180 likes | 407 Views
PowerWorld & NERC Physical Security Station List. Back Story. 16 April 2013 PG&E Metcalf station attacked It WAS in the press!!! (contrary to what you might read or hear) FERC Chairman(former) Jon Wellinghoff Championed the issue of physical security He has powerful help:
E N D
Back Story • 16 April 2013 PG&E Metcalf station attacked • It WAS in the press!!! (contrary to what you might read or hear) • FERC Chairman(former) Jon Wellinghoff • Championed the issue of physical security • He has powerful help: • Rep. Henry Waxman (D-Calif.) • Sen. Harry Reid (D-Nevada) • Sen. Dianne Feinstein (D-Calif.) • Sen. Ron Wyden (D-Oregon)
Recent WSJ Article…the Back Story When seconds matter cops are only minutes away…
Security Briefing Industry Update – How Did We Get Here? Attack Ideas Available on the Internet 1/15/2013 Attacks on Critical Infrastructure Metcalf 4/16/2013 Arkansas 9/16/2013 “If someone decides to blast a transformer at its base as prepper Bryan Smith did, and the oil drains out, then the transformer either burns out catastrophically, or if the utility is lucky, a software routine notices the problem and shuts the substation (or at least the affected portion) down” (http://www.bob-owens.com/2013/01/shock-the-system/)
Security Briefing Industry Update – How Did We Get Here? Press Reports Fan The Flames… and Politics in Action…
The Standard (CIP-014-01) • Identify Stations on the “List” • All 500 kV stations • 200 kV to 499 kV with 3 or more lines and where the summed aggregate of the lines exceed 3000 (see table for weights):
FERC Docket No. RD14-6-000 90 days of the ORDER…not the Federal Register
Read It Here • http://www.ferc.gov/CalendarFiles/20140307185442-RD14-6-000.pdf
What Policy Makers Hear! OMG! So NOT true!!!
FERC says Standards should… • …require owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their “critical facilities.” • …require owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities. • …require those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.
FERC wants Oversight • In addition, the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator. Such verification could be performed by NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity. The Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner’s or operator’s list of critical facilities Columbia Grid?
Risk Assessment • Risk equals • Probability * Consequences • Good luck with sorting out the probability problem… • Examples of Risk Assessment gone bad • Katrina (New Orleans) • Fukushima Daiichi Nuclear Power Station • Sandy (New York) • Challenger & Columbia • Thresher & Scorpion