Application No.: A.19-08- Exhibit No.: SCE-04, Vol. 3 Witnesses: G. Haddox (U 338-E) 2021 General Rate Case Cybersecurity Before the Public Utilities Commission of the State of California Rosemead, California August 30, 2019

2021 General Rate Case - Southern California Edison



SCE-04, Vol. 3: Cybersecurity

Table Of Contents

I. INTRODUCTION (Witness: G. Haddox)
    A. Content and Organization of Volume
    B. Summary of O&M and Capital Request
II. CYBERSECURITY
    A. Overview
        1. Risk factors, Safety, Reliability and Connection with RAMP
            a) SED/Other Intervenor Comments
        2. Regulatory Background/Policies Driving SCE’s Request
    B. Compliance Requirements
    C. Cybersecurity Delivery & IT Compliance
        1. Project or Program Description
        2. Need for Activity
        3. RAMP Integration
            a) Reconciliation between RAMP and GRC
                (1) O&M
                (2) Capital
        4. Comparison of Authorized 2018 to Recorded
            a) O&M
            b) Capital
        5. Scope & Forecast Analysis
            a) Historical Variance Analysis
                (1) Labor
                (2) Non-Labor
                (3) Capital
            b) Forecast
                (1) Labor
                (2) Non-Labor
                (3) Capital
    D. Grid Modernization Cybersecurity
        1. Project or Program Description
        2. Need for Activity Including Risk Avoided
        3. RAMP Integration
            a) Reconciliation between RAMP & GRC
                (1) O&M
                (2) Capital
        4. Comparison of Authorized 2018 to Recorded
        5. Scope and Forecast Analysis
            a) Historical Variance Analysis
                (1) Labor
                (2) Non-Labor
            b) Forecast
                (1) Labor
                (2) Non-Labor
        6. Capital Expenditures
            a) Summary of Cost Forecast
            b) Scope and Forecast Analysis
    E. Software License & Maintenance
        1. Work Description
        2. Need for Activity
        3. RAMP Integration
            a) Reconciliation between RAMP and GRC
        4. Comparison of Authorized 2018 to Recorded
        5. Scope and Forecast Analysis
            a) Historical Variance Analysis
                (1) Labor
                (2) Non-Labor
            b) Forecast
                (1) Labor
                (2) Non-Labor


I. INTRODUCTION

A. Content and Organization of Volume

In this volume, SCE presents its Operations and Maintenance (O&M) expense forecast for the Test Year 2021 and 2019-2023 capital expenditures forecast for the Cybersecurity Business Planning Element (BPE). This includes cybersecurity activities and infrastructure for SCE’s broader Grid Modernization effort detailed in Exhibit SCE-02, Vol. 4. SCE’s forecasts reinforce the cyber-safe environment essential for our delivery of safe, reliable, affordable, and clean power to our customers. This volume also describes the scope of work, key drivers for the work, and legal requirements that impact the level of O&M and capital requested to support and successfully implement Cybersecurity activities.

B. Summary of O&M and Capital Request

SCE’s Test Year 2021 O&M forecast for Cybersecurity & IT Compliance of $38.6 million is primarily driven by the risks identified in SCE’s Risk Assessment and Mitigation Phase (RAMP) submission and the resources needed to address those risks. As the grid is modernized, there is a concurrent increase in the need to integrate information technology with operational technology and the associated costs are reflected in the forecast. This is discussed in greater detail in Section II.C. SCE’s Cybersecurity capital forecast is $424.8 million from 2019-2023. In addition to the continuation of ongoing cybersecurity capital programs, the capital forecast increases are driven by several new cyber-defense enhancements, including government collaboration initiatives, Identity Governance & Administration implementation, Information Technology/Operational Technology integration and Grid Security infrastructure, applications, and initiatives. These are discussed in greater detail below.


Figure I-1 Resiliency O&M

(Constant $Million)


Figure I-2 Resiliency Capital

(Total Company $Million)


II. CYBERSECURITY

A. Overview

The cybersecurity of the U.S. electric grid has emerged as one of the most important issues facing the electricity sector today.1 As cyber capabilities become more readily available over time, state and non-state actors will continue to develop and employ techniques, tactics and ploys to harm U.S. interests via attacks on the grid.2 Utilities must bolster their defensive layers through people, processes and technologies. As our adversaries become more sophisticated, SCE must improve collaboration with government agencies to further enhance cybersecurity defense and resilience.

As electric utilities, including SCE, move toward modernizing the grid with more automated control capabilities and other advancements to enhance efficiency and reliability, the grid faces risks from malicious cyber actors who seek to exploit various aspects of grid infrastructure and search for new pathways to attack via these new technologies.3

Cybersecurity was identified as one of SCE’s top risks and was included in the Risk Assessment and Mitigation Phase (RAMP). The section below summarizes the risk factors, controls and mitigations discussed in SCE’s RAMP submission as they inform SCE’s O&M and Capital forecasts presented herein.

1. Risk factors, Safety, Reliability and Connection with RAMP

In the RAMP Report, SCE identified cyberattacks as one of the top safety risks and proposed a cybersecurity mitigation plan.

To define and evaluate the risk of cyberattack within SCE’s environment, SCE constructed a cyberattack risk bowtie, as shown in Figure II-3. Each component of the bowtie represents a critical data point in evaluating this risk. SCE’s RAMP Report explains these components in detail and identifies several options to mitigate the risk, including Risk Spend Efficiency; all of which inform the forecasts in this volume.4

1 According to NERC’s “State of Reliability Report 2017,” cyber vulnerabilities remain a high-risk profile relative to grid reliability. https://www.nerc.com/pa/RAPA/PA/Performance%20Analysis%20DL/SOR_2017_MASTER_20170613.pdf.

2 US-CERT “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” https://www.us-cert.gov/ncas/alerts/TA18-074A.

3 Department of Homeland Security, “CrashOverride Malware,” June 12, 2017 https://www.us-cert.gov/ncas/alerts/TA17-163A.

Figure II-3 Cyberattack Risk Bowtie

Cybersecurity threats continue to grow more sophisticated and complex.5 SCE’s defense strategy must evolve and adapt to combat these ever-changing threats. Like prior GRCs, SCE organizes its cybersecurity defense into six program areas outlined in detail. Each program area supports SCE’s strategic effort to mitigate the risk of cyberattacks. During the 2018 RAMP development process, SCE quantified the estimated risk and impact reduction for each program area.

The risk analysis identified three key drivers: (1) External Actors, (2) Insider Threats, and (3) Supply Chain attacks. Those drivers developed Outcomes that each have consequences with safety, reliability, and financial dimensions. The impacts of those Outcomes range in severity from outcome 1 (a small financial impact) to outcome 5 (significant safety, reliability, and financial impact) as detailed in the RAMP Report.

The following programs addressed risks included in SCE’s RAMP Report: (1) Perimeter Defense, (2) Interior Defense, (3) Data Protection, (4) SCADA Cybersecurity, (5) North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Compliance, and (6) Grid Modernization Cybersecurity. Table II-1 shows the RAMP Control/Mitigation (Programs), and the Risk addressed by each of the controls.

4 The calculated Risk Spend Efficiency (RSE) is in the 2018 SCE RAMP Report in Chapter 6, Section 1C. The methodology on how the RSE is calculated is in the 2018 SCE RAMP Report in Chapter 2, Section 1 C.

5 See WPSCE-04V03 pp. 1 - 6.

Table II-1 RAMP Controls/Mitigation and Risks Addressed

As further discussed in SCE’s RAMP Report, cybersecurity risks facing SCE’s ICS/SCADA systems continue to grow in quantity and complexity. SCE analyzed these risks and created different tiers of risk mitigation as will be referenced in this GRC filing. SCE defends against the growing and persistent threat of cyber-attack by implementing enhanced capabilities referenced in our cybersecurity capital programs, updating cyber defense software and related resources pursuant to multiple software license, maintenance and support agreements, and dedicating sufficient labor and non-labor resources to support ongoing and evolving cybersecurity programs.

a) SED/Other Intervenor Comments

On May 15, 2019, SED issued its report on SCE’s 2018 RAMP report. SED’s report recommended the Commission identify and incorporate a secure process to share specifics on tactics, techniques, and procedures with appropriate parties.6 SED also recommended the Commission identify cybersecurity performance metrics to track implementation of SCE’s mitigation plans. Finally, SED recommended that SCE provide the last five years of metrics from US Dept of Energy Electric Sector Cybersecurity Capability and Maturity Model (C2M2) and BitSight security ratings in SCE’s 2021 GRC.

