COM/CR6/avs Date of Issuance 1/22/2019
Decision 19-01-018 January 10, 2019
BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA
Order Instituting Rulemaking
Regarding Policies, Procedures and
Rules for Regulation of Physical
Security for the Electric Supply
Facilities of Electrical Corporations
Consistent with Public Utilities Code
Section 364 and to Establish Standards
for Disaster and Emergency
Preparedness Plans for Electrical
Corporations and Regulated Water
Companies Pursuant to Public Utilities
Code Section 768.6.
Rulemaking 15-06-009
PHASE I DECISION ON ORDER INSTITUTING RULEMAKING
REGARDING THE PHYSICAL SECURITY OF
ELECTRICAL CORPORATIONS
ATTACHMENT 1
R.15-06-009 COM/CR6/avs
TABLE OF CONTENTS
PHASE I DECISION ON ORDER INSTITUTING RULEMAKING REGARDING THE PHYSICAL SECURITY OF ELECTRICAL CORPORATIONS
Summary
1. Factual Background
1.1. Procedural Background
2. Electric Physical Security Prior to Metcalf
3. Jurisdictional Issue
3.1. Position of CMUA, LADWP, NRECA and SMUD
3.3. Safety Policy Concerns Support Commission Jurisdiction by POUs in Phase I
3.4. Phase II Jurisdiction
4. The Joint Utility Proposal
4.1. Identification
4.2. Assessment
4.3. Mitigation Plan
4.4. Verification
4.5. Records
4.6. Timelines and Frequency
4.7. Cost
5. SED RASA Staff Evaluation of Joint Utility Proposal, Security Plan Element and SED RASA Recommendations
6. Guiding Principles of California Electric Physical Security
6.1. Six-Step Procedure to Address Utilities’ Distribution Assets
6.2. Additional Requirements for Mitigation Plans
6.2.1. Additional Optional Requirements for Mitigation Plans
6.3. Third-Party Verification
6.4. Third-Party Expert Qualifications
6.5. Access to Information
6.6. Timeline for Implementation
6.7. Reporting
6.8. Cost Recovery
7. Commission Position on Joint Utility Proposal and SED RASA Recommendations
8. Safety Considerations
9. Conclusion
10. Comment Period
11. Assignment of Proceeding
Findings of Fact
Conclusions of Law
ORDER
PHASE I DECISION ON ORDER INSTITUTING RULEMAKING
REGARDING THE PHYSICAL SECURITY
OF ELECTRICAL CORPORATIONS
Summary
This decision requires electric utilities to identify electric distribution assets
that may merit special protection and measures to lessen identified risks and
threats. In order to address the risk of long-term outage to a distribution facility,
each Operator will develop and implement a Mitigation Plan. The Mitigation
Plans will follow a six-step procedure for carrying out these new physical
security plan requirements. The six-step plan is modeled on the security plan
requirements set forth by the North American Electric Reliability Corporation
(NERC) Critical Infrastructure Protocol (CIP)-014.
This decision requires the Investor Owned Utilities (IOUs) to prepare and
submit to the Commission a preliminary assessment of priority facilities for their
distribution assets and control centers (“covered assets”) within 18 months of
this decision. An unaffiliated, third-party review of the plans should be
completed within 27 months of this decision. Within 30 months of this decision,
the IOUs will be required to submit their Final Security Plan Report. Within
30 months, each of the Publicly Owned Utilities (POUs) will be required to
provide the Commission with notice that an independently-reviewed plan has
been adopted.
Sections 8001-8057 of the Public Utilities Code compel the POUs to also
adhere to this decision as it relates to physical security and Phase I of this
proceeding.
Any new rules for emergency and disaster preparedness plans
promulgated within Phase II of this proceeding will not apply to the POUs.
However, the POUs are strongly encouraged to participate in Phase II. This
proceeding will remain open at the conclusion of Phase I to address Phase II
issues.
1. Factual Background
In April 2013, a rifle attack at PG&E’s Metcalf Transmission Substation
south of San Jose resulted in approximately $15.4 million in damages. Although
PG&E initiated various changes to its security protocol, in late August 2014,
burglars entered the Metcalf facility and removed $38,651 of tools and
equipment.1 Changes were made to Pub. Util. Code § 364(a) as a direct result of
the Metcalf incident, addressing the vulnerability of electrical supply facilities to
physical security threats. Phase I of this proceeding was initiated by Senate Bill
(SB) 699 (Stats. 2014, Ch. 550, Sec. 2).
The Federal government swiftly responded to the Metcalf attack, resulting
in new additional provisions to the decade-old Critical Infrastructure Protocols
(CIP). These were developed in a rulemaking conducted by the Federal Energy
Regulatory Commission (FERC). FERC directed the North American Electric
Reliability Corporation (NERC) to establish various criteria for determining
which assets would be subject to the new CIP rules. The CIP rules cover both
physical- and cyber-security rules.
The new CIP rules and requirements (CIP-014) require electric utilities to
employ physical security plans as a way to address vulnerabilities. Among other
things, CIP-014 applies to any asset deemed not redundant and for which failure
of these assets could result in cascading power failures. These rules established a
risk-based protocol that identifies critical transmission assets and control centers.
1 PG&E Metcalf Root Cause Analysis Summary Report. November 21, 2014, at 2.
CIP-014 authorized FERC to establish a uniform, mandatory physical security
standard for the nation’s transmission assets.
On June 11, 2015, the Commission issued an Order Instituting Rulemaking
(OIR) to establish policies, procedures, and rules for the regulation of physical
security risks to the electric supply facilities of electrical corporations consistent
with Public Utilities (Pub. Util.) Code § 364 (Phase I) and to establish standards
for disaster and emergency preparedness plans for electrical corporations and
regulated water companies consistent with Pub. Util. Code § 768.6 (Phase II).2
SB 699 amended Pub. Util. Code § 364 and requires the Commission to
develop rules for addressing physical security risks to the distribution systems of
electrical corporations. Section 364 was amended by SB 699 to read:3
The commission shall … consider adopting rules to address
the physical security risks to the distribution systems of
electrical corporations. The standards or rules, which shall be
prescriptive or performance based, or both, and may be based
on risk management, as appropriate, for each substantial type
of distribution equipment or facility, shall provide for high-
quality, safe, and reliable service.
Section 364(b) continues in relevant part that:
In setting its standards or rules, the commission shall
consider: cost, local geography and weather, applicable
codes, potential physical security risks, national electric
industry practices, sound engineering judgment, and
experience. The commission shall also adopt standards for
operation, reliability, and safety during periods of emergency
and disaster. The commission shall require each electrical
corporation to report annually on its compliance with the
standards or rules. Except as provided in subdivision (d), that
report shall be made available to the public.
2 This decision addresses only Phase I issues. A decision addressing Phase II issues will be
issued once Phase II of this proceeding has concluded.
3 Section 364 was subsequently amended by SB 697, effective January 1, 2016. The subsequent
changes to § 364 after the passage of SB 699 can be found at the following link:
http://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201520160SB697.
Although it might appear that the annual reporting requirement has been deleted from § 364, as
a result of SB 697, this language has simply been relocated to § 590.
Phase II of this proceeding was instituted as a result of Pub. Util. Code
§ 768.6 being added to the Pub. Util. Code by Assembly Bill (AB) 1650. It
requires the Commission to:
Establish standards for disaster and emergency preparedness
plans within an existing proceeding, including, but not
limited to, use of weather reports to preposition manpower
and equipment before anticipated severe weather, methods of
improving communications between governmental agencies
and the public, and methods of working to control and
mitigate an emergency or disaster and its aftereffects.
This language bears similarities to the pre-amendment version of § 364(b), which
states:
In setting its standards, the commission shall consider: cost,
local geography and weather, applicable codes, national
electric industry practices, sound engineering judgment, and
experience. The commission shall also adopt standards for
operation, reliability, and safety during periods of emergency
and disaster.
Phase II of this proceeding is ongoing.
1.1. Procedural Background
An initial prehearing conference (PHC) was held on October 29, 2015. A
supplemental PHC was conducted on February 2, 2017 and a Scoping Memo and
Ruling was issued on March 10, 2017.
The scoping memo set forth the following issues to be addressed in this
proceeding:
1. What is currently in place in terms of physical security
regulations at the state and federal level?
2. What are the key potential physical security risks to
electrical distribution facilities?
3. What new rules, standards, or General Orders or
modifications to existing policies should the Commission
consider to help mitigate physical security risks to
electrical distribution facilities?
4. Should the Commission go beyond the physical security
regulations presented in the NERC CIP-014-2 physical
security regulations?
5. Should any new rules, standards, or General Orders or
modifications to existing policies apply to all electrical
supply facilities within the jurisdiction of the Commission,
including publicly owned electrical utilities and rural
electric cooperatives?
6. What regulations or standards should be established for
small and multi-jurisdictional electric corporations?
7. What has changed since Metcalf and what still needs to be
accomplished in terms of physical security?
8. Are there other factors not listed in Section 364(b) of the
Pub. Util. Code that the Commission should consider
when adopting any new rules, standards, or General
Orders or modifications to existing policies during this
rulemaking that will help to minimize attacks and the
extent of damages?
9. What new rules or standards or modifications to existing
policies should the Commission consider to allow for
adequate disclosure of information to the public without
disclosing sensitive information that could pose a physical
security risk or threat if disclosed?
10. What is the role of cost and risk management in relation to
the mitigation of any potential physical security risks to
electrical supply facilities?
11. Should any new rules, standards, or General Orders or
modifications to existing policies the Commission
considers be prescriptive or performance based, or both?
12. What new rules, standards, or General Orders or
modifications to existing policies should the Commission
consider to ensure continued operation, reliability and
safety during periods of emergencies and disasters as it
relates to the physical security of electrical facilities?
13. How should this rulemaking proceed in order to ensure
consistency with the NERC, Federal Energy Regulatory
Commissions (FERC), the California Independent System
Operator (CAISO), the Department of Homeland Security
(DHS), the Federal Bureau of Investigations (FBI) and
other regulatory agency regulations?
