FERC Directs Mandatory Physical Security Standards

On March 7, 2014, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop and file for approval reliability standards addressing threats and vulnerabilities to the physical security of critical facilities on the Bulk-Power System (BPS). The reliability standards must require owners or operators of BPS facilities ("registered entities") to take at least three steps to address risks posed by physical security attacks. 

First, registered entities must identify their BPS facilities that "if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System." Second, registered entities that own or operate such critical facilities must evaluate potential physical threats and vulnerabilities to those facilities. Since potential threats and vulnerabilities will vary depending on the critical facility at issue, registered entities must tailor their evaluations to the unique characteristics of their critical facilities.  Third, registered entities must develop and implement a security plan based on this evaluation. 

NERC must file the proposed reliability standards by June 5, 2014. This very short time frame reflects the importance of having mandatory rules in place to address these physical security threats to BPS facilities. According to FERC, although many registered entities may already have taken voluntary steps to enhance their BPS facilities' physical security, the new reliability standards will require them to identify risks and have a plan that results in an adequate level of protection against the potential physical threats and vulnerabilities faced at their critical facilities. 

Given the short time frame for developing these standards and to avoid problems that could arise from standards developed in haste, registered entities should actively participate to ensure that (1) the standards for determining whether a given BPS facility is critical are not so broad as to include facilities that FERC might not have intended to be covered or that reasonably should not be covered by the new standards, and (2) the standards relating to the threat and vulnerability assessment and security plans are not inappropriately prescriptive.