BILL ANALYSIS                                                                                                                                                                                                    �




                                                                  SB 699
                                                                  Page A
          Date of Hearing:   March 17, 2014

                    ASSEMBLY COMMITTEE ON UTILITIES AND COMMERCE
                               Steven Bradford, Chair
                     SB 699 (Hill) - As Amended:  March 12, 2014

           SENATE VOTE  :   (vote not relevant)
           
          SUBJECT  :   Public utilities: electrical and gas corporations.

           SUMMARY  :   This bill requires electrical corporations to submit  
          security plans to the California Public Utilities Commission  
          (PUC) and coordinate with law enforcement to achieve the goals  
          of the security plan. Specifically,  this bill :  

             1)   Requires investor owned utilities (IOUs) to prepare and  
               submit security plans on or before July 1, 2015. 

             2)   Allows the PUC to review, modify, and approve the  
               security plan, and determine the level of public access to  
               the security plan.

             3)   Provides that implementation costs related to security  
               plans are considered during the electrical corporation's  
               next general rate case application.

             4)   Requires electrical or gas corporations to establish a  
               memorandum of understanding (MOU) with law enforcement to  
               coordinate in the event of deliberate destruction of  
               utility equipment.

             5)   Requires electric and gas utilities, in consultation  
               with the California Highway Patrol, to designate certain  
               employees as first responders to manage hazards and restore  
               service following an accident, natural disaster, or  
               security breach.

           EXISTING LAW  

             1)   Establishes that private corporations and persons that  
               own, operate, control, or manage a line, plant, or system  
               for the transportation of people or property, the  
               transmission of telephone and telegraph messages, or the  
               production, generation, transmission, or furnishing of  
               heat, light, water, power, storage, or wharfage directly or  









                                                                  SB 699
                                                                  Page B
               indirectly to or for the public, and common carriers, are  
               public utilities subject to control by the Legislature.  
               (Article 12, Section 3, California Constitution)

             2)   Authorizes the PUC to fix rates, establish rules,  
               examine records, issue subpoenas, administer oaths, take  
               testimony, punish for contempt, and prescribe a uniform  
               system of accounts for all public utilities subject to its  
               jurisdiction. (Article 12, Section 6 of the California  
               Constitution)

             3)   Authorizes the PUC to set standards for inspection,  
               maintenance, repair, and replacement standards for  
               electrical distribution systems of investor-owned electric  
               utilities and report annually on compliance with those  
               standards. Requires each utility to publically report  
               annually on compliance with these standards. Requires the  
               PUC to determine whether the standards have been met and  
               order appropriate sanctions, including penalties or  
               monetary fines. (Public Utilities Code 364)

             4)   Authorizes the PUC to adopt rules for public utilities  
               regarding a showing of information to be made in support of  
               proposed rate changes and allowing opportunities to protest  
               those rate changes. (Public Utilities Code 454(c))

             5)   Provides that the PUC may withhold public access to  
               information given to the PUC by a public utility (or  
               subsidiaries, affiliates or corporations hold a controlling  
               interest in a public utility) and establishes that any  
               present or former officer or employee of the commission who  
               divulges any such information is guilty of a misdemeanor.  
               (Public Utilities Code 583)

             6)   Authorizes the PUC to order IOUs to make additions,  
               extensions, repairs, or improvements to, or changes in, the  
               existing plant, equipment, apparatus, facilities to promote  
               the security of employees or the public to secure adequate  
               service or facilities. (Public Utilities Code 762)

           FISCAL EFFECT  :   UNKNOWN

           COMMENTS  :   

              1)   Author's statement:  According to the author, "The  









                                                                  SB 699
                                                                  Page C
               security of our nation's infrastructure is of paramount  
               importance.  The recent sophisticated attack on an electric  
               substation that a former vice president at PG&E described  
               as a "dress rehearsal" for future attacks is evidence-not  
               only that we are vulnerable-but that our vulnerabilities  
               are clearly understood by those who wish to exploit them.   
               As has been made clear by a recent National Research  
               Council report, one of the best ways to protect ourselves  
               from an attack on the electric grid is to lessen the damage  
               that any attack can do.  If we lessen the consequence of  
               the failure of any one location or piece of equipment, if  
               we increase the speed with which we can respond to an  
               outage, if we can protect critical facilities from power  
               disruption by using clean distributed generation, then the  
               effort required for a malicious actor to seriously disrupt  
               our power delivery system will make the target much less  
               interesting-and we will be left with a more reliable grid."

