CIP-014-2: Physical Security

Purpose

To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.

Applicability

4.1. Functional Entities:

4.1.1 Transmission Owner that owns a Transmission station or Transmission substation that meets any of the following criteria:

4.1.1.1 Transmission Facilities operated at 500 kV or higher. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility.

4.1.1.2 Transmission Facilities that are operating between 200 kV and 499 kV at a single station or substation, where the station or substation is connected at 200 kV or higher voltages to three or more other Transmission stations or substations and has an “aggregate weighted value” exceeding 3000 according to the table below. The “aggregate weighted value” for a single station or substation is determined by summing the “weight value per line” shown in the table below for each incoming and each outgoing BES Transmission Line that is connected to another Transmission station or substation. For the purpose of this criterion, the collector bus for a generation plant is not considered a Transmission Facility, but is part of the generation interconnection Facility.

Voltage Value of a Line              Weight Value per Line
less than 200 kV (not applicable)    (not applicable)
200 kV to 299 kV                     700
300 kV to 499 kV                     1300
500 kV and above                     0

4.1.1.3 Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.

4.1.1.4 Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements.

4.1.2 Transmission Operator.

Exemption: Facilities in a “protected area,” as defined in 10 C.F.R. § 73.2, within the scope of a security plan approved or accepted by the Nuclear Regulatory Commission are not subject to this Standard; or, Facilities within the scope of a security plan approved or accepted by the Canadian Nuclear Safety Commission are not subject to this Standard.
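The screening arithmetic in Applicability Sections 4.1.1.1 and 4.1.1.2 can be expressed in code, as in the following added illustration, which is not part of the standard. The station names and line inventory are constructed; a station's operating voltages are inferred from its connected lines, and designations under 4.1.1.3 and 4.1.1.4 are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Line:
    kv: float                      # nominal operating voltage of the line
    remote_station: Optional[str]  # None: line does not terminate at another
                                   # Transmission station or substation
                                   # (e.g. a generation plant collector bus)


def weight_for_line(kv: float) -> int:
    """Weight value per line, from the table in Section 4.1.1.2."""
    if kv < 200:
        return 0      # "not applicable": contributes nothing to the sum
    if kv < 300:
        return 700    # 200 kV to 299 kV
    if kv < 500:
        return 1300   # 300 kV to 499 kV
    return 0          # 500 kV and above


def aggregate_weighted_value(lines: List[Line]) -> int:
    """Sum weights over lines connected to another Transmission station."""
    return sum(weight_for_line(l.kv) for l in lines if l.remote_station is not None)


def other_stations_at_200kv_plus(lines: List[Line]) -> Set[str]:
    """Distinct other stations reached at 200 kV or higher."""
    return {l.remote_station for l in lines
            if l.remote_station is not None and l.kv >= 200}


def screen(lines: List[Line]) -> Optional[str]:
    """Return the matching criterion ("4.1.1.1" or "4.1.1.2") or None."""
    bes = [l for l in lines if l.remote_station is not None]
    if any(l.kv >= 500 for l in bes):
        return "4.1.1.1"
    operates_200_499 = any(200 <= l.kv < 500 for l in bes)
    if (operates_200_499
            and len(other_stations_at_200kv_plus(bes)) >= 3
            and aggregate_weighted_value(bes) > 3000):   # "exceeding 3000"
        return "4.1.1.2"
    return None


# Constructed inventory (hypothetical station names and topology).
INVENTORY: Dict[str, List[Line]] = {
    # Three 345 kV lines to three stations: 3 x 1300 = 3900 -> in scope.
    "Alpha": [Line(345, "S1"), Line(345, "S2"), Line(345, "S3")],
    # Four 230 kV lines to four stations: 4 x 700 = 2800 -> below threshold.
    "Bravo": [Line(230, "S1"), Line(230, "S2"), Line(230, "S3"), Line(230, "S4")],
    # 3900 in weight, but a double circuit means only two other stations.
    "Charlie": [Line(345, "S1"), Line(345, "S1"), Line(345, "S2")],
    # The 345 kV tie to a collector bus and the 138 kV line add no weight.
    "Delta": [Line(230, "S1"), Line(230, "S2"), Line(230, "S3"), Line(230, "S4"),
              Line(345, None), Line(138, "S9")],
    # Any 500 kV facility is captured directly by 4.1.1.1.
    "Echo": [Line(500, "S1"), Line(230, "S2")],
}


def screen_inventory(inventory: Dict[str, List[Line]]) -> Dict[str, Optional[str]]:
    return {name: screen(lines) for name, lines in inventory.items()}


if __name__ == "__main__":
    for name, criterion in screen_inventory(INVENTORY).items():
        lines = INVENTORY[name]
        print(f"{name}: weight={aggregate_weighted_value(lines)}, "
              f"stations={len(other_stations_at_200kv_plus(lines))}, "
              f"criterion={criterion}")
```

A station returned by this screen is only a candidate for the Requirement R1 risk assessment; the screen does not decide whether the station is critical.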

Effective Dates:

See Implementation Plan for CIP-014-2.

Background:

This Reliability Standard addresses the directives from the FERC order issued March 7, 2014, Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014), which required NERC to develop a physical security reliability standard(s) to identify and protect facilities that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.

Requirements and Measures

R1. Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection. [VRF: High; Time-Horizon: Long-term Planning]

1.1. Subsequent risk assessments shall be performed:

  • At least once every 30 calendar months for a Transmission Owner that has identified in its previous risk assessment (as verified according to Requirement R2) one or more Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection; or
  • At least once every 60 calendar months for a Transmission Owner that has not identified in its previous risk assessment (as verified according to Requirement R2) any Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.

1.2. The Transmission Owner shall identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment.

M1. Examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation of the risk assessment of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria in Applicability Section 4.1.1 as specified in Requirement R1. Additionally, examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation of the identification of the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment as specified in Requirement R1, Part 1.2.

R2. Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirement R1. The verification may occur concurrent with or after the risk assessment performed under Requirement R1. [VRF: Medium; Time-Horizon: Long-term Planning]

2.1. Each Transmission Owner shall select an unaffiliated verifying entity that is  either:

2.2. The unaffiliated third party verification shall verify the Transmission Owner’s risk assessment performed under Requirement R1, which may include recommendations for the addition or deletion of a Transmission station(s) or Transmission substation(s). The Transmission Owner shall ensure the verification is completed within 90 calendar days following the completion of the Requirement R1 risk assessment.

2.3. If the unaffiliated verifying entity recommends that the Transmission Owner add a Transmission station(s) or Transmission substation(s) to, or remove a Transmission station(s) or Transmission substation(s) from, its identification under Requirement R1, the Transmission Owner shall either, within 60 calendar days of completion of the verification, for each recommended addition or removal of a Transmission station or Transmission substation:

  • Modify its identification under Requirement R1 consistent with the recommendation; or
  • Document the technical basis for not modifying the identification in accordance with the recommendation.

2.4. Each Transmission Owner shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.

M2. Examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation that the Transmission Owner completed an unaffiliated third party verification of the Requirement R1 risk assessment and satisfied all of the applicable provisions of Requirement R2, including, if applicable, documenting the technical basis for not modifying the Requirement R1 identification as specified under Part 2.3. Additionally, examples of evidence may include, but are not limited to, written or electronic documentation of procedures to protect information under Part 2.4.

R3. For a primary control center(s) identified by the Transmission Owner according to Requirement R1, Part 1.2 that a) operationally controls an identified Transmission station or Transmission substation verified according to Requirement R2, and b) is not under the operational control of the Transmission Owner: the Transmission Owner shall, within seven calendar days following completion of Requirement R2, notify the Transmission Operator that has operational control of the primary control center of such identification and the date of completion of Requirement R2. [VRF: Lower; Time-Horizon: Long-term Planning]

3.1. If a Transmission station or Transmission substation previously identified under Requirement R1 and verified according to Requirement R2 is removed from the identification during a subsequent risk assessment performed according to Requirement R1 or a verification according to Requirement R2, then the Transmission Owner shall, within seven calendar days following the verification or the subsequent risk assessment, notify the Transmission Operator that has operational control of the primary control center of the removal.

M3. Examples of acceptable evidence may include, but are not limited to, dated written or electronic notifications or communications that the Transmission Owner notified each Transmission Operator, as applicable, according to Requirement R3.

R4. Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified in Requirement R1 and verified according to Requirement R2. The evaluation shall consider the following: [VRF: Medium; Time-Horizon: Operations Planning, Long-term Planning]

4.1. Unique characteristics of the identified and verified Transmission station(s), Transmission substation(s), and primary control center(s);

4.2. Prior history of attack on similar facilities taking into account the frequency, geographic proximity, and severity of past physical security related events; and

4.3. Intelligence or threat warnings received from sources such as law enforcement, the Electric Reliability Organization (ERO), the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), U.S. federal and/or Canadian governmental agencies, or their successors.

M4. Examples of evidence may include, but are not limited to, dated written or electronic documentation that the Transmission Owner or Transmission Operator conducted an evaluation of the potential threats and vulnerabilities of a physical attack to their respective Transmission station(s), Transmission substation(s) and primary control center(s) as specified in Requirement R4.

R5. Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall develop and implement a documented physical security plan(s) that covers their respective Transmission station(s), Transmission substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120 calendar days following the completion of Requirement R2 and executed according to the timeline specified in the physical security plan(s). The physical security plan(s) shall include the following attributes: [VRF: High; Time-Horizon: Long-term Planning]

5.1. Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.

5.2. Law enforcement contact and coordination information.

5.3. A timeline for executing the physical security enhancements and modifications specified in the physical security plan.

5.4. Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s).

M5. Examples of evidence may include, but are not limited to, dated written or electronic documentation of its physical security plan(s) that covers their respective identified and verified Transmission station(s), Transmission substation(s), and primary control center(s) as specified in Requirement R5, and additional evidence demonstrating execution of the physical security plan according to the timeline specified in the physical security plan.

R6. Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center in Requirement R1 and verified according to Requirement R2, and each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5. The review may occur concurrently with or after completion of the evaluation performed under Requirement R4 and the security plan development under Requirement R5. [VRF: Medium; Time-Horizon: Long-term Planning]

6.1. Each Transmission Owner and Transmission Operator shall select an unaffiliated third party reviewer from the following:

  • An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.
  • An entity or organization approved by the ERO.
  • A governmental agency with physical security expertise.
  • An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

6.2. The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5.

6.3. If the unaffiliated third party reviewer recommends changes to the evaluation performed under Requirement R4 or security plan(s) developed under Requirement R5, the Transmission Owner or Transmission Operator shall, within 60 calendar days of the completion of the unaffiliated third party review, for each recommendation:

  • Modify its evaluation or security plan(s) consistent with the recommendation; or
  • Document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.

6.4. Each Transmission Owner and Transmission Operator shall implement procedures, such as the use of non-disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party reviewer and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.

M6. Examples of evidence may include, but are not limited to, written or electronic documentation that the Transmission Owner or Transmission Operator had an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5 as specified in Requirement R6 including, if applicable, documenting the reasons for not modifying the evaluation or security plan(s) in accordance with a recommendation under Part 6.3. Additionally, examples of evidence may include, but are not limited to, written or electronic documentation of procedures to protect information under Part 6.4.

Compliance

Compliance Monitoring Process:

1.1. Compliance Enforcement Authority

As defined in the NERC Rules of Procedure, “Compliance Enforcement Authority” (CEA) means NERC or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.

1.2. Evidence Retention

The following evidence retention periods identify the period of time an entity is required to retain specific evidence to demonstrate compliance. For instances where the evidence retention period specified below is shorter than the time since the last audit, the CEA may ask an entity to provide other evidence during an on-site visit to show that it was compliant for the full time period since the last audit.

The Transmission Owner and Transmission Operator shall keep data or evidence to show compliance, as identified below, unless directed by its Compliance Enforcement Authority (CEA) to retain specific evidence for a longer period of time as part of an investigation.

The responsible entities shall retain documentation as evidence for three years.

If a Responsible Entity is found non-compliant, it shall keep information related to the non-compliance until mitigation is complete and approved, or for the time specified above, whichever is longer.

The CEA shall keep the last audit records and all requested and submitted subsequent audit records, subject to the confidentiality provisions of Section 1500 of the Rules of Procedure and the provisions of Section 1.4 below.

1.3. Compliance Monitoring and Assessment Processes:

Compliance Audits

Self-Certifications

Spot Checking

Compliance Violation Investigations

Self-Reporting

Complaints

1.4. Additional Compliance Information

Confidentiality: To protect the confidentiality and sensitive nature of the evidence for demonstrating compliance with this standard, all evidence will be retained at the Transmission Owner’s and Transmission Operator’s facilities.

Guidelines and Technical Basis

Section 4 Applicability

The purpose of Reliability Standard CIP-014 is to protect Transmission stations and Transmission substations, and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection. To properly include those entities that own or operate such Facilities, the Reliability Standard CIP-014 first applies to Transmission Owners that own Transmission Facilities that meet the specific criteria in Applicability Section 4.1.1.1 through 4.1.1.4. The Facilities described in Applicability Section 4.1.1.1 through 4.1.1.4 mirror those Transmission Facilities that meet the bright line criteria for “Medium Impact” Transmission Facilities under Attachment 1 of Reliability Standard CIP-002-5.1. Each Transmission Owner that owns Transmission Facilities that meet the criteria in Section 4.1.1.1 through 4.1.1.4 is required to perform a risk assessment as specified in Requirement R1 to identify its Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection. The Standard Drafting Team (SDT) expects this population will be small and that many Transmission Owners that meet the applicability of this standard will not actually identify any such Facilities. Only those Transmission Owners with Transmission stations or Transmission substations identified in the risk assessment (and verified under Requirement R2) have performance obligations under Requirements R3 through R6.

This standard also applies to Transmission Operators. A Transmission Operator’s obligations under the standard, however, are only triggered if the Transmission Operator is notified by an applicable Transmission Owner under Requirement R3 that the Transmission Operator operates a primary control center that operationally controls a Transmission station(s) or Transmission substation(s) identified in the Requirement R1 risk assessment. A primary control center operationally controls a Transmission station or Transmission substation when the control center’s electronic actions can cause direct physical action at the identified Transmission station or Transmission substation, such as opening a breaker, as opposed to a control center that only has information from the Transmission station or Transmission substation and must coordinate direct action through another entity. Only Transmission Operators who are notified that they have primary control centers under this standard have performance obligations under Requirements R4 through R6. In other words, primary control center for purposes of this Standard is the control center that the Transmission Owner or Transmission Operator, respectively, uses as its primary, permanently-manned site to physically operate a Transmission station or Transmission substation that is identified in Requirement R1 and verified in Requirement R2. Control centers that provide back-up capability are not applicable, as they are a form of resiliency and intentionally redundant.

The SDT considered several options for bright line criteria that could be used to determine applicability and provide an initial threshold that defines the set of Transmission stations and Transmission substations that would meet the directives of the FERC order on physical security (i.e., those that could cause instability, uncontrolled separation, or Cascading within an Interconnection). The SDT determined that using the criteria for Medium Impact Transmission Facilities in Attachment 1 of CIP-002-5.1 would provide a conservative threshold for defining which Transmission stations and Transmission substations must be included in the risk assessment in Requirement R1 of CIP-014. Additionally, the SDT concluded that using the CIP-002-5.1 Medium Impact criteria was appropriate because it has been approved by stakeholders, NERC, and FERC, and its use provides a technically sound basis to determine which Transmission Owners should conduct the risk assessment. As described in CIP-002-5.1, the failure of a Transmission station or Transmission substation that meets the Medium Impact criteria could have the capability to result in exceeding one or more Interconnection Reliability Operating Limits (IROLs). The SDT understands that using this bright line criteria to determine applicability may require some Transmission Owners to perform risk assessments under Requirement R1 that will result in a finding that none of their Transmission stations or Transmission substations would pose a risk of instability, uncontrolled separation, or Cascading within an Interconnection. However, the SDT determined that higher bright lines could not be technically justified to ensure inclusion of all Transmission stations and Transmission substations, and their associated primary control centers that, if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection. Further guidance and technical basis for the bright line criteria for Medium Impact Facilities can be found in the Guidelines and Technical Basis section of CIP-002-5.1.

Additionally, the SDT determined that it was not necessary to include Generator Operators and Generator Owners in the Reliability Standard. First, Transmission stations or Transmission substations interconnecting generation facilities are considered when determining applicability. Transmission Owners will consider those Transmission stations and Transmission substations that include a Transmission station on the high side of the Generator Step-up transformer (GSU) using Applicability Section 4.1.1.1 and 4.1.1.2. As an example, a Transmission station or Transmission substation identified as a Transmission Owner facility that interconnects generation will be subject to the Requirement R1 risk assessment if it operates at 500 kV or greater or if it is connected at 200 kV-499 kV to three or more other Transmission stations or Transmission substations and has an “aggregate weighted value” exceeding 3000 according to the table in Applicability Section 4.1.1.2. Second, the Transmission analysis or analyses conducted under Requirement R1 should take into account the impact of the loss of generation connected to applicable Transmission stations or Transmission substations. Additionally, the FERC order does not explicitly mention generation assets and is reasonably understood to focus on the most critical Transmission Facilities. The diagram below shows an example of a station.

Also, the SDT uses the phrase “Transmission stations or Transmission substations” to recognize the existence of both stations and substations. Many entities in industry consider a substation to be a location with physical borders (i.e. fence, wall, etc.) that contains at least an autotransformer. Locations also exist that do not contain autotransformers, and many entities in industry refer to those locations as stations (switching stations or switchyards). Therefore, the SDT chose to use both “station” and “substation” to refer to the locations where groups of Transmission Facilities exist.

On the issue of joint ownership, the SDT recognizes that this issue is not unique to CIP-014, and expects that the applicable Transmission Owners and Transmission Operators will develop memorandums of understanding, agreements, Coordinated Functional Registrations, or procedures, etc., to designate responsibilities under CIP-014 when joint ownership is at issue, which is similar to what many entities have completed for other Reliability Standards.

The language contained in the applicability section regarding the collector bus is directly copied from CIP-002-5.1, Attachment 1, and has no additional meaning within the CIP-014 standard.

Requirement R1

The initial risk assessment required under Requirement R1 must be completed on or before the effective date of the standard. Subsequent risk assessments are to be performed at least once every 30 or 60 months depending on the results of the previous risk assessment per Requirement R1, Part 1.1. In performing the risk assessment under Requirement R1, the Transmission Owner should first identify their population of Transmission stations and Transmission substations that meet the criteria contained in Applicability Section 4.1.1. Requirement R1 then requires the Transmission Owner to perform a risk assessment, consisting of a transmission analysis, to determine which of those Transmission stations and Transmission Substations if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection. The requirement is not to require identification of, and thus, not intended to bring within the scope of the standard a Transmission station or Transmission substation unless the applicable Transmission Owner determines through technical studies and analyses based on objective analysis, technical expertise, operating experience and experienced judgment that the loss of such facility would have a critical impact on the operation of the Interconnection in the event the asset is rendered inoperable or damaged. In the November 20, 2014 Order, FERC reiterated that “only an instability that has a “critical impact on the operation of the interconnection” warrants finding that the facility causing the instability is critical under Requirement R1.” The Transmission Owner may determine the criteria for critical impact by considering, among other criteria, any of the following:

  • Criteria or methodology used by Transmission Planners or Planning Coordinators in TPL-001-4, Requirement R6
  • NERC EOP-004-2 reporting criteria
  • Area or magnitude of potential impact

The standard does not mandate the specific analytical method for performing the risk assessment. The Transmission Owner has the discretion to choose the specific method that best suits its needs. As an example, an entity may perform a Power Flow analysis and stability analysis at a variety of load levels.

Performing Risk Assessments

The Transmission Owner has the discretion to select a transmission analysis method that fits its facts and system circumstances. To mandate a specific approach is not technically desirable and may lead to results that fail to adequately consider regional, topological, and system circumstances. The following guidance is only an example on how a Transmission Owner may perform a power flow and/or stability analysis to identify those Transmission stations and Transmission substations that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection. An entity could remove all lines, without regard to the voltage level, to a single Transmission station or Transmission substation and review the simulation results to assess system behavior to determine if Cascading of Transmission Facilities, uncontrolled separation, or voltage or frequency instability is likely to occur over a significant area of the Interconnection. Using engineering judgment, the Transmission Owner (possibly in consultation with regional planning or operation committees and/or ISO/RTO committee input) should develop criteria (e.g. imposing a fault near the removed Transmission station or Transmission substation) to identify a contingency or parameters that result in potential instability, uncontrolled separation, or Cascading within an Interconnection. Regional consultation on these matters is likely to be helpful and informative, given that the inputs for the risk assessment and the attributes of what constitutes instability, uncontrolled separation, or Cascading within an Interconnection will likely vary from region-to-region or from ISO-to-ISO based on topology, system characteristics, and system configurations. Criteria could also include post-contingency facilities loadings above a certain emergency rating or failure of a power flow case to converge. Available special protection systems (SPS), if any, could be applied to determine if the system experiences any additional instability which may result in uncontrolled separation. Example criteria may include:

(a) Thermal overloads beyond facility emergency ratings;

(b) Voltage deviation exceeding ±10%; or

(c) Cascading outage/voltage collapse; or

(d) Frequency below under-frequency load shed points

Periodicity

A Transmission Owner who identifies one or more Transmission stations or Transmission substations (as verified under Requirement R2) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection is required to conduct a risk assessment at least once every 30 months. This period ensures that the risk assessment remains current with projected conditions and configurations in the planned system. This risk assessment, as the initial assessment, must consider applicable planned Transmission stations and Transmission substations to be in service within 24 months. The 30 month timeframe aligns with the 24 month planned to be in service date because the Transmission Owner is provided the flexibility, depending on its planning cycle and the frequency in which it may plan to construct a new Transmission station or Transmission substation to more closely align these dates. The requirement is to conduct the risk assessment at least once every 30 months, so for a Transmission Owner that believes it is better to conduct a risk assessment once every 24 months, because of its planning cycle, it has the flexibility to do so.

Transmission  Owner s  that have not identified any Transmission stations or Transmission  substations  (as verified under Requirement R2)  that if rendered inoperable or damaged could  result in instability, uncontrolled separation, or Cascading within an Interconnection are  unlikely to see changes to their risk assessment in the Near – Term Planning Horizon.  Consequently, a 60 month periodicity for completing a subsequent risk assessment is specified.

Identification of Primary Control Centers

After completing the risk assessment specified in Requirement R1, it is important to additionally identify the primary control center that operationally controls each Transmission station or Transmission substation that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection. A primary control center “operationally controls” a Transmission station or Transmission substation when the control center’s electronic actions can cause direct physical actions at the identified Transmission station and Transmission substation, such as opening a breaker.

Requirement R2

This requirement specifies verification of the risk assessment performed under Requirement R1 by an entity other than the owner or operator of the Requirement R1 risk assessment. A verification of the risk assessment by an unaffiliated third party, as specified in Requirement R2, could consist of:

1. Certifying that the Requirement R1 risk assessment considers the Transmission stations and Transmission substations identified in Applicability Section 4.1.1.

2. Review of the model used to conduct the risk assessment to ensure it contains sufficient system topology to identify Transmission stations and Transmission substations that if rendered inoperable or damaged could cause instability, uncontrolled separation, or Cascading within an Interconnection.

3. Review of the Requirement R1 risk assessment methodology.

This requirement provides the flexibility for a Transmission Owner to select from unaffiliated registered and non-registered entities with transmission planning or analysis experience to perform the verification of the Requirement R1 risk assessment. The term unaffiliated means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying or third party reviewer cannot be an entity that corporately controls, is controlled by or is under common control with, the Transmission Owner). The verifying entity also cannot be a division of the Transmission Owner that operates as a functional unit.

The prohibition on registered entities using a corporate affiliate to conduct the verification, however, does not prohibit a governmental entity (e.g., a city, a municipality, a U.S. federal power marketing agency, or any other political subdivision of U.S. or Canadian federal, state, or provincial governments) from selecting as the verifying entity another governmental entity within the same political subdivision. For instance, a U.S. federal power marketing agency may select as its verifier another U.S. federal agency to conduct its verification so long as the selected entity has transmission planning or analysis experience. Similarly, a Transmission Owner owned by a Canadian province can use a separate agency of that province to perform the verification. The verifying entity, however, must still be a third party and cannot be a division of the registered entity that operates as a functional unit.

Requirement R2 also provides that the “verification may occur concurrent with or after the risk assessment performed under Requirement R1.” This provision is designed to provide the Transmission Owner the flexibility to work with the verifying entity throughout (i.e., concurrent with) the risk assessment, which for some Transmission Owners may be more efficient and effective. In other words, a Transmission Owner could collaborate with their unaffiliated verifying entity to perform the risk assessment under Requirement R1 such that both Requirement R1 and Requirement R2 are satisfied concurrently. The intent of Requirement R2 is to have an entity other than the owner or operator of the facility to be involved in the risk assessment process and have an opportunity to provide input. Accordingly, Requirement R2 is designed to allow entities the discretion to have a two-step process, where the Transmission Owner performs the risk assessment and subsequently has a third party review that assessment, or a one-step process, where the entity collaborates with a third party to perform the risk assessment.

Characteristics to consider in selecting a third party reviewer could include:

  • Registered Entity with applicable planning and reliability functions.
  • Experience in power system studies and planning.
  • The entity’s understanding of the MOD standards, TPL standards, and facility ratings as they pertain to planning studies.
  • The entity’s familiarity with the Interconnection within which the Transmission Owner is located.

With respect to the requirement that Transmission Owners develop and implement procedures for protecting confidential and sensitive information, the Transmission Owner could have a method for identifying documents that require confidential treatment. One mechanism for protecting confidential or sensitive information is to prohibit removal of sensitive or confidential information from the Transmission Owner’s site. Transmission Owners could include such a prohibition in a non-disclosure agreement with the verifying entity.

A technical feasibility study is not required in the Requirement R2 documentation of the technical basis for not modifying the identification in accordance with the recommendation.

On the issue of the difference between a verifier in Requirement R2 and a reviewer in Requirement R6, the SDT indicates that the verifier will confirm that the risk assessment was completed in accordance with Requirement R1, including the number of Transmission stations and substations identified, while the reviewer in Requirement R6 is providing expertise on the manner in which the evaluation of threats was conducted in accordance with Requirement R4, and the physical security plan in accordance with Requirement R5. In the latter situation there is no verification of a technical analysis, rather an application of experience and expertise to provide guidance or recommendations, if needed.

Parts 2.4 and 6.4 require the entities to have procedures to protect the confidentiality of sensitive or confidential information. Those procedures may include the following elements:

1. Control and retention of information on site for third party verifiers/reviewers.

2. Only “need to know” employees, etc., get the information.

3. Marking documents as confidential.

4. Securely storing and destroying information when no longer needed.

5. Not releasing information outside the entity without, for example, General Counsel sign-off.

Requirement R3

Some Transmission Operators will have obligations under this standard for certain primary control centers. Those obligations, however, are contingent upon a Transmission Owner first completing the risk assessment specified by Requirement R1 and the verification specified by Requirement R2. Requirement R3 is intended to ensure that a Transmission Operator that has operational control of a primary control center identified in Requirement R1 receives notice so that the Transmission Operator may fulfill the rest of the obligations required in Requirements R4 through R6. Since the timing obligations in Requirements R4 through R6 are based upon completion of Requirement R2, the Transmission Owner must also include within the notice the date of completion of Requirement R2. Similarly, the Transmission Owner must notify the Transmission Operator of any removals from identification that result from a subsequent risk assessment under Requirement R1 or as a result of the verification process under Requirement R2.

Requirement R4

This requirement requires owners and operators of facilities identified by the Requirement R1 risk assessment and that are verified under Requirement R2 to conduct an assessment of potential threats and vulnerabilities to those Transmission stations, Transmission substations, and primary control centers using a tailored evaluation process. Threats and vulnerabilities may vary from facility to facility based on any number of factors that include, but are not limited to, location, size, function, existing physical security protections, and attractiveness as a target.

In order to effectively conduct a threat and vulnerability assessment, the asset owner may be the best source to determine specific site vulnerabilities, but current and evolving threats may best be determined by others in the intelligence or law enforcement communities. A number of resources have been identified in the standard, but many others exist and asset owners are not limited to where they may turn for assistance. Additional resources may include state or local fusion centers, U.S. Department of Homeland Security, Federal Bureau of Investigations (FBI), Public Safety Canada, Royal Canadian Mounted Police, and InfraGard chapters coordinated by the FBI.

The Responsible Entity is required to take a number of factors into account in Parts 4.1 to 4.3 in order to make a risk-based evaluation under Requirement R4.

To assist in determining the current threat for a facility, the prior history of attacks on similarly protected facilities should be considered when assessing probability and likelihood of occurrence at the facility in question.

Resources that may be useful in conducting threat and vulnerability assessments include:

  • NERC Security Guideline for the Electricity Sector: Physical Security.
  • NERC Security Guideline: Physical Security Response.
  • ASIS International General Risk Assessment Guidelines.
  • ASIS International Facilities Physical Security Measure Guideline.
  • ASIS International Security Management Standard: Physical Asset Protection.
  • Whole Building Design Guide – Threat/Vulnerability Assessments.

Requirement R5

This requirement specifies development and implementation of a security plan(s) designed to protect against attacks to the facilities identified in Requirement R1 based on the assessment performed under Requirement R4.

Requirement R5 specifies the following attributes for the physical security plan:

  • Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.

Resiliency may include, among other things:

a. System topology changes,

b. Spare equipment,

c. Construction of a new Transmission station or Transmission substation.

While most security measures will work together to collectively harden the entire site, some may be allocated to protect specific critical components. For example, if protection from gunfire is considered necessary, the entity may only install ballistic protection for critical components, not the entire site.

  • Law enforcement contact and coordination information.

Examples of such information may be posting 9-1-1 for emergency calls and providing substation safety and familiarization training for local and federal law enforcement, fire department, and Emergency Medical Services.

  • A timeline for executing the physical security enhancements and modifications specified in the physical security plan.

Entities have the flexibility to prioritize the implementation of the various resiliency or security enhancements and modifications in their security plan according to risk, resources, or other factors. The requirement to include a timeline in the physical security plan for executing the actual physical security enhancements and modifications does not also require that the enhancements and modifications be completed within 120 days. The actual timeline may extend beyond the 120 days, depending on the amount of work to be completed.

  • Provisions to evaluate evolving physical threats, and their corresponding security measures, to the Transmission station(s), Transmission substation(s), or primary control center(s).

A registered entity’s physical security plan should include processes and responsibilities for obtaining and handling alerts, intelligence, and threat warnings from various sources. Some of these sources could include the ERO, ES-ISAC, and US and/or Canadian federal agencies. This information should be used to reevaluate or consider changes in the security plan and corresponding security measures of the security plan found in R5. Incremental changes made to the physical security plan prior to the next required third party review do not require additional third party reviews.

Requirement R6

This requirement specifies review by an entity other than the Transmission Owner or Transmission Operator with appropriate expertise for the evaluation performed according to Requirement R4 and the security plan(s) developed according to Requirement R5. As with Requirement R2, the term unaffiliated means that the selected third party reviewer cannot be a corporate affiliate (i.e., the third party reviewer cannot be an entity that corporately controls, is controlled by or is under common control with, the Transmission Operator). A third party reviewer also cannot be a division of the Transmission Operator that operates as a functional unit.

As noted in the guidance for Requirement R2, the prohibition on registered entities using a corporate affiliate to conduct the review, however, does not prohibit a governmental entity from selecting as the third party reviewer another governmental entity within the same political subdivision. For instance, a city or municipality may use its local enforcement agency, so long as the local law enforcement agency satisfies the criteria in Requirement R6. The third party reviewer, however, must still be a third party and cannot be a division of the registered entity that operates as a functional unit.

The Responsible Entity can select from several possible entities to perform the review:

  • An entity or organization with electric industry physical security experience and whose review staff has at least one member who holds either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification.
    • In selecting CPP and PSP for use in this standard, the SDT believed it was important that if a private entity such as a consulting or security firm was engaged to conduct the third party review, they must tangibly demonstrate competence to conduct the review. This includes electric industry physical security experience and either of the premier security industry certifications sponsored by ASIS International. The ASIS certification program was initiated in 1977, and those that hold the CPP certification are board certified in security management. Those that hold the PSP certification are board certified in physical security.
  • An entity or organization approved by the ERO.
  • A governmental agency with physical security expertise.
  • An entity or organization with demonstrated law enforcement, government, or military physical security expertise.

As with the verification under Requirement R2, Requirement R6 provides that the “review may occur concurrently with or after completion of the evaluation performed under Requirement R4 and the security plan development under Requirement R5.” This provision is designed to provide applicable Transmission Owners and Transmission Operators the flexibility to work with the third party reviewer throughout (i.e., concurrent with) the evaluation performed according to Requirement R4 and the security plan(s) developed according to Requirement R5, which for some Responsible Entities may be more efficient and effective. In other words, a Transmission Owner or Transmission Operator could collaborate with their unaffiliated third party reviewer to perform an evaluation of potential threats and vulnerabilities (Requirement R4) and develop a security plan (Requirement R5) to satisfy Requirements R4 through R6 simultaneously. The intent of Requirement R6 is to have an entity other than the owner or operator of the facility to be involved in the Requirement R4 evaluation and the development of the Requirement R5 security plans and have an opportunity to provide input on the evaluation and the security plan. Accordingly, Requirement R6 is designed to allow entities the discretion to have a two-step process, where the Transmission Owner performs the evaluation and develops the security plan itself and then has a third party review that assessment, or a one-step process, where the entity collaborates with a third party to perform the evaluation and develop the security plan.

Timeline

 

Rationale

During development of this standard, text boxes were embedded within the standard to explain the rationale for various parts of the standard. Upon BOT approval, the text from the rationale text boxes was moved to this section.

Rationale for Requirement R1:

This requirement meets the FERC directive from paragraph 6 of its March 7, 2014 order on physical security to perform a risk assessment to identify which facilities if rendered inoperable or damaged could impact an Interconnection through instability, uncontrolled separation, or cascading failures. The requirement is not intended to bring within the scope of the standard a Transmission station or Transmission substation unless the applicable Transmission Owner determines through technical studies and analyses based on objective analysis, technical expertise, operating experience and experienced judgment that the loss of such facility would have a critical impact on the operation of the Interconnection in the event the asset is rendered inoperable or damaged. In the November 20, 2014 Order, FERC reiterated that “only an instability that has a “critical impact on the operation of the interconnection” warrants finding that the facility causing the instability is critical under Requirement R1.” The Transmission Owner may determine the criteria for critical impact by considering, among other criteria, any of the following:

  • Criteria or methodology used by Transmission Planners or Planning Coordinators in TPL-001-4, Requirement R6
  • NERC EOP-004-2 reporting criteria
  • Area or magnitude of potential impact

Requirement R1 also meets the FERC directive for periodic reevaluation of the risk assessment by requiring the risk assessment to be performed every 30 months (or 60 months for an entity that has not identified in a previous risk assessment any Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection).

After identifying each Transmission station and Transmission substation that meets the criteria in Requirement R1, it is important to additionally identify the primary control center that operationally controls that Transmission station or Transmission substation (i.e., the control center whose electronic actions can cause direct physical actions at the identified Transmission station and Transmission substation, such as opening a breaker, compared to a control center that only has the ability to monitor the Transmission station and Transmission substation and, therefore, must coordinate direct physical action through another entity).

Rationale for Requirement R2:

This requirement meets the FERC directive from paragraph 11 in the order on physical security requiring verification by an entity other than the owner or operator of the risk assessment performed under Requirement R1.

This requirement provides the flexibility for a Transmission Owner to select registered and non-registered entities with transmission planning or analysis experience to perform the verification of the Requirement R1 risk assessment. The term “unaffiliated” means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that controls, is controlled by, or is under common control with, the Transmission Owner). The verifying entity also cannot be a division of the Transmission Owner that operates as a functional unit. The term “unaffiliated” is not intended to prohibit a governmental entity from using another government entity to be a verifier under Requirement R2.

Requirement R2 also provides the Transmission Owner the flexibility to work with the verifying entity throughout the Requirement R1 risk assessment, which for some Transmission Owners may be more efficient and effective. In other words, a Transmission Owner could coordinate with their unaffiliated verifying entity to perform a Requirement R1 risk assessment to satisfy both Requirement R1 and Requirement R2 concurrently.

Planning Coordinator is a functional entity listed in Part 2.1. The Planning Coordinator and Planning Authority are the same entity as shown in the NERC Glossary of Terms Used in NERC Reliability Standards.

Rationale for Requirement R3:

Some Transmission Operators will have obligations under this standard for certain primary control centers. Those obligations, however, are contingent upon a Transmission Owner first identifying which Transmission stations and Transmission substations meet the criteria specified by Requirement R1, as verified according to Requirement R2. This requirement is intended to ensure that a Transmission Operator that has operational control of a primary control center identified in Requirement R1, Part 1.2 of a Transmission station or Transmission substation verified according to Requirement R2 receives notice of such identification so that the Transmission Operator may timely fulfill its resulting obligations under Requirements R4 through R6. Since the timing obligations in Requirements R4 through R6 are based upon completion of Requirement R2, the Transmission Owner must also include notice of the date of completion of Requirement R2. Similarly, the Transmission Owner must notify the Transmission Operator of any removals from identification that result from a subsequent risk assessment under Requirement R1 or the verification process under Requirement R2.

Rationale for Requirement R4:

This requirement meets the FERC directive from paragraph 8 in the order on physical security that the reliability standard must require tailored evaluation of potential threats and vulnerabilities to facilities identified in Requirement R1 and verified according to Requirement R2. Threats and vulnerabilities may vary from facility to facility based on factors such as the facility’s location, size, function, existing protections, and attractiveness of the target. As such, the requirement does not mandate a one-size-fits-all approach but requires entities to account for the unique characteristics of their facilities.

Requirement R4 does not explicitly state when the evaluation of threats and vulnerabilities must occur or be completed. However, Requirement R5 requires that the entity’s security plan(s), which is dependent on the Requirement R4 evaluation, must be completed within 120 calendar days following completion of Requirement R2. Thus, an entity has the flexibility when to complete the Requirement R4 evaluation, provided that it is completed in time to comply with the requirement in Requirement R5 to develop a physical security plan 120 calendar days following completion of Requirement R2.

Rationale for Requirement R5:

This requirement meets the FERC directive from paragraph 9 in the order on physical security requiring the development and implementation of a security plan(s) designed to protect against attacks to the facilities identified in Requirement R1 based on the assessment performed under Requirement R4.

Rationale for Requirement R6:

This requirement meets the FERC directive from paragraph 11 in the order on physical security requiring review by an entity other than the owner or operator with appropriate expertise of the evaluation performed according to Requirement R4 and the security plan(s) developed according to Requirement R5.

As with the verification required by Requirement R2, Requirement R6 provides Transmission Owners and Transmission Operators the flexibility to work with the third party reviewer throughout the Requirement R4 evaluation and the development of the Requirement R5 security plan(s). This would allow entities to satisfy their obligations under Requirement R6 concurrent with the satisfaction of their obligations under Requirements R4 and R5.