In response to SED’s recommendation, SCE initially notes that C2M2 metrics have evolved over time with the scope changing to meet the purpose of the assessment. In certain years, the C2M2 assessments have been limited to a narrow sub-set of areas as the use of such assessment was narrowly directed toward benchmarking with other utilities. Consequently, it is not a comprehensive metric to properly assess SCE’s mitigation efforts on an annual basis. The results of C2M2 and BitSight assessments are not being included with SCE’s GRC application as they could disclose how various cyber defenses perform in addressing different threats and where vulnerabilities may exist. As discussed in the RAMP Report, SCE remains amenable to conducting an in-person briefing with SED to securely share information regarding its cybersecurity efforts, including the results of the assessments over the period requested.7

6 See A Regulatory Review of Southern California Edison’s Risk Assessment Mitigation Phase Report for the Test Case 2021 General Rate Case- Investigation 18-11-006, p.50.

2. Regulatory Background/Policies Driving SCE’s Request

The National Cyber Strategy specifically addresses the security of Critical Infrastructure and places responsibility for managing cyber risk to the Nation’s critical infrastructure on both the private sector and the Federal Government.8 The Federal Government incentivizes cyber-defense investments by prioritizing research and development of security innovation to protect critical infrastructure. SCE’s request for the Cybersecurity BPE reflects our continuing efforts to implement defensive and protective controls against cyberattacks with our people, tools, and technology.

In addition, FERC has approved a new NERC CIP Standard and revisions to existing NERC CIP Standards that will go into effect in 2020.9 As effective dates for the new Standards approach, we entities will need to address and establish practices related to supply chain management, vendor remote access, and integrity of vendor software, along with newly enforced requirements related to Low Impact Bulk Electricity System (BES) Cyber Systems. Low Impact BES Cyber Systems that do not qualify as High or Medium Impact, perform a BES Reliability Operating Function (BROS) outlined in CIP Standard 002-5.1a (attachment 1, section 4), and are associated with either Control Centers and backup Control Centers, transmission stations and substations, generation resources, system restoration (including Blackstart Resources and Cranking Paths), Special Protection Systems, or Distribution Provider-related Protection Systems.

7 See SCE’s RAMP Report at 6-4 – 6-5.

8 National Cyber Strategy for the United States of America (Sept 2018) (Accessible via https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf), p. 9.

9 See WPSCE-04V03 pp. 7 – 20.


FERC has also directed NERC to develop standards that address specific cybersecurity concerns, including confusion within the existing Standards, emerging technological issues, and gaps that have yet to be effectively addressed by the current Standards. As a result, NERC is currently developing a new compliance Standard regarding secure communications between Control Centers and is developing and in the process of reviewing/approving revisions to at least 8 other existing Standards to address concepts such as virtualization of cyber assets, incident reporting and response, and modification to the BES Cyber System categorization methodology. FERC approval of these proposed and revised Standards is expected from 2020 through 2022 with additional and revised Standards becoming effective prior to 2025.

The new and modified Standards are addressing increasingly technical and potentially impactful compliance and security concerns. Consequently, SCE must commence work activities to comply with forthcoming requirements far in advance and the forecasts described below reflect SCE’s understanding of the resources necessary to address those Standards.

B. Compliance Requirements

In D.15-11-021, the Commission required that SCE “include its own forecast and the Commission’s adopted forecast from the previous GRC alongside historical costs, and brief explanations detailing any changes in the scope of a category.” A summary is provided below and within the respective testimony for each GRC activity.

In the 2018 GRC, SCE supported the recommendation for establishing a separate proceeding to address how sensitive cyber-related information should be shared during a GRC.10 The Commission agreed with SCE, stating, “further review of how to address cyber-related information would be appropriate in another forum.”11 While there was no corresponding compliance requirement or proceeding opened to-date, SCE remains supportive of collaborating with parties to formally establish standard processes and assessing the manner in which sensitive cybersecurity information may be shared with intervenors and Commission staff.

10 A.16-09-001, Exhibit SCE-20 Volume 1, pp.40-42.

11 D.19-05-020, p. 154.


C. Cybersecurity Delivery & IT Compliance

Figure II-4 shows 2014-2018 recorded costs and Test Year 2021 forecast for the Cybersecurity Delivery & IT Compliance activity.12

Figure II-4 Cybersecurity Delivery & IT Compliance Recorded 2014-2018/Forecast 2019-2021

(Nominal 2018 $000)

Figure II-5 shows 2014-2018 recorded expenditures and the 2019-2023 capital forecast for the Cybersecurity Delivery & IT Compliance activity.

12 See WPSCE-04V03 pp. 21 – 27.


Figure II-5 Cybersecurity Delivery & IT Compliance 2014-2018 Recorded/2019-2023 Forecast

(Nominal 2018 $000)

1. Project or Program Description

As cybersecurity threats significantly increase in volume and complexity year over year, SCE must continually adapt its defense strategies. SCE’s Defense in Depth approach to cybersecurity utilizes multiple layers of protection and proactive vulnerability testing to prevent unauthorized access and control of our systems.

SCE’s cybersecurity defense is divided into six program areas: (1) Perimeter Defense, (2) Interior Defense, (3) Data Protection, (4) SCADA Cybersecurity, and (5) North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Compliance. Each of these requires investments in O&M and Capital. In addition to ongoing cybersecurity programs, SCE’s O&M and Capital forecast increases are driven by certain new cyber-defense enhancements, including government collaboration initiatives, Identity Governance & Administration implementation, and Information Technology/Operational Technology integration. These are discussed in greater detail in the forecast analysis sections below.


SCE’s Cybersecurity Delivery & IT Compliance (C&C) activity supports the confidentiality, integrity, and accountability of business technology and grid systems through security engineering, risk management, and industry and government outreach. The rapid evolution of technologies, regulatory requirements, and cyber threats together with the expanding automation of the electric grid require further reinforcement of key C&C functions.

The C&C team develops policies and standards to maintain the confidentiality, integrity, and availability of SCE’s information technology assets. SCE performs cybersecurity risk assessments to identify security requirements for project teams. The C&C team also supports the development of required internal cybersecurity training among all SCE employees, as informed employees with a strong knowledge of cybersecurity and IT compliance rules are our first line of defense against growing cyber-attacks.

SCE’s engineers and analysts protect our systems from cyber threats, including malicious intrusions by hackers or insiders, malware attacks, denial of service attacks and viruses. Without constant monitoring and analysis, SCE’s systems would be vulnerable to harmful infiltration negatively impacting our ability to reliably generate and deliver electric power to our customers. Our engineers conduct cyber threat analysis, monitor, and mitigate threats to information assets, keep abreast of changes in security technologies, perform forensic services, exercise incident response processes, and provide expert advice to other SCE organizations on cybersecurity matters. They also work to detect and prevent unauthorized attempts to copy or send sensitive data outside SCE, intentionally or unintentionally.

Social engineering has long been the preferred route for hackers using social media and phishing emails. Over 91% of all cyber-attacks start with a phishing email.13 Therefore, C&C maintains a comprehensive enterprise-wide cybersecurity awareness and training program, which is disseminated via instructor or web-based training, written and visual media, cyber expos, and informational brown bag sessions. The program’s goal is not only to educate employees to recognize, report and resist such attacks, but also to understand the potential impact14 to themselves, their jobs and the future of the company. In addition, a robust cybersecurity portal is available to all SCE employees and contractors with information on the latest cybersecurity threats and preventive measures. The security awareness and training program also conducts phishing exercises to reinforce the awareness and training efforts in a simulated way.15 SCE employees and contractors are tested using real-life scenarios on an ongoing basis.16

13 https://www.darkreading.com/endpoint/91--of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704.

14 See WPSCE-04V03 pp. 28 – 32.

C&C’s IT Compliance group oversees and manages regulatory compliance activities related to information technology across SCE and develops programs to meet federal and state mandates regarding cybersecurity. The IT Compliance group performs four functions: (1) NERC Compliance, (2) Compliance Monitoring, (3) Business Controls, and (4) Business Continuity Planning.

The NERC Compliance function facilitates audits conducted by the Western Electricity Coordinating Council (WECC) assessing compliance with NERC reliability standards by SCE’s Information Technology operating unit (IT) and assesses regulatory notices and emerging control standards for potential impact.

The Compliance Monitoring function reviews and assesses compliance with other regulatory mandates, standards, and requirements by IT, and reviews selected IT programs and projects for potential risks and compliance issues.

The Business Controls function coordinates internal and external audits and assessments, facilitates remediation plans based on the findings, and tracks data requests.

The Disaster Recovery and Business Continuity Planning function supports SCE’s Business Impact Analysis (BIA) process in collaboration with the Business Resiliency department by identifying mission critical and business critical applications and verifying those applications are designed to meet the business availability and capacity requirements during the planning cycle. Additionally, this function coordinates and facilitates the development and testing of Disaster Recovery Plans and Run Books for mission critical and business critical applications and IT Business Continuity Plans. Proactive disaster recovery and business continuity programs identify potential gaps in service allowing for timely adjustment and preparation of business-related impact to operations and mitigation of risks associated with natural disasters and other emergency events.

The C&C Outreach function involves collaboration and technology transfer with government agencies and other utilities. Strong industry-government coordination is vitally important as utilities do not possess the intelligence-gathering and law enforcement capabilities of government agencies.

