The URL can be used to link to this page

Home My WebLink AboutStaff Report 12218City of Palo Alto (ID # 12218) City Council Staff Report Report Type: Consent Calendar Meeting Date: 9/13/2021 City of Palo Alto Page 1 Title: Adoption of a Resolution Approving the City of Palo Alto's 2021 Electric Utility Physical Security Plan From: City Manager Lead Department: Utilities Recommendation Staff recommends the City Council adopt a Resolution (Attachment A, Linked Document) approving the City of Palo Alto’s 2021 Electric Utility Physical Security Plan. Executive Summary In January 2019 the California Public Utilities Commission (CPUC) approved Decision 19-01- 0181, requiring all electric utilities to develop and implement a plan which identifies electric distribution assets that may require increased protection, and specifies measures to reduce risks to those facilities. Ensuring the safety of its facilities is a top priority for City of Palo Alto Utilities (CPAU), therefore, CPAU voluntarily participated in the CPUC’s Physical Security proceeding and has undertaken this assessment. The overarching goal of the City’s Utility Security Plan (Attachment B, Linked Document) is to describe CPAU’s risk management approach toward physical security, with appropriate consideration of resiliency, impact, and cost. Background On April 16, 2013, one or more individuals attacked equipment located within Pacific Gas and Electric Company’s (PG&E) Metcalf Transmission Substation, ultimately damaging 17 transformers. These individuals also cut nearby fiber-optic telecommunication cables owned by AT&T. In response, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop new physical security requirements, resulting in the creation of NERC’s critical infrastructure plan (CIP) standard CIP-0142. The goal of CIP-014 is to enhance physical security measures for the most critical substations and control centers in North America. Focused on the bulk power transmission system, CIP-014 does not cover distribution facilities owned by City of Palo Alto. 1 D 19-01-018 is available at: https://docs.cpuc.ca.gov/PublishedDocs/Published/G000/M260/K335/260335905.PDF. 2 https://www.nerc.com/_layouts/15/PrintStandard.aspx?standardnumber=CIP-014- 2&title=Physical%20Security&Jurisdiction=United%20States 3 Packet Pg. 10 City of Palo Alto Page 2 At the state level, Senator Jerry Hill authored Senate Bill (SB) 699 (2014), directing the California Public Utility Commission (CPUC) to “consider adopting rules to address the physical security risks to the distribution systems of electrical corporations.” The CPUC hosted a series of workshops to better understand the state of utility physical security protections and to seek input on refining their proposal. In order to support a statewide improvement of how utilities address distribution-level physical security risks, the California Municipal Utilities Association (CMUA), the statewide trade association for POUs, coordinated with the state’s investor-owned utilities (IOUs) to develop a comprehensive Straw Proposal3 (Joint IOU/POU Straw Proposal) for a process to identify at-risk facilities and, if necessary, develop physical security mitigation plans. As a member of CMUA, CPAU staff participated in the development of the Joint IOU/POU Straw Proposal through a CMUA working group, as well as through direct meetings with the IOUs. The Joint POU/IOU Straw Proposal set out a process: (1) identifying if the utility has any high priority distribution facilities; (2) evaluating the potential risks to those high priority distribution facilities; (3) for the distribution facilities where the identified risks are not effectively mitigated through existing resilience/security measures, developing a mitigation plan; (4) obtaining third party reviews of the mitigation plans; (5) adopting a document retention policy; (6) ensuring a review process established by the POU governing board; and (7) implementing information sharing protocols. In early 2019, the CPUC approved Decision (D.) 19-01-018, which adopted the Joint IOU/POU Straw Proposal with additional clarifications and guidance. CPAU is issuing this report to reflect its existing commitment to safety and to protecting its ratepayers’ investment by taking reasonable and cost-effective measures to safeguard key distribution system assets. Discussion CPAU utilized a multi-step process to develop this Utility Security Plan (Linked Document) that is consistent with the Joint IOU/POU Straw Proposal and D.19-01-018. The six steps of that process are: STEP 1: Assessment/Plan Development CPAU staff and/or consultants prepare a Draft Utility Security Plan (Linked Document) through the process set forth in Steps 1A, 1B, and 1C. STEP 1A: Identify Covered Distribution Facilities CPAU evaluates all distribution-level facilities in its service territory that are subject to its control to determine if any facility meets D.19-01-018’s definition of a “Covered Distribution Facility”4 using the seven factors identified in the Joint IOU/POU Straw Proposal. 3 Straw Proposal available at: https://www.cpuc.ca.gov/uploadedFiles/CPUCWebsite/Content/Safety/Risk_Assessment/physicalsecurity/R1506009- Updated%20Joint%20Straw%20Proposal%20and%20Cover%20083117%20Filing.pdf. 4 Per D.19-01-018 at 26, “covered is the utility working group term employed to describe those assets that are applicable, or that should be subject to physical security.” For purposes of this Plan, CPAU has determined that Covered Distribution Facilities 3 Packet Pg. 11 City of Palo Alto Page 3 STEP 1B: Perform risk assessment For every individual Covered Distribution Facility identified pursuant to Step 1A, CPAU performs an evaluation of the potential risks associated with a successful physical attack on that Covered Distribution Facility, and whether existing grid resiliency, back-up generation, and/or physical security measures appropriately mitigate identified risks. STEP 1C: Develop mitigation plan If there are any individual Covered Distribution Facilities where the Risk Assessment performed pursuant to Step 1B finds that the existing mitigation and/or resiliency measures do not effectively mitigate the identified risks, then CPAU will develop a Mitigation Plan for that Covered Distribution Facility. The Mitigation Plan will use a risk-based approach to select reasonable and cost-effective measures that can either be security focused (e.g., walls or alarms) or resiliency focused (e.g., adequate spare parts). STEP 2: Independent review For every Utility Security Plan cycle, CPAU will document the results of the identification process, risk assessment, and Mitigation Plan development performed pursuant to Steps 1A, 1B, and 1C. This documentation in combination with narrative descriptions constitutes CPAU’s Draft Utility Security Plan. Each Draft Utility Security Plan is submitted to a Qualified Third Party for Independent Review, which may be a governmental entity with demonstrated law enforcement expertise. The City’s Qualified Third-Party reviewer is the Palo Alto Office of Emergency Services. The Qualified Third-Party Reviewer will then issue an evaluation that identifies any potential deficiencies in the Draft Utility Security Plan as well as recommendations for improvements. The combination of the Draft Utility Security Plan, the non-confidential conclusions of the Qualified Third-Party Reviewer, and CPAU’s responses to the Qualified Third-Party Review will constitute CPAU’s Utility Security Plan. STEP 3: Validation CPAU submitted its Utility Security Plan to a Qualified Authority for validation on the overall adequacy of the Plan. The Qualified Authority must have sufficient familiarity with relevant federal, state and local standards regarding critical asset protection and emergency response. The City’s Fire Department agreed to serve as the Qualified Authority for this validation step, and will provide additional feedback and evaluation of CPAU’s Utility Security Plan and may deem the Utility Security Plan adequate. STEP 4: Adoption CPAU’s Utility Security Plan will be presented to and approved by the City Council at a public meeting. include Distribution Substations, but not Distribution Control Centers, since analysis of Distribution Control Centers is applicable to Investor Owned Utilities only (see pages 35 and 49 of D. 19-01-018.)” 