Application No.: A.19-08-013 Exhibit No.: SCE-15, Vol. 03 Witnesses: G. Haddox (U 338-E) 2021 General Rate Case Rebuttal Testimony Cybersecurity Before the Public Utilities Commission of the State of California Rosemead, California June 12, 2020


SCE-15, Vol. 03: Cybersecurity

Table Of Contents

I. INTRODUCTION (Witness: G. Haddox)
   A. Summary of Rebuttal Position
      1. O&M Forecast Summary
      2. Capital Expenditure Summary
II. CYBERSECURITY
   A. O&M Expenses
      1. SCE’s Application
      2. Cal Advocates
         a) Cal Advocates’ Position
         b) SCE’s Rebuttal to Cal Advocates’ Position
            (1) Cal Advocates’ reduction related to IGAM activities relies on a misinterpretation of SCE’s data request response.
            (2) Cal Advocates’ reduction related to incremental IT/OT staffing relies on a misinterpretation of SCE’s data request response.
            (3) Although Cal Advocates supports SCE’s request for the additional staffing for the tech labs, Cal Advocates’ proposed use of the 2019 forecast for 2021 should be rejected.
            (4) Cal Advocates’ argument that the staffing to support the NIST should not be authorized due to its voluntary nature is misguided and should be rejected.
            (5) Cal Advocates’ reduction related to incremental cybersecurity personnel to support the IT Disaster Recovery Program relies on a misinterpretation of SCE’s data request response.
            (6) Cal Advocates’ argument for a reduction of non-labor forecast is without merit.
      3. Conclusion
   B. Capital Expenditures
      1. SCE’s Application
      2. Cal Advocates
         a) Cal Advocates’ Position
         b) SCE’s Rebuttal to Cal Advocates’ Position
            (1) Cal Advocates’ Recommendation does not address the cybersecurity initiatives scheduled for 2021 which cause the higher level of expenditures as compared to 2019 and 2020.
            (2) Cal Advocates’ recommendation of two-year average for Grid Modernization Cybersecurity is not appropriate as the recorded costs in 2018 were significantly reduced due to changing priorities within the company
      3. Conclusion

Appendix A Data Request Responses

Appendix B Workpapers

I. INTRODUCTION

In Exhibit SCE-04, Volume 3, SCE presents its Operations and Maintenance (O&M) expense forecast for the Test Year 2021 and 2019-2023 capital expenditures forecast for the Cybersecurity Business Planning Element (BPE). This includes Cybersecurity and Information Technology (IT) Compliance activities and cybersecurity infrastructure for SCE’s broader Grid Modernization effort detailed in Exhibit SCE-02, Vol. 4. SCE’s forecasts reinforce the cyber-safe environment essential for our delivery of safe, reliable, affordable, and clean power to our customers. That volume also describes the scope of work, key drivers for the work, and legal requirements that impact the level of O&M and capital requested to support and successfully implement Cybersecurity activities.

As further discussed throughout Exhibit SCE-04, Volume 3, SCE has undertaken several key initiatives to address the growth of cyberattacks in both volume and sophistication. The significant cyber threats from foreign adversaries seeking to exploit vulnerabilities in the US Bulk-Power System (BPS) resulted in the issuance of a new Presidential Executive Order on May 1, 2020 (Executive Order).1 To mitigate these threats, the Executive Order prohibits transactions that have a nexus with any foreign adversary; authorizes the Secretary of Energy to establish designating criteria for equipment and vendors as “pre-qualified”; requires identification of now prohibited BPS equipment already in use; and establishes a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security. It also instructs agencies to take “all appropriate measures within their authority” to implement the Executive Order. The Executive Order further reinforces the justification for and reasonableness of SCE’s Cybersecurity BPE forecasts which seek to protect against the ever-growing threat of cyberattacks on its electric infrastructure.

The purpose of this testimony is to address the various recommendations raised by the Public Advocates Office (Cal Advocates) related to SCE’s proposals for Cybersecurity related forecast for operations and maintenance (O&M) expenses for the Test Year 2021 and capital expenditures for 2019 through 2021. No other party submitted testimony opposing SCE’s Cybersecurity BPE O&M forecast for Test Year 2021 and capital forecast from 2019-2023.

1 https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/.

A. Summary of Rebuttal Position

The forecasts for the Cybersecurity BPE’s O&M expense and capital expenditures of SCE and Cal Advocates are shown in the following tables. Table I-1 provides a summary of the 2021 O&M forecast for SCE and Cal Advocates, along with the variances from SCE’s forecast where applicable.

Table I-1 Cybersecurity

2021 O&M Forecast Summary of SCE and Cal Advocates Position

(2018 Constant $000)

| Line No. | Business Planning Elements | SCE 2021 Forecast | Cal Advocates 2021 Forecast | Variance from SCE | SCE Rebuttal Position |
|---|---|---|---|---|---|
| 1 | Cybersecurity Delivery & IT | $32.232 | $20.928 | $(11.304) | $32.232 |
| 2 | Grid Modernization Cybersecurity | $0.617 | $0.617 | - | $0.617 |
| 3 | Software License & Maintenance | $5.733 | $5.733 | - | $5.733 |
| | Total | $38.582 | $27.278 | $(11.304) | $38.582 |

Table I-2 provides a summary of Cybersecurity BPE capital expenditure forecast from 2019 to 2021 of SCE and Cal Advocates, along with the variance from SCE’s forecast.

Table I-2 Cybersecurity

Capital Expenditures 2019-2021 Forecast Summary of SCE, Cal Advocates, and TURN Position

(Nominal $000)

| Line No. | Business Planning Element | SCE Application (2019-2021 Forecast) | SCE Adjustment | SCE Revised Forecast | Cal Advocates | Variance from SCE | SCE Rebuttal Position |
|---|---|---|---|---|---|---|---|
| 1 | Cybersecurity Delivery and IT Compliance | $138,285 | $(656) | $137,630 | $118,558 | $(19,072) | $137,630 |
| 2 | Grid Mod Cybersecurity | $95,897 | $(408) | $95,489 | $76,194 | $(19,295) | $95,489 |
| 3 | Total | $234,182 | $(1,063) | $233,119 | $194,752 | $(38,367) | $233,119 |

1. O&M Forecast Summary

Table I-3 shows the recorded amounts for 2014-2018 and the forecast for 2021 of SCE and Cal Advocates. For the Cybersecurity BPE O&M forecast, Cal Advocates proposed changes to SCE’s forecasts in several Cybersecurity GRC activities. SCE will address the issues raised by Cal Advocates’ recommendations related to the Cybersecurity BPE O&M forecast for 2021 in the corresponding chapters below.

Table I-3 Cybersecurity

2014-2018 Recorded/2021 Forecast Summary of SCE and Cal Advocates Position

(2018 Constant $000)

| Line No. | Cybersecurity | SCE Recorded 2014 | SCE Recorded 2015 | SCE Recorded 2016 | SCE Recorded 2017 | SCE Recorded 2018 | SCE 2021 Forecast | Cal Advocates 2021 Forecast | Variance from SCE | SCE Rebuttal Position |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Cybersecurity Delivery and IT Compliance | $12,020 | $13,148 | $14,987 | $11,892 | $14,872 | $32,232 | $20,928 | $(11,304) | $32,232 |
| 2 | Grid Mod Cybersecurity | - | - | $(53) | $197 | $3,193 | $617 | $617 | - | $617 |
| 3 | Cyber Software License and Maintenance | $1,907 | $2,302 | $1,504 | $1,697 | $2,367 | $5,733 | $5,733 | - | $5,733 |
| 5 | Total | $13,927 | $15,450 | $16,438 | $13,786 | $20,432 | $38,582 | $27,278 | $(11,304) | $38,582 |

2. Capital Expenditure Summary

Table I-4 provides the recorded expenditures for 2014-2019 and the forecast for 2020-2021 for SCE. As described in SCE-12,2 SCE proposes the Commission authorize SCE’s 2019 capital forecast to reflect 2019 recorded levels and has updated its forecast accordingly. Cal Advocates proposes reductions to SCE’s forecasts in several GRC activities within the Cybersecurity BPE. SCE will address the issues raised by Cal Advocates’ recommendations related to SCE’s 2019 - 2021 Capital Expenditures forecast in the corresponding chapters below.

