Throughout the discussions over metrics, two specific topics were addressed repeatedly and deserve special attention: cyber-security and environmental protection. These two topics present special circumstances for the development of metrics because neither topic, albeit of critical policy significance, is subject to the straightforward quantification that would permit the construction of a simple metric.
As a consequence, the Commission directs, as described in more detail below, the creation of two additional Technical Working Groups to begin the discussion around developing consensus metrics on cyber-security and environmental benefits from Smart Grid deployments.
All parties that commented on this topic agreed that the creation of Technical Working Groups on cyber-security and environmental metrics was warranted.
SCE supported the creation of "an informal technical working group to address the development of future cyber-security metrics."84 SCE also supported the creation of an inventory of utility cyber-security practices as proposed by Granite Key/Aspect Labs, as well as the need for parties to sign an appropriate non-disclosure agreement.85
SDG&E stated that a working group on "cyber security metrics would serve to promote stakeholders engagement and collaborative dialogues concerning this important matter."86 SDG&E, however, cautioned that due to the sensitive nature of the topic a non-disclosure agreement may not be sufficient to protect the information.87 SDG&E reiterated that "[t]he security of these systems and data are essential to avoiding disruptions in critical utility operations, as well as to prevent data tampering, fraud, and inappropriate disclosure of sensitive information."88
PG&E supported a Technical Working Group on cyber-security metrics, but cautioned that it "remains skeptical that cyber-security issues can be reduced to 'metrics'..."89 PG&E, instead, viewed the Technical Working Group as a means to informally share information, "including the sharing of confidential and security sensitive information through appropriate non-disclosure protections and protocols."90
DRA also supported the creation of a working group on cyber-security. DRA recommended, however, that the group be called a "Cyber Security Technical Review Group" to "emphasize that the review group would not be advising PG&E, SCE and SDG&E on cyber security measures."91 Specifically, DRA stated that this group "would collectively formulate and review metrics that will assist in informing the Commission and interested parties on the success or failure of cyber security specifically related to Smart Grid deployment."92 Further, DRA argued that the purpose of the Technical Review Group is to "develop cyber security metrics that do not compromise the utilities' security."93 Finally, DRA argued that the group should be considered confidential as participants may discuss confidential materials relating to cyber-security policies of the utility.94
SoCalGas stated that it has participated in the previous discussions on cyber-security metrics, and that a Technical Working Group on cyber-security "would be helpful in continuing the discussion among parties on these issues."95
Granite Key/Aspect Labs also supported the creation of a Technical Working Group on cyber-security metrics. Granite Key/Aspect Labs proposed that the working group "should perform an inventory of practices a utility already does in regards to grid and cyber-security."96 Additionally, the working group should "allow for an informal sharing of information about utilities' cyber-security policies and protocols" in order to help inform participants in creating metrics.97 Finally, Granite Key/Aspect Labs identified an initial list of 19 questions designed "to gather information about the current state of utilities' cyber-security practices" that will help inform the conversation.98
There is substantial agreement among parties concerning the path forward on these issues. The parties agree that the creation of a Technical Working Group to begin discussing and creating metrics on cyber-security would be beneficial. Additionally, as discussed above, there is also substantial agreement that a Technical Working Group should be created to address the creation of metrics associated with potential environmental benefits from Smart Grid deployment.
Based on the consensual arguments of the parties, the Commission will create a Technical Working Group to develop cyber-security metrics for Smart Grid and a second Technical Working Group to develop environmental metrics.
On cyber-security, the Commission agrees with the parties that cyber-security is an important attribute of any Smart Grid deployment. Furthermore, the Commission has a responsibility to the customers of PG&E, SCE and SDG&E that any investments and deployments approved by the Commission contain a high level of security and safety assurances. These metrics should provide a means to measure the effectiveness of a utility's cyber-security policies and protocols as they apply to existing and new Smart Grid deployments.
The creation of a Technical Working Group to recommend metrics on cyber-security is reasonable. These metrics, when adopted by the Commission, should be applied consistently across the three Investor-owned Utilities and should be reported, to the greatest possible extent feasible and consistent with security goals, publicly.99 Finally, any consensus metrics that are developed in this process should be included in the Technical Working Group's report.