3 Packet Pg. 12 City of Palo Alto Page 4 STEP 5: Maintenance CPAU will refine and update its Utility Security as appropriate and as necessary to preserve Plan integrity. STEP 6: Repeat process CPAU will repeat the above five steps at least once every five years. Council Adoption Staff has completed Steps 1 through 3, and Council is being asked to approve the Utility Security Plan (Step 4) via approval of the attached resolution (Linked Document), so that staff may provide notice to the CPUC upon adoption. Although CPUC’s original deadline for Council approval was July 10, 2021, CPAU, like many participating municipal utilities, required additional time to identify a qualified authority willing and able to review its Plan. Staff has informed CPUC of the updated timeline, which will be met upon Council approval of the attached resolution (Linked Document). Staff will be responsible for Steps 5 and 6, which is the ongoing plan maintenance and full review at least every five years. Stakeholder Engagement As a member of CMUA, CPAU staff participated in the development of the Joint IOU/POU Straw Proposal through a CMUA working group as well as through direct meetings with the IOUs. Following CPUC Decision 19-01-018, the CMUA coordinated with CPAU staff to develop the Utility Security Plan. Resource Impact Existing staff resources in engineering and the City Attorney’s Office developed the framework of the Plan, and the Plan itself. The Palo Alto Office of Emergency Services has performed the Qualified Third-Party Review. The Palo Alto Fire Department performed the Third-Party Qualified Authority Review at no cost to the City. Mitigation measures identified in the Plan include electric substation physical security capital improvement plans (e.g. security fence, lighting, and video upgrades) already in progress since FY19, with funding included in the FY 2021 Capital budget for EL-16003. Restoring resiliency to the electric power system feeding a Covered Facility after a potential security breach would be accomplished using existing staff and protocols in place for operation of electric equipment. Future mitigation measures identified as necessary will be approved annually through the Capital and Operating Budget process. Note that implementation of required mitigation could impact trees within substation perimeters, and as such staff will endeavor to minimize any such impacts. Policy Implications Adopting a resolution approving the Utility Security Plan is in line with the Utilities Strategic Plan to collaborate with government, trade, and regional agencies enhances our sphere of 3 Packet Pg. 13 City of Palo Alto Page 5 influence, allows us to identify common ground, and leverage economies of scale. (Priority #2, Strategy #4). Environmental Review The Council’s decision to approve the Utility Security Plan does not meet the California Environmental Quality Act’s (CEQA) definition of a project under Public Resources Code Section 21065 and CEQA Guidelines Section 15378(b)(5), because it is an operational activity which will not cause a direct or indirect physical change in the environment, and therefore, no environmental review is required. Individual upgrades or changes at utility facilities, if needed as a result of the City’s implementation of the Plan, will be analyzed under CEQA. Attachments: • Attachment3.a: Attachment A: Resolution • Attachment3.b: Attachment B: Electric Utility Security Plan 3 Packet Pg. 14 *Not Yet Passed* 6055477RV3 Resolution No. ________ Resolution of the Council of the City of Palo Alto Approving the City of Palo Alto’s 2021 Electric Utility Physical Security Plan R E C I T A L S A. On January 10, 2019, the California Public Utilities Commission (“CPUC”) approved Decision (D.) 19-01-018 (“Decision”) requiring all electric utilities to develop and implement a plan that (1) identifies electric distribution assets that require greater protection; and (2) specifies measures to reduce the identified risks and threats to those facilities (“Physical Security Plan”). B. While City of Palo Alto Utilities (CPAU), like other publicly owned utilities (POUs), is not subject to CPUC jurisdiction, safety is a top priority for POUs, so in the spirit of continued voluntary cooperation, CPAU and other POUs agreed to draft Physical Security Plans. C. The Physical Security Plan attached is the public report on CPAU’s physical security program for the electric distribution-level facilities that require evaluation under the Decision. D. The CPAU’s Physical Security Plan includes the following self-evaluation steps: a. Identifies covered distribution facilities by analyzing all distribution-level facilities in CPAU’s service territory, using seven screening factors. b. Assesses the potential risks associated with a successful physical attack on each covered facility and determines whether existing resiliency and/or physical security measures appropriately mitigate identified risks. c. Develops mitigation plans for any individual covered facilities as needed, using reasonable and cost-effective measures. E. The Plan also details ongoing maintenance practices and planned additions that will ensure the physical safety of the identified facilities. This includes descriptions of workforce training and imminent updates to facility designs, as needed. F. Independent review steps follow CPAU’s self-evaluation: a. Qualified Third-Party review. The Decision requires an entity independent of CPAU with law enforcement and physical security expertise, such as the Palo Alto Police Department, to evaluate and analyze the Physical Security Plan. The Palo Alto Police Department’s Office of Emergency Services (OES) performed the Qualified Third-Party review for this Plan in May, 2021, and supported the Plan’s findings. It asserted that the Plan’s proposed actions would increase overall 3.a Packet Pg. 15 *Not Yet Passed* 6055477RV3 resilience. It listed a few specific areas that CPAU could focus on for additional resiliency in the future, such as local generation and storage. CPAU agreed, also noting the importance of local generation and storage. b. Qualified Authority Validation. CPAU must submit its Utility Security Plan to a Qualified Authority for validation on the overall adequacy of the Plan. The Qualified Authority must have sufficient familiarity with relevant federal, state and local standards regarding critical asset protection and emergency response. The City’s Fire Department agreed to serve as the Qualified Authority for this validation step, provide additional feedback and evaluation of CPAU’s Utility