The URL can be used to link to this page

Home My WebLink AboutAgenda Report - June 16, 2021 C-19/09 AGENDA ITEM r CITY OF LODI COUNCIL COMMUNICATION TM AGENDA TITLE: Adopt Resolution Adopting Lodi Electric Utility's 2021 Physical Security Plan MEETING DATE: June 16, 2021 PREPARED BY: Electric Utility Director RECOMMENDED ACTION: Adopt a resolution adopting Lodi Electric Utility's 2021 Physical Security Plan (PSP). BACKGROUND INFORMATION: On Jan 18, 2019, The California Public Utility Commission (CPUC) issued Decision 19-01-018, requiring utilities to develop and implement a Physical Security Plan (PSP), modeled on the requirements as set forth by the North America Electric Reliability Corporation (NERC) Critical Infrastructure Protocol (CIP)-014. The intent of this Council action is to comply with this new regulatory requirement. The CPUC's Decision requires that within 30 months, all Publicly Owned Utilities (POUs) provide the CPUC with a notice that an independently reviewed plan has been adopted. To comply with the Decision, Lodi Electric Utility (LEU) has developed a PSP (included as Exhibit -A, attached) and engaged an unaffiliated third -party to review and provide recommendations (if any). The auditor has concurred with the regulatory compliance of the report as -written, (auditor's report included as Exhibit -B, attached). LEU's PSP was further reviewed and signed by Lodi Police Department (LPD), (LPD response included as Exhibit -C, attached). LEU respectfully submits this 2021 PSP to Council for adoption. FISCAL IMPACT: FUNDING AVAILABLE Not applicable. Not applicable. Jeff Berkheimer Electric Utility Director PREPARED BY: Tim Conn, Sr. Power Engineer APPROVED: Steve Schwabauer Stephen Schwabauer, City Manager Physical Security Plan LODI ELECTRIC UTILITY Physical Security Plan Dated: April 29, 2021 Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU PSP Report Developed by: AESI-US Inc Name Signature Date Loreto Sarracini P.Eng. (0 9 Zcz June 9, 2021 Paul Stanley, CPP ASIS Certificate No# 8212 June 9, 2021 PSP Report Approved by: Lodi Electric Utility Name Signature Date Jeff Berkheimer (0 9 Zcz Unaffiliated Third -Party Reviewer: TRC Solutions Name Signature Date Michael Mello 06/08/2021 Deemed Adequate by Qualified Authority: City of Lodi Police Department Name Signature Date f{_1E'VIn1 W -T 0(41 41 p -Do -A Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page I i TABLE OF CONTENTS 1. Executive Summary........................................................................................................ 3 2. Introduction and Objectives............................................................................................. 3 3. PSP SCOPE................................................................................................................... 3 4. Summary of PSP Development Methodology and Approach ......................................... 4 4.1. PSP Development Methodology and Approach.......................................................... 4 5. Description of the Utility's Distribution Facilities.............................................................. 4 6. Identification of the In -Scope Distribution Facilities Subject to the CPUC Decision 19- 01-18 per SB699........................................................................................................................ 6 7. Details on the Assessment of the Covered Distribution Facility ...................................... 7 8. Identified Threat/Vulnerabilities & Risk Assessment....................................................... 7 9. Mitigations for Identified Threats and Vulnerabilities....................................................... 8 10. PSP Validation................................................................................................................ 8 10.1. Unaffiliated Third -Party Evaluation.......................................................................... 8 10.2. Qualified Authority.................................................................................................... 8 11. Repeat Process............................................................................................................... 8 12. Implementation Plan....................................................................................................... 9 APPENDIX LISTING Appendix A CPUC Decision 19-01-18 Guidance Appendix B LEU Documentation Appendix C CPUC Decision 19-01-8 Six -Step Procedure Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page I ii LODI 1. EXECUTIVE SUMMARY Physical Security Plan An assessment of Lodi Electric Utility (LEU)'s four distribution substations, pursuant to CPUC's Decision 19-01-18, has identified that none of their substations (hereafter referred to as "Covered' Distribution Facility") listed in the following table require any special measures to reduce risks or threats. Distribution Henning Substation No Industrial Substation No Killelea Substation No McLane Substation No Since none of LEU's four distribution substations are considered covered distribution facilities, a physical security threat and vulnerability risk assessment is not required. 2. INTRODUCTION AND OBJECTIVES The California Public Utility Commission (CPUC) issued Decision 19-01-018 ("Decision") on Jan 18, 2019.To mitigate the risk of long-term outages, this Decision requires utilities to develop and implement a Physical Security Plan (PSP). The PSP will be modeled on the requirements as set forth by the North America Electric Reliability Corporation (NERC) Critical Infrastructure Protocol (CIP)-014 (presented in Appendix C). The Decision requires that within 30 months all Publicly Owned Utilities (POUs) will provide the Commission with a notice that an independently reviewed plan has been adopted. To comply with the Decision, Lodi Electric Utility (LEU) has developed a PSP and engaged an unaffiliated third - party to review and provide recommendations. Those recommendations will be reviewed and addressed. 