BILL ANALYSIS Ó 1 SENATE ENERGY, UTILITIES AND COMMUNICATIONS COMMITTEE ALEX PADILLA, CHAIR SB 699 - Hill Hearing Date: August 28, 2014 S As Amended: August 22, 2014 FISCAL B 6 9 9 NOTE : The Assembly amendments create a new bill and this measure has been referred to the Committee pursuant to Senate Rule 29.10 (d) for consideration. The Committee may, by a vote of the majority, either: (1) hold the bill, or (2) return the bill to the Senate floor for consideration of the bill as amended in the Assembly. DESCRIPTION Current law requires the California Public Utilities Commission (CPUC) to adopt inspection, maintenance, repair, and replacement standards for the distribution systems of investor-owned electric utilities (IOUs). (Public Utilities Code § 364) This bill requires the CPUC to consider adopting rules to address physical security risks to the distribution systems of electrical corporations in a new proceeding, or new phase of an existing proceeding, by July 1, 2015. Current law requires that the records of every state agency be made available for public inspection upon request, with certain exemptions and subject to procedures. This law is commonly referred to as the California Public Records Act (CPRA). Exemptions for specified information are included but an agency must justify withholding any record by demonstrating that the record in question is exempt under the law or that on the facts of the particular case the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record. (Government Code § 6250 et seq.) Current law establishes a presumption against public disclosure of any information submitted to the CPUC by a public utility unless the CPUC orders the information to be made public or made public in the course of a CPUC hearing or proceeding. Any official or employee of the CPUC who releases confidential information not ordered for release is guilty of a misdemeanor. (Public Utilities Code § 583) This bill authorizes the CPUC to, consistent with other provisions of law, withhold from the public information generated or obtained pursuant to these rules that it deems would pose a security threat to the public if disclosed. BACKGROUND HV Transformers - The electric utility industry operates as an integrated system of generation, transmission, and distribution facilities to deliver electric power to consumers. In the United States, this system consists of over 9,000 electric generating units connected to over 200,000 miles of high-voltage transmission lines strung between large towers and rated at 230 kilovolts (kV) or greater. This network is interspersed with hundreds of large electric power transformers whose function is to adjust electric voltage as needed to move power across the network. High voltage (HV) transformer units make up less than 3% of transformers in U.S. power substations, but they carry 60%-70% of the nation's electricity. Because they serve as vital transmission network nodes and carry bulk volumes of electricity, HV transformers are critical elements of the nation's electric power grid. The U.S. electric power grid has historically operated with such high reliability that any major disruption, either caused by weather, operational errors, or sabotage, makes news headlines. Such outages can have considerable negative impacts on business, government services, and daily life. Notwithstanding its high reliability overall, the U.S. power grid has periodically experienced major regional outages. Recent examples include the Northeast Blackout of 2003 (which affected 55 million customer in eight states and Canada) and extended outages in the New York/New Jersey area after Superstorm Sandy in 2012.<1> Grid Vulnerability - The vulnerability of individual transformer substations has been demonstrated by successful attacks in recent years. In the most serious case, a rifle attack occurred in April 2013 at PG&E's 500 kV Metcalf substation south of San Jose. In this attack, multiple individuals outside the substation reportedly shot and severely damaged 17 HV transformer radiators with .30 caliber rounds, causing them to leak cooling oil, overheat, and become inoperative and requiring over $15 million worth of repairs. To avert a black-out, the California Independent System Operator rerouted power from nearby Silicon Valley-based power plants. It is very difficult to restore a damaged HV transformer substation. Transmission experts assert that most HV transformers currently in service are custom designed and, therefore, cannot be generally interchanged. Furthermore, at $3-$5 million per unit or more, maintaining large inventories of spare HV transformers solely as emergency replacements is prohibitively costly, so limited extras are on hand. State and Federal Jurisdiction - Regulatory jurisdiction over transmission towers and substations is split between state and federal agencies based on the capacity of the transmission. The Federal Energy Regulatory Commission, or FERC, is an independent agency that regulates the interstate transmission of electricity including the "Bulk-Power System" and related facilities including some high voltage transmission and substations. Smaller capacity lines and substations are under the jurisdiction of the CPUC. Several grid security guidelines or standards have been developed or proposed to address the physical security of the grid, including HV transformers. These standards have been promulgated by the North American Electric Reliability --------------------------- <1> Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations". Congressional Research Service. June 17, 2014. Corporation,<2> at the direction of FERC, as voluntary best practices since at least 2002, with subsequent revisions. However, in the wake of the Metcalf incident, FERC has ordered the imposition of mandatory physical security standards in 2014 which are under development by NERC. The standards are intended to require, at least: Risk assessment of facilities to determine criticality; Evaluation of potential threats and vulnerabilities; and Development and implementation of a security plan. Earlier this year the CPUC's Safety and Enforcement Division (SED) directed the IOUs to "[E]xamine your company's security programs and make any necessary changes to minimize the likelihood of a physical or cyber-attack." This direction was followed by a two-day workshop on security issues. At this juncture the CPUC reports that it is waiting for finalization of the NERC standards before taking further action. Historical CPUC Records Disclosure Policy - Unlike other state agencies, the CPUC operates under a statute (Public Utilities Code § 583) which, in practice, has made public access to much of the information in its proceedings the exception, rather than the rule without positive action by the CPUC to make those documents public. According to prior analyses on this issue, the statute has its origins in a law enacted in 1951. Notwithstanding the subsequent "open government" reforms in California reflected in the CPRA, the statutory standard for public access to utility filings held by the CPUC, has not fundamentally changed since 1951. The CPRA gives every person the right to inspect and obtain copies of all state and local government documents not exempt from disclosure. Exemptions include corporate financial records and corporate proprietary information, including trade secrets. The CPRA also specifically provides that information held by the CPUC which is deemed confidential under Public Utilities Code § 583 is not required to be disclosed. However, the "exemptions" of the CPRA are narrowly construed and the fact that a record may fall within a CPRA exemption does not preclude the CPUC from disclosing the record if the CPUC believes disclosure is in the --------------------------- <2> The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. public interest. COMMENTS 1. Author's Purpose . According to the author, the security of our nation's infrastructure is of paramount importance. The recent sophisticated attack on an electric substation that a former vice president at PG&E described as a "dress rehearsal" for future attacks is evidence - not only that we are vulnerable - but that our vulnerabilities are clearly understood by those who wish to exploit them. As has been made clear by a recent National Research Council report, one of the best ways to protect ourselves from an attack on the electric grid is to lessen the damage that any attack can do. If we lessen the consequence of the failure of any one location or piece of equipment, if we increase the speed with which we can respond to an outage, if we can protect critical facilities from power disruption by using clean distributed generation, then the effort required for a malicious actor to seriously disrupt our power delivery system will make the target much less interesting - and we will be left with a more reliable grid. 2. Necessity . This bill requires the CPUC to engage in a public proceeding in which it considers the adoption of rules to address the physical security risks of the grid. The work of NERC will inform the process. Current reliability and safety standards at the state and federal level do not specifically require IOUs to take steps to reasonably protect against physical security attacks. This bill will fill that gap. It is important to note that there is generally not a "one size fits all" response to protect against physical security threats. The effectiveness of the standards will require due diligence and constant vigilance by the IOUs. POSITIONS Sponsor: Author Support: None on file. Oppose: None on file. Kellie Smith SB 699 Analysis Hearing Date: August 28, 2014