Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Application No.: A.19-08-013 Exhibit No.: SCE-15, Vol. 03 Witnesses: G. Haddox
(U 338-E)
2021 General Rate Case Rebuttal Testimony
Cybersecurity
Before the
Public Utilities Commission of the State of California
Rosemead, California June 12, 2020
SCE-15, Vol. 03: Cybersecurity
Table Of Contents
Section Page Witness
-i-
I. INTRODUCTION .............................................................................................1 G. Haddox
A. Summary of Rebuttal Position ...............................................................2
1. O&M Forecast Summary ...........................................................2
2. Capital Expenditure Summary ...................................................3
II. CYBERSECURITY ...........................................................................................4
A. O&M Expenses ......................................................................................4
1. SCE’s Application .....................................................................4
2. Cal Advocates ............................................................................4
a) Cal Advocates’ Position .................................................4
b) SCE’s Rebuttal to Cal Advocates’ Position ...................6
(1) Cal Advocates’ reduction related to IGAM activities relies on a misinterpretation of SCE’s data request response. ................................................6
(2) Cal Advocates’ reduction related to incremental IT/OT staffing relies on a misinterpretation of SCE’s data request response. ................................................7
(3) Although Cal Advocates supports SCE’s request for the additional staffing for the tech labs, Cal Advocates’ proposed use of the 2019 forecast for 2021 should be rejected. .................8
(4) Cal Advocates’ argument that the staffing to support the NIST should not be authorized due to its voluntary nature is misguided and should be rejected. ..............................................................9
SCE-15, Vol. 03: Cybersecurity
Table Of Contents (Continued)
Section Page Witness
-ii-
(5) Cal Advocates’ reduction related to incremental cybersecurity personnel to support the IT Disaster Recovery Program relies on a misinterpretation of SCE’s data request response. .......................10
(6) Cal Advocates’ argument for a reduction of non-labor forecast is without merit. ...................................................11
3. Conclusion ...............................................................................11
B. Capital Expenditures ............................................................................11
1. SCE’s Application ...................................................................12
2. Cal Advocates ..........................................................................13
a) Cal Advocates’ Position ...............................................13
b) SCE’s Rebuttal to Cal Advocates’ Position .................13
(1) Cal Advocates’ Recommendation does not address the cybersecurity initiatives scheduled for 2021 which cause the higher level of expenditures as compared to 2019 and 2020. ..........................................................14
(2) Cal Advocates’ recommendation of two-year average for Grid Modernization Cybersecurity is not appropriate as the recorded costs in 2018 were significantly reduced due to changing priorities within the company ...........................................................15
3. Conclusion ...............................................................................16
Appendix A Data Request Responses
Appendix B Workpapers
1
I. 1
INTRODUCTION 2
In Exhibit SCE-04, Volume 3, SCE presents its Operations and Maintenance (O&M) expense 3
forecast for the Test Year 2021 and 2019-2023 capital expenditures forecast for the Cybersecurity 4
Business Planning Element (BPE). This includes Cybersecurity and Information Technology (IT) 5
Compliance activities and cybersecurity infrastructure for SCE’s broader Grid Modernization effort 6
detailed in Exhibit SCE-02, Vol. 4. SCE’s forecasts reinforce the cyber-safe environment essential for 7
our delivery of safe, reliable, affordable, and clean power to our customers. That volume also describes 8
the scope of work, key drivers for the work, and legal requirements that impact the level of O&M and 9
capital requested to support and successfully implement Cybersecurity activities. 10
As further discussed throughout Exhibit SCE-04, Volume 3, SCE has undertaken several key 11
initiatives to address the growth of cyberattacks in both volume and sophistication. The significant cyber 12
threats from foreign adversaries seeking to exploit vulnerabilities in the US Bulk-Power System (BPS) 13
resulted in the issuance of a new Presidential Executive Order on May 1, 2020 (Executive Order).1 To 14
mitigate these threats, the Executive Order prohibits transactions that have a nexus with any foreign 15
adversary; authorizes the Secretary of Energy to establish designating criteria for equipment and vendors 16
as “pre-qualified”; requires identification of now prohibited BPS equipment already in use; and 17
establishes a Task Force on Federal Energy Infrastructure Procurement Policies Related to National 18
Security. It also instructs agencies to take “all appropriate measures within their authority” to implement 19
the Executive Order. The Executive Order further reinforces the justification for and reasonableness of 20
SCE’s Cybersecurity BPE forecasts which seek to protect against the ever-growing threat of 21
cyberattacks on its electric infrastructure. 22
The purpose of this testimony is to address the various recommendations raised by the Public 23
Advocates Office (Cal Advocates) related to SCE’s proposals for Cybersecurity related forecast for 24
operations and maintenance (O&M) expenses for the Test Year 2021 and capital expenditures for 2019 25
through 2021. No other party submitted testimony opposing SCE’s Cybersecurity BPE O&M forecast 26
for Test Year 2021 and capital forecast from 2019-2023. 27
1 https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/.
2
A. Summary of Rebuttal Position 1
The forecasts for the Cybersecurity BPE’s O&M expense and capital expenditures of SCE and 2
Cal Advocates are shown in the following tables. Table I-1 provides a summary of the 2021 O&M 3
forecast for SCE and Cal Advocates, along with the variances from SCE’s forecast where applicable 4
Table I-1 Cybersecurity
2021 O&M Forecast Summary of SCE and Cal Advocates Position
(2018 Constant $000)
Table I-2 provides a summary of Cybersecurity BPE capital expenditure forecast from 2019 to 5
2021 of SCE and Cal Advocates, along with the variance from SCE’s forecast. 6
Table I-2 Cybersecurity
Capital Expenditures 2019-2021 Forecast Summary of SCE, Cal Advocates, and TURN Position
(Nominal $000)
1. O&M Forecast Summary 7
Table I-3 shows the recorded amounts for 2014-2018 and the forecast for 2021 of SCE 8
and Cal Advocates. For the Cybersecurity BPE O&M forecast, Cal Advocates proposed changes to 9
SCE’s forecasts in several Cybersecurity GRC activities. SCE will address the issues raised by Cal 10
Advocates recommendations related to the Cybersecurity BPE O&M forecast for 2021 in the 11
corresponding chapters below. 12
SCECal
Advocates1 Cybersecurity Delivery & IT 32.232$ 20.928$ (11.304)$ 32.232$ 2 Grid Modernization Cybersecurity 0.617$ 0.617$ -$ 0.617$ 3 Software License & Maintenance 5.733$ 5.733$ -$ 5.733$
Total 38.582$ 27.278$ (11.304)$ 38.582$
Line No.
Business Planning Elements2021 Forecast
Variance from SCE
SCE Rebuttal Position
SCEApplication
SCEAdjustment
SCE Revised Forecast
Cal Advocates
1 Cybersecurity Delivery and IT Compliance 138,285$ (656)$ 137,630$ 118,558$ (19,072)$ 137,630$
2 Grid Mod Cybersecurity 95,897$ (408)$ 95,489$ 76,194$ (19,295)$ 95,489$
3 Total 234,182$ (1,063)$ 233,119$ 194,752$ (38,367)$ 233,119$
SCE Rebuttal Position
Variance from SCE
2019 - 2021 ForecastLine No.
Business Planning Element
3
Table I-3 Cybersecurity
2014-2018 Recorded/2021 Forecast Summary of SCE and Cal Advocates Position
(2018 Constant $000)
2. Capital Expenditure Summary 1
Table I-4 provides the recorded expenditures for 2014-2019 and the forecast for 2020-2
2021 for SCE. As described in SCE-12,2 SCE proposes the Commission authorize SCE’s 2019 capital 3
forecast to reflect 2019 recorded levels and has updated its forecast accordingly. Cal Advocates 4
proposes reductions to SCE’s forecasts in several GRC activities within the Cybersecurity BPE. SCE 5
will address the issues raised by Cal Advocates’ recommendations related to SCE’s 2019 - 2021 Capital 6
Expenditures forecast in the corresponding chapters below. 7
Table I-4 Cybersecurity Capital Expenditures
2014-2018 Recorded/2019-2021 Forecast Summary of SCE Position
2 Refer to SCE-12, Volume 1, Section V.
2014 2015 2016 2017 2018 SCECal
Advocates1 Cybersecurity Delivery and IT Compliance 12,020$ 13,148$ 14,987$ 11,892$ 14,872$ 32,232$ 20,928$ (11,304)$ 32,232$ 2 Grid Mod Cybersecurity -$ -$ (53)$ 197$ 3,193$ 617$ 617$ -$ 617$ 3 Cyber Software License and Maintenance 1,907$ 2,302$ 1,504$ 1,697$ 2,367$ 5,733$ 5,733$ -$ 5,733$ 5 Total 13,927$ 15,450$ 16,438$ 13,786$ 20,432$ 38,582$ 27,278$ (11,304)$ 38,582$
Line No.
