[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]

PROTECTING THE ELECTRIC GRID FROM CYBERSECURITY THREATS
=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON ENERGY AND AIR QUALITY OF THE COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION

SEPTEMBER 11, 2008

Serial No. 110-145

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PRINTING OFFICE
61-860 PDF
WASHINGTON : 2008

COMMITTEE ON ENERGY AND COMMERCE

JOHN D. DINGELL, Michigan, Chairman

HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado, Vice Chairman
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
JANE HARMAN, California
TOM ALLEN, Maine
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
DARLENE HOOLEY, Oregon
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
DORIS O. MATSUI, California

JOE BARTON, Texas, Ranking Member
RALPH M. HALL, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

Professional Staff

Dennis B. Fitzgibbons, Chief of Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
Bud Albright, Minority Staff Director

Subcommittee on Energy and Air Quality

RICK BOUCHER, Virginia, Chairman

G.K. BUTTERFIELD, North Carolina, Vice Chairman
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
ALBERT R. WYNN, Maryland
MIKE DOYLE, Pennsylvania
JANE HARMAN, California
TOM ALLEN, Maine
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
DARLENE HOOLEY, Oregon
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
DORIS O. MATSUI, California
JOHN D. DINGELL, Michigan (ex officio)

FRED UPTON, Michigan, Ranking Member
RALPH M. HALL, Texas
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOHN B. SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi
ROY BLUNT, Missouri
MARY BONO MACK, California
GREG WALDEN, Oregon
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas (ex officio)

Professional Staff

Sue D. Sheridan, Chief Counsel
John W. Jimison, Counsel
Rachel Bleshman, Legislative Clerk
David McCarthy, Minority Counsel

C O N T E N T S

Hon. Rick Boucher, a Representative in Congress from the Commonwealth of Virginia, opening statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, opening statement
Hon. Edward J. Markey, a Representative in Congress from the Commonwealth of Massachusetts, opening statement
Hon. Joe Barton, a Representative in Congress from the State of Texas, opening statement
Hon. Mike Rogers, a Representative in Congress from the State of Michigan, prepared statement
Hon. John D. Dingell, a Representative in Congress from the State of Michigan, prepared statement

Witnesses

James R. Langevin, Chairman, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security
    Prepared statement
Joseph Kelliher, Chairman, Federal Energy Regulatory Commission
    Prepared statement
    Answers to submitted questions
Kevin M. Kolevar, Assistant Secretary, Office of Electricity Delivery and Energy Reliability, U.S. Department of Energy
    Prepared statement
    Answers to submitted questions
Richard P. Sergel, President, North American Electric Reliability Corporation
    Prepared statement
    Answers to submitted questions
Susan N. Kelly, Vice President, Policy Analysis, and General Counsel, American Public Power Association
    Prepared statement
    Answers to submitted questions
Steven T. Naumann, Vice President, Wholesale Market Development, Government and Environmental Affairs and Public Policy, Exelon Corporation
    Prepared statement
    Answers to submitted questions
Barry R. Lawson, Manager, Power Delivery, National Rural Electric Cooperative Association
    Prepared statement
    Answers to submitted questions

Submitted Material

Discussion draft
National Association of Regulatory Utility Commissioners, NARUC, statement of, submitted by Mr. Boucher
Electricity Consumers Resource Council, ELCON, statement of, submitted by Mr. Boucher
Canadian Electricity Association, CEA, statement of, submitted by Mr. Boucher
Subcommittee exhibit binder index

PROTECTING THE ELECTRIC GRID FROM CYBERSECURITY THREATS

THURSDAY, SEPTEMBER 11, 2008

House of Representatives,
Subcommittee on Energy and Air Quality,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 11:10 a.m., in room 2322 of the Rayburn House Office Building, Hon. Rick Boucher (chairman) presiding.

Members present: Representatives Boucher, Melancon, Barrow, Markey, Upton, Shimkus, Walden, Rogers, and Barton (ex officio).

Staff present: John Jimison, Richard Miller, Rachel Bleshman, Alex Haurek, David McCarthy, Andrea Spring, and Garrett Golding.

OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

Mr. Boucher. The subcommittee will come to order.
This morning we are addressing a means of protecting the Nation's electricity grid from cybersecurity threats through which computer hackers could maliciously gain access by way of the Internet to the computers controlling key components of our Nation's electricity system and cause either short term system outages or more serious permanent system damage.

No industry is more essential to the Nation's economy than is our electricity sector, and its protection is vital to both our economic security and to our national security.

The Nation's electricity system consists of generators and regional networks of interconnected transmission lines. The controls which operate the grid and electricity generators attached to it are increasingly computer-connected to the Internet. In fact, increasing the degree of interactive grid computerization is a major element of the development of a smart grid which will improve system reliability, optimize generation, promote load balance, improve consumption management, and integrate new smart appliances and equipment.

But with increased reliance on interactive digital technology comes the added risk of computer hackers entering the system and causing truly extensive damage.

The Idaho National Laboratory conducted tests using the code name Aurora, demonstrating that standard utility control systems could be penetrated and adversely affected through unauthorized computer access. This demonstration showed that a cyber intruder could manipulate the control systems of a generation facility resulting in massive physical damage that could take months to repair.

Cyber attacks on electricity systems have occurred in a number of nations, and the Federal Energy Regulatory Commission reports 20 documented cases where hackers have penetrated networks and were able to affect controls on dams, on a nuclear reactor, and have disabled backup generation and shut down power plants.

The Defense Science Board reports that U.S. grid control systems are continuously probed electronically, and while none has yet been the subject of major damage or grid outages in the United States, cyber attacks have caused major grid outages in other nations.

In 2007, the Department of Homeland Security notified the North American Electricity Reliability Corporation, known as NERC, of the Aurora vulnerability demonstrated by the Idaho National Laboratory. Based on this notification, the NERC issued an advisory to 1,800 owners and operators of facilities associated with our Nation's power grid and provided a 60-day schedule for immediate mitigation measures as well as longer term measures that would be implemented over a 180-day period.

But compliance with this advisory recommendation was entirely voluntary by these 1,800 owners of facilities that are components of the national grid.

The Federal Energy Regulatory Commission recently audited compliance with the advisory issued by the NERC and conducted that audit among 30 utilities. It found that of the 30 audited, 23 were not in compliance with the NERC advisory.

One utility reportedly had a 10-year compliance schedule, notwithstanding the fact that 180 days was the outer limit for compliance in the NERC advisory. Another utility had never changed the factory-installed user names and passwords on its computers controlling its systems, and it was therefore clear that self-interest alone was not a sufficient motivation to mitigate the Aurora vulnerability.

Based on the documented threat to the electricity system and on the noncompliance with voluntary measures which the audit revealed, the FERC, along with the U.S. Department of Energy and the Department of Defense, have identified an urgent need for legislative authority to allow the federal government to compel implementation of the measures to respond to the cybersecurity threat to our Nation's electricity grid.
In response to that need, this subcommittee, on a bipartisan basis, has developed a bipartisan discussion draft. It requires the FERC to undertake a rulemaking to determine what measures or actions should be required to protect the bulk power system against vulnerabilities and then provides the FERC with the authority to enforce the rule once adopted.

In addition, the FERC would be granted authority to issue such emergency orders as it deems necessary to protect the reliability of the bulk power system with regard to potential new cybersecurity emergencies not identified in the original rule, which are judged to be imminent threats under presidential declaration.

While the discussion draft represents an outstanding bipartisan step toward enactment of the necessary federal legislation, several questions do remain open, and these questions will be addressed by our witnesses this morning.

The outstanding issues include whether any legislation should be limited to cybersecurity threats alone or whether a grant of authority to address physical attacks on the grid should also be included. Another open issue is the exact wording of the specific definition of cybersecurity threat. A third open issue is the set of circumstances under which interim measures may be discontinued once they are activated. And finally the scope of the bill with regard to whether it includes entities not technically within our bulk power system, such as the electricity systems of the States of Hawaii and Alaska, the territory of Guam, and also core distribution facilities for electricity in some of our major cities such as New York City and Washington, D.C.

And we will hear from our witnesses with regard to their sometimes contrasting views on these outstanding issues.
Today's hearing will feature expert witnesses who will present information on both the potential threat of cybersecurity attacks against the electricity system and also the appropriate legislative response that we should be making to guard against those threats.

I want to commend the staff on a bipartisan basis for the outstanding work that they have done during the August recess on this matter. The staff on both sides of the aisle have participated together in obtaining briefings from the agencies I have identified in this statement. They have participated together in constructing the legislative draft that is the subject of our hearing this morning, the discussion draft. And I want to commend them for doing that at a time when Congress was not here and when they were busily at work attending to this urgent business.

I also want to say thank you to the ranking member of this subcommittee, Mr. Upton from Michigan, for his outstanding efforts and for that of his staff. He and I have had discussions with regard to this matter. We are participating jointly in the exercise to move our discussion draft to final legislation and to markup. Hopefully that will occur perhaps within the course of the coming week.

And that partnership is a reflection of how this subcommittee and our full committee operate when it is at its best, and that is working in a bipartisan fashion to produce consensus solutions to the major problems that confront us. Nowhere has that effort been better reflected than in the work that has been done over August and that we continue here this morning.

[Discussion draft follows:]
Mr. Boucher. And at this time, I am pleased to recognize the ranking Republican on the Energy and Air Quality Subcommittee, Mr. Upton of Michigan, for his remarks.

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

Mr. Upton. Well, thank you, and I do want to thank you and the staff on both sides. This is a very important hearing, an issue that we need to deal with. I appreciate our witnesses joining us this morning as well.

Many of us know that the House Homeland Security Committee has examined the issue. They have focused on a vulnerability in electric generator control systems, which could allow remote access, enabling a bad actor or terrorist to remotely destroy a generator.

And today we are going to follow up on those hearings and seek additional answers with a focus on the most productive way to ensure the security of our energy infrastructure.

Members of this committee will follow up next week with a classified briefing on the topic as well. And following that briefing, I know that we can work together on bipartisan legislation. I would commend both Mr. Dingell, Mr. Barton in their efforts to that end.

Major questions do need to be addressed. Is there an actual threat capable of causing catastrophic damage? Is there a regulatory gap that needs to be filled? Which agency should take the lead? And I hope that our witnesses will help address those questions today.

Security of our Nation's energy infrastructure from attack is one of the most important issues that our committee will address. This is not an issue that we can take lightly or cover it up in just one hearing.

Energy has been one of the leading issues debated in the Congress this year and rightfully so. Energy literally powers our economy. Even small price spikes in supply disruptions can have a large, important economic impact. It is imperative that the security of our Nation's energy infrastructure gets the attention that it deserves.
I look forward to working with all my colleagues to address this in a most beneficial way. And, Mr. Chairman, I would yield back the balance of my time.

Mr. Boucher. Well, thank you very much, Mr. Upton. And again I thank you for the outstanding cooperation you and your staff have provided on this matter. The gentleman from Massachusetts, Mr. Markey, is recognized for 3 minutes for an opening statement.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

Mr. Markey. Thank you, Chairman Boucher, for holding this important hearing today and having it on 9/11, the seventh anniversary of that horrific event. It serves as a stark reminder that addressing the vulnerability of cyber threats is long overdue.

We have seen the reality of these incidents in various settings over the years, including the Slammer worm at the Davis-Besse Nuclear Power Plant and the Aurora vulnerability exposed at the Idaho National Laboratory. We know that this threat is real. We also know the impacts are real and potentially devastating.

The Northeast blackout in 2003, when an estimated 50 million people lost electricity, is estimated to have cost up to $10 billion and eight lives. And we also know the impacts of these events are the same regardless of whether the incident is caused by someone who wants to do us harm or someone who simply doesn't know they are about to.

But this hearing is timely for other reasons as well. This Nation is finally, after years of control and of pocket padding by the oil industry, gathering the momentum to transition away from a dependence on foreign oil. It is a long overdue transition, and every day that we wait to rechart our course is a lost day. Based on the knowledge we have gained through hours of hearings in Congress, we know that the grid stands as one of the best and most immediate solutions to this crisis.
With the surge in interest in alternative energy sources tapping into the grid and the increasing use and promise of electric vehicles, the grid is vital to our move towards energy independence. But it can only serve in this critical role if it is protected as a crucial asset.

Fundamental changes to the structure of our grid could also eliminate or reduce cyber threats or diminish the harm resulting from them. Features offered through the developing smart grid technology, for example, could be used to reduce this threat and better position our response to such an event should such a cyber attack occur. Likewise, more distributed generation could conceivably reduce the extent of the impacts of a cyber attack.

I thank you, Chairman Boucher, for having this hearing. It is obvious that the technologies that affect the two wires or the three wires that go into everyone's home, the cable, the phone company, and the electric company are now all merging in terms of the technologies. And one can help the other, and the other can help the one as we learn how to use technology, both to advance our energy independence agenda and at the same time, ensure that we are being protected from homeland security threats.

So I thank you for being here. I see Jim Langevin down there, my good friend. We welcome you here as well, and I yield back the balance of my time.

Mr. Boucher. I thank you very much, Mr. Markey, and, as you have noted, this issue is at the focal point of several issues in which you and I have a common interest, and that is information technology policy as well as energy policy. And I very much welcome your remarks today.

The gentleman from Texas, Mr. Barton, the ranking Republican member of the full committee, is recognized for 5 minutes.

OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

Mr. Barton. Thank you, Mr. Chairman. I just returned from the 9/11 ceremony out at the Pentagon.
There couldn't be a better time to hold this hearing on cybersecurity. As we memorialize those brave men and women who gave their lives on September 11, both at the Pentagon and at the World Trade Center and in the fields of Pennsylvania, we have a real threat against the United States of America. It is not going away, and we need to defend ourselves against it, both militarily, and as this hearing is going to show, electronically in terms of protecting the power grid that provides electricity for our great Nation.

I think we have a lot to learn in this area because the whole idea of a cyber attack is something that is, quite frankly, somewhat foreign to most of us, myself included. We have some feeling for the physical attacks which we have seen against our Nation time after time. But this is a new type of attack.

What are the vulnerabilities? Is our electricity grid adequately protected? Will a one-time cyber reliability rule solve the problem, or do we have to have redundant systems and change those over time to upgrade against the continually changing threat? What are the consequences of a cyber attack if successful? Is it a matter of losing power in a certain region for a few hours? Is it a matter of destroying critical equipment, or is it a matter of losing power all over our great Nation for long periods of time? We simply don't know.

Should the government write cybersecurity standards in this case, the Federal Energy Regulatory Commission, because under current law, the North American Electric Reliability Corporation, or Council, is simply too slow? If so, where should we draw the line? Do we address the bulk power system? What about military installations? What about local distribution systems? What about rural electric co-ops within single state boundaries? How do we do those? What about Canada and Mexico? What are their views on giving the FERC authority for the first time to coordinate and regulate with these nations that aren't within our own boundaries?
Can we enforce such regulations if we agree that they are in the interest of these three nations? What about the views of the Defense Department and the National Security Council? What do they think about giving FERC the authority that we are thinking about giving them?

Whatever we do in this subcommittee and next week in the full committee, this is certainly an issue that needs to be addressed, and I want to commend you, Mr. Chairman, for addressing it. I want to welcome our witnesses today. The distinguished subcommittee chairman of the Homeland Security Committee, the distinguished chairman of the Federal Energy Regulatory Committee Commission and the other witnesses.

I do want to say one thing, Mr. Chairman, before I yield back. It was my understanding that Mr. Kelliher was going to be on a panel by himself. I see that you have him listed on a panel with non-elected officials. I think that is unacceptable. If I had known that was the way it was going to be, I would have objected strenuously. So I hope that before you actually begin the hearing, you will give a presidential appointee the courtesy that we have always given other appointees, and that is to testify by himself or herself.

Mr. Boucher. Would the gentleman yield?

Mr. Barton. Sure.

Mr. Boucher. I thank the gentleman for making those remarks and comments, and would advise him that in the interest of time, Mr. Kelliher has graciously agreed to be a part of the second panel; although, he will be the first witness on that panel. Given the fact that we had the memorial today at the Pentagon this morning, and there is a subsequent one involving the House of Representatives at 11:45 and the urgency of addressing this issue, this was the only morning we could do it. And given that urgency, Mr. Kelliher has graciously agreed to help us expedite our proceedings by allowing us just to have one panel of witnesses following the statement that Mr. Langevin will make. And I thank him for that and----

Mr. Barton. It is not----

Mr. Boucher. Otherwise, I can assure the gentleman that we would have done as he suggests.