Security Plan, and determine the Utility Security Plan’s adequacy. The Palo Alto Fire Department performed the Qualified Authority Validation for this Plan in August, 2021, and found that the plan logically identified known risks and provided reasonable mitigation plans. CPAU accepted this conclusion and restated its commitment to maintaining and improving its security measures. G. With the completion of the Qualified Third-Party review and Validation, staff is presenting the Physical Security Plan to Council for approval, and upon approval will provide notice to the CPUC. NOW, THEREFORE, the Council of the City of Palo Alto RESOLVES as follows: SECTION 1. The Council hereby adopts a resolution approving CPAU’s 2021 Electric Utility Physical Security Plan, as shown in Exhibit A, enabling CPAU to submit an executed copy of this Resolution as notice of the Plan’s approval to CPUC. SECTION 2. The Council directs CPAU staff to continue ongoing evaluation of the Physical Security Plan as appropriate and necessary to preserve the Plan’s integrity, with a goal of renewed evaluation every five years, as encouraged by CPUC guidelines. // // // // // // // // 3.a Packet Pg. 16 *Not Yet Passed* 6055477RV3 // SECTION 3. The Council finds that the adoption of this resolution does not meet the definition of a project under Public Resources Code Section 21065, thus, no environmental assessment under the California Environmental Quality Act is required at present. Individual upgrades or changes at utility facilities, if needed as a result of the City’s implementation of the Plan, will be analyzed under CEQA. INTRODUCED AND PASSED: AYES: NOES: ABSENT: ABSTENTIONS: ATTEST: __________________________ _____________________________ City Clerk Mayor APPROVED AS TO FORM: APPROVED: __________________________ _____________________________ Assistant City Attorney City Manager _____________________________ Director of Utilities 3.a Packet Pg. 17 CITY OF PALO ALTO ELECTRIC UTILITY SECURITY PLAN PUBLIC REPORT ON CITY OF PALO ALTO’S PHYSICAL SECURITY PROGRAM FOR ELECTRIC DISTRIBUTION- LEVEL FACILITIES May 5, 2021 3.b Packet Pg. 18 TABLE OF CONTENTS I. Overview .............................................................................................................................................. 4 A. Goal of Utility Security Plan ............................................................................................................ 4 B. Description of CPAU ....................................................................................................................... 4 C. Results of Utility Security PLan Assessment ................................................................................... 4 II. Background .......................................................................................................................................... 6 III. Plan development process ................................................................................................................ 8 A. Physical Security Principles ............................................................................................................. 8 B. Utility Security Plan Development Process ................................................................................... 8 STEP 1: Assessment/Plan Development ............................................................................................. 8 STEp 1A: Identify Covered Distribution Facilities ............................................................................... 8 STEP 1B: Perform risk assessment ........................................................................................................ 9 STEP 1C: Develop mitigation plan ..................................................................................................... 9 STEP 2: Independent review ............................................................................................................... 9 STEP 3: Validation ................................................................................................................................. 9 STEP 4: Adoption ................................................................................................................................ 10 STEP 5: Maintenance ......................................................................................................................... 10 STEP 6: Repeat process ..................................................................................................................... 10 IV. Identification of covered distribution faciliites (Step 1A) .............................................................. 10 A. Identification Factors .................................................................................................................... 10 B. Identification analysis ................................................................................................................... 11 V. Risk assessment (Step 1B) .................................................................................................................. 13 A. Methodology ................................................................................................................................. 13 B. Mitigation Measures ..................................................................................................................... 13 C. Risk Assessment ............................................................................................................................. 15 3.b Packet Pg. 19 VI. Covered Distribution Facility Mitigation plans (Step 1C) .............................................................. 18 VII. Independent evaluation and Response (Step 2) .......................................................................... 19 A. Requirements for qualified third party review ........................................................................... 19 B. Identification of third party reviewer .......................................................................................... 19 C. Public results of third party evaluation ....................................................................................... 19 D. CPAU REsponse ............................................................................................................................. 19 VIII. Validation (Step 3) ............................................................................................................................. 20 A. Selection of qualified authority ................................................................................................... 20 B. Results of qualified authority review ........................................................................................... 20 C. CPAU Response to Qualied authority review ............................................................................ 20 IX. Narrative Descriptions for Utility Security Plan ................................................................................ 21 A. Asset Management program ...................................................................................................... 21 B. Workforce training and retention program ............................................................................... 21 C. Preventative maintenance plan ................................................................................................ 