Cybersecurity SCE Recorded SCE
Rebuttal Position
Variance from SCE
2021 Forecast
2014 2015 2016 2017 2018 2019* 2020 2021Total
2020-20211 NERC CIP 2,763$ 384$ (2)$ -$ 2,656$ 3,208 2,478$ 5,478$ 11,164$ 2 Perimeter Defense 12,194$ 11,771$ 5,687$ 18,158$ 14,308$ 16,099 19,452$ 37,577$ 73,129$ 3 Data Protection 8,183$ 9,000$ 3,652$ 10,440$ 2,449$ 5,991 7,268$ 8,571$ 21,830$ 4 Interior Defense 4,717$ 7,408$ 7,801$ 10,128$ 7,216$ 8,254 8,103$ 8,107$ 24,464$ 5 SCADA Cybersecurity -$ -$ -$ -$ -$ 2,448 2,549$ 2,551$ 7,549$ 6 Grid Mod Cybersecurity -$ -$ 2,901$ 14,999$ 21,267$ 25,702 24,542$ 45,245$ 95,489$ 7 Total 27,857$ 28,563$ 20,039$ 53,725$ 47,896$ 61,702$ 64,392$ 107,530$ 233,624$
*2019 forecast as of filing
Lin
e #
Business Planning ElementSCE Recorded SCE Forecast
4
II. 1
CYBERSECURITY 2
A. O&M Expenses 3
SCE’s Test Year 2021 O&M forecast for the Cybersecurity BPE is outlined in Table II-5 below. 4
The table provides the recorded amounts for 2014 – 2018 and the Test Year 2021 forecast of SCE and 5
Cal Advocates. For the Cybersecurity O&M forecast, Cal Advocates proposes forecast reductions to five 6
GRC activities, which are detailed in the pages that follow. Cal Advocates does not oppose SCE’s 7
forecasts for Cybersecurity Software License and Maintenance or Grid Mod Cybersecurity. No other 8
party submitted testimony opposing the Cybersecurity O&M forecast for Test Year 2021. 9
Table II-5 Cybersecurity
2014-2018 Recorded/2021 Forecast Summary of SCE and Cal Advocates Position
(2018 Constant $000)
1. SCE’s Application 10
The Test Year 2021 forecast for the Cybersecurity BPE is primarily driven by the risks 11
identified in SCE’s Risk Assessment and Mitigation Phase (RAMP) submission and the resources 12
needed to address those risks. As the grid is modernized and new technologies are implemented, there is 13
a concurrent increase in the need to integrate information technology with operational technology and to 14
identify threats and mitigate vulnerabilities and the associated costs are reflected in the forecast. 15
2. Cal Advocates 16
a) Cal Advocates’ Position 17
Table II-6 below provides a summary of Cal Advocates recommendations. 18
2014 2015 2016 2017 2018 SCECal
Advocates1 Total Labor 8,184$ 9,301$ 9,449$ 9,107$ 8,941$ 20,114$ 14,853$ (5,129)$ 20,114$ 2 Cybersecurity Delivery and IT Compliance 8,175$ 9,290$ 9,430$ 9,088$ 8,796$ 19,982$ 14,853$ (5,129)$ 19,982$ 3 Grid Mod Cybersecurity -$ -$ 12$ 17$ 141$ 131$ 131$ -$ 131$ 4 Cyber Software License and Maintenance 9$ 11$ 7$ 2$ 4$ -$ -$ -$ -$ 5 Total Non-Labor 5,744$ 6,149$ 6,990$ 4,679$ 11,491$ 18,468$ 6,075$ (6,175)$ 18,468$ 6 Cybersecurity Delivery and IT Compliance 3,846$ 3,859$ 5,557$ 2,804$ 6,075$ 12,250$ 6,075$ (6,175)$ 12,250$ 7 Grid Mod Cybersecurity -$ -$ (65)$ 180$ 3,052$ 485$ 485$ -$ 485$ 8 Cyber Software License and Maintenance 1,898$ 2,290$ 1,498$ 1,695$ 2,364$ 5,733$ 5,733$ -$ 5,733$ 9 Total (L/NL) 13,928$ 15,450$ 16,439$ 13,786$ 20,432$ 38,582$ 20,928$ (11,304)$ 38,582$
SCE Rebuttal
PositionLin
e #
CybersecuritySCE Recorded 2021 Forecast
Variance from SCE
5
Table II-6 Summary of SCE and Cal Advocates Position
(2018 Constant $000)
Cal Advocates recommends a Test Year 2021 forecast of $27.278 million, a 1
reduction of $11.304 million from SCE’s forecast. Cal Advocates’ reductions impact both the labor and 2
the non-labor forecasts. SCE notes Cal Advocates’ reductions appear to total $11.095 million as opposed 3
to the $11.304 million figure cited in Cal Advocates’ testimony.3 While SCE attempted to clarify the 4
amount of Cal Advocates’ recommended reduction via data request, Cal Advocates’ response only 5
restated the amount of $11.304 million without explaining how that amount was derived.4 This restated 6
figure remains inconsistent with the total of the proposed reductions as shown in Table II-6 above. 7
For labor expenses, Cal Advocates recommends a forecast of $14.853 million, a 8
reduction of $5.129 million from SCE’s request of $19.982 million. Cal Advocates starts from 9
“forecasted 2019 as the basis for the labor forecast,”5 and rejects SCE’s adjustments to the Test Year 10
2021 labor forecast as follows: (1) $900,000 for “additional staffing to support IGAM”, stating “SCE 11
will be shifting staff to support IGAM in future years” from the existing, legacy system;6 (2) $1.920 12
million for information technology/operational technology (IT/OT) integration, stating SCE has 13
provided “no actual support as to what positions would be hired, or what workload would be beyond 14
3 Exhibit PAO-07, pp. 2 and 4 (Table 7-2) (both show the $11.304 million figure).
4 See Cal Advocates response to SCE-PubAdv-013-MC (attached as Appendix A-1 – A-3).
5 Exhibit PAO-07, p. 22.
6 Id.
Cal Advocates Recommended Reductions Labor Non-Labor TotalsIGAM (900)$ -$ (900)$ IT/OT (1,920)$ -$ (1,920)$ Tech Labs (900)$ -$ (900)$ NIST Gap assessment (900)$ -$ (900)$ Disaster Recovery Activities (300)$ -$ (300)$ Non-Labor Recommendations ‐$ (6,175)$ (6,175)$
Total Recommended Reductions (4,920)$ (6,175)$ (11,095)$
Summary of Cal Advocates Positions
6
today’s base level”;7 (3) $900,000 for National Institute of Standards and Technology (NIST) gap 1
assessment “due to the [NIST] framework being voluntary and not mandatory”;8 (4) $300,000 increase 2
for “additional personnel to collaborate with the Business Resiliency personnel due the two departments 3
already having strong communication and bi-weekly team meetings”;9 and (5) $900,000 for additional 4
staffing for the tech labs, arguing that “use of SCE’s forecasted 2019 forecast as a base year and the 5
additional staff would have been hired in 2019.”10 6
For non-labor test year expenses, Cal Advocates proposes $6.075 million, a 7
reduction of $6.175 million from SCE’s forecast of $12.250 million. Cal Advocates observes that SCE’s 8
forecast is “significantly higher by double to quadruple the recorded amounts in 2014 through 2018” and 9
concludes that “[u]sing recorded 2018 costs is more appropriate because SCE has not adequately 10
supported or shown the need for a significant increase in non-labor costs.”11 11
b) SCE’s Rebuttal to Cal Advocates’ Position 12
Cal Advocates’ recommendations for reductions in multiple GRC activities 13
should be rejected as detailed in the sections below. 14
(1) Cal Advocates’ reduction related to IGAM activities relies on a 15
misinterpretation of SCE’s data request response. 16
In support of its reduction for IGAM-related labor cost increases in the 17
Test Year, Cal Advocates cites to SCE’s response to PubAdv-SCE-079, Question 6.a, which asked “Will 18
the employees currently working on the IAM be reassigned to work on the IGAM?” In its response, SCE 19
confirms that employees maintaining the IAM (the platform that will be replaced by IGAM) will be 20
shifted to support the IGAM program in future years.12 Cal Advocates misconstrues SCE’s response to 21
mean that IGAM program support will be limited to only those SCE employees who are currently 22
maintaining IAM and ignores SCE’s workpapers (submitted with its direct testimony in September 23
2019) showing the incremental staffing for the IGAM program to provide IGAM operational and 24