15 See WPSCE-04V03 pp. 33 – 34.

16 See WPSCE-04V03 pp. 35 – 38.

The functions outlined above also support the following Capital programs:

Perimeter Defense: Perimeter Defense represents the outer layer of protection and first line of defense of our Defense in Depth approach.17 It includes the technologies (e.g. firewalls and intrusion detection systems) and related processes, procedures, hardware, and software to protect critical systems such as SAP, customer data, and ultimately our grid from unauthorized access. The perimeter defenses seek to restrict use of systems to those activities required to conduct business. The perimeter technology prevents, absorbs, or detects attacks and reduces the risk to critical back end systems. SCE continues to refine existing intrusion protection measures and implement new ones (such as systems with deep scanning capabilities and advanced data analytics capabilities) to better detect unauthorized intrusions. SCE shall be integrating new tools and controls into our existing Perimeter Defense to enhance our response to security events including: (1) IGAM Phase 2 and 3; (2) Information Technology/Operational Technology (IT/OT) integration; (3) Foundational Tools; and (4) Labs. More discussions regarding these tools and controls and associated costs are outlined in the forecast analysis sections below.

Interior Defense: Interior Defense comprises protection controls securing SCE’s internal business systems from unauthorized users, devices, and software. It also includes the use of analytics to anticipate and prevent attacks from happening. Interior Defense helps identify and block security breaches from personnel who have some level of authorized access to the systems. Users of SCE’s business systems can propagate and/or launch malware knowingly or unknowingly. With the Interior Defense controls, SCE promptly identifies suspicious activity and takes immediate action to minimize any potential damage from the attack, including infecting a user’s computer and those of other users on the network. Interior Defense monitors SCE’s internal business network in real time to mitigate against unauthorized users accessing our systems and protect against authorized users knowingly or unknowingly propagating cybersecurity attacks. By preventing rogue devices or software from accessing SCE systems, it protects against unauthorized breaches of confidential data and business disruptions. It also addresses Advanced Persistent Threats by applying advanced data collection and analysis technologies to quickly detect potential questionable activity. During this rate case cycle, the Interior Defense program will be: (1) extending SCE’s Identity and Access Management system to newer generation security technology, (2) enhancing and expanding SCE’s data collection capabilities to retrieve (and, as needed, collect) disparate pieces of data to form a clearer picture of threats and attacks, (3) implementing technology capabilities to analyze collected information for security threats in a more automated and effective manner, and (4) initiating automated alerts when questionable activity is detected. These improvements allow SCE to stay ahead of potential threats and help prevent attacks from happening.

17 See WPSCE-04V03 pp. 39 – 43.

Data Protection: Data Protection safeguards the computing environment housing SCE’s core information. The program protects confidential SCE information residing on computers and devices from unauthorized use, distribution, reproduction, alteration, or destruction. The Data Protection program leverages specialized technology to protect and encrypt data fields within files, enhance access controls to protect sensitive business information, and secure business information stored at external sites that host SCE business systems. In addition, this program supports enhanced controls for granular data protection by deploying Data Loss, Categorization, and Identification tools. Once implementation is complete, these tools will: (1) automate data classification by tying together the different data systems with the ability to classify them; (2) monitor and alert on unauthorized access to business information by leveraging the monitoring and data analysis environment with new toolsets; and (3) manage and restrict the copying of business information to mobile devices. Forecast increases in this program cover additional activities for government collaboration initiatives.

SCADA Cybersecurity: The SCADA Cybersecurity program enhances security measures by implementing risk reduction methods tailored for SCE’s SCADA systems. SCE’s SCADA systems remotely control and monitor the electric grid. SCADA Cybersecurity protects legacy and future industrial control systems that are currently connected via routable networks.18 As threats evolve, SCE must take measures to improve visibility, detection, and protection controls by: (1) building a secure network to protect the administrative interfaces of critical tools, (2) developing device and user access controls to secure user interactions with control systems and to restrict access to the minimum level required for the user’s particular role, (3) implementing current generation protections to identify malware, (4) deploying vulnerability management tools to search for and identify known vulnerabilities, (5) providing data encryption services, (6) developing system monitoring services, (6) implementing integration tools to gather intelligence and monitor and analyze potential and actual threats, and (7) procuring government issued secure technology to defend against advanced attacks.

18 See WPSCE-04V03 pp. 44 – 77.

NERC CIP Compliance: This program is an existing compliance control involving the ongoing implementation of systems and processes to comply with the cybersecurity requirements of NERC CIP. These systems and processes improve how SCE manages facility access, maintains asset change control, and controls physical access. The program focuses on enabling and augmenting the system and processes required for NERC CIP compliance as compared to the other programs above covering standalone security controls. The capital forecast increases include implementation of new NERC CIP controls.

2. Need for Activity

Cybersecurity presents an ever-evolving challenge to SCE. The threat of cyberattacks is growing as attacks continually increase in frequency and sophistication. Our grid is evolving and incorporating technology to enable SCE to respond faster while improving system efficiency and reliability. But greater reliance on advanced technology to operate and communicate necessarily intensifies the risk of cyberattacks and the potential consequences of a successful cyberattack. State and federal government agencies are increasingly supporting cybersecurity initiatives as cyberattacks and related risks grow.

According to Industry Week, cybersecurity attacks skyrocketed in 2018, including “a 350% increase in ransomware attacks, a 250% increase in spoofing or business email compromise (BEC) attacks and a 70% increase in spear-phishing attacks in companies overall.”19 Further, the average cost of a cyber-data breach has risen from $4.9 million in 2017 to $7.5 million in 2018, according to the U.S. Securities and Exchange Commission.20 Given the sophistication of cyber threats to our critical infrastructure, SCE must continue and advance C&C work activities to protect our systems. SCE’s forecasts reflect the scope of work activities and resources needed to properly position us against cyberattacks.

19 https://www.industryweek.com/technology-and-iiot/cyberattacks-skyrocketed-2018-are-you-ready-2019.
20 Id.

Since 2009, reporting organizations have experienced an average annual increase of 124% for Industrial Control System/Supervisory Control and Data Acquisition (ICS/SCADA) cybersecurity incidents, based on figures published by the Department of Homeland Security’s Industrial Control Systems Computer Emergency Response Team. As cyber threats grow, so must our ability to neutralize them. C&C activities require skilled and knowledgeable personnel. Highly qualified and trained engineers continually study, evaluate and prioritize the utility’s resources and infrastructure to keep the grid safe and reliable and to mitigate security risks. SCE actively seeks to recruit and retain such engineers in a limited and competitive labor market.21 In addition to resources that protect inwardly, resources must be dedicated to collaborating with external partners such as governments and utility peers. Securing the grid requires continuous investment to support SCE’s ability to anticipate and mitigate current and future threats with both internal defenses and external partnerships.

The continued evolution of technology supporting information technology systems and the grid is leading toward more digital and interconnected systems which, in turn, increase the attack surface of SCE’s assets. As technology accelerates, the urgency for secure solutions heightens the need for experienced personnel to support system design, implementation, and operations. Evolving technology and regulatory mandates are continuing to grow at a significantly faster rate than the available cybersecurity talent pool within our service territory. Consequently, SCE must regularly retain outside resources to close the gap, including contractors who can bring the benefit of prior experience addressing comparable issues at other utilities throughout the country.

The cybersecurity protection capabilities that SCE utilizes to protect its network and customer data require both capital investment program implementations, hardware, and software (including pre-paid renewals for a term) and labor, consulting and professional services, and maintenance costs (i.e., O&M). SCE’s O&M and capital forecasts reflect the scope and level of activities to properly protect SCE’s assets and the grid.

21 See WPSCE-04V03 pp. 78 – 81.

3. RAMP Integration

a) Reconciliation between RAMP and GRC

(1) O&M

Table II-2 Cyber Delivery & IT Compliance
RAMP vs GRC O&M Forecast Comparison (Constant 2018 $000)

| Filing Name | RAMP Risk | RAMP ID | RAMP Control / Mitigation Name | 2019 | 2020 | 2021 |
|---|---|---|---|---|---|---|
| RAMP | Cyber Attack | C1a | Perimeter Defense | $2,721 | $2,990 | $4,486 |
| RAMP | Cyber Attack | C2a | Interior Protection | $1,819 | $2,483 | $3,634 |
| RAMP | Cyber Attack | C3a | Data Protection | $1,544 | $2,102 | $3,420 |
| RAMP | Cyber Attack | C4a | SCADA Cybersecurity | $2,393 | $2,645 | $3,833 |
| RAMP | Cyber Attack | C5a | Grid Modernization Cybersecurity | $1,619 | $3,131 | $4,474 |
| RAMP | Cyber Attack | | Total | $10,097 | $13,351 | $19,847 |
| GRC | Cyber Attack | C1a | Perimeter Defense | $2,805 | $3,001 | $6,231 |
| GRC | Cyber Attack | C2a | Interior Protection | $1,923 | $2,488 | $5,637 |
| GRC | Cyber Attack | C3a | Data Protection | $1,647 | $2,119 | $5,359 |
| GRC | Cyber Attack | C4a | SCADA Cybersecurity | $2,476 | $2,691 | $5,402 |
| GRC | Cyber Attack | C5a | Grid Modernization Cybersecurity | $1,724 | $3,008 | $6,319 |
| GRC | Cyber Attack | | Total | $10,575 | $13,307 | $28,948 |
| Variance | Cyber Attack | C1a | Perimeter Defense | $83 | $11 | $1,745 |
| Variance | Cyber Attack | C2a | Interior Protection | $104 | $5 | $2,003 |
| Variance | Cyber Attack | C3a | Data Protection | $103 | $17 | $1,939 |
| Variance | Cyber Attack | C4a | SCADA Cybersecurity | $83 | $46 | $1,569 |
| Variance | Cyber Attack | C5a | Grid Modernization Cybersecurity | $105 | $(123) | $1,845 |
| Variance | Cyber Attack | | Total | $478 | $(44) | $9,101 |