14. What ongoing processes should be instituted to ensure
confidentiality of physical security information while
providing adequate access to necessary information by the
Commission4?
4 Despite the sensitive nature of the documents involved, we remind the utilities that even
without the compulsion of a subpoena, the Commission may under Pub. Util. Code
Sections 313, 314, 314.5, 315, 582, 584, 591, 701, 702, 1794 and 1795, compel information from a
public utility, and that Commission staff has the general investigatory authority of the
Commission. Specifically, we remind the utilities that pursuant to these provisions the
Commission may direct the utilities to provide the requested information in a place and form of
the Commission’s choosing. Any confidential or sensitive information should be marked as
confidential pursuant to Section 583, which mandates the non-disclosure of such information,
and in accordance with the process for declaring exemptions from public disclosure per General
Order 66 D adopted by D.17-09-023 in R.14-11-001, and revised by Assigned Commissioner’s
Ruling of September 28, 2018.
On July 12, 2017, the assigned Administrative Law Judge (ALJ) issued a
ruling requesting that parties file a Straw Proposal for Physical Security
Regulations (Joint Utility Proposal). The Joint Utility Proposal was filed on
August 31, 2017.5 On September 14, 2017, the Office of Ratepayer Advocates
(ORA)6 and the Electric Safety and Reliability Branch of the Safety and
Enforcement Division (SED Advocacy) filed comments on the Joint Utility
Proposal.
On January 3, 2018, the assigned ALJ issued a ruling allowing the parties
to file legal briefs concerning the Commission’s jurisdiction over POUs and rural
electric cooperatives. CMUA, LADWP, NRECA and SMUD filed a joint opening
brief on January 26, 2018, opposing any attempt by the Commission to assert
safety jurisdiction over the POUs and rural cooperatives. Also, on
January 26, 2018, SED Advocacy7 and ORA filed briefs in support of the
Commission’s ability to assert jurisdiction over the POUs. On February 9, 2018,
CMUA, LADWP, NRECA and SMUD jointly filed a reply brief on the
jurisdictional issue. SED Advocacy also filed a reply brief at the same time. On
January 4, 2018, SED’s Risk Assessment and Safety Advisory (RASA) unit8
completed its recommendations and analysis on the Joint Utility Proposal9
(RASA evaluation). On January 16, 2018, the assigned ALJ issued a ruling that
made available the RASA evaluation as an attachment and that requested
comments and reply comments on the RASA evaluation. Comments were filed
on February 9, 2018 by SCE, SDG&E, ORA, SED, SMUD, LADWP, and NRECA.
Reply comments were filed on February 23, 2018 by the same parties. On March
2, 2018, SCE filed sur-reply comments.
5 The parties to the Joint Utility Proposal are: Bear Valley Electric Service, California Municipal
Utilities Association (CMUA), Los Angeles Department of Water & Power (LADWP), Liberty
CalPeco, National Rural Electric Cooperative Association (NRECA), PacifiCorp, Pacific Gas &
Electric Company (PG&E), Sacramento Municipal Utility District (SMUD), San Diego Gas &
Electric Company (SDG&E) and Southern California Edison Company (SCE).
6 Senate Bill (SB) 854 (Stats. 2018, ch. 51) amended Pub. Util. Code Section 309.5(a) so that the
Office of Ratepayer Advocates is now named the Public Advocate’s Office of the Public Utilities
Commission. Because the pleadings in this case were primarily filed under the name Office of
Ratepayer Advocates, we will refer to this party as ORA in this decision.
7 In this proceeding, SED Advocacy is represented by the Electric Safety and Reliability
Branch (ESRB).
8 SED RASA is not a party in this proceeding but provides advisory support to the ALJ and
Assigned Commissioner.
2. Electric Physical Security Prior to Metcalf
Before the Metcalf incident, electric physical security in the United States
had been voluntary and primarily directed at monitoring physical security
incidents. In 2001, NERC issued guidelines prescribing new physical security
requirements for electric utilities, and the Institute for Electric and Electronic
Engineers (IEEE) published its own guidelines titled 1402-2000 IEEE Guide for
Electric Power Substation Physical and Electronic Security.10
In 2010, the National Infrastructure Advisory Council, in conjunction with
the U.S. Department of Homeland Security (DHS), issued A Framework for
Establishing Critical Infrastructure Resilience Goals11 which defined resilience as the
ability to reduce the magnitude and/or duration of disruptive events. The report
noted the potential for public agencies to enhance the resilience of the electricity
sector through policy, planning, standards and regulations. The report also
stressed the importance of improving access to information regarding threats.
9 Safety & Enforcement Division’s Risk Assessment & Safety Advisory (RASA) section evaluation of the
Joint Utility Proposal and Recommendations for Consideration available at
http://docs.cpuc.ca.gov/PublishedDocs/Efile/G000/M204/K457/204457381.PDF
10 https://standards.ieee.org/standard/1402-2000.html.
11 https://www.dhs.gov/publication/niac-framework-establishing-resilience-goals-final-report.
Early in 2013, Presidential Policy Directive 2112 established Federal
agencies’ roles regarding physical- and cyber-security threats. These policies
reemphasized the need for a collaborative approach to security and risk
assessment, with the U.S. Department of Energy (U.S. DOE) overseeing issues
related to the electric utility sector through the newly-formed Electric Subsector
Coordinating Council (ESCC).
3. Jurisdictional Issue
When this rulemaking was initiated, CMUA, LADWP, NRECA and SMUD
objected to any attempt to have either Phase I or II of this proceeding be
applicable to them. They assert that the Commission does not have jurisdiction
to assert any new regulations on them. SED and ORA argue that there is an
underlying safety concern which mandates that this rulemaking apply to them.
CMUA, LADWP, NRECA and SMUD actively participated in Phase I of
this proceeding. The insight and knowledge that they brought to this proceeding
was valuable and the Commission acknowledges their engagement and
contributions. Working together has allowed us to develop an extremely
important set of standards to help ensure the safety of all residents in California.
The Joint Parties agreed to fully participate in Phase I and address the
issue of jurisdiction in legal briefs near the conclusion of Phase I. The
Commission recognizes the high level of cooperation among everyone involved
with Phase I and encourages continued cooperation by everyone in Phase II. We
will now address why new Phase I rules apply to the POUs.
12 https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
3.1. Position of CMUA, LADWP,
NRECA and SMUD
The POUs contend that Commission jurisdiction over POUs’ physical
security is not supported by (1) the statutory language, (2) legislative history,
(3) case law, or (4) policy.
(1) Statutory Language and Legislative History
The POUs argue that Article XI, Section 7 of the California Constitution
provides certain POUs with the authority to own and operate their own utility
systems and self-regulate their operations, and that the statutory and legislative
history demonstrate that SB 699 was not intended to apply to the POUs. SB 699
amended § 364 to provide that “[t]he Commission shall … in a new proceeding
… consider adopting rules to address the physical security risks to the
distribution systems of electrical corporations.”13
The POUs argue they are not “electrical corporations” as traditionally
defined in § 218,14 and that nothing in § 364 provides the Commission with
authority to adopt such rules for the POUs.15 Moreover, they argue that POUs
do not fall within the meaning of “electrical corporations” referenced in § 364(a).
In support of this argument, the POUs quote extensively from SB 699 legislative
reports that appear to exclusively discuss IOUs or expressly state that POUs “are
self-governing by a local government.”16 They state that because the POUs are
not electrical corporations and the legislature did not explicitly refer to POUs in
§ 364(a), it clearly intended to have the requirements of this provision apply
solely to the IOUs.
13 Id. at 8.
14 Opening Brief of CMUA, LADWP, NRECA and SMUD at 10.
15 Id. at 13.
The POUs also state that nowhere in §§ 8001-8057 did the Legislature
provide mechanisms for the Commission to enforce its adopted regulations
against a POU.17 Additionally, they state that § 2107 of the Pub. Util. Code,
which grants the Commission authority to perform investigations and levy fines
against the IOUs, does not apply to the POUs, and the Commission therefore
lacks the authority to levy fines or penalties against them.
(2) Case Law
In addition to statutory language and legislative history, the POUs rely on
County of Inyo v. Pub. Util. Comm’n18 for the proposition that the Commission
has no jurisdiction over them without express statutory authorization.
(3) Public Policy Considerations
The POUs also argue that exempting POUs from the rulemaking would
not pose a public safety threat because POUs are beholden to their local boards
and oversight bodies, which are typically directly-elected officials put in office by
local voters. Because POU customers, the POUs explain, ultimately have the
ability to vote in or out POU board members, the POUs are held accountable and
function under close scrutiny of their local communities.
16 LADWP Opening Comments, July 22, 2015 at 3-5.
17 Joint Parties Opening Brief at 26-27.
18 County of Inyo v. Pub. Util. Comm’n, 26 Cal. 3d 154 (1980) (Tobriner, J.).
In 1996, the Legislature adopted § 364. Section 364(a) required the
Commission to “adopt inspection, maintenance, repair, and replacement
standards.” These maintenance and inspection standards were promulgated and
applied to IOUs in D.97-03-070. The standards were later applied to POUs in
D.98-03-036. CMUA asked for rehearing on the issue of jurisdiction over POUs,
which the Commission denied in D.98-10-059. CMUA then filed a petition to
modify D.98-03-036 and vacate D.98-10-059. This second petition was denied in
D.99-12-052.
Meanwhile, § 364(b) required the Commission to “adopt standards for
operation, reliability, and safety during periods of emergency and disaster.”
These emergency response standards were proposed in D.98-03-036 and applied
to IOUs in D.98-07-097. However, D.98-07-097 clarified that the emergency
response standards did not apply to POUs.
D.98-03-036 and D.98-10-059 attempt to explain why the Commission has
jurisdiction over POUs with respect to § 364(a) inspection and maintenance
standards but not with respect to § 364(b) emergency response standards.