7 Exhibit PAO-07, p. 23.
8 Id.
9 Id.
10 Id.
11 Exhibit PAO-07, pp. 23-24.
12 See SCEs response to data request PubAdv-SCE-079-MW5, Q.6a, attached in Appendix A at p. A-4.
7
compliance support as and IGAM Application and system onboarding.13 As the IGAM will be classified 1
as a High Impact NERC CIP asset, this classification mandates meeting specific regulatory 2
requirements14 and further supports the need for incremental staffing to onboard IGAM hardware and 3
applications and to provide ongoing operational support and maintenance. As the IGAM program 4
requires both shifting existing SCE staff maintaining the IAM and adding staff to address the additional 5
activities associated with the IGAM program, Cal Advocates’ recommendation should be rejected as 6
unsupported. 7
(2) Cal Advocates’ reduction related to incremental IT/OT staffing relies 8
on a misinterpretation of SCE’s data request response. 9
In support of its reduction of labor costs associated with incremental 10
staffing IT/OT activities, Cal Advocates cites to SCE’s response to PubAdv-SCE-079-MW5 Q.6.b. This 11
data request states, “Will current SCE staff being trained to work on IT/OT?” In response, SCE 12
affirmatively responded and also noted that additional staffing will be needed with specialized expertise 13
beyond the traditional cybersecurity infrastructure to support integrating modern grid assets in a secure 14
manner.15 Notwithstanding, Cal Advocates claims this data request response supports the proposition 15
that IT/OT activities will not exceed “today’s base level” due to “SCE’s plan to train current staff.”16 16
Beyond SCE’s response stating that “IT/OT drives an emerging need to 17
have specialized expertise beyond the traditional cybersecurity infrastructure to support integrating 18
modern grid assets in a secure manner”, SCE’s direct testimony and workpapers and additional data 19
request responses support the need for incremental staffing to address the level of work associated with 20
IT/OT activities during the Test Year.17 This initiative considers the vast number of cybersecurity 21
processes that must be modified and added as T&D and software vendors integrate analog equipment 22
with digital equipment. 23
13 Exhibit WPSCE04V03, p. 83, attached in Appendix B at p. B-1.
14 https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-004-6.pdf.
15 Exhibit PAO-7, Workpapers, p. 13.
16 Exhibit PAO-7, p. 23.
17 See Exhibit PAO-07, Workpapers, p. 13 (SCEs response to data request PubAdv-SCE-079-MW5 Q.6.b); Exhibit SCE-04, Volume 3, p. 22; SCE-04, Volume 3, Workpapers, p. 83 (attached as Appendix B-1) and SCE’s response to data request PubAdv-SCE-079-MW5 Q. 9.a (attached as Appendix A-5 – A-6 to this volume).
8
To the extent Cal Advocates now seeks further information concerning the 1
specific nature of the positions, the following list provides a description and job duties for the additional 2
staff required: 3
Security Architects designing security solutions into systems to 4
preempt potential threats 5
Risk Assessors assessing potential threats based on current system 6
security measures and recommending enhancements, conducting 7
periodic system tests, continuous monitoring of network security, and 8
analyzing and collecting data about existing systems and environments 9
Security Engineers implementing business technologies with 10
monitoring tools to detect security breaches or intrusions, and 11
designing strategies to protect the IT/OT networks from unauthorized 12
access 13
Penetration Testers conducting penetration testing of systems once 14
they have been engineered to identify vulnerabilities. 15
Given the critical need to protect against threats exposed by the integration 16
of operational technology (analog) with information technology (digital), Cal Advocates’ 17
recommendation to disallow the incremental staffing needed to support this need should be rejected. 18
(3) Although Cal Advocates supports SCE’s request for the additional 19
staffing for the tech labs, Cal Advocates’ proposed use of the 2019 20
forecast for 2021 should be rejected. 21
As explained in both its testimony and in response to data requests, SCE’s 22
hiring for tech labs positions will begin in 2019, but additional positions will be added in the two 23
subsequent years.18 Cal Advocates’ proposal to utilize the 2019 forecast for these labor costs in 2021 24
reflects a misinterpretation of SCE’s data request response and testimony. Although SCE began hiring 25
for those five full-time positions starting in 2019, the 2019 forecast for the tech lab positions does not 26
reflects the costs of a full year for all five positions. In contrast, the Test Year forecast reflects the 27
filling of all five positions by the start of 2021. As Cal Advocates does not dispute the need for all five 28
18 Exhibit SCE-04, Vol. 3, p. 23; see also, SCE’s response to data request PubAdv-SCE-079-MW5 Q.6.b,
(attached as Appendix A-3).
9
positions for the SCE tech labs, Cal Advocates’ proposal to use 2019 forecast costs for 2021 should be 1
rejected. 2
(4) Cal Advocates’ argument that the staffing to support the NIST should 3
not be authorized due to its voluntary nature is misguided and should 4
be rejected. 5
As stated in testimony, SCE requires additional staff to perform NIST gap 6
assessments to our policies and standards and enhance our ability to prevent, detect, and respond to 7
cyberattacks in accordance with the NIST Cybersecurity Framework.19 While the NIST Cybersecurity 8
Framework is not mandated by law, those guidelines are nationally recognized as the model for 9
cybersecurity and in use by private-sector owners and operators of critical infrastructure throughout the 10
United States and federal and state agencies across all sixteen critical infrastructure sectors.20 By 11
meeting these guidelines, SCE leverages these recognized best practices and common security 12
nomenclature in a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-13
related risk. 14
The NIST Cybersecurity Framework was developed by industry, 15
academia, and government stakeholders in response to Presidential Executive Order (EO) 13636, 16
Improving Critical Infrastructure Cybersecurity, which was issued in 2013.21 Per the EO, “[i]t is the 17
policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure 18
and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity 19
while promoting safety, security, business confidentiality, privacy, and civil liberties.” As computing 20
technology increases in complexity and interconnectedness within the operational and information 21
technology environments, utilities must remain at the forefront of securing underlying systems, 22
component products, and related vendor services to support the economic and national security interests 23
of the United States. SCE leverages this framework within the critical infrastructure space in line with 24
other investor owned utilities, financial institutions, and government entities. 25
As stated in testimony, SCE requires additional staff to perform these gap 26
assessments against our current policies and standards as new versions of this framework are released to 27
19 Exhibit SCE-04, Vol.3, p. 23.
20 https://www.nist.gov/industry-impacts/cybersecurity-framework.
21 https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/eo-13636.