3. PSP SCOPE The overall scope of this PSP is to assess all of LEU's distribution facilities and identify which facilities are considered as Covered Distribution Facilities pursuant to the Decision. Once the facilities have been identified, the potential physical security threats will be evaluated, followed by a threat and vulnerability risk assessment to determine the likelihood of an event occurring and the level of impact. Finally, the recommended mitigations for each identified threat will be evaluated while factoring in any appropriate considerations for resiliency, impact, and cost. ' "Covered" is the utility working group term employed to describe those assets that are applicable, or that should be subject to physical security. We will employ this term for the length of this decision for the sake of consistency. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 13 E�EEiRI� Physical Security Plan 4. SUMMARY OF PSP DEVELOPMENT METHODOLOGY AND APPROACH 4.1.PSP Development Methodology and Approach The PSP is developed by following a four -phased approach to ensure that the scope objectives are accomplished. Phase II: Phase III: Phase IV: Discovery Risk Assessment Physical Security Plan (Assessment Phase) (Report &Presentation) Pre -Discovery Assessment — Project Execution Plan, Preliminary review of facility information, and LEU documentation. Discovery — The discovery phase, includes the following: a. Interviews with LEU management, and Subject Matter Experts (SMEs), gathering any additional information to determine the Covered Distribution Facilities which will need greater protection per the Decision. b. If required, conduct a physical walk down of the Covered Distribution Facilities to identify any potential threats or vulnerabilities. c. If required, conduct additional interviews with LEU management, SMEs and first responders to discuss the findings and gather additional information. III. Post -Assessment —Based on the outcome of Phases I and II, conduct the threat and vulnerability risk assessment, identify the baseline risks, the required mitigations and the resulting residual risks. IV. Physical Security Plan Report — Prepare the PSP report by documenting the findings, the potential threats and vulnerabilities, the risk assessments and the required mitigations. 5. DESCRIPTION OF THE UTILITY'S DISTRIBUTION FACILITIES The City of Lodi, with its Electric Utility Department, provides electric services to all residents and customers within the City's boundary including the White Slough Wastewater Pollution Control Facility. The electrical load at City of Lodi is served from four (4) substations: 1. Henning Substation 2. Industrial Substation 3. Killelea Substation 4. McLane Substation The following is a copy of LEU's distribution system map. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 14 EIEEiR/� REDACTED FROM PUBLIC VIEW FOR SECURITY Physical Security Plan J The Industrial distribution substation is interconnected with Pacific Gas & Electric (PG&E) at 60kV and then from the Industrial Substation, a 60 kV line loops around the city to energize the other three substations, Henning, McLane and Killelea. The distribution voltage from the substations is at 12 W. The LEU serves approximately 28,000 meters including residential and commercial customers. The historical peak load is approximately 140 MW. Also included in the LEU footprint is a 27 MW backup generating facility that is owned and operated by Northern California Power Agency (NCPA). This generating facility is adjacent to the McLane substation and the electricity is wheeled though the PG&E network and therefore there is no dependence on the McLane substation. 6. IDENTIFICATION OF THE IN -SCOPE DISTRIBUTION FACILITIES SUBJECT TO THE CPUC DECISION 19-01-18 PER SB699 Based on the description of LEU's distribution system as presented in Section 5.0, and the criteria to provide Operatorsz with guidance (Appendix A) needed to identify Covered Distribution Facilities3, LEU has not identified any facilities that meet the criteria. 2 An Operator is an Electrical Corporation, a Local Publicly Owned Electric Utility, or an Electrical Cooperative responsible for the reliability of one or more Distribution Facilities 3 A Distribution Substation or Distribution Control Center Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 15 Lv&Dl Physical Security Plan 6. IDENTIFICATION OF THE IN -SCOPE DISTRIBUTION FACILITIES SUBJECT TO THE CPUC DECISION 19-01-18 PER SB699 Based on the description of LEU's distribution system as presented in Section 5.0, and the criteria to provide Operatorsz with guidance (Appendix A) needed to identify Covered Distribution Facilities3, LEU has not identified any facilities that meet the criteria. A summary of the assessment is as follows: Factor Joint IMPOIJ Straw Proposal Assessment Distribution Facility necessary for crank path, black start or capability essential to the restoration of regional electricity service that are not subject to the LEU does not have any distribution 1 California Independent System Operator's (CAISO) substations that are necessary to operational control and/or subject to North support the requirements of this factor. American Electric Reliability Corporation (NERC) Reliability Standard CIP-014-2 or its successors Distribution Facility that is the primary source of LEU does not provide a primary electrical service to a military installation essential source of electric service to a military 2 to national security and/or emergency response installation essential to national services (may include certain airfields, command security and/or emergency response centers, weapons stations, emergency supply depots) services. LEU does not provide any services for installation for regional drinking water Distribution Facility that serves installations supplies and wastewater services. necessary for the provision of regional drinking It should be noted that the City of Lodi, 3 water supplies and wastewater services (may does provide water and wastewater include certain aqueducts, well fields, groundwater services but just for the City of Lodi, pumps, and treatment plants) which is less than 30,000 water and less than 30,000 wastewater customers within city limits. 2 An Operator is an Electrical Corporation, a Local Publicly Owned Electric Utility, or an Electrical Cooperative responsible for the reliability of one or more Distribution Facilities 3 A Distribution Substation or Distribution Control Center Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 16 0Ogg t.: hnW Physical Security Plan Therefore, LEU does not have any "Covered" distribution facilities. 