Mr. Barton. Well, I appreciate the gentleman's--the chairman's explanation. With that, Mr. Chairman, I yield back.

Mr. Boucher. Thank you very much, Mr. Barton. The gentleman from Louisiana, Mr. Melancon, is recognized for 3 minutes. Mr. Melancon waives his opening statement and will have 3 minutes added to his questioning time for the second panel of witnesses. The gentleman from Michigan, Mr. Rogers, is recognized for 3 minutes.

OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MICHIGAN

Mr. Rogers. Thank you, Mr. Chairman. I happen to serve on the Intelligence Committee with Mr. Langevin, and so I am at least glad that he is paying attention to this because I think he will bring a good perspective from that side of the House.

And I am not sure sometimes if it is a benefit or a hindrance being on that committee. And today, I am not sure either because I worry a little bit about the speed at which we are working here. We watched through the creation of the Director of National Intelligence that we were trying to coordinate our activities and our resources. And in a bipartisan way in this Congress we said slow down. The exponential growth was not necessarily serving the interests of national security. And our cyber infrastructure goes well beyond the grid. The grid is an incredibly important part of that protection and security apparatus, but it is a part of that. And we have lots of talent and lots of resources spread across the 16 intelligence agencies and Department of Defense, who have spent some serious amount of time and accumulated intellectual capital necessary to defeat what we know is a growing threat. And it is from terrorist organizations. It is from extortionists. It is joy riders on the superhighway, if you will, and it is certainly and very worrisome more aggressive by nation-states.
And we see all of that activity growing exponentially. So the threat is very, very real.

But my concern is we are doing a ready, shoot, aim approach to how we are going to solve this problem because what we are going to do, even if you give authorities, with that will go people and resources. And then they have to go back and try to find integration with the very organizations I just mentioned before. I am not sure that that is the right way to get where we want to go, and I want to commend all of you for working on this. I think it is a very, very important issue, and it is a serious issue. But I don't think creating a separate group through separate authorization is likely to get where we want to go in a timely manner. We have resources. We have coordination efforts already that we are trying to work through, and I think Mr. Langevin is certainly aware of those. And I am not sure this helps it. Matter of fact, in some cases, I think it might actually hinder it.

So I hope that we take our time and slow down a little bit. I think it is great that we highlight the problem, but the fact that we don't have representation from Department of Defense, from the National Security Council, from the intelligence community, quite frankly from the DNI. I think the DNI should-- these are exactly the issues of which the director of national intelligence by this Congress was designated to help us move through some of these integrated policy issues where there is a cross spectrum of resources.

So again I hope the hearing is for informational purposes. I would not be in a hurry, Mr. Chairman, to pass a bill and move it through the House without the full cooperation and coordination of those resources. I think it would be critical to the end here that we do this correctly.

Mr. Boucher. Would the gentleman yield?

Mr. Rogers. Absolutely. Yes, sir.

Mr. Boucher. I thank the gentleman for those remarks, and I agree with the gentleman completely.
There is a great sense of urgency that we address this need, as our witnesses will tell us this morning. On a bipartisan basis, we have constructed a discussion draft which addresses the core concerns that have been brought to us. There are some open issues which I have identified. They will be discussed here as well this morning.

We invited the Department of Defense to send a witness to address the subcommittee this morning, and the Department of Defense declined to do that. I can tell the gentleman that we do intend to have a classified briefing for the--an opportunity offered to members for a classified briefing next week, and the Central Intelligence Agency. And the director of Central Intelligence will be a part of that briefing. And so the gentleman's request will be honored.

I can tell him also that we intend to go through regular order in processing this legislation. Assuming that we are in a position to resolve the outstanding issues, and I very much hope that we will be, we would like to move to a markup next week. That would be after the classified briefing takes place. If the issues are resolved to the satisfaction of members, I see no reason why we shouldn't do that, given the urgency that exists. And then hopefully we can move to the full committee rapidly after that and then to the House floor.

But I respect what the gentleman is saying, and he has expressed my view as well that we need to be very careful as we construct this measure. And we certainly intend to be.

Mr. Upton. And if the gentleman will just yield. I have had some discussions with the chairman, Chairman Boucher, on this issue, and I agree that we ought to have regular order here. There are a number of witnesses that are not on the list that ought to be here. Just looking at the brief presentation that CNN made on the air I want to say it was last year, there are a number of folks, Homeland Security agency and others, that really ought to be represented. We need to do this right.
It is critical. I don't have the luxury as you have, serving on the Intelligence Committee, Mr. Langevin and others. And as we are prepared to make sure that this is our level best, we have to have that input which is one of the reasons why the chairman and I thought it would be wise to have a classified briefing at the earliest moment which is, since we don't have votes tomorrow until Monday afternoon, Tuesday morning was the earliest time that we could do that to afford all members on both sides of the aisle to be able to ask questions in a private way. It will lend us a better understanding of the way that we should proceed and do it in the right course.

Mr. Rogers. And I commend you for having that classified briefing. I think hopefully that will give us a different look at it, and I would understand why DOD might have a hard time here. Some of the things that our communities are working on are very, very sensitive. And because of the aggressive state of nation-states involved in cyber espionage and cyber terrorism, I can understand why they might have some reluctance to come here and not be able to answer questions. It puts it in an awkward place. So I hope that we take the time to see with this classified briefing. And I think it might help us all understand how yes, it is important, but it is more important that we do it right than we do something.

Mr. Upton. That is right. And your attendance there will help all of us in terms of what you have been able to go through because of your experience on the Intelligence Committee.

Mr. Boucher. I thank the gentleman for his contributions this morning. The gentleman from Oregon, Mr. Walden, is recognized for 3 minutes.

Mr. Walden. Mr. Chairman, I will waive an opening statement. Thank you, sir.

Mr. Boucher. Thank you very much, Mr. Walden. We now welcome our first witness this morning, the Honorable Jim Langevin from Rhode Island, and we appreciate very much your attendance here. Mr. Langevin is the chairman of the Subcommittee on Emerging Threat, Cybersecurity, and Science and Technology of the Committee on Homeland Security, and I know from my discussions with him, has been actively involved in examining the question of cybersecurity for his tenure as chairman of that subcommittee. And he has much useful information he can share with us this morning. So, Jim, we welcome you, and your prepared statement will be made a part of the record. And we would welcome your oral remarks.

STATEMENT OF JAMES R. LANGEVIN, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY, COMMITTEE ON HOMELAND SECURITY

Mr. Langevin. Thank you, Mr. Chairman, and good morning. I would like to thank Chairman Boucher for his invitation to testify on this critical----

Mr. Boucher. If you could move that microphone a little bit closer and be sure it is on, that would help us in hearing you. Thank you.

Mr. Langevin. Is that better?

Mr. Boucher. That is better.

Mr. Langevin. Very good. I want to thank Chairman Boucher for his invitation to testify on this critical issue of national security. I very much appreciate the chairman's interest and that of Ranking Member Upton, and your interest in cybersecurity as it relates to the electric grid. And I commend both these gentlemen, the full committee, and its staff for their efforts in this area. I would also like to thank Chairman Thompson of the Homeland Security Committee for his proactive leadership on these issues as well.

Mr. Chairman, as you mentioned, I chair the Emerging Threat, Cybersecurity, and Science and Technology Subcommittee for the Homeland Security Committee where I have conducted eight hearings and dozens of investigations on cybersecurity issues during the 110th Congress. I am also a member of the House Permanent Subcommittee on Intelligence, and I co-chair the Center for Strategic and International Studies Commission on Cybersecurity for the 44th Presidency.
Each of these positions has afforded me the opportunity to examine the issues that are before this committee today. Now, I want to clearly state that I believe America is disturbingly vulnerable to a cyber attack against the electric grid that could cause significant consequences to our Nation's critical infrastructure. Virtually every expert I have consulted shares this assessment. Though I cannot provide classified details at this hearing, I hope that my testimony will support this assertion and encourage you to act on this legislation. The effective functioning of the bulk power system is highly dependent on control systems, computer-based systems used to monitor and control sensitive processes and physical functions. Once largely closed to the outside world, control systems are increasingly connected to open networks, and the risks to these systems are steadily increasing. Consider what has happened in the last 5 years. Criminal extortion schemes have exploited control systems for economic gain. Numerous disruptions from the Davis-Besse Power Plant incident in 2003 to the Northeast blackout, to the Browns Ferry Nuclear Power Plant failure in 2006 were caused by unintentional cyber incidents. Furthermore, the U.S. has evidence that Al Qaeda is interested in the vulnerabilities of our public and private utilities. Additionally, nation-state adversaries have publicly stated that attacking our domestic critical infrastructure, including the civilian electric grids, will be part of their war plans in an engagement with the United States. Clearly intentional and unintentional control system failures on the BPS can have a potentially devastating impact on the economy, public health, and national security of the United States. Now, for a society that runs on power, the discontinuity of electricity to chemical plants, banks, refineries, and water systems presents a terrifying scenario.
These incidents would also severely impact our war-fighting capability as recognized by the Defense Science Board. In the interest of national security, we must ensure effective and reliable energy flows to America's critical infrastructure facilities. With this in mind, my subcommittee initiated a review of the Federal Government's efforts and ability to ensure the security of the BPS from cyber attack. We became particularly concerned about the private sector's efforts to mitigate a vulnerability known as Aurora, which the chairman mentioned in his opening remarks, which if exploited, could result in catastrophic losses of power for long periods of time. I was convinced of the seriousness of this vulnerability and began doing all I could to ensure that we were fixing it. In June 2007, the Electric Sector Information Sharing and Analysis Center introduced a voluntary mitigation document to the industry. During my review of the electric sector mitigation efforts, however, it became evident that mitigation was highly inconsistent. I was surprised and disturbed to see how dismissive many of the companies were of this vulnerability, particularly given the significant technical evidence backing up the test. Even worse, NERC, the private sector reliability organization, seemed uninterested in determining the extent of industry compliance. NERC provided false, confusing, or misleading testimony to my subcommittee during our investigation. Now, NERC has since realized their mistakes, corrected their testimony, and began demonstrating the leadership that we expect. Nevertheless, I am still worried about the electric sector's approach towards timely mitigation of cybersecurity vulnerabilities. Now, in light of this failure of initiative throughout the electric sector, my subcommittee made a formal request of FERC to investigate the extent to which owners and operators were implementing the Aurora mitigation efforts. 
Thankfully, FERC has demonstrated great initiative, and I want to take this opportunity to publicly thank Chairman Kelliher and his staff for their efforts. FERC's initial observations suggest that while no company completely ignored the advisory, there were varying degrees of compliance. At this time, the subcommittee also requested that FERC assess its ability to respond to an imminent cyber attack under the current legal authorities contained in section 215 of the Federal Power Act. In testimony before the subcommittee on May 21, Chairman Kelliher concluded that additional authorities are necessary to adequately protect the BPS, and I fully support the chairman's conclusion. In the interest of national security, a statutory mechanism is necessary to protect the grid against cybersecurity threats. I congratulate the subcommittee for its legislative initiative, and I have several comments on the draft legislation that are before us. First, emergency standards should become enforceable upon a finding by a national security or intelligence agency. I fear that additional executive determinations would create unnecessary delays in the protections of the BPS. Second, FERC should be authorized to act if either one, a malicious act is likely to occur, or two, there is a substantial possibility of disruption to the grid due to such an act. Specific threat information on this subject is difficult to come by, and it would be very hard to put together likelihood and consequence. We must not limit the ability of our federal agencies to act. Finally, I am concerned that the current legislation does not cover assets that are outside the definition of the bulk power system, which, if left unprotected, will keep our Nation vulnerable. As the committee is aware, and as the chairman had referred to, the Federal Power Act leaves vulnerable Alaska, Hawaii, and many other--and many major cities like D.C. 
and New York and the Nation's critical infrastructures like our military installations because they don't fall under the definition of the BPS. Generation, transmission, and distribution must be protected under this legislation, and I would ask the committee to consider an amendment that would allow FERC to address cyber threats against all of these areas. Now, in closing, on this day when we vow to be vigilant in protecting the country against threats of all kinds, let nobody accuse us of having a September 10 mindset when it comes to cybersecurity. With that, I want to thank you, Mr. Chairman, for allowing me the opportunity to testify today, and I look forward to answering your questions. Thank you. [The prepared statement of Mr. Langevin follows:]
Mr. Boucher. Thank you very much, Mr. Langevin. We appreciate that testimony, and your comments this morning will prove very helpful to us as we proceed with our work. I do not have questions of you, at least not at this time. We may consult you as we proceed with further steps in this process, but I do not have questions of you at this moment. I would ask if there are other members of the panel who would care to pose questions to Mr. Langevin. Mr. Upton seeks recognition.

Mr. Upton. I just have one. And, Jim, we appreciate your testimony and your work on this for sure. You indicated in your statement that you feared that the presidential secretarial determination as currently provided in the draft legislation would create an unnecessary delay in the protection of the BPS, but you have to have a chain of command. And one of the issues that may be raised is FERC is certainly the appropriate agency overseeing the grid and all of that, but shouldn't you have someone at the White House or someone at the Pentagon, someone, perhaps the Secretary of Energy, someone with direct--not that our good friend Joe doesn't have access to folks like that. But shouldn't you have some White House command similar to what happened on 9/11 when the FAA ruled, because of Secretary Mineta, that all the planes were going to stop wherever they were. That came in direct consultation with the White House, and, bingo, it happened. Shouldn't you have that type of chain of control--chain of command as part of the legislation which seems to be one of the criticisms that you might have here? Am I misreading what your comments were?

Mr. Langevin. That is true, but certainly the Secretary of Homeland Security can be clearly a national emergency----

Mr. Upton. Yes, that would be appropriate too.

Mr. Langevin [continuing]. Along these lines. But we have to understand that in this day and age of cybersecurity, cyber attacks, it is one thing if we had days to go through the process of ultimately getting a presidential directive in place. But when we have actionable intelligence, these types of cyber attacks, cyber threats, could actually come in seconds or minutes or hours. And when we have direct actionable intelligence, there should be a rapid ability to respond. And I am concerned about unnecessary delays. Even if this directive authority I am suggesting that FERC would be given would be temporary in nature until a more permanent solution can be addressed would be fine. But I think that we have to recognize in this day and age of cyber, things don't move in days or weeks. They move in seconds.

Mr. Upton. I yield back.

Mr. Boucher. Thank you very much, Mr. Upton. Mr. Langevin, we appreciate your attendance here this morning, and we will move now to our second panel of witnesses.

Mr. Langevin. Thank you, Mr. Chairman.

Mr. Boucher. We are pleased to welcome on the second panel the chairman of the Federal Energy Regulatory Commission, Mr. Joe Kelliher; Mr. Kevin Kolevar, the assistant secretary of the United States Department of Energy; Mr. Rick Sergel, the president of the North American Reliability Corporation; Susan Kelly, vice-president and general counsel of the American Public Power Association; Steve Naumann, vice-president of the Exelon Corporation; and Barry Lawson, manager of power delivery for the National Rural Electric Cooperative Association. We welcome each of our witnesses and thank you for your attendance this morning. And your prepared written statements will be made a part of our record. We would welcome your oral summaries and ask that in the interest of time, you try to keep your oral summaries to approximately 5 minutes. We are going to operate slightly out of order this morning because both Mr. Kelliher and Mr. Kolevar have expressed a need to depart rather quickly in order to attend to some rather urgent outside business. And so we are going to take their opening statements first. We will ask questions of them, and then we will proceed to the opening statements and questions of the balance of our witnesses. And so with that understanding, Mr. Kelliher, we will be happy to hear from you, and then Mr. Kolevar.