Table I-4 Cybersecurity Capital Expenditures

2014-2018 Recorded/2019-2021 Forecast Summary of SCE Position

| Line # | Business Planning Element | SCE Recorded 2014 | SCE Recorded 2015 | SCE Recorded 2016 | SCE Recorded 2017 | SCE Recorded 2018 | SCE Forecast 2019* | SCE Forecast 2020 | SCE Forecast 2021 | Total 2020-2021 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | NERC CIP | $2,763 | $384 | $(2) | - | $2,656 | 3,208 | $2,478 | $5,478 | $11,164 |
| 2 | Perimeter Defense | $12,194 | $11,771 | $5,687 | $18,158 | $14,308 | 16,099 | $19,452 | $37,577 | $73,129 |
| 3 | Data Protection | $8,183 | $9,000 | $3,652 | $10,440 | $2,449 | 5,991 | $7,268 | $8,571 | $21,830 |
| 4 | Interior Defense | $4,717 | $7,408 | $7,801 | $10,128 | $7,216 | 8,254 | $8,103 | $8,107 | $24,464 |
| 5 | SCADA Cybersecurity | - | - | - | - | - | 2,448 | $2,549 | $2,551 | $7,549 |
| 6 | Grid Mod Cybersecurity | - | - | $2,901 | $14,999 | $21,267 | 25,702 | $24,542 | $45,245 | $95,489 |
| 7 | Total | $27,857 | $28,563 | $20,039 | $53,725 | $47,896 | $61,702 | $64,392 | $107,530 | $233,624 |

*2019 forecast as of filing

2 Refer to SCE-12, Volume 1, Section V.

II. CYBERSECURITY

A. O&M Expenses

SCE’s Test Year 2021 O&M forecast for the Cybersecurity BPE is outlined in Table II-5 below. The table provides the recorded amounts for 2014 – 2018 and the Test Year 2021 forecast of SCE and Cal Advocates. For the Cybersecurity O&M forecast, Cal Advocates proposes forecast reductions to five GRC activities, which are detailed in the pages that follow. Cal Advocates does not oppose SCE’s forecasts for Cybersecurity Software License and Maintenance or Grid Mod Cybersecurity. No other party submitted testimony opposing the Cybersecurity O&M forecast for Test Year 2021.

Table II-5 Cybersecurity

2014-2018 Recorded/2021 Forecast Summary of SCE and Cal Advocates Position

(2018 Constant $000)

| Line # | Cybersecurity | SCE Recorded 2014 | SCE Recorded 2015 | SCE Recorded 2016 | SCE Recorded 2017 | SCE Recorded 2018 | SCE 2021 Forecast | Cal Advocates 2021 Forecast | Variance from SCE | SCE Rebuttal Position |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Total Labor | $8,184 | $9,301 | $9,449 | $9,107 | $8,941 | $20,114 | $14,853 | $(5,129) | $20,114 |
| 2 | Cybersecurity Delivery and IT Compliance | $8,175 | $9,290 | $9,430 | $9,088 | $8,796 | $19,982 | $14,853 | $(5,129) | $19,982 |
| 3 | Grid Mod Cybersecurity | - | - | $12 | $17 | $141 | $131 | $131 | - | $131 |
| 4 | Cyber Software License and Maintenance | $9 | $11 | $7 | $2 | $4 | - | - | - | - |
| 5 | Total Non-Labor | $5,744 | $6,149 | $6,990 | $4,679 | $11,491 | $18,468 | $6,075 | $(6,175) | $18,468 |
| 6 | Cybersecurity Delivery and IT Compliance | $3,846 | $3,859 | $5,557 | $2,804 | $6,075 | $12,250 | $6,075 | $(6,175) | $12,250 |
| 7 | Grid Mod Cybersecurity | - | - | $(65) | $180 | $3,052 | $485 | $485 | - | $485 |
| 8 | Cyber Software License and Maintenance | $1,898 | $2,290 | $1,498 | $1,695 | $2,364 | $5,733 | $5,733 | - | $5,733 |
| 9 | Total (L/NL) | $13,928 | $15,450 | $16,439 | $13,786 | $20,432 | $38,582 | $20,928 | $(11,304) | $38,582 |

1. SCE’s Application

The Test Year 2021 forecast for the Cybersecurity BPE is primarily driven by the risks identified in SCE’s Risk Assessment and Mitigation Phase (RAMP) submission and the resources needed to address those risks. As the grid is modernized and new technologies are implemented, there is a concurrent increase in the need to integrate information technology with operational technology and to identify threats and mitigate vulnerabilities, and the associated costs are reflected in the forecast.

2. Cal Advocates

a) Cal Advocates’ Position

Table II-6 below provides a summary of Cal Advocates’ recommendations.

Table II-6 Summary of SCE and Cal Advocates Position

(2018 Constant $000)

Summary of Cal Advocates Positions

| Cal Advocates Recommended Reductions | Labor | Non-Labor | Totals |
|---|---|---|---|
| IGAM | $(900) | - | $(900) |
| IT/OT | $(1,920) | - | $(1,920) |
| Tech Labs | $(900) | - | $(900) |
| NIST Gap assessment | $(900) | - | $(900) |
| Disaster Recovery Activities | $(300) | - | $(300) |
| Non-Labor Recommendations | - | $(6,175) | $(6,175) |
| Total Recommended Reductions | $(4,920) | $(6,175) | $(11,095) |

Cal Advocates recommends a Test Year 2021 forecast of $27.278 million, a reduction of $11.304 million from SCE’s forecast. Cal Advocates’ reductions impact both the labor and the non-labor forecasts. SCE notes Cal Advocates’ reductions appear to total $11.095 million as opposed to the $11.304 million figure cited in Cal Advocates’ testimony.3 While SCE attempted to clarify the amount of Cal Advocates’ recommended reduction via data request, Cal Advocates’ response only restated the amount of $11.304 million without explaining how that amount was derived.4 This restated figure remains inconsistent with the total of the proposed reductions as shown in Table II-6 above.

For labor expenses, Cal Advocates recommends a forecast of $14.853 million, a reduction of $5.129 million from SCE’s request of $19.982 million. Cal Advocates starts from “forecasted 2019 as the basis for the labor forecast,”5 and rejects SCE’s adjustments to the Test Year 2021 labor forecast as follows: (1) $900,000 for “additional staffing to support IGAM”, stating “SCE will be shifting staff to support IGAM in future years” from the existing, legacy system;6 (2) $1.920 million for information technology/operational technology (IT/OT) integration, stating SCE has provided “no actual support as to what positions would be hired, or what workload would be beyond today’s base level”;7 (3) $900,000 for National Institute of Standards and Technology (NIST) gap assessment “due to the [NIST] framework being voluntary and not mandatory”;8 (4) $300,000 increase for “additional personnel to collaborate with the Business Resiliency personnel due the two departments already having strong communication and bi-weekly team meetings”;9 and (5) $900,000 for additional staffing for the tech labs, arguing that “use of SCE’s forecasted 2019 forecast as a base year and the additional staff would have been hired in 2019.”10

For non-labor test year expenses, Cal Advocates proposes $6.075 million, a reduction of $6.175 million from SCE’s forecast of $12.250 million. Cal Advocates observes that SCE’s forecast is “significantly higher by double to quadruple the recorded amounts in 2014 through 2018” and concludes that “[u]sing recorded 2018 costs is more appropriate because SCE has not adequately supported or shown the need for a significant increase in non-labor costs.”11

b) SCE’s Rebuttal to Cal Advocates’ Position

Cal Advocates’ recommendations for reductions in multiple GRC activities should be rejected as detailed in the sections below.

