosive device (IED) was used in an attempt to blow up a 50,000-gallon diesel fuel tank at a critical transformer substation. The bomb failed to ignite the fuel, but called into larger question the physical security of the grid.
• 2014 The Hydro-Québec attack by airplane.[5] While the details of the attack are under court seal, the attacker used an airplane to short out two major transmission lines, cutting off power to over 180,000 customers. This incident demonstrated the vulnerability of the grid to an attack by air.

While these four particular attacks took place prior to the effective date of CIP-14-2, it is debatable whether the present standard would have stopped them if they occurred today. In fact, in the case of PG&E’s Metcalf station, the following year the Metcalf station was attacked for a second time[6] and PG&E’s credibility was shot when its public statements about its physical security improvements were contradicted by a leaked internal memo.[7]

And the fact remains that since the effective date of CIP-14-2, there have been 245 physical attacks on the grid. This simply cannot be ignored.

Moreover, the threat of a coordinated physical attack is not theoretical. There are numerous recent and historic examples of terrorists or “inferior forces” using well-planned sophisticated attacks against multiple targets with great effect. The Tet Offensive on January 30, 1968 was a coordinated surprise attack on over 100 cities and outposts in Vietnam. The attack caught the U.S. totally by surprise and it is widely attributed to turning the tide of the war against the U.S.[8] On September 11, 2001, terrorists attacked the U.S. in a sophisticated, well-coordinated attack against multiple targets.[9] The impacts to the U.S. from the 9/11 attacks were dramatic and society changing.

More recently, on September 14, 2019 two oil production facilities in Saudi Arabia were attacked by drones and missiles causing a substantial temporary loss of Saudi Arabia’s oil production.[10] Responsibility for this attack was claimed by Houthi rebels in Yemen, however, the United States and other countries have accused Iran of involvement.[11] Terrorist organizations such as ISIS (a.k.a. “Islamic State”) are also known to have deployed weaponized drones.[12]

The U.S. electric grid, built over generations in which domestic terrorism was not a concern, was not designed to thwart physical attacks. That physical security must now be put into place through meaningful mandatory standards. The electric grid is an open target. For example, in 5 minutes using Google Maps, I was able to trace transmission lines from two generating plants to various equipment and substations on the grid. I was able to see the equipment and locations in excellent detail. (Exhibit B is several screen shots from my 5-minute Google Maps “reconnaissance” of part of the grid.) Terrorists can easily map out sections of the grid and locate critical equipment. With drones, they could attack these facilities from several kilometers away.[13]

 Finally, CIP-14-2 is riddled with loopholes to the point where it is largely a voluntary standard, not a mandatory standard. The only requirement is that those few facilities who are subject to it have a notebook labeled “Physical Security Plan” with some certain papers of dubious value. It makes no requirement whatsoever that physical security plans of these few facilities be effective or be approved by any regulatory authority. CIP-14-2 leaves out the majority of facilities in the bulk power system. I will discuss this in more detail below.

The current threat landscape requires a full reevaluation of CIP-14-2. FERC needs to understand that it is the only federal agency that has the authority to protect the bulk power system from simultaneous physical attacks involving multiple critical facilities that could threaten the 16 critical infrastructures identified in PPD-21.

If FERC fails to direct substantial improvements to CIP-14-2, then it is neglecting the very real danger that an inadequately protected bulk power system poses to the 16 critical infrastructures and is neglecting the Commission’s responsibility to the American people.

I hope this is not the case.

Loopholes in the present CIP-14-2 “Applicability” make the standard inadequate.

Unfortunately, CIP-14-2 admittedly expects the population of facilities covered by the standard “will be small and that many Transmission Owners that meet the applicability of this standard will not actually identify any such Facilities.”[14] And, unbelievably, “the SDT[15] determined that it was not necessary to include Generator Operators and Generator Owners in the Reliability Standard.”[16]

Most alarmingly, FERC has admitted that: “Reliability Standard CIP-014-1 does not require responsible entities to assess the criticality of Bulk-Power System facilities based on a simultaneous attack on multiple facilities.”[17] Although the issue of simultaneous attacks was raised strenuously in rulemaking, FERC declined to address it:

Moreover, the March 7 Order “anticipate[d] that the number of facilities identified as critical will be relatively small compared to the number of facilities that comprise the Bulk-Power System … [and that the Commission’s] preliminary view is that most of these would not be ‘critical’ as the term is used in [the March 7 Order].” Accordingly, NERC was not required to address in the physical security Reliability Standards scenarios of simultaneous physical attacks involving multiple critical facilities.[18] [Internal footnotes omitted.]