10
address new technology and evolving threats to prevent, detect, and respond to cyberattacks attacks 1
against critical infrastructure. While the Commission has not explicitly mandated the adoption the NIST 2
Cybersecurity Framework to date, SCE’s proactive adoption helps mitigate cybersecurity risks to our 3
customers and the general public. This additional staffing directly supports this effort by establishing the 4
appropriate security baselines to efficiently leverage the NIST Cybersecurity Framework. Accordingly, 5
Cal Advocates’ recommendation to disallow funding for the incremental staffing supporting this 6
initiative solely due to the absence of a formal mandate should be rejected. 7
(5) Cal Advocates’ reduction related to incremental cybersecurity 8
personnel to support the IT Disaster Recovery Program relies on a 9
misinterpretation of SCE’s data request response. 10
In support of its reduction of labor costs associated with incremental 11
cybersecurity staff to collaborate with Business Resiliency personnel for SCE’s IT Disaster Recovery 12
program, Cal Advocates cites to SCE’s response to PubAdv-SCE-079-MW5 Q.7.c. While SCE 13
acknowledges there exists a bi-weekly collaboration with Business Resiliency, Cal Advocates fails to 14
acknowledge the complete data request response which explains the need for the incremental staff. As 15
set forth therein, “[i]n order to maintain and mature the Business Resiliency and IT Disaster Recovery 16
Programs in a complex computing environment and changing utility environment, additional personnel 17
are required for these governance and infrastructure efforts.”22 18
SCE’s Business Resiliency departments leads the Business Impact 19
Analysis (BIA) process, which is an enterprise-wide governance body to allow for “the functional 20
prioritization of business continuity and disaster recovery plans of critical IT applications and assets to 21
manage the continuity of operations during an emergency”.23 This effort requires the support of 22
“additional staff [who] will be responsible for the creation, training and exercising of emergency plans, 23
processes and procedures associated with critical IT systems and applications”.24 Cal Advocates’ 24
recommendation disregards the critical need for additional cybersecurity staff dedicated to supporting 25
the advancement of the IT-focused disaster recovery efforts and should be rejected. 26
22 See SCEs response to data request PubAdv-SCE-079-MW5 Q.7.c, (attached as Appendix A-6 – A-7).
23 Exhibit SCE-04, Vol.1, p. 12.
24 Exhibit SCE-04, Vol. 3, pp. 23 – 24.
11
(6) Cal Advocates’ argument for a reduction of non-labor forecast is 1
without merit. 2
Cal Advocates’ recommendation to use 2018 recorded non-labor costs for 3
the Test Year forecast ignores SCE’s detailed support for increased non-labor costs in the Test Year 4
associated with additional activities identified in SCE’s RAMP report. As stated in testimony and 5
consistent with the RAMP Report, SCE forecasts a higher and recurring need to utilize industry 6
consultants to perform additional evaluations of our cybersecurity protections (specifically for Perimeter 7
Defense, Interior Defense, Data Protection, and SCADA Cybersecurity programs).25 Third-party 8
consultants are needed to augment existing staff with their specialized expertise and experience 9
performing comparable work for other utilities and companies in other sectors and to conduct 10
independent assessments or evaluations.26 While asserting the increase was unsupported, Cal Advocates 11
failed to identify any deficiencies or otherwise dispute the detailed materials supporting SCE’s Test 12
Year non-labor costs expense and its recommendation should be rejected. 13
3. Conclusion 14
In summary, the Commission should reject Cal Advocate’s recommendations and adopt 15
SCE’s Test Year 2021 forecast for the Cybersecurity BPE. Cal Advocates’ arguments are meritless and 16
make no effort to dispute SCE’s testimony, workpapers and data request responses supporting the need 17
for incremental staffing and outside consultant costs. SCE’s forecast increases are further supported by 18
the recent issuance of the new Presidential Executive Order on May 1, 2020 discussed in Chapter I of 19
this volume. The supporting materials and record provide a comprehensive, detailed forecast for 20
Cybersecurity Delivery & IT Compliance labor and non-labor activities that occur in the Test Year 2021 21
and should be adopted as requested. 22
B. Capital Expenditures 23
SCE’s capital forecast for the Cybersecurity BPE is outlined in Table II-7 below. The table 24
provides the recorded amounts for 2014 – 2019 and the forecast for 2020-2021. SCE’s recorded 2019 25
capital expenditures were $9.640 million above the 2019 capital forecast submitted with SCE’s GRC 26
application. The higher level of expenditures than initially forecast was primarily due to identified 27
critical vulnerabilities within tech labs and perimeter infrastructure that required immediate remediation. 28
25 Exhibit SCE-04, Vol.3, p. 24 and WPSCE04V03, p. 85, in Appendix B.
26 Exhibit SCE-04, Vol. 3, p. 29 and RAMP Report p. 6-32 to 6-34, in the Appendix B.
12
SCE notes Cal Advocates is inconsistent in recommending adoption of SCE’s 2019 initial forecast 1
versus 2019 recorded expenditures for the Cybersecurity BPE where it results in a forecast increase, as 2
contrasted with Cal Advocates’ recommendation to utilize 2019 recorded expenditures in other BPEs, 3
such as Physical Security, where doing so results in a forecast decrease.27 4
For the Cybersecurity BPE capital forecast, Cal Advocates proposed the use of two-year average 5
methodologies for two GRC activities, which are detailed in the pages that follow. Cal Advocates does 6
not oppose SCE’s forecast for the remaining four GRC activities, namely, NERC CIP, Data Protection, 7
Interior Defense, or SCADA. No other party submitted testimony opposing SCE’s Cybersecurity BPE 8
capital forecast. 9
1. SCE’s Application 10
SCE’s capital forecast for the Cybersecurity BPE supports ongoing cybersecurity capital 11
programs and new cyber-defense enhancements to address increased areas of exposure and risk in the 12
immediate future. As described in SCE’s direct testimony, the forecast is driven by the growth in 13
quantity and complexity of cyberattacks and includes new initiatives, including enhanced government 14
collaboration, Identity Governance & Administration Management (IGAM) implementation, 15
improvements for SCE technical labs, Information Technology/Operational Technology (IT/OT) 16
integration and Grid Modernization Cybersecurity infrastructure and applications, to confront and 17
mitigate against these expanding threats.28 18
27 See Cal Advocates response to SCE-PubAdv-013-MC (attached as Appendix A-1 – A-3).
28 Refer to SCE-04, Vol.3, pp.21-24.
13
Table II-7 Cybersecurity Capital Expenditures
2019-2021 Forecast Summary of SCE and Cal Advocates Position
(Nominal $000)
2. Cal Advocates 1
a) Cal Advocates’ Position 2
While Cal Advocates accepts SCE’s 2019-2021 forecasts for NERC, Data 3
Protection, Interior Defense, and SCADA and SCE’s 2019 and 2020 forecasts for Perimeter Defense and 4
Grid Modernization Cybersecurity, Cal Advocates proposes reduced 2021 forecasts for Perimeter 5
Defense and Grid Modernization Cybersecurity. Cal Advocate notes Perimeter Defense recorded costs 6
have “fluctuated significantly over the years”,29 and recommends a 2021 forecast based on the two-year 7
average of SCE’s 2019 and 2020 forecasts. For Grid Modernization Cybersecurity, Cal Advocates notes 8
that SCE only started recording costs for this category in 2016, and that “SCE’s forecast is more than 9
double what was recorded in 2018.”30 Cal Advocates recommends that the 2021 forecast be reduced to 10
the “two-year average of the 2019 actual expense and the forecasted 2020” capital expenditures.31 11
b) SCE’s Rebuttal to Cal Advocates’ Position 12
As detailed below, Cal Advocates’ proposals for reductions to SCE’s 2021 capital 13
forecasts for Perimeter Defense and Grid Modernization Cybersecurity do not consider the significant 14
support submitted by SCE showing the need for a higher level of expenditures during 2021arising from 15
the timing of project implementation. 16
29 Exhibit PAO-7, p. 33.
30 Exhibit PAO-7, p. 34.
31 Exhibit PAO-07, pp. 32-34.
2019Recorded
2020Forecast
2021Forecast
Total 2019 - 2021
2019Forecast
2020Forecast
2021Forecast
Total 2019 - 2021
1 NERC CIP 2,793$ 2,478$ 5,478$ 10,750$ 3,208$ 2,478$ 5,478$ 11,164$ 414$ 2 Perimeter Defense 26,476$ 19,452$ 37,577$ 83,505$ 16,099$ 19,602$ 17,851$ 53,552$ (29,953)$ 3 Data Protection 6,203$ 7,268$ 8,571$ 22,041$ 5,991$ 7,268$ 8,571$ 21,830$ (211)$ 4 Interior Defense 7,620$ 8,103$ 8,107$ 23,830$ 8,254$ 8,103$ 8,107$ 24,464$ 634$ 5 SCADA Cybersecurity 147$ 2,549$ 2,551$ 5,248$ 2,448$ 2,549$ 2,551$ 7,549$ 2,301$ 6 Grid Mod Cybersecurity 26,136$ 24,542$ 45,245$ 95,922$ 25,702$ 24,949$ 25,543$ 76,194$ (19,728)$ 7 Total 69,374$ 64,392$ 107,530$ 241,295$ 61,702$ 64,949$ 68,101$ 194,751$ 46,544$
Line No.
