One conundrum posed by the nation's move to improve the intelligence of the bulk electricity transmission system is how to protect all that new “smartness” from physical or electronic attack. Advanced communications and controls may help prevent problems, or allow quick fixes when lines go down, but the interconnections they enable make them especially vulnerable targets for terrorists and others. New regulations now in effect are designed to address these concerns and could affect electrical contractors who work in critical utility facilities.
The North American Electric Reliability Corp. (NERC) developed and released the new directives last year, and NERC-approved third parties are just beginning to audit those utilities and transmission companies that are required to comply. The standards apply to the bulk electric system (BES), which, to NERC, includes all networked equipment operated at 100 kilovolts and above. Utilities owning such equipment are required to register themselves as “responsible entities,” which makes them subject to the regulations and resulting compliance audits.
“Owners are required to perform a risk-based assessment analysis to determine if the loss of this equipment will degrade the reliability of the electric system beyond acceptable limits,” said Peter Reichmeider, vice president of Houston-based Quanta Energized Services, a major provider of utility contracting support. He says this category could include substations and generating plants, along with some transmission lines and transformers.
The regulations are broad-reaching, concentrating primarily on the physical security of cyber assets, such as computers and communications systems and the software by which they operate. Electrical contractors, however, need to be especially aware of provisions requiring utilities and their contractors to conduct thorough background checks on employees who work unsupervised on these sites and hold regular safety and security training sessions for these personnel.
Utilities are responsible for ensuring their staff—and that of their contractors—has been screened to applicable standards. Their performance to the standards will be tracked under a compliance auditing program, and they’ll need to have documentation in place to back up contractor compliance claims. As a result, utilities could be adding some contractual penalties for noncompliance in their agreements with contractors to avoid NERC fines that could total up to $1 million per day, per violation.
“The utility has to go beyond just putting language in a contract, they have to do some due diligence,” said Scott Rowe, president of Lenexa, Kan.-based Corporate Risk Solutions, a security consulting firm recently certified by NERC to conduct compliance audits. “It would not be surprising to start seeing some punitive measures in those contracts.”
Many utility contractors already may have practices in place that will meet the new NERC requirements, which Rowe said could be as simple as positive personal identification and a criminal background check going back seven years. For example, Reichmeider said that Quanta Services’ hiring practices already meet today’s standards. In addition, employees who will be granted unescorted access to critical facilities will require initial security training, along with an annual training session and quarterly awareness updates.
It’s possible the scope of these standards could expand beyond their current boundaries, as regulators gain greater understanding of where new smart transmission systems might be vulnerable. A revised version of the standards is already under development, and Rowe sees even stricter oversight down the road.
“The government is not yet satisfied with the level of security,” Rowe said. “There are going to be further updates that will increase the requirements over the next couple years. I see us strengthening these standards and giving them a bigger footprint.”
Rowe believes that footprint could expand to include even distribution-system facilities. But Reichmeider said the current utility regulatory structure would prevent that from happening at a national level, although individual states could choose to make such a move.
“Transmission is regulated by both the federal and state governments,” he said. “However, other than for safety and environmental issues, subtransmission and distribution is primarily regulated by the state governments. For CIP [critical infrastructure protection] standards to propagate to the subtransmission and distribution systems, it will need to be pushed by state regulators or state lawmakers. Therefore, it would most likely occur only within selected states.”
However, regardless of how far down the transmission and distribution system these regulations end up reaching, it could make sense to spend some time understanding these regulations and incorporating compliant practices into your company’s standard operating procedures. Such an investment could be a boost to your marketing efforts, even if you’re not yet working on projects where such scrutiny is required.
“This is not going away,” Rowe said. “Utilities will want to do business with companies that are currently compliant. It will become a business requirement very shortly, and I think those companies that are compliant will have a market advantage.”
ROSS is a freelance writer located in Brewster, Mass. He can be reached at firstname.lastname@example.org.