The forecasts presented in SCE’s RAMP Report were point-in-time calculations. As SCE became more familiar with the RAMP methodology, we were able to identify other areas that have RAMP implications. The variance was driven primarily by initiatives such as (1) Identity Governance & Access Management (IGAM) Phase 2 and 3; (2) Information Technology/Operational Technology (IT/OT); (3) Foundational Tools; (4) Cybersecurity support for SCE Tech Labs; (5) National Institute of Standards and Technology (NIST) Gap assessment and remediation; and (6) IT Compliance/Disaster Recovery. Those initiatives are detailed in multiple sections below.

(2) Capital

Table II-3 Cyber Delivery & IT Compliance

RAMP vs GRC Capital Forecast Comparison (Nominal 2018 $000)

Like the O&M forecasts from the RAMP Report, SCE has identified other capital investments that have RAMP implications. The variance was driven primarily by initiatives such as (1) Government initiatives; (2) IGAM; (3) Information Technology/Operational Technology (IT/OT); (4) Foundational Tools; (5) SCE Tech Labs; and (6) NERC CIP compliance requirements. Please see the capital forecast analysis section below for further detail.

4. Comparison of Authorized 2018 to Recorded

a) O&M

SCE was authorized $15.5 million in O&M expenditures for C&C activities in the 2018 GRC. This work activity’s recorded 2018 O&M expenses were approximately $14.9 million, which was $0.6 million below authorized. This variance was primarily due to delays in filling a few vacant positions, which resulted in a moderate decline in labor costs.

b) Capital

In 2018, the Commission authorized $41.9 million for C&C. SCE recorded expenditures of $33.5 million in 2018, $8.4 million less than authorized. The variance arose from the accelerated activities of programs, including Data Protection, Interior Defense, and SCADA Cybersecurity (including Grid Cybersecurity Project) during 2017 to address growing cyber intrusion attempts. As a result, SCE’s C&C expenditures exceeded adopted levels by $10.8 million in 2017. Beyond the impact of the augmented 2017 activity level, the variance in 2018 was also tied to operational deployment delays in the NERC CIP program. The lower level of expenditures for those programs was offset by Perimeter Defense-related purchases of software licensing to mitigate certain unforeseen risks.

5. Scope & Forecast Analysis

Table II-4 Cybersecurity Delivery & IT Compliance Recorded 2014-2018/ Forecast 2019-2021

(Constant 2018 $000s)

a) Historical Variance Analysis

(1) Labor

Labor costs for C&C increased from 2014 to 2016 due to key staff additions to the Cybersecurity & IT Compliance teams needed for reinforcement of cybersecurity controls and data protection capabilities. C&C also supplemented staff to support risk mitigation efforts in the Interior Defense program during the same period.

As discussed in prior GRC submissions, SCE’s cyber workforce strategy of recruiting new talent and retaining skilled staff members continues to support our efforts to address new and emerging cyber threats. Because certain projects and activities that occurred in 2016-2018 required specialized cybersecurity expertise, there was a delay in hiring for a few vacant positions, resulting in a moderate decline in labor costs of approximately $300,000 between 2017 and 2018 while SCE pursued qualified personnel and staff shifted between organizations to meet urgent needs.

(2) Non-Labor

From 2014 to 2015, non-labor costs were relatively flat. Non-labor costs increased in 2016 due to consultant support addressing compliance with updated NERC-CIP requirements. In 2017, non-labor costs decreased as certain planned initiatives were deferred to 2018, resulting in a lower level of outside consultant costs. In 2018, non-labor costs increased as the previously delayed initiatives proceeded. Non-labor cost increases in 2018 were also driven by compliance activities associated with the increasing volume of state and federal cybersecurity and compliance requirements and a significant growth in volume and complexity of cybersecurity intrusion attempts. This results in greater utilization of outside resources to support assessments of cybersecurity posture, which is expected to continue going forward. The non-labor costs in 2018 reflect a spike of $3.3 million due to an accounting change causing hardware maintenance costs to be moved from Capital to O&M consistent with SCE accounting practices.22 This spike is not reflected in our Test Year 2021 forecast of non-labor costs.

(3) Capital

Table II-5 Cybersecurity Delivery & IT Compliance Recorded 2014-2018/ Forecast 2019-2023

(Nominal 2018 $000s)

As shown in Table II-5, SCE’s capital expenditures increased approximately $2.9 million from 2014 to 2015 due to implementation of the NERC CIP V5 program and technology, license and hardware expansions associated with risks addressed by the Interior Defense program. Capital expenditures decreased in 2016 due to a large project reaching its final stages within Perimeter Defenses and Data Protection, which caused other projects to be pushed back as this project provides the secure foundation for those projects.

In 2017, capital expenditures increased due to accelerated activities for Data Protection, Interior Defense, and SCADA Cybersecurity (including Grid Cybersecurity Project) programs. As referenced earlier, this acceleration in 2017 resulted in a lower level of expenditures in 2018, which was also attributable to operational deployment delays impacting SCE’s NERC CIP program.

22 Please refer to SCE 07, volume 1 for SCE’s accounting practices.

b) Forecast

Table II-6 Cybersecurity Delivery & IT Compliance Recorded 2014-2018/ Forecast 2019-2021

(Constant 2018 $000s)

(1) Labor

For Test Year 2021, SCE forecasts C&C labor expenses of $19.98 million. As shown in Table II-6 and detailed in Section a).(1) above, SCE’s 2016-2018 labor expenses steadily declined. Therefore, SCE utilized the 2018 recorded labor costs as the initial basis of our test year forecast. This is consistent with prior Commission guidance stating that when recorded costs exhibit a downward trend for three or more years, the last recorded year is an appropriate forecast method. However, as detailed above, SCE had unfilled positions supporting C&C work activities in 2018. SCE remains focused on hiring additional skilled resources who understand new and advanced technologies and possess proactive threat hunting experience combatting advanced persistent threats and nation state attacks. Hence, SCE’s forecast reflects the filling of these vacant positions and the addition of staff to support expanded C&C activities, including the new initiatives associated with drivers identified in SCE’s RAMP Report.

Consistent with our RAMP Report, SCE anticipates an increase of $1.9 million in 2021 for additional staffing to support existing C&C cyber defense capabilities. The expanded activities include security engineering, architecture and system design, testing, monitoring, education and awareness.

Additional adjustments to the Test Year 2021 forecast23 are due to six key initiatives, namely, (1) Identity Governance & Access Management (IGAM) Phases 2 and 3; (2) Information Technology/Operational Technology (IT/OT); (3) Foundational Tools; (4) Cybersecurity support for tech labs; (5) NIST Gap assessment and remediation; and (6) IT Compliance/Disaster Recovery.

23 See WPSCE-04V03 pp. 82 – 83.

SCE shall be replacing its legacy Identity & Access Management (IAM) infrastructure with a modern Identity Governance & Administration (IGA) platform for both the Corporate Enterprise and Grid environments. The IGAM program24 involves a series of projects enhancing SCE’s cyber defense capabilities. As the traditional IT infrastructure within data centers expands into cloud and Software-as-a-Service (SaaS) offerings, the IGA platform mitigates security risks within this combined environment of SCE’s IT infrastructure and cloud/SaaS providers.25 The Test Year 2021 forecast reflects an associated increase of $0.9 million based on the additional staffing needed to support IGAM commencing in 2021.26

Another key initiative is the IT/OT integration supporting a more comprehensive cyber security environment for the grid. As noted earlier, as technology advances, all associated SCE digital assets must be designed to scale and updated to mitigate against cyberattacks arising from interconnections between IT environments and OT environments. SCE’s organization and culture must transform to meet the ‘new reality’ of IT/OT convergence. IT and cybersecurity must converge as core members of a unified OT delivery team to achieve safety, reliability and security objectives. SCE requires additional staffing to oversee the IT/OT integration efforts, including assisting substations with addressing and expanding SCE’s cybersecurity policies and standards. The forecast increase of $1.92 million is based on additional staff starting in 2021 who are needed for activities supporting over 500 substations.