              2)   An attack on an electrical substation in California.  A  
               major driver of this bill is based on extensive damage that  
               occurred in April 2013 at an electrical substation caused  
               by a physical attack (approximately 100 rounds from a  
               high-powered rifle) fired on electrical equipment. The  
               severity of the damage and the appearance that the attack  
               was well planned raised attention to the extent to which  
               critical electric infrastructure were vulnerable to  
               potential terrorist attacks and raised questions about the  
               extent to which utilities addressed potential  
               vulnerabilities. In this incident the utility successfully  
               rerouted power to maintain electrical services and the  
               California Independent System Operator called for customer  
               conservation to maintain electrical system frequency within  
               federal regulatory requirements.

               Investigations into identifying the perpetrator(s) of the  
               attack are ongoing.

              3)   Attacks on the electric power system.  Although attacks  
               on electric infrastructure are not frequent in the U.S.,  
               they are prevalent in other parts of the world. The  
               National Research Council (NRC) report "Terrorism in the  
               Electric Power System"<1> states that, from 1996-2006,  
               terrorists groups in various parts of the world conducted  


             --------------------------
          <1> National Research Council, Terrorism in the Electric Power  
          System, 2012.  http://www.nap.edu/catalog.php?record_id=12050  








                                                                  SB 699
                                                                  Page D
               2,500 attacks on transmission lines and towers and more  
               than 500 attacks on substations.

               The report found that "well-planned attacks on the power  
               system, undertaken by informed terrorists, could result in  
               power outages with extents and durations that are much  
               larger than those produced by all but the largest natural  
               events," but that "any increase in the reliability of the  
               power grid makes the system more capable of withstanding  
               terrorist attacks, more able to mitigate the impacts of  
               such, and less interesting as a target of terrorists." 

              4)   Distinction between federal and state jurisdiction of  
               the electricity grid.  The Federal Energy Regulatory  
               Commission (FERC) is a federal agency that regulates the  
               interstate transmission of electricity, natural gas, and  
               oil, including regulations of transmission and wholesale  
               sales of electricity in interstate commerce. California  
               utilities own and operate facilities that are regulated by  
               FERC.
                
                The PUC regulates investor owned electric, gas, water,  
               rail, some telecommunication companies. The PUC has  
               authority to order the California Investor Owned Utilities  
               (IOUs) to maintain distribution infrastructure and make  
               improvements as deemed necessary and allow the IOUs to  
               recover these costs in rates.

               California's Publicly Owned Utilities (POUs) are  
               self-governing by a local government (city or county) or an  
               independently elected Board of Directors.

               The attack occurred at an electrical substation under the  
               jurisdiction of FERC. Similarly, interstate natural gas  
               pipelines are under the jurisdiction of FERC. Most  
               telecommunication industries are regulated by the Federal  
               Communication Commission.

                The author may wish to consider an amendment to clarify  
               that this statute excludes facilities under federal  
               regulatory jurisdiction and applies electrical facilities  
               under PUC jurisdiction.

             5)   FERC directive on security threats.   Immediately  
               following the attack, FERC took action with the National  









                                                                  SB 699
                                                                  Page E
               Electrical Reliability Corporation (NERC), Department of  
               Homeland Security, Department of Energy, Federal Bureau of  
               Investigation, state agencies, and transmission and  
               generation asset owners and operators. FERC coordinated  
               with these groups to inform utilities about the specific  
               facts of the attack and the need for asset owners to  
               increase the physical protection of key facilities. FERC  
               has also conducted detailed grid modeling to identify the  
               most critical facilities and helped identify protective  
               measures that would be appropriate for particular types of  
               facilities and locations.
                