STATEMENT OF JOSEPH KELLIHER, CHAIRMAN, FEDERAL ENERGY REGULATORY COMMISSION

Mr. Kelliher. Thank you, Mr. Boucher. Mr. Chairman, Mr. Upton, members of the subcommittee, I want to thank you for the invitation to testify here today, and I want to say it is good to be back before the subcommittee. I appreciate the opportunity to discuss the need to improve cybersecurity and to protect the reliability of the power grid against cyber attacks and other national security threats. Three years ago, Congress made FERC responsible for protecting the reliability of the power grid by establishing and enforcing mandatory reliability standards. Congress specifically directed FERC to develop cybersecurity standards to protect the grid, and we have done so. But I am here today to offer my conclusion that the tools you gave us 3 years ago are inadequate to the task and that FERC needs additional legal authority to adequately protect the grid from cyber attacks and other national security threats. There has been much progress made on reliability over the past 3 years. FERC has certified an electric reliability organization. We have established mandatory reliability standards including cyber standards. We are working to improve those standards over time to raise the bar, and we have established a reliability enforcement regime.
But the grid remains vulnerable to a cyber attack through communication devices that could secure access control and remote operation of key components of our electricity system, such as large generating facilities, substations, transmission lines, and local distribution facilities. And that through remote operation, a cyber attack could damage or destroy generation in other facilities, and because an attack could damage or destroy facilities that could take weeks or longer to replace, the effects of a successful cyber attack could be much greater than a blackout. In my view, an effective defense of the power grid from cyber attacks has three necessary elements. First, there is a need for timely and effective identification of cyber vulnerabilities. Second, there is a need to have an ability to require mandatory actions that mitigate those vulnerabilities on a timely basis, so action that is both rapid and mandatory. And third, the ability to maintain the confidentiality of information because current law is inadequate to mount such a defense. FERC is not a national security or intelligence agency, and FERC is not in the best position to identify cyber threats. But the U.S. government has the ability to identify cyber threats in a timely and effective manner. FERC cooperates with agencies that are in that position, including the Department of Energy. However, there is no adequate means to take mandatory action in a timely manner under existing law. Currently, there are two means to protect the power grid against cyber attacks. The 215 process established by Congress in the Energy Policy Act of 2005 and also NERC advisories. But in my view, neither is adequate to defend against cyber attacks. The 215 process produces reliability standards that are mandatory but untimely given the nature of cyber threats. And NERC advisories are timely or can be timely, but they are also voluntary. Both approaches fail to protect critical information. 
FERC is using and will continue to use the process established by 215 of the Federal Power Act to set reliability standards including cyber standards. But the principal flaw of the 215 process is that it takes too long and does not allow for the protection of critical information. Under the normal 215 process, it typically takes years to develop new and modified reliability standards including cyber standards. Even reliability standards developed under the urgent action process can take months or longer. Also FERC cannot modify a proposed standard. We can reject or remand or approve and direct changes that will occur over time, but if we reject a standard, it just simply reinitiates a process that could take months or years. Why is there a need for timely action in this area? It is simply because the cyber threat is different from other reliability threats. The section 215 process was designed around a fundamentally different reliability challenge, namely vegetation management or tree growth, relay maintenance, grid control operations, and operator training. The reliability threat posed by trees and poor vegetation management is a passive threat, while the threat posed by cyber attacks is organized and much more active. The nature of the cyber threat is different. It is a national security threat that may be posed by foreign countries or organized groups. A process designed to guard against poor vegetation management is poorly suited to meet national security threats. There is another limitation in that section 215 only authorizes FERC to ultimately establish standards and that some cyber threats or other national security threats may require action that are not standards. NERC advisories also, I think, are an inadequate way to ensure or to protect cybersecurity. The principal virtue of a NERC advisory is speed, but the principal flaw is that compliance with those advisories is voluntary. And there is a lack of confidentiality. 
NERC issued an advisory last year in response to the Aurora cyber threat, and I commend NERC for acting quickly in response to that threat. As detailed in my written testimony, FERC has been reviewing the industry response to that advisory. I have to say the industry has made progress in response to the NERC advisory. I think cybersecurity is higher as a result, but our review indicates that the industry response has not mitigated the Aurora threat. And to some extent, that response is the predictable result of reliance on a voluntary advisory. Now, confidentiality. I think it is also clear that an effective defense against cyber threats requires confidentiality. The standards development process under section 215 of the Federal Power Act typically imposes few or no restrictions on the dissemination of information related to development of new standards including cyber standards. The case of cyber vulnerabilities and public release of information related to cybersecurity could be very harmful, and that FERC currently has very limited authority to limit the public dissemination of information. So in my view, I think there is a need for legislation. I think section 215 of the Federal Power Act is an adequate basis to address reliability threats other than national security threats, such as cyber attacks. And I, for that reason, do not believe that section 215 should be amended. But I do believe there is a need for legislation that would grant FERC a separate authorization to, number one, immediately require measures to address known cyber vulnerabilities, such as related to Aurora, and two, require mandatory actions needed to protect the power grid from future national security threats on an interim basis after a finding by the President or the Secretary of Energy. I think under this approach, it is clear FERC cannot act with respect to future cyber and other national security threats without such a finding by the President or the Secretary. 
So I think that it appropriately limits us and relies on the superior knowledge of the President and the Secretary with respect to national security threats. It is also vital that a bill allow FERC to take action before a cyber attack and not only after the fact. It is critical that the threshold or trigger for a finding by the President or the Secretary not be so high as to be insurmountable, and I think the trigger in the proposed act discussion draft is appropriate. There is also a need to address national security threats other than cyber, but I want to say I do support the staff discussion draft as is. It strikes the right balance, and I look forward to working with the subcommittee as you move towards markup. And I do recognize the Department of Energy has a proposal that I think also should be considered as you move to markup in coming days. In conclusion, you gave us the duty 3 years ago to protect reliability of the power grid, to establish and enforce reliability standards. We are exercising that duty, but we have come to the conclusion that we don't have the right tools to address the cyber threat. And the reason is that the nature of the threat, the reliability threat to the grid is different than perhaps was anticipated 3 1/2 years ago. And so I do ask you to act and legislate, but until and unless you do that, FERC and NERC will use existing authorities. We will use the tools we have as best we can. And with that, I appreciate the opportunity to testify here today.

[The prepared statement of Mr. Kelliher follows:]

Statement of Joseph T. Kelliher

Summary

The Energy Policy Act of 2005 (EPAct 2005) authorized the Federal Energy Regulatory Commission to approve and enforce mandatory reliability standards, including cyber security standards, to protect and improve the reliability of the bulk power system.
These reliability standards are proposed to the Commission by the Electric Reliability Organization (ERO) (the North American Electric Reliability Corporation or NERC), after an open and inclusive stakeholder process. The Commission cannot author the standards or make any modifications, and instead must either approve the proposed standards or remand them to NERC. FERC is well underway in implementing the new law, including now having in place an initial set of cyber security standards, for which full compliance is not required until 2010. Section 215 is an adequate statutory foundation to protect the bulk power system against most reliability threats. However, the threat of cyber attacks or other intentional malicious acts against the electric grid is different. These are national security threats that may be posed by foreign nations or others intent on attacking the U.S. through its electric grid. The nature of the threat stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and relay maintenance. Damage from cyber attacks could be enormous. A coordinated attack could affect the electrical grid to a greater extent than the August 2003 blackout and cause much more extensive damage. Cyber attacks can physically damage the generating facilities and other equipment such that restoration of power takes weeks or longer, instead of a few hours or days. Widespread disruption of electric service can quickly undermine our government, military readiness and economy, and endanger the health and safety of millions of citizens. Thus, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect security-sensitive information from public disclosure. The Commission's legal authority is inadequate for such action. 
This is true of both cyber and non-cyber threats that pose national security concerns. In the case of such threats to the electric system, the Commission does not have sufficient authority to timely protect the reliability of the system. Legislation should be enacted allowing the Commission to act promptly to protect against current cyber threats as well as future cyber or other national security threats.

Testimony

Introduction and Summary

Mr. Chairman and members of the Subcommittee, thank you for the opportunity to speak here today about cyber and other national security threats to our Nation's electrical grid, and the need for legislation allowing the Federal Energy Regulatory Commission (FERC or the Commission) to address those threats quickly and effectively. I appreciate the Subcommittee's attention to this critically important issue. The Energy Policy Act of 2005 (EPAct 2005) gave the Commission certain responsibilities for overseeing the reliability of the bulk power system. The bulk power system is defined to include facilities and control systems necessary for operating an interconnected transmission network (or any portion thereof), and electric energy from generation facilities needed to maintain transmission system reliability. EPAct 2005 authorized the Commission to approve and enforce mandatory reliability standards, including cyber security standards, to protect and improve the reliability of the bulk power system. Under this framework, reliability standards are developed and proposed to the Commission by the Electric Reliability Organization (ERO) (the North American Electric Reliability Corporation or NERC) through an open and inclusive stakeholder process. The Commission cannot author the standards or make any modifications, and instead must either approve the proposed standards or remand them to NERC.
The Commission is well underway in implementing the new law, including now having in place an initial set of cyber security standards with varying implementation dates. Much progress has been made in the past 3 years. However, more work needs to be done, both with respect to improving those cyber security standards and possibly adding new ones. In my view, FERC does not have sufficient authority to guard against national security threats to reliability of the electric system. Legislation should be enacted allowing the Commission to act quickly to protect against current cyber threats as well as future cyber or other national security threats.

Background

In EPAct 2005, the Congress entrusted the Commission with a major new responsibility to oversee mandatory, enforceable reliability standards for the Nation's bulk power system (excluding Alaska and Hawaii). This authority is in section 215 of the Federal Power Act. Section 215 requires the Commission to select an ERO that is responsible for proposing, for Commission review and approval, reliability standards or modifications to existing reliability standards to help protect and improve the reliability of the Nation's bulk power system. The reliability standards apply to the users, owners and operators of the bulk power system and become mandatory only after Commission approval. The ERO also is authorized to impose, after notice and opportunity for a hearing, penalties for violations of the reliability standards, subject to Commission review and approval. The ERO may delegate certain responsibilities to ``Regional Entities,'' subject to Commission approval.
The Commission may approve proposed reliability standards or modifications to previously approved standards if it finds them ``just, reasonable, not unduly discriminatory or preferential, and in the public interest.'' If the Commission disapproves a proposed standard or modification, section 215 requires the Commission to remand it to the ERO for further consideration. The Commission, upon its own motion or upon complaint, may direct the ERO to submit a proposed standard or modification on a specific matter. The Commission also may initiate enforcement on its own motion. The Commission has implemented section 215 diligently. Within 180 days of enactment, the Commission adopted rules governing the reliability program. In mid-2006, it approved NERC as the ERO. In March 2007, the Commission approved the first set of national mandatory and enforceable reliability standards. In April 2007, it approved eight regional delegation agreements to provide for development of new or modified standards and enforcement of approved standards by Regional Entities. In exercising its new authority, the Commission has interacted extensively with NERC and the industry. The Commission also has coordinated with other federal agencies, such as the Department of Homeland Security, the Department of Energy, the Nuclear Regulatory Commission, and the Department of Defense. Also, the Commission has established regular communications with regulators from Canada and Mexico regarding reliability, since the North American bulk power system is an interconnected continental system subject to the laws of three nations. 
Cyber Security Standards Approved Under Section 215

Section 215 defines ``reliability standard[s]'' as including requirements for the ``reliable operation'' of the bulk power system including ``cybersecurity protection.'' Section 215 defines reliable operation to mean operating the elements of the bulk power system within certain limits so instability, uncontrolled separation, or cascading failures will not occur ``as a result of a sudden disturbance, including a cybersecurity incident.'' Section 215 also defines a ``cybersecurity incident'' as a ``malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.'' In August 2006, NERC submitted eight new cyber security standards, known as the Critical Infrastructure Protection (CIP) standards, to the Commission for approval under section 215. Critical infrastructure, as defined by NERC for purposes of the CIP standards, includes facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the ``Bulk Electric System.'' NERC proposed an implementation plan under which certain requirements would be ``auditably compliant'' beginning by mid-2009, and full compliance with the CIP standards would not be mandatory until 2010. On January 18, 2008, the Commission issued a Final Rule approving the CIP Reliability Standards and concurrently directed NERC to develop modifications addressing specific concerns, such as the breadth of discretion left to utilities by the standards.
For example, the standards state that utilities ``should interpret and apply the reliability standard[s] using reasonable business judgment.'' Similarly, the standards at times require certain steps ``where technically feasible,'' but this is defined as not requiring the utility ``to replace any equipment in order to achieve compliance.'' Also, the standards would allow a utility at times not to take certain action if the utility documents its ``acceptance of risk.'' To address this, the Final Rule directed NERC, among other things: (1) to develop modifications to remove the ``reasonable business judgment'' language and the ``acceptance of risk'' exceptions; and, (2) to develop specific conditions that a responsible entity must satisfy to invoke the ``technical feasibility'' exception. A further example of this discretion involved the utility's ability to determine which of its facilities would be subject to the cyber security standards. For these requirements, the Commission addressed its concerns by requiring independent oversight of a utility's decisions by industry entities with a ``wide-area view,'' such as reliability coordinators or the Regional Entities, subject to the review of the Commission. However, until such time as the standards are modified by the ERO through its stakeholder process, approved by the Commission, and implemented by industry, the discretion remains.

Current Process To Address Cyber or Other National Security Threats to the Bulk Power System

As an initial matter, it is important to recognize how mandatory reliability standards are established under section 215. Under section 215, reliability standards are developed by the ERO through an open, inclusive, and public process. The Commission can direct NERC to develop a reliability standard to address a particular reliability matter, including cyber security threats. However, the NERC process typically takes years to develop standards for the Commission's review.
In fact, the cyber security standards approved by FERC took the industry approximately three years to develop. NERC's procedures for developing standards allow extensive opportunity for industry comment, are open, and are generally based on the procedures of the American National Standards Institute (ANSI). The NERC process is intended to develop consensus on both the need for the standard and on the substance of the proposed standard. Although inclusive, the process is relatively slow and cumbersome. Key steps in the NERC process include: nomination of a proposed standard using a Standard Authorization Request (SAR); public posting of the SAR for comment; review of the comments by industry volunteers; drafting or redrafting of the standard by a team of industry volunteers; public posting of the draft standard; field testing of the draft standard, if appropriate; formal balloting of the draft standard, with approval requiring a quorum of votes by 75 percent of the ballot pool and affirmative votes by two-thirds of the weighted industry sector votes; re-balloting, if negative votes are supported by specific comments; voting by NERC's board of trustees; and an appeals mechanism to resolve any complaints about the standards process. NERC-approved standards are then submitted to the Commission for its review. Generally, the procedures used by NERC are appropriate for developing and approving reliability standards. The process allows extensive opportunities for industry and public comment. The public nature of the reliability standards development process is a strength of the process as it relates to most reliability standards. However, it can be an impediment when measures or actions need to be taken on a timely basis to effectively address threats to national security. 
The procedures used under section 215 for the development and approval of reliability standards do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action. If a significant vulnerability in the bulk power system is identified, procedures used so far for adoption of reliability standards take too long to implement effective corrective steps. FERC rules governing review and establishment of reliability standards allow the agency to direct the ERO to develop and propose reliability standards under an expedited schedule. For example, FERC could order the ERO to submit a reliability standard to address a reliability vulnerability within 60 days. Also, NERC's rules of procedure include a provision for approval of urgent action standards that can be completed within 60 days and which may be further expedited by a written finding by the NERC board of trustees that an extraordinary and immediate threat exists to bulk power system reliability or national security. However, it is not clear NERC could meet this schedule in practice. Even a reliability standard developed under the urgent action provisions would likely be too slow in certain circumstances. Faced with a cyber security or other national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years. That would not be feasible under the urgent action process. In the meantime, the bulk power system would be left vulnerable to a known national security threat. Moreover, existing procedures, including the urgent action procedure, would widely publicize both the vulnerability and the proposed solutions, thus increasing the risk of hostile actions before the appropriate solutions are implemented. 
In addition, the proposed standard submitted to the Commission may not be sufficient to address the vulnerability. As noted above, when a proposed reliability standard is submitted to FERC for its review, whether submitted under the urgent action provisions or the usual process, the agency cannot modify such standard and must either approve or remand it. Since the Commission may not modify a proposed reliability standard under section 215, we would have the choice of approving an inadequate standard and directing changes, which reinitiates a process that can take years, or rejecting the standard altogether. Under either approach, the bulk power system would remain vulnerable for a prolonged period.

NERC's ``Aurora'' Advisory and Subsequent Actions

Currently, the alternative to a mandatory reliability standard is for NERC to issue an advisory encouraging utilities and others to take voluntary action to guard against cyber or other vulnerabilities. That approach provides for quicker action, but any such advisory is not mandatory, and should be expected to produce inconsistent and potentially ineffective responses. That was our experience with the response to an advisory issued last year by NERC regarding an identified cyber security threat referred to as the ``Aurora'' threat. Reliance on voluntary measures to assure national security is fundamentally inconsistent with the conclusion Congress reached during enactment of EPAct 2005, that voluntary standards cannot assure reliability of the bulk power system.