SCE will also be adding staff to support Foundational Tools, which are new cyber tools and technologies to strengthen cyber defense posture in the grid environment. Starting in 2021, this will become part of the regular work performed in Cybersecurity & IT compliance as we continue to adapt to increasing threats and utilize new cyber tools as they become available. The staff will support security gap assessments and associated remediation activities, resulting in an upward adjustment of $1.89 million.

24 The Cybersecurity BPE will be implementing IGAM projects and capabilities. In contrast, the adoption, expansion and operational support for IGAM will be addressed in the Technology Adoption sub-work activity within Service Management Office & Operations (see Technology Adoption section of SCE-06, Volume 1, Part 1).
25 See WPSCE-04V03C pp. 1 – 7.
26 Note: The IGAM program discussed herein follows IGAM Phase 1 discussed in the OU Capitalized Software Volume (SCE 6, Volume 1, Part 2).

The Test Year 2021 forecast was also adjusted to reflect:

• Cybersecurity enhancement of SCE Tech Labs ($0.9 million increase): Resources needed for routine testing, continuous monitoring, and operational support to address cybersecurity gaps at approximately 20 labs. Additional staff will be hired starting in 2019 to support these activities that will extend into future years.

• NIST Standards Gap assessment and remediation ($0.9 million increase): The NIST27 Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyberattacks. Additional staff will be hired by 2021 to support these activities that will extend into future years.

• IT Compliance/Disaster recovery activities ($0.3 million increase): Additional personnel are needed to collaborate with the Business Resiliency personnel addressing the resiliency of SCE’s IT infrastructure and associated systems during natural disasters and emergency events. The Business Impact Analysis (BIA) process works in conjunction with an established governance model aligning Information Technology and Disaster Recovery (IT/DR) critical application functions with existing continuity plans and procedures. This model supports redundancy of critical applications across the company. Given the particularly critical nature of IT systems and applications to grid reliability, SCE will be supplementing the Business Continuity BPE with additional staff focused on addressing the resiliency of IT systems during emergency events. The additional staff will be responsible for the creation, training and exercising of emergency plans, processes and procedures associated with critical IT systems and applications. Please see Exhibit SCE-04, Vol. 1 (Business Continuation).

27 https://www.nist.gov/cyberframework.

(2) Non-Labor

For Test Year 2021, we forecast non-labor expenses of $12.25 million. As shown in Table II-6 and discussed earlier, SCE’s non-labor expense fluctuated from 2014 to 2018. The higher level of consultant support starting in 2018 is expected to continue. Although the fluctuations would typically call for an averaging forecast methodology, there are several new Cybersecurity initiatives planned for Test Year 2021 warranting an itemized forecast28 to properly reflect the impact of those initiatives.

First, as part of the RAMP Report, SCE detailed several drivers requiring the utilization of outside expertise and skillsets.29 External security consultants continue to be utilized as a resource for independent assessments of our technical controls, serving as both a proactive defense strategy in conformity with industry best practices and a way to leverage outside experience supporting the broader industry. As noted earlier, the growth in volume and complexity of cyber intrusion attempts and the need to comply with a growing breadth of state and federal cybersecurity and compliance requirements are expected to continue through 2021 and beyond. Consistent with the RAMP Report, SCE forecasts a higher and recurring need to utilize outside consultants to perform additional evaluations of our cybersecurity protections (specifically for Perimeter Defense, Interior Defense, Data Protection, and SCADA Cybersecurity programs).30

As with the Test Year 2021 labor forecast, SCE’s non-labor forecast for C&C work activities is impacted by several new initiatives, including (1) IGAM; (2) IT/OT integration; (3) Cybersecurity support for tech labs; (4) Foundational Tools; (5) NIST Gap assessment and remediation; and (6) Government collaboration initiatives.

28 See WPSCE-04V03 pp. 84 – 85.
29 Referenced in RAMP section 6-6 and 6-33.
30 Please refer to the 2018 SCE RAMP filing, Chapter 6, Section V for the increased cost estimates for the proposed mitigation plan.

Table II-7 summarizes the Test Year 2021 non-labor forecast for C&C (including the impact of the new initiatives):31

Table II-7 Non-Labor Forecast for Cyber & Compliance
(Constant $000)

| Function/Driver | 2018 | 2021 |
|---|---|---|
| Contractor and Professional Services (Base) | $2,800 | $3,720 |
| RAMP | | $5,500 |
| IGAM | | $450 |
| IT/OT | | $880 |
| Labs | | $100 |
| Foundational Tools | | $210 |
| NIST Gap assessment | | $140 |
| Government Initiatives | | $1,250 |
| Total | | $12,250 |

SCE’s Cybersecurity team must continue to collaborate with government agencies to promote real-time and actionable threat information sharing and partnering opportunities for technology pilots. Although SCE’s Government collaboration initiatives do not impact the labor forecast, they drive an increase of $1.25 million in non-labor costs during Test Year 2021 for resources, travel and other expenses needed to work with our federal partners in Washington, D.C. and other parts of the country. SCE must play an active role to leverage information sharing and protections at the national level and strengthen our defenses through these partnerships. Because of increasingly sophisticated cyber threats from nation states, our cybersecurity partnership with the federal government is more important as we gain intelligence insight from our federal partners. Concurrently, our federal partners need SCE’s operational expertise and cybersecurity experience specific to the electric utility sector.

Due to labor constraints, SCE leverages the expertise of cybersecurity consultants to support deliverables and conduct tabletop exercises. The estimates were derived based on the scope of work and resources required to address growing requirements and support government initiatives. The retention of consultant support for government initiatives will start in 2020 and expand in 2021 based on the timing of planned work activities.32 Further growth due to RAMP and additional initiatives will continue through 2023.

31 As noted earlier, the impact of the $3.3 million spike in non-labor costs during 2018 related to an internal accounting change is not reflected in the Test Year 2021 forecast of C&C non-labor costs.

(3) Capital

Table II-8 shows 2014-2018 recorded costs and 2019-2023 forecast for the Cybersecurity Delivery & IT Compliance activity. Except where noted otherwise below, the cost estimates were derived from vendor quotes for hardware purchases and software licensing and resources needed for the planned scope of these initiatives.

Table II-8 Cybersecurity Delivery & IT Compliance Recorded 2014-2018/ Forecast 2019-2023

(Nominal 2018 $000s)

32 See WPSCE-04V03 pp. 86 – 93.


Table II-9 Cybersecurity Delivery & IT Compliance GRC Activity
Capital Forecast (Nominal 2018 $000)

| CAPITAL | 2019 | 2020 | 2021 | 2022 | 2023 |
|---|---|---|---|---|---|
| NERC CIP (Base) | 3,200,000 | 2,500,000 | 2,500,000 | 2,500,000 | 2,500,000 |
| NERC CIP Compliance Requirements | | | 3,000,000 | 3,200,000 | 2,000,000 |
| NERC CIP Total | 3,200,000 | 2,500,000 | 5,500,000 | 5,700,000 | 4,500,000 |
| Perimeter Defense | 13,100,000 | 13,600,000 | 13,600,000 | 13,600,000 | 13,600,000 |
| IT/OT | | | 13,500,000 | 13,500,000 | 13,500,000 |
| GRID | | | 1,500,000 | 1,500,000 | 1,500,000 |
| IGAM | | | 6,500,000 | 5,800,000 | 6,800,000 |
| Labs | 3,000,000 | 6,000,000 | 2,500,000 | 3,000,000 | |
| Perimeter Defense Total | 16,100,000 | 19,600,000 | 37,600,000 | 37,400,000 | 35,400,000 |
| Data Protection | 6,000,000 | 6,100,000 | 6,100,000 | 6,100,000 | 6,100,000 |
| Government Initiatives | | 1,200,000 | 2,500,000 | 2,500,000 | 6,300,000 |
| Data Protection Total | 6,000,000 | 7,300,000 | 8,600,000 | 8,600,000 | 12,400,000 |
| Interior Defense Total | 8,300,000 | 8,100,000 | 8,100,000 | 8,100,000 | 8,100,000 |
| Interior Defense Total | 8,300,000 | 8,100,000 | 8,100,000 | 8,100,000 | 8,100,000 |
| SCADA | 2,400,000 | 2,500,000 | 2,500,000 | 2,500,000 | 2,500,000 |
| SCADA Total | 2,400,000 | 2,500,000 | 2,500,000 | 2,500,000 | 2,500,000 |

While SCE has actively implemented cyber defense strategies for existing threats through programs, including Perimeter Defense, Interior Defense, Data Protection, SCADA Cybersecurity,33 and NERC CIP Implementation, SCE has identified increased areas of exposure and risk in the future. SCE continues to deploy and enhance its Defense-In-Depth cybersecurity approach by maturing and expanding existing cybersecurity practices. SCE supplements this work with enhanced capabilities, tools, and resources to address the growth of cyberattack risks.34

As discussed earlier in connection with O&M, the following initiatives impact SCE’s capital forecast35 for the Cybersecurity Delivery and IT Compliance activities: (1) Government initiatives; (2) IGAM; (3) Information Technology/Operational Technology (IT/OT) integration; (4) Foundational Tools; (5) Cybersecurity infrastructure for Tech Labs; and (6) NERC CIP compliance requirements. The amounts per year are outlined in Table II-9.

