PowerWorld & NERC Physical Security Station List

Back Story

• 16 April 2013 PG&E Metcalf station attacked
  – It WAS in the press!!! (contrary to what you might read or hear)
• FERC Chairman (former) Jon Wellinghoff
  – Championed the issue of physical security
  – He has powerful help:
    • Rep. Henry Waxman (D-Calif.)
    • Sen. Harry Reid (D-Nevada)
    • Sen. Dianne Feinstein (D-Calif.)
    • Sen. Ron Wyden (D-Oregon)

Recent WSJ Article…the Back Story

When seconds matter cops are only minutes away…

Security Briefing Industry Update – How Did We Get Here?

Attack Ideas Available on the Internet
1/15/2013

Attacks on Critical Infrastructure
Metcalf 4/16/2013
Arkansas 9/16/2013

“If someone decides to blast a transformer at its base as prepper Bryan Smith did, and the oil drains out, then the transformer either burns out catastrophically, or if the utility is lucky, a software routine notices the problem and shuts the substation (or at least the affected portion) down” (http://www.bob-owens.com/2013/01/shock-the-system/)

Security Briefing Industry Update – How Did We Get Here?

Press Reports Fan The Flames… and Politics in Action…

The Standard (CIP-014-01)

• Identify Stations on the “List”
  – All 500 kV stations
  – 200 kV to 499 kV with 3 or more lines and where the summed aggregate of the lines exceeds 3000 (see table for weights):

Voltage Value of a Line              Weight Value per Line
less than 200 kV (not applicable)    (not applicable)
200 kV to 299 kV                     700
300 kV to 499 kV                     1300
500 kV and above                     0
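The screening rule on this slide, applied to a station inventory; this is an added example, not part of the original presentation or of the standard's text. The `Station` fields, the station labels and the inventory are constructed, and counting only lines at 200 kV or above toward the "3 or more lines" test is an assumption about how the slide's summary is meant.

```python
from dataclasses import dataclass

THRESHOLD = 3000  # the summed line weights must exceed this value

def line_weight(kv):
    """Weight per line from the slide's table; None means not applicable."""
    if kv < 200:
        return None
    if kv < 300:
        return 700
    if kv < 500:
        return 1300
    return 0  # 500 kV and above carries weight 0 in the table

@dataclass
class Station:
    name: str          # constructed label, not a real facility
    station_kv: float  # highest operating voltage at the station (assumed field)
    line_kv: list      # nominal voltage of each connected line (assumed field)

def screen(station):
    """Return (on_list, aggregate_weight, reason) for one station."""
    # Assumption: only lines at 200 kV or above count toward "3 or more lines".
    weights = [w for w in map(line_weight, station.line_kv) if w is not None]
    aggregate = sum(weights)
    if station.station_kv >= 500:
        return True, aggregate, "500 kV station"
    if station.station_kv < 200:
        return False, aggregate, "below 200 kV, not applicable"
    if len(weights) < 3:
        return False, aggregate, "fewer than 3 lines at 200 kV or above"
    if aggregate > THRESHOLD:
        return True, aggregate, "aggregate weight exceeds 3000"
    return False, aggregate, "aggregate weight does not exceed 3000"

# Constructed inventory for illustration only.
INVENTORY = [
    Station("A", 500, [500, 500]),
    Station("B", 345, [345, 345, 230]),       # 1300 + 1300 + 700 = 3300
    Station("C", 230, [230, 230, 230, 230]),  # 4 * 700 = 2800
    Station("D", 345, [345, 345, 138]),       # only two countable lines
    Station("E", 138, [138, 138, 138]),
]

if __name__ == "__main__":
    for s in INVENTORY:
        on_list, agg, reason = screen(s)
        print(f"{s.name}: {'LIST' if on_list else 'off'} agg={agg} ({reason})")
```

Station C shows why line count alone is not enough: four 230 kV lines still total only 2800.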

FERC Docket No. RD14-6-000

90 days of the ORDER…not the Federal Register

What the?

What Policy Makers Hear!

OMG! So NOT true!!!

FERC says Standards should…

• …require owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their “critical facilities.”

• …require owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities.

• …require those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.

FERC wants Oversight

• In addition, the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator. Such verification could be performed by NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity. The Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner’s or operator’s list of critical facilities

Columbia Grid?

CIP-014-01 Applicability

CIP-014-01 Requirement R1

CIP-014-01 Requirement R2

Risk Assessment

• Risk equals
  – Probability * Consequences
• Good luck with sorting out the probability problem…
• Examples of Risk Assessment gone bad
  – Katrina (New Orleans)
  – Fukushima Daiichi Nuclear Power Station
  – Sandy (New York)
  – Challenger & Columbia
  – Thresher & Scorpion

Threat Profile (G/Y/R)