There are over 2000 EHV LPTs[19] (Extra High Voltage Large Power Transformers) in the United States and tens of thousands of LPTs. But according to CIP-14-2’s applicability, very few of these would meet the criteria for coverage. That is a lot of critical targets for a potential simultaneous terrorist attack which are not covered by the standard.

But it gets worse.

Power generation plants are not covered under CIP-14-2. OE-417 data from the Department of Energy shows that there have been 66 disturbances cause by fuel supply deficiency since 2010.[20] There have also been at least 17 disturbances cause by “generation interruption” during the same period.[21] During times of extreme weather, we have seen the systems in New England, Texas and California strained to the limits. And this is in “normal times.”

Then FERC Chairman Cheryl LaFleur testified on September 22, 2014 before the Senate Energy Committee and admitted: “A carefully planned and executed attack on a single or multiple generation plants could cause cascading outages…”[22]

If, as FERC admits, an attack on one generation plant could cause a cascading failure, a simultaneous terrorist strike on several generation facilities is a grave danger. If such an attack occurs in conjunction with a “public appeal” to reduce electricity consumption – which have occurred at least 64 times since 2010[23] – or in conjunction with a weather-related event – which have occurred 800 times since 2010,[24] the consequences for an already stressed grid are dire.

Transmission lines are not covered under CIP-14-2. While it may not be feasible to fully secure 240,000 miles of high voltage transmission lines, this does not mean that they should be completely excluded from the CIP standard. There are actions that should be required.

For example, Transmission Owners and Operators should be required to coordinate with all law enforcement agencies through whose jurisdiction the lines pass. They should be required to provide these law enforcement agencies with maps, access points and have a standing “no trespassing” enforcement request. Signage should be required. In critical access areas, gates should be installed to limit vehicular access to authorized vehicles.

Critical military bases and other critical infrastructures may lose power. CIP-14-2’s “applicability” will not protect the grid from a coordinated attack on smaller facilities.

“The purpose of Reliability Standard CIP-014 is to protect Transmission stations and Transmission substations, and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.”[25]

This means that the standard only applies to each individual facility that if disabled alone would meet this applicability. Moreover,

“The Standard Drafting Team (SDT) expects this population will be small and that many Transmission Owners that meet the applicability of this standard will not actually identify any such Facilities.”[26]

A coordinated attack against uncovered facilities could threaten our key military bases in that area and other critical infrastructures. FERC admits that:

Reliability Standard CIP-014-1 does not require responsible entities to assess the criticality of Bulk-Power System facilities based on a simultaneous attack on multiple facilities.[27]

CIP-14-2’s “applicability” leaves unprotected large swaths of the critical components of the electric grid which are susceptible to a coordinated terrorist attack, including:

•  Generation plants
• Transmission lines
• Most transformer stations and substations
• Some control facilities

A standard with an “applicability” to so little of the most critical of our critical infrastructures cannot be deemed “adequate” under any circumstances.

Loopholes in the present CIP-14-2 “Requirements” make the standard inadequate.

The “requirements” of CIP-14-2 are fraught with loopholes to the point where the standard covers few facilities and the loopholes render this largely a voluntary standard, not a mandatory standard. The only ultimate requirement is that those few facilities who are subject to it have a notebook labeled “Physical Security Plan” with some certain papers of dubious value. It makes no requirement whatsoever that physical security plans for these few facilities be effective or approved by any regulatory authority. CIP-14-2 leaves out the majority of facilities in the bulk power system.

Requirement R1. “Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1.”