33 See WPSCE-04V03 pp. 94 – 98.
34 See WPSCE-04V03 pp. 99 – 105.
35 See WPSCE-04V03 pp. 106 – 107.

The Government collaboration initiative represents $12.5 million from 2020-2023. The expenditures include hardware purchases, five-year software licensing, and labor for implementation activities.

Another significant initiative driving our capital forecast is SCE’s plan to replace its legacy Identity & Access Management (IAM) infrastructure with a modern Identity Governance & Administration (IGA)36 platform for both the Corporate Enterprise and Grid environments. The IGAM capital forecast from 2021-2023 is $19.1 million and includes hardware purchases, five-year software licensing, and capitalized labor for implementation activities consistent with SCE’s accounting practices.37 As stated earlier in the O&M forecast, the IGAM program is a series of projects that will be focused on delivering new cybersecurity services and capabilities. Industry best practices38 are now focused on improved capabilities with IGA services. Key Projects/Capabilities within this program include:

• NERC CIP/Grid IGAM Implementation - Implementation of an IGA platform to perform Lifecycle Management, Access Request & Revocations, and Access Certifications while supporting NERC CIP and Grid regulatory compliance requirements. This includes access governance and administration of critical NERC CIP Systems, Applications, Physical Access, and Protected Information Repositories.

• External User Access Management - Implementation of a system and process to manage the external users (e.g. suppliers, vendors, contractors, etc.) requiring access to SCE’s systems, applications, and information and to manage the accounts and related lifecycle access from creation, modification, certification, and deletion.

• Privileged Access Management39 - Integration of SCE’s Privileged Access Management system with the IGA platform for enhanced protection from privileged accounts and access within SCE’s IT environments. This capability will provide advanced policies and certification processes to reduce overall cybersecurity risk.

36 See WPSCE-04V03 pp. 108 – 109.
37 See WPSCE-04V03 pp. 110 – 111.
38 See WPSCE-04V03C pp. 8 – 23, 24 – 48, and 49 – 59.
39 See WPSCE-04V03C pp. 60 – 95, 96 – 130 and 131 – 163.

• Identity & Threat Analytics - Implementation of capabilities to 4

perform deeper Identity and Access reporting and analytics to 5

drive reduction of excessive and/or unused access, automation by 6

policy-based access controls, and integration of Identities into 7

Cybersecurity operations and risk management tools. 8

• Enhanced Access Certifications - Enhanced capabilities within the 9

Access Certification processes from IGA platform to reduce the 10

risk of users with unused/outdated access entitlements, increased 11

coverage of scope of certification processes, and enhancements to 12

enable business reviewers with better decision making during a 13

certification review. 14

IT/OT integration capital expenditures of $40.5 million are forecast from 2021-2023. With the ever-increasing convergence of IT and OT technologies, routine maintenance, sparing and technology refresh are more complex as product lines continually evolve to include IT-centric technologies rendering like-for-like replacement difficult and, in some cases, impossible. While these technologies enable significant new business opportunities, they also magnify the need for a strong cybersecurity capability. It requires that utilities transform their organizations, breaking down traditional silos and bringing together the combined OT, IT and cybersecurity expertise needed to effectively design, develop, deploy, operate and protect future IT-enabled grid assets and infrastructure. The forecast from 2021-2023 covers hardware purchases, five-year software licensing, and labor for implementation activities. The cost estimates were derived from vendor quotes for hardware purchases and software licensing, as well as understanding the effort and scope for these initiatives to extrapolate the labor dollars.[40]

Foundational Tools represent $4.5 million of the capital forecast from 2021-2023. Covered expenditures include hardware purchases, five-year software licensing, and capitalized labor for implementation activities.

[40] See WPSCE-04V03 pp. 112 – 115.


Cybersecurity infrastructure for SCE Tech Labs accounts for an increase of $14.5 million in 2019-2022. The expenditures include hardware purchases, five-year software licensing, and labor for hardware/software implementation activities.

Lastly, NERC CIP compliance implementation represents an increase of $8.2 million from 2021-2023. The activities include tool and process implementation to meet new NERC CIP standards. Expenditures include hardware purchases, five-year software licensing, and labor for implementation activities. The forecast increase was derived from historic expenditures for NERC CIP V.5 implementation costs.

D. Grid Modernization Cybersecurity

Figure II-6 shows 2014-2018 O&M recorded costs and Test Year 2021 forecast for the Grid Modernization Cybersecurity activity.

Figure II-6: Grid Modernization Cybersecurity O&M, Recorded 2014-2018/Forecast 2019-2021 (Constant 2018 $000)

Table II-10 shows the 2014-2018 recorded and 2019-2023 forecast capital expenditures for the Grid Modernization Cybersecurity activity.


Table II-10: Grid Modernization Cybersecurity Capital Expenditures, 2014-2018 Recorded/2019-2023 Forecast (Nominal 2018 $000)

1. Project or Program Description

While modernizing the electric grid allows for many new capabilities such as Distributed Energy Resources (DER) integration and automation, such modernization comes with new cybersecurity challenges. The Grid Modernization Cybersecurity program[41] focuses on addressing the comprehensive security and data protection needs of all new infrastructure and application assets being added through SCE’s Grid Modernization program.[42] This includes:

• Field Area Network (FAN)
• Common Substation Platform (CSP)
• Wide Area Network (WAN)
• Grid Management System (GMS)
• DRP External Portal (DRPEP)
• Grid Interconnection Processing Tool (GIPT)

[41] Given the sensitive nature of cybersecurity information, only limited content is being presented in this public document. Specific details can be provided in confidential briefings.
[42] Please refer to SCE-02 V.04.


Consistent with the Commission’s final decision in the 2018 GRC, SCE is upgrading several legacy systems that are obsolete such as the old NetComm wireless network, the existing Distribution Management System (DMS) and Outage Management System (OMS). Also consistent with the various Distributed Resources Plan (DRP) compliance requirements described in SCE-02, Volume 4, SCE is delivering new customer-facing capabilities such as those offered through DRPEP and GIPT. The Grid Modernization Cybersecurity program addresses the critical need for modern and robust cybersecurity measures and controls by detecting, isolating, fixing or removing, and restoring electric distribution grid systems and devices as quickly and efficiently as possible. The program seeks to accomplish this through a combination of infrastructure, applications, and threat intelligence initiatives.

SCE’s new Grid Modernization Communications system comprising the FAN, CSP, and WAN will provide the opportunity to significantly enhance the underlying cybersecurity capabilities. Indeed, through this cybersecurity program, the new communication paths designed for two-way data flows will be actively monitored, maintained, and controlled. In addition, advanced infrastructure service layers will be deployed to extend strong cybersecurity controls to the edges of the grid network.[43] Moreover, the new grid control applications planned by the GMS program will be designed with cybersecurity controls throughout their implementation lifecycle thus integrating strong access controls, secure communications, and secure programming code. With the combination of WAN and CSP, secure network segmentation schemes will be configured and secure advanced remote access to the substation will provide complete visibility to SCE’s Security Operations Center. Furthermore, this program will invest in additional software and hardware tools to secure externally facing connections with customers and/or 3rd parties (e.g. DER aggregators) that will interact with SCE via a variety of access methods, such as the DRP External Portal (DRPEP) and Grid Interconnection Processing Tool (GIPT). Lastly, the Grid Modernization Cybersecurity program will integrate cybersecurity operations with external government organizations to enhance incident investigation and response capabilities.

Despite the implementation of strong preventative controls, cybersecurity for grid modernization designs must account for the possibility that compromise of a system on the distribution network will occur. A compromised system on the grid enables an avenue of attack to escalate privilege, launch malware attacks, or render a grid system inoperable. Preventative controls will be imperative to defending SCE’s infrastructure, as will the ability to identify when a compromised system behaves anomalously and execute an automated response to isolate the system and minimize its potential impact to the grid operations. This program’s scope addresses the multiple layers of technology, vulnerability testing, resources, processes, and procedures that are necessary, which include:

• Grid Data Center Cybersecurity foundational capabilities providing detection and response
• Industrial Control Systems (ICS) Threat & Asset Visibility and Information Protection capabilities: Vulnerability Management, Boundary Defense, Access Control, System Response, Device Management, Malware Protection
• Cybersecurity Lab/destructive test environment
• Grid Data Center upgrade/replace existing tools
• Grid Data Center capacity/technology enhancements
• Government Technology Transfer

O&M costs for the Grid Modernization Cybersecurity program are related to pre-planning and project start-up tasks, business and process analysis, procurement support, training, hardware maintenance, and employee travel related expenses.

[43] SCE defines the edge of the grid network as the portion of the system between the distribution substation and the customer meter.