Specifically, D.98-03-036 asserts that under §§ 8001-8057, the “Commission has
historically had authority over the public safety aspects of publicly-owned
utilities. . . ‘for the purpose of safety to employees and the general public.’”19 The
Commission further noted that it not only has the authority to regulate public
safety aspects of the publicly-owned utilities' operations, but that it has a duty to
do so under PU Code § 8037 and § 8056, which expressly required the
Commission to enforce such rules against POUs.20 The Commission’s
jurisdiction over maintenance and construction was affirmed by the California
Supreme Court in Polk v. City of Los Angeles.21 The Legislature did not alter the
Commission’s jurisdiction when it enacted § 364(a); the Commission therefore
rightly concluded that it could apply the maintenance and construction
standards to POUs.22
19 D.98-03-036 at 13.
20 D.98-03-036 at 8.
CMUA argued that §§ 8001-8057 did not confer jurisdiction on the
Commission to regulate the public safety aspects of POUs, and characterized
Polk as merely holding that Commission safety rules established a POU’s duty of
care in a negligence action. D.98-10-059 rejected CMUA’s arguments.
More recently, the Commission summarized its jurisdiction over POUs in
R.08-11-005: “Under Pub. Util. Code §§ 8002, 8037, and 8056, the Commission’s
jurisdiction extended to publicly-owned utilities for the limited purpose of
adopting and enforcing rules governing electric transmission and distribution
facilities to protect the safety of employees and the general public.”23
3.2. Legal Precedent
We now turn to the case law beyond these prior Commission precedents.
Both the POUs and SED Advocacy rely on County of Inyo24 to support contrary
positions. In County of Inyo, Inyo County initiated a complaint proceeding
against LADWP over water rates charged to the County and its residents.25 Inyo
County argued there was a practical need for Commission regulation because
Inyo residents could not vote in Los Angeles elections and thus had no political
remedy for unreasonable water rates charged by LADWP.26 The Commission,
however, dismissed the complaint for want of jurisdiction over POUs, as the
Legislature had not included POUs “within the classes of regulated public
utilities in divisions 1 and 2 of the Public Utilities Code.”
21 Polk v. City of Los Angeles, 26 Cal. 3d 519 (1945).
22 The jurisdictional analysis in D.98-03-036 was written confusingly. In D.98-07-097, the
Commission clarified that the emergency response standards did not apply to POUs but did not
explain further.
23 D.09-08-029 at 8.
24 County of Inyo v. Pub. Util. Comm’n, 26 Cal. 3d 154 (1980) (Tobriner, J.).
25 Id. at 156.
Although the California Supreme Court determined that Commission
jurisdiction over POUs was a constitutional possibility, as legislation conferring
PUC jurisdiction “would fall clearly within the scope of present article XII,
section 5 [of the California Constitution],” it also found that the Legislature had
never enacted such a statute to confer jurisdiction.27 Therefore, despite the
equities favoring Inyo County and its residents, the Court was obliged to affirm
the Commission’s dismissal.
In this proceeding, the POUs argue that “the plain language of Section 364
and SB 699’s legislative history both confirm that POUs are outside the scope of
this OIR” because there is no statute granting jurisdiction.28
In D.98-10-059, the Commission cited to County of Inyo for the proposition
that “Article XII, section 5 authorizes the Legislature’s grant of jurisdiction” over
POUs.29 However, that decision concluded that Commission jurisdiction over
POUs was granted not by § 364, but by §§ 8001-8057, which expressly confer
jurisdiction to regulate electric lines for public safety purposes. The Commission
reasoned that because §§ 8001-8057 were not limited to IOUs and § 364 did not
purport to restrict Commission jurisdiction, it could enforce § 364 against POUs
under §§ 8001-8057. “Moreover,” D.98-10-059 noted, “the Commission’s
jurisdiction is liberally construed” under Consumers Lobby Against Monopolies
v. Pub. Util. Comm’n,30 and therefore “the absence of a specific statutory
authorization [did] not necessarily deprive the Commission of jurisdiction.”31
26 Id. at 156, 158-59.
27 Id. at 164.
28 LADWP Opening Cmt. at 5.
29 D.98-10-059 at 3.
As correctly noted in the Opening Brief of ORA, the Commission has
consistently affirmed its jurisdiction to regulate safety issues concerning POUs.
In D.98-03-036, the Commission held that pursuant to the Pub. Util. Code, it has
the authority and duty to regulate and enforce safety aspects of the POUs.32
ORA contends that the CPUC subsequently affirmed this determination in
D.09-08-029 and D.10-02-034.33 In D.09-08-029, the CPUC concluded that, as a
matter of law, its jurisdiction “extends to POUs for the limited purpose of
adopting and enforcing rules governing electric transmission and distribution
facilities to protect the safety of employees and the general public.”34
Polk35 provides a basis to exercise Commission jurisdiction over POUs
with respect to electric lines. In Polk, a tree trimmer was injured after a fall from
a ladder caused by an electric shock from an overhead power line with worn
insulation operated by the City of Los Angeles in its capacity as a municipal
utility.36 The overhead line was not maintained in accordance with General
Order (GO) 64-A, a predecessor to GO 95, which prescribes rules for the design,
construction, and maintenance of overhead lines.37 At trial, the implied violation
of GO 64-A was used to establish the duty of care for the municipal utility as well
as the resultant breach.38
30 Consumers Lobby Against Monopolies v. Pub. Util. Comm’n, 25 Cal. 3d 891, 905 (1975).
31 D.98-10-059 at 4.
32 ORA Opening Brief at 5.
33 See Id.
34 D.09-08-029, Conclusion of Law Number (No.) 3.
35 Polk v. City of Los Angeles, 26 Cal. 3d 519 (1945).
On appeal before the California Supreme Court, the city argued that the
Commission lacked jurisdiction over POUs and thus its safety rules could not
prescribe POUs’ duty of care. The Court conceded that, as a general matter, the
Commission did lack jurisdiction over POUs, but then proceeded to state an
exception for electric lines.
The Polk Court first observed that the predecessor statutes to §§ 8002,
8003, 8037, and 8056 applied by their express terms to municipalities and
empowered the Railroad Commission (before it was reconstituted as the Public
Utilities Commission) to inspect all electric lines and “make such further
additions or changes as said commission may deem necessary for the purposes
of safety to employees and the general public.”39 The Court then noted that the
regulations which established the duty of care, GO 64-A, were promulgated
pursuant to the foregoing statutory provisions. Because “[t]here can be no doubt
that the Legislature was empowered to pass such a statute and make it
36 Id. at 523-24.
37 Id. at 538-39.
38 Id. at 542 (Commission has “duty of making safety rules and regulations applicable to
privately owned public utilities, and it is clear that such rules and regulations establish the
standard of care . . . We can perceive of no reason why the same standard of care should not be
applicable to all utilities whether publicly or privately owned.”).
39 Id. at 540.
applicable to [POUs]” and because “danger to the public is a matter of state
concern,” POUs were subject to the Commission’s rules for electric lines.40 The
Court’s analysis is essentially the same as the Commission’s in D.98-10-059,
which denied rehearing of the decision to apply the § 364(a) maintenance and
inspection rules to POUs.
In Polk, the Court noted that “safety rules are in reality not regulations or
the exercise of control by the commission” but are “nothing more than safety
requirements in which the entire state has an interest.”41 The Commission
reiterated that point in its conclusion about jurisdiction in D.98-10-059. The
Court sanctioned the use of GO 64-A to prescribe POUs’ duty of care on the basis
that the Legislature had long since authorized the Commission to inspect electric
lines, including those owned by local governments, in the interest of public
safety. In Polk, the Court noted that Commission authority over the public safety
aspects of POUs’ operation is derived from the overriding statewide concern for
public safety. The Polk Court found that “the safety of overhead wire
maintenance is a matter of statewide rather than local concern, the state law is
paramount.”
Sections 8001-8057, read in light of the Polk decision, make it clear that the
Commission has the authority to apply physical security rules created through
this rulemaking to the POUs. The Legislature granted the Commission the
power to make “further additions or changes as the Commission deems
necessary for the purpose of safety to employees and the general public.”42 The
40 Id. at 540-41.
41 Id. at 541.
42 Public Utilities Code §§ 8037, 8056.
Commission is relying on this authority to set minimum standards to ensure the
physical security of the State’s electric grid, which is operated by both investor
owned utilities and publicly owned utilities.
The rationale employed by the Polk Court applies even more forcefully
in the present case, given the increased importance of electric service and the
distribution grid, and the interconnected nature of the grid. The Legislature has
directed the Commission to ensure the safety of employees and the public. That
includes not only ensuring that wires are clear from accidental contact but also
that the electrical systems are safe from intentional intrusions by bad actors. As
the need to ensure the public safety of electric infrastructure is greater now, more
so than ever before, the Commission’s regulatory mandate is also
correspondingly enhanced.
3.3. Safety Policy Concerns Support Commission
Jurisdiction by POUs in Phase I
The physical security rules contemplated by the amended version of
§ 364(a) are similar to the maintenance and inspection rules contained in GO 165
and made applicable to POUs by D.98-03-036. Given this context, it is notable
that the Legislature did not insert any language in the amended version of
§ 364(a) restricting the Commission’s jurisdiction.
Moreover, even without § 364, the Commission has authority to make the
new physical security rules applicable to POUs, as the statutory provisions
which enabled the application of GO 64-A in Polk are virtually identical to
§§ 8001-8056.
As noted above, Sections 8037 and 8056 authorize the Commission to
“inspect all work” relating to surface and underground transmission and “make
such further additions or changes as the commission deems necessary for the
purpose of safety to employees and the general public.” Section 8002 states that
the term “person” includes any “commission, officer, agent, or employee of this
State, or any county, city, city and county, or other political subdivision thereof,
and any other person, firm, or corporation.” Based on these statutory provisions,
D.98-03-036 made GO 165 applicable to POUs.