R1 Loophole: The population of covered facilities which would be identified in the “risk assessment” is small. This standard only applies if the loss of the individual facility alone could cause a cascading failure. There are no provisions for facilities that in a coordinated attack on multiple facilities could have the same impact. In fact, in the Guidelines and Technical Basis section, NERC explains that: “The Standard Drafting Team (SDT) expects this population will be small and that many Transmission Owners that meet the applicability of this standard will not actually identify any such Facilities.”

This loophole must be closed. FERC should direct that the standard be modified to include any facilities that alone or in a coordinated attack on multiple facilities, could contribute to a critical impact on the operation of the Interconnection in the event the asset is rendered inoperable or damaged.

FERC should also direct that the standard be modified to require Transmission Planners and Reliability Coordinators to model the loss of one or more critical substations on their system with a focus on a simultaneous attack on multiple locations. Such modeling will better inform the industry and regulators on vulnerabilities in the system.

Requirement R2. “Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement R1.” While this sounds good on the surface, several loopholes exist which cast the effectiveness of the requirement in doubt.

R2.2 Loophole #1: Many, if not all, peer Transmission Owners would meet the requirement to be a “verifying entity.” This means that peer Transmission Owners could verify each other’s risk assessments. This creates an obvious conflict of interest and could incent Transmission Owners to “go easy – they are verifying us next week.”

R2.2 Loophole #2: “The unaffiliated third party verification shall verify the Transmission Owner’s risk assessment performed under Requirement R1, which may include recommendations for the addition or deletion of a Transmission station(s) or Transmission substation(s).”

A Transmission Owner could hire a “verifying entity” just to “verify” that they did a risk assessment and specifically not make recommendations. Recommendations should be required. The word “may” should be changed to “shall.”

FERC should direct NERC to modify R2 to prohibit reciprocal “verifications” between Transmission Owners to avoid even the appearance of a conflict of interest in the process. Moreover, the requirement should specify that the “verifying entity” ensure that an analysis was conducted on the impact that an attack on multiple facilities would have on the entire interconnection.

R2.3 Loophole: Notwithstanding that in the present standard, recommendations are not “required” and can be easily avoided, there is no regulatory approval required if an entity simply “Document[s] the technical basis for not modifying the identification in accordance with the recommendation.” Regulatory approval should be required if a Transmission Owner decides not to modify its identification under Requirement R1.

This should not be burdensome – if a valid reason exists, it should be approved. However, the security of the entire interconnection is at stake in these decisions and therefore, regulators need visibility on the identifications – and protection – of critical facilities.

Requirement R4. “Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in Requirement R1 and verified according to Requirement R2.”

R4 Loophole: There is no requirement that anybody with threat evaluation or physical security knowledge or experience even be consulted. There is no requirement for on-site evaluations of these facilities. As this requirement is written, any reasonably literate employee could conduct this threat and vulnerability evaluation from a desk at the corporate office and meet the standard.[28]

FERC should direct NERC to modify Requirement R4 to specify that this evaluation be conducted by a person or entity with threat evaluation and physical security experience and that such evaluation include on-site assessments of each covered facility.

Another loophole in R4 is that there is no provision that subsequent evaluations of the potential threats and vulnerabilities be performed. As written, this “evaluation” is done once. Many such evaluations could now be years old. Given the evolving threats and changes to the geography around a facility, FERC must direct NERC to modify CIP-14-2 to require that such evaluations be done at least annually and include on-site inspections by qualified personnel.

Requirement R5. “Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall develop and implement a documented physical security plan(s) that covers their respective Transmission station(s), Transmission substation(s), and primary control center(s).”

R5 Loophole: There is no requirement that the plan be effective in any way and there is no requirement that anybody with physical security experience even be involved in developing the plan. Transmission Owners have the discretion to do a very minimal amount to meet Requirements R5.1 through R5.4. Further, the weaknesses in R1, R2 and R4 are compounded here in physical security plans based on questionable peer reviews and non-expert threat and vulnerability evaluations.

Requirement R6. “Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5.”

R6.1 Loophole: This “unaffiliated third party” can still be a peer Transmission Owner who meets the criteria of R6.1 (which most probably do). This means that peer Transmission Owners could verify each other’s evaluations (R4) and physical security plans (R5). This creates an obvious conflict of interest and could incent an “unaffiliated third party” to “go easy – they are reviewing us next week.”