CybersecurityVariance
From SCE 2020 - 2021
SCE Rebuttal Position Cal Advocates
14
(1) Cal Advocates’ Recommendation does not address the cybersecurity 1
initiatives scheduled for 2021 which cause the higher level of 2
expenditures as compared to 2019 and 2020.32 3
SCE’s capital forecast for Perimeter Defense is risk based and itemized 4
based on planned enhancements and upgrades to SCE’s computing environment for each year. Hence, 5
while SCE’s 2019 forecast for Perimeter Defense includes ongoing enhancements and upgrades to our 6
perimeter controls, the 2021 forecast includes additional enhancement and upgrade activities which are 7
not part of the 2019 forecast. In particular, SCE’s 2021 forecast includes the following incremental 8
project work: 1) Identity Governance & Access Management (IGAM) Phase 2 and 3, 2) IT/OT 9
integration, 3) Foundational Tools, and 4) Labs. The work is planned annually to align with updates to 10
the grid and computing environments to address the dynamic threat landscape. 11
The higher level of expenditures in 2021 aligns with the conditions 12
envisaged during that year which require incremental hardware and software implementation and related 13
services. As IT and OT converge, SCE must make corresponding enhancements to protect against 14
vulnerabilities that become exposed by this convergence. The IGAM program involves a series of 15
projects that enhance cybersecurity as computing environments evolve from the traditional IT 16
infrastructure within the data center and expand into cloud and Software-as-a-Service (SaaS) offerings. 17
These projects focus on mitigating security risks within SCE’s IT environment and cloud service 18
providers and improving the overall cybersecurity posture. The Foundational Tools involve the 19
implementation of new cybersecurity tools as the grid environment evolves and exposes new security 20
gaps. Cybersecurity enhancements are needed for tech labs across SCE’s environment for routine testing 21
and continuous monitoring and operational support. 22
Given the foregoing incremental activities are forecast during 2021, Cal 23
Advocates’ recommended use of 2019 and 2020 forecasts fails to properly account for the level of 24
expenditures needed for the projects planned for 2021 and should be rejected. 25
32 Exhibit See SCE-04, Vol. 3, Table-II-9 p.27.
15
(2) Cal Advocates’ recommendation of two-year average for Grid 1
Modernization Cybersecurity is not appropriate as the recorded costs 2
in 2018 were significantly reduced due to changing priorities within 3
the company 4
While Cal Advocates accurately observes that SCE’s 2021 forecast for 5
Grid Modernization Cybersecurity is a substantial increase from 2018 recorded expenditures, Cal 6
Advocates makes no effort to dispute SCE’s detailed recitation of the incremental activities driving and 7
supporting the higher level of expenditures during 2021. As described in direct testimony and 8
workpapers, SCE’s forecast of 2019 and 2020 capital expenditures relate to the implementation and 9
deployment of core or foundational grid modernization cybersecurity capabilities, such as network 10
access control, vulnerability management, threat detection and network forensics. Starting in 2021, SCE 11
shall be deploying and configuring security and data protection capabilities related to multiple grid 12
modernization workstreams, including Field Area Network (FAN), Common Substation Platform (CSP), 13
Wide Area Network (WAN), and Grid Management System (GMS).33 Notably, Cal Advocates did not 14
challenge SCE’s forecasts for FAN, CSP or WAN. While Cal Advocates recommends reductions to 15
SCE’s GMS forecast, Cal Advocates did not question the need for the GMS.34 The implementation of 16
these grid modernizations workstreams warrants the higher level of cybersecurity expenditures for 17
hardware, software and related services costs during 2021. 18
Moreover, Cal Advocates does not appear to discuss or otherwise 19
challenge SCE’s forecast of the level of Grid Modernization Cybersecurity activities and related 20
expenditures. Instead, Cal Advocates asserts that SCE’s 2021 forecast should be rejected since it is 21
“based on vendor quotes as opposed to signed contracts”35 Given these activities are not planned until 22
2021, there are no executed contracts in place and vendor quotations represent the best available 23
information on what the ultimate costs will be at this point in time. SCE’s reliance on vendor quotations 24
for forecasting the costs of the hardware, software and related services costs is reasonable and the 25
specific cost estimates are outlined in workpapers.36 As Cal Advocates does not explain why SCE’s 26
33 Exhibit SCE-04, Volume 4, p. 34.
34 Exhibit PAO-5, pp. 30-31.
35 Refer to SCE-04, Volume 3.
36 Exhibit WPSCE04V03, pg. 126, (attached as Appendix B-6).
16
reliance on vendor quotations is unreasonable or otherwise dispute SCE’s forecast of expenditures for 1
Grid Modernization Cybersecurity during 2021, Cal Advocates’ recommendation should be rejected and 2
SCE’s 2021 forecast should be adopted as requested. 3
3. Conclusion 4
The Commission should reject Cal Advocates’ recommendations for reductions to SCE’s 5
2021 forecasts for Perimeter Defense and Grid Modernization Cybersecurity. SCE’s itemized forecasts 6
are supported by testimony, workpapers and data request responses detailing the nature and scope of 7
work planned for 2021 and quotations from the vendors who will be supplying hardware, software and 8
labor needed to implement security enhancements. As Cal Advocates does not challenge SCE’s 9
justification for the incremental initiatives and related activities in making its recommendations or 10
plausibly challenge the reasonableness of SCE’s forecast, SCE’s 2021 forecasts for both programs 11
should be adopted without modification.12
Appendix A
Data Request Responses
DATA REQUEST PAGE(S)
SCE-PubAdv-013-MC A-1 – A-3
PubAdv-SCE-079-MW5 Q.6.b A-4
PubAdv-SCE-079-MW5 Q. 9.a A-5 – A-6
PubAdv-SCE-079-MW5 Q.7.c A-7 – A-8
PUBLIC ADVOCATES OFFICE DATA RESPONSE
Southern California Edison Company Test Year 2021 General Rate Case A.19-08-013
Date: 15 May 2020
Origination Date: 7 May 2020
Response Due: 15 May 2020
To: Martin Collette, [email protected]
cc: [email protected] [email protected] [email protected]
From: Truman Burns, Project Coordinator Public Advocates Office 505 Van Ness Avenue, Room 4104 San Francisco, CA 94102 [email protected]
Response by: Monica Weaver Phone: 415-703-2396Email: [email protected]
Data Request No: SCE-PubAdv-013-MC
SCE Questions: 1. In Exhibit PAO-07, p. 32, Cal Advocates notes that they “did not have a chance to properly
analyze the recorded 2019” capital expenditures for Cybersecurity, and accepts SCE’s forecastfor 2019 for all of the categories of Cybersecurity capital expenditures. For Grid Modernization– Cybersecurity, Cal Advocates “recommends a two-year average of the 2019 actual expenseand the forecasted 2020 to forecast TY 2021”. Please explain why Cal Advocatesrecommends using “2019 actual expense” notwithstanding its statement that such recordedcosts had not been properly analyzed in advance of its proposed forecast for the Test Year.
2. In Exhibit PAO-07, pp. 22-24, Cal Advocates recommends reductions to SCE’s CybersecurityDelivery & IT Compliance O&M forecast in the following areas: (1) $0.900 million for Labor tosupport IGAM, (2) $1.920 for Labor to support IT/OT, (3) $0.900 million for Labor to supporttech labs, (4) $0.900 million for Labor to support NIST, (5) $0.300 million for Labor toCollaborate with Business Resiliency, and (6) $6.175 million for Non-Labor. The sum of thesereductions equals $11.095 million, a difference of $0.209 million from Cal Advocates’ statedreduction of $11.304 million in Table 7-11 and values listed on p. 22, lines 7-10. Please clarifywhether Cal Advocates recommends a reduction of $11.095 million rather than $11.304 million.
A-1
a. If not, please explain the $0.209 million variance between Table 7-11 and the calculatedsum of the adjustments, including calculations, and provide all supporting materialsincluding spreadsheets.
