· Although the Public Utilities Commission is responsible for ensuring the safety and security of the clean water and water systems, including the local and regional water systems, the Public Utilities Commission has failed to implement security enhancement projects at its facilities in a timely manner. More than two years after Lawrence Livermore National Laboratory identified the Public Utilities Commission's various critical sites that are vulnerable to potential security-related emergency situations, the Public Utilities Commission is only now drafting the Request for Proposals for a security design consultant to oversee the assessment, integration, and installation of electronic security equipment. The Public Utilities Commission has also failed to implement capital projects to enhance the physical security system of its facilities in a timely manner. For example, the Public Utilities Commission has not spent $3.9 million, or approximately 81.3 percent, of the $4.8 million budget for the Facilities Security Project originally appropriated by the Board of Supervisors in FY 2003-2004.

· The Public Utilities Commission has not filled the new Security Director position, which reports to the Public Utilities Commission's Deputy General Manager and has been vacant for more than one year. According to Public Utilities Commission staff, the failure to fill the vacant Security Director position has resulted in a lack of guidance in security program coordination and decision-making and setting performance measures. Without this position, the Public Utilities Commission lacks a voice to communicate and understand security-related issues for all of the Public Utilities Commission.

· The Deputy General Manager has not ensured that the operating divisions' Emergency Operations Plans are updated regularly. Because these plans assign responsibility in emergencies to individuals within the organization, the plans need to be current to ensure accurate information in an emergency. For example, the City Distribution Division's current Emergency Operations Plan is outdated, not reflecting staff turnover and recent organizational changes.

· During a site visit to the Southeast Water Pollution Control Plant, a management audit team member, along with Public Utilities Commission staff, witnessed two people outside the Southeast Water Pollution Control Plant facility carrying two metal tubes. The Public Utilities Commission staff suspected that the two people just jumped the facility's fence and stole the metal tube to be sold for money. According to the Public Utilities Commission, staff are specifically directed not to confront intruders to avoid unnecessary injury. However, the Public Utilities Commission has no written department-wide policy covering responses to criminal activity or security breaches, no department-wide program to train staff regarding the policy, no department-wide incident reporting system, and no process to identify the relative costs of criminal activity and programs to reduce criminal activity.

The Public Utilities Commission's Security Plan

The Public Utilities Commission has several components to its security planning process, including the Emergency Operations Plan and capital planning to enhance the physical and electronic security of the Public Utilities Commission's facilities. The Public Utilities Commission Deputy General Manager is responsible for managing the Public Utilities Commission's security planning and monitoring functions.

The Emergency Operations Plans

The Public Utilities Commission currently has an Emergency Operations Plan that contains a general framework for responding to any type or magnitude of emergency or disaster. This Emergency Operations Plan, which was first implemented in 1998 and most recently updated in September of 2004, , addresses a broad range of potential emergency situations that may affect the Public Utilities Commission. This plan aligns with the City and County of San Francisco's Emergency Operations Plan and is considered a "living" document, which is updated periodically, as emergency contacts change and new policies and procedures arise. Since the Emergency Operations Plan is comprised of multiple documents in one binder, a pocket-sized Emergency Reference Guide has been developed to serve as a quick reference for those assigned to perform emergency situations. Some of the materials contained in this Emergency Operations Plan binder are the Public Utilities Commission's basic plan in the event of natural or man made emergencies and disasters, lines of succession, an employee emergency action plan, emergency response roles and priorities for each division and bureau, and a Security Contingency Plan. The purpose of this Security Contingency Plan is to provide a security-preparedness plan to protect Public Utilities Commission personnel against injuries and loss of lives and to protect the Public Utilities Commission water and water/power infrastructures against contamination and/or damage.