7. DETAILS ON THE ASSESSMENT OF THE COVERED DISTRIBUTION FACILITY Since there were no "Covered" distribution facilities identified this section was not required. 8. IDENTIFIED THREATNULNERABILITIES & RISK ASSESSMENT Since there were no "Covered" distribution facilities identified this section was not required. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 17 LEU does not provide any services for a regional public safety establishment. Distribution Facility that serves a regional public safety establishment (may include County It should be noted that LEU does Emergency Operations Centers; county sheriff's provide services for the City of Lodi 4 department and major city police department Police and Fire which serve a headquarters; major state and county fire service population of less than 70,000 within headquarters; county jails and state and federal the city and there are no CA State prisons; and 911 dispatch centers) Prison, US Penitentiary or Federal Correctional Institute in the City of Lodi. Distribution Facility that serves a major LEU does not provide any services for 5 transportation facility (may include International a major transportation facilities or Airport, Mega Seaport, other air traffic control boarder crossing. center, and international border crossing) LEU does not provide any services for a Level 1 Trauma Center as Distribution Facility that serves as a Level 1 Trauma designated by the Office of Statewide 6 Center as designated by the Office of Statewide Health Planning and Development. Health Planning and Development It should be noted that LEU does provide services to the City of Lodi's Memorial Hospital. LEU provides services approximately 7 Distribution Facility that serves over 60,000 meters 28,000 electric meters, which is below the CPUC guidance threshold of 60,000 meters. Therefore, LEU does not have any "Covered" distribution facilities. 7. DETAILS ON THE ASSESSMENT OF THE COVERED DISTRIBUTION FACILITY Since there were no "Covered" distribution facilities identified this section was not required. 8. IDENTIFIED THREATNULNERABILITIES & RISK ASSESSMENT Since there were no "Covered" distribution facilities identified this section was not required. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 17 EEE(TR/� O� RTlll(l Physical Security Plan 9. MITIGATIONS FOR IDENTIFIED THREATS AND VULNERABILITIES Since there were no "Covered" distribution facilities identified this section was not required. 10. PSP VALIDATION 10.1. Unaffiliated Third -Party Evaluation For every PSP cycle, (see section 11) LEU will: 1. Identify Covered Distribution Facilities 2. Identify the Physical Threats and Vulnerabilities and Conduct the Risk Assessment 3. Develop a Physical Security Plan (Mitigation Plan) This document constitutes LEU's Draft Physical Security Plan. The Draft Physical Security Plan will be submitted to a Qualified Third Party for Independent Review. The Qualified Third -Party Reviewer will then issue an evaluation that identifies any potential deficiencies in the Draft PSP as well as recommendations for improvements. LEU will then modify its plan to address any recommendations or will document the reasons why any recommendations were not adopted. The combination of the Draft Physical Security Plan, the non -confidential conclusions of the Qualified Third -Party Reviewer, and LEU's responses to the Qualified Third -Party Review will constitute LEU's Final Physical Security Plan. 10.2. Qualified Authority The final Physical Security Plan must be deemed adequate by Lodi Police Department or by a Qualified Authority designated by the Lodi City Council. When the agency completes its review and provides LEU with any recommendations regarding this plan or LEU's operations, then LEU will take one of the following actions: • Will update or revise the PSP as appropriate based on the recommendations provided by the agency, or • Document the reason(s) for not modifying the PSP. 11. REPEAT PROCESS LEU will repeat the process at least once every five (5) calendar years as described below: 1. Assess all of the LEU's distribution facilities, identify which facilities are considered "Covered" Distribution Facilities pursuant to the Decision. 2. Once the "Covered" Distribution facilities have been identified, identify any potential physical security threats and vulnerabilities, and conduct a threat and vulnerability risk assessment. Determine the baseline risk based on the likelihood of an event occurring and the level of impact if the event occurred. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 18 L 0*,, D I Physical Security Plan 3. Based on the risk assessment, develop the recommended mitigation measures to reduce the identified risk and determine the residual risk based on the recommended measures. 4. Develop or update the PSP, establish an implementation plan, implement the identified mitigation measures and integrate the PSP into LEU's resiliency plans and activities. 12. IMPLEMENTATION PLAN Since there were no "Covered" distribution facilities identified this section was not required. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 19 E.I Physical Security Plan APPENDIX A - CPUC DECISION 19-01-18 GUIDANCE The following contains the various criteria to provide Operators with guidance needed to identify Distribution Facilities requiring further assessment. Specifically, the CPUC Decision 19-01-18 sets forth the following as facilities requiring such assessments: 1. Distribution Facility necessary for crank path, black start or capability essential to the restoration of regional electricity service that are not subject to the California Independent System Operator's (CAISO) operational control and/or subject to North American Electric Reliability Corporation (NERC) Reliability Standard CIP-014-2 or its successors. 2. Distribution Facility that is the primary source of electrical service to a military installation essential to national security and/or emergency response services (may include certain airfields, command centers, weapons stations, emergency supply depots). 