Below is a summary of the six requirements included in the draft reliability standard for physical security of the grid.
- Transmission owners should perform a risk assessment of transmission stations and substations to determine which ones, if disabled or damaged, could result in “widespread instability, uncontrolled separation, or cascading within an Interconnection.” Assessments should be repeated every 30 months if such a vulnerability is identified and every 60 months if not.
- Transmission owners should have an unaffiliated third party verify the risk assessment. Such third parties can be a registered planning coordinator, transmission planner or reliability coordinator, or “an entity that has transmission planning or analysis experience.”
- Transmission owners with stations or substations identified under Requirements 1 or 2 that are not under their direct control must notify the operator of a primary control center that does control the stations of their critical status.
- Operators of stations, substations or primary control centers identified as critical under Requirements 1 through 3 must conduct an evaluation of potential threats and vulnerabilities of those facilities. The evaluation must consider the characteristics of the facilities and any prior history or attack of similar facilities, and incorporate any threat intelligence provided by NERC, law enforcement or other authorities.
- Operators of facilities identified during the threat analyses must develop within 120 days a physical security plan for the facilities, incorporating security measures, law enforcement contact information, a timeline for implementing the security plan and ways to conduct ongoing threat evaluations.
- Transmission owners and operators must have a third party evaluate the threat analysis in Requirement 4 and the security plan developed in Requirement 5. The evaluation must be completed within 90 days of the security plan completion, and any changes suggested by the third party must be performed within 60 days.