Sections 8001-8057 expressly apply to local government entities and
authorize the Commission to promulgate new rules to ensure the safety of
electrical lines. The mandate in § 364(a) to enforce “inspection, maintenance,
repair, and replacement standards” is consistent with §§ 8001-8057, and Polk
indicates that those statutory provisions provide sufficient statutory authority to
extend the Commission’s physical security rules to POUs.
The POUs argue that the Commission’s jurisdiction over them is limited
and it is inappropriate for the Commission to use statewide concerns about
safety to expand the scope of the Commission’s jurisdiction.43 They do concede
that Commission decisions relating to safety may be relevant to the POUs to the
extent that they represent industry standards.44 In view of the Commission’s
mandate to ensure the safety of the State’s electric grid, the Legislature tasked it
with developing standards for the overhead and underground electrical systems.
The authorizing statutes specifically grant the Commission authority to develop
these standards and ensure compliance with them, not just by IOUs, but also the
POUs.45 The POUs state that by applying new physical security rules to them, the
43 Joint Opening Comments at 4.
44 Id.
45 Public Utilities Code section 8002.
Commission is encroaching on the domain of the public entities’ police, fire and
safety departments. This argument is without merit. Precedent, public policy
considerations and longstanding Commission practice provide the Commission
with sufficient basis in this particular case to extend physical security rules to
POUs. The Commission already possesses jurisdiction over the POUs, for the
purposes of setting, and ensuring compliance with, standards for their electrical
grids to ensure safety. The Commission does not intend in any way to usurp the
role of the public utilities’ police, fire and safety departments. The rules set forth
in this decision are the minimum standards to ensure the physical security of the
State’s electric grid. The POUs’ governing bodies may, of course, prescribe
standards that go above and beyond these requirements.
The major focus of Phase I of this proceeding is to address the risks and
threats of a long-term outage to a distribution facility. Clearly, a long-term
outage at any distribution facility poses numerous safety issues, whether it be at
an IOU or POU facility. The Commission was tasked with establishing industry
standards to help reduce the risk and threats of a long-term outage. Minimizing
the risks to distribution systems throughout the state promotes public safety and
helps to establish industry standards. Further, as the Commission noted in D.98-10-059,
electrical disruptions can affect neighboring utilities, regardless of their
ownership: “emergencies or power outages with a municipal utility’s service
area can have effects on the State’s grid that are not confined to that utility’s
electric system.”46 Threats to the electrical grid and public safety do not
discriminate based on the utility’s ownership. Therefore, we conclude that it is
46 D.98-10-059 at p. 4.
within the authority and jurisdiction of the Commission to have these standards
apply to both the IOUs and the POUs.
We now will briefly address the issues raised concerning § 2107, which
grants the Commission authority to perform investigations and levy fines against
the IOUs. It is the intention of the Commission to use Phase I of this proceeding
to establish systemwide industry standards that are aimed at addressing the
potential risks and threats associated with a long-term outage at a distribution
facility on a statewide basis, and we are optimistic that the POUs, having
participated extensively in the proceeding, will adhere to these standards. This
proceeding is not designed to expand Commission investigatory or penalty
authority against the POUs beyond what it already possesses.
3.4. Phase II Jurisdiction
The POUs assert that neither the Pub. Util. Code nor public policy
supports the exercise of Commission jurisdiction over emergency and disaster
preparedness planning for Phase 2.
As originally enacted, § 364(b) required the Commission to “adopt
standards for operation, reliability, and safety during periods of emergency and
disaster.” However, in D.98-03-036 and D.98-07-097, the Commission clarified
that the emergency response rules could not be applied to POUs. The
Commission concluded that because §§ 8001-8057 do not relate to emergency and
disaster preparedness, those provisions do not support the exercise of
Commission jurisdiction over POUs with respect to emergency and disaster
preparedness.
This conclusion is still sound, as § 768.6 does not evince a Legislative intent
to alter the status quo by expanding the Commission’s jurisdiction. We therefore
conclude that adherence to proposed Phase II rules concerning disaster and
emergency preparedness plans shall not be required of the POUs. Although not
bound by Commission rules pertaining to disaster and emergency preparedness
plans, the POUs are encouraged to participate in Phase II of this proceeding and
to adopt resulting best practices to the extent they find them useful and
appropriate. Consistency on a statewide level as it relates to emergency and
disaster preparedness plans is a desirable goal. POU participation will advance
this aim.
4. The Joint Utility Proposal
To meet the requirements of SB 699, SED RASA conducted a series of four
physical security workshops from May to September 2017. In connection with
these four workshops, a technical working group was formed by the parties
which submitted the Joint Utility Proposal to provide guidance for compliance
with § 364.
The Joint Proposal describes how a utility should establish a Distribution
Substation and Distribution Control Center Security Program (Distribution
Security Program).47 The Distribution Security Program consists of the
following: 1) Identification of distribution facilities, 2) Assessment of physical
security risk on distribution facilities, 3) Development and implementation of
security plans, 4) Verification, 5) Record keeping, 6) Timelines and 7) Cost
recovery.
The following is a summary of the utility working group’s Joint Proposal:
47 The Joint Utility Proposal defines Distribution Substation as an electric power substation
associated with the distribution system and the primary feeders for supply to residential,
commercial and/or industrial loads. A Distribution Control Center is defined as a facility that
has responsibility for monitoring and directing operational activity on distribution power lines
and Distribution substations.
4.1. Identification
In accordance with the general direction of SB 699, the intent of the Joint
Utility Proposal is to implement a risk management approach towards
distribution system physical security, with appropriate consideration for
resiliency, impact and cost. The Joint Utility Proposal sets forth a set of general
principles that derive from information described and evaluated during the
workshops. These principles note the following:
1. Distribution systems are not subject to the same physical
security risks and associated consequences, including
threats of physical attack by terrorists, as the transmission
system.
2. Distribution utilities will not be able to eliminate the risk of
a physical attack occurring, but certain actions can be taken
to reduce the risk or consequences, or both, of a significant
attack.
3. A one-size-fits-all standard or rule will not work.
Distribution utilities should have the flexibility to address
physical security risks in a manner that works best for their
systems and unique situations, consistent with a risk
management approach.
4. Protecting the distribution system should consider both
physical security protection and operational resiliency or
redundancy.
5. The focus should not be on all Distribution Facilities, but
only those that risk dictates would require additional
measures.
6. Planning and coordination with the appropriate federal
and state regulatory and law enforcement authorities will
help prepare for attacks on the electrical distribution
system and thereby help reduce or mitigate the potential
consequences of such attacks.
Consistent with these general principles, the Joint Utility Proposal suggests
various criteria to provide Operators48 with guidance needed to identify
Distribution Facilities49 requiring further assessment.
Specifically, the Joint Utility Proposal sets forth the following as facilities
requiring such assessments:
1. Distribution Facility necessary for crank path, black start or
capability essential to the restoration of regional electricity
service that are not subject to the California Independent
System Operator’s (CAISO) operational control and/or
subject to North American Electric Reliability Corporation
(NERC) Reliability Standard CIP-014-2 or its successors;
2. Distribution Facility that is the primary source of electrical
service to a military installation essential to national
security and/or emergency response services (may include
certain air fields, command centers, weapons stations,
emergency supply depots);
3. Distribution Facility that serves installations necessary for
the provision of regional drinking water supplies and
wastewater services (may include certain aqueducts, well
fields, groundwater pumps, and treatment plants);
4. Distribution Facility that serves a regional public safety
establishment (may include County Emergency Operations
Centers; county sheriff’s department and major city police
department headquarters; major state and county fire
service headquarters; county jails and state and federal
prisons; and 911 dispatch centers);
5. Distribution Facility that serves a major transportation
facility (may include International Airport, Mega Seaport,
48 An Operator is an Electrical Corporation, a Local Publicly Owned Electric Utility, or an
Electrical Cooperative responsible for the reliability of one or more Distribution Facilities.
49 A Distribution Substation or Distribution Control Center.
other air traffic control center, and international border
crossing);
6. Distribution Facility that serves as a Level 1 Trauma Center
as designated by the Office of Statewide Health Planning
and Development; and
7. Distribution Facility that serves over 60,000 meters.
4.2. Assessment
After the Operator has identified any Distribution Facility requiring
additional assessment (“Covered50 Distribution Facility”), the operator will
conduct an evaluation of the potential risks associated with a successful physical
attack on such a facility or facilities and whether existing grid resiliency,
requirements for customer-owned back-up generation and/or physical security
measures appropriately mitigate identified risks. In doing so, the Operator may
consider the following:
1. The existing system resiliency and/or redundancy
solutions (e.g., switching the load to another substation or
circuit capable of serving the load, temporary circuit ties,
mobile generation and/or storage solutions);
2. The availability of spare assets to restore a particular load;
3. The existing physical security protections to reasonably
address the risk;
4. The potential for emergency responders to identify and
respond to an attack in a timely manner;
5. Location and physical surroundings, including proximity
to gas pipelines and geographical challenges, and impacts
of weather;
50 “Covered” is the utility working group term employed to describe those assets that are
applicable, or that should be subject to physical security. We will employ this term for the
length of this decision for the sake of consistency.
6. History of criminal activity at the Distribution Facility and
in the area;
7. The availability of other sources of energy to serve the load
(e.g., customer owned back-up generation or storage
solutions);
8. The availability of alternative ways to meet the health,
safety, or security; and
9. requirements served by the load (e.g., back up command
center or water storage facility).
4.3. Mitigation Plan
In order to address the risk of a long-term outage to a Covered
Distribution Facility due to a physical attack, each Operator will develop and
implement a Mitigation Plan51. The Operator should have discretion to select the
specific security measures that are most appropriate for the Covered Distribution
Facility. The Mitigation Plan will include consideration of the costs associated
with any physical security improvements. In developing the Mitigation Plans,
the Operator may also consider local geography and weather, engineering
judgment and its own experience.