This decision also finds the proposal of Granite Key/Aspect Labs for structuring the initial Technical Working Group meetings a constructive suggestion for facilitating initial discussions and has added it as Appendix B to this decision. The Technical Working Group's initial efforts should undertake an inventory of what cyber-security information the utilities are already collecting, what information on cyber-security the utilities are already providing to the Commission, and other state and Federal agencies, and what cyber-security practices are currently in use by the utilities.100 Once an inventory is done, the Technical Working Group should begin considering the creation of metrics based on this inventory that can be applied to PG&E, SCE and SDG&E.
The Commission therefore directs its Staff to initiate this Technical Working Group, and to make careful and appropriate use of the initial list of questions proposed by Granite Key/Aspect Labs and included as Attachment B to this decision as a starting point for discussion. The utilities will not be required to disclose cyber-security gaps and vulnerabilities, cryptographic and software protective measures, or other similar items in the workshop setting. Finally, the Technical Working Group should consider and create, to the extent necessary, a non-disclosure agreement for all participants to ensure the ability of all parties to discuss and collaborate freely and openly.
In D.10-06-047, the Commission required the utilities' Smart Grid Deployment Plans to include a section on Grid and Cyber-Security. As the Commission explained:
The Commission and the public have good cause to be concerned and a right to expect that the electric grid will remain secure with the deployment of Smart Grid technology.101
This Technical Working Group should be a forum for the Commission, utilities and interested parties to begin discussing policies and protocols that the Commission may adopt to ensure the security of the grid as Smart Grid is deployed. Additionally, this should also be a forum to discuss any policies that the Commission may need to adopt to address potential cyber-security issues with legacy equipment.
The Commission expects to continue participating in national efforts on cyber-security, and will expect the utilities to use any agreed-upon standard or protocol that is developed in that process. The Commission is also aware that investment in and deployment of Smart Grid technology and infrastructure in California is ahead of most of the United States; it is, therefore, incumbent upon the Commission to ensure that these deployments contain an appropriate level of cyber-security, and to ensure cyber-security is a fundamental practice for Smart Grid deployments. In addition, the Commission will rely on Energy Division staff to bring proposed revisions to the Commission's attention.
Concerning the development of environmental metrics, the Commission directs the creation of a separate Technical Working Group to develop metrics to measure the environmental benefits that can be attributed to Smart Grid deployments. The Commission appreciates the efforts already made by the utilities and EDF to begin this discussion. The Commission directs Commission Staff to initiate this Working Group, and begin discussions on this topic. Commission Staff should consult with the utilities, EDF, and other interested participants in the preparation of the first meeting and work towards a report that will be filed in this proceeding.
EDF, in its comments, identified an initial set of potential environmental metrics associated with Demand Response and Distributed Generation.102 The Commission also agrees with EDF's observation that as Smart Grid deployments increase, it may become possible to measure additional environmental benefits that can be attributed to Smart Grid deployments. This Technical Working Group should be a forum for this discussion.
Any consensus metrics that are developed in this process should be included in the report of this Technical Working Group. In addition, the Commission will rely on Energy Division staff to bring proposed revisions to the Commission's attention.
84 SCE Comments at 8.
85 SCE Reply Comments at 9.
86 SDG&E Comments at 3.
87 SDG&E Reply Comments at 3.
88 Id.
89 PG&E Comments at 3.
90 Id.
91 DRA Comments at 6.
92 Id.
93 Id.
94 Id. at 6-7.
95 SoCalGas Comments at 6.
96 Granite Key/Aspect Labs Comments at 2.
97 Id. at 2.
98 Id. at 3-4.
99 The Commission understands that there may be sensitive data that cannot be reported publicly; in that case, metrics can be filed under seal, and be provided to Commission Staff, DRA and those who have signed the appropriate non-disclosure agreement.
100 The full list of items is available at Attachment B.
101 D.10-06-047 at 58.
102 EDF Comments at 4.