(1) Cal Advocates’ reduction related to IGAM activities relies on a misinterpretation of SCE’s data request response.

In support of its reduction for IGAM-related labor cost increases in the Test Year, Cal Advocates cites to SCE’s response to PubAdv-SCE-079, Question 6.a, which asked “Will the employees currently working on the IAM be reassigned to work on the IGAM?” In its response, SCE confirms that employees maintaining the IAM (the platform that will be replaced by IGAM) will be shifted to support the IGAM program in future years.12 Cal Advocates misconstrues SCE’s response to mean that IGAM program support will be limited to only those SCE employees who are currently maintaining IAM and ignores SCE’s workpapers (submitted with its direct testimony in September 2019) showing the incremental staffing for the IGAM program to provide IGAM operational and compliance support as well as IGAM Application and system onboarding.13 As the IGAM will be classified as a High Impact NERC CIP asset, this classification mandates meeting specific regulatory requirements14 and further supports the need for incremental staffing to onboard IGAM hardware and applications and to provide ongoing operational support and maintenance. As the IGAM program requires both shifting existing SCE staff maintaining the IAM and adding staff to address the additional activities associated with the IGAM program, Cal Advocates’ recommendation should be rejected as unsupported.

3 Exhibit PAO-07, pp. 2 and 4 (Table 7-2) (both show the $11.304 million figure).

4 See Cal Advocates response to SCE-PubAdv-013-MC (attached as Appendix A-1 – A-3).

5 Exhibit PAO-07, p. 22.

6 Id.

7 Exhibit PAO-07, p. 23.

8 Id.

9 Id.

10 Id.

11 Exhibit PAO-07, pp. 23-24.

12 See SCE’s response to data request PubAdv-SCE-079-MW5, Q.6a, attached in Appendix A at p. A-4.

(2) Cal Advocates’ reduction related to incremental IT/OT staffing relies on a misinterpretation of SCE’s data request response.

In support of its reduction of labor costs associated with incremental staffing IT/OT activities, Cal Advocates cites to SCE’s response to PubAdv-SCE-079-MW5 Q.6.b. This data request states, “Will current SCE staff being trained to work on IT/OT?” In response, SCE affirmatively responded and also noted that additional staffing will be needed with specialized expertise beyond the traditional cybersecurity infrastructure to support integrating modern grid assets in a secure manner.15 Notwithstanding, Cal Advocates claims this data request response supports the proposition that IT/OT activities will not exceed “today’s base level” due to “SCE’s plan to train current staff.”16

Beyond SCE’s response stating that “IT/OT drives an emerging need to have specialized expertise beyond the traditional cybersecurity infrastructure to support integrating modern grid assets in a secure manner”, SCE’s direct testimony and workpapers and additional data request responses support the need for incremental staffing to address the level of work associated with IT/OT activities during the Test Year.17 This initiative considers the vast number of cybersecurity processes that must be modified and added as T&D and software vendors integrate analog equipment with digital equipment.

13 Exhibit WPSCE04V03, p. 83, attached in Appendix B at p. B-1.

14 https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-004-6.pdf.

15 Exhibit PAO-7, Workpapers, p. 13.

16 Exhibit PAO-7, p. 23.

17 See Exhibit PAO-07, Workpapers, p. 13 (SCE’s response to data request PubAdv-SCE-079-MW5 Q.6.b); Exhibit SCE-04, Volume 3, p. 22; SCE-04, Volume 3, Workpapers, p. 83 (attached as Appendix B-1) and SCE’s response to data request PubAdv-SCE-079-MW5 Q. 9.a (attached as Appendix A-5 – A-6 to this volume).

To the extent Cal Advocates now seeks further information concerning the specific nature of the positions, the following list provides a description and job duties for the additional staff required:

• Security Architects designing security solutions into systems to preempt potential threats

• Risk Assessors assessing potential threats based on current system security measures and recommending enhancements, conducting periodic system tests, continuous monitoring of network security, and analyzing and collecting data about existing systems and environments

• Security Engineers implementing business technologies with monitoring tools to detect security breaches or intrusions, and designing strategies to protect the IT/OT networks from unauthorized access

• Penetration Testers conducting penetration testing of systems once they have been engineered to identify vulnerabilities.

Given the critical need to protect against threats exposed by the integration of operational technology (analog) with information technology (digital), Cal Advocates’ recommendation to disallow the incremental staffing needed to support this need should be rejected.

(3) Although Cal Advocates supports SCE’s request for the additional staffing for the tech labs, Cal Advocates’ proposed use of the 2019 forecast for 2021 should be rejected.

As explained in both its testimony and in response to data requests, SCE’s hiring for tech labs positions will begin in 2019, but additional positions will be added in the two subsequent years.18 Cal Advocates’ proposal to utilize the 2019 forecast for these labor costs in 2021 reflects a misinterpretation of SCE’s data request response and testimony. Although SCE began hiring for those five full-time positions starting in 2019, the 2019 forecast for the tech lab positions does not reflect the costs of a full year for all five positions. In contrast, the Test Year forecast reflects the filling of all five positions by the start of 2021. As Cal Advocates does not dispute the need for all five positions for the SCE tech labs, Cal Advocates’ proposal to use 2019 forecast costs for 2021 should be rejected.

18 Exhibit SCE-04, Vol. 3, p. 23; see also, SCE’s response to data request PubAdv-SCE-079-MW5 Q.6.b, (attached as Appendix A-3).

(4) Cal Advocates’ argument that the staffing to support the NIST should not be authorized due to its voluntary nature is misguided and should be rejected.

As stated in testimony, SCE requires additional staff to perform NIST gap assessments to our policies and standards and enhance our ability to prevent, detect, and respond to cyberattacks in accordance with the NIST Cybersecurity Framework.19 While the NIST Cybersecurity Framework is not mandated by law, those guidelines are nationally recognized as the model for cybersecurity and in use by private-sector owners and operators of critical infrastructure throughout the United States and federal and state agencies across all sixteen critical infrastructure sectors.20 By meeting these guidelines, SCE leverages these recognized best practices and common security nomenclature in a prioritized, flexible, repeatable, and cost-effective approach to manage cybersecurity-related risk.

The NIST Cybersecurity Framework was developed by industry, academia, and government stakeholders in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013.21 Per the EO, “[i]t is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” As computing technology increases in complexity and interconnectedness within the operational and information technology environments, utilities must remain at the forefront of securing underlying systems, component products, and related vendor services to support the economic and national security interests of the United States. SCE leverages this framework within the critical infrastructure space in line with other investor-owned utilities, financial institutions, and government entities.

As stated in testimony, SCE requires additional staff to perform these gap assessments against our current policies and standards as new versions of this framework are released to address new technology and evolving threats to prevent, detect, and respond to cyberattacks against critical infrastructure. While the Commission has not explicitly mandated the adoption of the NIST Cybersecurity Framework to date, SCE’s proactive adoption helps mitigate cybersecurity risks to our customers and the general public. This additional staffing directly supports this effort by establishing the appropriate security baselines to efficiently leverage the NIST Cybersecurity Framework. Accordingly, Cal Advocates’ recommendation to disallow funding for the incremental staffing supporting this initiative solely due to the absence of a formal mandate should be rejected.

19 Exhibit SCE-04, Vol.3, p. 23.

20 https://www.nist.gov/industry-impacts/cybersecurity-framework.

21 https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/eo-13636.

(5) Cal Advocates’ reduction related to incremental cybersecurity personnel to support the IT Disaster Recovery Program relies on a misinterpretation of SCE’s data request response.