3. Distribution Facility that serves installations necessary for the provision of regional drinking water supplies and wastewater services (may include certain aqueducts, well fields, groundwater pumps, and treatment plants). 4. Distribution Facility that serves a regional public safety establishment (may include County Emergency Operations Centers; county sheriff's department and major city police department headquarters; major state and county fire service headquarters; county jails and state and federal prisons; and 911 dispatch centers). 5. Distribution Facility that serves a major transportation facility (may include International Airport, Mega Seaport, other air traffic control center, and international border crossing). 6. Distribution Facility that serves as a Level 1 Trauma Center as designated by the Office of Statewide Health Planning and Development: and 7. Distribution Facility that serves over 60,000 meters. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 110 APPENDIX B - LEU'S DOCUMENTATION The following table contains a list of the documentation that was provided by LEU and reviewed by AESI along with AESI's comments and observations on the documentation. Document Observations About Lodi Electric.pdf A write up the Lodi Electric Utility system, which describes the various loads that they serve. Assessment of Covered Facilities.xlsx LEU's initial assessment of their distribution substations as compared to the criteria to provide Operators with guidance needed to identify Distribution Facilities requiring further assessment, which is listed in Appendix A. Exhibit - A 60 kV loop.pdf A pdf diagram of LEU's distribution system on-line diagram which shows all of LEU's four distribution substations. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 111 APPENDIX C - CPUC DECISION 19-01-8 SIX -STEP PROCEDURE Safety and Enforcement Division's (SED) Risk Assessment & Safety Advisory (RASA) recommend six -step procedure for carrying out new physical security plan requirements to address utilities' distribution assets. These proposed steps are modeled on the security plan requirements set forth by NERC CIP-014. Step 1. Assessment. Drafting of a plan, addressing prevention, response, and recovery, which could be prepared in-house or by a consultant, and which shall include proposed and recommended mitigation measures. Step 2. Independent Review and Utility Response to Recommendations. Proposed plan would be reviewed and by an independent third party, likely a qualified consultant expert, national laboratory, or a regulatory or industry standard body (such as the Electric Power Research Institute). Step 2 would include reviewer recommendations that assess and appraise the appropriateness of the risk assessment, proposed mitigation measures, and other plan elements. A utility would be expected to fully address reviewer recommendations, including justifying any mitigations that it declines to accept; the independent third -party opinion/recommendations, utility response, threat and risk assessment, and mitigation measures combined would constitute a final plan report. Step 3. Safety and Enforcement Division (SED) Review (for IOUs only). Final plan report would be reviewed by the CPUC SED (recurring every five years) so as to determine whether it is in compliance with regulatory requirements, and eligible to request funding for implementation. Upon five years from the date of adoption, a utility would be required to have any revised or original plan updated and repeat the review process. Utilities may be afforded regulatory relief by way of an exemption request process for special cases where undertaking of the plan overhaul and/or review process may be impracticable or unduly burdensome. Non-compliance could result in an enforcement action, potentially resulting in sanctions and/or penalties as provided by. An SED finding of compliance would render IOUs eligible to request funding for appropriate physical security needs identified by IOUs; project expenditures would be tracked in a memorandum account and subject to reasonableness review in the GRC. Step 3a. Plan Review (for POUs only). Final plan report would be deemed adequate (recurring every five years, and eligible for same exemption request process made available to the IOUs) by a qualified authority designated by the applicable local governance body. (For example, Riverside Public Utilities currently develops a security and emergency response plan that conforms to the Governor's Office of Emergency Services (CalOES) and Federal Emergency Management Agency (FEMA) standards and receives their endorsement.) Step 4. Adoption (for POUs only). Reviewed plan would be submitted to the appropriate regulatory oversight body (local governance body) for review and greenlighting (adoption). Step 4 should include funding to implement the plan. Step 4a. Notice. (for POUs only). Provide CPUC with official notice (ideally including a copy of a resolution of the adopted plan action. Step 5. Maintenance. Ongoing adopted plan refinement and updates as appropriate and as necessary to preserve plan integrity. All security plans should be concurrent with and integrated into utility resiliency plans and activities. Step 6. Repeat Process. Plan overhaul and review every five years. Confidential and Sensitive Information — not to be copied or shared without the written permission of LEU Page 112 'i TrC Contains Security Sensitive Information — Do Not Release Unaffiliated Third -Party Review Lodi Electric Utility Physical Security Plan TRC Project No: 424225.0000.0000 Prepared For: City of Lodi - Electric Utility 1331 S Ham Lane Lodi, CA 95242 Prepared By: TRC Solutions 17911 Von Karman Ave, Suite 400 Irvine, CA 92614 Reviewer m Name: Michael Mello, CPP Reviewer Signature: Y/ K2 Review 6/3/2021 Date: [This page has been intentionally left blank.] Unaffiliated Third -Party Review �i TIRC TIRC Contains Security Sensitive Information — Do Not Release CONFIDENTIAL SECURITY SENSITIVE INFORMATION — DO NOT PHOTOCOPY OR RELEASE NOT FOR PUBLIC DISCLOSURE OR DISTRIBUTION. UNAUTHORIZED RELEASE MAY VIOLATE STATE AND/OR FEDERAL LAW. THIS DOCUMENT CONTAINS INFORMATION, WHICH MAY BE CONSIDERED CONFIDENTIAL OR SENSITIVE UNDER CERTAIN FEDERAL AND STATE STATUTES, REGULATIONS, JUDICIAL DECISIONS, AND ATTORNEY GENERAL OPINIONS. IT IS NOT TO BE DISCLOSED TO THE PUBLIC EXCEPT IN ACCORDANCE WITH APPLICABLE LAW. Unaffiliated Third -Party Review [This page has been intentionally left blank.] Unaffiliated Third -Party Review �i TIRC �i TIRC Table of Contents ACRONYMLIST........................................................................................................................ 