21 D. Physical security Event Training ................................................................................................... 21 E. Communication infrastructure risk assessment ......................................................................... 22 F. Facility design Features ................................................................................................................ 22 3.b Packet Pg. 20 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 4 I.OVERVIEW A.GOAL OF UTILITY SECURITY PLAN Ensuring the safety of its facilities is a top priority for City of Palo Alto Utilities (CPAU), and CPAU prioritizes safety in all aspects of its design, operation, and maintenance practices. The overarching goal of this Utility Security Plan is to describe CPAU’s risk management approach toward distribution system physical security, with appropriate consideration of resiliency, impact, and cost. CPAU recognizes the importance of securing the safety and reliability of its electric system and, therefore, CPAU voluntarily participated in the California Public Utilities Commission’s (CPUC) Physical Security proceeding and has undertaken this assessment. In the spirit of continued voluntary cooperation, CPAU offers the following in response to CPUC Decision 19-01-018. B.DESCRIPTION OF CPAU CPAU is a municipal utility that operates in the charter city of Palo Alto, California. CPAU serves approximately 30,000 customers in an urban setting via 9 distribution substations consisting of 9 miles of subtransmission lines and 307 distribution lines across 26 square miles. Nine of these substations meet the definition of Distribution Substation1 as each is considered an electrical power substation associated with the distribution system and the primary feeders for supply to residential, commercial and/or industrial loads. C. RESULTS OF UTILITY SECURITY PLAN ASSESSMENT CPAU applied the methodology described in Section 3B of this document to identify Covered Distribution Facilities2, assess the risk of a successful physical attack, identify preliminary mitigation measures, secure Third Party Verification, and develop and implement a Final Security Plan, consistent with D.19-01-018. Three Covered Distribution Facilities’ loads, which serve a wastewater treatment facility and Level 1 trauma centers, are served by 2 substations. Based on this assessment, additional mitigation measures are recommended at 1 substation, to reduce the effective risk level from MID to LOW. The mitigation projects identified within this Plan will reduce this level from MID to LOW, including enhanced physical security protections to reduce the likelihood of 1 Per D.19-01-018 at 23, “The Joint Utility Proposal defines Distribution Substation as an electric power substation associated with the distribution system and the primary feeders for supply to residential, commercial and/or industrial loads. 2 Per D.19-01-018 at 25, note 49, “Distribution Facilities” include “A Distribution Substation or Distribution Control Center.” 3.b Packet Pg. 21 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 5 attack, and site improvement projects to eliminate access. All other Distribution Facilities have LOW or negligible risk and, consistent with the Joint Utility Proposal described in D.19-01-018, were not further evaluated. The City’s Office of Emergency Services (OES), on behalf of the Palo Alto Police Department, is the third party reviewing entity. The OES Chief is a sworn law enforcement officer. Palo Alto OES supports the internal risk and threat profiles identified by CPAU and the proposed mitigation measures and corrective actions. 3.b Packet Pg. 22 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 6 II.BACKGROUND On April 16, 2013, one or more individuals attacked equipment located within Pacific Gas and Electric Company’s (PG&E) Metcalf Transmission Substation, ultimately damaging 17 transformers. These individuals also cut nearby fiber-optic telecommunication cables owned by AT&T. In response to the attack, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop new physical security requirements, resulting in the creation of CIP-014. At the state level, Senator Jerry Hill authored SB 699 (2014), directing the CPUC to “consider adopting rules to address the physical security risks to the distribution systems of electrical corporations.” In response to SB 699, the CPUC’s Safety and Enforcement Division, Risk Assessment and Safety Advisory Section (RASA) prepared a white paper proposing a new requirement for investor owned utilities (IOUs) and publicly owned utilities (POUs) to develop security plans that would identify security risks to their distribution and transmission systems, and propose methods to mitigate those risks. The CPUC hosted a series of workshops to better understand the state of utility physical security protections and to seek input on refining their proposal. In order to support a statewide improvement of how utilities address distribution level physical security risks, the California Municipal Utilities Association (CMUA), which is the statewide trade association for POUs, coordinated with the state’s IOUs to develop a comprehensive Straw Proposal3 (Joint IOU/POU Straw Proposal) for a process to identify at-risk facilities and, if necessary, develop physical security mitigation plans. As a member of CMUA, CPAU staff participated in the development of the Joint IOU/POU Straw Proposal through a CMUA working group as well as through direct meetings with the IOUs. The Joint POU/IOU Straw Proposal set out a process for the following: (1) identifying if the utility has any high priority distribution facilities; (2) evaluating the potential risks to those high priority distribution facilities; (3) for the distribution facilities where the identified risks are not effectively mitigated through existing resilience/security measures, developing a mitigation plan; (4) obtaining third party reviews of the mitigation plans; (5)adopting a document retention policy; (6) ensuring a review process established by the POU governing board; and (7) implementing information sharing protocols. RASA filed a response4 to the Joint IOU/POU Straw Proposal that recommended various modifications and clarifications, including a six-step process. Additionally, RASA recommended that the utility mitigation plans include: (1) an assessment of supply chain vulnerabilities; (2) training programs for law enforcement and utility staff to improve communication during physical security events; and (3) an assessment of any nearby communication utility infrastructure that supports priority distribution substations. 3 Straw Proposal available at: https://www.cpuc.ca.gov/uploadedFiles/CPUCWebsite/Content/Safety/Risk_Assessment/physicalsecurity/R1506009- Updated%20Joint%20Straw%20Proposal%20and%20Cover%20083117%20Filing.pdf. 4 RASA Response available at: https://www.cpuc.ca.gov/uploadedFiles/CPUCWebsite/Content/Safety/Risk_Assessment/physicalsecurity/Final%20Staff%20Recommendation%20for%20Commission%20Consideration%20010318.pdf. 3.b Packet Pg. 23 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 7 In early 2019, the CPUC approved Decision (D.) 19-01-018, which adopted the Joint IOU/POU Straw Proposal as modified by the RASA proposal, with additional clarifications and guidance. D.19-01-018 clarified that where there is a conflict between the Straw Proposal and the RASA proposal, then it is the rule in the RASA proposal that controls.5 D.19-01-018 asserted that the POUs should utilize the Utility Security Plan process described therein. CPAU is following the process and issuing this report at this time to reflect its existing commitment to safety and to protecting its ratepayers’ investment by taking reasonable and cost-effective measures in an effort to safeguard key assets of its distribution system. 