In support of its reduction of labor costs associated with incremental cybersecurity staff to collaborate with Business Resiliency personnel for SCE’s IT Disaster Recovery program, Cal Advocates cites to SCE’s response to PubAdv-SCE-079-MW5 Q.7.c. While SCE acknowledges there exists a bi-weekly collaboration with Business Resiliency, Cal Advocates fails to acknowledge the complete data request response which explains the need for the incremental staff. As set forth therein, “[i]n order to maintain and mature the Business Resiliency and IT Disaster Recovery Programs in a complex computing environment and changing utility environment, additional personnel are required for these governance and infrastructure efforts.”22

SCE’s Business Resiliency department leads the Business Impact Analysis (BIA) process, which is an enterprise-wide governance body to allow for “the functional prioritization of business continuity and disaster recovery plans of critical IT applications and assets to manage the continuity of operations during an emergency”.23 This effort requires the support of “additional staff [who] will be responsible for the creation, training and exercising of emergency plans, processes and procedures associated with critical IT systems and applications”.24 Cal Advocates’ recommendation disregards the critical need for additional cybersecurity staff dedicated to supporting the advancement of the IT-focused disaster recovery efforts and should be rejected.

22 See SCE’s response to data request PubAdv-SCE-079-MW5 Q.7.c, (attached as Appendix A-6 – A-7).

23 Exhibit SCE-04, Vol.1, p. 12.

24 Exhibit SCE-04, Vol. 3, pp. 23 – 24.

Page 14: 2021 General Rate Case Rebuttal Testimony€¦ · 3 the non-labor forecasts. SCE notes Cal Advocates’ reductions appear to total $11.095 million as opposed 4 to the $11.304 million

11

(6) Cal Advocates’ argument for a reduction of non-labor forecast is 1

without merit. 2

Cal Advocates’ recommendation to use 2018 recorded non-labor costs for 3

the Test Year forecast ignores SCE’s detailed support for increased non-labor costs in the Test Year 4

associated with additional activities identified in SCE’s RAMP report. As stated in testimony and 5

consistent with the RAMP Report, SCE forecasts a higher and recurring need to utilize industry 6

consultants to perform additional evaluations of our cybersecurity protections (specifically for Perimeter 7

Defense, Interior Defense, Data Protection, and SCADA Cybersecurity programs).25 Third-party 8

consultants are needed to augment existing staff with their specialized expertise and experience 9

performing comparable work for other utilities and companies in other sectors and to conduct 10

independent assessments or evaluations.26 While asserting the increase was unsupported, Cal Advocates 11

failed to identify any deficiencies or otherwise dispute the detailed materials supporting SCE’s Test 12

Year non-labor costs expense and its recommendation should be rejected. 13

3. Conclusion

In summary, the Commission should reject Cal Advocates’ recommendations and adopt SCE’s Test Year 2021 forecast for the Cybersecurity BPE. Cal Advocates’ arguments are meritless and make no effort to dispute SCE’s testimony, workpapers and data request responses supporting the need for incremental staffing and outside consultant costs. SCE’s forecast increases are further supported by the recent issuance of the new Presidential Executive Order on May 1, 2020 discussed in Chapter I of this volume. The supporting materials and record provide a comprehensive, detailed forecast for Cybersecurity Delivery & IT Compliance labor and non-labor activities that occur in the Test Year 2021 and should be adopted as requested.

B. Capital Expenditures

SCE’s capital forecast for the Cybersecurity BPE is outlined in Table II-7 below. The table provides the recorded amounts for 2014 – 2019 and the forecast for 2020-2021. SCE’s recorded 2019 capital expenditures were $9.640 million above the 2019 capital forecast submitted with SCE’s GRC application. The higher level of expenditures than initially forecast was primarily due to identified critical vulnerabilities within tech labs and perimeter infrastructure that required immediate remediation.

25 Exhibit SCE-04, Vol.3, p. 24 and WPSCE04V03, p. 85, in Appendix B.

26 Exhibit SCE-04, Vol. 3, p. 29 and RAMP Report p. 6-32 to 6-34, in the Appendix B.


SCE notes Cal Advocates is inconsistent in recommending adoption of SCE’s 2019 initial forecast versus 2019 recorded expenditures for the Cybersecurity BPE where it results in a forecast increase, as contrasted with Cal Advocates’ recommendation to utilize 2019 recorded expenditures in other BPEs, such as Physical Security, where doing so results in a forecast decrease.27

For the Cybersecurity BPE capital forecast, Cal Advocates proposed the use of two-year average methodologies for two GRC activities, which are detailed in the pages that follow. Cal Advocates does not oppose SCE’s forecast for the remaining four GRC activities, namely, NERC CIP, Data Protection, Interior Defense, or SCADA. No other party submitted testimony opposing SCE’s Cybersecurity BPE capital forecast.

1. SCE’s Application

SCE’s capital forecast for the Cybersecurity BPE supports ongoing cybersecurity capital programs and new cyber-defense enhancements to address increased areas of exposure and risk in the immediate future. As described in SCE’s direct testimony, the forecast is driven by the growth in quantity and complexity of cyberattacks and includes new initiatives, including enhanced government collaboration, Identity Governance & Administration Management (IGAM) implementation, improvements for SCE technical labs, Information Technology/Operational Technology (IT/OT) integration and Grid Modernization Cybersecurity infrastructure and applications, to confront and mitigate against these expanding threats.28

27 See Cal Advocates response to SCE-PubAdv-013-MC (attached as Appendix A-1 – A-3).

28 Refer to SCE-04, Vol.3, pp.21-24.


Table II-7 Cybersecurity Capital Expenditures

2019-2021 Forecast Summary of SCE and Cal Advocates Position

(Nominal $000)

| Line No. | Cybersecurity | SCE Rebuttal Position: 2019 Recorded | SCE Rebuttal Position: 2020 Forecast | SCE Rebuttal Position: 2021 Forecast | SCE Rebuttal Position: Total 2019 - 2021 | Cal Advocates: 2019 Forecast | Cal Advocates: 2020 Forecast | Cal Advocates: 2021 Forecast | Cal Advocates: Total 2019 - 2021 | Variance From SCE 2020 - 2021 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | NERC CIP | 2,793 | 2,478 | 5,478 | 10,750 | 3,208 | 2,478 | 5,478 | 11,164 | 414 |
| 2 | Perimeter Defense | 26,476 | 19,452 | 37,577 | 83,505 | 16,099 | 19,602 | 17,851 | 53,552 | (29,953) |
| 3 | Data Protection | 6,203 | 7,268 | 8,571 | 22,041 | 5,991 | 7,268 | 8,571 | 21,830 | (211) |
| 4 | Interior Defense | 7,620 | 8,103 | 8,107 | 23,830 | 8,254 | 8,103 | 8,107 | 24,464 | 634 |
| 5 | SCADA Cybersecurity | 147 | 2,549 | 2,551 | 5,248 | 2,448 | 2,549 | 2,551 | 7,549 | 2,301 |
| 6 | Grid Mod Cybersecurity | 26,136 | 24,542 | 45,245 | 95,922 | 25,702 | 24,949 | 25,543 | 76,194 | (19,728) |
| 7 | Total | 69,374 | 64,392 | 107,530 | 241,295 | 61,702 | 64,949 | 68,101 | 194,751 | 46,544 |

2. Cal Advocates

a) Cal Advocates’ Position

While Cal Advocates accepts SCE’s 2019-2021 forecasts for NERC, Data Protection, Interior Defense, and SCADA and SCE’s 2019 and 2020 forecasts for Perimeter Defense and Grid Modernization Cybersecurity, Cal Advocates proposes reduced 2021 forecasts for Perimeter Defense and Grid Modernization Cybersecurity. Cal Advocates notes Perimeter Defense recorded costs have “fluctuated significantly over the years”,29 and recommends a 2021 forecast based on the two-year average of SCE’s 2019 and 2020 forecasts. For Grid Modernization Cybersecurity, Cal Advocates notes that SCE only started recording costs for this category in 2016, and that “SCE’s forecast is more than double what was recorded in 2018.”30 Cal Advocates recommends that the 2021 forecast be reduced to the “two-year average of the 2019 actual expense and the forecasted 2020” capital expenditures.31

b) SCE’s Rebuttal to Cal Advocates’ Position

As detailed below, Cal Advocates’ proposals for reductions to SCE’s 2021 capital forecasts for Perimeter Defense and Grid Modernization Cybersecurity do not consider the significant support submitted by SCE showing the need for a higher level of expenditures during 2021 arising from the timing of project implementation.