In response to the Aurora threat, NERC issued an advisory to certain generator owners, generator operators, transmission owners, and transmission operators. According to NERC, this advisory identified a number of short-term measures, mid-term measures and long-term measures designed to mitigate the cyber vulnerability. NERC asked the recipients to voluntarily implement the measures within specific time periods. 
NERC also sent a data request to industry members to determine compliance with the advisory. That data request was limited in scope, however, asking only that industry members indicate if their mitigation plans are ``complete,'' ``in progress,'' or ``not performing.'' The Commission determined that the information sought by NERC in the above data request was not sufficient for the Commission to discharge its duties under section 215 because it did not provide sufficient details about individual mitigation efforts for the Commission to be certain that the threat had been addressed. For example, it did not provide information such as what facilities were the subject of the mitigation plans, what steps to mitigate the cyber vulnerability were being taken, and when those steps were planned to be taken-- and, if certain actions were not being taken, why not. In October 2007, the Commission sought emergency processing by the Office of Management and Budget (OMB) of a proposed directive to require utilities to provide information immediately on their mitigation efforts. OMB posted the proposal for public comment in December 2007, and received several comments raising issues about the Commission's ability to protect sensitive information from public disclosure. The Commission ultimately asked OMB to hold the proposal in abeyance while Commission staff asked a sampling of generation and transmission entities to voluntarily discuss with staff their compliance with the Aurora advisory. In February, Commission staff began interviewing them. Commission staff has conducted 30 detailed interviews with a variety of electric utilities geographically dispersed across the contiguous 48 states, to assess the state of the industry's protection against remote access cyber vulnerabilities, including the Aurora vulnerability. Each interview typically lasted six to eight hours and utilities voluntarily participated. 
The utilities were well prepared with documents to explain their actions, and were very cooperative in responding to staff questions. Staff found a wide range of equipment, configurations and security features implemented by the utilities. Several observations can be made based on the interviews. All of the companies selected by the Commission fully cooperated in the interviews. We learned that there was a broad range of compliance based on individual interpretations of the threat that affected the application of the recommended mitigation measures. In fact, all of the utilities interviewed by the Commission requested additional information to help understand the technical implications of the attack and the specific strategies to mitigate the identified vulnerabilities. Through these selected interviews, FERC staff has determined that although progress has been made by almost every entity it interviewed, much work remains to be done and, in large part, the Aurora threat remains. While NERC can issue an alert, as it did in response to the Aurora vulnerability, compliance with these alerts is voluntary and subject to the interpretation of the individual utilities. Because an alert is voluntary, it may tend to be general in nature, and lack specificity. Further, as Commission staff has found with the Aurora alert, such alerts can cause uncertainty about the specific strategies needed to mitigate the identified vulnerabilities and the assets to which they apply. Damage from cyber attacks could be enormous. All of the electric system is potentially subject to cyber attack, including power plants, substations, transmission lines, and local distribution lines. A coordinated attack could affect the electrical grid to a greater extent than the August 2003 blackout and cause much more extensive damage. Cyber attacks can physically damage the generating facilities and other equipment such that restoration of power takes weeks or longer, instead of a few hours or days. 
The harm could extend not only to the economy and the health and welfare of our citizens, but even to the ability of our military forces to defend us, since many military installations rely on the bulk power system for their electricity. The cost of protecting against cyber attacks is difficult to estimate but, undoubtedly, is much less than the damages and disruptions that could be incurred if we do not protect against them.

The need for vigilance may increase as new technologies are added to the bulk power system. For example, ``smart grid'' technology may provide significant benefits in the use of electricity. These include the ability to manage not only energy sources, but also energy consumption, in the reliable operation of the Nation's electric grid. However, smart grid technology will also introduce many potential access points to the computer systems used by the electric industry to operate the electric grid. Security features must be an integral consideration. To some degree, this is similar to the banking industry allowing its customers to bank on line, but only with appropriate security protections in place. As the ``smart grid'' effort moves forward, steps will need to be taken to ensure that cyber security protections are in place prior to its implementation. The challenge will be to focus not only on general approaches but, importantly, on the details of specific technologies and the risks they may present.

Key Elements of Needed Legislation

In my view, section 215 is an adequate statutory foundation to protect the bulk power system against most reliability threats. However, the threat of cyber attacks or other intentional malicious acts against the electric grid is different. These are national security threats that may be posed by foreign nations or others intent on attacking the U.S. through its electric grid. 
The nature of the threat stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and relay maintenance. Though the nature of the threat is different, the consequences are identical. Widespread disruption of electric service can quickly undermine the U.S. government and economy and endanger the health and safety of millions of citizens. Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. Our legal authority is inadequate for such action. This is true of both cyber and non-cyber threats that pose national security concerns. In the case of such threats to the electric system, the Commission does not have sufficient authority to timely protect the reliability of the system. I ask Congress to enact legislation, outside of section 215, containing the following major elements. The bill should direct the Commission to establish, after notice and opportunity for comment, interim reliability measures to protect against the threats identified in NERC's ``Aurora'' advisory and related remote access issues. These interim measures could later be replaced by reliability standards developed, approved and implemented under the section 215 process. The bill also should allow the Commission, upon directive by the President (directly or through the Secretary of Energy), to issue emergency orders directing actions necessary to protect the reliability of the bulk power system against an imminent cyber security or other national security threat. Significantly, FERC could only act upon such a directive. 
This reflects the reality that the President and national security and intelligence agencies such as DOE are in a better position than the Commission to determine the nature of a national security threat, while the Commission has the expertise to develop appropriate interim reliability measures. I emphasize that the latter authority should apply not only to cyber security threats but also to other national security threats. Intentional physical malicious acts (targeting, for example, critical substations and generating stations) can cause equal or greater destruction than cyber attacks and the Commission should have no less ability to address them when an emergency arises. This additional authority would not displace other means of protecting the grid, such as action by federal, state and local law enforcement and the National Guard, but the Commission has unique expertise regarding the reliability of the grid, the consequences of threats to it and the measures necessary to safeguard it. If particular circumstances cause both FERC and other governmental authorities to require action by utilities, FERC will coordinate with other authorities as appropriate. The bill should allow measures or actions that might be imposed under this new authority to be replaced by standards developed under section 215 where applicable. For example, there may be circumstances in which use of the section 215 process would not be applicable, such as when targeted and/or temporary measures are necessary based on specific threat information. Also, the Commission should be allowed to maintain appropriate confidentiality of any security-sensitive information submitted or developed through the exercise of this authority. The bill also should address the following details. 
First, the bill should allow the Commission to take emergency action before a cyber or other national security incident has occurred, if there is a likelihood of a malicious act or a substantial possibility of disruption due to such an act. In order to protect the grid, it is vital that the Commission be authorized to act before a cyber attack. It is equally necessary that the threshold for a threat determination not be so high as to be insurmountable. Second, with respect to the Aurora and related cyber threats of which we are aware today, the Commission should be permitted and directed, after notice and comment, to require owners, users and operators of the bulk power system to take adequate measures to address those threats, and those measures should remain in effect until the measures are no longer necessary, for example, if replacement standards are approved and implemented under section 215. Third, with respect to other actions or measures the Commission might order to address future imminent threats to reliability, any time-triggered sunset provision applicable to emergency actions ordered by the Commission should allow an exception if the President (directly or through the Secretary of Energy) reaffirms the continuing nature of the threat. In the event that the action is determined to be no longer necessary or if the measures or actions ordered by the Commission are replaced by standards approved and implemented under section 215, the Commission should issue a ``discontinuance'' order. Finally, Congress should be aware of the fact that if additional reliability authority is limited to the ``bulk power system,'' as defined in the FPA, it would exclude protection against reliability threats and emergency actions involving Alaska and Hawaii and possibly the territories, including any federal installations located therein. 
The current interpretation of ``bulk power system'' also would exclude some transmission and all local distribution facilities, including virtually all of the grid facilities in large cities such as New York and Washington, D.C., thus precluding possible Commission action to mitigate imminent cyber or other national security threats to reliability that involve such facilities and major population areas.

Conclusion

The Commission's authority is not adequate to address urgent cyber or other national security threats. These types of threats pose an increasing risk to our Nation's electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now. Thank you again for the opportunity to testify today. I would be happy to answer any questions you may have.

----------

Mr. Boucher. Thank you very much, Mr. Kelliher. Mr. Kolevar, we will be happy to hear from you.

STATEMENT OF KEVIN M. KOLEVAR, ASSISTANT SECRETARY, OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. DEPARTMENT OF ENERGY

Mr. Kolevar. Thank you, Mr. Chairman, members of the committee, for the opportunity to testify before you today on this critically important matter. Let me just note at the beginning that, as you would expect, the chairman and I and our staff have discussed this issue on a number of occasions. I would like to associate myself with his remarks. I think that as we move forward, you will find broad agreement between the Department of Energy and the FERC. This hearing addresses more than just a reliability concern. It addresses a national security concern. The Department of Energy and FERC and the electric sector must work cooperatively toward eliminating cyber vulnerabilities in control systems and preventing malicious cyber attacks on our electric infrastructure. Our Nation's electric power grid must be better protected. We must harden our power system. 
The Department of Energy regularly discovers new vulnerabilities in the control systems employed by many utilities. This is not hyperbole. Let me assure you that cyber attacks against control systems have occurred, and they are becoming increasingly sophisticated. The director of National Intelligence only underscored these concerns when he acknowledged earlier this year that cyber exploitation has not only grown more sophisticated but more targeted and more serious. Embedded processes and controllers in critical sectors are being targeted for exploitation and potentially for disruption or destruction with increasing frequency by a growing number of adversaries, not all of whom are in the pay of foreign governments. According to one senior CIA analyst, some cyber intrusions in utilities have been followed by extortion demands. Cyber attacks have been used to disrupt power equipment in regions outside the United States, and in at least one case, a cyber-based disruption caused an outage that affected multiple cities.

Let me for a moment drill down on one point, and this actually speaks to Congressman Rogers's point. The following text is drawn from the intelligence community assisting us in preparation of this draft. For a nation-state to execute a coordinated attack across the Nation with certainty at a point in time chosen to have geopolitical or military effect would require considerable planning and would require sustained access during an extensive preparation period to numerous points in the control systems that help operate the national grid. Planning this type of attack would require extensive collection of information, expertise on both cyber and power systems, probably some type of extensive modeling to be sure of the effect, and then gaining and maintaining access to the actual target systems. 
Even maintaining reliable clandestine access requires resources and constant attention because system software and configurations change over time, and the adversary must be careful not to tip his hand with obvious activity. Gaining initial access to particular systems may require the recruitment of insiders or conducting supply chain attacks, which might require months or years of preparation. Even gathering the necessary detailed information needed to identify targets and possible points of access may require some form of long-term clandestine operations. As a matter of risk management, we need to make sure that we are not facilitating each of these critical steps for our adversaries by leaving ourselves open to collection of target information, open to easy access and reconnaissance or vulnerable by virtue of leaving systems misconfigured or unpatched. The Departments of Energy and Homeland Security have been working with industry to increase awareness and to help them make sensible risk management choices. And, Mr. Chairman, I think this also speaks to the confidentiality requirements that the chairman mentioned. To be clear, however, notwithstanding the many difficulties associated with the execution of a very serious cyber attack on the electric sector, the potential consequences are significant. For that reason, a limited role for the federal government is warranted if the Nation's energy infrastructure is to be protected. The Department has been substantively engaged on this issue for some time. In 2003, DOE's Office of Energy Assurance, the predecessor program to the Office of Electricity Delivery and Energy Reliability, was designated to work directly with the energy owners and operators to protect energy infrastructures from all hazards and make them become more resilient. 
DOE does this by selectively conducting vulnerability assessments and applying sound risk management practices at critical facilities, and we implement physical and cyber solutions to mitigate the risks based on the vulnerabilities we identify. To date, the department and its national laboratories have conducted test bed and onsite field assessments of 15 common control systems used widely across the energy sector. These assessments have revealed vulnerabilities ranging in severity from minimal to high impact. With 17 testing facilities from five Department of Energy national laboratories, we are also constantly leveraging an extensive intelligence gathering network, proven methodologies, and highly skilled professionals from across the national security and intelligence communities, in particular DHS, to assess and interpret threat information.

Nevertheless, we need to do more and be thoughtful. The cyber threat to electric power systems is certainly among the most critical in our Nation's infrastructure. However, cyberspace has become critical to all of our other infrastructures as well with potential national security, economic, and safety concerns. As a Nation, we need to make sure that we are addressing risk management across all of our infrastructures in a holistic manner and that we not solve one problem only to create new problems or restrain solutions elsewhere. As a result, we believe any legislation should be carefully coordinated across the executive branch. We need to move expeditiously to protect the power grid, but let us get this right. The administration is continuing to examine what additional authorities are appropriate for DOE and the FERC. To the extent that Congress acts in this area, we recommend that it consider the following: allow the FERC to establish interim reliability standards for the purpose of rapidly responding to specific electric sector vulnerabilities. 
When presented with a credible cyber threat against the bulk power system, such interim reliability standards could provide an effective bridge until being replaced by cybersecurity reliability standards developed, approved, and implemented pursuant to section 215. With respect to potential measures in the face of an imminent threat to the bulk power system, allow the Department of Energy to issue an order for immediate remedial action. That order could stand until new FERC interim standards or standards developed pursuant to section 215 were put into place. Mr. Chairman, that concludes my statement. I am prepared to take any questions.

[The prepared statement of Mr. Kolevar follows:]
Mr. Boucher. Thank you very much, Mr. Kolevar. Mr. Kelliher, I am going to direct my questions to you, and I would appreciate your turning, if you have the information there, to the audit, which the NERC conducted of the 1,200 entities connected to the bulk power system that received the FERC advisory recommending certain steps that should be taken to enhance protection against cybersecurity threats and outlining a schedule of either 90 days in the case of some steps or 180 days in the case of other steps, by which those protections should be put in place. You audited a number of those 1,200 entities. As I recall, that number was 30. Is that correct?

Mr. Kelliher. Yes sir.

Mr. Boucher. With regard to those 30 audited companies, how many did you find that were at the time of your audit in full compliance with the advisory that had been issued by the NERC?

Mr. Kelliher. Seven of the 30, sir.

Mr. Boucher. So seven of the 30 were in full compliance? Of the remaining 23, had some of those taken some steps toward compliance but were not in full compliance? Or were there any among those 23 that had taken no steps at all?

Mr. Kelliher. I believe all of the 23 took some steps. It varied on how many they took.

Mr. Boucher. How many would you classify, based on your audit, as still being vulnerable to the Aurora vulnerability determined by the Idaho laboratory?

Mr. Kelliher. Well, that is a more difficult question because full compliance with the advisory itself, in our view, wouldn't necessarily mitigate the Aurora threat. So you are really asking, which companies went beyond the advisory to take steps broader than what NERC had recommended. And that we would say two of the 30 had mitigated the Aurora threat.

Mr. Boucher. Leaving 28 still vulnerable in FERC's view?

Mr. Kelliher. Yes, sir.

Mr. Boucher. OK, talk a little bit about what you found in terms of the compliance schedules that had been adopted by the various utilities. 
Did some of them have truly extraordinary schedules extending over many years as compared to the NERC advisory, which was that these steps be put in place within 180 days?

Mr. Kelliher. Yes sir, and I think there was some confusion in some of the companies between the timelines in the NERC advisory and the scope of facilities affected covered by the NERC advisory with the rules that the Commission issued, the cyber standards that the Commission approved in January, which envisioned a longer time frame than the NERC advisory. Some companies incorrectly assumed that the longer timelines in the FERC rule govern their compliance with the NERC advisory.

Mr. Boucher. So they really didn't understand the NERC advisory?

Mr. Kelliher. Some of them certainly did not understand the timelines of when their actions were supposed to take place.

Mr. Boucher. All right, did you find that there were utilities that had done little or nothing in compliance with the NERC advisory other than simply preparing for the FERC interview that was a part of your audit?

