The Federal Energy Regulatory Commission has denied a complaint filed by a cybersecurity activist alleging that security measures designed to protect the grid from physical attacks are inadequate and unenforced.
Grid security blogger Michael Mabee had asked the commission to direct the North American Electric Reliability Corp. to correct perceived deficiencies with the physical security reliability standard. NERC developed the standard after gunfire damaged 17 transformers at Pacific Gas and Electric Co.’s Metcalf substation in San Jose, Calif., in April 2013.
The standard requires transmission owners to create physical security plans for their transmission stations, substations and primary control centers, conduct evaluations of the potential threats and vulnerabilities of a physical attack on those facilities, and have unaffiliated third-party reviews of those plans and evaluations, among other things.
But Mabee asserted that “nobody with regulatory authority even has to even approve [the security plan] — all you need is somebody to ‘review’ it ... That unapproved three-ring binder of papers is what is standing between the United States and a catastrophic widespread power outage caused by a terrorist attack.”
In rejecting the complaint, FERC concluded that Mabee’s complaint "contains assertions that the commission addressed and rejected in [its order approving the standard] and in the order denying rehearing, or it makes new assertions that are either unsupported or misapprehend the requirements" of the reliability standard.
In addition, the commission assailed Mabee's contention that enforcement of the physical security standard “seems nonexistent.” While 578 physical attacks to the grid have been publicly disclosed in the seven years since the Metcalf attack, “utilities have been cited for violations of the standard only four times,” Mabee said in the complaint.
But FERC said “relying solely on the small number of filed violations is not a sufficient basis for us to conclude that [the standard] is not being enforced when it is equally plausible that the small number of violations could be attributed to industry compliance.”
Further, the standard at issue “does not purport to eliminate all physical attacks; instead, it is designed to protect critical facilities from physical attack,” the commission said.
While standing by FERC’s decision to deny the complaint and requested relief, Commissioner Bernard McNamee encouraged “NERC, regulated entities and the commission to continually reassess the security of all assets used for the generation, transmission and distribution of electricity.”
“Though the complaint at issue in this proceeding is denied, the work to secure the grid is ongoing,” McNamee said in a concurring statement. “In addition to these baseline standards, FERC and NERC must also work collaboratively with industry to establish best practices in addressing these threats.”
Mabee said in a June 11 interview that he was “very disappointed” with FERC’s decision not to do more to protect against physical threats. “Right now, the electric grid is highly vulnerable to physical attacks and the CIP standard presently only covers a very, very small portion of that,” the blogger said. (FERC docket EL20-21)
Jasmin Melvin is a reporter with S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.