29 Exhibit PAO-7, p. 33.

30 Exhibit PAO-7, p. 34.

31 Exhibit PAO-07, pp. 32-34.


(1) Cal Advocates’ Recommendation does not address the cybersecurity initiatives scheduled for 2021 which cause the higher level of expenditures as compared to 2019 and 2020.32

SCE’s capital forecast for Perimeter Defense is risk based and itemized based on planned enhancements and upgrades to SCE’s computing environment for each year. Hence, while SCE’s 2019 forecast for Perimeter Defense includes ongoing enhancements and upgrades to our perimeter controls, the 2021 forecast includes additional enhancement and upgrade activities which are not part of the 2019 forecast. In particular, SCE’s 2021 forecast includes the following incremental project work: 1) Identity Governance & Access Management (IGAM) Phase 2 and 3, 2) IT/OT integration, 3) Foundational Tools, and 4) Labs. The work is planned annually to align with updates to the grid and computing environments to address the dynamic threat landscape.

The higher level of expenditures in 2021 aligns with the conditions envisaged during that year which require incremental hardware and software implementation and related services. As IT and OT converge, SCE must make corresponding enhancements to protect against vulnerabilities that become exposed by this convergence. The IGAM program involves a series of projects that enhance cybersecurity as computing environments evolve from the traditional IT infrastructure within the data center and expand into cloud and Software-as-a-Service (SaaS) offerings. These projects focus on mitigating security risks within SCE’s IT environment and cloud service providers and improving the overall cybersecurity posture. The Foundational Tools involve the implementation of new cybersecurity tools as the grid environment evolves and exposes new security gaps. Cybersecurity enhancements are needed for tech labs across SCE’s environment for routine testing and continuous monitoring and operational support.

Given the foregoing incremental activities are forecast during 2021, Cal Advocates’ recommended use of 2019 and 2020 forecasts fails to properly account for the level of expenditures needed for the projects planned for 2021 and should be rejected.

32 See Exhibit SCE-04, Vol. 3, Table II-9, p. 27.


(2) Cal Advocates’ recommendation of two-year average for Grid Modernization Cybersecurity is not appropriate as the recorded costs in 2018 were significantly reduced due to changing priorities within the company

While Cal Advocates accurately observes that SCE’s 2021 forecast for Grid Modernization Cybersecurity is a substantial increase from 2018 recorded expenditures, Cal Advocates makes no effort to dispute SCE’s detailed recitation of the incremental activities driving and supporting the higher level of expenditures during 2021. As described in direct testimony and workpapers, SCE’s forecast of 2019 and 2020 capital expenditures relate to the implementation and deployment of core or foundational grid modernization cybersecurity capabilities, such as network access control, vulnerability management, threat detection and network forensics. Starting in 2021, SCE shall be deploying and configuring security and data protection capabilities related to multiple grid modernization workstreams, including Field Area Network (FAN), Common Substation Platform (CSP), Wide Area Network (WAN), and Grid Management System (GMS).33 Notably, Cal Advocates did not challenge SCE’s forecasts for FAN, CSP or WAN. While Cal Advocates recommends reductions to SCE’s GMS forecast, Cal Advocates did not question the need for the GMS.34 The implementation of these grid modernization workstreams warrants the higher level of cybersecurity expenditures for hardware, software and related services costs during 2021.

Moreover, Cal Advocates does not appear to discuss or otherwise challenge SCE’s forecast of the level of Grid Modernization Cybersecurity activities and related expenditures. Instead, Cal Advocates asserts that SCE’s 2021 forecast should be rejected since it is “based on vendor quotes as opposed to signed contracts.”35 Given these activities are not planned until 2021, there are no executed contracts in place and vendor quotations represent the best available information on what the ultimate costs will be at this point in time. SCE’s reliance on vendor quotations for forecasting the costs of the hardware, software and related services costs is reasonable and the specific cost estimates are outlined in workpapers.36 As Cal Advocates does not explain why SCE’s reliance on vendor quotations is unreasonable or otherwise dispute SCE’s forecast of expenditures for Grid Modernization Cybersecurity during 2021, Cal Advocates’ recommendation should be rejected and SCE’s 2021 forecast should be adopted as requested.

33 Exhibit SCE-04, Volume 4, p. 34.

34 Exhibit PAO-5, pp. 30-31.

35 Refer to SCE-04, Volume 3.

36 Exhibit WPSCE04V03, pg. 126, (attached as Appendix B-6).

3. Conclusion

The Commission should reject Cal Advocates’ recommendations for reductions to SCE’s 2021 forecasts for Perimeter Defense and Grid Modernization Cybersecurity. SCE’s itemized forecasts are supported by testimony, workpapers and data request responses detailing the nature and scope of work planned for 2021 and quotations from the vendors who will be supplying hardware, software and labor needed to implement security enhancements. As Cal Advocates does not challenge SCE’s justification for the incremental initiatives and related activities in making its recommendations or plausibly challenge the reasonableness of SCE’s forecast, SCE’s 2021 forecasts for both programs should be adopted without modification.


Appendix A

Data Request Responses


DATA REQUEST PAGE(S)

SCE-PubAdv-013-MC A-1 – A-3

PubAdv-SCE-079-MW5 Q.6.b A-4

PubAdv-SCE-079-MW5 Q. 9.a A-5 – A-6

PubAdv-SCE-079-MW5 Q.7.c A-7 – A-8


PUBLIC ADVOCATES OFFICE DATA RESPONSE

Southern California Edison Company Test Year 2021 General Rate Case A.19-08-013

Date: 15 May 2020

Origination Date: 7 May 2020

Response Due: 15 May 2020

To: Martin Collette

From: Truman Burns, Project Coordinator, Public Advocates Office, 505 Van Ness Avenue, Room 4104, San Francisco, CA 94102

Response by: Monica Weaver

Phone: 415-703-2396

Data Request No: SCE-PubAdv-013-MC

SCE Questions:

1. In Exhibit PAO-07, p. 32, Cal Advocates notes that they “did not have a chance to properly analyze the recorded 2019” capital expenditures for Cybersecurity, and accepts SCE’s forecast for 2019 for all of the categories of Cybersecurity capital expenditures. For Grid Modernization – Cybersecurity, Cal Advocates “recommends a two-year average of the 2019 actual expense and the forecasted 2020 to forecast TY 2021”. Please explain why Cal Advocates recommends using “2019 actual expense” notwithstanding its statement that such recorded costs had not been properly analyzed in advance of its proposed forecast for the Test Year.

2. In Exhibit PAO-07, pp. 22-24, Cal Advocates recommends reductions to SCE’s Cybersecurity Delivery & IT Compliance O&M forecast in the following areas: (1) $0.900 million for Labor to support IGAM, (2) $1.920 for Labor to support IT/OT, (3) $0.900 million for Labor to support tech labs, (4) $0.900 million for Labor to support NIST, (5) $0.300 million for Labor to Collaborate with Business Resiliency, and (6) $6.175 million for Non-Labor. The sum of these reductions equals $11.095 million, a difference of $0.209 million from Cal Advocates’ stated reduction of $11.304 million in Table 7-11 and values listed on p. 22, lines 7-10. Please clarify whether Cal Advocates recommends a reduction of $11.095 million rather than $11.304 million.

A-1


a. If not, please explain the $0.209 million variance between Table 7-11 and the calculated sum of the adjustments, including calculations, and provide all supporting materials including spreadsheets.