2. Need for Activity Including Risk Avoided

SCE’s Grid Modernization program will continue implementing new capabilities to support the evolving use of the distribution system, including the additional communication channels that increase the potential for cyber-attacks. While enabling a distributed control system requires real-time communications from edge distribution systems to central operations control facilities, these systems can be used as a foothold by an attacker to attempt to compromise various layers of the grid network. However, the new communication paths provided by the WAN will enable centrally managed cybersecurity controls designed in a more preventative and automated architecture that will provide layered defense-in-depth cybersecurity controls while enabling new GMS applications to function.

In summary, this program is needed to ensure that cybersecurity is natively integrated into each grid modernization component throughout its lifecycle and thus provide a strong framework against a cyber-attack.[44]

For O&M costs, as is the case with all other SCE grid modernization programs, Project O&M support is an essential activity to initiate and complete the upfront work required to properly start the overall program. This activity defines scoping requirements, documents changes in business and ongoing support processes, conducts relevant training, and supports procurements from industry vendors through competitive solicitations.

[44] Refer to SCE-02, Vol. 4, pt.1 for more information on SCE’s Grid Modernization program.

3. RAMP Integration

a) Reconciliation between RAMP & GRC

(1) O&M

Table II-11: Grid Mod Cybersecurity, RAMP vs GRC O&M Forecast Comparison (Nominal 2018 $000)

There is minimal difference between RAMP and the GRC request for Grid Mod Cybersecurity O&M.

(2) Capital

Table II-12: Grid Mod Cybersecurity, RAMP vs GRC Capital Forecast Comparison (Nominal 2018 $000)

The Grid Modernization Cybersecurity Program capital forecast presented in the RAMP Report was a point-in-time calculation. As SCE became more familiar with the RAMP methodology, SCE identified additional resources for Grid Modernization Cybersecurity. Due to the alignment of these changes, the 2019-2020 forecasts are lower due to the timing of the FAN and GMS workstreams and higher in 2021-2023. SCE’s 2019-2023 forecast is detailed in Section D.6 below.

RAMP Risk: Cyber Attack
RAMP ID: C5a
RAMP Control Name: Grid Modernization Cybersecurity

Filing Name | 2019 | 2020 | 2021
RAMP | $709 | $624 | $628
GRC | $722 | $625 | $630
Variance | $13 | $1 | $2


4. Comparison of Authorized 2018 to Recorded

In 2018, capital expenditures for the Grid Modernization Cybersecurity program exceeded the authorized amount by $13 million ($21 million recorded versus $8 million authorized). The recorded expenditures were consistent with SCE’s request in the 2018 GRC. The variance is primarily a reflection of the Commission’s approval of approximately 40% of SCE’s request. The variance also arose from the complexity of the Grid Modernization Cybersecurity architecture definition and design documentation which necessitated additional technology support from external contractors and SCE’s Grid Services and Enterprise Architecture teams. The variance was also attributable to higher than anticipated levels of expenditures for hardware purchases and professional services needed to build and configure several cybersecurity tools.

5. Scope and Forecast Analysis

Table II-13 shows 2014-2018 recorded O&M costs and the Test Year 2021 forecast for the Grid Modernization Cybersecurity Program.

Table II-13: Grid Modernization Cybersecurity, Recorded 2014-2018/Forecast 2019-2021, Constant 2018 ($000s)

a) Historical Variance Analysis

(1) Labor

As shown in Table II-13, low levels of recorded labor costs were incurred from 2016 to 2017 as Grid Mod Cybersecurity was in its planning and scoping stage. In 2018, staff was initially assigned to map business processes and perform hardware maintenance.

(2) Non-Labor

Non-labor costs for Grid Modernization Cybersecurity include costs for training and conferences, training travel expenses, and conducting onsite training support on the operations of the cybersecurity network boundary defense and industrial controls system security tools and technologies. As reflected in Table II-13, SCE began incurring non-labor expenses in 2017[45] as outside resources were utilized to perform architecture evaluations and build requirements definitions as part of planning and scoping effort. In 2018, the non-labor costs reflect a one-time increase of $2.5 million due to an accounting change resulting in certain costs being moved from capital to O&M.

b) Forecast

(1) Labor

As shown in Table II-13, SCE’s 2016-2018 recorded expense has shown an upward trend. SCE forecasts labor levels consistent with 2018 levels to support project management of Grid Modernization Cybersecurity activities. As such, the forecast utilizes the last recorded year consistent with Commission guidance when historic costs exhibit a certain trend or are relatively stable for three or more years. From the 2018 recorded labor amount of $141,000, SCE forecasts a minor decrease, which results in a Test Year 2021 forecast of $131,000. The variance of $10,000 in labor is attributable to assigned staff being able to charge certain work to other areas beginning in 2021.

(2) Non-Labor

The Test Year 2021 non-labor forecast is a decrease from 2018 recorded costs. Excluding the impact of the accounting change in 2018, the level of non-labor costs is otherwise consistent with the $0.6 million of non-labor costs incurred in 2018, which provides the basis for the forecast.

[45] The negative recorded value shown in 2016 is due to an accounting error that was corrected to appropriately reflect as a capital expenditure.

6. Capital Expenditures

a) Summary of Cost Forecast

Table II-14 summarizes the 2016-2018 recorded and the 2019-2023 forecast of capital expenditures for the Grid Modernization Cybersecurity program.


Table II-14: Grid Modernization Cybersecurity - Capital Expenditures, 2014-2019 Recorded/2019-2023 Forecast (Nominal $000)

The Grid Modernization Cybersecurity Program began in 2016. The increase from 2016 to 2017 reflects a higher level of expenditures for the overall system architecture and technical designs supporting the multitude of grid modernization projects discussed above. Recorded expenditures in 2017 also included procurement of hardware for SCE’s CSP and the new supporting data center environments. From 2017 to 2018, the program activities continued to ramp up and increases were driven by the procurement of the foundational cybersecurity tools[46], access control technology, and privileged account management software.

The capital forecast for the Grid Modernization Cybersecurity program includes project team costs for SCE employees, supplemental workers, consultants, software, hardware, and selected vendor costs. For more detailed information on the forecast expenditures, please see the work papers.[47] From 2019 to 2020, capital expenditures relate to the implementation and deployment of core cybersecurity capabilities such as network access control, vulnerability management, threat detection and analysis, certificate management, encryption services, privileged identity management, and device and network forensics. Starting in 2021 and continuing through 2023, expenditures involve deploying and configuring capabilities related to the specific grid modernization workstreams, including those for FAN, CSP, WAN, and GMS. The notable increase in expenditures in 2021 is due to the timing of the FAN and GMS workstreams and the ramp up of their production implementation schedules.

[46] The foundational cybersecurity tools are advanced software and hardware tools the details of which cannot be disclosed in this public document.
[47] See WPSCE-04V03 pp. 116 – 122.
[48] See WPSCE-04V03 pp. 123 – 124.
[49] See WPSCE-04V03 pp. 125 – 126.

b) Scope and Forecast Analysis

SCE forecasts $161 million in capital expenditures[48] for the Grid Modernization Cybersecurity Program from 2019 to 2023.[49] The forecast includes certain expenditures previously planned for prior years and a higher level of vendor and professional services costs based on the projected workstreams. The scope of capital expenditures under the Grid Modernization Cybersecurity program from 2019-2023 consists of the following:

• Field Area Network (FAN)

SCE Cybersecurity is supporting the FAN program by providing capabilities to monitor the network, internally and to other network hand-offs (interfaces) and then creating priority-based alerts to operations and support teams of suspected cyber-attacks. Active radio and host integrity monitoring will protect the integrity of the FAN by programmatically disabling the access of compromised devices to the rest of the FAN. Additionally, directory services will be integrated that require certificate-based authentication using Public Key Infrastructure (PKI) for the radios and tied to a strong encryption model preventing adversaries from monitoring or changing the data transmitted over the FAN.[50] Multi-factor authentication will protect the user login capabilities as needed.[51]

• Common Substation Platform (CSP)

As a key component of SCE’s new Communications system, the CSP is designed to integrate with different substation implementations and provide network segmentation which will prevent grid network traffic from accessing the substation network. Within the substation, only authorized and approved computing devices can connect to the substation network and only specific software tools/applications can be launched on those devices. All network traffic within the substation will be monitored for inappropriate or unauthorized communications and alerts are generated and sent to response teams as necessary.