3. In Exhibit PAO-07, p.23, Cal Advocates “opposes the $0.900 million increase for the U.S.Department of Commerce’s National Institute on Standards and Technology (NIST)Standards Gap due to the framework being voluntary and not mandatory according to theNIST website…..” Did Cal Advocates perform any analysis or research to concludewhether it would be beneficial to adopt the NIST framework? If so, please provide theanalysis and findings to SCE.
a. Has Cal Advocates evaluated whether other utilities or government agencies haveadopted the NIST framework?
4. In Exhibit PAO-7, Cal Advocates accepts SCE’s forecast for 2019 capital expenditures forBusiness Continuation, Emergency Management, and Cybersecurity, but adopts 2019recorded capital expenditures for Physical Security.
a. Please provide any analysis conducted on the 2019 recorded expenditures forPhysical Security.
b. Please explain the rationale for utilizing the 2019 recorded expenditures forPhysical Security, but not utilizing the 2019 recorded expenditures in BusinessContinuation, Emergency Management and Cybersecurity in Cal Advocates’recommended forecasts.
Public Advocates Office Response:
1. SCE’s 2019 recorded cost for Cybersecurity had significantly increased from the forecast byover $9 million dollars. Of the over $9 million increase, Grid Modernization-Cybersecurityshowed an increase of just below $450 thousand. Due to the slight increase, the PublicAdvocates Office recommended using recorded 2019 as a factor as well as forecasted2020.
2. The Public Advocates Office recommends a reduction of $11.304 million.a. Please see the Public Advocates Office’s response to SCE-PubAdv-001-MC
Question 2 for a breakdown of the Public Advocates Office’s calculation.3. SCE did not provide analysis or research for the Public Advocates Office to conclude NIST
would be beneficial aside from the one bullet point and the footnote stating the NISTwebsite on page 23 of Ex. SCE-04 Vol. 3.
a. The NIST website provide limited information about whether utilities had adoptedthe NIST framework.
4. a. The Public Advocates Office reviewed the recorded amounts for Physical Securitycompared to forecasted amounts.
A-2
b. The Public Advocates Office’s rationale for utilizing the 2019 recorded expenditures forPhysical Security was based on its review of the recorded and forecasted amounts forPhysical Security. Based on that review, the Public Advocates Office utilized the 2019recorded expenditures for its recommendation rather than the higher forecasted amount.SCE did not provide justification for the $10 million increase over recorded 2019 data forPublic Advocates Office to use SCE’s forecast.
END OF RESPONSE
A-3
Southern California Edison
A.19-08-013 – SCE 2021 General Rate Case
DATA REQUEST SET P u b A d v - S C E - 0 7 9 - M W 5
To: Public Advocates Office Prepared by: Lorane Luna Job Title: Senior Specialist Received Date: 1/17/2020
Response Date: 2/3/2020
Question 06.a-b: Regarding Ex. SCE-04, Vol. 3, p. 22:
a. Will the employees currently working on the IAM be reassigned to work on the IGAM?i. If no, why not?ii. If yes, please identify where the reassignment is tracked.
b. Will current SCE staff being trained to work on IT/OT?i. If no, why not?ii. If yes, please identify where this is tracked.
Response to Question 06.a-b:
6.a – Yes. SCE staff currently performing ongoing maintenance of IAM services will gradually shiftto support IGAM in future years as SCE onboards new applications for Access Controls withIGAM.
6.a.i – Please see SCE’s response to 6.a above.
6.a.ii – These costs will be tracked in the respective work orders within the IAM and future IGAMwork orders.
6.b – Yes. SCE’s existing staff will be trained on IT/OT. However, SCE’s forecast accounts forincremental IT/OT activities and workload beyond today’s base level of cybersecurity andcompliance work that will continue in Test Year 2021 and future years. In addition, IT/OT drivesan emerging need to have specialized expertise beyond the traditional cybersecurity infrastructure tosupport integrating modern grid assets in a secure manner.
6.a.i – Please see SCE’s response to 6.b above.
6.a.ii – These costs will be tracked in future work orders for IT/OT, which will roll up to CostCenter F530187 as detailed in WPSCE04V3 at page 83.
A-4
Southern California Edison
A.19-08-013 – SCE 2021 General Rate Case
DATA REQUEST SET P u b A d v - S C E - 0 7 9 - M W 5
To: Public Advocates Office Prepared by: Lorane Luna Job Title: Senior Specialist Received Date: 1/17/2020
Response Date: 1/31/2020
Question 09.a-e: Regarding SCE-04, Vol. 3, p. 29:
a. Please provide the benefits of IT/OT integration.b. Is SCE aware of any other Utility using IT/OT integration?c. Was IT/OT approved by the commission?
i. If yes, please provide supporting documentation.d. Is the IT/OT integration replacing another program?
i. If yes, please provide which program and where the cost savings are located.e. Is IT/ OT required?
i. If yes, please provide supporting documentation.
Response to Question 09.a-e:
a. While SCE has not conducted a quantified benefit analysis of IT/OT integration, IT/OTintegration benefits the public and SCE customers by reducing the risk of cybersecuritythreats and intrusions that could range from minor to catastrophic given the size andcomplexity of SCE’s grid.
OT devices were once built around dedicated hardware-based architectures. They have now been replaced by digital platforms with embedded computers (e.g., servers), software (including operating systems and application) and wired and wireless communications capabilities. Enhanced IT technologies and network connectivity (e.g., Internet Protocol) make possible new operating models that can improve customer service, grid operations and associated business outcomes, ranging from Smart Grid / AMI deployments to IP-connected transmission and distribution assets. Some additional benefits of this IT/OT integration include the following:
1. Increased use of digital information and controls technology improvesresponsiveness, reliability, security, and efficiency of the electric grid
2. Improved operational efficiencies (e.g., demand management)3. Remote substation operations and maintenance4. Enhanced outage management and predictive fault analysis5. Supports optimization of grid operations and resources
A-5
PubAdv-SCE-079-MW5: 09.a-e Page 2 of 2
6. Allows for the deployment and integration of distributed resources and generation,including renewable resources.
7. Supports ability for consumers to have access to timely information and controloptions.
b. Yes, although using widely differing names, many utilities are at various levels ofimplementing IT/OT integration. Awareness of these efforts are through peer informationsharing across the utility industry. This also includes combining the benefits of securityprograms across their IT and grid networks for shared intelligence, monitoring, andresponse. Some utilities are also integrating components of their physical security programsas well.
c. No since funding for IT/OT integration was not requested in SCE’s 2018 GRC and also doesnot include activities that would require separate Commission approval (e.g., changes tocustomer tariffs).
d. No, it is not replacing another program. It will integrate and build upon SCE’s existingcybersecurity work and systems. IT/OT integration represents an emergent need driven bythe increased digitization and interconnected nature of grid assets.
e. No, as SCE interprets this question to be asking if IT/OT integration is specificallymandated by statute or regulation. While IT/OT integration is not the subject of a specificcompliance requirement, IT/OT integration is required as SCE continues to introduce moredigital-based assets to our grid and across the enterprise’s operations. Starting on page 6-20of the SCE’s 2018 RAMP Report and continuing through page 6-29, each of the controlareas listed below are described in detail. Each control area is dependent upon the successfulcombination of IT and OT policies, procedures, and technical resources to support effectiveresponse to cybersecurity-based attacks.
C1 Perimeter Defense
C2 Interior Defense
C3 Data Protection
C4 SCADA Cybersecurity
C5 Grid Modernization Cybersecurity
A-6
Southern California Edison
A.19-08-013 – SCE 2021 General Rate Case
DATA REQUEST SET P u b A d v - S C E - 0 7 9 - M W 5
To: Public Advocates Office Prepared by: Lorane Luna Job Title: Senior Specialist Received Date: 1/17/2020
Response Date: 1/31/2020
Question 07.a-c: Regarding EX. SCE-04, Vol. 3, p. 23:
a. Please provide how many additional staff members were hired in 2019 for SCE Tech labs.i. How many additional staff members did SCE anticipate hiring in 2019?
b. Has SCE incorporated the NIST Cybersecurity Framework before 2019?i. If no, why not?
c. Do the IT Compliance/Disaster recovery personnel currently communicate with the BusinessResiliency personnel?
ii. If no, why not.
