BILL ANALYSIS ��
SB 699
Page A
Date of Hearing: March 17, 2014
ASSEMBLY COMMITTEE ON UTILITIES AND COMMERCE
Steven Bradford, Chair
SB 699 (Hill) - As Amended: March 12, 2014
SENATE VOTE : (vote not relevant)
SUBJECT : Public utilities: electrical and gas corporations.
SUMMARY : This bill requires electrical corporations to submit
security plans to the California Public Utilities Commission
(PUC) and coordinate with law enforcement to achieve the goals
of the security plan. Specifically, this bill :
1) Requires investor owned utilities (IOUs) to prepare and
submit security plans on or before July 1, 2015.
2) Allows the PUC to review, modify, and approve the
security plan, and determine the level of public access to
the security plan.
3) Provides that implementation costs related to security
plans are considered during the electrical corporation's
next general rate case application.
4) Requires electrical or gas corporations to establish a
memorandum of understanding (MOU) with law enforcement to
coordinate in the event of deliberate destruction of
utility equipment.
5) Requires electric and gas utilities, in consultation
with the California Highway Patrol, to designate certain
employees as first responders to manage hazards and restore
service following an accident, natural disaster, or
security breach.
EXISTING LAW
1) Establishes that private corporations and persons that
own, operate, control, or manage a line, plant, or system
for the transportation of people or property, the
transmission of telephone and telegraph messages, or the
production, generation, transmission, or furnishing of
heat, light, water, power, storage, or wharfage directly or
�
SB 699
Page B
indirectly to or for the public, and common carriers, are
public utilities subject to control by the Legislature.
(Article 12, Section 3, California Constitution)
2) Authorizes the PUC to fix rates, establish rules,
examine records, issue subpoenas, administer oaths, take
testimony, punish for contempt, and prescribe a uniform
system of accounts for all public utilities subject to its
jurisdiction. (Article 12, Section 6 of the California
Constitution)
3) Authorizes the PUC to set standards for inspection,
maintenance, repair, and replacement standards for
electrical distribution systems of investor-owned electric
utilities and report annually on compliance with those
standards. Requires each utility to publically report
annually on compliance with these standards. Requires the
PUC to determine whether the standards have been met and
order appropriate sanctions, including penalties or
monetary fines. (Public Utilities Code 364)
4) Authorizes the PUC to adopt rules for public utilities
regarding a showing of information to be made in support of
proposed rate changes and allowing opportunities to protest
those rate changes. (Public Utilities Code 454(c))
5) Provides that the PUC may withhold public access to
information given to the PUC by a public utility (or
subsidiaries, affiliates or corporations hold a controlling
interest in a public utility) and establishes that any
present or former officer or employee of the commission who
divulges any such information is guilty of a misdemeanor.
(Public Utilities Code 583)
6) Authorizes the PUC to order IOUs to make additions,
extensions, repairs, or improvements to, or changes in, the
existing plant, equipment, apparatus, facilities to promote
the security of employees or the public to secure adequate
service or facilities. (Public Utilities Code 762)
FISCAL EFFECT : UNKNOWN
COMMENTS :
1) Author's statement: According to the author, "The
�
SB 699
Page C
security of our nation's infrastructure is of paramount
importance. The recent sophisticated attack on an electric
substation that a former vice president at PG&E described
as a "dress rehearsal" for future attacks is evidence-not
only that we are vulnerable-but that our vulnerabilities
are clearly understood by those who wish to exploit them.
As has been made clear by a recent National Research
Council report, one of the best ways to protect ourselves
from an attack on the electric grid is to lessen the damage
that any attack can do. If we lessen the consequence of
the failure of any one location or piece of equipment, if
we increase the speed with which we can respond to an
outage, if we can protect critical facilities from power
disruption by using clean distributed generation, then the
effort required for a malicious actor to seriously disrupt
our power delivery system will make the target much less
interesting-and we will be left with a more reliable grid."
2) An attack on an electrical substation in California. A
major driver of this bill is based on extensive damage that
occurred in April 2013 at an electrical substation caused
by a physical attack (approximately 100 rounds from a
high-powered rifle) fired on electrical equipment. The
severity of the damage and the appearance that the attack
was well planned raised attention to the extent to which
critical electric infrastructure were vulnerable to
potential terrorist attacks and raised questions about the
extent to which utilities addressed potential
vulnerabilities. In this incident the utility successfully
rerouted power to maintain electrical services and the
California Independent System Operator called for customer
conservation to maintain electrical system frequency within
federal regulatory requirements.