5 1.0 Introduction....................................................................................................................... 6 2.0 Objective........................................................................................................................... 7 3.0 Qualifications to Perform Third -Party Review.................................................................... 7 4.0 Review Implementation Milestone Dates.......................................................................... 8 5.0 Description........................................................................................................................ 9 6.0 Recommended Changes to the Physical Security Plan ...................................................... 11 7.0 Limitations & Exclusions.................................................................................................. 12 Appendix A — CPP Certification Badge................................................................................... 13 4 Unaffiliated Third -Party Review �i TIRC ACRONYM LIST BPATS Best Practices for Anti -Terrorism Security CAISO California Independent System Operator CFATS Chemical Facility Anti -Terrorism Standards CIP Critical Infrastructure Protection CPP Certified Protection Professional CPTED Crime Prevention Through Environmental Design CPUC California Public Utility Commission LEU Lodi Electric Utility NERC North American Electric Reliability Corporation PSP Physical Security Professional Unaffiliated Third -Party Review 5 �i TRIC Contains Security Sensitive Information — Do Not Release 1.0 Introduction This unaffiliated third -party review was conducted by TRC Senior Security Consultant Mike Mello, CPP. This review was conducted of the Lodi Electric Utility (LEU) Physical Security Plan and its criteria for following the California Public Utilities Commission's (CPUC) Decision 19-01- 018 of January 22, 2019. The physical security plan was prepared by LEU and reviewed by TRC. Mike Mello, CPP led the assessment of the LEU physical security plan (draft) and was assisted by Rico Senence, CPTED, BPATS. This review was conducted in accordance with and is intended to meet the requirements of, CPUC Decision 19-01-018 January 10, 2019, with a date of issuance of 1/22/2019. CPUC Decision 19-01-018 states: This decision requires electric utilities to identify electric distribution assets that may merit special protection and measures to lessen identified risks and threats. In order to address the risk of long-term outage to a distribution facility, each Operator will develop and implement a Mitigation Plan. The Mitigation Plans will follow a six -step procedure for carrying out these new physical security plan requirements. The six -step plan is modeled on the security plan requirements set forth by the North America Electric Reliability Corporation (NERC) Critical Infrastructure Protocol (CIP)-014. Specifically, the Joint Utility Proposal sets forth the following as facilities requiring such assessments: 1. Distribution Facility necessary for crank path, black start or capability essential to the restoration of regional electricity service that is not subject to the California Independent System Operator's (CAISO) operational control and/or subject to North American Electric Reliability Corporation (NERC) Reliability Standard CIP-014-2 or its successors; 2. Distribution Facility that is the primary source of electrical service to a military installation essential to national security and/or emergency response services (may include certain airfields, command centers, weapons stations, emergency supply depots); 3. Distribution Facility that serves installations necessary forthe provision of regional drinking water supplies and wastewater services (may include certain aqueducts, well fields, groundwater pumps, and treatment plants); 4. Distribution Facility that serves a regional public safety establishment (may include County Emergency Operations Centers; county sheriff's department and major city police department headquarters; major 9 Unaffiliated Third -Party Review �i TRIC Contains Security Sensitive Information — Do Not Release state and county fire service headquarters; county jails and state and federal prisons; and 911 dispatch centers); 5. Distribution Facility that serves a major transportation facility (may include International Airport, Mega Seaport, other air traffic control center, and international border crossing); 6. Distribution Facility that serves as a Level 1 Trauma Center as designated by the Office of Statewide Health Planning and Development; and 7. Distribution Facility that serves over 60,000 meters. To evaluate each Mitigation Plan(s), each Operator will select an unaffiliated third party with the appropriate experience needed to review the Identification and Assessment evaluations and the Mitigation Plan(s) performed and developed by the Operator. After the Mitigation Plans have been evaluated, the Operator should either modify its Mitigation Plan to be consistent with the recommendations or document its reasons for not doing so. 2.0 Objective Conduct an unaffiliated third -party review of the physical security plan developed CPUC Decision 19-01-018. 