In developing Mitigation Plans, Operators may use risk-based
performance standards to identify the means by which a Covered Distribution
Facility’s security can be upgraded (e.g., perimeter security, improved
monitoring) and its resiliency improved (e.g., timely access to spare equipment,
the ability to serve in whole or in part from another facility or circuit, back-up
generation or storage). A performance standard specifies the outcome required
51 The documentation of a risk-based strategy for mitigating the impacts of a physical attack on
a Covered Distribution Facility. The strategy may consist of operational resiliency measures or
physical security measures.
but leaves the specific measures to achieve that outcome up to the discretion of
the Operator. The goal in this case is to reduce the risk and/or consequences of a
successful physical attack on a Covered Distribution Facility and provide a
variety of solutions to mitigate the risk and/or consequences and achieve the
goal.
Examples of potential resiliency and security solutions that could be
deployed to address identified risks and are not meant to be binding or definitive
or to be required for any particular Distribution Facility include, but are not
limited to:
Examples of Potential Resiliency Solutions:
1. Strategically Located Spares – Strategically locate spare
equipment to facilitate the repair of a Covered Distribution
Facility;
2. Distribution Resiliency Upgrades – Adding circuit ties or
other facilities to enhance the ability to switch around
damaged facilities to facilitate the repair and restoration of
service;
3. Enhanced Resiliency Response – Develop response
strategies for temporarily restoring service (e.g., mobile
generation/storage, jumper from an adjacent circuit);
Examples of Potential Security Solutions:
1. Access – Measures to limit unauthorized entry or breach of
the facility (e.g., fencing, gates, barriers or other security
devices);
2. Deterrent – Measures to discourage unauthorized entry or
breach of the facility (e.g., cameras, lights); and
3. Coordination – Measures to further collaborate with law
enforcement as appropriate.
4.4. Verification
In order to evaluate each Mitigation Plan(s), each Operator will select an
unaffiliated third party with the appropriate experience needed to review the
Identification and Assessment evaluations and the Mitigation Plan(s) performed
and developed by the Operator. After the Mitigation Plans have been evaluated,
the Operator should either modify its Mitigation Plan to be consistent with the
recommendations or document its reasons for not doing so.
4.5. Records
Adequate record retention is important to ensure each utility’s Mitigation
Plan is successful. Electronic or hard copy records of the Distribution Security
Program implementation will be retained for not less than five (5) years. Such
records are extremely confidential and will be maintained in a secure manner at
the Operator’s headquarters. The records maintained by an Operator will be
available for inspection at its headquarters or San Francisco offices by
Commission staff upon request.
Electronic or hard copy records of the Operator’s Distribution Security
Program Implementation will include, at a minimum:
1) The Operator’s Identification of Distribution Facilities
requiring further assessment;
2) Each Operator’s Assessment of the potential threats and
vulnerabilities of a physical attack and whether existing
grid resiliency, customer-owned back-up generation
and/or physical security measures appropriately mitigate
the risks on each of its identified Distribution Facilities;
3) Each Operator’s Mitigation Plans covering each of its
Covered Distribution Facilities under Section 4;
4) The unaffiliated third-party evaluation of the Operator’s
Identification and Assessment evaluations and Mitigation
Plans performed and developed by the Operator; and
5) If applicable, the Operator’s documented reasons for not
modifying its Mitigation Plans consistent with the
unaffiliated third-party’s evaluation.
4.6. Timelines and Frequency
Any Operator that has identified at least one Distribution Facility
requiring further assessment whose risks are not found to be appropriately
mitigated during the verification phase will complete an initial draft of its
Mitigation Plan(s), within eighteen (18) months from the effective date of these
guidelines.
Where the Operator is required to seek verification, the Operator will
obtain an unaffiliated, third-party review within twenty-seven (27) months from
the effective date of these guidelines. Each Operator will meet all obligations set
out in this decision within thirty (30) months of the effective date of these
guidelines.
4.7. Cost52
The IOUs propose that at its discretion, the Operator may establish an
account to track the expenditures associated with the development and execution
of its Distribution Security Program. IOUs request authorization to file Tier 1
Advice Letters for this purpose. Electrical Cooperatives and POUs would act in
accordance with any processes established by a governing or other type of board
with the requisite authority.
IOUs also recommend that they be authorized to file separate applications
or GRC requests for the recovery of costs associated with their respective
52 The issues of cost discussed in this section are the positions advanced by the IOUs. We
decline to implement the cost recovery measures suggested by the IOUs. Rather, they will
follow the cost recovery methods as set forth in Section 6.8 below.
Distribution Security Programs. Although the Distribution Security Program
documents are considered security-sensitive information and cannot be filed as
supporting documentation, the IOUs may file a public version of the unaffiliated
third-party review and Commission approval in support of their recovery
requests.
5. SED RASA Staff Evaluation of Joint Utility Proposal,
Security Plan Element and SED RASA Recommendations
Four workshops were conducted during Phase I of this proceeding. The
first three workshops identified and explored the regulatory framework that
currently exists for assessing physical security and how new regulations could be
drafted. The utilities presented the Joint Utility Proposal at the fourth workshop.
In addition to being actively involved with the workshops, SED RASA
analyzed the Joint Utility Proposal and made various recommendations. This
analysis was made available to the parties on January 16, 2018 within a ruling by
the assigned ALJ. The parties filed both comments and reply comments on SED
RASA’s evaluation. SED RASA thoroughly considered all comments and reply
comments, and in response undertook additional evaluation, and revisited its
original set of recommendations.
The Joint Utility Proposal would introduce new requirements covering
electric assets that support distribution-level service within California’s
regulatory and safety jurisdiction. These assets, largely substations and control
centers, do not typically rise to the level of critical infrastructure as defined in the
federal Critical Infrastructure Protocols (CIPs). Yet, they are essential for
providing reliable energy to residential, commercial and industrial loads.
In addition to the new rules and measures articulated by the Joint Utilities in
their Proposal, as outlined in Section 4 above, SED RASA recommends
additional new rules and measures, and guiding principles, above and beyond
those outlined in Section 4, to further strengthen the Joint Utility Proposal. These
items are detailed below.
6. Guiding Principles of California
Electric Physical Security
1) Costs of incremental physical security measures should be
reasonable, controlled, and weighed against potential
benefit, so they do not result in a burden to ratepayers.
2) Opportunities to incorporate high-benefit, low-cost
measures should be captured, particularly at the time of
new or upgraded substation construction.
3) Distribution assets should be hardened or designated with
consideration for ensuring service integrity to essential
customers, among other factors identified in the Joint
Proposal.
4) Resiliency strategies to ensure that priority distribution
assets, particularly those tied to service of essential
customers remain in service and are able to rapidly recover
from an unplanned service outage should be considered an
equally effective response to addressing physical security
risks.
6.1. Six-Step Procedure to Address
Utilities’ Distribution Assets
SED RASA recommends the following six-step procedure for carrying out
new physical security plan requirements to address utilities’ distribution assets.
These proposed steps are modeled on the security plan requirements set forth by
NERC CIP-014.
This six-step plan is as follows:
Step 1. Assessment. Drafting of a plan, addressing
prevention, response, and recovery, which could be prepared
in-house or by a consultant, and which shall include proposed
and recommended mitigation measures.
Step 2. Independent Review and Utility Response to
Recommendations. Proposed plan would be reviewed by
an independent third party, likely a qualified consultant
expert, national laboratory, or a regulatory or industry
standard body (such as the Electric Power Research Institute).
Step 2 would include reviewer recommendations that assess
and appraise the appropriateness of the risk assessment,
proposed mitigation measures, and other plan elements. A
utility would be expected to fully address reviewer
recommendations, including justifying any mitigations that it
declines to accept; the independent third-party
opinion/recommendations, utility response, threat and risk
assessment, and mitigation measures combined would
constitute a final plan report.
Step 3. SED Review (for IOUs only). Final plan report would
be reviewed by the CPUC SED (recurring every five years)53
so as to determine whether it is in compliance with regulatory
requirements, and eligible to request funding for
implementation. Upon five years from the date of adoption, a
utility would be required to have any revised or original plan
updated and repeat the review process. Utilities may be
afforded regulatory relief by way of an exemption request
process for special cases where undertaking of the plan
overhaul and/or review process may be impracticable or
unduly burdensome. Non-compliance could result in an
enforcement action, potentially resulting in sanctions and/or
penalties as provided by PU Code Sec. 364(c). An SED
finding of compliance would render IOUs eligible to request
funding for appropriate physical security needs identified by
IOUs; project expenditures would be tracked in a
memorandum account and subject to reasonableness review
in the GRC.
53 This time interval is based on the requirements instituted for the City of Los Angeles under
City Charter.
Step 3a. Plan Review (for POUs only). Final plan report
would be deemed adequate (recurring every five years, and
eligible for same exemption request process made available to
the IOUs) by a qualified authority designated by the
applicable local governance body. (For example, Riverside
Public Utilities currently develops a security and emergency
response plan that conforms to the Governor’s Office of
Emergency Services (CalOES) and Federal Emergency
Management Agency (FEMA) standards and receives their
endorsement.)
Step 4. Adoption (for POUs only). Reviewed plan would be
submitted to the appropriate regulatory oversight body (local
governance body) for review and greenlighting (adoption).
Step 4 should include funding to implement the plan.
Step 4a. Notice (for POUs only). Provide CPUC with official
notice (ideally including a copy of a resolution of the adopted
plan action).
Step 5. Maintenance. Ongoing adopted plan refinement and
updates as appropriate and as necessary to preserve plan
integrity. All security plans should be concurrent with and
integrated into utility resiliency plans and activities.
Step 6. Repeat Process. Plan overhaul and review every five years.
For now, the Commission finds the process described above adequate.
Should the Commission subsequently find that a more structured and formal
process of Security Plan approval, or changes to the Security Plans
themselves, are desirable, the Commission could make such determination via resolution or a
decision based upon a developed record. Changes to Security Plan requirements
may also be done by SED (or successor entity) director letter.