Investigations into identifying the perpetrator(s) of the
attack are ongoing.
3) Attacks on the electric power system. Although attacks
on electric infrastructure are not frequent in the U.S.,
they are prevalent in other parts of the world. The
National Research Council (NRC) report "Terrorism in the
Electric Power System"<1> states that, from 1996-2006,
terrorists groups in various parts of the world conducted
--------------------------
<1> National Research Council, Terrorism in the Electric Power
System, 2012. http://www.nap.edu/catalog.php?record_id=12050
�
SB 699
Page D
2,500 attacks on transmission lines and towers and more
than 500 attacks on substations.
The report found that "well-planned attacks on the power
system, undertaken by informed terrorists, could result in
power outages with extents and durations that are much
larger than those produced by all but the largest natural
events," but that "any increase in the reliability of the
power grid makes the system more capable of withstanding
terrorist attacks, more able to mitigate the impacts of
such, and less interesting as a target of terrorists."
4) Distinction between federal and state jurisdiction of
the electricity grid. The Federal Energy Regulatory
Commission (FERC) is a federal agency that regulates the
interstate transmission of electricity, natural gas, and
oil, including regulations of transmission and wholesale
sales of electricity in interstate commerce. California
utilities own and operate facilities that are regulated by
FERC.
The PUC regulates investor owned electric, gas, water,
rail, some telecommunication companies. The PUC has
authority to order the California Investor Owned Utilities
(IOUs) to maintain distribution infrastructure and make
improvements as deemed necessary and allow the IOUs to
recover these costs in rates.
California's Publicly Owned Utilities (POUs) are
self-governing by a local government (city or county) or an
independently elected Board of Directors.
The attack occurred at an electrical substation under the
jurisdiction of FERC. Similarly, interstate natural gas
pipelines are under the jurisdiction of FERC. Most
telecommunication industries are regulated by the Federal
Communication Commission.
The author may wish to consider an amendment to clarify
that this statute excludes facilities under federal
regulatory jurisdiction and applies electrical facilities
under PUC jurisdiction.
5) FERC directive on security threats. Immediately
following the attack, FERC took action with the National
�
SB 699
Page E
Electrical Reliability Corporation (NERC), Department of
Homeland Security, Department of Energy, Federal Bureau of
Investigation, state agencies, and transmission and
generation asset owners and operators. FERC coordinated
with these groups to inform utilities about the specific
facts of the attack and the need for asset owners to
increase the physical protection of key facilities. FERC
has also conducted detailed grid modeling to identify the
most critical facilities and helped identify protective
measures that would be appropriate for particular types of
facilities and locations.
On March 7, 2014, FERC directed<2> NERC to develop
reliability standards that require owners and operators of
the Bulk-Power System to address risks due to physical
security threats and vulnerabilities. The new physical
security standards must be written by NERC within 90 days
(by June 5, 2014). FERC expects the standards will require
owners or operators to:
a) Perform a risk assessment of their systems to
identify 'critical facilities.'
b) Evaluate possible threats and vulnerabilities to
critical facilities.
c) Develop and implement a security plan designed for
critical facilities based on the assessment of the
potential threats and vulnerabilities to their physical
security.
1) Distribution system vulnerabilities and impacts .
Distribution system vulnerabilities with respect to attacks
on distribution systems are different than those for
electric transmission systems. Whereas a transmission
system incident can have a widespread impact affecting
millions of customers, distribution system incidents have
local impacts that affect far fewer customers in a limited
region. Additionally, IOUs have the capability, in most
circumstances, to reroute electricity deliveries so that
outage duration is limited.
Copper theft and vandalism are the most common disruptors
of the electric distribution system. IOUs and POUs have
-------------------------
<2>Federal Energy Regulatory Commission, "Reliability Standards
for Physical Security Measures", Docket No. RD14-6-000,
http://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=13479401
�
SB 699
Page F
experience with criminalist activity and vandalism (copper
theft, vandalism, etc.) on their electrical facilities.