5 D.19-01-018 at 43, footnote 58 (“Should there be any question of which shall predominate should there be any incongruity or conflict between a utility or SED RASA recommended rule, the SED RASA rule shall apply.”). 3.b Packet Pg. 24 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 8 III. PLAN DEVELOPMENT PROCESS A. PHYSICAL SECURITY PRINCIPLES The Joint IOU/POU Straw Proposal seeks to support the creation of a risk management approach toward distribution system physical security, with appropriate considerations of resiliency, impact, and cost. In order to accomplish this risk-based approach, the Joint IOU/POU Straw Proposal identifies several principles to guide the development of each individual utility’s program. These principles are the following: 1. Distribution systems are not subject to the same physical security risks and associated consequences, including threats of physical attack by terrorists, as the transmission system. 2. Distribution utilities will not be able to eliminate the risk of a physical attack occurring, but certain actions can be taken to reduce the risk or consequences, or both, of a significant attack. 3. A one-size-fits-all standard or rule will not work. Distribution utilities should have the flexibility to address physical security risks in a manner that works best for their systems and unique situations, consistent with a risk management approach. 4. Protecting the distribution system should consider both physical security protection and operational resiliency or redundancy. 5. The focus should not be on all Distribution Facilities, but only those that risk dictates would require additional measures. 6. Planning and coordination with the appropriate federal and state regulatory and law enforcement authorities will help prepare for attacks on the electrical distribution system and thereby help reduce or mitigate the potential consequences of such attacks. B. Utility Security Plan Development Process CPAU utilized a multi-step process to develop this Utility Security Plan that is consistent with the Joint IOU/POU Straw Proposal and D.19-01-018. The relevant six steps of that process are the following: STEP 1: ASSESSMENT/PLAN DEVELOPMENT CPAU staff prepares a Draft Utility Security Plan through the process set forth in Steps 1A, 1B, and 1C. STEP 1A: IDENTIFY COVERED DISTRIBUTION FACILITIES 3.b Packet Pg. 25 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 9 CPAU will evaluate all distribution-level facilities in its service territory that are subject to its control to determine if any facility meets D.19-01-018’s definition of a “Covered Distribution Facility”6 using the seven factors identified in the Joint IOU/POU Straw Proposal. STEP 1B: PERFORM RISK ASSESSMENT For every individual Covered Distribution Facility identified pursuant to Step 1A, CPAU will perform an evaluation of the potential risks associated with a successful physical attack on that Covered Distribution Facility, and whether existing grid resiliency, back-up generation, and/or physical security measures appropriately mitigate identified risks. STEP 1C: DEVELOP MITIGATION PLAN If there are any individual Covered Distribution Facilities where the Risk Assessment performed pursuant to Step 1B finds that the existing mitigation and/or resiliency measures do not effectively mitigate the identified risks, then CPAU will develop a Mitigation Plan for that Covered Distribution Facility. The Mitigation Plan will use a risk-based approach to select reasonable and cost-effective measures that can either be security focused (e.g., walls or alarms) or resiliency focused (e.g., adequate spare parts). STEP 2: INDEPENDENT REVIEW For every Utility Security Plan cycle, CPAU will document the results of the identification process, risk assessment, and Mitigation Plan development performed pursuant to Steps 1A, 1B, and 1C. This documentation in combination with narrative description in Section IX below, constitutes CPAU’s Draft Utility Security Plan. Each Draft Utility Security Plan is submitted to a Qualified Third Party for Independent Review. The Qualified Third Party Reviewer will then issue an evaluation that identifies any potential deficiencies in the Draft Utility Security Plan as well as recommendations for improvements. CPAU will then modify its plan to address any identified deficiencies or recommendations, or will document the reasons why any recommendations were not adopted. The combination of the Draft Utility Security Plan, the non-confidential conclusions of the Qualified Third Party Reviewer, and CPAU’s responses to the Qualified Third Party Review will constitute CPAU’s Utility Security Plan. STEP 3: VALIDATION 6 Per D.19-01-018 at 26, “covered is the utility working group term employed to describe those assets that are applicable, or that should be subject to physical security.” For purposes of this Plan, CPAU has determined that Covered Distribution Facilities include Distribution Substations, but not Distribution Control Centers, since analysis of Distribution Control Centers is applicable to Investor Owned Utilities only (see pages 35 and 49 of D. 19-01-018.)” 3.b Packet Pg. 26 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 10 CPAU will submit its Utility Security Plan to a qualified authority for review. Such entity will provide additional feedback and evaluation of CPAU’s Utility Security Plan and, to the extent that this entity is authorized, such entity may deem the Utility Security Plan as adequate. STEP 4: ADOPTION CPAU’s Utility Security Plan will be presented to and adopted by City of Palo Alto Council at a public meeting. STEP 5: MAINTENANCE CPAU will refine and update the Utility Security as appropriate and as necessary to preserve plan integrity. STEP 6: REPEAT PROCESS CPAU will repeat this six step process at least once every five years. IV. IDENTIFICATION OF COVERED DISTRIBUTION FACILIITES (STEP 1A) As described in Section III, Step 1A of the Utility Security Plan process involves assessing all distribution-level facilities that are subject to the control of CPAU to determine which facilities are “Covered Distribution Facilities” subject to the need for a risk assessment. This Section describes the factors that CPAU used to evaluate its distribution facilities and the results of its evaluation. A. IDENTIFICATION FACTORS The Joint IOU/POU Straw Proposal defines seven screening factors to determine if a facility is a “Covered Distribution Facility.” Some factors require additional definitions and/or clarifications in order to be applied to CPAU’s facilities. The following Table provides the Joint IOU/POU Straw Proposal’s Factors as modified/clarified by CPAU. Factor Joint IOU/POU Straw Proposal Description Facilities Covered with Additional Clarifications 1 Distribution Facility necessary for crank path, black start or capability essential to the restoration of regional electricity service that are not subject to the California Independent System Operator’s (CAISO) operational control and/or subject to North American Electric Reliability Corporation (NERC) Reliability Standard CIP-014-2 or its successors CPAU has no black start facilities within its service territory. 