6.2. Additional Requirements for Mitigation Plans
These additional requirements are:
1. California electric utilities shall, within any new or
renovated distribution substation, incorporate and design
their facilities to incorporate reasonable security features.
2. Utilities’ security plans shall include a detailed narrative
explaining how the utility is taking steps to implement:
(a) An asset management program to promote
optimization and quality assurance for tracking and
locating spare parts stock, ensuring availability and the
rapid dispatch of available spare parts;
(b) A robust workforce training and retention program to
employ a full roster of highly-qualified service
technicians able to respond to make repairs in short
order throughout a utility’s service territory using spare
parts stockpiles and inventory;
(c) A preventative maintenance plan for security
equipment to ensure that mitigation measures are
functional and performing adequately; and,
(d) A description of Distribution Control Center and
Security Control Center roles and actions related to
distribution system physical security (this item would
be for IOUs only).
6.2.1. Additional Optional Requirements for Mitigation Plans
The Commission highly encourages and recommends the following
optional security measures and best practices:
1. A training program for appropriate local law enforcement
and utility security staff to optimize communication
during a physical security event. Training for law
enforcement should include information on physical
infrastructure and relevant utility operations;
2. A determination of the vulnerability of any associated
communication utility infrastructure that supports priority
distribution assets, which if deemed to be vulnerable,
should have appropriate mitigation measures prescribed;
and
3. Incorporating into applicable new and renovated or
upgraded utility facilities design features that promote a
sense of order and ownership, increase surrounding
visibility and sightlines, capture opportunities for
defensibility, and confound intrusion attempts by delaying
and frustrating attackers via strategic placement of assets.
These concepts, well-established within and embraced by
the power industry and other applications, are encouraged
and called out by NERC within CIP-014 guidelines as
Defense in Depth and Community Protection through
Environmental Design.
The Commission finds that these additional measures hold
potential for increasing grid resilience and reliability, but
declines at this time to make the measures obligatory,
recognizing the utilities’ work ahead to master new physical
security regulations and complete their first iteration of
mitigation plans and annual reports.
6.3. Third-Party Verification
As noted in Section 6.1 above (“Step 2. Independent Review and Utility
Response to Recommendations”), a required third-party review shall occur in
tandem with completion of a list of recommended mitigation measures.54 The
third-party reviewer shall prepare recommendations on appropriate mitigation
measures and/or a statement supporting or rejecting proposed mitigation
measures. This statement shall contain justification for the acceptance or
rejection of each proposed mitigation measure.
Each utility shall produce a response to these proposed mitigation
measures and the third-party expert’s opinion and recommendations, indicating
whether it concurs or disagrees, and whether a given mitigation measure will be
implemented, or is declined. Utilities should provide a justification for declining
any proposed mitigation measures.
54 This original plan and the third-party review may collectively be called the Mitigation Plan.
A utility’s risk-threat assessment, mitigation plan, consultant appraisal and
statement, and utility response, would together comprise its Security Plan
Report. The Security Plan should include an estimated timeframe for how long it
will take to implement the Mitigation Plan and a cost estimate for incremental
expenses associated with implementing the Mitigation Plan.
6.4. Third-Party Expert Qualifications
Each utility shall employ a qualified third-party expert to provide
independent verification of any Distribution Security Program and Mitigation
Plans, taking the following requirements into account:
Unaffiliated Third-Party Reviewer: The Unaffiliated
Third-Party Reviewer shall be an entity other than the
Operator with appropriate expertise, as described below. The
selected third-party reviewer cannot be a corporate affiliate of
the Operator (i.e., the third-party reviewer cannot be an entity
that is controlled by the utility or controlled by or is under
common control with, the Operator). A third-party reviewer
also cannot be a division of the Operator that operates as a
functional unit. A governmental entity can select as the
third-party reviewer another governmental entity within the
same political subdivision, so long as the entity has the
appropriate expertise, and is not a division of the Operator
that operates as a functional unit, i.e., a municipality could use
its police department as its third-party reviewer if it has the
appropriate expertise.
Unaffiliated Third Party Reviewer Appropriate Expertise:55 The
Unaffiliated Third-Party Reviewer shall be an entity or organization with
electric industry physical security experience and whose review staff has
appropriate physical security expertise, i.e., have at least one member who
holds either an ASIS International Certified Protection Professional (CPP)
or Physical Security Professional (PSP) certification; an entity or
organization with demonstrated law enforcement, government, or military
physical security expertise; or an entity or organization approved to do
physical security assessments by the CPUC, Electric Reliability
Organization or similar electrical industry regulatory body.
55 Unaffiliated Third-Party Reviewer Appropriate Expertise can be established by any of these
methods.
6.5. Access to Information
The Commission is currently engaged in an effort to update its policies
regarding the protection of confidential information in a rulemaking related to
Public Records Act requests.56 Additionally, a recent decision approved an
update to General Order 66-D, which took effect in January 2018. The utilities in
their Joint Proposal and in comments have advocated for the use of a Reading
Room approach that would require that Commission staff visit IOU property to
view physical security-related information that they consider to be highly
confidential, or at a level of sensitivity which utilities believe Commission
confidentiality rules and provisions are unequipped to address.
Commission staff, in the course of carrying out Phase I of this proceeding,
report having tested the Reading Room approach with mixed results.
Commission staff report having visited utility offices to obtain data and view
documentation previously denied by investor-owned utilities in response to data
requests. Commission staff’s complaint with the Reading Room approach is that they
were not allowed by the utilities to engage in notetaking or any other means of
keeping records of documents made available in the Reading Room.
The Commission recognizes that the Reading Room approach by nature
entails certain limitations on Commission staff’s ability to freely and
independently review and assess utility documents, utility reports and
submittals.
56 R.14-11-001, Order Instituting Rulemaking to Improve Public Access to Public Records
Pursuant to the California Public Records Act.
For these reasons, we have concerns about relying on the Reading Room
approach as the sole means for accessing utility information necessary to gauge
whether utilities are in compliance with this decision’s provisions for producing
and furnishing the Commission with recurring regulatory compliance reports
and ongoing updates.
Parties including SED Advocacy and ORA recommend making the
Reading Room approach temporary, while the utilities recommend that it be
designated permanent status.
We conclude that neither recommendation fully satisfies the need to
conveniently access regular regulatory filings. At the same time, we are mindful
of the concerns raised by the utilities regarding sensitive physical
security-related information.
We therefore bifurcate utility physical security-related information into
two categories for the purposes of Commission staff access and the transfer of
data:
Category 1 - information that is specifically required to be
reviewed by the Commission in this decision (“routine
regulatory compliance filings”); and
Category 2 - other information which Commission staff
may request of utilities from time to time (“ad hoc
information”).
Category 1 routine regulatory compliance filings will not be subject to the
Reading Room approach and shall be provided to SED staff by means of
transmittal to the Commission. Category 2 ad hoc information shall be subject to
the Reading Room approach.
The Commission adopts the Reading Room approach as an interim
solution pending the ongoing R.14-11-001 rulemaking establishing new rules for
the safekeeping, sharing, transmittal, and inspection of confidential information.
The Commission intends to monitor the effectiveness of the Reading Room
approach, and review and revise the approach as needed.
The Reading Room approach shall entail utility information being made
available to Commission staff on utility property at a location convenient and
agreed to by CPUC staff.
It remains without question that the Commission and its staff require and
are fully entitled to access to such information, as long as protections against
public release are maintained. Especially in cases where the Commission is
investigating an incident (whether it is already defined in our regulations or a
new aspect, such as physical or cyber-attack), access to records shall be provided
promptly upon the Commission’s request.
It should be noted that the Reading Room approach only relates to how
the Commission may access confidential utility information relating to physical
security, and that utilities still are required to first justify confidentiality claims
relating to all information being made applicable to the Reading Room approach
as per generally applicable Commission requirements.
Additionally, nothing in the present decision establishes a basis for utilities
to restrict access to any information that is publicly accessible pursuant to
Commission rulings, orders, or other actions. To the extent that utilities believe
that restricting public access to any category of information that is publicly
available is necessary for mitigating physical security risks to a Covered
Distribution Facility, they should describe and justify any restrictions on
information access they propose within their Mitigation Plans for any affected
Covered Distribution Facilities.
6.6. Timeline for Implementation
Security Plans shall be completed in accordance with the following criteria:
1. Each utility’s Security Plan Report is due to the CPUC
within 30 months of the approval of this decision; and
2. POUs only — Within 30 months of the approval of this
decision, the POUs shall provide the Director of Safety and
Enforcement Division and the Director of the Energy
Division with notice of the plan adoption by way of copy
of a signed resolution, ordinance or letter by a responsible
elected- or appointed official, or utility director. If a POU
has an existing security plan that has been adopted by its
Board of Directors or City Council within three years prior
to the date of this decision, the requirement to have a plan
adopted may be waived by the Commission.
6.7. Reporting
Utilities shall provide to the Director of the Safety and Enforcement
Division and the Director of the Energy Division copies of all OE-417 reports
submitted to the U.S. DOE within two weeks of filing with U.S. DOE.
All utilities except SDG&E objected to SED RASA’s recommendation of
annual reporting, citing a preference for data requests as the appropriate vehicle.
We disagree that the responsibility to be made aware of any incidents should fall
on the Commission. Additionally, such an annual reporting requirement is
enshrined into law per § 590 of the Pub. Util. Code. Therefore, and in order to
ensure statewide consistency, we require the utilities to submit an annual report.
These annual reports shall be submitted to the Director of the Safety and
Enforcement Division and the Director of the Energy Division by March 31 each
year, commencing in 2020. Each report shall include a section that describes any
physical security incident resulting in a utility insurance claim. The Commission
does not require copies of filed insurance claims or specifics of asset vulnerability
that allowed for a physical security breach. Rather, the submittal should be a
high-level report. Utilities should make mention of any incidents reported for
insurance claims within the annual reporting period of April 1 to March 31 and
include such general information as location, and impact of the incident, and
monetary value of claim. Filing should include a data file (in Microsoft Excel
format). As with all Commission filings, should utilities believe that certain
information is sensitive, they must follow GO 66-D requirements for identifying
confidential information.
