Physical Security Risk Element

Sridhar Pushpavanam
Senior Risk Assessment Engineer

The Electric Reliability Organization (ERO) Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan (IP) annually highlights the risk elements that should be prioritized for oversight during a given year.

Physical security remains a key concern for the ERO in the 2025 CMEP IP. Physical security risks were first identified as an ERO priority in the 2024 CMEP IP, with an emphasis on Reliability Standard CIP-014-3, which is applicable to entities with medium- and high-impact Bulk Electric System (BES) Cyber Systems (BCS). ERO analysis showed that physical security threat levels remain elevated and that there has been an upward trend in threats involving low-impact BES Cyber Systems. The 2025 CMEP IP therefore expands the scope of the physical security risk element from the prior year to include Reliability Standard CIP-003-8, which applies to low-impact BCS.

The physical security risk element in the CMEP IP provides additional context. A key challenge in executing a physical security program is managing tasks that must be repeated consistently over long periods: the longer a routine control runs without incident, the greater the potential for personnel to lose focus on performing an individual act correctly, or to forget why the act matters in the first place.

Registered entities with applicable BCS should expect to see CIP-014-3 and CIP-003-8 in their 2025 engagement scopes (if those Standards are applicable and have not been included in a recent engagement). During an engagement, in addition to evaluating compliance, the Texas RE engagement team will look at the preventive, detective, and corrective controls an entity has in place to mitigate overall risk. Texas RE engagement observations may be reflected in the entity's next Compliance Oversight Plan (COP).

For physical security risks, entities should consider these questions around controls:

  1. CIP-014-3 R4, R5
    • Do you have effective processes to evaluate the potential threats and vulnerabilities of a physical attack against each applicable station identified in R1 and verified in R2?
    • Do you have controls to ensure that physical security plans are developed and implemented within the required timeframes?
    • Do you regularly evaluate the efficacy of the physical security plans and address identified deficiencies?
  2. CIP-003-8 R2
    • Do you have controls to monitor for unauthorized physical access? Do you evaluate the efficacy of these controls periodically and update them as necessary?
    • Do you have processes to manage permissions for personnel with authorized electronic or physical access to assets containing low-impact BCS? Is the access control policy periodically reviewed and approved by senior management?

For more information on physical security, please review the recent Talk with Texas RE on the subject. The Engagement Common Questions document on Texas RE’s website also provides insights on areas Texas RE could focus on during an engagement.