2 Distribution Facility that is the primary source of electrical service to a military installation essential to national security and/or There are no military installations as defined here essential for national 3.b Packet Pg. 27 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 11 emergency response services (may include certain airfields, command centers, weapons stations, emergency supply depots) security or emergency response within CPAU’s service territory. 3 Distribution Facility that serves installations necessary for the provision of regional drinking water supplies and wastewater services (may include certain aqueducts, well fields, groundwater pumps, and treatment plants) CPAU has a regional Water Quality Control Plant in its service territory that provides wastewater services to the City of Palo Alto and surrounding cities with a combined population of over 100,000. See https://www.cleanbay.org/regional-water-quality-control-plant/regional- water-quality-control-plant 4 Distribution Facility that serves a regional public safety establishment (may include County Emergency Operations Centers; county sheriff’s department and major city police department headquarters; major state and county fire service headquarters; county jails and state and federal prisons; and 911 dispatch centers) There are no regional public safety establishments as defined here in CPAU’s service territory. 5 Distribution Facility that serves a major transportation facility (may include International Airport, Mega Seaport, other air traffic control center, and international border crossing) There are no major transportation facilities as defined here in CPAU’s service territory. 6 Distribution Facility that serves as a Level 1 Trauma Center as designated by the Office of Statewide Health Planning and Development CPAU identified two Level 1 Trauma Centers in its service territory – the Stanford Hospitals at two locations within Palo Alto. See https://stanfordhealthcare.org/for-patients-visitors/locations-and- parking.html 7 Distribution Facility that serves over 60,000 meters CPAU does not have a Distribution Facility that serves over 60,000 meters. CPAU serves 29,136 meters. See https://www.cityofpaloalto.org/civicax/filebank/documents/16777/ B. IDENTIFICATION ANALYSIS In performing this identification analysis, CPAU assessed all distribution level facilities that are subject to its exclusive control. The specific types of facilities include substations. Based on this scope, CPAU has identified 9 facilities that are subject to this identification analysis. Of these 9 facilities, 3 fall within 1 of the categories listed above. These 3 facilities listed below constitute CPAU’s “Covered Distribution Facilities.” The following table summarizes the results of CPAU’s identification analysis. 3.b Packet Pg. 28 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 12 Facility ID 1. Crank Path, Black Start 2. Military Installation 3. Regional Drinking Water/ Wastewater Services 4. Regional Public Safety 5. Major Transportation Facility 6. Level 1 Trauma Center 7. Over 60,000 Meters Substation 1 New Stanford Hospital at 500 Pasteur Drive Substation 2 Old Stanford Hospital at 300 Pasteur Drive Substation 3 Water Quality Control Plant at 2501 Embarcadero Way 3.b Packet Pg. 29 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 13 V. RISK ASSESSMENT (STEP 1B) A. METHODOLOGY Pursuant to the process identified in the Joint IOU/POU Straw Proposal and D.19-01-018, CPAU assessed the potential risks associated with a successful physical attack on each of the Covered Distribution Facilities identified in Section IV above. For purpose of this analysis, a physical attack is limited to the following: (1) theft; (2) vandalism; and (3) discharge of a firearm. A “successful physical attack” is limited to circumstances where a theft, vandalism, and/or the discharge of a firearm has directly led to the failure of any elements of the Covered Distribution Facility that are necessary to provide uninterrupted service to the specific load identified in Section IV. In order to perform this risk analysis, CPAU evaluated the relative risk that (1) a physical attack on a Covered Distribution Facility will be successful considering the protective measures in place; or (2) that the impacts of a successful attack will be mitigated due to resiliency and other measures in place. B. MITIGATION MEASURES D.19-01-018 identifies the specific mitigation measures that a utility should consider when performing this risk analysis. The following table lists these mitigation measures and provides CPAU’s additional clarifications that are necessary to apply these measures to CPAU’s territory. Measure D.19-01-018 Description Additional Clarification 1 The existing system resiliency and/or redundancy solutions (e.g., switching the load to another substation or circuit capable of serving the load, temporary circuit ties, mobile generation and/or storage solutions). CPAU evaluated the existing system’s resiliency and redundancy options. CPAU determined that no additional mitigation measures are needed, because all three CPAU Covered Distribution Facilities are fed from circuit feeders that are redundant or can be switched to another circuit feeder from another substation bank. 2 The availability of spare assets to restore a particular load. CPAU evaluated the type and number of compatible spare units available for the 3 Covered Distribution Facilities. CPAU determined that no additional mitigation measures are needed, because if primary circuit feeder breakers, switchgear, power transformers, bus, and/or bus equipment are damaged, the backup substation bank could be switched to the respective Covered Distribution Facility to restore service and prevent an extended outage. 3.b Packet Pg. 30 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 14 3 The existing physical security protections to reasonably address the risk. CPAU evaluated the site-specific physical security barriers and deterrents above and beyond standard physical security measures, such as remotely monitored alarm, lighting, camera systems, and security walls and fences on the Distribution Facility perimeters. Some of these measures, including minimal cameras and lighting, a secure fence at one of the facilities, and one door alarm, are currently in place for the 3 Covered Distribution Facilities. To enhance their physical security an upgrade is planned for 2022-2023. The construction set for the remaining security measures will be issued for bid in the Summer of 2021 (See 2021.0305 CPA PACKAGE 1 SUBSTATION LTG BID SET (1)). 4 The potential for emergency responders to identify and respond to an attack in a timely manner. CPAU evaluated each Covered Facility and determined that no additional mitigation measures are needed, based on the likelihood that a law enforcement officer could arrive at the Covered Distribution Facility within 15 minutes of a report from the public or from CPAU Utilities Dispatch that a facility alarm had been triggered.7 5 Location and physical surroundings, including proximity to gas pipelines and geographical challenges, and impacts of weather. CPAU evaluated this element based on the proximity of the Covered Distribution Facility to populated areas and the extent to which the interior of the facility is shielded from view and access due to walls, vegetation, or other physical obstructions. Only Substation 3’s physical surroundings may potentially be subject to added risk, due to the adjacent creek. To mitigate access from the creek adjacent to Substation 3, a concrete security wall is planned to be constructed in 2022. 