To meet the reporting requirement introduced in SB 699 in Pub. Util. Code
§ 364 (b) now located in § 590, these annual reports should also include any
significant changes to the Security Plan Reports (including new facilities covered
by the Plan or major mitigation upgrades at previously identified facilities).
Because the statutory language provided that these be publicly available, the
utility may provide both a complete report for the Commission and an
appropriately redacted version for the public to be posted on the Commission’s
web site.
6.8. Cost Recovery
The Joint Utilities propose that they should be authorized to file separate
applications to request recovery of the costs associated with their Distribution
Security Programs. We disagree that the electric utilities should be authorized to
file separate applications to request recovery of costs associated with their
respective Distribution Security Programs. Utilities may establish a
memorandum account to track associated costs. However, cost recovery
requests shall be made in each utility’s general rate case (GRC).
Electrical Cooperatives and POUs should act in accordance with processes
established by a governing or other type of board with the authority to approve
such processes, if any.
7. Commission Position on Joint Utility Proposal and SED RASA Recommendations
The Commission finds that the elements of the Joint Utility Proposal set
forth in the mitigation plans represent a first-of-its-kind effort at the state level,
and yet they do not go far enough to prescribe reasonable physical security
measures. Additionally, the Commission finds that the SED RASA
recommendation to include additional requirements is sound and advisable. We
find that the Joint Utility Proposal, augmented by all of the above additional
measures and clarifications as recommended by SED RASA,57 strikes the right
balance between achieving grid protection and keeping electricity service
affordable. As such, the Commission finds adoption of the combined provisions
of Sections 4 and 6 outlined above will provide an appropriate level of physical
security and ensure California grid resilience should another Metcalf-type
sabotage event target the state’s electric utilities’ distribution infrastructure.58
57 SED RASA recommendations for additional measures consist of the following:
6.0 Guiding Principles of California Electric Physical Security
6.1 Six-Step Procedure to Address Utilities’ Distribution Assets
6.2.1 Additional Optional Requirements for Mitigation Plans
6.2 Additional Requirements for Mitigation Plans
6.3 Third-Party Verification
6.4 Third-Party Expert Qualifications
6.5 Access to Information
6.6 Timeline for Implementation
6.7 Reporting
6.8 Cost Recovery
58 Should there be any question of which shall predominate should there be any incongruity
or conflict between a utility or SED RASA recommended rule, the SED RASA rule shall apply.
In closing, the Commission notes that it is desirable that California’s
electric utilities coordinate to the fullest extent practicable to exchange
information and best practices that advance the State’s safety, security, and
resilience goals. To this end, all utilities will be expected to relay information
about critical loads within a service territory to any other utility in California
whose distribution facilities also are used to supply electricity for those critical
loads.
8. Safety Considerations
Safety is a major concern for the Commission. The Commission’s safety
goals are furthered by ensuring all California electric utilities have identified
priority distribution assets that merit special protection, and prescribing
measures to reduce risks and threats to these assets.
9. Conclusion
Phase I of this proceeding requires electric utilities to identify electric
supply facilities which may require special protection and measures to identify
risks and threats. Each Operator will develop and implement a six-step
Mitigation Plan modeled on the security plan requirements set forth by NERC
CIP-014. The safety and security benefits promoted by these Mitigation Plans
mandate that the POUs also comply with these requirements as set forth in this
decision.
10. Comment Period
The proposed decision in this matter was mailed in accordance with § 311
of the Pub. Util. Code and comments were allowed under Rule 14.3 of the
Commission’s Rules of Practice and Procedure. Comments were filed on
November 29, 2018, by PG&E, SCE, SDG&E, CMUA/LADWP/SMUD and SED
Advocacy, and reply comments were filed on December 4, 2018 by PG&E, SCE,
SDG&E, CMUA/LADWP/SMUD, SED Advocacy and ORA, filing as the Public
Advocates Office.
In their comments the utilities sought greater conformity with the original
Joint Utility Proposal, particularly in the proposed timeline for compliance, and
argued against the requirements in the Plans regarding asset management,
workforce training, and preventative maintenance planning going beyond
federal CIP-014 requirements, recommended by SED RASA. SED Advocacy
sought to make mandatory certain optional aspects of the RASA recommended
changes to the Joint Utility Proposal. SCE sought to eliminate certain
requirements for submitting confidential information in their plans to the CPUC
for staff validation and to make the Reading Room approach to access to
sensitive data a permanent feature. POUs expressed concerns about sharing
information about critical loads among adjacent utilities, and sought clarification
of definitions of physical security incidents reported in the federal OE-417
reports.
The Commission finds it reasonable to adopt the compliance timelines
initially expressed in the Joint Utility Proposal and has clarified some of the
requirements for providing the Commission with plans and reports in the body
of this decision. Additionally, the proposed decision that was initially mailed for
comment included an Appendix. Upon further review, we have decided to
remove the Appendix from the final decision. Other proposed changes are not
adopted.
11. Assignment of Proceeding
Clifford Rechtschaffen is the assigned Commissioner and Gerald F. Kelly is
the assigned Administrative Law Judge to the proceeding.
Findings of Fact
1. SB 699 directs the Commission to develop rules for addressing physical
security risks to the distribution systems of electrical corporations.
2. AB 1650 directs the Commission to develop emergency preparedness
plans applicable to electrical corporations and water companies regulated by the
Commission.
3. This proceeding will be conducted in two phases.
4. Phase I of this proceeding pertains to the requirements set forth in SB 699.
5. Phase II of this proceeding pertains to the requirements set forth in
AB 1650.
6. Ensuring the physical security of all electrical supply systems is of great
importance to the Commission.
7. Ensuring the physical security of all electrical supply systems within the
state will help maintain high quality, safe and reliable service.
8. Four Phase I physical security workshops were conducted by SED RASA
from May to September 2017.
9. During these workshops, a technical working group was formed by the
utilities.
10. As a result of technical working group discussions, the utilities submitted
a Joint Utility Proposal.
11. The Joint Utility Proposal offered guidance for compliance with SB 699,
and represented a first-of-its-kind effort to establish new critical asset protections
at the distribution level.
12. The Joint Utility Proposal (at 4.1.6 and 4.3.3 above) provided assurance
that IOUs and POUs would partner with law enforcement agencies broadly to
plan, coordinate, and share information to ensure safety, resilience, and security.
13. The Commission expects that all California utilities will communicate,
coordinate, and share best practices with law enforcement and each other, as
appropriate to advance local, State, and Federal safety and security goals.
14. SED RASA evaluated the Joint Utility Proposal and identified areas where
the proposed security plans could be improved.
15. Review of the Distribution Security Plans (Security Plans and its
components are the process of drafting the Mitigation Plan) and Mitigation Plans
(Mitigation Plans are the plans that are ultimately adopted) by independent third
parties will help to strengthen these plans.
16. Ensuring that confidential security information is not released to the
public is of great importance to the Commission.
17. The Commission is currently engaged in an effort to update its policies
regarding the protection of confidential information in a rulemaking related to
Public Records Act requests in R.14-11-001.
18. D.17-09-023, which became effective on January 1, 2018, updated GO 66-D
as it relates to submission of confidential information to the Commission.
19. The Commission and its staff are fully entitled to access confidential
information, as long as protections against public release are maintained.
20. The Commission recognizes that the Reading Room approach advanced
in the Joint Utility Proposal is imperfect, with SED staff reporting inconsistency
statewide, and issues and concerns with its ease, practicality, usefulness, and
timeliness in their experience with testing it in the course of carrying out this
proceeding.
21. The Commission recognizes that the Reading Room approach by nature
entails certain limitations on Commission staff’s ability to review IOU
documents, which may not afford notetaking or records retention, all and any of
which may render arduous and impractical its usage for the purposes of
reviewing recurring and routine required submittals described within this
decision.
22. The Commission therefore determines that it is not desirable to apply the
Reading Room approach to recurring and routine required IOU submittals and
updates described within this decision (i.e., Physical Security Plan Reports and
Drafts, Mitigation Measures and Consultant-prepared documents, Annual
Reporting, and OE-417 Reports).
23. The Commission adopts the Reading Room approach as an interim
solution to the handling and sharing of other physical security data requested by
Commission staff on an ad hoc basis, allowing Commission staff to review
documents at a utility property location convenient to and agreed to by CPUC
staff such as the utility’s San Francisco office address.
24. The Reading Room approach shall be superseded by outcomes in the
ongoing R.14-11-001 rulemaking.
25. It is important to maintain uniformity at a statewide level as it relates to
ensuring the physical security of the electrical distribution system.
26. It is reasonable that Step 2 of the Six-step Plan Process require that an
independent third-party review a utility’s physical security plan to assess and
appraise the sufficiency of the risk assessment, proposed mitigation measures,
and other plan elements and make recommendations regarding the plan
elements.
27. It is reasonable that Step 3a of the Six-step Plan Process require that the
POUs provide the Commission with notice of successful completion of their
Security Plan review and adoption.
28. It is reasonable that all California electric utilities be required, within any
new or renovated distribution substation, to design their facilities to incorporate
reasonable security features.
29. It is reasonable that all California electric utilities be required to include
within their security plans a detailed narrative explaining how the utility is
taking steps to implement:
a) An asset management program to promote optimization
and quality assurance for tracking and locating spare
parts stock, ensuring availability and the rapid dispatch
of available spare parts;
b) A robust workforce training and retention program to
employ a full roster of highly-qualified service
technicians able to respond to make repairs in short order
throughout a utility’s service territory using spare parts
stockpiles and inventory;
c) A preventative maintenance plan for security equipment
to ensure that mitigation measures are functional and
performing adequately; and,
d) A description of Distribution Control Center and Security
Control Center roles and actions related to distribution
system physical security (this item (d) would be required
for IOUs only).