Mr. Kelliher. They readily participated in our review, so I think the industry gets credit for openly participating. They did ask for some confidentiality, and because they are providing this information voluntarily, we agreed to that. In some cases, I don't think there was a sufficient understanding of what facilities really should be covered by the NERC advisory. I think companies thought they could freely determine if facilities were not part of the bulk power system and were therefore not covered by the advisory, and then shrink the scope of facilities where they might have to act to protect cybersecurity. In other cases, there was a lack of appreciation for the communication among their facilities. Many and really most electric facilities are capable of remote operation, and some utilities didn't seem to appreciate how interconnected some of their facilities were.

Mr. Boucher. 
And so I gather from that answer that there were utilities that incorrectly assumed that their equipment was not vulnerable to the Aurora vulnerability, when, in fact, you could readily see that that equipment was subject to that vulnerability?

Mr. Kelliher. Yes, sir.

Mr. Boucher. Did you find any entities that excluded critical assets from the implementation to the extent they were implementing the NERC advisory that should have, in fact, been covered and been a part of that implementation?

Mr. Kelliher. Yes, sir, we think some facilities should have been included that were not.

Mr. Boucher. Let me ask for your reasoning, briefly stated, on some of the key issues that we have detected as remaining outstanding where there is some difference of opinion among interested parties with regard to the discussion draft that we have put forward. Specifically the definition of what constitutes a cybersecurity threat, whether or not the authority that is extended to the FERC should go beyond protecting against cybersecurity attacks to protecting against physical attacks to those facilities, whether or not--I am sorry--the conditions under which there should be a sunset on the emergency powers that would be granted upon a Presidential or Secretary of Energy designated emergency? And then finally, the scope of the authority granted to you in terms of its basic coverage. Should it extend beyond the continental bulk power system to the States of Alaska and Hawaii? Should it extend to major distribution systems in our largest cities such as New York and Washington, D.C.? And I realize that is a question that could occupy a half hour in response. What I am asking for is maybe a 3-minute response if you could.

Mr. Kelliher. OK, I will do my best. In terms of threshold, I think the threshold in the bill is appropriate. 
If the threshold is set so high that it is virtually impossible for the President or the Secretary to make a threat determination, then it is probably better not to legislate in the first place because you will end up with a statute that becomes somewhat of a dead letter. With respect to scope of facilities, we think the scope is appropriate, but it is important for the subcommittee to understand that it is not true that the only cyber threat to the U.S. electricity system is directed at the bulk power system. It can be directed towards other transmission facilities that are not part of the bulk power system. It can be directed towards local distribution facilities. In part, we support the current scope because from FERC's point of view, that is what you entrusted to us 3 1/2 years ago. You said FERC, you are responsible to assure reliability of the bulk power system, not the entire electricity system of the United States. We are sticking with what you entrusted to us 3 years ago. We think that scope is appropriate, but we don't want the subcommittee to think that is the only part of the U.S. electricity system that is at risk. You had four questions. That was only two of them. The----

Mr. Boucher. Well, also the conditions under which there could be a sunset on the emergency power.

Mr. Kelliher. The sunset? I frankly don't think a sunset is appropriate because we are talking about emergency powers and national security law. And FERC isn't usually associated with emergency powers, and I think a sunset is inconsistent with the exercise of emergency power.

Mr. Boucher. Well, if the emergency subsides, then obviously the powers associated with addressing that emergency would no longer be necessary.

Mr. Kelliher. Yes, sir, but I think part of it is how likely do you think the President or the Secretary of Energy would be to declare a threat? If the threat subsided, I think the President and the Secretary would be ready to acknowledge that the threat had subsided. 
And then the FERC action would terminate.

Mr. Boucher. Well, it sounds like your answer to that question is upon a Presidential or Secretary of Energy determination that the threat has ended--because some of the other proposals would have automatic termination----

Mr. Kelliher. Yes, sir.

Mr. Boucher [continuing]. Upon a period of 1 year----

Mr. Kelliher. Yes, sir.

Mr. Boucher [continuing]. As an example unless the emergency was reviewed by affirmative action of the executive. And so your thought on that would be what?

Mr. Kelliher. I think a sunset is workable, but I think it is inconsistent generally with national security law and the exercise of emergency powers. And you have one more question I haven't gotten to, sir, but I----

Mr. Boucher. The definition of what constitutes an emergency----

Mr. Kelliher. OK.

Mr. Boucher [continuing]. And the notion of substantially as a part of the statutory definition.

Mr. Kelliher. We support the ``or'' configuration not the ``and'' configuration because we think the ``and'' configuration just sets the bar too high.

Mr. Boucher. That is too limiting in your view?

Mr. Kelliher. Yes, sir.

Mr. Boucher. All right, thank you. One other question I have.

Mr. Kelliher. Yes, sir.

Mr. Boucher. Did you estimate while you were undertaking your audit of entities attached to the bulk power system what the cost of complying with the FERC advisory would be for the typical attached entity? That is a key consideration. If it is a minor cost, then there would be little reason for noncompliance to have occurred certainly to the extent that it did. If it is a major cost, then obviously a different set of considerations begin to apply, and that would necessarily affect timeframes that you would want to have in your order or that we might want to have in the statute for obtaining compliance. So the question of cost is relevant. As a part of your audit, did you address that question?
And if so, do you have an estimate of what the cost of compliance per covered facility would be?

Mr. Kelliher. We do not have a good estimate of what the cost of compliance would be. One aspect of FERC being the actor in this area is that FERC is a regulatory agency, and we can provide for cost recovery. And I think that is an important consideration to industry. And we don't regulate all parts of the electricity industry--I wanted to make sure Sue Kelly heard me say that.

Mr. Boucher. It is an important concern to industry, but a larger concern that we take into consideration is the ultimate cost to the energy----

Mr. Kelliher. Yes, sir.

Mr. Boucher [continuing]. User as well.

Mr. Kelliher. Yes, sir.

Mr. Boucher. And cost recovery simply shifts it downward----

Mr. Kelliher. I agree.

Mr. Boucher [continuing]. To the ultimate user, and that is something we would need to consider. So----

Mr. Kelliher. Yes, sir.

Mr. Boucher [continuing]. One thing that I would be very interested in learning, and perhaps other witnesses in their opening statements could address this, is what that estimated cost would be. My time has been grossly exceeded here. Mr. Kelliher, you have been very helpful. I thank you and recognize the gentleman from Michigan for his questions.

Mr. Upton. Thank you again for your testimony this morning. I do have a couple of questions. And for me again, I am very anxious for our classified briefing with perhaps a few more parties that can help us with this issue so that we can appropriately so come up with the absolute best vehicle. And of course, as I think back, it was the blackout through much of the Midwest that really prompted the '05 bill. That was the engine that drove the train, bringing about those reliability standards which passed on a pretty broad bipartisan basis. Both Mr. Dingell and Mr. Barton had key roles. They supported the bill. The same thing was in the Senate. I was a part of that conference, and we are glad to see it happen.
And I guess if I had to use an analogy, I raised about the FAA towers, the FAA control back on 9/11 today ordering all the planes to come down. In essence, you all can send out advisories, but you can't enforce what you have to say. So it would be very much along what American Airlines was told a few months ago when they literally had to shut down their airline as they had to rebundle all of those wiring packages in their planes because the advisory came out. And those planes couldn't fly until it was done. And in essence, I would think that we need to make sure that you have the power to, as you issue those advisories, to make sure that they are completed in a timely manner. And in response to Mr. Boucher's question about cost, I suppose as part of that advisory, you could ask the utilities what they anticipate those costs to be. Is that not something that you do now then in terms of the advisories that go out or not?

Mr. Kelliher. Certainly with respect to any action we take to mitigate the Aurora threat, that would be through a notice and comment rulemaking, and the industry would certainly raise cost in the context of that rulemaking.

Mr. Upton. What type of trigger would you mean? As we think about Jim Langevin, our colleague who spoke earlier in terms of the chain of command. And one of the issues that he raised was that it may happen so fast, cyber seconds, you may not have time to go to the whatever chain of command that you have, whether it be the NSA, the President, the Secretary of Energy. What type of pre-trigger would you suggest be employed for you to I would suppose, what shut down a utility or shut down part of the grid to make sure that it doesn't expand? Is that the type of threat that you would envision would happen?

Mr. Kelliher. Let me try to come up with a hypothetical that could try to put it in place, and hypotheticals are sometimes useful, sometimes not helpful. But I will take the risk.
Let us assume that the Department of Energy or the President or somewhere in the National Security Agency, they identified some threat to substations in a city. There was some effort to destroy substations, and the President or the Secretary made a finding consistent with the statute, that there is a credible--I don't actually remember the exact words--but the President or the Secretary made a finding consistent with the statute. FERC would not be in a position to make that finding because we are not an intelligence agency. But upon that finding, we could theoretically identify where there are spare transformers in a country. We could theoretically order them to be relocated to that metropolitan area in anticipation of a possible attack. And we could also allow for cost recovery for the owners of those transformers, if they are regulated entities. And we could try to come up with a creative approach to address cost recovery if they are not. That is the kind of thing that conceivably we could do under this scenario. In an urban area, we could order generators to have higher spinning--to operate their system differently to basically have more generation on call in the event some facilities were damaged or destroyed. So there are operational changes that we could order. We could order the relocation of spare transformers, and there would be other hypotheticals as well.

Mr. Upton. That would take time though. I mean that would actually be something--by the time you located a generator and move it to the right spot, it could----

Mr. Kelliher. Not the second one. Ordering generators to have higher spinning reserve levels, that is something that could be done immediately.

Mr. Upton. You know, as I think about what happened back in '05--and remember I am from Michigan----

Mr. Kelliher. Yes, sir.

Mr. Upton [continuing]. So go like this.
And I live over here, and we have two nuclear plants, and I can remember one of our plants, the Palisades plant, they were within less than a minute of shutting that facility down because of the drain on the network from Columbus and Ohio and other places. It was just sucking the power through the grid, and had that shut that plant down, it would have gone right around the horn over to Chicago. And it would have been even far worse. So they had to make the decision as to whether they were going to keep it online. And thank goodness they didn't have to hit the shutoff button, which who knows how long. It would have been much longer, much more in damages in terms of what would have happened. But that was their own independent decision as to whether they were going to--and I think it was Consumers Energy then owned it. It could have been Entergy, but it was that nuclear plant that, because it stayed on, actually prevented it from going and hitting even more of the Midwest than what happened. But as I recall that was their own independent decision. It wasn't FERC that told them to shut it down or somebody else. And I don't know if the '05 act would change that, who would enforce it. If it was a cyber act, you would think that again it would be pretty--whoever the president would be would take almost immediate action to try and prevent damages or loss from expanding beyond perhaps individual facilities which would trigger even broader blackout for who knows how long.

Mr. Kelliher. That kind of scenario in terms of the 2003 blackout, that might--I am not familiar with the particular circumstances of that nuclear plant. But that is something that could be covered by the reliability standards that the Commission approved a year-and-a-half ago. But if----

Mr. Upton. But who would give that order? I mean would you--are you able now to enforce----

Mr. Kelliher. I think----

Mr. Upton [continuing]. Have some enforcement action?

Mr. Kelliher.
I can't say with certainty that there is a current reliability standard that would govern the decision by a nuclear plant whether or not to continue to operate because nuclear plants--there are standards that the NERC establishes, the governing loss of offsite power. And nuclear plants, I think they generally do shut down when they lose offsite power. So we have tried to synch up our reliability standards with NERC standards, and we wouldn't want to interfere with NERC safety standards.

Mr. Upton. Yes, I wonder if we should have the NERC as a participant in our meeting next week. Probably should. So I have gone beyond my time as well, so I yield.

Mr. Kolevar. Mr. Chairman, if I can respond to the Congressman's question as well. When we look at this, there are really probably three situations that we need to think about when we are talking about threats to the grid and then immediate reliability implications and long-term reliability implications. Congressman, I think the situation you described falls into the latter category. Those are actions that the utilities would take or that the operators at that nuclear facility would take as a result of the standards development process. When we are looking at the draft legislation today at the Department of Energy, we really seek two other scenarios. One is you have a credible threat probably against a specific facility or a portion of the grid that requires immediate action. The Department of Energy does exercise some similar emergency authorities for the purposes of interconnection in particular. And that can be issued in about an hour. I think the FERC actually has some similar authorities to 202C that are able to be executed very quickly. So that is your imminent immediate threat to which the Federal Government must take action and respond and give direction to the sector. The second is the situation that I think Aurora exemplifies, and that is a vulnerability.
But the risk of exploitation of that vulnerability is relatively low. You don't have a player. You don't have a time. You don't have a specific threat. And in that type of situation, that does speak to an interim authority at the FERC over a period of 90 days, 120 days, 6 months, whatever it is that the commission of the utilities decide is most appropriate to speak to that threat and identify the interim standards that are going to be employed to ensure that that threat can't be exploited.

Mr. Upton. Thank you.

Mr. Boucher. Thank you very much, Mr. Upton. The gentleman from Oregon, Mr. Walden, is recognized for 5 minutes.

Mr. Walden. Thank you very much, Mr. Chairman. I think it is appropriate we are having this hearing today because I think for some of us this issue really came to life in a post-9/11 environment, some of the briefings that we had at that time. And for those of us in the West with the long interconnection ties, I think of my district in Oregon where we ship the power from the hydro system through those big DC converter lines down to California at all. That there are enormous vulnerabilities and opportunities for mischief, if not downright destruction. And I guess, Mr. Kelliher, I would like to ask a couple of questions. One involves this--and I have had no classified briefings on this. So if I stumble into an area I don't belong, shut me down. That is fine. But it would seem to me that, if there is a cyber threat, is the issue that they can do a phase shift then and modify the power itself and cause disruption in the transformers. Is that part of it? Can they do voltage spikes? Blow up the transformers? What sorts of issues do we need to be aware of here?

Mr. Kelliher. It is probably better to say they can cause physical damage and actually destroy facilities like transformers, and there are different ways they can--a cyber attack could cause that damage.

Mr. Walden.
And then when it comes to the destruction of transformers, because that could be done with an explosive device. I mean today somebody could go out to one of those substations and do damage. Have we in the interceding 7 years taken stock of sort of our transformer supply? Because my understanding is that it could take months if not perhaps longer than that to replace some of these transformers if you had to start over from scratch and build them. Is that correct?

Mr. Kelliher. We have taken the first steps at FERC to encourage the development of spare transformers.

Mr. Walden. OK.

Mr. Kelliher. Because, as you say, transformers, they can take months, perhaps a year or longer actually to manufacture. And there generally are not very many spare transformers in the United States.

Mr. Walden. They are very expensive.

Mr. Kelliher. They are very expensive. So we have issued an order that would provide for cost recovery to the extent regulated companies develop spare transformers so that they could then be pooled for use.

Mr. Walden. And do you know are there companies taking advantage of that?

Mr. Kelliher. I don't know the status of whether there has been an increase in the purchase of transformers. We have an order that allows for cost recovery. I don't know what has followed the issuance of our order.

Mr. Walden. Because I can see an oversight hearing post some event where we question the utilities about why they didn't take advantage of that and have at least some sort of backup. I realize you are not going to have one for one. I fully understand that, but it would seem to me that is an area where we would need backup because isn't the alternative that the grid could be down for a long period of time?

Mr. Kelliher. Certain facilities can be damaged or destroyed, and that is different than a blackout scenario where you can recover relatively quickly. Recovery could take longer in the wake of a successful cyber attack.

Mr. Walden. Or a physical attack.

Mr. Kelliher.
Yes, sir.

Mr. Walden. Either one. So it would seem to me that, one, we need to investigate more in terms of where utilities are in backup transformers because that just seems logical to me. Just as you have generators ready to go in case there is a hurricane somewhere or any other disaster. This notion of having backup transformers would certainly make sense. This other issue about having to have a presidential declaration and all. It would strike me--and perhaps, Mr. Kolevar, you can address this as well--that if a utility or grid manager got word that there is some potential cyber attack, wouldn't they want to react instantly to stop any damage to their systems?

Mr. Kolevar. I would expect they would.

Mr. Walden. And I heard some reference that it could take upwards of an hour perhaps. Why would it take that long?

Mr. Kolevar. Your question goes to the actions that the utility----

Mr. Walden. Right.

Mr. Kolevar [continuing]. Upon information----

Mr. Walden. Like shutting down a nuclear plant.

Mr. Kolevar [continuing]. Would take. My experience with the electric sector is they would take immediate actions to protect their system. They do that now when they have anomalies on the grid. To the extent that you are talking about an emergency order issued by the Federal Government--and for our purposes, we think the analogous order is a section 202C order under the Federal Power Act where the Secretary of Energy finds that an emergency exists in the sector, and that might be because of a natural disaster. The hurricanes that hit in 2005----

Mr. Walden. Right.