3. In Exhibit PAO-07, p.23, Cal Advocates “opposes the $0.900 million increase for the U.S. Department of Commerce’s National Institute on Standards and Technology (NIST) Standards Gap due to the framework being voluntary and not mandatory according to the NIST website…..” Did Cal Advocates perform any analysis or research to conclude whether it would be beneficial to adopt the NIST framework? If so, please provide the analysis and findings to SCE.

a. Has Cal Advocates evaluated whether other utilities or government agencies have adopted the NIST framework?

4. In Exhibit PAO-7, Cal Advocates accepts SCE’s forecast for 2019 capital expenditures for Business Continuation, Emergency Management, and Cybersecurity, but adopts 2019 recorded capital expenditures for Physical Security.

a. Please provide any analysis conducted on the 2019 recorded expenditures for Physical Security.

b. Please explain the rationale for utilizing the 2019 recorded expenditures for Physical Security, but not utilizing the 2019 recorded expenditures in Business Continuation, Emergency Management and Cybersecurity in Cal Advocates’ recommended forecasts.

Public Advocates Office Response:

1. SCE’s 2019 recorded cost for Cybersecurity had significantly increased from the forecast by over $9 million dollars. Of the over $9 million increase, Grid Modernization-Cybersecurity showed an increase of just below $450 thousand. Due to the slight increase, the Public Advocates Office recommended using recorded 2019 as a factor as well as forecasted 2020.

2. The Public Advocates Office recommends a reduction of $11.304 million.

a. Please see the Public Advocates Office’s response to SCE-PubAdv-001-MC Question 2 for a breakdown of the Public Advocates Office’s calculation.

3. SCE did not provide analysis or research for the Public Advocates Office to conclude NIST would be beneficial aside from the one bullet point and the footnote stating the NIST website on page 23 of Ex. SCE-04 Vol. 3.

a. The NIST website provide limited information about whether utilities had adopted the NIST framework.

4. a. The Public Advocates Office reviewed the recorded amounts for Physical Security compared to forecasted amounts.

A-2


b. The Public Advocates Office’s rationale for utilizing the 2019 recorded expenditures for Physical Security was based on its review of the recorded and forecasted amounts for Physical Security. Based on that review, the Public Advocates Office utilized the 2019 recorded expenditures for its recommendation rather than the higher forecasted amount. SCE did not provide justification for the $10 million increase over recorded 2019 data for Public Advocates Office to use SCE’s forecast.

END OF RESPONSE

A-3


Southern California Edison

A.19-08-013 – SCE 2021 General Rate Case

DATA REQUEST SET PubAdv-SCE-079-MW5

To: Public Advocates Office

Prepared by: Lorane Luna

Job Title: Senior Specialist

Received Date: 1/17/2020

Response Date: 2/3/2020

Question 06.a-b: Regarding Ex. SCE-04, Vol. 3, p. 22:

a. Will the employees currently working on the IAM be reassigned to work on the IGAM?

i. If no, why not?

ii. If yes, please identify where the reassignment is tracked.

b. Will current SCE staff be trained to work on IT/OT?

i. If no, why not?

ii. If yes, please identify where this is tracked.

Response to Question 06.a-b:

6.a – Yes. SCE staff currently performing ongoing maintenance of IAM services will gradually shift to support IGAM in future years as SCE onboards new applications for Access Controls with IGAM.

6.a.i – Please see SCE’s response to 6.a above.

6.a.ii – These costs will be tracked in the respective work orders within the IAM and future IGAM work orders.

6.b – Yes. SCE’s existing staff will be trained on IT/OT. However, SCE’s forecast accounts for incremental IT/OT activities and workload beyond today’s base level of cybersecurity and compliance work that will continue in Test Year 2021 and future years. In addition, IT/OT drives an emerging need to have specialized expertise beyond the traditional cybersecurity infrastructure to support integrating modern grid assets in a secure manner.

6.a.i – Please see SCE’s response to 6.b above.

6.a.ii – These costs will be tracked in future work orders for IT/OT, which will roll up to Cost Center F530187 as detailed in WPSCE04V3 at page 83.

A-4


Southern California Edison

A.19-08-013 – SCE 2021 General Rate Case

DATA REQUEST SET PubAdv-SCE-079-MW5

To: Public Advocates Office

Prepared by: Lorane Luna

Job Title: Senior Specialist

Received Date: 1/17/2020

Response Date: 1/31/2020

Question 09.a-e: Regarding SCE-04, Vol. 3, p. 29:

a. Please provide the benefits of IT/OT integration.

b. Is SCE aware of any other Utility using IT/OT integration?

c. Was IT/OT approved by the commission?

i. If yes, please provide supporting documentation.

d. Is the IT/OT integration replacing another program?

i. If yes, please provide which program and where the cost savings are located.

e. Is IT/ OT required?

i. If yes, please provide supporting documentation.

Response to Question 09.a-e:

a. While SCE has not conducted a quantified benefit analysis of IT/OT integration, IT/OT integration benefits the public and SCE customers by reducing the risk of cybersecurity threats and intrusions that could range from minor to catastrophic given the size and complexity of SCE’s grid.

OT devices were once built around dedicated hardware-based architectures. They have now been replaced by digital platforms with embedded computers (e.g., servers), software (including operating systems and application) and wired and wireless communications capabilities. Enhanced IT technologies and network connectivity (e.g., Internet Protocol) make possible new operating models that can improve customer service, grid operations and associated business outcomes, ranging from Smart Grid / AMI deployments to IP-connected transmission and distribution assets. Some additional benefits of this IT/OT integration include the following:

1. Increased use of digital information and controls technology improves responsiveness, reliability, security, and efficiency of the electric grid

2. Improved operational efficiencies (e.g., demand management)

3. Remote substation operations and maintenance

4. Enhanced outage management and predictive fault analysis

5. Supports optimization of grid operations and resources

A-5


6. Allows for the deployment and integration of distributed resources and generation, including renewable resources.

7. Supports ability for consumers to have access to timely information and control options.

b. Yes, although using widely differing names, many utilities are at various levels of implementing IT/OT integration. Awareness of these efforts is through peer information sharing across the utility industry. This also includes combining the benefits of security programs across their IT and grid networks for shared intelligence, monitoring, and response. Some utilities are also integrating components of their physical security programs as well.

c. No since funding for IT/OT integration was not requested in SCE’s 2018 GRC and also does not include activities that would require separate Commission approval (e.g., changes to customer tariffs).

d. No, it is not replacing another program. It will integrate and build upon SCE’s existing cybersecurity work and systems. IT/OT integration represents an emergent need driven by the increased digitization and interconnected nature of grid assets.

e. No, as SCE interprets this question to be asking if IT/OT integration is specifically mandated by statute or regulation. While IT/OT integration is not the subject of a specific compliance requirement, IT/OT integration is required as SCE continues to introduce more digital-based assets to our grid and across the enterprise’s operations. Starting on page 6-20 of the SCE’s 2018 RAMP Report and continuing through page 6-29, each of the control areas listed below are described in detail. Each control area is dependent upon the successful combination of IT and OT policies, procedures, and technical resources to support effective response to cybersecurity-based attacks.

C1 Perimeter Defense

C2 Interior Defense

C3 Data Protection

C4 SCADA Cybersecurity

C5 Grid Modernization Cybersecurity

A-6


Southern California Edison

A.19-08-013 – SCE 2021 General Rate Case

DATA REQUEST SET PubAdv-SCE-079-MW5

To: Public Advocates Office

Prepared by: Lorane Luna

Job Title: Senior Specialist

Received Date: 1/17/2020

Response Date: 1/31/2020

Question 07.a-c: Regarding EX. SCE-04, Vol. 3, p. 23:

a. Please provide how many additional staff members were hired in 2019 for SCE Tech labs.

i. How many additional staff members did SCE anticipate hiring in 2019?

b. Has SCE incorporated the NIST Cybersecurity Framework before 2019?

i. If no, why not?

c. Do the IT Compliance/Disaster recovery personnel currently communicate with the Business Resiliency personnel?

ii. If no, why not.

