The 2014 Boston Marathon occurred on Monday, April 21. This year’s race was notable because it marked the first time since 1983 an American won the race.
All of us remember the running of the 2013 Boston Marathon on April 15 of last year. That event was notable for the two pressure cooker bombs that exploded at the finish line, resulting in three deaths and more than 264 injuries.
Until recently, an incident on April 16, 2013, at the Pacific Gas and Electric Metcalf substation grabbed very few headlines because of the Marathon bombings, but its implications could be even more terrifying. Approximately 200 AK-47 type rounds were fired at the substation from a nearby hillside, damaging 17 single-phase transformers, with a total repair bill of $15.4 million incurred as a result of the attack, which was first reported as simple vandalism. To date there are still no reported suspects, and many experts are now saying this incident could have been a precursor to a larger terrorist attack.
The substation incident essentially escaped national notice until Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission (FERC), raised the profile of the incident and Wall Street Journal reporter Rebecca Smith pieced the story together for the general public. This resulted in FERC Order 146 FERC 61,166, issued on March 7, 2014, calling for the North American Electric Reliability Corporation (NERC) “to submit for approval one or more Reliability Standards that will require certain registered entities to take steps or demonstrate that they have taken steps to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power system”. On April 9, 2014, this new reliability standard, CIP-014-1, was released for comment in draft form.
The applicability section of the draft form of CIP-014-1 is taken directly from Sections 2.4 and 2.5 of CIP-002-5, thus applying the new CIP-014 to the medium impact facilities defined in CIP-002-5. This essentially includes those transmission facilities operating at 500 kVA or higher as well as those facilities operating between 200 kV and 499 kV that have an aggregated weighted value, as a function of the number of lines entering and leaving the facility, greater than 3,000 according to Table 1.
What is notable about this draft are the six requirements:
- Requirement R1: Requirement R1 stipulates that each Transmission Owner is to perform an initial risk assessment on those transmission stations and substations that meet the applicability criteria. This risk assessment is for the purpose of identifying any facilities that if “rendered inoperable or damaged could result in widespread instability, uncontrolled separation or cascading within an interconnection”. The draft calls for subsequent risk assessments on a defined schedule depending on the results of the initial analysis.
- Requirement R2: Requirement R2 calls for unaffiliated third-party verification of the risk analyses performed in fulfillment of R1. The standard allows this third-party verification to occur simultaneously with the initial risk assessment or be conducted subsequent to completion of the assessment. Section 2.4 of R2 also calls for each transmission owner to develop procedures to protect the confidential risk assessment information provided to and received from the third-party verification entity.
- Requirement R3: Requirement R3 calls for transmission owners with facilities that have been identified and verified according to Requirements R1 and R2, but are not under the operational control of the transmission owner, to notify the transmission operator of these facilities of their identification under R1 and verification under R2.
- Requirement R4: Requirement R4 calls for transmission owners with facilities identified in R1 and verified in R2 to “conduct an evaluation of the potential threats and vulnerabilities of a physical attack to each of their respective Transmission station(s)”.
- Requirement R5: Requirement R5 calls for each transmission owner with facilities identified in R1 and verified in R2 to “develop and implement a documented physical security plan(s) that covers their respective Transmission station(s), Transmission substation(s), and primary control center(s)”. The content of these plans is to include measures to deter, detect, delay, assess, communicate and respond to potential physical threats and vulnerabilities. Law enforcement coordination is also to be addressed.
- Requirement R6: Requirement R6 calls for the independent verification of the security plans developed in R5. Section 6.1 of R6 states that this third-party review entity must have at least one member holding either a Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification, both of which are promulgated by ASIS International. Other third-party review options include an entity or organization approved by the ERO, a governmental agency with physical security expertise, or an entity with demonstrated law enforcement, government or military physical security expertise.
In other words, this is a classic risk analysis exercise where the likelihood of the loss of a fixed asset is considered with the consequences of that loss.
Substations, and in particular, substations of the class addressed by CIP-014-1, contain a variety of specialized components necessary for the safe, efficient and reliable transfer of electrical energy between various sources and loads. Most of those components are easily damaged but in most cases just as easily replaced, normally within a matter of days.