Mr. Kolevar [continuing]. Caused one. Or we have a reliability emergency, which was the case in the order that was issued for the local Mirant plant on the Potomac River.
And the point is to say that where there is a need to act quickly with Federal orders speaking to the operation of a system, that there is a history of the Federal Government moving very quickly from administration to administration in preparing and releasing an order to the electric sector to respond accordingly.

Mr. Walden. All right, Mr. Chairman, I know my time has expired, and I know we have been joined by my colleague from Illinois. So I would thank you for your indulgence.

Mr. Boucher. Thank you very much, Mr. Walden. The gentleman from Illinois is welcomed to the subcommittee today, and Mr. Shimkus is recognized for 5 minutes.

Mr. Shimkus. Thank you, Mr. Chairman. I was on the floor, as you know, fighting for coal. Thought you would appreciate that.

Mr. Boucher. Did you bring some with you?

Mr. Shimkus. Right here. It is good southern Illinois coal.

Mr. Boucher. We talked about coal a lot in this subcommittee. I am not aware we have actually had it here before.

Mr. Shimkus. Well----

Mr. Boucher. I thank the gentleman.

Mr. Shimkus. We need a new good electric grid for all that Illinois coal to be used in electricity generation and spread to lower prices for all over the country, Chairman. I am unprepared to follow up with concise questions. So I will just yield back, Mr. Chairman.

Mr. Boucher. Well, you will have your opportunity on the second panel, and I thank the gentleman. Mr. Kelliher, did you care to make another remark?

Mr. Kelliher. Mr. Chairman, I just wanted to clarify my earlier comments about the sunset. I do think generally a sunset is inconsistent with the use of emergency powers, but FERC has, in our discussions with industry groups and with others, agreed to a sunset in the scenario where if there would be a Presidential finding or a finding by the Secretary, FERC would be directed to act. We have agreed to a 1-year sunset in the course of discussions in order to develop the broadest possible consensus.
So I just wanted to clarify my comments on sunset.

Mr. Boucher. And then on the question, Mr. Kelliher, of the basic powers that the statute would confer upon FERC, that would not be subject to a sunset? The basic requirements that the facilities connected to the grid take certain steps, all of them take certain steps as a basic protection against cybersecurity would not be subject to sunset. It would only be the emergency powers that are granted pursuant to special Federal finding, Presidential finding that there is a unique emergency that would be subject to some sunset?

Mr. Kelliher. Yes, sir, and the permanent standards that we have established under section 215 would not sunset, would not be affected. It would be the emergency actions, if you will.

Mr. Boucher. Thank you for that clarification. It is very helpful. Mr. Kolevar, Mr. Kelliher, I know that both of you have urgent obligations elsewhere. We thank you for your attendance this morning, and you are excused. We now turn to our remaining witnesses on the panel who have already been introduced. And we would ask that your oral statements be kept to approximately 5 minutes, and that will leave us ample time for questions. Mr. Sergel, we will be happy to begin with you.

STATEMENT OF RICHARD P. SERGEL, PRESIDENT, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Mr. Sergel. Thank you, Mr. Chairman and members of the subcommittee. My name is Rick Sergel, and I am the president of the North American Electric Reliability Corporation, known here as NERC. I appreciate the opportunity to appear before you today on this very special day and on this very important topic. Let me be clear: the risk to the operation of the Nation's electricity system from potential intrusion through the Internet into computerized system control capabilities, AKA cybersecurity attacks, is real. It is not new.
The Energy Policy Act of 2005 in which this committee played a major role and which, for the first time, authorized the promulgation and enforcement of mandatory reliability standards to protect the bulk power system defined reliability standards as specifically including cybersecurity protection. You identified that early on. But at the same time, the nature of the threat is new every day because it changes all the time. And as the entity entrusted with protecting the reliability of the North American bulk power system, subject to FERC oversight in the United States, NERC takes very seriously its responsibilities for protecting the cybersecurity of the North American bulk power system and meeting this ever-evolving threat. NERC now has the ability to enforce over 100 reliability standards, including nine dealing with cybersecurity. These standards have improved the reliability of the system, including its cybersecurity. However, cybersecurity threats are different from other reliability concerns. Potential threats can arise very quickly, requiring rapid, effective, and often confidential responses. Cybersecurity threats are more likely to be driven by intentional manipulation of devices as opposed to operational events in the bulk power system, such as lightning or equipment malfunctions. When there is an imminent cybersecurity threat, the response must be immediate. It must provide for confidential treatment of critical information, rapid threat analysis, and directed actions necessary to address the threat. NERC develops reliability standards using a transparent process that provides for full participation of interested parties and draws heavily on industry expertise, but this takes time, and it takes transparent exchanges of data and views that are not well suited for a cybersecurity threat. For these reasons, it is NERC's position that in the event of an imminent cybersecurity threat, the U.S. Government should be authorized to act immediately. 
With emergency responsibilities in the hand of government, NERC will be better able to do what it does best. That is develop and implement cybersecurity reliability standards that will harden the grid against intrusion and aid in responding effectively to cybersecurity incidents. NERC is committed to ensuring the reliability of the system and assuring that NERC's efforts will be complementary to those of government and industry with regard to cybersecurity protection. Finally, NERC is committed to assuring that there are no gaps and that responsibility is clear for execution of cybersecurity protection initiatives. With helpful guidance from Chairman Langevin, NERC has elevated the importance and the urgency of understanding and addressing cybersecurity threats. Key elements of this strategy include consolidating responsibility for coordination of all cybersecurity matters across all NERC activities into a single responsibility area led by our new chief security officer, Michael Assante, who is here with me today. Improving our standards and developing processes to enable us to set standards on a more expedited basis are also important, as well as: raising the importance of the issue within the industry by engaging CEOs at the strategic and policy setting level; communicating more effectively with industry on critical infrastructure security matters; and coordinating effectively with the multiple government stakeholders involved in protecting the grid from cybersecurity attacks. You have talked about that several times this morning. In summary, cybersecurity threats to the bulk power system are real. Working with the government and industry, NERC is committed to addressing these threats; however, in order to address an imminent cybersecurity threat, the Federal Government must have emergency authority to act. NERC commends the subcommittee's efforts to develop appropriate emergency legislation and pledges to assist in this effort in any way that we can.
Several times this morning, you have discussed our actions with respect to responding to Aurora. I think it is fair to say that when we acted with respect to Aurora by issuing our advisory, we did do some good. There has been progress as a result of sending that out, and we did the right thing to send it out. We also demonstrated, and for NERC painfully, the limitations of that process. There are limitations with respect to every aspect of it, including who did it go to. You mentioned numbers here today, 1,200, 1,500. I am uncomfortable with all of those because we know so much better who the individuals are that should get that advisory today than we did at that time. But the most important thing that we demonstrated was the limitation of trying to use a voluntary standards process and thinking that it could deal with an emergency threat. We recognize that there is a better way to do that and would ask you to establish legislation that can make that happen. Thank you very much.

[The prepared statement of Mr. Sergel follows:]
Mr. Boucher. Thank you very much, Mr. Sergel. Ms. Kelly. STATEMENT OF SUSAN N. KELLY, VICE PRESIDENT, POLICY ANALYSIS, AND GENERAL COUNSEL, AMERICAN PUBLIC POWER ASSOCIATION Ms. Kelly. Thank you. I am Susan Kelly. I am the Vice President of Policy Analysis and the General Counsel of APPA. And I have with me Alan Mosher, who is our Senior Director of reliability. We represent the interests of more than 2,000 publicly-owned electric systems in 49 States, and we serve 45 million Americans. Those of you who know our industry know it is rare for our trade associations to speak with one voice on a federal energy policy issue, for legitimate reasons. We generally have very different views. But on the issue of protecting the bulk power system from cybersecurity emergencies, we have come together. APPA, the Canadian Electricity Association, the Edison Electric Institute, the Electric Consumers Resource Counsel, the Electric Power Supply Association, the Large Public Power Counsel, the National Association of Regulatory Utility Commissioners, the National Rural Electric Cooperative Association, and the Transmission Access Policy Study Group all support carefully crafted specific legislation as the basis to deal with the discrete issue of cyber system emergencies. We understand the seriousness of the issue and the need to deal with it, but at the same time, we think that legislation needs to be carefully crafted and narrowly drawn. The subcommittee has asked me to address several issues regarding the House discussion draft. The full answers are in my written testimony, and I will just hit the highlights here. The associations support the House discussion draft with the specific language options that the associations have proposed. As so modified, we think it provides the commission with sufficient authority to deal with cyber system security emergencies. The draft would fill a narrow gap in the mandatory reliability standards regime that has been set up under section 215. 
Under that section, FERC has certified NERC as the ERO. With the help of hundreds of industry volunteers, NERC develops and enforces mandatory reliability standards for the bulk power system to keep our lights on. FERC oversees NERC's activities in the United States. But NERC's standards also apply to utilities in Canada and northern Mexico. This industry-based framework is working to assure the reliable planning and operation of the bulk power system. Cybersecurity emergencies present a special case for three different reasons. First, they require protection against deliberate, malicious attacks intended to disrupt bulk power system operations. Second, new and unforeseen threats can arise very quickly, leaving little time to react. Third, there is a need for confidentiality, at least until the initial measures are in place. For these reasons, the association supports specific legislation to deal with such emergencies, but it must not undermine the section 215 framework. That framework needs to be able to continue to develop and mature. The House discussion draft dovetails with section 215. It is limited to the users, owners, and operators of the bulk power system. As NERC has applied that term in practice with FERC's approval, retail customers, local distribution facilities, small generators, and small utilities are generally excluded from the scheme. Any new cybersecurity legislation should apply to the same universe of facilities and entities. To do otherwise would raise jurisdictional and implementation issues that could greatly complicate consideration of this legislation. State regulatory commissions regulate local distribution facilities. The state's authority to regulate the reliability of local distribution networks and service should be preserved. I was specifically asked to discuss the remaining differences between the associations and FERC on the House discussion draft. The associations negotiated at length with FERC staff regarding this draft. 
We reached closure on many issues. We thank the FERC staff for the constructive and positive attitude it displayed throughout the negotiations. We were unable to reach closure on three issues, but that should not undermine the very substantial progress that we did make. The three areas are, first, the definition of a cybersecurity threat, as you have already heard. The associations and FERC agreed on most elements of that definition, but we think our proposed language limits the legislation to true cybersecurity emergencies, meaning threats that have a substantial likelihood of happening and that could substantially disrupt operations if they do happen. FERC's proposed definition is broader. The second issue is the inclusion of national security threats. FERC wants to expand the legislation to include ``other national security threats'' as well as cybersecurity threats. Our associations believe that other government entities, both State and Federal, have more direct responsibility in the general area of national security. Moreover, this additional authority is quite vague in its wording and potentially all-encompassing in nature. We think including this language would spark an intense discussion that could slow the legislation down. Third, the sunset of interim measures that FERC enacts. We negotiated at length with FERC on the sunset provisions, and we reached closure on all issues except one. And that has to do with whether the sunset after 1 year unless there is an indication from DOE or the President that it should continue, should apply to both the interim measures under subsection B and the emergency measures under subsection C. Subsection B deals with Aurora. Subsection C deals with what happens thereafter on a going forward basis. We think those measures and orders should be either time limited by their natures or replaced by NERC reliability standards because in the long run, we think the standards should deal with this. 
FERC doesn't agree with this position. We couldn't reach closure, but we do think that we made a lot of progress on legislation. As this process moves forward, we strongly urge Congress to retain the carefully crafted language that the associations support. We thank you very much, and we stand ready to answer questions.

[The prepared statement of Ms. Kelly follows:]
Mr. Boucher. Thank you very much, Ms. Kelly. Mr. Naumann.

STATEMENT OF STEVEN T. NAUMANN, VICE PRESIDENT, WHOLESALE MARKET DEVELOPMENT, GOVERNMENT AND ENVIRONMENTAL AFFAIRS AND PUBLIC POLICY, EXELON CORPORATION

Mr. Naumann. Thank you, Mr. Chairman, members of the subcommittee. My name is Steven Naumann. I am Vice President for Wholesale Market Development for Exelon Corporation. I serve as Vice Chairman of the Members Representative Committee of NERC. I am also accompanied by Mr. Dan Hill, Exelon Senior Vice President and Chief Information Officer. I appreciate the opportunity to testify about protecting the electric grid from cybersecurity threats. I am appearing today on behalf of the Edison Electric Institute and the Electric Power Supply Association, and Exelon is a member of both these groups.

My testimony focuses primarily on the nature of cybersecurity threats to the bulk power electric system and the efforts of electric utilities to respond to those threats, but it will also touch on proposed legislation before the subcommittee. I want to start, however, by assuring the subcommittee that Exelon and other electric utilities take cybersecurity very seriously. Electric utilities routinely monitor for and detect electronic probing of their systems from a variety of sources, confirming the likelihood of real cybersecurity threats. However, utilities and other private sector entities are at a disadvantage in assessing the degree and the urgency of possible or perceived cyber threats because of their limited access to intelligence possessed only by the government.

Many cybersecurity issues are already being addressed under current law. Critical infrastructure protection standards have been implemented under section 215 of the Federal Power Act, which provide for mandatory and enforceable reliability rules. However, the current reliability regime has limitations in its ability to be responsive to emergencies requiring immediate, focused, and confidential actions.
Therefore, it is appropriate for Congress to provide FERC with explicit authority to address cybersecurity in certain emergency situations. Any new FERC authority should be complementary to the existing authorities under section 215 of the Federal Power Act, which rely on the industry expertise as the foundation for developing reliability standards. Legislation should clarify the respective roles, responsibilities, and procedures of the Federal government and of industry; be narrowly tailored to deal with real emergencies; and promote consultation with industry stakeholders and owner-operators of the bulk power system on remediation measures.

The scope of damages that could result from a cybersecurity threat depends on the details of any particular incident, but a carefully planned cyber attack could have potentially serious consequences. In mitigating a particular cybersecurity vulnerability, electric utilities must also consider the potential consequences caused by any mitigation measure on safe and reliable utility operations. For these reasons, for ensuring the cybersecurity of the bulk power system, the best framework is one that utilizes the respective strengths of both the government and the electric companies. It is critically important that as much as possible, any cybersecurity framework provide for ongoing consultation and sharing of information between government agencies and utilities to the extent possible.

In conclusion, I want to reassure the subcommittee that owners, operators, and users of the bulk power system take cybersecurity very seriously. We are actively engaged in addressing threats as they arise, and in employing specific strategies that make every reasonable effort to protect our cyber infrastructures and mitigate the risks of cyber threats.
As the industry relies increasingly on electronic and computerized devices and connections and the nature of cyber threats continually evolves and becomes more complex, cybersecurity will remain a constant challenge. But we believe we are up to the task of building on the industry's historical and deep-rooted commitment to maintaining system reliability. I appreciate the opportunity to appear today and would be happy to answer any questions. Thank you.

[The prepared statement of Mr. Naumann follows:]
Mr. Boucher. Thank you very much, Mr. Naumann. Mr. Lawson.

STATEMENT OF BARRY R. LAWSON, MANAGER, POWER DELIVERY, NATIONAL RURAL ELECTRIC COOPERATIVE ASSOCIATION

Mr. Lawson. Chairman Boucher, Ranking Member Upton, and members of the subcommittee, thank you for the opportunity to testify today on cybersecurity issues and their potential impacts on the bulk power system. My name is Barry Lawson, and I am the manager of power delivery for the National Rural Electric Cooperative Association. NRECA is a trade association consisting of nearly 1,000 cooperatives, providing electricity to 41 million consumers in 47 States. One of my primary areas of responsibility at NRECA is reliability, including cybersecurity.

NRECA and its members understand the importance of cybersecurity. To arrive at the draft bill before you today, NRECA has worked closely with its industry counterparts and with FERC and NERC. NRECA commends FERC under Chairman Kelliher's leadership for its proactive outreach on the topics we are discussing today. Provisions in this draft bill can provide swift, effective emergency protection to the bulk power system in those limited circumstances when NERC cannot. NRECA supports the House discussion draft with the specific language options proposed by the associations.