                On March 7, 2014, FERC directed<2> NERC to develop  
               reliability standards that require owners and operators of  
               the Bulk-Power System to address risks due to physical  
               security threats and vulnerabilities. The new physical  
               security standards must be written by NERC within 90 days  
               (by June 5, 2014). FERC expects the standards will require  
               owners or operators to:
               a)     Perform a risk assessment of their systems to  
                 identify 'critical facilities.'
               b)     Evaluate possible threats and vulnerabilities to  
                 critical facilities.
               c)     Develop and implement a security plan designed for  
                 critical facilities based on the assessment of the  
                 potential threats and vulnerabilities to their physical  
                 security.

              1)   Distribution system vulnerabilities and impacts  .  
               Distribution system vulnerabilities with respect to attacks  
               on distribution systems are different than those for  
               electric transmission systems. Whereas a transmission  
               system incident can have a widespread impact affecting  
               millions of customers, distribution system incidents have  
               local impacts that affect far fewer customers in a limited  
               region. Additionally, IOUs have the capability, in most  
               circumstances, to reroute electricity deliveries so that  
               outage duration is limited. 
                
                Copper theft and vandalism are the most common disruptors  
               of the electric distribution system. IOUs and POUs have  
               -------------------------
          <2>Federal Energy Regulatory Commission, "Reliability Standards  
          for Physical Security Measures", Docket No. RD14-6-000,  
           http://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=13479401 
           








                                                                  SB 699
                                                                  Page F
               experience with criminalist activity and vandalism (copper  
               theft, vandalism, etc.) on their electrical facilities.   
               For example, in June 2009 two thieves were found  
               electrocuted in San Jacinto in an attempt to remove copper  
               from an electrical box. The incident resulted in a brief  
               power outage affecting 1,600 residents. In April 2012 a  
               copper thief in Fontana was fatally electrocuted cutting a  
               live electrical wire in an attempt to steal copper. This  
               incident resulted in a local power outage lasting  
               approximately 90 minutes affecting 3,100 customers of  
               Southern California Edison.

               In 2012, AB 316 (Carter) established copper theft to be  
               punishable by a fine of up $10,500 and/or imprisonment of  
               up to 3 years.

              2)   Confidentiality of vulnerability assessments and  
               security.  Under Section 583 of the Public Utilities Code,  
               no information furnished to the PUC by a public utility  
               shall be open to the public, except those matters  
               specifically required to be open to the public. This code  
               allows the PUC the authority to withhold information it  
               deems sensitive, such as security plans. 
                
               The author may wish to consider an amendment that removes  
               language in 761.4(c) related to public access to security  
               plans.  

              3)   PUC policies and procedures related to security  
               information.  The PUC's General Order 166 currently  
               establishes emergency response planning, coordination, and  
               training between IOUs and first responders. SB 699 proposes  
               requirements similar to General Order 166 except that it  
               adds a requirement to develop "an official memorandum of  
               understanding (MOU) with state and local law enforcement  
               officials." It is unclear how the addition of an MOU would  
               enhance or improve existing requirements. 
                
               The author may wish to consider an amendment to strike  
               761.6(a).  

              4)   Utility worker first responder status.  First responders  
               in California are generally considered law enforcement,  
               fire safety, or medical personnel. Emergency response  
               training is also addressed by the PUC's General Order 166.  









                                                                  SB 699
                                                                  Page G
               As written in SB 699, it is unclear why designating a  
               utility worker as a first responder is needed. The PUC's  
               General Order 166 current establishes emergency response  
               planning, coordination, and training between IOUs and first  
               responders.
                
               The author may wish to consider an amendment to strike  
               761.6(b).  

