Electric Sector Protests Effective Grid Physical Security

Electric Sector Pushes Minimalistic Approach to Grid Physical Security

Despite all the evidence to the contrary, the electric sector would like you to believe that everything is just fine—no further physical security is needed for the electric grid.

By way of background, in 2014 the Federal Energy Regulatory Commission (FERC) ordered the grid’s self regulatory entity, the North American Electric Reliability Corporation (NERC) to draft the physical security standard. (You read that correctly: the electric sector writes is own standards—not the government.) This was the result of Congressional and media concern after spectacular physical attack against a PG&E transformer in Metcalf California in 2013 raising concerns about terrorism.

It is important to understand NERC and the electric sector did not want to write the standard—they were forced. Unfortunately, the resulting standard is weak and fraught with loopholes.

It is also important to note that there have been 245 physical attacks on the grid since the standard became effective.

What My Complaint Was About

After discovering some disturbing inadequacies in the physical security of the electric grid, I filed a complaint with the FERC on January 29, 2020. My complaint alleged that the mandatory physical security standard for the electric grid (CIP-14-2) was grossly inadequate and rarely enforced. I provided detailed analysis of the standard and evidence to support my allegations. FERC opened Docket Number EL20-21-000 on the complaint and invited public comments and intervention.

The first problem with the present physical security standard is that its “applicability” leaves unprotected large swaths of the critical components of the electric grid.

“The purpose of Reliability Standard CIP-014 is to protect Transmission stations and Transmission substations, and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.” (CIP-14-2 Guidelines and Technical Basis. Page 22.)

This means that the only facilities that are covered by the standard are those where the loss of that single facility alone could cause a cascading outage. So, very few facilities actually fall under the standard to begin with. No consideration is given to an attack on multiple facilities at once, such as a coordinated terrorist attack.

In fact, most facilities in the electric grid are not covered under the physical security standard at all. In other words, there are no physical security requirements for the majority of the electric grid including:

• Generation plants are not covered by the standard
• Transmission lines are not covered by the standard
• Most transformer stations and substations are not covered by the standard
• Some control facilities are not covered by the standard

Nobody looking objectively at a standard in which so few facilities are covered could argue that we have adequate physical security of the electric grid. And, in addition to the lack of covered facilities, there are other problems:

• Loopholes in the standard itself render the standard ineffective. Even the few entities that are covered can easily avoid having to do much.
• There is no requirement that any physical security plan for even the few covered facilities be effective or even be approved by somebody with physical security expertise.
• There is no requirement that threat assessments and physical security plans be updated.
• Entities are not required to consider coordinated physical attacks on several facilities.

Finally, since the physical security standard became effective, it has only been cited 4 times. It appears that the self regulated industry is refusing to self regulate.

My Complaint was supported by filings from Secure the Grid Coalition co-chair and former CIA Director R. James Woolsey, New Hampshire State Representative David Testerman, the City of Franklin New Hampshire, the Town of Mont Vernon New Hampshire, the Foundation for Resilient Societies, the Task Force on National and Homeland Security and several individuals. Clearly there is concern about the physical security of the electric grid.

Except within the electric sector…

Electric Sector Protests and Asks FERC to Dismiss Complaint

The electric sector submitted three substantive filings—all asking the FERC dismiss the complaint on technicalities and addressing very little on the merits of my complaint.

The three responses were by 1) NERC, 2) a combined response by the Edison Electric Institute (“EEI”)—whose members include the government of the People’s Republic of China—and the National Rural Electric Cooperative Association (“NRECA”), and 3) a combined response by American Public Power Association (“APPA”), the Large Public Power Council (“LPPC”), and Transmission Access Policy Study Group (“TAPS”). Basically, these trade groups represent the most of the electric utility industry.

These filings were chock full of conclusory statements such as: “The Complainant has failed to demonstrate that Reliability Standard CIP-014-2 is inadequate or is otherwise inconsistent with applicable statutory and regulatory law.” Obviously, I disagree and believe that my evidence and analysis trumps their conclusory statements.

What is most remarkable about the electric sector’s responses to the complaint are the allegations that they do not address.

• None of the electric sector’s filings addresses the 245 physical attacks against the grid since the standard became effective.
• All of the electric sector’s filings  basically say “we did what FERC told us to do in 2014” and therefore no further action is needed.
• Only one of the three makes any attempt to address the threat of coordinated attacks on multiple facilities, and that one argument does not even make sense.

For example, in one of the few instances where they make an attempt to rebut my allegations, the lawyers for the trade associations use creative writing, such as this one:

“While NERC was not required to address in the physical security Reliability Standards scenarios of simultaneous physical attacks involving multiple critical facilities, by protecting individual critical facilities, registered entities inherently and necessarily protect critical facilities against simultaneous attacks.” (EEI and NRECA at 5.)

Here is a slight of pen by the electric sector’s attorneys: the term “critical facilities” does not mean “critical facilities” as we would understand the term—it means the very few facilities covered by the physical security standard (even though most of what a reasonable person would deem “critical facilities” are not covered by the standard). So, what this paragraph actually means is that simultaneous attacks against only the very few covered “critical facilities” could purportedly be thwarted. All we have to do is depend on America’s enemies to target just the critical facilities covered by the standard and we’ll be safe. 

Can we expect terrorists to be so accommodating? If not, then the physical security standard will in no way, shape or form protect the electric grid from a coordinated simultaneous attack.

The ball is now in FERC’s court. We can only hope that FERC will do the right thing and direct improvements to the physical security standard and not bow to the pressure of the electric sector to do nothing.

Docket No. EL20-21-000 Filings

Complaint:

• Click HERE for Federal Register Notice of Complaint
  Click HERE for Federal Register Notice of Supplemental Complaint
• Click HERE for Formal Complaint of Michael Mabee in EL20-21-000
• Click HERE for Supplemental Complaint of Michael Mabee in EL20-21-000
• Click HERE for Motion of Michael Mabee for FERC to take Official Notice

Motions To Intervene

• Click HERE for Motion to Intervene of Louisiana Public Service Commission
• Click HERE for Motion to Intervene of Fred A. Reitman
• Click HERE for Doc-less Motion to Intervene of Dayton Power and Light Company
• Click HERE for Doc-less Motion to Intervene of Public Citizen, Inc.
• Click HERE for Motion to Intervene of Former CIA Director R. James Woolsey
• Click HERE for Motion to Intervene of New Hampshire Representative David Testerman
• Click HERE for Motion to Intervene of Joseph A Voglund 
• Click HERE for Motion to Intervene of the Town of Mont Vernon, New Hampshire
• Click HERE for Motion to Intervene of Task Force on National and Homeland Security
• Click HERE for Motion to Intervene of City of Franklin, NH Councilor Karen Testerman
• Click HERE for Doc-less Motion to Intervene of the Large Public Power Council
• Click HERE for Doc-less Motion to Intervene of American Electric Power Service Corporation
• Click HERE for Doc-less Motion to Intervene of the American Public Power Association
• Click HERE for Motion to Intervene of Timothy L Cimino
• Click HERE for Doc-less Motion to Intervene of Transmission Access Policy Study Group
• Click HERE for Doc-less Motion to Intervene of Georgia System Operations Corporation
• Click HERE for Motion to Intervene of the Foundation for Resilient Societies 

And, of course, the Electric Sector says no further physical security is needed:

• Click HERE for Motion to Intervene by NERC
• Click HERE for Motion to Intervene by Edison Electric Institute and the National Rural Electric Cooperative Association
• Click HERE for Protest of American Public Power Association, the Large Public Power Council, and Transmission Access Policy Study Group

(RED denotes electric sector filing)