For example, in June 2009 two thieves were found
electrocuted in San Jacinto in an attempt to remove copper
from an electrical box. The incident resulted in a brief
power outage affecting 1,600 residents. In April 2012 a
copper thief in Fontana was fatally electrocuted cutting a
live electrical wire in an attempt to steal copper. This
incident resulted in a local power outage lasting
approximately 90 minutes affecting 3,100 customers of
Southern California Edison.
In 2012, AB 316 (Carter) established copper theft to be
punishable by a fine of up $10,500 and/or imprisonment of
up to 3 years.
2) Confidentiality of vulnerability assessments and
security. Under Section 583 of the Public Utilities Code,
no information furnished to the PUC by a public utility
shall be open to the public, except those matters
specifically required to be open to the public. This code
allows the PUC the authority to withhold information it
deems sensitive, such as security plans.
The author may wish to consider an amendment that removes
language in 761.4(c) related to public access to security
plans.
3) PUC policies and procedures related to security
information. The PUC's General Order 166 currently
establishes emergency response planning, coordination, and
training between IOUs and first responders. SB 699 proposes
requirements similar to General Order 166 except that it
adds a requirement to develop "an official memorandum of
understanding (MOU) with state and local law enforcement
officials." It is unclear how the addition of an MOU would
enhance or improve existing requirements.
The author may wish to consider an amendment to strike
761.6(a).
4) Utility worker first responder status. First responders
in California are generally considered law enforcement,
fire safety, or medical personnel. Emergency response
training is also addressed by the PUC's General Order 166.
�
SB 699
Page G
As written in SB 699, it is unclear why designating a
utility worker as a first responder is needed. The PUC's
General Order 166 current establishes emergency response
planning, coordination, and training between IOUs and first
responders.
The author may wish to consider an amendment to strike
761.6(b).
5) Should security assessments be included in annual
assessments that are already required under current law?
Current law requires the PUC to set standards set standards
for inspection, maintenance, repair, and replacement
standards for electrical distribution systems of IOUs and
report annually on compliance with those standards. In
addition, existing law requires IOUs to publicly report
annually on compliance with these standards.
The PUC recently (March 2014) initiated a review of IOU
security programs to investigate means and methods used to
prevent disruptions of electrical service at substations,
plans and procedures to respond to disruptions, and
emergency response plans. This will be followed by a
workshop to discuss current security measures (the workshop
will not be open to the public). The PUC will use the
information to inform a security recommendation report that
it plans to complete by September 2014.
The author may wish to consider an amendment to direct the
PUC to include security considerations in its current
standards for electrical distribution systems. This would
necessitate striking proposed Section 761.4 and placing it
instead in Public Utilities Code Section 364. By so doing,
this would clarify that that this statute (1) applies only
to electric IOUs under PUC jurisdiction and not to systems
under FERC jurisdiction and (2) allow the PUC's current
authority to deem sections of the annual report
confidential for the purposes of the IOU annual reports.
6) Support and Opposition
Opponents have concerns with public access to security
plans, and the potential for individuals with malicious
intent to use confidential information to harm facilities.
They point out that cyber security plans are already being
�
SB 699
Page H
addressed through state and national legislation, and
believe SB 699 should exclude cyber security plans to avoid
duplicity and inconsistent standards and plans. Another
concern is the establishment of memorandums of
understanding with law enforcement, and the real world
implications of this requirement. Additionally, they argue
that designating utility workers as first responders should
be carefully evaluated. Finally, they believe the July 1,
2015 implementation date may be too aggressive, as they are
trying to coordinate security plans with national standards
being developed by FERC.
7) Summary of suggested amendments .
SECTION 1. Section 761.4 is added to the Public Utilities
Code, to read:
761.4. (a) On or before July 1, 2015, an electrical
corporation shall submit to the commission a security plan
to enhance the robustness and resilience of its electrical
distribution facilities that identifies improvements to
achieve all of the following:
(1) Make the power delivery system less vulnerable to
security threats, whether physical, cyber, or
personnel-related, which may include the hardening of key
substations and control centers, increased physical
surveillance, and increased air-gapping of electronic
communication and control systems.
(2) Reduce the consequence of successful security breaches,
which may include more robust substation and grid design,
infrastructure modernization, and selective demandside
management.
(3) Improve the speed of power restoration in the event of
a successful security breach, which may include enhanced
training of relevant personnel, improved blackstart
capability, and acquisition of convenient locations for
critical spare parts.