The Public Utilities Commission's Security Section, which is under the direction of the Public Utilities Commission's Deputy General Manger, regularly provides the operating division staff with updated emergency preparedness information. Each operating division has its own version of the Emergency Operations Plan. Although these operating division Emergency Operations Plans should be reviewed at least annually and updated as needed, the Security Section has not ensured that the operating Emergency Operations Plans are current. For example, the City Distribution Division has its own emergency operations plan that needs to be updated due to staff turnover and recent organizational changes. Further, the Security Division should ensure that these plans are user-friendly and easily accessible to field staff.

The Public Utilities Commission's Delays in Implementing Facilities Security Enhancements

The Public Utilities Commission has identified critical sites that are vulnerable to security breaches or emergency events, but the Department has failed to implement security enhancement projects at its facilities in a timely manner. In March 2003, the Lawrence Livermore National Laboratory completed the Vulnerability Assessment for the Public Utilities Commission. This report identifies the primary critical Public Utilities Commission sites (for example, the water supply system) that are vulnerable to potential security-related emergency situations or incidents.

Overall, the Department has been slow in implementing recommendations included in the vulnerability report. Over two years after Lawrence Livermore National Laboratory completed the Vulnerability Assessment, the Public Utilities Commission is only now drafting the Request for Proposals for a security design consultant to oversee the planning, design, and implementation of security enhancement projects at the various Public Utilities Commission enterprises, including the assessment, integration, and installation of electronic equipment. The Department intends to award the contract in the fall of 2005, approximately two and a half years after the Vulnerability Assessment was completed.

According to Public Utilities Commission staff, the Public Utilities Commission's security enhancement projects have two parts: (a) physical security and (b) electronic security. Although the Public Utilities Commission has the resources to address physical security enhancements by performing tasks such as putting up barriers, fences, locks, and lighting, the Department lacks qualified staff to implement electronic security enhancement. For this reason, the Department plans to hire a security consultant to integrate and install such electronic security equipment. The Public Utilities Commission's engineering staff can plan the electronic enhancements, many of which will be included in the Water System Capital Improvement Program projects, including retrofitting of reservoirs, updating other facilities, and standardizing various security operations, such as standard vents, alarms, and card readers. The security consultant would be tasked with actually assessing, integrating, and installing the electronic components of their security enhancement plans.

In addition to the delay in the hiring of a consultant to implement electronic security measures, the Public Utilities Commission has also failed to implement the capital projects to enhance the physical security system of its facilities in a timely manner. For example, of the $4.8 million budget for the Facilities Security Project (CUW253) originally appropriated in FY 2003-2004,¹ the Public Utilities Commission has an outstanding unexpended balance of $3.9 million, approximately 81.3 percent of the original appropriation.

Delays in Filling the Vacant Security Director Position

The Public Utilities Commission has failed to fill the vacant Security Director position for more than a year, which has resulted in a lack of guidance in security program coordination and decision-making within the organization. The new Security Director position, first approved by the Board of Supervisors in FY 2004-2005 would report directly to the Public Utilities Commission's Deputy General Manager and manage the Public Utilities Commission's security program. According to the Public Utilities Commission, this Security Director position has been vacant for over one year. This position, which is placed high in the organization, would ultimately oversee the planning and implementation of all security projects and programs at the Public Utilities Commission, including coordinating various components of the organization and accessing all of Public Utilities Commission's sites and facilities. The Department needs to prioritize the hiring of its Security Director in order to ensure that security projects go beyond planning and into implementation.

Day-to-Day Field Security

The operating divisions, particularly the Southeast Water Pollution Control Plant, risk loss from theft, break-ins, vandalism, and other illegal acts. The Public Utilities Commission lacks a mechanism to systematically document and determine the costs of such thefts. Public Utilities Commission staff informed the Budget Analyst that there have been a number of break-ins in their Southeast Water Pollution Control Plant involving people stealing such materials as copper lines, equipment, and aluminum covers from their facilities. According to Public Utilities Commission staff, such break-ins and thefts happen almost every week and that the situation is getting worse.