NRECA has been actively engaged with NERC from its origin over 35 years ago, to its transition into the industry ERO and as it issues reliability standards, including the cybersecurity standards FERC approved earlier this year. In January 2008, I began a 2-year chairmanship of the NERC critical infrastructure protection committee. The CIPC is a NERC standing committee that advises the NERC board of trustees on issues related to critical infrastructure protection including cybersecurity. My position on the CIPC requires me to interact with NERC, DOE, and DHS staff on an ongoing basis and contributes to the viewpoints I will share with you today.
As both a participant in NERC and an interested observer of its role as the ERO, NRECA believes that the self-regulatory model is the best means of maintaining a strong, reliable bulk power system. The model recognizes that the electric industry addresses events and threats every day, including those posed by natural disasters, vandalism, and equipment failures.

Last fall, many Members of Congress and the public were introduced to cybersecurity when news outlets ran a story and video showing a small electric generator that was damaged during a test. The news report said a government lab had demonstrated that computer hackers could cause physical damage to equipment through cyber means. The government labeled this vulnerability Aurora. Today, almost no one outside the intelligence community has been able to examine the technical and engineering details of the Aurora vulnerability. Key information about the vulnerability is still classified.

Members of the NERC CIPC first received limited, unclassified information about the Aurora vulnerability from DHS in March of 2007. We were strictly prohibited from sharing this information, meaning I could not inform member cooperatives. In June 2007, DHS placed limited information and mitigation measures into a document that NERC utilized as an industry advisory. Although these measures did not reveal specifics about the vulnerability, cooperatives and other utilities that own or operate bulk power system facilities used their collective expertise to implement the measures on their individual systems. Aurora demonstrated the need for utilities to receive more timely and detailed information from intelligence sources about threats and vulnerabilities and their engineering, cyber, and mechanical implications.

Under the existing rules and procedures created by NERC and approved by FERC, NERC can deal with a wide range of cyber threats.
NERC's standards development process can sometimes be lengthy to accommodate the highly technical nature of the subject matter. But it can also be shortened when expediency demands. NERC has two special procedures for developing standards more quickly. The urgent action process was developed to approve standards within a few months, and the emergency action process was developed to approve standards within a few weeks. Both processes should be used whenever needed for the expedient development of reliability standards, including those related to cybersecurity.

As Mr. Sergel explained to you, NERC recently wrote its board of trustees and industry stakeholders to explain changes and improvements it plans regarding its focus on cybersecurity. This NERC initiative is critically important to the reliability of the bulk power system, and we support these efforts.

NRECA is working closely with its counterparts across the industry and agrees there is potential for some cyber threats and vulnerabilities so imminent and substantial that even revised and strengthened NERC procedures cannot assure the timely distribution of information and direction to industry to effectuate an adequate industry response to protect the bulk power system. In those limited circumstances when the President of the United States has determined emergency action is warranted, FERC should be able, after consulting industry and government authorities in Canada and Mexico, to issue orders addressing the emergency.

In conclusion, NRECA supports the House discussion draft with the specific language options proposed by the associations. Like our industry counterparts, NRECA is prepared to assist the subcommittee and full committee with advancing this legislation. NRECA also looks forward to continued cooperation with FERC. I am happy to answer any questions you have.

[The prepared statement of Mr. Lawson follows:]
Mr. Boucher. Thank you very much, Mr. Lawson, and we thank each of the witnesses for their testimony here today. Mr. Naumann, maybe you can answer the question about cost of implementation. Using the NERC advisory as the standard, realizing that Mr. Kelliher is suggesting that it probably didn't go far enough and that he thinks to completely address the Aurora vulnerability that steps beyond that should be taken. But leaving that aside, just use the NERC advisory as the foundation. What would it cost a typical investor-owned utility to comply with that NERC advisory?

Mr. Naumann. Mr. Chairman, could I have one second to consult with Mr. Hill who probably can get me that answer?

Mr. Boucher. In the interest of getting the information, of course.

Mr. Naumann. Thank you, Mr. Chairman. Mr. Chairman, to comply with the Aurora vulnerability as we were told, and we believe we are fully compliant, was a relatively minor cost across the entire Exelon Company, and that included the nuclear stations, which technically were not part of the advisory. Having said that, we understand from listening to Chairman Kelliher that they believe that there are additional vulnerabilities too that were not covered by the advisory and that we don't really know about. It would be very hard to estimate the cost without knowing what the vulnerability is, nor what the recommended mitigation is and----

Mr. Boucher. Which is why I phrased the question only in terms of the NERC advisory.

Mr. Naumann. Yes, sir.

Mr. Boucher. Well, I am pleased by your answer that it is a relatively minor cost. Is there a dollar figure attached to that relatively minor estimate?

Mr. Naumann. We don't have it now. If you want, we can try to obtain that.

Mr. Boucher. It would be helpful.
If you could just send us a letter addressed to the subcommittee following this hearing that states what you think the dollar cost to Exelon would have been across your company to meet the recommended security measures contained in the NERC advisory. That would be very helpful to us. Let me extend that question to others on the panel who might want to respond on behalf of their associations. Ms. Kelly, Mr. Lawson, do you have any answer to what the cost per covered entity would be?

Ms. Kelly. I do not have any such answer for you at this time. We could obviously provide that for the record.

Mr. Boucher. It would be helpful if you could. Mr. Lawson.

Ms. Kelly. And we will look to primarily the three utilities that came in and met, from our membership, with FERC to discuss the vulnerability and what they had done. But I would like to state, and I think Mr. Lawson may be able to elaborate, that there really is a question even as to the NERC advisory as to what constituted compliance and it was not necessarily as clear as it might have been. And so, there was certain--we weren't sure what bar we were being asked to meet. And I think that was a concern.

Mr. Boucher. Well, I am trying to get as broad an estimate as possible. We are in the posture now of statutory drafting where we are going to be making some decisions in the very near term about how we empower FERC to move forward with its rulemaking on this subject. Now, a key part of those considerations will be timeframes under which we expect that actions will be taken, actions taken by the FERC, yet advancing its rulemaking process to conclusion. And then actions that would be taken by the covered entities to comply with the rules that FERC puts forward. We may or may not have specifications within the statute that address the latter part of that.
But having some understanding of cost and to the extent that you would want to comment on it, other kinds of implementation challenges that you might foresee would assist us in that. Now, as Mr. Naumann pointed out, I fully realize that making definitive decisions about this are difficult at this stage because we really don't know what FERC would choose to do beyond the NERC advisory in terms of steps that would be required for covered entities. So probably our decision will be to simply empower FERC to set the timeframes for compliance by the covered entities. It would be difficult for us to establish that statutorily, but there may be those on our panel who want to do that. So having some information about what the cost to you would be, what other implementation issues you see, just using the NERC advisory itself as a foundation would be helpful to us. Mr. Lawson, would you have any comment about this?

Mr. Lawson. Similar to Susan Kelly's comments in that we don't have cost info from the individual cooperatives. I think the best we could do would be to talk to the cooperatives that did meet with FERC on the Aurora advisory and see if they have that kind of information that they can provide us. It is important to understand that cost can vary depending on the scope of the assets at each utility. It is going to be very difficult to have a typical cost. And also what I would be asking the cooperatives would be their cost associated with the language specifically in the NERC advisory.

Mr. Boucher. OK, that would be fine. Let me move to one other question, and again I will ask you as I have asked Mr. Kelliher to be somewhat brief in this answer. I would be interested in your views, succinctly spoken, on three questions. Number one, do you believe that the authority that we will be conferring on the FERC to guard against cybersecurity attacks should go beyond the cybersecurity and actually cover physical attacks that might be made on the covered facilities?
That is number one. Number two, address, if you will, the question of sunsets on FERC actions, FERC orders. In the first category would be the basic steps that all covered entities would have to take in order to address the Aurora vulnerability specifically. I can tell you my own view is that ought to be permanent in nature. But if you disagree with that, I would like to hear a reason why. And the second category is steps that would have to be taken by the covered entities under FERC order pursuant to a presidentially declared unique emergency. Should there be a sunset on those orders? And if so, what should be the conditions that trigger the sunset? And then number three, what should be the basic scope of the authority that we extend to FERC with regard to the covered entities themselves? Should it just be the continental United States bulk power system? Or should it extend to Alaska and Hawaii and their separate electrical systems? And should it extend to the distribution systems in our larger cities? And I know, Ms. Kelly, you addressed that at some length in your testimony, but I would like to hear what other witnesses have to say. So in view of the fact that Mr. Shimkus is eagerly awaiting his question time, let me ask you to be as succinct as you can in providing that answer. And who would like to begin? Mr. Sergel?

Mr. Sergel. Address a couple of those for you. Our role here is to make sure that we can seamlessly and effectively implement whatever legislation you pass and do that and further the good work that was established when you enacted section 215 and created an ERO. So that is where I come from. I think with respect to how broad is the authority, the highest priority is the bulk power system. That doesn't mean there aren't important things in the distribution system. There are, and let me be clear to the extent that the bill doesn't cover that, that will leave open something.
That will make me uncomfortable that that is uncovered, but the higher priority is the bulk power system. Hawaii and Alaska are special considerations, and maybe that is independent of distribution. And potentially you could look at it that way because that is even a greater concern. With respect to the sunset provisions, we are going to be able to implement that successfully regardless of what those provisions are. With respect to the authority and how it is granted, we will seek to implement it effectively as written. But the clearer that authority is, and the better that that is laid out, certainly we will be able to implement it better. And finally I would say with respect to--and I think the language in the draft that I looked at was ``and other national security threats.'' Again with respect to that, clearly cybersecurity is the highest priority here. It is the simple one that is most important. It is what we have been focusing on. It is not to minimize other national security here in this context, but we understand those better. We have other ways of doing those things. It is not the highest priority for me.

Mr. Boucher. Thank you, Mr. Sergel. Ms. Kelly.

Ms. Kelly. Thank you. Your first question had to do with the physical attacks, and I will start there. The association position is no, that they should not be covered in this legislation and in part for the reason that Mr. Sergel just stated is that there are other governmental authorities and entities. And I would just note the FBI, the Department of Energy, state and local law enforcement that are all involved in those activities. And we already have to answer to a substantial number of masters in that regard. Second, the sunset question you asked. The association position is that that should apply to both the interim authorities that are exercised under B, and the emergency authorities under C. Our reasoning for that was that--I am sorry?

Mr. Boucher. Go ahead.

Ms. Kelly.
OK, our reasoning behind that was that we regarded this as stopgap emergency authority for events that would either be time limited and thus would expire by their own terms or should be replaced by NERC set reliability standards. For that reason, we wanted the sunset to apply in both cases. We negotiated with the FERC over that. They did not like the so-called hard sunset. We reached, you know, OK, well, we understand that position. And for that reason, we agreed that it could continue past the year so long as there was a determination that a problem was still existing. Our thought was in most cases that NERC reliability standards should be in place by the end of that year, and therefore it would be a moot question. But we understand that there is a difference of opinion, and that is legitimate.

Mr. Boucher. Well, with regard to these interim standards that are designed to address the Aurora vulnerability, the Aurora vulnerability is not going to go away as a security threat. And steps will need to be taken therefore on an ongoing basis to address that threat. And I gather from your testimony that you are suggesting that the FERC should not be the perpetual agency to impose the requirements for what those steps ought to be. And I gather from what you are saying that you think that the NERC, through its consensus-based rulemaking process, should take a hand off of that authority after some period of time. Have I correctly interpreted your comments?

Ms. Kelly. I think that is, yes, that is correct. Our view is that we understand the need for FERC to step in to act quickly, but we believe that that needs to then be run through the NERC standard setting process. In part, one of the reasons is, we in the industry, we think we actually have some expertise to offer on the best way to implement these standards. And we are also concerned about cost. Let me just say that.
And we want to make sure that these standards, you know, especially if they are going to be in effect for a long time, are done in the most cost effective manner possible. And that is one of the things that the industry can bring to bear. Its expertise can come to bear during the NERC standard setting process. So we are not kicking about FERC getting this authority under B to, you know, act to do this rulemaking on an expedited basis, but we are saying it should then be handed off to NERC.

Mr. Boucher. All right, thank you. That is very clear. Mr. Naumann?

Mr. Naumann. Yes, Mr. Chairman, on your first question, the draft now has the words ``other national security threats.'' We believe that is an extremely vague term and are uncomfortable with that. You also mentioned, rather than that, physical threats. I agree with Mr. Sergel and Ms. Kelly, that is a lower priority, but if, in fact, there is going to be some additional authority beyond cyber, it should be very much tighter language than overall other national security threats, which could be interpreted as having a 90-day stockpile of coal or something like that, which we think goes way beyond what----

Mr. Boucher. All right, that point is duly noted.

Mr. Naumann [continuing]. Immediate intent. And as far as the sunset, I agree with Ms. Kelly. To the extent there are interim measures for Aurora, to the extent they can be and should be replaced by permanent standards done through industry expertise, that would be our preference. And with respect to the emergency action, again I would prefer that if the requirements still remain, then the President should reissue the directive. As far as the authority on Alaska and Hawaii, we understand that is a special situation. There are very important military installations there that somehow would need to be taken care of, but they are really not part of the scheme that we are dealing with.

Mr. Boucher. Major distribution systems in the cities?

Mr. Naumann. That is correct.
Major distribution system in the city gets very complicated. We would hope that that could be done rather through consultation with the state regulatory agencies who very well understand those systems, which New York is somewhat unique. D.C. is somewhat unique. Chicago is completely different from those systems and served differently. And where do you get the cutoff on the distribution if you don't go all the way? Thank you, Mr. Chairman.

Mr. Boucher. All right, thank you. Mr. Lawson?

Mr. Lawson. I agree with the comments you have heard from the other panelists. In addition, with regard to going beyond cybersecurity in the legislation, to reiterate what Mr. Naumann stated about the vagueness and broadness of the definition that we were provided, that was problematic, and we would very much want that tightened up before we could agree to anything. Also it is very important to recognize that the industry has been dealing with physical threats for decades and has done an excellent job dealing with physical threats. Cyber threats are the new issues here. That is where the new focus should be, and that is why this legislation should focus on the cyber threats. The industry is doing a very good job with dealing with the physical threats and has for a long, long time.

With regard to the sunsets, if an order or a directive needs to continue, there are provisions in the legislation for that, for a certain period of time. However, other than the order or directive, we want the industry, through NERC's standards development process, to take care of those issues with standards. And as I mentioned in my oral statement about the expedited standards development processes that NERC does have, we think that would be an excellent vehicle for addressing some of those issues.

With regard to the scope going to the distribution side of things or Alaska and Hawaii, with regard to distribution, of course, the states and local authorities have many regulatory authorities in those areas.
It is also important to realize that the bulk power system is where you can have the larger impacts. The distribution system is local, and it is broken up into many small pieces. And those impacts are often shorter in timeframe and much more limited in the numbers of meters that are not in service because of an incident. So we think those are reasons why this legislation should focus on the bulk power system.

Mr. Boucher. Mr. Lawson, thank you very much. I would like to, at this time, call on the gentleman from Illinois, Mr. Shimkus, for 5 minutes.

Mr. Shimkus. Thank you, Mr. Chairman. Mr. Naumann, please explain how your company has prepared itself for the tested and--I am sorry--and tested its response to cybersecurity threats.

Mr. Naumann. Thank you, Congressman. In my testimony, I referenced defense in depth, and that includes--and I guess I am going to use a number of technical words that we do. We segregate the networks that we have. We have a program of patch management, much like in a way to say you get updates on your Microsoft software occasionally when there is a vulnerability found. We do this on a very routine basis, sometimes on an emergency basis. We have intrusion detection sensors that we maintain on our network systems. We have security event monitoring, vulnerability testing. One of the things I mentioned in my testimony is we hire outside firms to do penetration testing. In other words, they act as the red team to try to break into our system, and we then learn from what they tell us. We deal all the time with security vendors, with the FBI, with local law enforcement. And lastly, we have encrypted our data even to the point of, for example, the laptop that I carry with me. The data is encrypted so that if it is stolen, the data is worthless to somebody. Those are some of the measures that we take, Mr.--

Mr. Shimkus.
This is a real pressing issue, and I know, based upon the Aurora event and others, I follow the captive nations, the former captive nations of the eastern bloc countries. Russia conducted a cyber attack against Estonia, I guess, a year and a half ago. The prelude into the intervention into Georgia was a cyber attack there. I mean so this is real stuff, and that is why it is important. And I appreciate the chairman identifying it as so. For you again, Mr. Naumann. What resources and/or information would make your efforts to defend against cybersecurity threats more effective?