3.0 Qualifications to Perform Third -Party Review Each utility shall employ a qualified third -party expert to provide independent verification of any Distribution Security Program and Mitigation Plans, taking the following requirements into account: Unaffiliated Third -Party Reviewer: The Unaffiliated Third -Party Reviewer shall be an entity other than the Operator with appropriate expertise, as described below. The selected third - party reviewer cannot be a corporate affiliate of the Operator (i.e., the third -party reviewer cannot be an entity that is controlled by the utility or controlled by or is under common control with, the Operator). A third -party reviewer also cannot be a division of the Operator that operates as a functional unit. A governmental entity can select as the third -party reviewer another governmental entity within the same political subdivision, so long as the entity has the appropriate expertise, and is not a division of the Operator that operates as a functional unit, i.e., a municipality could use its police department as its third -party reviewer if it has the appropriate expertise. Unaffiliated Third Party Reviewer Appropriate Expertise: The Unaffiliated Third -Party Reviewer shall be an entity or organization with electric industry physical security experience and whose review staff has appropriate physical security expertise, i.e., have at least one member who holds either an ASIS International Certified Protection Professional (CPP) or Physical Security Professional (PSP) certification; an entity or organization with demonstrated law enforcement, 7 Unaffiliated Third -Party Review �i TRIC Contains Security Sensitive Information — Do Not Release government, or military physical security expertise; or an entity or organization approved to do physical security assessments by the CPUC, Electric Reliability Organization or similar electrical industry regulatory body. The Unaffiliated Third -Party Reviewer is Michael Mello, CPP. Michael Mello is a Senior Security Consultant for TRC and fully meets the credential requirements CPUC Decision 19-01-018 6.4. He has been employed with TRC since 2019. Mr. Mello is a Certified Protection Professional (CPP) through ASIS International, having achieved the CPP certification in 2018 (CPP# 17339; Certification Date: 08/2018). Mr. Mello spent 30 years in law enforcement retiring from that position in 2010. Since that time, he has been deeply involved in consultation on areas of risk mitigation and management from a security standpoint, both as an educator and evaluator of technology, processes, and personnel. Mr. Mello's expertise extends to both national and international projects with subject matter expertise in security strategies, emergency management, and emerging technology. 4.0 Review Implementation Milestone Dates CPUC Decision 19-01-018 6.6 Timeline for Implementation states: 1. Each utility's Security Plan Report is due to the CPUC within 30 months of the approval of this decision; and 2. POUs only — Within 30 months of the approval of this decision, the POUs shall provide the Director of Safety and Enforcement Division and the Director of the Energy Division with notice of the plan adoption by way of a copy of a signed resolution, ordinance or letter by a responsible elected- or appointed official, or utility director. If a POU has an existing security plan that has been adopted by its Board of Directors or City Council within three years prior to the date of this decision, the requirement to have a plan adopted may be waived by the Commission. Table 1: Implementation Milestones Requirement Description Calendar Due Date Actual Posted Date R1 Physical Security Plan July 10, 2021 April 29, 2021 R2 Third -party verification of R1 6/4/2021 6/4/2021 8 Unaffiliated Third -Party Review �i TRC Contains Security Sensitive Information — Do Not Release 5.0 Description On June 3, 2021, this reviewer, along with Rico Senence from TRC, conducted a review of the draft physical security plan provided by LEU in accordance with CPUC Decision 19-01-018. LEU also provided information pertaining to an assessment of LEU's four distribution substations, which LEU has identified that none of their substations (hereafter referred to as "Covered Distribution Facility") require any special measures to reduce risks or threats. Since none of LEU's four distribution substations are considered covered distribution facilities, a physical security threat and vulnerability risk assessment are not required. It is further noted that LEU is not a NERC registered entity and therefore is not required to meet any standards under the NERC CIP regulations. The LEU listed Facilities include: Industrial, 1215 Thurman St., Lodi, CA Killelea, 545 E. Locust St., Lodi, CA Henning, 1331 South Ham Ln., Lodi, CA McLane, 2102 W. Turner Rd., Lodi CA The overall scope of the physical security plan is described as "to assess all of LEU -s distribution facilities and identify which facilities are considered as Covered Distribution Facilities pursuant to the Decision. Once the facilities have been identified, the potential physical security threats will be evaluated, followed by a threat and vulnerability risk assessment to determine the likelihood of an event occurring and the level of impact. Finally, the recommended mitigations for each identified threat will be evaluated while factoring in any appropriate considerations for resiliency, impact, and cost." As previously stated, during the evaluation process it was determined that the LEU locations listed do not meet the criteria level listed in CPUC's Decision 19-01-8 and are not considered "Covered" distribution facilities. Section 6 of the physical security plan outlines the criteria for CPUC's Decision 19-01-8 and LUE's assessment under those criteria and is identified in Table 2 below. 0 Unaffiliated Third -Party Review <i TrRC Contains Security Sensitive Information — Do Not Release Table 2: Identification of the in -scope distribution facilities Factor Joint IOU/POU Straw Proposal Assessment Distribution Facility necessary for crank path, black start or capability essential to the restoration of LEU does not have any distribution regional electricity service that are not subject to substations that are necessary to 1 the California Independent System Operator's support the requirements of this (CAISO) operational control and/or subject to North factor. American Electric Reliability Corporation (NERC) Reliability Standard CIP-014-2 or its successors Distribution Facility that is the primary source of LEU does not provide a primary electrical service to a military installation essential source of electric service a military 2 to national security and/or emergency response installation essential to national onal services (may include certain airfields, command security and/or emergency response centers, weapons stations, emergency supply depots) services. LEU does not provide any services for installation for regional drinking water supplies