5. Comments on Proposed Decision

The proposed decision (PD) of Commissioner Ryan in this matter was mailed to the parties in accordance with Section 311 of the Pub. Util. Code and comments were allowed under Rule 14.3 of the Commission's Rules of Practice and Procedure.

Comments were filed by June 10, 2010 by AT&T, CDT/EFF, CESA, CFC, DRA, EDF, EPIC, GPI, GraniteKey, Greenlining, ISO, PG&E, Researchers, SCE, SDG&E, To the Point, TURN, UCAN, and Wal-Mart. Reply comments were filed on June 16, 2010 by PG&E, Researchers SCE, SDG&E, and TURN.

We have reviewed the comments and replies of all parties and have modified the decision as we deem appropriate. We discuss certain comments, however, in greater detail in the sections that follow to make our reasoning transparent.

5.1. Comments on Deployment Plan Requirements and Procedures

SCE "seeks confirmation that Smart Grid Deployment Plans will in fact be used as a source of guidance about future Smart Grid investments"³³⁹ and seeks clarifying changes. In addition, SCE seeks clarification that the cost-benefit analysis that the deployment plans will contain are "conceptual" in nature.³⁴⁰ SCE also seeks clarification that the proceeding to review the Smart Grid Deployment Plans "will not be considered a ratemaking proceeding."³⁴¹

The Smart Grid Deployment Plans will be used as a source of guidance, and we have made clarifying changes to the proposed decision. Similarly, the cost-benefit analysis will be conceptual in nature, and we have made other clarifying changes to the PD. Furthermore, we clarify that the proceeding to review the Smart Grid Deployment Plans will not set any rates. The categorization of that proceeding, however, will be made at the time of utility filing of the Smart Grid Deployment Plans.

SDG&E asks for "guidance on the type of prices desired..."³⁴² that it will eventually disclose to customers and provides details on the complexities that bedevil electric pricing. Concerning cost estimates, SDG&E, like SCE, asks for clarification that "probable cost estimates and ranges available" or "an approximation of the probable total cost of a product, program, or project, computed on the basis of currently available information" will be acceptable.³⁴³ Concerning SDG&E's request for details on what it should disclose as an electricity price, we intend to make that clarification in a decision issued prior to the implementation of the price disclosure program and therefore we do not address this issue at this time. Concerning SDG&E's request for clarification of "cost estimates," we have revised the decision's language to clarify that the Commission is cognizant of the uncertainties that currently surround the costs of Smart Grid technologies.

ISO argues that the "Smart Market" discussion should include "the need to create pricing structures and market products that help integrate renewable resources into the grid."³⁴⁴ The ISO also seeks clarification on a number of points, including whether the Smart Grid includes the transmission infrastructure and a "discussion of how the IOUs intend to work with other entities."³⁴⁵

In response, we reiterate that we do not expect deployment plans to propose pricing structures and market products to help integrate renewable resources into the grid, but we agree that the deployment plans should address the integration of renewable resources. In addition, we agree that the deployment plans should discuss Smart Grid investments on transmission infrastructure. In addition, the utilities should use a collaborative process prior to filing the deployment plans. We anticipate that a workshop to facilitate this collaborative process will be part of the process leading to the filing of Smart Grid Deployment Plans, but plan to address this issue through a later ruling.

EDF argues that "[t]o meet SB 17, the `Smart Utility' section should discuss how the smart grid will help meet the state's environmental laws and policies ..."³⁴⁶ In addition, EDF argues for the use of stronger language in the decision, replacing words such as "would be helpful" with "require."³⁴⁷ EDF also asks that the Commission require a more explicit discussion of environmental benefits in deployment plans.

We agree with EDF's points and have modified the decision in numerous places to reflect the importance that both the Commission and SB 17 place on the environmental benefits of the Smart Grid.

Greenlining argues that GO 156 requirements "must not be an afterthought to deployment plans."³⁴⁸

Greenlining also highlights challenges the utilities may face with regard to GO 156 requirements as utilities increase their business with new suppliers in the technology area.³⁴⁹ We agree and the decision has been modified to emphasize that utilities should pay special attention to GO 156 as utility investment grows in new areas.

UCAN argues that the "Smart Grid vision statement is insufficient to ensure that the requirements of Code Section 8360(j)."³⁵⁰ We find UCAN's argument unpersuasive. It is not just the Smart Grid vision statement that permits the Commission to ensure the requirements of § 8360(j). The Commission will review the entire Smart Grid Deployment Plan and the specific Smart Grid investments proposed in subsequent Commission proceedings, and these comprehensive reviews will enable the Commission to assure that the Smart Grid meets the requirements of § 8360(j). AT&T asks, among other things, that the Commission clarify "that in addition to following the national guidelines utilities and communications providers must engaged in their own detailed cyber security risk assessment."³⁵¹ AT&T also asks that the Commission clarify that "IOUs consider not only third party wireline communications providers' services, but wireless communications services and managed services, such as hosting, security and cloud computing services, as well."³⁵² We agree that IOUs and utilities should pursue risk assessment beyond what is required. We also expect that IOUs will consider all third-party communications alternatives, not just those provided by wireline companies. We have made changes in the decision to clarify these matters.

