Ron Ponist, GAI Consultants
The electricity sector has traditionally developed and executed service restoration plans to mitigate the effects of widespread outages caused by weather, other natural disasters, equipment failure and vandalism. Now these plans need to be amended to accommodate a new threat: physical and cyber terrorist attacks. Since it is not practical to protect the entire transmission system, it is imperative to prepare or revise these plans to provide for threat detection, deterrence, damage mitigation and restoration.
But the first step is determining the extent of your problem. This can be done by conducting a vulnerability and risk assessment using assessment tools like RAM-T (for “risk assessment methodology for transmission”), which was recently developed by Sandia National Laboratories. This assessment could be done internally or by an outside engineering firm experienced in transmission line design and construction, recognizing that expert judgment is required to assign reasonable probabilities to certain events.
The transmission line assessment should include a structural, reliability-based evaluation that considers its original design basis, existing physical condition and the entire spectrum of threats it is expected to be subject to, including weather-induced events, equipment failure, vandalism and terrorism. Ascertaining the existing condition of the transmission line would provide assurance that it does not have an inherent deficiency that would amplify the effect of any triggering event. It may be prudent and cost-effective to harden the system by reinforcing towers at critical points and providing anti-cascading structures to mitigate damage.
Developing and implementing system security procedures is not optional; the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Council (NERC) and the Department of Energy (DOE) all require them. FERC has specified minimum security standards for all electric market participants in Appendix G of the Standard Electricity Market Design (SMD) Notice of Proposed Rulemaking (NOPR). These standards include requirements to protect cyber assets and to provide physical security that will assure a secure physical environment for cyber resources used to interact with bulk electric system operations. Compliance is mandatory and scheduled to begin January 2004. An annual certification of compliance must be filed with FERC, with a corporate officer certifying that the participant is in compliance with the standards listed. Failure to comply will result in loss of direct access privileges to the electric market.
NERC has initiated a process to establish NERC cyber security standards for computers that interact with bulk electric system operations. Substantial compliance is required by January 2004, full compliance by January 2005. These 17 standards (1201-1216) were developed using an ANSI-accredited standards-making process, i.e., one that is open and consensus-based. A certification of compliance must be submitted annually and signed by a senior management official. FERC will include these standards by reference in Appendix G of its SMD NOPR, and they will supplant those currently listed. In addition, while compliance with NERC reliability standards has always been mandatory, compliance with standards 1201-1216 will now be enforced by FERC.
DOE has also established mandatory reporting requirements for electric emergency incidents and disturbances in the U.S. Nine specific incidents and disturbances are listed, including actual or suspected physical or cyber attack that could impact system adequacy, reliability, or vulnerability, including vandalism to any security system component. Each incident or disturbance requires an initial report to be filed within 60 minutes, with a follow-up report to be sent within 48 hours.
Utility asset management has always evaluated the reliability of its system based on the largest expected single contingency event. However, post 9/11, this event may be a well-planned, effectively coordinated attack on the transmission system at multiple points, possibly combined with a cyber attack on the SCADA/control system, and it should be part of asset management’s due diligence evaluation. The chief risk officer (CRO) or other senior management is ultimately responsible for determining the acceptable level of risk, whether implicitly or explicitly.
While the ascertained risk to the transmission system may be acceptable to management, this acceptance harbors implicit economic ramifications, and the public, shareholders and government review boards may subsequently challenge this classification following a widespread, sustained outage. Remember, the electrical sector is a terrorist target for good reason: It is the lynchpin that supports most other critical infrastructures. Management that views security issues as part of its strategic planning process may properly conclude that expenditures for transmission line security, which serve to reduce its potential liability, are necessary and prudent.
Ponist, a staff consultant at GAI, has over 30 years of transmission line design experience. He recently attended one of NERC’s two-day workshops on how to protect the North American electric infrastructure.