30. It is reasonable to expect California’s electric utilities to coordinate with
one another to the fullest extent practicable, and to relay information about
critical loads within a service territory to any other utility in the state whose
distribution facilities also are used to supply electricity for those critical loads.
Conclusions of Law
1. SB 699 confers on the Commission authority to develop rules for
addressing the physical security risks to the distribution systems of electric
corporations.
2. AB 1650 confers on the Commission authority to develop rules for
emergency preparedness plans applicable to electrical corporations and water
companies regulated by the Commission.
3. This decision fulfills the mandates of SB 699.
4. The decision in Phase II of this proceeding will fulfill the mandates of
AB 1650.
5. Pursuant to §§ 8001 to 8057 of the Pub. Util. Code, the Commission has the
authority and duty to regulate and enforce safety aspects of POUs.
6. Sections 8001-8057 of the Pub. Util. Code provide that the Commission has
jurisdiction over the public safety aspects of POUs.
7. The need to ensure the safety and security of the electrical distribution
system mandates that Phase I of this proceeding be applied to both IOUs and
POUs.
8. This decision should be effective today.
ORDER
IT IS ORDERED that:
1. Within 18 months of this decision being adopted, Pacific Gas and Electric
Company, San Diego Gas & Electric Company, Southern California Edison,
PacifiCorp, Bear Valley Electric Service, and Liberty CalPeco shall prepare and
submit to the Commission a preliminary assessment of priority facilities for their
distribution assets and control centers.
2. Within 30 months of this decision being adopted, Pacific Gas and Electric
Company, San Diego Gas & Electric Company, Southern California Edison,
PacifiCorp, Bear Valley Electric Service, and Liberty CalPeco shall submit each
utility’s Final Security Plan Report.
3. Within 30 months of this decision being adopted, the Publicly Owned
Utilities shall provide the Commission with notice of final plan adoption.
4. The Publicly Owned Utilities’ notice of final plan adoption may consist of a
copy of a signed resolution, ordinance or letter by a responsible elected- or
appointed official, or utility director.
5. All California Electric Utility Distribution Asset Physical Security Plans
shall conform to the requirements outlined within the Joint Utility Proposal, as
modified by this decision (rules and requirements collectively known as
“security plan requirements”).
6. The Investor Owned Utilities and Publicly Owned Utilities shall adhere to
the Safety and Enforcement Division’s Six-step Security Plan Process.
7. The Six-step Plan Process consists of the following: Assessment;
Independent Review and Utility Response to Recommendations; Safety and
Enforcement Division Review (for Investor Owned Utilities); Local Plan Review
(for Publicly Owned Utilities); Maintenance; and Plan overhaul/new review.
8. Subsequent changes to the security plan requirements deemed beneficial
and necessary, shall be enabled by one of the following: 1) Commission
Resolution or Decision; 2) Ministerially, by Safety and Enforcement Division (or
successor entity) director letter.
9. In carrying out any future changes to the security plan requirements,
Safety and Enforcement Division shall confer with utilities about any
recommended modifications to the plan requirements.
10. Prior to the submittal of the Security Plan, Pacific Gas and Electric
Company, San Diego Gas & Electric Company, Southern California Edison,
PacifiCorp, Bear Valley Electric Service, and Liberty CalPeco shall each have
their respective plan reviewed by an unaffiliated third-party entity.
11. The unaffiliated third-party reviewer shall have demonstrated
appropriate physical security expertise.
12. California electric utilities shall, within any new or renovated distribution
substation, design their facilities to incorporate reasonable security features.
13. Utility security plans shall include a detailed narrative explaining how
the utility is taking steps to implement an asset management program to
promote optimization, and quality assurance for tracking and locating spare
parts stock, ensuring availability, and the rapid dispatch of available spare parts.
14. Utility security plans shall include a detailed narrative explaining how
the utility is taking steps to implement a robust workforce training and retention
program to employ a full roster of highly-qualified service technicians able to
respond to make repairs in short order throughout a utility’s service territory
using spare parts stockpiles and inventory.
15. Utility security plans shall include a detailed narrative explaining how
the utility is taking steps to implement a preventative maintenance plan for
security equipment to ensure that mitigation measures are functional and
performing adequately.
16. Utility security plans shall include a detailed narrative explaining how
the utility is taking steps to implement a description of Distribution Control
Center and Security Control Center roles and actions related to distribution
system physical security.
17. Pacific Gas and Electric Company, San Diego Gas & Electric Company,
Southern California Edison, PacifiCorp, Bear Valley Electric Service, and Liberty
CalPeco shall each document all third-party reviewer recommendations, and
specify recommendations that were accepted or declined by the utility.
18. Pacific Gas and Electric Company, San Diego Gas & Electric Company,
Southern California Edison, PacifiCorp, Bear Valley Electric Service, and Liberty
CalPeco shall each provide justification supporting its decision to accept or
decline any third-party recommendations.
19. Physical Security-related information is bifurcated into two categories.
Recurring and routine utility compliance work products and ongoing utility
updates required by this decision are not subject to the Reading Room approach
but shall be transmitted to the Commission. All other physical security data
requested by Commission staff on an ad hoc basis shall be made available to the
Commission on utility property in a manner agreed to by the Safety and
Enforcement Division, or its successor, until such time that the Commission
finalizes its rules for the handling, sharing, and inspection of confidential
information.
20. If a Publicly Owned Utility has an existing blanket Security Plan that has
been adopted by its Board of Directors or City Council within three years prior to
the date of this decision, the requirement to have a plan adopted may be waived
by the Commission.
21. In the event that a Publicly Owned Utility’s (POU) Security Plan has not
been adopted in time as required by this decision, the POU shall provide the
Director of the Commission’s Safety and Enforcement Division with a notice
[30] days prior to the deadline with information on the nature of the delay and
an estimated date for adoption.
22. Prior to Security Plan adoption, Publicly Owned Utilities in California
shall have their plan reviewed by a third party.
23. Such third-party reviewer may be another governmental entity within the
same political subdivision, so long as the entity can demonstrate appropriate
expertise, and is not a division of the publicly owned utility that operates as a
functional unit (i.e., a municipality could use its police department if it has the
appropriate expertise).
24. Publicly Owned Utilities shall conduct a program review of their Security
Plan and associated physical security program every five years after initial
approval of the Security Plan by their Board of Directors or City Council. Notice
of such approval action shall be provided to the Commission’s Safety and
Enforcement Division within 30 days of Plan adoption by way of copy of signed
resolution or letter by a responsible elected- or appointed official, or utility
director.
25. Pacific Gas and Electric Company, San Diego Gas & Electric Company,
Southern California Edison, PacifiCorp, Bear Valley Electric Service, and Liberty
CalPeco shall conduct a program review of their Security Plan and associated
physical security program every five years after Commission review of the first
iteration of the Security Plan.
26. A summary of the program review shall be submitted to the Safety and
Enforcement Division within 30 days of review completion.
27. In the event of a major physical security event that impacts public safety
or results in major sustained outages, all utilities shall preserve records and
evidence associated with such event and shall provide the Commission full
unfettered access to information associated with its physical security program
and the circumstances surrounding such event.
28. An Exemption Request Process shall be available to utilities whose
compliance would be clearly inappropriate or inapplicable or whose
participation would result in an undue burden and hardship.
29. Utilities shall provide to the Director of the Safety and Enforcement
Division and Energy Division copies of OE-417 reports submitted to the United
States Department of Energy (U.S. DOE) within two weeks of filing with
U.S. DOE.
30. Pacific Gas and Electric Company, San Diego Gas & Electric Company,
Southern California Edison, PacifiCorp, Bear Valley Electric Service, and Liberty
CalPeco (collectively, IOUs) shall seek recovery of costs associated with their
respective Distribution Security Programs in each IOU’s general rate case.
31. The utilities shall submit an annual report by March 31 each year
beginning 2020, reporting physical incidents that result in any utility insurance
claims, providing information on incident, location, impact on infrastructure and
amount of claim. The insurance claim disclosure reporting, as described in this
decision, should be included within a utility’s broader annual Physical Security
Report to the Commission due every March 31, beginning in 2020.
32. As appropriate, the requirements set forth in Phase I of this proceeding
shall apply to Alameda Municipal Power, City of Anaheim Public Utilities
Department, Azusa Light and Water, City of Banning Electric Department, Biggs
Municipal Utilities, Burbank Water and Power, Cerritos Electric Utility, City and
County of San Francisco, City of Industry, Colton Public Utilities, City of Corona,
Eastside Power Authority, Glendale Water and Power, Gridley Electric Utility,
City of Healdsburg Electric Department, Imperial Irrigation District, Kirkwood
Meadows Public Utility District, Lathrop Irrigation District, Lassen Municipal
Utility District, Lodi Electric Utility, City of Lompoc, Los Angeles Department of
Water & Power, Merced Irrigation District, Modesto Irrigation District, Moreno
Valley Electric Utility, City of Needles, City of Palo Alto, Pasadena Water and
Power, City of Pittsburg, Port of Oakland, Port of Stockton, Power and Water
Resources Pooling Authority, Rancho Cucamonga Municipal Utility, Redding
Electric Utility, City of Riverside, Roseville Electric, Sacramento Municipal
Utility District, City of Shasta Lake, Shelter Cove Resort Improvement District,
Silicon Valley Power, Trinity Public Utility District, Truckee Donner Public
Utilities District, Turlock Irrigation District, City of Ukiah, City of Vernon,
Victorville Municipal Utilities Services, Anza Electric Cooperative, Plumas-Sierra
Rural Electric Cooperative, Surprise Valley Electrification Corporation, and
Valley Electric Association.
33. This proceeding shall remain open so that the Commission may address
the issues presented in Phase II of this proceeding.
This order is effective today.
Dated January 10, 2019, at San Francisco, California.
MICHAEL PICKER
President
LIANE M. RANDOLPH
MARTHA GUZMAN ACEVES
CLIFFORD RECHTSCHAFFEN
Commissioners