TURN asks that "any potential new `pricing structures' included in the vision statements must be considered in a ratemaking proceeding."³⁵³ TURN also asks that the "smart vision requirement of education and marketing should include a specific blueprint to ensure `education' not public relations."³⁵⁴ TURN also clarifies that its position is Smart Grid investments "would be best addressed in rate cases"³⁵⁵ and not through special applications.

In response to TURN, we reiterate that we do not anticipate reviewing pricing structures in this proceeding. We also agree that education should not be public relations, but we need not address this issue until we review specific public education proposals. Finally, we agree that Smart Grid investments may be best considered in rate cases and prefer that IOUs propose Smart Grid investments as part of their GRCs. However, for the reasons cited above, it is impractical to adopt this as a procedural requirement because of the timing of GRCs and because of the likely need to make investments to facilitate the timely disclosure of information on usage and prices to customers.

CESA asks that the Commission clarify that its vision of a Smart Grid includes "energy storage."³⁵⁶ This is indeed the case and we have made changes to clarify this matter.

GPI argues that the Commission should examine pricing structures in this proceeding. In addition, GPI asks that "vision statements ... reflect how the Smart Grid will enable a utility to operate its transmission and distribution system in ways that facilitate the deployment of increasing levels of renewables ..., anticipate events, enable responsiveness, and permit automatic or "self-healing" responses by the grid."³⁵⁷ As noted above, at this time we do not plan to consider pricing structures in this proceeding. GPI's views concerning the scope of the vision statement are consistent with the Commission's views. To the Point stresses the importance of education programs that listen to consumers and respond to diverse interests. These points are well taken, and we will keep these recommendations in mind as we review Smart Grid Deployment Plans and specific investments.

5.2. Demarcation Point

Wal-Mart comments that the Commission "must expressly designate a physical demarcation point now to provide guidance" to the utilities and market participants in order to meet the goal of interoperability.³⁵⁸ Wal-Mart seeks clarification that a demarcation point not be defined "on a case by case basis in the context of individual utility applications or general rate cases."³⁵⁹

AT&T seeks clarification that the Commission will ensure that a utility "gains no competitive advantage over any other energy management service from its access to the customer's home."³⁶⁰

Greenlining comments that the Commission should "revisit their decision when deployment plans are reviewed. ... A comprehensive review at a designated point in time is preferable..."³⁶¹ Greenlining notes the possibility of stranded investments made by consumers should the utility eventually be allowed to invest and distribute consumer-side devices, and seeks clarification that the demarcation point be the same for all utilities.³⁶²

The Commission sees no need to define a demarcation point at this time. The Commission does clarify that we will revisit this issue during the review of the utilities' deployment plan. At that time, the Commission will have additional information on utilities' Smart Grid plans, and will benefit from the participation of interested parties and market participants. Should the Commission decide to create a demarcation point at that time, it may act accordingly. It will, however, be the policy of this Commission to ensure that no utility gets an unfair competitive advantage from a regulatory decision and that the Smart Grid implementation proceed in ways that do not discourage the participation of third parties in Smart Grid deployment, investment, and marketing. The Commission's review of deployment plans will seek to promote both these policies.

5.3. Comments Concerning Security, Privacy and Interoperability Issues

SCE argues that "there can be no such thing as an absolute assurance of security"³⁶³ and requests the use of "more nuanced language" throughout the decision.³⁶⁴ Concerning security audits, SCE asks for a workshop that discusses "security audits" and the submission of security audits to the Commission.³⁶⁵ ³⁶⁶SCE also points out that to meet the deadlines adopted for providing access to information, SCE may need to make investments in the near future. SCE therefore seeks the inclusion of language that could permit such investment with Commission authorization.³⁶⁷

Concerning SCE's arguments, the Commission understands that despite the importance of security, there can be no assurance of security. Concerning security audits, although it is important that IOUs conduct security audits, it is not necessary to have these audits filed at the Commission as long as the Commission is assured that the audits are being done, is able to discuss the structure of the audits in workshops, and can have access to the audits and the audit data as needed. For this reason, we will not require the submission of security audits at this time, but will consider the issue of access to this information in the future proceedings, including the review of the initial Smart Grid Deployment Plans. To use a metaphor, at this time, the Commission seeks to assure itself that the security "cake" has been baked appropriately, but we do not see the need to require submission of the "recipe" or to see a "videotape" of the cooking, particularly if the Commission can obtain ready access to this information as needed. Finally, concerning SCE's request to seek Commission reviews of investments to facilitate disclosure of usage and pricing information to customers, we agree that there is no reason to restrict the timing of these reviews in any way and we have changed the decision to reflect this.

SDG&E asks that the decision clarify "that utilities are allowed to consider other industry accepted best practices"³⁶⁸ in security matters. PG&E asks for a similar clarification.³⁶⁹ This is indeed the case - we expect companies to consider industry best practices.

