From: Belden, Matthew L
Sent: Friday, June 4, 2021 11:12 AM
To: ElectricSystemEO
Cc: Dulgeroff, Alan
Subject: [EXTERNAL] SDG&E Response to DOE RFI

Dear Mr. Coe,

Please see below the San Diego Gas & Electric response to the Department of Energy Request for Information along with the following attachments.

Attachments
1. Declaration of Paul Stockton
2. Declaration of William Sauntry
3. USMC Letter

2. What specific additional actions could be taken by regulators to address the security of critical electric infrastructure and the incorporation of criteria for evaluating foreign ownership, control, and influence into supply chain risk management?

San Diego Gas & Electric Company, SDG&E, believes there are additional actions that could be taken by regulators to address the security of critical electric infrastructure, specifically providing a national mandate to protect safety-security sensitive infrastructure information.

For example, SDG&E would like to highlight the serious matter of critical information publicly posted on websites (e.g., the DHS website at https://hifld-geoplatform.opendata.arcgis.com/datasets/electric-power-transmission-lines?geometry=-114.805%2C34.152%2C-104.379%2C37.273). SDG&E treats this information as sensitive and confidential because this type of information goes well beyond simply the location of infrastructure (e.g., satellite images), and instead contains multiple layers of specific electric transmission and substation location, configuration, and high-resolution GIS data, including potentially strategic information depicting how lines are connected, underground lines not visible in satellite imagery, voltage, status (e.g., operational), owner, name, ID, type of configuration (e.g., double circuit), fuel type, rating (MW/MWh), etc. SDG&E understands that many others in the industry also consider this information as sensitive, and accordingly do not post it publicly.

Critical Energy/Electric Infrastructure Information (CEII) regulations of the Federal Energy Regulatory Commission (FERC) attempt to ensure the federal protection of this information when submitted by an industry participant. However, they stop short of a requirement of all industry participants and agencies, including state regulators, to maintain it as confidential. Without clear federal criteria and mandate, decisions on whether to freely disclose this sensitive information with national security implications are left to the varying interpretations and policies of states and stakeholders.

Failing to provide a national mandate against publicly posting this information, whether already posted on certain websites or not, could pose a threat to public safety and the reliability of the electric grid, as described in the attached sworn declaration of William C. Sauntry, which was submitted in the context of a California Public Utilities Commission proceeding. In the wrong hands, this information provides a road map for an individual or entity meaning to do harm, to carry out an attack on high impact facilities with detrimental effect to the public and the electric grid.

SDG&E’s treatment of this information as confidential aligns with the CEII and North American Electric Reliability Corporation (NERC) Rules of Procedure criteria. SDG&E provides some CEII information to third parties, such as project developers, but limits any such sharing to those on a need-to-know basis that have a Non-Disclosure Agreement (NDA) in place.

With an increased focus on security, industry standards provide guidance to utilities in addressing the protection of key physical assets.
For example, the stated purpose of NERC CIP-014 and its requirements is to identify and protect transmission lines and substations (and their associated control centers) that, if rendered inoperable or damaged as a result of a physical attack, could result in widespread instability, uncontrolled separation or cascading within an Interconnection.

CEII is defined by FERC as information related to, or proposed for, critical electric infrastructure:

• Generated by or provided to the Commission or other state or federal agencies other than classified national security information
• That is designated as critical electric infrastructure information by the Commission or the Secretary of the Department of Energy pursuant to section 215A(d) of the Federal Power Act

CEII is specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure (physical or virtual) that:

• Relates details about the production, generation, transmission, or distribution of energy
• Could be useful to a person planning an attack on critical infrastructure
• Is exempt from mandatory disclosure under the Freedom of Information Act; and
• Gives strategic information beyond the location of the critical infrastructure.

The information that SDG&E deems sensitive and potentially subject to CEII protection, as exemplified by filings such as FERC 715, includes but is not limited to existing and planned electric transmission and substation:

• Lines, conductor routing, equipment (including generation), and structures
• Asset or equipment identification
• Asset or equipment ratings (e.g., current, power, voltage)
• Asset or equipment actual or forecasted load and generation (e.g., current, power)
• Locational information in reference to the above, such as GIS coordinates

The need to identify, protect and minimize access to sensitive information is particularly important in today’s operating environment where cyber intrusions (including intrusions against the electric industry) are growing in frequency and seriousness. Fixing America’s Surface Transportation (FAST) Act turns CEII into a Freedom of Information Act (FOIA) exemption to limit the public’s ability to obtain CEII.

Other security experts we’ve engaged, including with experience in the Ukraine cyberattacks and a senior Obama Administration official responsible for U.S. infrastructure defense (please see Dr. Paul Stockton declaration attached), have helped validate our concerns related to the sensitivity of this information and the risks that foreign adversaries may use it to design and execute attacks on the grid. The recent attack on the Colonial Pipeline further underscores the international threats to critical infrastructure that we face as a nation. December 2020 events in Aspen and Nashville also highlight the growing risk that domestic violent extremists may use widely available, and highly destructive, weapons and explosives to attack critical infrastructure nodes.

SDG&E is also engaging with customers to hear their insight and potential concerns related to the sensitivity of this data.
For example, the United States Marine Corps, one of our largest customers with a critical mission supported by the local and interstate electric system, shared SDG&E’s concerns in the attached letter.

Akin to our social security numbers which were often freely shared decades ago and are now carefully guarded, our classification and protection of sensitive electric system data should also evolve. SDG&E urges the federal government to expeditiously eliminate public postings (such as the DHS site reference above), review and bolster government controls and handling of similarly sensitive data, and institute a national directive to consistently safeguard this sensitive information.

Please feel free to contact SDG&E to discuss this further.

Respectfully,

Matt Belden
Manager | Distribution Planning
T 619.230.7809
E MBelden@sdge.com