6 History of criminal activity at the Distribution Facility and in the area. CPAU evaluated the property crime rates in the immediate vicinity of the 7 The City’s Police Department confirmed these response time estimates on March 10, 2021. 3.b Packet Pg. 31 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 15 Covered Distribution Facilities and compared those crimes rates to property crime rates for the county and the state to determine if the area is subject to a higher than average incidence of property related crimes. Based on this evaluation, a concrete security wall is planned to be constructed in 2022 surrounding Substation 3. 7 The availability of other sources of energy to serve the load (e.g., customer owned back-up generation or storage solutions). Of the three Covered Distribution Facilities, one, the New Stanford Hospital has full customer-owned back-up generation capability.8 8 The availability of alternative ways to meet the health, safety, or security. The risk levels and mitigation measures assessed as part of this Plan are sufficient to meet the needs served by CPAU’s critical load. 9 Requirements served by the load (e.g., back up command center or water storage facility). Inherent to the identification methodology considered, the critical loads and corresponding Covered Distribution Facilities were selected based on criteria above and lack of alternatives available to provide that service. Therefore, the requirements served by the load were already considered in the identification and not further contemplated as part of this assessment. C. RISK ASSESSMENT Based on the process described in the Joint IOU/POU Straw Proposal and the direction provided in D.19-01-018, CPAU has determined that existing programs and measures effectively mitigate the risks of a physical attack to LOW for 2 of the 3 Covered Distribution Facilities in Section IV. CPAU’s overall approach to security at all of these substations is to detect, delay or deter most potential adversaries in the timeframe needed to initiate a response that has a reasonable expectation of preventing or containing a catastrophic, negative event. CPAU’s overall prudent utility management and system resiliency measures already in place also serve as mitigation against any impacts of an attempted or successful attack. Physical security is accomplished through perimeter fence, electronic security, and lighting improvements. This applies to all three Covered Distribution Facilities. However, Substation 3 is 8 Confirmed by Stanford’s Assistant Chief Engineer on 4/8/21. 3.b Packet Pg. 32 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 16 assessed a risk level of MID due to its location and a modest level of increased criminal activity in that area compared to the others. 3.b Packet Pg. 33 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 17 The following table provides a summary of CPAU’s assessment of each mitigation measure for each Covered Distribution Facility. Facility ID 1. Existing Resiliency 2. Spare Assets 3. Existing Physical Security 4. Emergency Responders 5. Location 6. Criminal History 7. Back up Generation 8-9. Alternate Solution Risk Level Substation 1 Fully Effective Fully Effective In Place / Partly Effective PAPD, primary responder.9 Fully Effective Fully Effective Fully Effective N/A LOW Substation 2 Fully Effective Fully Effective In Place / Partly Effective PAPD, primary responder9 Fully Effective Fully Effective Fully Effective N/A LOW Substation 3 Fully Effective Fully Effective In Place / Partly Effective PAPD, primary responder9 In Place / Partly Effective In Place / Partly Effective Fully Effective N/A MID As identified above, based on the existing protection and control mitigation measures in place, 2 of the 3 Distribution Facilities have a LOW effective risk level. As it is CPAU’s goal to operate the distribution system at as low a risk level as practical, the risk of a successful physical security breach on these Distribution Facilities was determined to be properly mitigated at these 2 locations. However, one Covered Facility was assessed to be a MID level of risk, indicative that additional mitigation measures may be needed to properly reduce the effective risk level to LOW. This facility is discussed in Section VI. 9 While Palo Alto’s Police Department staff will be the primary responder in an emergency, the City of Palo Alto has mutual aid agreements in place with other local agencies that could be called upon as a backup if necessary. 3.b Packet Pg. 34 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 18 VI. COVERED DISTRIBUTION FACILITY MITIGATION PLANS (STEP 1C) Pursuant to the process identified in the Joint IOU/POU Straw Proposal and D.19-01-018, CPAU has determined that for 1 of the Covered Distribution Facilities that is subject to CPAU’s control, the existing mitigation measures may not effectively reduce the risk of a physical security attack to LOW. This section describes the Mitigation Plan that CPAU has developed for this Covered Distribution Facility. To protect the primary Distribution substation Facilities providing power to the Water Quality Control Plant wastewater facility, additional physical security matters could be taken at Substation 3 to mitigate the risk of attack to LOW. The Distribution Facilities at risk from vandalism and discharge of firearm are circuit feeder breakers, switchgear, power transformer, bus, and/or bus equipment. The risk level is due in part to potential access to the site from the adjacent creek. Thus, the mitigation plan is to enhance the remotely monitored alarms, lighting, and camera systems and add security walls on the Distribution Facility perimeters. A bid for construction of these security measures will be issued in the Spring of 2021. (See 2021.0305 CPA PACKAGE 1 SUBSTATION LTG BID SET (1)). The cost of the alarms, lighting, and camera systems at these Covered Distribution Facilities is estimated to be $500,000, with an estimated completion in 2023. The security walls are an additional $1,500,000 with an estimated completion in 2023. 