PG&E asks for clarification on the "procedural schedule for adopting policies on customer privacy and third party access."³⁷⁰ DRA argues strongly that "privacy rules need to be adopted prior to providing third party access to customer usage information" and asks that the Commission "adopt an appropriate schedule for resolution of all privacy matters before the end of 2010."³⁷¹ TURN also asks for a clarification that the Commission may need to amend the requirements of D.09-12-046 to extend deadlines concerning access to data.

We intend to ensure that the implementation of our policy objectives is done in an orderly fashion, without unnecessary costs due to timing and in compliance with possible legislative action. The policy objectives adopted in Ordering Paragraphs 3 and 4 of D.09-12-046 envision the adoption of privacy rules pursuant to Ordering Paragraph 5 of D.09-12-046. Therefore, D.09-12-046 contemplates that the implementation of Ordering Paragraphs 3 and 4 requires a decision in this phase of the proceeding adopting privacy rules. The policy of this Commission embodied in D.09-12-046 is to adopt privacy rules prior to ordering third party access to customer data. Commission-ordered access to information will follow the adoption and implementation of policies to protect privacy. On the issue of scheduling, we plan a ruling following the adoption of this decision.

Researchers recommend that "deployment plans should show enough work to inform the Commission, and members of the public, how the utilities have (or have not) taken the relevant requirements into account."³⁷² In addition, Researchers recommend that the decision explicitly "balance the need for public disclosure of cyber security-related information with the need to protect sensitive information."³⁷³

Concerning Researchers' request for more security information in deployment plans, we find that an approach that allows the Commission to review security matters without disclosing the details of the audit's findings to the public. Each utility should, as part of its Smart Grid Deployment Plan, specify for each applicable requirement in the guidance documents that NIST and DHS are developing, (1) what testing or analysis a utility has done (or relies on, if the testing or analysis was performed by another entity) to gauge their systems against the guidelines; (2) what results were obtained from this testing or analysis; and (3) what criteria were used to determine whether specific requirements are inapplicable. The utility may submit any portion of its deployment plan under seal, but it shall both designate those portions with specificity and state the reasons for its request to file the information under seal. Consistent with our earlier discussion, we anticipate that a "security strategy" would be filed, perhaps under seal, as part of a deployment plan, but a "security audit" would not be filed at the Commission.

At this time, we do not see a conflict between Researchers' desire for information concerning security plans with the concern to not provide a roadmap to those seeking to disrupt the security of the network. In particular, we do not see Researchers' request for specificity concerning what a utility has done or plans to do in order to test its security to be in conflict with our decision to not require the submission of the detailed security audits to the Commission. The Commission seeks information as indicative of a utility's approach to security, not a report on specific system vulnerabilities.

In our analysis, we find three distinctions useful: 1) Security Strategy, which describes a utility's approach to protecting the grid and customer information; 2) Security Assessment, which provides an overview of strengths and weaknesses of the current grid; and 3) Security Audits, which provide details on specific security failures and vulnerabilities. Concerning the issues raised by parties concerning security audits, we agree that a workshop offers the best approach to analyzing this important matter. We will therefore schedule a workshop later this year concerning security matters. The Commission will return to the issue of the appropriate balance between information disclosure and the protection of sensitive information, particularly as concerns security audits, as we consider the deployment plans. The Commission decision that reviews each of the Smart Grid Deployment Plans will also decide the Commission's policies towards the Security Audits. CDT/EFF expresses broad support for the decision's efforts to include cyber security and privacy issues in the deployment plans. CDT/EFF asks the Commission to add certain language to ensure transparency concerning "information sharing with third parties" and "additional language on interoperability."³⁷⁴ CDT/EFF suggests the addition of the following language:

With whom does the utility share customer information and energy data currently? With whom does the utility reasonable foresee sharing data in the future? What does the utility anticipate is or will be the purpose for which the third party will use the data? What measures are or will be employed by the utility to protect the security and privacy of information shared with other entities? What limitations and restrictions will the utility place on third-part use and retention of data and on downstream sharing? How will the utility enforce those limitations and restrictions?

In addition, CDT/EFF argues that the "Commission should address privacy in future workshops and proceedings associated with smart grid rollout" and "delay third party sharing if a privacy framework is not in place."

Concerning these requests, we have modified the decision to incorporate language to improve transparency concerning practices involving information sharing with third parties. In addition, as noted above, we will embark on a phase of this proceeding to develop security and privacy procedures in more detail, and we will not order third-party access to information until such measures are in place.

DRA, in addition to its concerns over privacy issues, seeks clarification on "interoperability standards."³⁷⁵ We clarify that it is our policy to require deployment plans to review NIST interoperability recommendations, and our review of deployment plans will resolve interoperability issues in the process of reviewing the plans.

Granite Key argues that the proposed decision "needs to be amended when the appropriate Federal initiatives/documents are provided"³⁷⁶ and that there is a "need for a CPUC committee or the public to review, comment on, and/or approve a Utilities deployment plans by augmenting the process of "Systematic Risk Assessment" recommended in the Proposed Decision."³⁷⁷ In response, we find that the flexibility built into the review process for Smart Grid Deployment Plans will enable the Commission to accomplish both these tasks.