Grid’s physical safeguards ‘a work in progress’ — CRS

Source: Blake Sobczak, E&E News reporter • Posted: Monday, April 2, 2018

The electric power industry’s efforts to secure the grid remain “a work in progress” five years after an eye-opening attack on a California substation, according to congressional researchers.

A new report from the Congressional Research Service credits major electric utilities for apparently hardening key facilities after one or more heavily armed attackers opened fire on Pacific Gas and Electric Co.’s Metcalf substation in April 2013.

Though it didn’t cause a blackout, that coordinated assault signaled a “turning point” in grid security, CRS researcher Paul Parfomak noted in the report. But he added that lawmakers could find it challenging to track utilities’ progress, given the secretive nature of security plans.

“There is currently no comprehensive accounting of changes in physical security throughout the sector,” he concluded. “Nonetheless, anecdotal information in the public domain suggests that such changes may be significant and widespread.”

The nonprofit North American Electric Reliability Corp. is responsible for overseeing the physical and cybersecurity of the bulk U.S. power grid, but few of its risk assessments, audits and enforcement actions are aired publicly.

The Metcalf attack prompted regulators at NERC and the Federal Energy Regulatory Commission to set new physical “critical infrastructure protection” standards in 2014, which required transmission owners to identify their most crucial facilities and develop plans to protect them.

Parfomak said in the report that it is “probably accurate” to say that the standards have boosted grid defenses, but the industry “has not necessarily reached the level of physical security needed based on the sector’s own assessments of risk.”

In other words, utilities haven’t yet fully protected all the critical sites identified in their security plans — “although they may be well on the way to doing so,” he clarified in an email.

For its part, NERC claims to have observed “remarkable progress” with utilities’ security plans and has yet to uncover any major failures, according to the report.

NERC officials told CRS researchers in December that some companies have started to factor security into their transmission planning, in a bid “to reduce the criticality of particular transformer substations in congested areas by providing more transmission paths around them.”

A controversial FERC report leaked to the media in 2014 found that attackers could disable nine substations to cause a nationwide blackout (Energywire, March 14, 2014).

Merging with cyber

Parfomak cited anecdotal evidence that grid operators are treating physical security seriously, pointing out that two major manufacturers offer transformers with ballistic shielding to protect against Metcalf-style attacks.

While he acknowledged that such marketing does not necessarily mean “that many utilities are buying them,” he also pointed to “physical security specialist” job openings at the Tennessee Valley Authority and the appointment of senior-level chief security officers at PG&E, American Electric Power Co. Inc. and Xcel Energy Inc., among other transmission owners.

“It appears that many utilities have been reconfiguring and elevating physical security functions within their corporate structures,” he concluded.

Andrew Bochman, senior cyber and energy security strategist at the Idaho National Laboratory, pointed out the importance of empowering chief security officers to manage hacking risks in addition to physical ones.

“Physical and cyber security are merging as more of these physical systems are becoming computer- and network-based,” he said.

Appointing a “true” chief security officer “doesn’t solve everything, but it gives the CEO a chance to have a common operating picture of security,” Bochman said.

Parfomak noted in the CRS report that the utility industry rehearses how companies and government agencies would respond to a combined cyber and physical attack during the biennial GridEx security exercises.

He also pointed to the Department of Energy’s newly minted Office of Cybersecurity, Energy Security and Emergency Response, aimed at guarding the grid “from cyber threats, physical attack and natural disaster.”

“How this reorganization will affect DOE’s activities in bulk power physical security remains to be seen,” Parfomak wrote.