3.b Packet Pg. 35 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 19 VII. INDEPENDENT EVALUATION AND RESPONSE (STEP 2) A. REQUIREMENTS FOR QUALIFIED THIRD PARTY REVIEW D.19-01-018 specifies the following criteria for a Qualified Third Party Reviewer: Independence: A Qualified Third Party Reviewer cannot be a division of the POU. A governmental entity can select as the third-party reviewer another governmental entity within the same political subdivision, so long as the entity has the appropriate expertise, and is not a division of the POU that operates as a functional unit, i.e., a municipality could use its police department as its third-party reviewer if it has the appropriate expertise. Adequate Qualifications: A Qualified Third Party Reviewer must be an entity or organization with electric industry physical security experience and whose review staff has appropriate physical security expertise, which means that it meets at least one of the following: (1) an entity or organization with at least one member who holds either an ASIS International Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; (2) an entity or organization with demonstrated law enforcement, government, or military physical security expertise; or (3) an entity or organization approved to do physical security assessments by the CPUC, Electric Reliability Organization, or similar electrical industry regulatory body. B. IDENTIFICATION OF THIRD PARTY REVIEWER CPAU has selected as its Third Party Reviewer the Palo Alto Police Department. The Palo Alto Police Department is a department of the City of Palo Alto, independent of CPAU. Both CPAU and the Palo Alto Police Department operate as independent functional units of the City of Palo Alto. The Palo Alto Police Department has demonstrated law enforcement and physical security expertise. C. PUBLIC RESULTS OF THIRD PARTY EVALUATION The City’s Office of Emergency Services (OES) has reviewed this document and supports the findings herein. OES further asserts that many of the proposed actions will also increase resilience to other threats and hazards, such as outlined in the Threat Hazard Identification and Risk Assessment (THIRA) report available on www.cityofpaloalto.org/thira. OES suggests that CPAU continue work to support local generation (renewables) and storage (battery systems), especially for key loads and systems, including: micro grids, distributed energy resources (DER), mobile/portable solar-battery systems, and so on. 3.b Packet Pg. 36 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 20 D. CPAU RESPONSE CPAU agrees with OES’ conclusions and recommendations. CPAU looks forward to continuing to enhance the safety and reliability of its electric distribution system, including continued emphasis on local generation, microgrids and distributed energy resources to support resiliency. VIII. VALIDATION (STEP 3) A. SELECTION OF QUALIFIED AUTHORITY As an additional level of review, the Utility Security Plan of any publicly owned utility (POU) must be submitted to a “qualified authority,” which must make a recommendation on the overall adequacy of the plan. CPAU has determined that the Palo Alto Fire Department has sufficient familiarity with relevant federal, state, and local standards relating to critical asset protection and emergency response in order to serve as the “qualified authority” for the review of CPAU’s Utility Security Plan. The Palo Alto Fire Department has relevant experience in its role as public safety. On August 6, 2021, CPAU received the Palo Alto Fire Department’s review of its draft Utility Security Plan. The scope of the Palo Alto Fire Department’s review is to assess the overall adequacy of plan, considering any relevant federal, state, local, and industry standards with which the Palo Alto Fire Department is familiar. B. RESULTS OF QUALIFIED AUTHORITY REVIEW The Palo Alto Fire Department’s level of review involved checking the Plan for basic adequacy. The Palo Alto Fire Department cannot opine on whether the Plan complies with the CPUC Order or other specific laws or standards. The Palo Alto Fire Department opinion is limited to “validating” the plan’s adequately in addressing key physical security risks to the CPAU substations, and the perceived effectiveness of the mitigation measures identified in the plan. The Palo Alto Fire Department has concluded that the plan appears logical and identifies known risks associated with the Substations of Palo Alto Utilities and provides reasonable mitigation plans to address those risks. C. CPAU RESPONSE TO QUALIED AUTHORITY REVIEW CPAU accepts the Palo Alto Fire Department’s conclusion and will endeavor to maintain and improve its security measures. 3.b Packet Pg. 37 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 21 IX. NARRATIVE DESCRIPTIONS FOR UTILITY SECURITY PLAN A. ASSET MANAGEMENT PROGRAM It is not feasible to maintain a stock of the wide variety of potential parts needs for the 3 Covered Facilities described here, due to the custom nature of most pieces and impracticality of managing that extensive and expensive stock. CPAU has one spare breaker that is lightly used and could serve as a spare; and CPAU’s fabrication shop could potentially remake a damaged bus. CPAU has determined that the best option for locating spare parts in an emergency is to contact the original equipment vendors via nameplate data. Securing a spare part via original vendors would occur within one day, if the part is currently manufactured or available via resellers. The process would begin with research to identify the part and manufacturer, then contact with the manufacturer’s representative for an emergency lead-time quote. For material that is currently manufactured, CPAU can typically source from the manufacturer’s spare stock or from a neighboring utility within 1 day. However, many of CPAU’s breakers, transformers, and switchgear are no longer manufactured. In this case, CPAU would contact resellers. If the part is available, it can be shipped within 1 day. If the part is not found, CPAU would do an emergency replacement of the entire system with an available material. This would take longer, perhaps weeks for a breaker and months for a transformer or switchgear lineup. B. WORKFORCE TRAINING AND RETENTION PROGRAM CPAU provides workforce training through apprentice programs,10 2000 hours of on the job training per year, 2 weeks of in classroom and practical field instruction training per year. CPAU staff also attend internal programs consisting of substation and distribution switching clearance procedures, and job briefings, to retain and share knowledge. As CPAU’s territory and staffing is small, the same staff that performs maintenance is cross-trained to effectively make repairs, with the addition of potentially available contractors. C. PREVENTATIVE MAINTENANCE PLAN CPAU’s primary mitigation plan is to use field switches to switch loads to alternative circuit feeders when one substation is inoperable. Staff executes special switching orders, moving the load around to deenergize switches and feeders, which present opportunities to exercise the switches. In addition, the alternative circuit feeders are currently energized with other loads, essentially placing them in standby mode, meaning the conductors and switches are warm and free of moisture and therefore readily available for use. D. PHYSICAL SECURITY EVENT TRAINING 10 Curriculum may be found here: https://lineman.edu/business/2021-lineman-apprenticeship-program-catalog/. 3.b Packet Pg. 38 CPAU Utility Security Plan May 5, 2021 – Step 2; Independent Review - Complete 22 CPAU ensures staff readiness through the regular workforce training programs described above, rather than through special event trainings. E. COMMUNICATION INFRASTRUCTURE RISK ASSESSMENT CPAU’s primary operation method for its distribution system is physical, in-person field operation of its infrastructure. Therefore, CPAUs vulnerability to communication threats is LOW. F. FACILITY DESIGN FEATURES CPAU is focusing on features that highlight potential attackers with outward facing lighting and accompanying infrared pan/tilt/zoom (PTZ) cameras, removing vegetation that provides hiding areas, and replacing climbable fence sections. In addition, CPAU will staff substations to the extent feasible during high threat situations, such as an elevated recommendation from the federal government regulatory agency, NERC. This could consist of a 24/7 presence, or a nightly presence, depending on the recommendation and severity of the threat. 3.b Packet Pg. 39