(4) Make critical services less vulnerable while the
delivery of conventional electric power has been disrupted,
which may include the avoidance of cross dependencies and
the collocation of generation or storage with critical
loads such as pumps for water supply.
(b) In developing its plan, an electrical corporation shall
consider improvements that can be incorporated
cost-effectively and consistent with reductions or
increases in local generation capacity needs, safety and
�
SB 699
Page I
reliability needs, planned efforts to promote distributed
resources, demandside management, smart grid, and other
security efforts undertaken at the regional and national
level.
(c) The commission, in consultation with each electrical
corporation and applicable local, state, and federal
agencies, shall determine an appropriate level of public
access to the security plan submitted by the electrical
corporation that is consistent with Section 583 and
existing commission policies. A determination that the
commission makes regarding public access to security plans
shall not create barriers to essential information sharing
between local, state, and federal law enforcement and
emergency response agencies. The commission shall make
this determination before accepting the security plan from
an electrical corporation.
(d) The commission shall review each distribution security
plan and approve, or modify and approve, the plan for that
corporation.
(e) The commission shall consider the costs of constructing
distribution infrastructure necessary to implement the
security plan as a part of the next general rate case for
the electrical corporation unless the commission determines
otherwise. The commission may also adopt criteria,
benchmarks, and accountability mechanisms to evaluate the
success of any investment authorized pursuant to the
security plan.
SEC. 2. Section 761.6 is added to the Public Utilities
Code, to read:
761.6 (a) An electrical or gas corporation shall develop
official memorandum of understanding with state and local
law enforcement officials that describes each party's
responsibilities before, during, and immediately following
deliberate destruction of the electrical or gas
corporation's equipment that leads to a disruption of
electric or gas service. The memorandum of understanding
shall provide a clear understanding of who is in charge and
explain how decisions will be reached in dealing with
potential tensions between crime scene investigation and
timely restoration of service, as well as with
unanticipated contingencies.
(b) An electrical or gas corporation, after consultation
with, and approval from, the Department of the California
Highway Patrol, shall train and designate relevant
employees as first responders to manage infrastructure
�
SB 699
Page J
hazards and restore essential gas and electric service in
the event of an accident, natural disaster, or security
breach. The of the California Highway Patrol may impose
any requirements necessary to ensure that the designation
of relevant electrical or gas corporation employees
promotes public health, safety, and security.
SEC 1.
The Legislature finds and declares the following:
a) Physical or electronic threats to the electrical
distribution system could threaten public health and
safety and disrupt economic activity in California.
b) Ensuring appropriate actions are taken to protect
and secure vulnerable electrical distribution system
assets from physical or electronic threats that could
disrupt safe and reliable electricity service, or disrupt
essential public services such as safe drinking water
supplies, are in the public interest.
c) Proper planning, in coordination with the
appropriate federal and state regulatory and law
enforcement authorities, will help prepare for attacks on
the electric distribution system and thereby help reduce
the potential consequences of such attacks.
SEC 2. Section 364 of the Public Utilities Code is amended,
to read:
364. (a) The commission shall adopt inspection,
maintenance, repair, and replacement standards , and address
security threats, for the distribution systems of
investor-owned electric utilities no later than March 31,
1997 by no later than July 1, 2015. The standards, which
shall be performance or prescriptive standards, or both,
and may be based on risk management, as appropriate, for
each substantial type of distribution equipment or
facility, shall provide for high quality, safe and reliable
service.
(b) In setting its standards, the commission shall
consider: cost, local geography and weather, applicable
codes, addressing security threats , national electric
industry practices, sound engineering judgment, and
experience. The commission shall also adopt standards for
operation, reliability, and safety during periods of
emergency and disaster. The commission shall require each
utility to report annually on its compliance with the
standards. That report shall be made available to the
public.
(c) The commission shall conduct a review to determine
�
SB 699
Page K
whether the standards prescribed in this section have been
met. If the commission finds that the standards have not
been met, the commission may order appropriate sanctions,
including penalties in the form of rate reductions or
monetary fines. The review shall be performed after every
major outage. Any money collected pursuant to this
subdivision shall be used to offset funding for the
California Alternative Rates for Energy Program.
REGISTERED SUPPORT / OPPOSITION :
Support
None on file.
Opposition
Pacific Gas and Electric (PG&E) (oppose unless amended)
Analysis Prepared by : Brandon Gaytan / U. & C. / (916)
319-2083