Electric, water, and natural gas utilities face some of the most demanding physical security requirements in any industry. Between NERC CIP-014 compliance for the electric sector, RAM-W risk assessments for water systems, FERC and PHMSA requirements for natural gas facilities, escalating threats against critical infrastructure, and the operational realities of protecting geographically dispersed assets, utility security programs must satisfy both regulators and real-world adversaries.
NERC CIP Physical Security Compliance
NERC CIP-014 requires transmission owners and operators to assess the physical security risks to critical transmission stations and substations, and to develop and implement documented physical security plans. Protective Resources supports utilities through the full compliance lifecycle:
- Threat and vulnerability evaluations of critical transmission stations and substations (CIP-014 R4)
- Independent third-party review of risk assessments and security plans (CIP-014 R2, R6)
- Physical security plan development, including deter, detect, delay, assess, communicate, and respond measures (CIP-014 R5)
- Physical Access Control System (PACS) design supporting CIP-006 requirements for BES Cyber System protection
- Documentation and evidence preparation for regional entity audits
Water Utilities — RAM-W Studies
Water and wastewater utilities protect assets where a security failure is also a public health event. Protective Resources performs RAM-W (Risk Assessment Methodology for Water) studies — the Sandia National Laboratories–developed methodology for water utilities — evaluating threats against treatment plants, wellfields, intakes, storage tanks, pump stations, and SCADA-connected facilities:
- Adversary characterization and design basis threat development for the utility’s service area
- Fault-tree analysis of critical assets — identifying where a determined adversary could most effectively disrupt treatment or distribution
- Physical protection system effectiveness evaluation: detection, delay, and response timelines against the design basis threat
- Prioritized countermeasure recommendations balancing risk reduction against capital and operating cost
- Support for AWIA (America’s Water Infrastructure Act) Risk and Resilience Assessments and Emergency Response Plan updates on the statutory recertification cycle
Natural Gas — FERC and PHMSA Requirements
Natural gas facilities and transmission systems answer to overlapping federal regulators: FERC for jurisdictional facilities including LNG terminals, and PHMSA for pipeline and LNG plant safety and security under 49 CFR Parts 192 and 193. We support gas operators with:
- Facility security assessments for compressor stations, city gate stations, metering and regulation facilities, and storage fields
- LNG plant security reviews addressing PHMSA 49 CFR Part 193 Subpart J requirements — enclosures, protective enclosure construction, monitoring, and security procedures
- Security documentation supporting FERC filings and site reviews for jurisdictional facilities
- Gas transmission system security planning consistent with TSA Pipeline Security Guidelines — critical facility identification, access control, and monitoring for dispersed right-of-way assets
- Integration of physical security with pipeline integrity management and control room operations
High-Security Installation Design
Beyond compliance, utilities operate facilities that demand genuinely hardened security: generation plants, control centers, substations, and operations centers. Our consultants design and specify:
- Perimeter intrusion detection systems (PIDS) and ballistic-rated barrier strategies for substations
- Video surveillance with analytics suited to unmanned, remote sites
- Access control integration across dispersed facilities and shared control centers
- Security Operations Center (SOC) design for centralized alarm monitoring and assessment
- Security lighting surveys and CPTED reviews for critical sites
Why Independence Matters
Because Protective Resources is not affiliated with any manufacturer or systems integrator, our vulnerability assessments and basis of design documents stand up to regulatory scrutiny as independent, objective work products — a critical distinction when your security plan will be reviewed by auditors.