In this series, I rely on my 50+ years in the electric utility industry to outline concerns and improvements to NERC’s Reliability Standards.
This article focuses on CIP-014-3 — Physical Security. It is especially relevant because the Federal Energy Regulatory Commission (FERC) and NERC are holding a joint conference to address concerns over physical security within the power system. I will be attending the conference on August 10, 2023, and will share my experience afterwards.
In this article, I outline concerns and recommendations that I hope to bring to the attention of NERC and FERC officers during the upcoming conference.
CIP-014-3 Stated Purpose
The stated purpose of NERC Reliability Standard CIP-014-3 is:
“To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.”
Concerns with Reliability Standard CIP-014-3
Like other reliability standards, CIP-014-3 lists Requirements and Measures, Compliance, Violation Severity Levels, etc. in legalese most useful for attorneys. However, if a reliability standard is to be effective, it must be written in the jargon of the user, in this case, transmission system operators and protective relay engineers.
Lessons learned in other industries have not been incorporated into NERC reliability standards. Most noteworthy is the Chicago Air Route Traffic Control Center fire in Aurora, Illinois in September 2014. The same components installed in the control center in Aurora are installed in substation control houses and relied upon by transmission system operators and protective relay engineers. Other noteworthy incidents have impacted the physical security of both the electric energy grid and other industries.
Let’s take a closer look at four concerns with CIP-014-3.
Concern 1: Lack of Preparedness for Total Substation Loss
Transmission system operators focus on normal system conditions with, and without, facilities out of service for maintenance or repair. During normal conditions, the electric energy grid is designed and operated to accommodate one facility removed from service every fifteen minutes. During severe weather conditions, the grid is operated in a manner that accommodates removing two facilities from service at the same time.
Protective relay engineers design redundant protective systems that trip facilities when short circuits occur. Protective relaying schemes are designed with the assumption that only one facility is short circuited at any given time.
The electric energy grid is not prepared for the total loss of a substation through attack or sabotage. Protective relay schemes are not designed to detect and isolate multiple, simultaneous short circuits.
Concern 2: Lack of System Recovery Models
Models have not been developed to show recovery of the electric energy grid after an intruder damages vital areas in substations.
Concern 3: Inadequate Aggregated Weighted Values
Paragraph 4.1.1.2 provides an aggregated weight chart that is used to determine the criticality of a substation. This is an inadequate method of assessing vulnerability, and completely ignores the fact that the electric energy grid is a single machine from the Atlantic Ocean to the Rocky Mountains.
Concern 4: Insufficient Third-Party Reviews
Requirement 6, paragraph 6.1 mandates that unaffiliated third-party Certified Protection Professionals (CPP) or Physical Security Professionals (PSP) with certification perform periodic reviews. This assumes that Transmission Owners have properly identified critical components in critical facilities and conveyed their importance to security professionals; however, this is rarely the case.
Enhancement Plans for NERC CIP-014-3
The following actions will substantially improve the effectiveness of CIP-014-3.
1. Add the requirement that areas in substations with 230 KV and higher voltage facilities be designated as one of three tiers:
Vital – high risk
Protected – moderate risk
Controlled – low risk
Basis:
Each designation provides a basis for security professionals. Vital designates that a damaged or destroyed component in that area will impact other substations across a wide area. Protected designates that components are important to a neighborhood, but not a wide area. Controlled indicates that components are inside a substation security perimeter.
2. Add the requirement that substation criticality be based on recovery after a three-phase fault persists for one second.
Basis:
Short circuit studies are developed, and systems are modelled assuming three phase faults with stuck circuit breakers are cleared in less than 250 milliseconds.
When a three-phase fault occurs, some air conditioner compressors stall while some shut off, and many pumps and fans slow down. Then, when voltage recovers, many air conditioner compressors, pump motors, and fan motors attempt to reaccelerate simultaneously. This is predictable and needs to be analyzed via recovery models.
3. Add the requirement that transmission system owners must prepare bifurcated recovery models that are based on peak load conditions with delayed voltage recovery.
Basis:
Voltage is depressed across a wide area whenever a three-phase fault occurs. The amount of load that trips offline or attempts to simultaneously reaccelerate is a function of fault location, grid configuration, and load type.
Modern computer-based models need to be developed to automatically change load models based on fault voltage using the following parameters:
1. Fault voltage greater than 80%:
Compressor motors, pump motors, and fan motors slow down and reaccelerate when voltage recovers.
2. Fault voltage between 40% and 80%:
Compressor motors stall and restart when voltage recovers.
Pump motors and fan motors slow down and reaccelerate when voltage recovers.
3. Fault voltage less than 40%:
Compressor motors, pump motors, and fan motors trip offline and remain off until restarted.
All three of the above conditions occur at distinct locations every time a short circuit occurs. The concern is that existing models do not account for these conditions.
4. Add the requirement that multiple parties contribute to the process of developing reliability standards.
Basis:
When electric utilities develop reliability standards without input from other subject matter experts, potential issues are overlooked or ignored. Including subject matter experts other than electric utility staff members in the development of CIP-014-3 will enhance this document.
Subject matter experts with physical security experience at nuclear power plants and DoD facilities should be asked to contribute to enhanced security requirements.
Specialized industry groups can contribute specific information for recovery models. For example, members of the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) have a much better understanding of air conditioning compressor operation that electric utility engineers. This external knowledge is vital when modeling compressor reacceleration after a fault.
A Collaborative Mindset Will Improve NERC’s Standards
Throughout my 50+ years in the electric utility industry, I have had the opportunity to investigate anomalies that reinforce the benefit of working with subject matter experts. One such investigation, involving a water hammer in large pipe systems, was caused by opening and closing circuit breakers in substations.
It is time that NERC uses a collaborative mindset to engage with a variety of subject matter experts to update NERC Reliability Standard CIP-014-3. NERC needs to recognize that wide area blackouts will occur until root cause issues are addressed.
A better purpose statement for NERC CIP-014-3 would be:
“To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of from a physical attack that could result in instability, uncontrolled separation, or Cascading within an Interconnection a wide area blackout.”
In our next article in this series, I will share my concerns and recommendations for improvements to NERC Reliability Standard PRC-010-2 – Under Voltage Load Shedding. Follow along with this blog series to learn more.
Questions about expertise or recommendations? Please email me directly or submit our contact us form.