NERC CIP and the need to protect Critical Infrastructure

NERC CIP-014-2 (North American Electric Reliability Corporation Critical Infrastructure Protection) was created as a guideline for the protection of North American electric power substations from physical attack.

NERC CIP-014-2 is intended as a best-practices blueprint to guide not only bulk electric power providers and utilities, but also physical security professionals and integrators, in providing the most effective protection of vital outdoor-located electrical transmission and distribution assets.

NERC CIP and Physical Protection using a Systems Approach

NERC CIP-014 describes a “systems approach” to the physical security protection of mission-critical substation facilities and other key assets within a utility.

There are six specific actions identified by NERC: Deter, Detect, Delay, Assess, Communicate and Respond. NERC also recommends a “defense in depth” concept to “prevent the advance of an attacker.”

This concept entails creating several zones of protection over a wide area, so that the utility can respond to an event over a wider time interval instead of relying on a “single, strong defensive line.” These zones, or layers of protection, typically begin with the fencing surrounding the facility, as well as controlled access points for authorized personnel, and ultimately end at a very critical location, such as the shelter containing the control and metering equipment at the substation.

As part of the NERC CIP-014 implementation process, each utility must identify its most mission-critical facilities, defined as installations that, if damaged or taken offline, would “result in widespread instability, uncontrolled separation or cascading within an interconnection.” To demonstrate compliance, a utility is required to perform a complete security audit and review to identify any potential threats to the substations and other mission-critical assets, confirm the risk assessment with an independent third party, and finally implement the physical security measures necessary to maintain protection of those assets.