On April 16, 2013, snipers fired for 19 minutes on PG&E Corp.'s Metcalf electric power transmission station near San Diego, California, knocking out 17 giant transformers that supply electricity to Silicon Valley. At least 100 rounds were fired from at least one high-powered rifle. The power grid was rerouted to avoid a blackout, but it took 27 days to make repairs and get the substation back up and running.
The incident got the attention of regulators and security professionals in the utility industry. There are some theories the incident was a dress rehearsal for a terrorist attack. To address such risks, the North American Electric Reliability Corporation (NERC) has adopted reliability standards to minimise the security risks and vulnerabilities related to the reliable operation of the nation’s bulk power systems. The standard will guide owners and operators of such facilities to develop, validate and implement plans to protect against physical attacks that might compromise the operability or recovery of such facilities. The NERC Board of Trustees adopted the related CIP-014-1 standard at its May 13, 2014, meeting and will submit the standard to the Federal Energy Regulatory Commission (FERC).
Adopting new CIP-14 standard - challenge
Helping utility companies meet the new CIP-14 standard is an urgent new challenge – and opportunity – for the physical security marketplace, especially for suppliers of perimeter security technologies that could provide early warning of an attack on a remote transmission site. “I have seven or eight teams working on it right now,” says R.J. Hope, department manager, global security services for Burns & McDonnell, an A&E firm. Protecting remote, unmanned locations particularly lends itself to a technology solution, he says.
Historically such sites have relied on fence-based systems, but the systems tend to generate false alarms when the wind blows debris or a deer walks by. Even a 1 percent false alarm rate can be too high if an operator is monitoring 1,000 different substations.
A promising technology Hope sees is ground-based radar, which can expand the range of perimeter security systems even beyond a fence or other barrier and let operators know “the bad guy is coming as soon as possible.” One company that supplies such systems is SpotterRF, which specialises in small-size, low-power systems for use in wide area ground surveillance. One SpotterRF product has a range of 1,200 meters and covers an area of more than 940,000 square meters (233 acres). Ground-based radar could be combined with video systems.
The new CIP-14 standard is an opportunity for the physical security marketplace, especially for suppliers of perimeter security technologies that could provide early warning of an attack on a remote transmission site
In addition to early detection, systems are needed that reduce the amount of data flowing into a main hub room. Other critical data – such as SCADA alarms, system performance feedback, etc. -- cannot be compromised by bandwidth-hogging video. Recording video remotely and backing it up during slower off-hours can help address the problem.
Impact of CIP -14 standard on security industry
The expected impact of the new utility standard follows a familiar pattern in the security market – security spending is generally precipitated either by a regulation, such as CIP-14, or by an event. For example, a company might look for new security if someone were hurt in a parking lot or if there were a large internal theft ring.
Another example of how regulations can increase security spending was the impact on the chemical marketplace of the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS). Spending related to CFATS compliance peaked around 2010 or 2011.
The push for compliance with CFATS has now largely come and gone, says Hope. Companies are now mostly compliant with the regulation’s 18 risk-based performance standards aimed at facilities that “present high levels of security risk” based on the chemicals they manufacture, store and/or distribute. Burns & McDonnell has consulted with dozens of clients in recent years that handle one or more of the 300-plus “chemicals of interest” on the CFATS list, including common substances like hydrogen peroxide and acetone used in manufacturing processes, says Hope.
Impact of CFATS regulation on security equipment
The lagging impact of CFATS regulation on the security equipment marketplace might come from companies whose business changes to include a CFATS-targeted chemical or to increase an amount they handle, thus making them subject to CFATS’s risk requirements. Also, the paperwork burden of documenting CFATS compliance continues to take a toll on end users, especially among chemical distributors whose mix of chemicals changes significantly and often, based on client demand. Many chemical distributors have hired new employees just to handle Department of Homeland Security (DHS) compliance, says Hope.
Although CFATS’s “risk-based standards” did not specify use of any certain equipment, many end users looked to equipment solutions as a tool to achieve CFATS requirements of surveillance, access control and measures to “deter, detect and delay.”
CFATS demonstrated the power of regulatory compliance to drive security purchases, and now NERC’s CIP-14 standard is poised to have a similar impact on the U.S. utility sector.