During the Budget Analyst's site visit to the Southeast Water Pollution Control Plant, a management audit team member, along with Public Utilities Commission staff, witnessed two people outside the Southeast Water Pollution Control Plant facility carrying two metal tubes. The Public Utilities Commission staff suspected that the two people just jumped the facility's fence and stole the metal tube to be sold for money. According to the Public Utilities Commission, staff are specifically directed not to confront intruders to avoid unnecessary injury. Although the Public Utilities Commission's stated policy is to report these incidents to law enforcement personnel, the Public Utilities Commission does not have a written department-wide policy or formal procedure to inform staff of the policy.

The Public Utilities Commission Security Director should develop department-wide written policies regarding (a) employees' responsibilities when witnessing a criminal act, including procedures to notify management and law enforcement personnel, and (b) an incident reporting system to track criminal activity or security breaches to determine commonly occurring or high cost incidents. Further, the Security Director, in conjunction with the Assistant General Managers, Infrastructure, Clean Water, and Water, should develop (a) a loss prevention program for losses associated with theft, vandalism, or other criminal activity, and (b) annual reports to the General Manager and the Public Utilities Commission on the estimated costs of loss associated with criminal activity and proposals to reduce loss from criminal activity.

Conclusions

The Public Utilities Commission has identified its various critical sites that are vulnerable to potential security-related emergency situations, but the Department has failed to move forward in implementing its various security enhancement projects in a timely manner. The delay in the Department's hiring of a security consultant to assess, integrate, and install the Department's electronic security measures, over two years after the Vulnerability Assessment has been completed, is evident of the Department's untimely response to its security issues and needs. In addition, this delay is also evident from the fact that only 18.7 percent of its $4.8 million budget for the Facilities Security Project have been expended so far.

Further, the Public Utilities Commission has also been slow in hiring a Security Director, which is a position that has been vacant for over one year. The failure to fill the vacant Security Director position has resulted in a lack of guidance in the Department's security program coordination and decision-making.

Lastly, although the Department's facilities are vulnerable to day-to-day security problems such as thefts and break-ins, the Department has no consistent procedures to respond to these field security issues. This lack of clear guidelines has resulted in the Department's inability to systematically document and determine the costs of such illegal acts.

Recommendations

The Public Utilities Commission General Manager should:

6.1 Direct the Deputy General Manager to ensure that the Security Director and operating division managers regularly revise department-wide and facility-specific Emergency Operations Plans.

6.2 Direct the Deputy General Manager to ensure that the department-wide and facility-specific Emergency Operations Plans are easily accessible to its staff.

6.3 Present a plan and timelines to develop comprehensive electronic security measures for the Public Utilities Commission's facilities to the Public Utilities Commission no later than December 31, 2005.

6.4 Present a capital spending plan and timelines for the Facilities Security Project to the Public Utilities Commission during the February 2006 budget presentation.

6.5 Prioritize the hiring of a Security Director to manage the Public Utilities Commission's security and emergency planning program.

6.6 Direct the Security Director to develop department-wide written policies regarding:

6.7 Direct the Security Director, in conjunction with the Assistant General Managers, Infrastructure, Clean Water, and Water, to develop:

Costs and Benefits

The costs of the above recommendations include the resources used for regularly revising the Emergency Operations Plans and systematically keeping track of security-related incidents. In addition, the Public Utilities Commission's budget contains $4.8 million for the Facilities Security Project, which includes the implementation of both physical and electronic security measures. Benefits include improved measures to identify security weaknesses at Public Utilities Commission facilities, as well as the benefits from being prepared in case of an emergency and disaster. Additionally, filling out the vacant Security Director position with a competent and experienced person would enable the entire organization to have a centralized voice in addressing and coordinating the organization's multifaceted security and emergency preparedness needs and plans. Finally, improvements to facilities security will safeguard against break-ins and theft of the Public Utilities Commission assets.

¹ The Board of Supervisors appropriated $2 million in FY 2003-2004 and $2.8 million in FY 2004-2005 for the Facility Security Project.