              5)   Should security assessments be included in annual  
               assessments that are already required under current law?   
               Current law requires the PUC to set standards set standards  
               for inspection, maintenance, repair, and replacement  
               standards for electrical distribution systems of IOUs and  
               report annually on compliance with those standards. In  
               addition, existing law requires IOUs to publicly report  
               annually on compliance with these standards.

               The PUC recently (March 2014) initiated a review of IOU  
               security programs to investigate means and methods used to  
               prevent disruptions of electrical service at substations,  
               plans and procedures to respond to disruptions, and  
               emergency response plans.  This will be followed by a  
               workshop to discuss current security measures (the workshop  
               will not be open to the public). The PUC will use the  
               information to inform a security recommendation report that  
               it plans to complete by September 2014.
                
               The author may wish to consider an amendment to direct the  
               PUC to include security considerations in its current  
               standards for electrical distribution systems. This would  
               necessitate striking proposed Section 761.4 and placing it  
               instead in Public Utilities Code Section 364. By so doing,  
               this would clarify that that this statute (1) applies only  
               to electric IOUs under PUC jurisdiction and not to systems  
               under FERC jurisdiction and (2) allow the PUC's current  
               authority to deem sections of the annual report  
               confidential for the purposes of the IOU annual reports. 

             6)   Support and Opposition
               
               Opponents have concerns with public access to security  
               plans, and the potential for individuals with malicious  
               intent to use confidential information to harm facilities.  
               They point out that cyber security plans are already being  









                                                                  SB 699
                                                                  Page H
               addressed through state and national legislation, and  
               believe SB 699 should exclude cyber security plans to avoid  
               duplicity and inconsistent standards and plans. Another  
               concern is the establishment of memorandums of  
               understanding with law enforcement, and the real world  
               implications of this requirement. Additionally, they argue  
               that designating utility workers as first responders should  
               be carefully evaluated. Finally, they believe the July 1,  
               2015 implementation date may be too aggressive, as they are  
               trying to coordinate security plans with national standards  
               being developed by FERC.
                
             7)   Summary of suggested amendments  .  

                 SECTION 1.  Section 761.4 is added to the Public Utilities  
               Code, to read:   
                 761.4.  (a) On or before July 1, 2015, an electrical  
               corporation shall submit to the commission a security plan  
               to enhance the robustness and resilience of its electrical  
               distribution facilities that identifies improvements to  
               achieve all of the following:   
                 (1) Make the power delivery system less vulnerable to  
               security threats, whether physical, cyber, or  
               personnel-related, which may include the hardening of key  
               substations and control centers, increased physical  
               surveillance, and increased air-gapping of electronic  
               communication and control systems.  
                 (2) Reduce the consequence of successful security breaches,  
               which may include more robust substation and grid design,  
               infrastructure modernization, and selective demandside  
               management.   
                 (3) Improve the speed of power restoration in the event of  
               a successful security breach, which may include enhanced  
               training of relevant personnel, improved blackstart  
               capability, and acquisition of convenient locations for  
               critical spare parts.   
                 (4) Make critical services less vulnerable while the  
               delivery of conventional electric power has been disrupted,  
               which may include the avoidance of cross dependencies and  
               the collocation of generation or storage with critical  
               loads such as pumps for water supply.   
                 (b) In developing its plan, an electrical corporation shall  
               consider improvements that can be incorporated  
               cost-effectively and consistent with reductions or  
               increases in local generation capacity needs, safety and  









