NERC Response to Grid Security

Summary:

Grid security efforts are just one piece of the multi-pronged approach NERC takes in its daily mission to assure the reliability, resilience and security of the North American bulk power system. Most importantly, the electricity industry is the only critical infrastructure to have mandatory and enforceable reliability standards. Our suite of Critical Infrastructure Protection Reliability Standards provide a foundation for sound security practices for addressing both key cyber and physical security challenges, including those identified in DHS’ recent “Shields Up” guidance. These standards, which were initially approved in January 2008, establish necessary controls and physical and electronic perimeters for cyber assets. They also mandate recovery plans, incident reporting and vulnerability assessments. Entities are regularly audited to ensure compliance with these standards, with non-compliance subject to significant financial penalties. This, in combination with the activities of NERC’s Electricity Information Sharing and Analysis Center, provides a robust cyber and physical security structure for industry in the United States and Canada. In 2014, FERC directed NERC to develop a mandatory physical security standard that was put in place to address issues related to the 2013 Metcalf substation event in California, which although serious, did not result in any outages to consumers. FERC said at the time: “electric systems are designed to be resilient and it would be difficult for attackers to disable many locations.” The majority of physical security incidents are related to copper theft, trespassing, damage from hunters and drone surveillance. In addition, through capabilities including the Cybersecurity Risk Information Sharing Program (CRISP) and other sensor and intelligence platforms, the E-ISAC analyzes security data for patterns of incidents and shares the result with asset owners and operators. This information sharing and industry collaboration facilitates strong, knowledge-based defense-in-depth capabilities. NERC also coordinates closely with other critical infrastructure sectors and our government partners, both in the United States and Canada, including the U.S. Department of Energy, which serves as the risk management agency for the energy sector. This level of collaboration allows the E-ISAC to rapidly share intelligence about vulnerabilities and mitigation approaches to its membership, ensures vigilance and provides the ability to respond quickly should situations evolve, while supporting industry’s efforts to maintain the reliability and security of the grid.​Security of the grid continues to be a key priority for NERC, the U.S. and Canadian governments and industry. The continued coordination across our industry helps ensure vigilance and allows us to respond quickly should the need arise – we know nearly 400 million North Americans are counting on us.