The transformers are the exception. They are generally the largest single piece of equipment in the substation. This makes them easy to identify and hit. The tank around the windings is full of oil that serves as both an insulator and coolant. Loss of that oil, as through a bullet hole, results in electrical arcing, overheating, and ultimately the unit being disconnected from the grid if the protective systems are functioning properly. If not, the end result is often a transformer fire.
Transformer replacement can be difficult. There are many variables, but unless the utility has a properly specified mobile substation or available spare, replacement can take months. During repairs, the downstream consequences could include crippling outages. In the case of the Metcalf incident, the outages were limited due to redundant system design and the light seasonal loading. As the recovery proceeds, the utility company may also have to endure the fact that the affected substation is now a crime scene.
The threats to electric substations and switching stations are well known. These range from simple vandalism and progress through copper theft and end up at the Metcalf incident. What is difficult to gauge is the applicability of the Metcalf threat model to those facilities that make it through the R1 and R2 filter. While electric utility owners and operators have long dealt with the occasional gunshot damage to substation equipment, there is every indication from the post-incident analysis at Metcalf that this was a well-planned event. The fact that more than 12 months later there is no suspect identified provides weight to that assessment. In the absence of any evidence to the contrary, there is every indication that the off-site shooter will need to be included in the threat model identified here in R4.
R5 calls for the development of a security plan to address the identified threats and vulnerabilities. However, the difficulties of applying electronic security systems at electric substations are also well known. While the technological tools available for perimeter intrusion detection and CCTV surveillance/assessment have vastly improved over time, the design, implementation and management of these systems require an investment of time and expertise that is not always readily available to electric utilities. The fact that copper theft is a persistent problem indicates that the industry has not done a good job of implementing basic security features to counter it.
Addressing the off-site shooter threat also provides a new challenge to the security system designer. Most government, and essentially all private-sector, fixed-facility security models are designed to address the threat on or in immediate proximity to the organization’s owned property. However, the off-site shooter can be a significant distance away from the target, well beyond the reach of most current surveillance systems. Additionally, since the shooter does not have to gain access to even the immediate vicinity of the site, perimeter intrusion detection systems will be unaffected by a shooter’s presence.
A couple of approaches to this dilemma have been discussed by practitioners for some time. First, the off-site shooter can be neutralized if line of sight to the targets can be denied. Some utilities, especially with facilities in urban areas, have long placed their substations behind concrete block walls to shield them from view of the residents, as well as to protect against and deter vandalism. In the current situation, if the walls can be economically built sufficiently high to deny line of sight with due consideration to the surrounding terrain, this will provide a measure of protection for the substation contents. However, if the surrounding terrain is anything but flat, the height of the perimeter walls, and therefore the costs, could become prohibitively high.
The second approach, again one that has been under consideration for some time, is simply to enclose the highest value assets within some sort of ballistic barrier. The questions that arise at this point, specifically with regard to transformers, include maintenance access. What minimum separation distance must be maintained between the transformers and the barrier in order to maintain sufficient airflow under worst-case conditions? And how do you provide adequate cooling over the foils to maintain efficient transformer operation? There are many variations on these questions.
Should the barrier be porous to allow air flow throughout all levels, or can it simply be raised off of grade a certain distance to provide for a chimney effect moving along the transformer? The barrier should also be designed to allow for transformer maintenance, which implies it should be easily removable. These questions will need to be answered jointly by the security community and equipment manufacturers.
Another option to be considered is the use of currently available CCTV and video analytic technologies that function well in extreme exterior environments. Couple this with infrared technology, and the system can perform in the absence of expensive, and sometimes covenant-prohibited, lighting systems.
Implementation of CIP-014-1 will require a strategic shift in the way we think about the security of our most critical substations and switching stations. The challenging yet supported threat model will drive the design of the systems that must deter, detect, delay, and assess physical threats to these facilities. There will not be a single measure that will provide the solution. The solution lies in the effective design and subsequent management of complementary measures, ranging from expanded areas of vegetation control around the station perimeter, and more frequent security patrols, to the use of advanced video analytic tools.
About the Author:
Randy Nason, PE, CPP, is a corporate Vice President as well as Manager of the Security Consulting Group with Guernsey. His experience includes a broad spectrum of the security profession including threat assessment, vulnerability analysis and site surveys through complete system design and construction management. Randy has been particularly involved in the development of security programs and best practice documents for electric infrastructure clients.