Response to Question 07.a-c:

a. SCE assigned one existing FTE (a cyber project manager) to help establish processes and procedures and brought in three consultants to assist with this effort. SCE hired one FTE at the end of 2019, totaling five resources to support SCE Tech labs in 2019. SCE plans to hire four FTEs for SCE Tech Labs in 2020

i. SCE anticipated hiring five FTEs in 2019

b. No. SCE began to operationalize our NIST Cybersecurity Framework at the tech labs in 2019. This work is ongoing.

i. Up until late 2018, SCE was in the process of evaluating the NIST Cybersecurity Framework at the tech labs.

c. Business Resiliency is a key partner of IT Compliance/Disaster Recovery, and accordingly, the teams communicate regularly. This includes bi-weekly team meetings to review changes and process improvements and to discuss current projects. SCE has a Business Resiliency & IT Disaster Recovery Governance for the purpose of strengthening SCE’s ability to protect critical infrastructure, prevent attacks against our facilities and information, mitigate threats/hazards, and support SCE’s response to and recovery from catastrophic disasters and business disruptions. In order to maintain and mature the Business Resiliency and IT Disaster Recovery Programs in a complex computing environment and changing utility environment, additional personnel are required for these governance and infrastructure efforts.

A-7


i. See response to question c above.

A-8


Appendix B

Workpapers


Workpapers PAGE(S)

WPSCE04V03, p. 83 B-1

WPSCE04V03, p. 85 B-2

RAMP Report p. 6-32 to 6-34 B-3 – B-5

WPSCE04V03, p. 126 B-6


Workpaper – Southern California Edison / 2021 General Rate Case

Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox

GRC Cyber O Labor Increases for 2019-2023

| # | OU | FUNCTION/Driver | Work Scope | Identify Operational Constraints and Impact | Cost Type | Cost Recovery Mechanism | Notes from IT / Description of Work (for IT internal discussions/ not submitted) | FCC | Cost |
|---|---|---|---|---|---|---|---|---|---|
| 3 | IT | IT/OT | Incremental support to mitigate cybersecurity risk as more automation occurs in field and network becomes increasingly complex | staffing for testing | O&M | GRC | Incremental dollars to prepare and support substations to align to the cybersecurity policies and standards. Efforts include implementing OS and application patching, patch assessment, scanning, vulnerability management, user access management, network switches and support, etc. for 500+ substations. [Grid: 2019/2020- 700k/yr. 2021-2023: 1.3M/yr]. [Cyber:2019-2023 | F530187 | 3.96 |
| 10 | IT | IT/OT | Incremental support to mitigate cybersecurity risk as more automation occurs in field and network becomes increasingly complex | staffing for testing | O&M | GRC | Incremental dollars to prepare and support substations to align to the cybersecurity policies and standards. Efforts include implementing OS and application patching, patch assessment, scanning, vulnerability management, user access management, network switches and support, etc. for 500+ substations. [Grid: 2019/2020- 700k/yr. 2021-2023: 1.3M/yr]. | F530187 | 1.8 |
| 14 | IT | Labs | Enhance cybersecurity of SCE labs and operational support | staffing for testing | O&M | GRC | (Scanning) - 1FTE each. 0.2 (20%) for non-labor dollars. | F300165 | 4.05 |
| 17 | IT | Foundational Tools | Incremental support for new cyber tools and technologies to strengthen security posture in the Grid environment. Address security gaps. | Staffing for configuration, implementation | O&M | GRC | 2019 & 2020: - 3 FTEs (2 for sec gap assmt remediation), = 1.8M. 2021+ 6 FTEs (5 for sec gap assmt remediation), = 3M | F300165 | 5.67 |
| 22 | IT | GAP Assessment | Grid Services gap assessment against the cyber/NIST standards | staffing | O&M | GRC | 2019-2020: 2FTEs for sec gap assmt remediation; =$0.75M. 2021 4FTEs for sec gap assmt remediation;=$1.4M | F300165 | 3.78 |
| 33 | IT | IGAM | Grid Mod Application and system onboarding, & IGAM operational and compliance support | Staffing for maintenance | O&M | GRC | Labor: 1 FTE 2019-2022; Additional FTE in 2023. 1 FTE 2020-2023. | F300165 | 1.26 |
| 34 | IT | IGAM | Grid Mod Application and system onboarding, & IGAM operational and compliance support | staffing | O&M | GRC | labor/Non-Labor. Application onboarding: 2019 (PDR & Historian apps - $100k/ap for 2 apps=$200k); 2021 (5 apps - GMS rel 1.0) - $500k. Hardware maint: 58 servers - $100k/yr | F300165 | 0.72 |
| | | | | | O&M | | | | 21.24 |

WPSCE04V03, p. 83

B-1


Workpaper – Southern California Edison / 2021 General Rate Case

Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox

GRC Cyber Non‐Labor Increases for 2019‐2023

| Internal ID# | OU | FUNCTION/Driver | Work Scope | Identify Operational Constraints and Impact | Cost Type | Notes from IT / Description of Work (for IT internal discussions/ not submitted) | FCC | Cost |
|---|---|---|---|---|---|---|---|---|
| 3 | IT | IT/OT | Incremental support to mitigate cybersecurity risk as more automation occurs in field and network becomes increasingly complex | Consultants for testing | O&M | Incremental dollars to prepare and support substations to align to the cybersecurity policies and standards. Efforts include implementing OS and application patching, patch assessment, scanning, vulnerability management, user access management, network switches and support, etc. for 500+ substations. [Grid: 2019/2020‐ 700k/yr. 2021‐2023: 1.3M/yr]. [Cyber:2019‐2023 | F530187 | 2.64 |
| 5 | IT | Government Initiatives | Incremental support to build out or pilot technologies to integrate with government systems for the purpose of national security | Consultants for testing | O&M | | F529896 | 4.75 |
| 14 | IT | Labs | Enhance cybersecurity of SCE labs and operational support | Consultants for testing | O&M | 0.45(20%) for non‐labor dollars. | F300165 | 0.45 |
| 17 | IT | Foundational Tools | Incremental support for new cyber tools and technologies to strengthen security posture in the Grid environment. Address security gaps. | Staffing for configuration, implementation and maintenance of new assets | O&M | Grid Services non‐labor maintenance ‐ 20% of half of capital costs for 14 cyber tools = 0.63M/year | F300165 | 0.63 |
| 22 | | GAP Assessment | Grid Services gap assessment against the cyber/NIST standards | | O&M | | F300165 | 0.42 |
| 30 | IT | IGAM | AMR | PS/HW for implementation | O&M | Item #1: There will be AMR work for new in‐scope assets. Please allocate 10% ($25K‐$50K) annually for AMR/IAM Support. Item #2: There will be AMR work for new in‐scope assets & decommissioning support. Please allocate $50K for AMR/IAM Support. | F300165 | 0.3 |
| 31 | IT | IGAM | AMR | PS/HW for implementation | O&M | increase fees for WECC Audit for AMR support to $250K. | F300165 | 0.75 |
| 33 | IT | IGAM | Grid Mod Application and system onboarding, & IGAM operational and compliance support | Consultants for testing | O&M | Labor: 1 FTE 2019‐2022; Additional FTE in 2023. 1 FTE 2020‐2023. | F300165 | 0.14 |
| 34 | IT | IGAM | Grid Mod Application and system onboarding, & IGAM operational and compliance support | HW maintenance | O&M | Hardware maint: 58 servers ‐ $100k/yr | F300165 | 0.08 |
| Total | | | | | O&M | | | 10.16 |


V. Proposed Plan

Cybersecurity is inherently difficult to quantify. The risks and threats that we face as a utility in one of the largest metropolitan cities[42] in the world are vast and diverse. Trying to forecast the probability of successful breaches of our systems controls involves making a series of educated assumptions based on what we know about our existing defenses, the demographics and capabilities of our attackers, and the growth and complexity of the attacks we will face in the future. In addition, the risk of cyberattack has the potential to change significantly due to global politics and the associated actions of nation states. Cybersecurity threats are not limited to our service territory, but instead can originate from virtually anywhere across the world. Cybersecurity challenges can also be triggered or motivated by social unrest, political differences and upheavals, and religious and cultural factors.

