Even as some electric utilities rack up penalties for not complying with current NERC CIP standards, FERC is considering proposed changes to CIP requirements (NERC CIP-002 version 4) which could dramatically increase security demands placed on U.S. electric utilities.
If approved by FERC, NERC CIP-002 version 4 would apply new bright-line criteria to determine what constitutes Critical Assets that need to be protected, in order to ensure the reliability of the bulk power system. For example, generation assets above a 1,500-MW threshold, black-start resources, transmission facilities of 300 kV or higher, and control centers, would all be counted among Critical Assets under NERC CIP-002 version 4. As pointed out in thisFERC law update article, NERC’s own survey results highlight the enormous potential increase in Critical Assets that will need to be secured and monitored under the new rule.
To quote from the article: …“Among the survey findings are the following: Currently only 50% of substations 300 kV and above are classified as Critical Assets; this number will increase to 70% under CIP-002-4. Almost 25% of generating units producing at least 300 MVA (that are not nuclear or blackstart units) will be Critical Assets under CIP-002-4. 532 system control centers will be Critical Assets with Critical Cyber Assets under CIP-002-4. 1,273 transmission substations 100 kV and above will be Critical Assets with Critical Cyber Assets under CIP-002-4. 475 generating units (that are not nuclear or blackstart units) will be Critical Assets with Critical Cyber Assets under CIP-002-4.”
Add to these eye-opening statistics another trend – the fast pace of consolidation that continues to shape the utility industry.According to another recent article, in the first six months of 2011 alone, “utilities in the United States (announced) mergers and acquisitions with a total value of $44 billion.” This will of course increase the size of these utilities making the monitoring, management and compliance efforts more demanding.
So what does this mean for the ‘security future’ of the average electric utility? With so many more sites to monitor, and the risk of large fines, I predict that many will turn to Situation Management solutions to consolidate and monitor their physical security data, protect their far-flung Critical Assets, ensure compliance across the enterprise, and centralize security operations.
Have you evaluated how NERC CIP Version 4’s new requirements will affect you? Have you estimated the number of additional sites and Critical Assets you’ll need to secure? What have you done to prepare your security operation for this change? I’d be interested to hear from you.
I also invite you to check out the resources below to learn more about Situation Management’s role in NERC CIP compliance. Utilities Feel the Electricity: How Situation Management Empowers Utilities for CIP Compliance (article)NICE Situator for Electric Utilities and NERC-CIP Compliance (white paper) Improving Security Operations and Proving NERC Compliance (recorded webinar)
FERC Law Update, July 5, 2011, Morgan Lewis, http://ferc.morganlewis.com/2011/07/05/responses-to-cip-v4-survey-questions/
Utilities Turn to Mergers as Demand for Power Slows, June 16, 2011, DealB%k (The New York Times), http://dealbook.nytimes.com/2011/06/16/utilities-turn-to-mergers-as-demand-for-power-wanes/