Encari’s Key Takeaways from SPP’s Webinar – Upcoming Standards on August 6, 2015
FERC directed NERC to develop a physical security standard on March 7, 2014. The order requires a standard “to identify facilities on the Bulk-Power System that are critical to the reliable operation of the Bulk-Power System. Then, owners or operators of those identified critical facilities should develop, validate and implement plans to protect against physical attacks that may compromise the operability or recovery of such facilities.” There are 90 days to submit the standard to FERC.
Applicability: Transmission Owners that own:
- 500 kV or higher Transmission Facilities
- 200 kV to 499 kV Transmission Facilities that meet the weighting table’s 3000 point threshold
- Transmission Facilities identified by the Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits
- Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements
The first three requirements deal with risk assessment to identify in-scope assets, review of the risk assessment by an unaffiliated third-party reviewer, and sharing of information with affected entities. The three subsequent requirements deal specifically with physical security issues including evaluation of potential threats and vulnerabilities, development and implementation of a documented physical security plan, and unaffiliated third-party review of the evaluation and corresponding security plan.
R1 must be completed by October 1, 2015. Parts 2.1, 2.2, and 2.4 of R2 must be completed by December 30, 2015. Part 2.3 of R2 shall be completed within 60 calendar days of the completion of performance under R2 part 2.2. R3 should be completed within 7 calendar days of completion of performance under R2. R4 and R5 shall be completed within 120 calendar days of completion of performance under R2. Parts 6.1, 6.2, and 6.4 of R6 shall be completed within 90 calendar days of completion of performance under R5, and part 6.3 shall be completed within 60 days of part 6.2.
CIP-014-2 Suggested Evidence:
- List of all BES stations / substations
- List of Transmission stations / substations planned in the next 24 months
- List of Transmission stations / substations that meet criteria specified in Section 4.1.1
- Current and Prior 1 risk assessments
- Dated evidence of third-party verification of entity’s risk assessment performed under R1
- Dated documentation of third-party verification and recommendations for addition or deletion, if any, including recommendations from third-party verifier or explicit statement from third-party verifier that the verification was completed with no recommendations.
- If applicable, dated communications with TOP identified control centers as in scope for R4-R6
- List of all stations, substations, and control centers identified in R1-R3
- A description of the entity’s process for executing the evaluation prescribed in Requirement R4
- Dated threat and vulnerability assessment containing all components specified in Requirement R4. Threat and vulnerability assessments may be separate documents provided they are used together to determine vulnerabilities.
- List of all stations, substations, and control centers identified in R1-R3
- Dated physical security plan(s) addressing all components of R5
- Evidence supporting implementation of measures identified in the physical security plan such as training records, work orders, photographic evidence, visual verification, and direct observations.
- Dated documentation of unaffiliated third-party review of entity’s R4 evaluation and R5 security plans
- Documentation of recommendations or statement indicating no recommendations
- Documentation of changes in response to recommendations and / or rationale for declining recommended changes.