Response to Question 07.a-c:
a. SCE assigned one existing FTE (a cyber project manager) to help establish processes andprocedures and brought in three consultants to assist with this effort. SCE hired one FTE atthe end of 2019, totaling five resources to support SCE Tech labs in 2019. SCE plans to hirefour FTEs for SCE Tech Labs in 2020
i. SCE anticipated hiring five FTEs in 2019
b. No. SCE began to operationalize our NIST Cybersecurity Framework at the tech labs in2019. This work is ongoing.
i. Up until late 2018, SCE was in the process of evaluating the NIST CybersecurityFramework at the tech labs.
c. Business Resiliency is a key partner of IT Compliance/Disaster Recovery, and accordingly,the teams communicate regularly. This includes bi-weekly team meetings to reviewchanges and process improvements and to discuss current projects. SCE has a BusinessResiliency & IT Disaster Recovery Governance for the purpose of strengthening SCE’sability to protect critical infrastructure, prevent attacks against our facilities and information,mitigate threats/hazards, and support SCE’s response to and recovery from catastrophicdisasters and business disruptions. In order to maintain and mature the Business Resiliencyand IT Disaster Recovery Programs in a complex computing environment and changingutility environment, additional personnel are required for these governance andinfrastructure efforts.
A-7
PubAdv-SCE-079-MW5: 07.a-c Page 2 of 2
i. See response to question c above.
A-8
Appendix B
Workpapers
Workpapers PAGE(S)
WPSCE04V03, p. 83 B-1
WPSCE04V03, p. 85 B-2
RAMP Report p. 6-32 to 6-34 B-3 – B-5
WPSCE04V03, p. 126 B-6
Workpaper – Southern California Edison / 2021 General Rate Case
Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox
GRC Cyb
er O Lab
or Increa
ses for 2019‐2023
#OU
FUNCTION/D
irve
rWork Scope
Identify Operational Constraints and
Impact
Cost Typ
e Cost Recove
ry
Mechan
ism
Notes from IT
/ Description of Work (for IT in
ternal discussions/
not submitted)
FCC
Cost
3IT
IT/O
TIncrem
ental support to m
itigate
cybersecurity risk as m
ore
automation occurrs in field and
network becomes in
crea
singly
complex
staffing for testing
O&M
GRC
Increm
ental d
ollars to prepare an
d support substations to align to
the cybersecurity policies an
d standards. Efforts include
implemen
ting OS an
d application patching, patch assessm
ent,
scan
ning, vulnerab
ility m
anagem
ent, user access m
anagem
ent,
network switches and support, etc.. for 500+ substations. [Grid:
2019/2020‐ 700k/yr. 2
021‐2023: 1
.3M/yr]. [Cyb
er:2019‐2023
F530187
3.96
10
ITIT/O
TIncrem
ental support to m
itigate
cybersecurity risk as m
ore
automation occurrs in field and
network becomes in
crea
singly
complex
staffing for testing
O&M
GRC
Increm
ental d
ollars to prepare an
d support substations to align to
the cybersecurity policies an
d standards. Efforts include
implemen
ting OS an
d application patching, patch assessm
ent,
scan
ning, vulnerab
ility m
anagem
ent, user access m
anagem
ent,
network switches and support, etc.. for 500+ substations. [Grid:
2019/2020‐ 700k/yr. 2
021‐2023: 1
.3M/yr].
F530187
1.8
14
ITLabs
Enhan
ce cyb
ersecurity of SC
E labs
and operational support
staffing for testing
O&M
GRC
(Scanning) ‐ 1FTE ea
ch.
0.2 (20%) for non‐lab
or dollars.
F300165
4.05
17
ITFo
undational Tools
Increm
ental support for new
cyb
er
tools and technologies to
strengthen
security posture in
the
Grid environmen
t. Address
security gap
s.
Staffing for configu
ration,
implemen
tation
O&M
GRC
2019 & 2020: ‐ 3 FTEs (2 for sec gap assmt remed
iation) , = 1.8M
2021+ 6 FTEs (5 for sec gap assmt remed
iation), = 3M
F300165
5.67
22
ITGAP Assesmen
tGrid Services gap assessm
ent
against the cyber/N
IST stan
dards
staffing
O&M
GRC
2019‐2020: 2
FTEs for sec gap assmt remed
iation; =$
0.75M
2021 4FTEs for sec gap assmt remed
iation;=$1.4M
F300165
3.78
33
ITIGAM
Grid M
od Application and system
onboarding, & IG
AM operational
and compliance support
Staffing for maintenan
ceO&M
GRC
Labor:
1 FTE 2019‐2022; A
dditional FTE in
2023.
1 FTE 2020‐2023.
F300165
1.26
34
ITIGAM
Grid M
od Application and system
onboarding, & IG
AM operational
and compliance support
staffing
O&M
GRC
labor/Non‐Lab
or
Application onboarding: 2019 (PDR & Historian
apps ‐ $100k/ap
p
for 2 apps=$200k); 2
021 (5 apps ‐ GMS rel 1.0) ‐ $500k
Hardware maint: 58 servers ‐ $100k/yr
F300165
0.72
O&M
21.24
83
B-1
Workpaper – Southern California Edison / 2021 General Rate Case
Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox
GRC Cyb
er Non‐Lab
or Increa
ses for 2019‐2023
Internal
ID#
OU
FUNCTION/
Drive
rWork Scope
Identify Operational Constraints and Im
pact
Cost Typ
e
Notes from IT
/ Description of Work (for IT in
ternal discussions/
not submitted)
FCC
Cost
3IT
IT/O
T
Increm
ental support to m
itigate
cybersecurity risk as m
ore automation
occurrs in field and network becomes
increa
singly complex
Consultan
ts for testing
O&M
Increm
ental d
ollars to prepare an
d support substations to align to
the cybersecurity policies an
d standards. Efforts include
implemen
ting OS an
d application patching, patch assessm
ent,
scan
ning, vulnerab
ility m
anagem
ent, user access m
anagem
ent,
network switches and support, etc.. for 500+ substations. [Grid:
2019/2020‐ 700k/yr. 2
021‐2023: 1
.3M/yr]. [Cyb
er:2019‐2023
F530187
2.64
5IT
Governmen
t
Initiiatives
Increm
ental support to build
out or
pilo
t technologies to in
tegrate with
governmen
t system
s for the purpose of
national security
Consultan
ts for testing
O&M
F529896
4.75
14
ITLabs
Enhan
ce cyb
ersecurity of SC
E labs an
d
operational support
Consultan
ts for testing
O&M
0.45(20%) for non‐lab
or dollars.
F300165
0.45
17
ITFo
undational
Tools
Increm
ental support for new
cyb
er tools
and technologies to stren
gthen
security
posture in
the Grid environmen
t.
Address security gap
s.
Staffing for configu
ration, implemen
tation
and m
aintenan
ce of new
assets
O&M
Grid Services non‐lab
or maintenan
ce ‐ 20% of half of capital costs
for14 cyb
er tools = 0.63M/yea
rF300165
0.63
22
GAP
Assesmen
t
Grid Services gap assessm
ent against
the cyber/N
IST stan
dards
O&M
F300165
0.42
30
ITIGAM
AMR
PS/HW for im
plemen
tation
O&M
Item
#1: T
here will be AMR work for new
in‐scope assets. P
lease
allocate 10% ($25K‐$50K) an
nually for AMR/IAM Support.
Item
#2: T
here will be AMR work for new
in‐scope assets &
decommissioning support. P
lease allocate $50K for AMR/IAM
Support.
F300165
0.3
31
ITIGAM
AMR
PS/HW for im
plemen
tation
O&M
increa
se fee
s for WEC
C Audit for AMR support to $250K.
F300165
0.75
33
ITIGAM
Grid M
od Application and system
onboarding, & IG
AM operational and
compliance support
Consultan
ts for testing
O&M
Labor:
1 FTE 2019‐2022; A
dditional FTE in
2023.