• Wide Area Network (WAN)

In augmenting the capabilities for the WAN, Cybersecurity only permits SCE-issued computing devices to connect to internal networks and performs Deep Packet Inspection (DPI) on network traffic crossing security boundaries to ensure that attempts to compromise or exfiltrate SCE grid information systems are prevented and alerted on. Those connected computing devices run multiple cybersecurity applications to ensure that they have not been modified from the approved standards for operation. Cybersecurity utilizes multiple technologies to protect and automate the responses to support a defense-in-depth strategy of overlapping capabilities to prevent adversaries from gaining or exploiting access to SCE systems.[52]

• Grid Management System (GMS)

The multiple components that make up the GMS will each need protection that will be provided by this Cybersecurity program. Tasks that require privileged access to the software underlying the GMS will be supported by limited use accounts that are restricted in scope and lifetime. The computing pieces of the GMS platform will run specific cybersecurity software tools/applications to ensure that unauthorized software and content is not present or allowed to launch. All network activity will be tracked, monitored, and examined for evidence of malicious behavior. When detected, automated response capabilities will be used to remediate potential compromises and restrict the ability for an attacker to move through SCE networks. Information sharing will continue to be used to coordinate relevant and timely data between SCE, others in the utility industry, and government resources in order to protect and respond to emerging threats. Tools designed to simulate attacker activities and test detection and response capabilities will be deployed to routinely check the security posture of the GMS components and report on potential issues.

In addition, Cybersecurity will support a specific network zone to permit approved and trusted third-party access to authorized grid resources that are protected by multi-factor authentication and strong encryption. This allows for effective remote support for specialized hardware and software for vendors and related companies.

• DRP External Portal (DRPEP) and Grid Interconnection Processing Tool (GIPT)

DRPEP and GIPT are new applications to be used by SCE’s customers for viewing updated DER hosting capacity on distribution circuits and automating the existing manual tasks associated with DER interconnection requests. These applications will be protected from disclosure by requiring strong encryption and inspecting the communication for hidden malicious content between the customer’s computing device and the SCE asset providing the service. Access to these applications will be restricted such that Internet addresses that have been previously flagged as participating in suspicious or malicious behavior will not have access. Once the information has been provided by the customer, that data is protected internally against disclosure or access by unauthorized parties.

[50] https://www.nist.gov/industry-impacts/online-security-through-strong-encryption.
[51] https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication.
[52] https://www.csoonline.com/article/3268066/how-important-defense-in-depth-will-be-as-the-lines-between-security-layers-blur.html.

E. Software License & Maintenance

Figure II-7 shows O&M recorded costs from 2014-2018 and the Test Year 2021 forecast for the Cybersecurity Software License & Maintenance activity.

Figure II-7: Software License & Maintenance, Recorded 2014-2018/Forecast 2019-2021

1. Work Description

The Cybersecurity Software Licenses & Maintenances account includes the costs of licenses and maintenance agreements to maintain SCE’s cybersecurity hardware and software assets.

These costs include software support agreements that give SCE access to break/fix support, service patches, software updates, and upgrades of all kinds for a large variety of cybersecurity software products used by SCE. The secure operation and maintenance of these applications is vital and the patches and updates from vendors are needed to address security, operational defects and operating system compatibility and improve performance.

The regular introduction of new tools or projects can result in year-to-year variances in this spend. New software implementations normally come with five years of pre-paid, capitalized licensing and maintenance costs. After five years, the maintenance costs are treated as O&M. The number and size of license renewals vary from year to year depending on the year of software implementation.

2. Need for Activity

Cybersecurity attacks are constantly changing and require frequent updates and changes in defensive technology to adjust. Ensuring that cybersecurity tools are up to date requires investment in the licensing and maintenance for adequate coverage across the spectrum of adversarial activity.


Cybersecurity presents an ever-evolving challenge to SCE. The threat of cyberattacks is growing; attacks are continually becoming more frequent and more sophisticated. Our grid is evolving and incorporating communicating and operating technology that enable us to respond faster, operate our system more efficiently and reliably, and incorporate distributed energy resources at a greater level. But more reliance on advanced technology to operate and communicate necessarily increases risk of cyberattack, and greater potential consequences if a cyberattack is successful.

SCE needs the latest tools to protect against cyber threats, such as malicious intrusion by hackers or insiders and the proliferation of various forms of attacks through malware, denial of service attacks and viruses, which can affect the ability to provide reliable generation and delivery of electric power. Without these tools, SCE would be vulnerable to harmful infiltration. Regular renewal of vendor support and maintenance for our software is needed to secure vendor availability to respond in a timely fashion when critical systems experience outages or system failures. Of equal importance is the ongoing support facilitated by these vendors’ agreements to provide security patches and system updates. Absent implementation of critical security patches, the security of customer data and critical system infrastructure would be placed at significant risk. As new threats arise that are not addressed by the existing software and hardware in use, these support contracts allow SCE to get access to development and engineering resources to generate appropriate countermeasures.


3. RAMP Integration

a) Reconciliation between RAMP and GRC

Table II-15: Cyber Software License & Maintenance Controls, RAMP vs GRC O&M Forecast Comparison (Nominal 2018 $000)

There is minimal difference between RAMP and the GRC request for Cyber Software License and Maintenance O&M.

4. Comparison of Authorized 2018 to Recorded

SCE was authorized $3.3 million in O&M expenditures for Software License & Maintenance in the 2018 GRC decision. This work activity’s recorded 2018 O&M expenditures were approximately $2.4 million, which was $0.9 million below authorized. This decreased spending compared to authorized was primarily due to savings from various license negotiations and fewer licenses purchased.

5. Scope and Forecast Analysis 11

As stated earlier, ongoing support of cybersecurity tools provide security patches and 12

system capability updates which if not implemented, the security of customer data and critical system 13

infrastructure could be at risk. For new threats that are not currently addressed by the software and 14

Page 48: 2021 General Rate Case - Southern California Edison · 16 Sector Cybersecurity Capability and Maturity Model (C2M2) and BitSight security ratings in SCE’s 17 2021 GRC. 6 See A Regulatory

44

hardware in use, these support contracts allow SCE to get access to development and engineering 1

resources to create an appropriate countermeasure to the attack. The costs cannot be decoupled due to 2

the inherent connection between license/maintenance and the tools. 3

To determine the growth rates, calculations on projected growth of cyber-attacks by volume and intensity were developed and applied to the total hardware and capital project spend for the RAMP project. In order to assess the projected growth of cyber-attacks by volume and intensity, SCE analyzed data regarding reported critical infrastructure incidents from the National Coordinating Center for Communications Integration Center (NCCIC) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Annual Review Reports.53 These organizations operate under the direction of the Department of Homeland Security (DHS). This nationwide data showed that the average number of incidents reported from 2014 to 2016 was 277. SCE then filtered this data and determined that 61 of those total incidents involved the energy industry.

SCE then used data from these reports and the SANS - Securing Industrial Control Systems 2017 Report to ascertain that approximately 12% of ICS/SCADA security incidents result in actual intrusion into control systems. SCE then sourced these control system intrusions to each of the three drivers. SCE applied growth rates to each driver to account for the increase in volume of cyberattacks, and the risks incurred if our proposed cyber defenses were not fully deployed.

Table II-16 below provides recorded costs from 2014 to 2018 and the Test Year 2021 forecast for the Software License & Maintenance activity.

53 See WPSCE-04V03 pp. 127 – 141.


Table II-16 Software License & Maintenance

Recorded 2014-2018/ Forecast 2019-2021 (Constant 2018 $000s)

a) Historical Variance Analysis

(1) Labor

Table II-16 shows certain amounts for labor expenses from 2014 to 2018; however, those amounts were erroneously charged to this GRC activity as the Software License & Maintenance activity does not record labor costs. As noted in the forecast section, SCE does not forecast any labor costs for this activity.

(2) Non-Labor

Non-labor costs for this work activity fluctuated significantly from 2014 to 2018, as the volume of support, maintenance, renewals and upgrades needed varies from year to year and the costs are based on the negotiated terms of multiple software and license agreements.

b) Forecast

(1) Labor

SCE does not forecast any labor expenses for this GRC activity.

(2) Non-Labor

SCE’s non-labor forecast for Test-Year 2021 is $5.7 million.54 As noted earlier, the Cybersecurity Software License & Maintenance activity provides the essential support to securely operate and maintain the reliability and performance of critical tools employed for our cybersecurity strategy. These tools are utilized for all Cybersecurity Programs. For example, firewall technology utilizes licenses and software features to enable specific security controls, such as deep packet inspection.55 Absent this license and software, the security control would be disabled or prevented from receiving future updates. This would severely degrade the capability of this Perimeter Defense control and reduce the ability to prevent or mitigate cyber-attacks.

54 See WPSCE-04V03 pp. 142 – 148.

55 https://digitalguardian.com/blog/what-deep-packet-inspection-how-it-works-use-cases-dpi-and-more contains an explanation of deep packet inspection and what capabilities it has.

The forecast is based on the costs for an itemized list of software and licenses, aligned with what has been identified in RAMP to support the grid.56 In some cases, these technology solutions may be upgraded or augmented to operate more efficiently and improve the security posture of SCE. While we cannot publish the actual names of those software tools and upgrades due to the sensitive nature of the materials, a workpaper outlines the lifecycle for those tools and upgrades which drives the timing of the refresh and associated costs that form the basis for the forecast.57

56 Referenced in RAMP Report, section 6-6.

57 See WPSCE-04V03 pp. 149 – 150.