Another example. One acceptable “unaffiliated third party” under R6.1 is: “An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.” However, this one member on the review staff may not be the leader or the person writing the “review.” There is sufficient “flexibility” to marginalize the role of this “at least one member” of the review staff who has experience, in this largely paper exercise. There is no requirement that this one member who might have some knowledge perform any type of on-site evaluation. In the end, this loophole makes the qualifications and marching orders of the “review staff” – especially peer utilities – suspect.

In fact, the “unaffiliated third party” could fully meet their obligations from their own corporate office by reviewing the “physical security” binder. There is no requirement that they ever set foot on the Transmission Owner’s property.

It is worth noting that R6.1 is the only place in the CIP-14-2 that purports to require any modicum of physical security knowledge or expertise in the process. But the loopholes in R6 make it easy for a Transmission Owner to completely marginalize or avoid entirely any chance that the “unaffiliated third party” will recommend that there is further work to be done. The standard, as written, makes this all completely optional.

R6.2 Loophole: “The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5.” A Transmission Owner could hire a “unaffiliated third party” reviewer just to “review” that they have a binder labeled “Physical Security” with all of the requisite papers. A Transmission Owner could specifically ask the “reviewer” not make recommendations. Recommendations should be required. Moreover, the review should also consist of on-site visits to the covered facilities.

R6.3 Loophole: Notwithstanding that in the requirement as currently written recommendations are not “required” and can be easily avoided, there is no regulatory approval required if an entity simply “Document[s] the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.”

Regulatory approval should be required if a Transmission Owner decides not to modify its physical security under Requirement R6. If a valid reason exists, it should be approved. However, the security of the entire interconnection is at stake in these decisions and therefore, regulators need visibility on the effectiveness of the physical security plans – and protection – of critical facilities.

Another loophole in R6 is that there is no provision for subsequent “review [of] the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5.” As written, this “review” is done once. Many such reviews could now be years old. Given the evolving threats and changes to the geography around a facility, FERC must direct NERC to modify CIP-14-2 to require that such evaluations be done at least annually and include on-site inspections by qualified personnel.

The physical security plan for critical facilities should contain tangible security measures (or reasons they are not required) such as:

• CCTV
• Ballistic barriers
• Gunfire locators
• Fencing or barriers to obscure gunfire targets
• Overhead threat detection
• Overhead threat protection

Finally, physical security plans under Requirement R5 should be effective and the effectiveness must be part of the “review” under R6.[29] FERC should direct NERC to modify CIP-14-2 to modify the phrase in R5 to read: “develop and implement a documented and effective physical security plan(s)…” Further, FERC should direct NERC to modify CIP-14-2 to modify R6 to require that the “review” evaluate the effectiveness of the physical security plan developed under R5 and require on-site inspections by the “reviewer.” Finally, FERC should direct NERC to modify R6 to prohibit reciprocal “reviews” between Transmission Owners to avoid even the appearance of a conflict of interest in the process.

Loopholes in the present CIP-14-2 “Compliance Monitoring Process” make the standard ineffective.

As previously discussed, an effective CIP-14-2 which protects the bulk power system, and thus the 16 critical infrastructures, is of paramount importance to the national security of the United States. As noted in my Complaint, CIP-14-2 has been cited only 4 times since it became effective.[30]

If the reason that the standard hasn’t been cited more often is because every Transmission Owner has a three-ring binder labeled “Physical Security” for the few assets that actually fall under the standard, that is one problem – the standard itself is inadequate.

The enforcement of the standard is another problem. It is important to recall that the electric industry did not want this standard. NERC itself opposed a physical Security Standard; then NERC CEO Gerry Cauley stated in a Senate Hearing:

I do not believe it makes sense to move to mandatory standards at this time. There are more than 55,000 substations of 100 kV or higher across North America, and not all those assets can be 100% protected against all threats. I am concerned that a rule-based approach for physical security would not provide the flexibility needed to deal with the widely varying risk profiles and circumstances across the North American grid and would instead create unnecessary and inefficient regulatory burdens and compliance obligations. [31]

FERC, under immense pressure from Congress, directed NERC to develop a standard anyway. So, the industry went to work writing the physical security standard it didn’t want. We shouldn’t be surprised at the result – if you force a person, organization or industry to do something they don’t want to do, expecting them to rip into the task with zeal is probably a stretch. NERC submitted their proposed standard (known as CIP-014-1[32]) on May 23, 2014.