and wastewater services. Distribution Facility that serves installations necessary for the provision of regional drinking It should be noted that the City of 3 water supplies and wastewater services (may Lodi, does provide water and include certain aqueducts, well fields, groundwater wastewater services but just for the pumps, and treatment plants) City of Lodi, which is less than 30,000 water and less than 30,000 wastewater customers within city limits. LEU does not provide any services for a regional public safety establishment. Distribution Facility that serves a regional public safety establishment (may include County It should be noted that LEU does Emergency Operations Centers; county sheriff's provide services for the City of Lodi 4 department and major city police department Police and Fire which serve a headquarters; major state and county fire service population of less than 70,000 within headquarters; county jails and state and federal the city and there are no CA State prisons; and 911 dispatch centers) Prison, US Penitentiary, or Federal Correctional Institute in the City of Lodi. Distribution Facility that serves a major LEU does not provide any services for 5 transportation facility (may include International major transportation facilities or Airport, Mega Seaport, other air traffic control border crossing. center, and international border crossing) 10 Unaffiliated Third -Party Review <i TrRC Contains Security Sensitive Information — Do Not Release For this reason, this reviewer assesses that TRC agrees that LEU does not have any "Covered" facilities per CPUC Decision 19-01-018 and that the draft physical security plan proposed by LEU adequately meets the requirements of LEU's needs for a Physical Security Plan. Further, the planned overhaul and review of every five years is an adequate time frame under the Safety and Enforcement Division's Risk Assessment & Safety Advisory's six -step procedure for carrying out new physical security plan requirements which are modeled on NERC CIP-014 security plan requirements. The only exception to this review time would be in the case of a major change, such as new construction, purchase or sale of a facility, or other large-scale change that could affect whether a location is a Covered Distribution Facility or not. 6.0 Recommended Changes to the Physical Security Plan CPUC Decision 19-01-018 Requirement 4.4 Verification states: In order to evaluate each Mitigation Plan(s), each Operator will select an unaffiliated third party with the appropriate experience needed to review the Identification and Assessment evaluations and the Mitigation Plan(s) performed and developed by the Operator. After the Mitigation Plans have been evaluated, the Operator should either modify its Mitigation Plan to be consistent with the recommendations or document its reasons for not doing so. Table 3 below lists all recommended physical security enhancements, modifications, and mitigations developed during this Review. It should be noted that the response to these recommendations is auditable. Table 3: Recommended Changes Recommended Changes to the Physical Security Plan No recommendations. 11 Unaffiliated Third -Party Review LEU does not provide any services for a Level 1 Trauma Center as designated Distribution Facility that serves as a Level 1 Trauma by the Office of Statewide Health 6 Center as designated by the Office of Statewide Planning and Development. Health Planning and Development It should be noted that LEU does provide services to the City of Lodi's Memorial Hospital. LEU provides services of 7 Distribution Facility that serves over 60,000 meters approximately 28,000 electric meters,which is below the CPUC guidance threshold of 60,000 meters. For this reason, this reviewer assesses that TRC agrees that LEU does not have any "Covered" facilities per CPUC Decision 19-01-018 and that the draft physical security plan proposed by LEU adequately meets the requirements of LEU's needs for a Physical Security Plan. Further, the planned overhaul and review of every five years is an adequate time frame under the Safety and Enforcement Division's Risk Assessment & Safety Advisory's six -step procedure for carrying out new physical security plan requirements which are modeled on NERC CIP-014 security plan requirements. The only exception to this review time would be in the case of a major change, such as new construction, purchase or sale of a facility, or other large-scale change that could affect whether a location is a Covered Distribution Facility or not. 6.0 Recommended Changes to the Physical Security Plan CPUC Decision 19-01-018 Requirement 4.4 Verification states: In order to evaluate each Mitigation Plan(s), each Operator will select an unaffiliated third party with the appropriate experience needed to review the Identification and Assessment evaluations and the Mitigation Plan(s) performed and developed by the Operator. After the Mitigation Plans have been evaluated, the Operator should either modify its Mitigation Plan to be consistent with the recommendations or document its reasons for not doing so. Table 3 below lists all recommended physical security enhancements, modifications, and mitigations developed during this Review. It should be noted that the response to these recommendations is auditable. Table 3: Recommended Changes Recommended Changes to the Physical Security Plan No recommendations. 11 Unaffiliated Third -Party Review <i TrRC Contains Security Sensitive Information — Do Not Release 7.0 Limitations & Exclusions LEU is to be reminded that per Step 6 of the six -step plan as outlined in CPUC Decision 19-01- 018 states "Plan overhaul and review every five years. Changes to Security Plan requirements may also be done by SED (or successor entity) director letter." By performing this Unaffiliated Third -Party Review, TRC is not declaring LEU's sites safe or secure from all threats and hazards. The Threats, and the associated Vulnerabilities at the site, that would be presented in an Assessment, would have dictated the security measures that are to be outlined in the Physical Security Plan; and these vulnerabilities and security measures would be the focus of this review. The Physical Security Plan provides information on those specific security measures discussed herein that will be implemented at a site based on the existing security posture at the time of this project, in which there were no "Covered" distribution facilities identified. 