                                                                  SB 699
                                                                  Page I
               reliability needs, planned efforts to promote distributed  
               resources, demandside management, smart grid, and other  
               security efforts undertaken at the regional and national  
               level.   
                 (c) The commission, in consultation with each electrical  
               corporation and applicable local, state, and federal  
               agencies, shall determine an appropriate level of public  
               access to the security plan submitted by the electrical  
               corporation that is consistent with Section 583 and  
               existing commission policies.  A determination that the  
               commission makes regarding public access to security plans  
               shall not create barriers to essential information sharing  
               between local, state, and federal law enforcement and  
               emergency response agencies.  The commission shall make  
               this determination before accepting the security plan from  
               an electrical corporation.   
                 (d) The commission shall review each distribution security  
               plan and approve, or modify and approve, the plan for that  
               corporation.   
                 (e) The commission shall consider the costs of constructing  
               distribution infrastructure necessary to implement the  
               security plan as a part of the next general rate case for  
               the electrical corporation unless the commission determines  
               otherwise. The commission may also adopt criteria,  
               benchmarks, and accountability mechanisms to evaluate the  
               success of any investment authorized pursuant to the  
               security plan.   
                 SEC. 2.  Section 761.6 is added to the Public Utilities  
               Code, to read:   
                 761.6  (a) An electrical or gas corporation shall develop  
               official memorandum of understanding with state and local  
               law enforcement officials that describes each party's  
               responsibilities before, during, and immediately following  
               deliberate destruction of the electrical or gas  
               corporation's equipment that leads to a disruption of  
               electric or gas service. The memorandum of understanding  
               shall provide a clear understanding of who is in charge and  
               explain how decisions will be reached in dealing with  
               potential tensions between crime scene investigation and  
               timely restoration of service, as well as with  
               unanticipated contingencies.  
                 (b) An electrical or gas corporation, after consultation  
               with, and approval from, the Department of the California  
               Highway Patrol, shall train and designate relevant  
               employees as first responders to manage infrastructure  









                                                                  SB 699
                                                                  Page J
               hazards and restore essential gas and electric service in  
               the event of an accident, natural disaster, or security  
               breach.  The of the California Highway Patrol may impose  
               any requirements necessary to ensure that the designation  
               of relevant electrical or gas corporation employees  
               promotes public health, safety, and security.   
                SEC 1.  
                The Legislature finds and declares the following:  
                                                                                      a)     Physical or electronic threats to the electrical  
                 distribution system could threaten public health and  
                 safety and disrupt economic activity in California.
               b)     Ensuring appropriate actions are taken to protect  
                 and secure vulnerable electrical distribution system  
                 assets from physical or electronic threats that could  
                 disrupt safe and reliable electricity service, or disrupt  
                 essential public services such as safe drinking water  
                 supplies, are in the public interest.
               c)     Proper planning, in coordination with the  
                 appropriate federal and state regulatory and law  
                 enforcement authorities, will help prepare for attacks on  
                 the electric distribution system and thereby help reduce  
                 the potential consequences of such attacks.
                SEC 2. Section 364 of the Public Utilities Code is amended,  
               to read:  
                364. (a) The commission shall adopt inspection,  
               maintenance, repair, and replacement standards  , and address  
               security threats,  for the distribution systems of  
               investor-owned electric utilities  no later than March 31,  
               1997   by no later than July 1, 2015.  The standards, which  
               shall be performance or prescriptive standards, or both,  
                and may be based on risk management,  as appropriate, for  
               each substantial type of distribution equipment or  
               facility, shall provide for high quality, safe and reliable  
               service.  
                (b) In setting its standards, the commission shall  
               consider: cost, local geography and weather, applicable  
               codes,  addressing security threats  , national electric  
               industry practices, sound engineering judgment, and  
               experience. The commission shall also adopt standards for  
               operation, reliability, and safety during periods of  
               emergency and disaster. The commission shall require each  
               utility to report annually on its compliance with the  
               standards. That report shall be made available to the  
               public.  
                (c) The commission shall conduct a review to determine  









                                                                  SB 699
                                                                  Page K
               whether the standards prescribed in this section have been  
               met. If the commission finds that the standards have not  
               been met, the commission may order appropriate sanctions,  
               including penalties in the form of rate reductions or  
               monetary fines. The review shall be performed after every  
               major outage. Any money collected pursuant to this  
               subdivision shall be used to offset funding for the  
               California Alternative Rates for Energy Program.  
           
           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          None on file.

           Opposition 
           
          Pacific Gas and Electric (PG&E) (oppose unless amended)
           
          Analysis Prepared by  :    Brandon Gaytan / U. & C. / (916)  
          319-2083