FERC issued an order on November 20, 2014[33] literally ordering NERC to change one word. (The word was: “widespread” and was used 30 times in the proposed standard. This word—a slight of pen by NERC’s attorneys—would have excluded many more facilities from falling under the standard.)

On October 2, 2015, FERC approved the “Physical Security” standard, known as CIP-014-2.

What we know is that according to the Department of Energy OE-417 Electric Emergency Incident and Disturbance Reports there have been 245 physical attacks against the electric grid since the standard became effective.[34] And we know that there have been only 4 citations for violations of the physical security standard.

It does not appear that NERC even wishes to enforce this lame standard. Gerry Cauley’s voice may still echo in the hallways of NERC.

FERC must direct NERC to not only develop a standard that provides adequate protection to the bulk power system from physical attacks – specifically the all too real threat of a coordinated attack against multiple facilities – but also to enforce it. NERC shouldn’t be simply checking for the for the presence of a three-ring binder – it should be ensuring effective physical security for the bulk power system.

The CIP-14-2 (or successor) standard must be monitored and audited by teams with physical security expertise. NERC and the Regional Entities must employ or contract such experts if they do not already have them. Audits should include on-site visits to covered facilities and must evaluate the effectiveness of physical security plans – not just the existence of a three-ring binder.

Red Teams and Force-on-Force exercises should be regularly conducted so that all Transmission Owners gain this valuable experience and sense of urgency. Getting grid physical security right is a matter of national security.

NERC has just been recertified as the “Electric Reliability Organization” (ERO).[35] NERC’s action (or inaction) on the physical security of the bulk power system must be closely monitored by FERC and Congress. What has happened between the date CIP-14-2 became effective and now is unacceptable.

In sum, this present almost voluntary hollow standard must be substantially improved to become truly mandatory and must ensure adequate protection of one of the nation’s most valuable – and most vulnerable – assets. The bulk power system.

Conclusion and Recommendations

Publicly available information indicates that: 1) the mandatory physical security standard is inadequate, and 2) enforcement of mandatory physical security standard seems nonexistent. In my Complaint, I recommended that FERC take the following actions:

3. FERC should direct NERC to modify CIP-014-2 (Physical Security) to require that the entity’s “Physical Security Plan” be effective and receive regulatory approval. The standard should specify that all “risk assessments” “evaluations” and “security plans” should be reviewed by qualified non-affiliated persons with expertise in physical security.
4. FERC should direct NERC to submit to the Commission for approval a compliance and enforcement plan for physical security that would provide meaningful assurances that the regulators and regulated entities are taking seriously their obligations to protect the bulk power system from physical threats.
5. FERC (in collaboration with DOE, DHS, DOD, and the National Guard) should “Red Team” entities in order to evaluate weaknesses and determine whether their physical security (and cybersecurity) programs are effective. FERC should work with state PUCs to ensure like actions at the state-level.

In the preceding pages, I provided additional specific section-by-section recommendations which all relate back to my original recommendations.

FERC finds itself as the only federal government agency in a position to protect the 16 critical infrastructures and the American people from a dire threat of a coordinated attack on the bulk power system. FERC’s actions now could avert a catastrophe. FERC’s inaction could enable it.

Respectfully submitted,

Michael Mabee

CC:

U.S. Department of Homeland Security
U.S. Department of Defense
U.S. Senate Committee on Energy and Natural Resources
U.S. House Committee on Energy and Commerce

Exhibit A (OE-417 Physical Attacks)

Exhibit B (5-minute Google Maps “reconnaissance” of part of the grid)

Click HERE for PDF copy of entire filing

Motions To Intervene

• Click HERE for Motion to Intervene by Louisiana Public Service Commission
• Click HERE for Motion to Intervene by Fred A. Reitman
• Click HERE for Motion to Intervene by Dayton Power and Light Company
• Click HERE for Motion to Intervene by Public Citizen, Inc.
• Click HERE for Motion to Intervene by Former CIA Director R. James Woolsey
• Click HERE for Motion to Intervene by New Hampshire Representative David Testerman

And, of course, the Industry says no further physical security is needed:

• Click HERE for Motion to Intervene by NERC

[1] Presidential Policy Directive 21 (PPD-21) – Critical Infrastructure Security and Resilience. February 12, 2013. http://bit.ly/2NUr04k (accessed February 16, 2020).