1 FTE 2020‐2023.
F300165
0.14
34
ITIGAM
Grid M
od Application and system
onboarding, & IG
AM operational and
compliance support
HW m
aintenan
ceO&M
Hardware maint: 58 servers ‐ $100k/yr
F300165
0.08
O&M
10.16
85
B-2
6 32
V. Proposed Plan
Cybersecurity is inherently difficult to quantify. The risks and threats that we face as a utility inone of the largest metropolitan cities42 in the world are vast and diverse. Trying to forecast theprobability of successful breaches of our systems controls involves making a series of educatedassumptions based on what we know about our existing defenses, the demographics andcapabilities of our attackers, and the growth and complexity of the attacks we will face in thefuture. In addition, the risk of cyberattack has the potential to change significantly due to globalpolitics and the associated actions of nation states. Cybersecurity threats are not limited to ourservice territory, but instead can originate from virtually anywhere across the world.Cybersecurity challenges can also be triggered or motivated by social unrest, politicaldifferences and upheavals, and religious and cultural factors.
Measuring the effectiveness of controls and mitigations becomes equally difficult when wedon’t have a base level of historical data and experience to draw from. Fortunately, SCE has notexperienced a significant breach of our control systems yet.
Through the development of this RAMP report, SCE was able to take initial steps forward inquantifying the cyberattack risk to SCE, as well as the effectiveness of our controls andmitigations. This is truly a first generation model, but one that SCE believes provides a strongfoundation upon which to improve in the future.
SCE analyzed, from a historical perspective, the relative effectiveness of our cybersecuritycontrols and mitigations in addressing SCADA/ICS attacks that have occurred around the worldover the past few years.43 SCE used this analysis to inform the mitigation evaluation and riskspend efficiency calculations.
SCE has evaluated each control and mitigation discussed in Sections III and IV and hasdeveloped a Proposed Plan for addressing this risk, as shown in Table V 1 below.
42 Los Angeles, as a service area, comprises a high density of customers to geographic areas,headquarters a great deal of the media/entertainment industry, and has a high profile in the news.Thus, a cyberattack in Los Angeles will be a much more reported upon event and will provide theattackers with relatively higher visibility.43 Please refer to WP Ch. 6, pp. 6.7 – 6.9 (Outcome Based Risk Reduction Model Overview) for furtherdetail on this cyberattack outcome based risk assessment.
B-3
6 33
Table V 1 – Proposed Plan (2018 2023 Totals)
A. OverviewSCE evaluated our internal defenses against cyberattack capabilities and threats. This
evaluation indicated that SCE has implemented adequate cyber defense strategies for thethreats that exist today. However, through developing this RAMP report, we have identifiedincreased exposure and risk in the future. As such, in the Proposed Plan, SCE continues todeploy and enhance its defense in depth cybersecurity approach by maturing and expandingexisting cybersecurity practices. In addition, SCE supplements this work with enhancedcapabilities, tools, and resources to address the growth of cyberattack risks at a reasonablelevel of spend.
The Proposed Plan carries forward the scope of work from our existing activities, and addsadditional training, penetration testing, and vulnerability assessments. Training is essential inhelping ensure that SCE personnel are up to date on the latest technology and techniques usedto protect and operate the grid network. Vulnerability assessments performed by independentand trusted third parties evaluate how SCE manages risks associated with vulnerabilities in thenetwork environments. These assessments can also serve as checkpoints for ongoing projects.Use of penetration testing allows SCE to see:
What an adversary would identify as key assets for compromise; What attack paths and techniques apparently would succeed within the SCE environment;
and How practically effective the security mitigations are in preventing, mitigating, or detecting
an attack.
ID Name Start Date End Date Capital O&M MRR RSE MRR RSE
C1a Perimeter Defense 2018 2023 $80.8 $34.9 1.51 0.013 9.13 0.079
C2a Interior Defense 2018 2023 $47.9 $23.7 0.91 0.013 5.83 0.082
C3a Data Protection 2018 2023 $30.7 $16.7 0.02 0.000 0.03 0.001
C4a SCADA Cybersecurity 2018 2023 $19.8 $19.9 0.46 0.012 3.04 0.077
C5a Grid Modernization Cybersecurity 2018 2023 $169.2 $33.8 1.41 0.007 9.28 0.046
MRR = Mitigation Risk Reduction Total Proposed Plan $348.4 $129.0 4.31 0.009 27.32 0.057
MARS = Multi Attribute Risk ScoreRSE = Risk Spend Efficiency (risk units reduced per $1M spend).
Mean (MARS)Proposed PlanRAMP Period
ImplementationCost Estimates ($M) Tail Average (MARS)
B-4
6 34
B. Execution feasibilitySCE evaluated the feasibility of executing the Proposed Plan based on current organizational
capabilities and the technical limitations of our internal computing and operational systems.The Proposed Plan is feasible and prudent to execute.
C. AffordabilityThe Proposed Plan strikes a reasonable balance between cost and risk reduction. This plan is
only slightly more expensive (<5%) than the Alternative Plan #1, but delivers nearly twice theamount of risk reduction. In addition, the RSE of this plan is approximately 40% greater than theAlternative Plan #1.
The Proposed Plan does not deliver as much risk reduction, nor at the level of RSE, asAlternative Plan #2 does. However, Alternative Plan #2 requires much greater costs to deliverthese benefits.
SCE contemplated whether to pursue Alternative Plan #2, but chose not to for the followingreasons: (1) SCE must balance the need to invest in cybersecurity on the one hand, versus theneed to spend to address other risks and meet other important objectives on the other hand;(2) at this time, our evaluation indicates that the Proposed Plan represents a reasonable level ofcommitment and spend over the RAMP period; and (3) SCE does not believe that deploying M1Accelerated Hardware Refresh (a notable feature of Alternative Plan #2) is an operationallypractical, technologically mature, or fiscally prudent choice at this time. This is discussed furtherin Section VII, where we examine Alternative Plan #2 in more detail.
D. Other ConsiderationsAdvances in the sophistication of cyberattack threats and the deployment of new attack
methods may render the Proposed Plan ineffective. SCE must predict where the threat will goin the future. If we have not predicted this correctly, the mitigations laid out in the ProposedPlan may not be sufficient. In addition, global politics, social unrest, and war can potentiallylead to increased numbers of, and greater sophistication of, attacks by nation states on ourelectric system. As discussed previously, SCE builds, maintains, and operates critical energyinfrastructure that could be more susceptible to attack should the global environment change.
B-5
Workpaper – Southern California Edison / 2021 General Rate Case
Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox
2019
2020
2021
2022
2023
To
tal
Har
dwar
e32
,508
,386
$
5,
397,
479.
43$
4,
989,
856
$
9,04
9,00
8$
5,
786,
769
$
7,28
5,27
3$
32
,508
,386
$
Ven
dor
Labo
r69
%22
,505
,523
$
4,
883,
433.
77$
3,
243,
406
$
5,88
1,85
5$
3,
761,
400
$
4,73
5,42
8$
22
,505
,523
$
SC
E IT
Lab
or34
%11
,030
,954
$
1,
542,
136.
98$
1,
746,
450
$
3,16
7,15
3$
2,
025,
369
$
2,54
9,84
6$
11
,030
,954
$
Lab
or
Su
bto
tal
66,0
44,8
63$
11,8
23,0
50$
9,97
9,71
2$
18
,098
,016
$
11
,573
,538
$
14
,570
,547
$
66
,044
,863
$
Sof
twar
e26
7%86
,892
,088
$
12
,337
,096
$
13
,722
,104
$
24
,884
,773
$
15
,913
,614
$
20
,034
,502
$
86
,892
,088
$
Lice
nses
26%
8,31
9,86
4$
1,
542,
137
$
1,24
7,46
4$
2,
262,
252
$
1,44
6,69
2$
1,
821,
318
$
8,31
9,86
4$
To
tal H
W &
Lic
.95
,211
,952
$
13
,879
,233
$
14
,969
,568
$
27
,147
,025
$
17
,360
,306
$
21
,855
,820
$
95
,211
,952
$
To
tal P
roje
ct C
os t
161,
256,
815
$
25,7
02,2
83$
24,9
49,2
80$
45,2
45,0
41$
28,9
33,8
44$
36,4
26,3
67$
161,
256,
815
$
TO
TA
L16
1,25
6,81
5$
25
,702
,283
$
24
,949
,280
$
45
,245
,041
$
28
,933
,844
$
36
,426
,367
$
16
1,25
6,81
5$
GR
ID M
OD
Cyb
erse
curi
ty -
CIT
-00-
TR
-RM
-781
701
126
B-6