Measuring the effectiveness of controls and mitigations becomes equally difficult when we don’t have a base level of historical data and experience to draw from. Fortunately, SCE has not experienced a significant breach of our control systems yet.

Through the development of this RAMP report, SCE was able to take initial steps forward in quantifying the cyberattack risk to SCE, as well as the effectiveness of our controls and mitigations. This is truly a first generation model, but one that SCE believes provides a strong foundation upon which to improve in the future.

SCE analyzed, from a historical perspective, the relative effectiveness of our cybersecurity controls and mitigations in addressing SCADA/ICS attacks that have occurred around the world over the past few years.[43] SCE used this analysis to inform the mitigation evaluation and risk spend efficiency calculations.

SCE has evaluated each control and mitigation discussed in Sections III and IV and has developed a Proposed Plan for addressing this risk, as shown in Table V-1 below.

[42] Los Angeles, as a service area, comprises a high density of customers to geographic areas, headquarters a great deal of the media/entertainment industry, and has a high profile in the news. Thus, a cyberattack in Los Angeles will be a much more reported upon event and will provide the attackers with relatively higher visibility.

[43] Please refer to WP Ch. 6, pp. 6.7 – 6.9 (Outcome Based Risk Reduction Model Overview) for further detail on this cyberattack outcome based risk assessment.


Table V-1 – Proposed Plan (2018-2023 Totals)

Column groups: Proposed Plan (ID, Name); RAMP Period Implementation (Start Date, End Date); Cost Estimates ($M) (Capital, O&M); Mean (MARS) (MRR, RSE); Tail Average (MARS) (MRR, RSE).

| ID | Name | Start Date | End Date | Capital ($M) | O&M ($M) | MRR, Mean (MARS) | RSE, Mean (MARS) | MRR, Tail Average (MARS) | RSE, Tail Average (MARS) |
|---|---|---|---|---|---|---|---|---|---|
| C1a | Perimeter Defense | 2018 | 2023 | $80.8 | $34.9 | 1.51 | 0.013 | 9.13 | 0.079 |
| C2a | Interior Defense | 2018 | 2023 | $47.9 | $23.7 | 0.91 | 0.013 | 5.83 | 0.082 |
| C3a | Data Protection | 2018 | 2023 | $30.7 | $16.7 | 0.02 | 0.000 | 0.03 | 0.001 |
| C4a | SCADA Cybersecurity | 2018 | 2023 | $19.8 | $19.9 | 0.46 | 0.012 | 3.04 | 0.077 |
| C5a | Grid Modernization Cybersecurity | 2018 | 2023 | $169.2 | $33.8 | 1.41 | 0.007 | 9.28 | 0.046 |
| | Total Proposed Plan | | | $348.4 | $129.0 | 4.31 | 0.009 | 27.32 | 0.057 |

MRR = Mitigation Risk Reduction
MARS = Multi-Attribute Risk Score
RSE = Risk Spend Efficiency (risk units reduced per $1M spend).

A. Overview

SCE evaluated our internal defenses against cyberattack capabilities and threats. This evaluation indicated that SCE has implemented adequate cyber defense strategies for the threats that exist today. However, through developing this RAMP report, we have identified increased exposure and risk in the future. As such, in the Proposed Plan, SCE continues to deploy and enhance its defense-in-depth cybersecurity approach by maturing and expanding existing cybersecurity practices. In addition, SCE supplements this work with enhanced capabilities, tools, and resources to address the growth of cyberattack risks at a reasonable level of spend.

The Proposed Plan carries forward the scope of work from our existing activities, and adds additional training, penetration testing, and vulnerability assessments. Training is essential in helping ensure that SCE personnel are up to date on the latest technology and techniques used to protect and operate the grid network. Vulnerability assessments performed by independent and trusted third parties evaluate how SCE manages risks associated with vulnerabilities in the network environments. These assessments can also serve as checkpoints for ongoing projects. Use of penetration testing allows SCE to see:

- What an adversary would identify as key assets for compromise;
- What attack paths and techniques apparently would succeed within the SCE environment; and
- How practically effective the security mitigations are in preventing, mitigating, or detecting an attack.


B. Execution feasibility

SCE evaluated the feasibility of executing the Proposed Plan based on current organizational capabilities and the technical limitations of our internal computing and operational systems. The Proposed Plan is feasible and prudent to execute.

C. Affordability

The Proposed Plan strikes a reasonable balance between cost and risk reduction. This plan is only slightly more expensive (<5%) than the Alternative Plan #1, but delivers nearly twice the amount of risk reduction. In addition, the RSE of this plan is approximately 40% greater than the Alternative Plan #1.

The Proposed Plan does not deliver as much risk reduction, nor at the level of RSE, as Alternative Plan #2 does. However, Alternative Plan #2 requires much greater costs to deliver these benefits.

SCE contemplated whether to pursue Alternative Plan #2, but chose not to for the following reasons: (1) SCE must balance the need to invest in cybersecurity on the one hand, versus the need to spend to address other risks and meet other important objectives on the other hand; (2) at this time, our evaluation indicates that the Proposed Plan represents a reasonable level of commitment and spend over the RAMP period; and (3) SCE does not believe that deploying M1 Accelerated Hardware Refresh (a notable feature of Alternative Plan #2) is an operationally practical, technologically mature, or fiscally prudent choice at this time. This is discussed further in Section VII, where we examine Alternative Plan #2 in more detail.

D. Other Considerations

Advances in the sophistication of cyberattack threats and the deployment of new attack methods may render the Proposed Plan ineffective. SCE must predict where the threat will go in the future. If we have not predicted this correctly, the mitigations laid out in the Proposed Plan may not be sufficient. In addition, global politics, social unrest, and war can potentially lead to increased numbers of, and greater sophistication of, attacks by nation states on our electric system. As discussed previously, SCE builds, maintains, and operates critical energy infrastructure that could be more susceptible to attack should the global environment change.


Workpaper – Southern California Edison / 2021 General Rate Case

Exhibit No. SCE-04 Vol.03 Witnesses: G. Haddox

GRID MOD Cybersecurity - CIT-00-TR-RM-781701

| | | | 2019 | 2020 | 2021 | 2022 | 2023 | Total |
|---|---|---|---|---|---|---|---|---|
| Hardware | | $32,508,386 | $5,397,479.43 | $4,989,856 | $9,049,008 | $5,786,769 | $7,285,273 | $32,508,386 |
| Vendor Labor | 69% | $22,505,523 | $4,883,433.77 | $3,243,406 | $5,881,855 | $3,761,400 | $4,735,428 | $22,505,523 |
| SCE IT Labor | 34% | $11,030,954 | $1,542,136.98 | $1,746,450 | $3,167,153 | $2,025,369 | $2,549,846 | $11,030,954 |
| Labor Subtotal | | $66,044,863 | $11,823,050 | $9,979,712 | $18,098,016 | $11,573,538 | $14,570,547 | $66,044,863 |
| Software | 267% | $86,892,088 | $12,337,096 | $13,722,104 | $24,884,773 | $15,913,614 | $20,034,502 | $86,892,088 |
| Licenses | 26% | $8,319,864 | $1,542,137 | $1,247,464 | $2,262,252 | $1,446,692 | $1,821,318 | $8,319,864 |
| Total HW & Lic. | | $95,211,952 | $13,879,233 | $14,969,568 | $27,147,025 | $17,360,306 | $21,855,820 | $95,211,952 |
| Total Project Cost | | $161,256,815 | $25,702,283 | $24,949,280 | $45,245,041 | $28,933,844 | $36,426,367 | $161,256,815 |
| TOTAL | | $161,256,815 | $25,702,283 | $24,949,280 | $45,245,041 | $28,933,844 | $36,426,367 | $161,256,815 |