[2] Smith, Rebecca. The Wall Street Journal. “Assault on California Power Station Raises Alarm on Potential for Terrorism.” February 5, 2014. https://www.wsj.com/articles/assault-on-california-power-station-raises-alarm-on-potential-for-terrorism-1391570879 (accessed February 16, 2020).

[3] Pentland, William. Forbes. Weekend Attacks on Arkansas’ Electric Grid Leave 10,000 Without Power; ‘YOU SHOULD HAVE EXPECTED U.S.’ Oct 7, 2013. https://www.forbes.com/sites/williampentland/2013/10/07/weekend-attacks-on-arkansas-electric-grid-leave-10000-without-power-you-should-have-expected-u-s/ (accessed February 16, 2020); Pentland, William. Forbes. Vandals Attack Electric Grid In Arkansas. Sep 26, 2013. https://www.forbes.com/sites/williampentland/2013/09/26/terrorists-attack-electric-grid-in-arkansas/#35a862fd35ef (accessed February 16, 2020); FBI: Attacks on Arkansas Power Grid – Perpetrator Sentenced to 15 Years. August 10, 2015. https://www.fbi.gov/news/stories/attacks-on-arkansas-power-grid (accessed February 16, 2020).

[4] Holstege, Sean. The Republic. Sabotage at Nogales station puts focus on threats to grid. June 12, 2014. https://www.azcentral.com/story/news/arizona/2014/06/12/sabotage-nogales-station-puts-focus-threats-grid/10408053/ (accessed February 16, 2020); Sobczak, Blake and Behr, Peter. E&E News. ‘Crude’ bomb at Ariz. substation stokes broader security concerns. June 13, 2014. https://www.eenews.net/stories/1060001267 (accessed February 16, 2020).

[5] Freeman, Alan. The Washington Post. Pilot to be sentenced in sabotage that crippled Quebec power grid. November 2, 2018. https://www.washingtonpost.com/world/2018/11/02/pilot-be-sentenced-sabotage-that-crippled-quebec-power-grid/ (accessed February 16, 2020);

Behr, Peter. E&E News. Outage on Quebec power grid traced to airborne attacker. June 17, 2015. https://www.eenews.net/stories/1060020352 (accessed February 16, 2020).

[6] Wald, Matthew L. The New York Times. “California Power Substation Attacked in 2013 Is Struck Again.” August 28, 2014. https://www.nytimes.com/2014/08/29/us/california-power-substation-attacked-in-2013-is-hit-again.html (accessed February 16, 2020).

[7] NBC Bay Area “Internal Memo: PG&E Years Away from Substation Security.” May 15, 2015 https://www.nbcbayarea.com/on-air/as-seen-on/internal-memo_-pg_e-years-away-from-substation-security_bay-area/69201/ (accessed January 29, 2020).

[8] History Channel. Tet Offensive. October 29, 2009. https://www.history.com/topics/vietnam-war/tet-offensive (accessed February 16, 2020).

[9] The National Commission on Terrorist Attacks Upon the United States. “The 9/11 Commission Report.” July 22, 2004. http://bit.ly/3bjibKW (accessed February 16, 2020).

[10] Reid, David. CNBC. Saudi Aramco reveals attack damage at oil production plants. September 20, 2019. https://www.cnbc.com/2019/09/20/oil-drone-attack-damage-revealed-at-saudi-aramco-facility.html (accessed February 16, 2020).

[11] Reuters. U.S. blames Iran for Saudi oil attack, Trump says ‘locked and loaded.’ September 15, 2019. https://www.reuters.com/article/us-saudi-aramco-attacks/u-s-blames-iran-for-saudi-oil-attack-trump-says-locked-and-loaded-idUSKBN1W00SA (accessed February 16, 2020).