12 Unaffiliated Third -Party Review �i TRIC Contains Security Sensitive Information — Do Not Release Appendix A - CPP Certification Badge 4A�oT1.1--00 CTI _ cERric,�o MICHAEL MELLO � ASIS o INTERNATIONAL CO, Unaffiliated Third -Party Review 13 Lodi Electric Utilitv "Fi6i- A- Physical Security Plan 2021 `EHEC 1A�C VIIII� JUNE 9 Lodi Police Department Authored by: Lt. Kevin Kent and Sgt. Elias Ambriz Physical Security Plan Review The California Public Utility Commission (CPUC) issued Decision 19-01-018 requiring utilities to develop and implement a Physical Security Plan (PSP). The City of Lodi's electric utility facilities do not meet the identification of the in -scope distribution facilities in accordance with SB 699. Those facilities are as follows: Industrial (1215 Thurman Street, Lodi, CA) Killelea (545 East Locust Street, Lodi, CA) Henning (1331 South Ham Lane, Lodi, CA) McLane (2102 West Turner Road, Lodi, CA) The factors excluding City of Lodi electric utilities facilities are the following: r Joint ICIU/PCII Straw Proposal Description Lodi Electric Utility (LEU) Covered IlDistribution 1 Distribution Facility necessary for crank path, black start or capability essential to the LEU does not have any distribution restoration of regional electricity service that are substations that are necessary to support the not subject to the California Independent System requirements of this factor. Operator's (CAISO) operational control and/or subject to North American Electric Reliability Corporation (NERC) Reliability Standard CIP-014- 2 or its successors Confidential and Sensitive Information — not to be copied or shared without written permission of LEU 2 Distribution Facility that is the primary source of electrical service to a military installation LEU does not provide a primary source of essential to national security and/or emergency electric service to a military installation response services (may include certain air fields, essential to national security and/or command centers, weapons stations, emergency emergency response services. supply depots) It should be noted that the City of Lodi provide services for a local National Guard barrack that is not an essential national security and/or emergency response service. 3 Distribution Facility that serves installations necessary for the provision of regional drinking LEU does not provide any services for water supplies and wastewater services (may installation for regional drinking water include certain aqueducts, well fields, supplies and wastewater services. groundwater pumps, and treatment plants) It should be noted that the City of Lodi does provide water and wastewater services but just for the City of Lodi. 4 Distribution Facility that serves a regional public safety establishment (may include County LEU does not provide any services for a Emergency Operations Centers; county sheriff's regional public safety establishment. department and major city police department headquarters; major state and county fire It should be noted that the LEU does provide service headquarters; county jails and state and services for the City of Lodi Police and Fire federal prisons; and 911 dispatch centers) which serve a population of less than 70,000 within the city and there are no CA State Prison, US Penitentiary, or Federal Correctional Institute in the City of Lodi. 5 Distribution Facility that serves a major transportation facility (may include International LEU does not provide any services for major Airport, Mega Seaport, other air traffic control transportation facilities or border crossing. center, and international border crossing) 6 Distribution Facility that serves as a Level 1 Trauma Center as designated by the Office of LEU does not provide any services for a level Statewide Health Planning and Development 1 Trauma Center as designated by the Officer of Statewide Health Planning and Development. It should be noted that LEU does provide services to the City of Lodi's Memorial Hospital. Confidential and Sensitive Information — not to be copied or shared without written permission of LEU 7 Distribution Facility that serves over 60,000 meters. LEU provides services of approximately 28,000 electric meters, which is below the CPUC guidance threshold of 60,000 meters. In accordance with the Lodi Electric Utility Physical Security Plan section 10.2 - Qualified Authority, the Lodi Police Department makes the following recommended changes to the Physical Security Plan: No recommendations 40 41 VOLIC JZ I I,® Confidential and Sensitive Information — not to be copied or shared without written permission of LEU RESOLUTION NO. 2021-179 A RESOLUTION OF THE LODI CITY COUNCIL ADOPTING LODI ELECTRIC UTILITY'S 2021 PHYSICAL SECURITY PLAN WHEREAS, on January 18, 2019, the California Public Utility Commission (CPUC) issued Decision 19-01-018, requiring utilities to develop and implement a Physical Security Plan (PSP); and WHEREAS, the Decision requires that within 30 months, all publicly -owned utilities (POUs) provide the CPUC with a notice that an independently -reviewed plan has been adopted; and WHEREAS, Lodi Electric Utility (LEU) has developed a PSP and engaged an unaffiliated independent third -party (TRC Solutions) for its review; and WHEREAS, TRC Solutions has concurred with the regulatory compliance of the report as written; and WHEREAS, LEU's PSP was further reviewed and signed by the Lodi Police Department. NOW, THEREFORE, BE IT RESOLVED that the Lodi City Council does hereby adopt the Lodi Electric Utility 2021 Physical Security Plan. Dated: June 16, 2021 ------------------------------------------------------------------------ ------------------------------------------------------------------------ I hereby certify that Resolution No. 2021-179 was passed and adopted by the City Council of the City of Lodi in a regular meeting held on June 16, 2021, by the following vote: AYES: COUNCIL MEMBERS — Chandler, Hothi, Khan, and Kuehne NOES: COUNCIL MEMBERS — None ABSENT: COUNCIL MEMBERS — Nakanishi ABSTAIN. COUNCIL MEMBERS — None NNIFE CUSMIR City Clerk 2021-179