[12] Rassler, Don. United States Military Academy. The Islamic State and Drones: Supply, Scale and Future Threats. https://ctc.usma.edu/app/uploads/2018/07/Islamic-State-and-Drones-Release-Version.pdf (accessed February 16, 2020).

[13] See: King, Llewellyn. InsideSources. “Drones Pose a New, Deadly Threat to Energy Infrastructure.” September 20, 2019. https://www.insidesources.com/drones-pose-a-new-deadly-threat-to-energy-infrastructure/ (accessed February 17, 2020); Bean, Tim. PowerGrid International. “Energy Industry also Faces Threats from Drones.” October 9, 2018. https://www.power-grid.com/2018/10/09/energy-industry-also-faces-threats-from-drones/#gref (accessed February 17, 2020); Sobczak, Blake. E&E News. “Feds to energy companies: Beware drones made in China.” May 21, 2019. https://www.eenews.net/stories/1060369689 (accessed February 17, 2020).

[14] CIP-14-2 “Guidelines and Technical Basis,” page 22.

[15] Standard Drafting Team.

[16] CIP-14-2 “Guidelines and Technical Basis,” page 23.

[17] Order Denying Rehearing in Docket RM14-15-001. Page 4 (April 23, 2015).

[18] Order Denying Rehearing in Docket RM14-15-001. Page 5 (April 23, 2015).

[19] U.S. Department of Energy “Large Power Transformers and the U.S. Electric Grid.” June 2012. https://www.energy.gov/sites/prod/files/Large Power Transformer Study – June 2012_0.pdf (accessed January 29, 2020).

[20] See: https://securethegrid.com/oe-417-database/ (accessed February 16, 2020).

[21] See: https://securethegrid.com/oe-417-database/ (accessed February 16, 2020).

[22] Testimony of FERC Chairman Cheryl LaFleur, to U.S. Senate Energy Committee in a letter dated June 4, 2014. https://www.energy.senate.gov/public/index.cfm/files/serve?File_id=86e83c32-636a-40b6-8e5d-c072f2f95a8c (accessed February 16, 2020). Full April 10, 2014 hearing is available at https://www.govinfo.gov/content/pkg/CHRG-113shrg87851/pdf/CHRG-113shrg87851.pdf (accessed February 16, 2020).

[23] See: https://securethegrid.com/oe-417-database/ (accessed February 16, 2020).

[24] See: https://securethegrid.com/oe-417-database/ (accessed February 16, 2020).

[25] CIP-14-2 Guidelines and Technical Basis. Page 22.

[26] CIP-14-2 Guidelines and Technical Basis. Page 22.

[27] Order Denying Rehearing in Docket RM14-15-001. Page 4 (April 23, 2015).

[28] While the Guidelines and Technical basis has suggestions on resources to consult, they are merely suggestions, not requirements.

[29] “Red Teams” are one way to test the effectiveness of physical security plans and find additional vulnerabilities that may need attention.

[30] FERC Docket Numbers: NP19-4-000; NP18-14-000 and NP17-29-000 (2 violations).

[31] Senate Hearing: Keeping the Lights On—Are We Doing Enough to Ensure The Reliability and Security of the U.S. Electric Grid? April 10, 2014. https://www.govinfo.gov/content/pkg/CHRG-113shrg87851/pdf/CHRG-113shrg87851.pdf Page 137. (accessed February 16, 2020).

[32] Available at: https://www.nerc.com/pa/Stand/Reliability Standards/CIP-014-1.pdf (accessed February 16, 2020).

[33] Available at: https://www.ferc.gov/whats-new/comm-meet/2014/112014/E-4.pdf (accessed February 16, 2020).

[34] To the extent that anybody wishes to argue that some of these incidents were “mere vandalism,” this is hardly comforting. If a couple of 13-year-olds can break in and damage equipment, it does not bode well for our protective posture against terrorists.

[35] 170 FERC ¶ 61,029 “Order on Five-Year Performance Assessment.” January 23, 2020.