Mr. Naumann. Congressman, probably the most important thing is access to information. As I said, we are actively engaged in protecting our system against those threats that we know and those threats that we can try to figure out. We understand for good security purposes, there is information that we don't have access to, and there needs to be a way that the industry can work with the government and the government can work with the industry so that we can have access to that information so that we understand what the vulnerabilities are and so that we can agree on mitigation measures to do that. Without that, we feel like we are fighting this battle with one hand tied behind our backs.

Mr. Shimkus. Yes, let me ask about the emergency and interim authority issues and with our border friends, the Canadians and Mexico. And what do we think their response would be? And is there some optimism? And this is for the panel as a whole, so why don't we just start from left to right. My left, your right.

Mr. Sergel. We work very effectively with our partners in Canada and to a lesser extent with Mexico as well. NERC has a relationship with each of the eight provinces as they have decentralized responsibility for this in Canada, and those relationships are different.
I think the single most important thing to keep that relationship positive as it is today is to separate the standard setting process, which is what we do through section 215 as enabled by you in the United States, to keep that separated from the emergency measures that one would take because of an imminent threat. As long as we keep those separate, then I think we will be successful. So we support the bill, support a bill here to take emergency action. Lots of discussion of that this morning. There needs to be a handoff of that to the standards process. If we do that, then we will work very effectively with our neighbors.

Ms. Kelly. I would just like to note that the Canadian Electricity Association submitted a statement for the record, which I would recommend for your review. I would note also that I was somewhat disturbed by Mr. Kolevar's discussion about giving FERC interim standards writing authority. That is the first that we have heard of that. It goes exactly to the issue that Mr. Sergel just identified, which is the way the 215 scheme is set up is that industry and NERC together write the standards. That is not a government activity. So that, I think, in particular would alarm the Canadians because they have to be--they have to abide by NERC's standards. So in effect, what is happening there is they are being asked to abide by standards written by a Federal Government U.S. agency. And that is a problem, I believe. I will let them speak for themselves, but just based upon what I know during our negotiations, I think that would be a concern.

Mr. Shimkus. And you all can chime in if you want, but it is probably not a concern that you all would have. So what are our vulnerabilities? Is our grid adequately protected by firewalls and passwords? Will a one-time cyber reliability rule solve the problem? Or will we have to constantly change and upgrade to keep up with the changing threats? Then, this is a one over the world question.
Won't government authority to constantly change protections and systems risk express an unpredictable cost on system operators? Well, it is really for all because the question is, as we firewall and protect, bad guys evolve, which is for you. But then the question is for industry or for the rural, at what cost? How do we manage both, and we try to get it as right as we can?

Mr. Sergel. I think standards can take you just so far because there is an opportunity to harden the system, to defend against those things which we understand like passwords and firewalls and have those be as effective as possible. We have done that with the standards in the past. They were developed cooperatively with the industry, and that process needs to evolve. But I think it also suggests that a standard is out there to be seen. Everyone knows what we are doing, how we are proposing to implement it, and therefore, it is suggested that we have to be constantly vigilant and adapt as new problems arise.

Mr. Shimkus. Thank you. Ms. Kelly.

Ms. Kelly. I would just add to that that we are concerned on an ongoing basis about the cost of compliance. There is no question about that. That was one of the reasons why our definition of cybersecurity threat is a little tighter than that that the commission supports because, for example, we would not want to be spending unknown amounts of time on new hardware, new software, new hardening, that kind of thing, for something which may not have a substantial possibility of disrupting the operation of the bulk power system. And since theirs is phrased in the disjunctive, I believe that could possibly be the case. So I just note that for you.

Mr. Shimkus. OK, thank you. Mr. Naumann.

Mr. Naumann. Congressman, I have two things to add. The first is we are always on our own trying to protect against new threats and upgrading our equipment. And, as Mr. Sergel said, a standard can only take you so far when something new is discovered.

Mr. Shimkus.
And plus you have the risk of great loss.

Mr. Naumann. We have our self-interest here.

Mr. Shimkus. Right.

Mr. Naumann. But what I would say is that that is where the consultation between the government agencies and the users, owners, and operators is useful in both working out the mitigation and dealing with the cost effectiveness as we do have experience in how to do this and we will do it. Obviously we don't want an incident, but to work together to try to design the best way to do this and protect the electric power system.

Mr. Shimkus. And Mr. Lawson.

Mr. Lawson. Just to add, I think it is important to understand that utilities deal with cyber issues every day because it is important to their business, and it is important to the service they are providing to their customers. It is not something that we deal with only because we have cybersecurity standards. It is because it is the right thing to do. It is the important thing to do.

Mr. Shimkus. That is all I have, Mr. Chairman. Thank you.

Mr. Boucher. Thank you very much, Mr. Shimkus. I am going to ask unanimous consent--Mr. Shimkus and Mr. Upton have already approved this--that we insert a----

Mr. Shimkus. You don't want me messing with you, right?

Mr. Boucher. Well, yes, that was the implication of the question. These are statements from the National Association of Regulatory Utility Commissioners, the Electric Consumers Resource Council, and the Canadian Electricity Association, all addressing the issue before the subcommittee today, to be included in the record. Without objection, so ordered.

[The information appears at the conclusion of the hearing.]

Mr. Boucher. That was perfect. Thank you so much. I want to thank our witnesses for their attendance today, for their very helpful testimony. We appreciate the time you have taken with us. We will look forward to your submission of the information that you have said you will supply to us.
And as we take further steps in this process, we will be consulting with you. With that and thanks to the witnesses, this hearing is adjourned.

[Whereupon, at 1:27 p.m., the subcommittee was adjourned.]

[Material submitted for inclusion in the record follows:]

Prepared statement of Hon. John D. Dingell

Today's hearing focuses on how to help ensure the reliability of our Nation's electricity grid in the face of its vulnerabilities to cybersecurity attacks. A successful remote cyber attack on a power plant's utility control systems could do more than cause a brief blackout or brownout. The Idaho National Laboratories has shown how a hacker can remotely turn a large generator into a smoldering piece of scrap metal in minutes. Known as the ``Aurora'' Vulnerability, this type of attack could destroy generating equipment and impair the generation and delivery of electricity across North America for weeks or months, its consequences cascading on consumers, our economy, our health care system, and our national defense assets.

These concerns are more than theoretical. A 2005 Federal Energy Regulatory Commission staff report identified 20 separate domestic and foreign instances of cyber attacks on electricity systems including hydroelectric dams and nuclear power plants. The Defense Science Board reports that U.S. grid control systems are continuously probed electronically, and ``there have been numerous attempted attacks on the Supervisory Control and Data Acquisition (SCADA) systems that operate the grid.'' We have been fortunate that the United States has not experienced a major power outage from a cyber attack. However, the CIA has identified cyber attacks on the electrical systems in major cities overseas which caused significant blackouts. CIA has reported that criminal enterprises have broken into utility control systems overseas as part of extortion schemes.
Since many of these same control systems used in the United States are also used in plants around the world, the knowledge about how these systems work is globalized.

In response to the Department of Homeland Security's warnings about the Aurora vulnerability, the North American Electric Reliability Corporation (NERC) issued an advisory in June 2007 which outlined immediate and longer term mitigation measures for utilities. Compliance, however, was voluntary. A FERC audit of 30 utilities found that only two or three had adequately mitigated the Aurora vulnerability and the vast majority had not complied with NERC's advisory. For some of the Nation's largest utilities, there has been woeful inaction some 15 months later.

As the Electricity Reliability Organization designated under section 215 of the Energy Policy Act of 2005, NERC is developing consensus cyber protection standards. However, this process is not responsive to the immediacy of the vulnerability or the threat. Both the Department of Energy and FERC have urged that Congress extend Federal authority to take emergency actions to protect the grid.

I commend Chairman Boucher for holding this hearing, and tackling the job of building a bipartisan consensus on legislation which will ensure that the Federal Government has the necessary powers to intervene when there are emergencies that threaten our Nation's electricity supply.

I welcome Representative Jim Langevin, Chairman of the Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and commend him for his leadership and cooperation in working with this Committee on cyber vulnerabilities in the utility grid.

I also welcome our panel of witnesses.
I hope they can inform us on whether emergency powers should extend beyond the Bulk Power System to utility systems in Alaska, Hawaii, or Guam, and to what extent these powers should also be able to reach critical distribution systems in places like the District of Columbia or New York City. We want to be sure that legislation addresses threats to the electrical system, and that the Federal Government is not improperly hobbled by legal and jurisdictional boundaries in the case of an emergency.

----------
Richard P. Sergel, Responses to Questions from Hon. John D. Dingell

Question No. 1: The Federal Energy Regulatory Commission (FERC) testified that 23 of 30 utilities that it audited had not complied with the June 2007 North American Electric Reliability Corporation (NERC) Advisory on the Aurora Vulnerability. To what factors do you attribute this level of compliance?

Response: NERC has not, at this time, been given access to the results of FERC's evaluation of industry efforts to comply with the mitigation measures set out in NERC's June 2007 Advisory, beyond what was discussed publicly at the September 11 hearing. Therefore, NERC is not in a position to analyze those results. Based on discussions with industry representatives, NERC believes that one important factor affecting the ability of the industry to implement mitigation measures is that industry recipients require more detailed and comprehensive engineering data on specific vulnerabilities than could be provided in NERC's Aurora Advisory. Efforts are underway to close this gap while managing the risk of disclosing a ``road map'' to potential adversaries.

Question No. 2: Do you believe FERC's audit results are representative of the extent of compliance by most utilities with the NERC Advisory?

Response: As stated in the response to question number one, NERC has not, at this time, been given access to specific responses made by utilities during the FERC interview process, nor are we aware of the criteria used to determine the adequacy of implemented mitigation measures. In his testimony, Chairman Kelliher described a detailed interview process by FERC staff with a sampling of geographically dispersed utilities of different sizes across the contiguous 48 states. We have no reason to believe that the results of that process are not likely to be representative of the extent of compliance by most utilities with the Aurora mitigation measures.

Question No. 3: FERC indicated that some utilities which had complied with the NERC Advisory were still vulnerable to Aurora. Please explain whether the NERC Advisory was inadequate to fully guide utilities in mitigating the Aurora Vulnerability. Please explain whether NERC has modified its advisory to address any deficiencies?

Response: The Aurora mitigation measures included in NERC's Advisory were assembled through a process that included researchers involved in the government's vulnerability demonstration project and industry subject matter experts. Clear challenges were presented in the need to utilize only information approved for distribution and the identification of measures that could be applied to a variety of different cases and unique settings. Industry recipients generally report that they require more detailed and comprehensive engineering data on specific vulnerabilities than was provided in NERC's Aurora Advisory in order to fully address a vulnerability. NERC has not, at this time, received additional information from the Federal government regarding the properties of the vulnerability or on any threat intent on exploiting the vulnerability. Consequently NERC is not, at this time, in a position to modify the Advisory.

Question No. 4: Who should have authority to implement emergency requirements: the Department of Energy or FERC?

Response: As I testified at the September 11 hearing, NERC supports legislation granting the U.S. federal government authority to act immediately in the event of an imminent cyber security threat. NERC has a strong working relationship with both the Department of Energy and the FERC. Under the Energy Policy Act of 2005, FERC certified NERC as the Electric Reliability Organization to develop and enforce mandatory reliability standards to protect and improve the reliability of the bulk power system. NERC works closely with FERC in implementing the statutory mandate.
NERC also works closely with the Department of Energy, as the Sector Specific Agency for Energy, in the execution of NERC's responsibilities as the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). NERC was designated as the electricity sector coordinator for critical infrastructure protection and has served in that role for several years. The agency assigned responsibility for acting in emergency situations should consult with NERC and industry experts to the maximum extent feasible in carrying out any emergency authority.

Question No. 5: How effective have Canadian utilities been in complying with the NERC Advisory on the Aurora Vulnerability? Has there been a governmental audit of compliance in Canada similar to that conducted by FERC on the Aurora Vulnerability?

Response: Canadian entities participate in NERC committees including the Critical Infrastructure Protection Committee (CIPC), and also receive information from the ES-ISAC. When the Advisory was sent to NERC-registered Canadian entities the Canadian Electricity Association (CEA) requested and was granted permission to post the Advisory and the attached questionnaire on CEA's secure Intranet for CIP with a request that organizations review and complete it as appropriate. We are told that this was to ensure a broader dissemination of the Advisory because a limited number of Canadian organizations were on the distribution list to which the Advisory was sent directly. Based on our discussions with Canadian utilities and Canadian government officials, NERC understands that when information about the preliminary results of the Idaho National Laboratory simulation was brought to the attention of the Canadian Cyber Incident Response Centre of Public Safety Canada, the Centre met with other government agencies with responsibility in the area to determine appropriate action.
It was decided that the Energy Infrastructure Protection Division of Natural Resources Canada should arrange a meeting with energy and utilities stakeholders. In March 2007 a detailed briefing was convened for Canadian energy interests including electricity, oil and gas, and nuclear. Officials from Public Safety Canada, Natural Resources Canada, the RCMP and the Integrated Threat Assessment Centre participated and disseminated the DHS warning and information package. There was also a briefing of Canadian utility participants by staff from the Idaho National Laboratory. Industry participants had security clearances and received a confidential briefing that they say helped them understand the nature of the problem and the appropriate action to take. The Advisory and identification and mitigation of vulnerabilities were subsequently discussed at two CEA Security and Critical Infrastructure Committee meetings. In addition, there were further contacts between Canadian government officials and DOE and DHS. Public Safety Canada advises that they coordinated actions with DHS, including the provision of sector briefings, technical advice, analysis activities at Idaho National Laboratory, and public communications strategies. To NERC's knowledge, no audit has been undertaken by Canadian government agencies of actions taken by utilities.

----------
Barry R. Lawson, Responses to Questions from Hon. Edward J. Markey

Question No. 1: There was a suggestion at the hearing that one way to address the cyber-security of the grid system beyond that of the bulk power system would be through a consultation process. If the cyber threat to the bulk power system demands an increased federal authority in order to permit an immediate response to any security incident or threat thereof, how would a consultation process provide the same level of protection for those on the grid beyond the bulk power system? If it would not, why is it appropriate to settle for only limited protection of the grid?

Response: A consultation process is appropriate regarding electric system facilities that are beyond the bulk power system. These facilities are in most cases considered to be the distribution system. The bulk power system is significantly different from the distribution system. There are clear reasons why these distribution facilities should not be treated the same as the bulk power system in cyber security legislation.
Giving FERC or any other federal agency jurisdiction over the distribution elements of the electric utility system causes complications with state and local regulatory authorities.

o Most distribution facilities are beyond the jurisdiction of FERC. The FPA expressly reserves jurisdiction over distribution facilities to the states.

o The regulation of the distribution system is imbued with a number of local economic and political issues that are best handled at the local level, not the federal level.

o FERC is not as familiar and will never be as familiar as the individual states are with the structure and design of the local distribution system in their states.

o State PUCs and other state/local regulatory authorities have traditionally dealt with distribution service reliability issues. These authorities best understand local distribution system characteristics and conditions, which differ substantially from those of the bulk power system. Local distribution systems vary widely in their specific configurations and designs, making utilities and state/local officials best positioned to take protective steps when necessary.

When comparing the bulk power system to the distribution system, it is important to understand several distinctions.

o An incident on the bulk power system can potentially impact a larger geographical area and a corresponding potential larger number of consumers. An incident on the distribution system impacts a smaller area and a lesser number of consumers. That means protection of the bulk power system is a higher priority for the electric utility industry, and that the distribution system will pose a much lower priority target.

o Distribution facilities are typically quicker and easier to restore than bulk power system facilities. A distribution circuit can often be easily restored merely by replacing a single failed element and then re-energizing the circuit. Restoring the bulk power system, however, is much more complicated.
Because of the large number of components and integrated network nature of the bulk power system, it can require significant regional coordination and considerable time for re-energizing.

o Many distribution system elements are not automated/controlled remotely with programmable devices and therefore not necessarily vulnerable to cyber issues.

o The distribution system is separated from the bulk power system through protection protocols and equipment.

Distribution circuits fail without any cyber attacks. Automobile accidents and animal-related interruptions are some of the most common causes of outages and they cannot be completely prevented. Utilities have a long history of successfully demonstrating that they are well-prepared to respond to these and other incidents on their distribution system. Because of these differences, the distribution system does not require the same level of protection as the bulk power system.

o Where an uncontrolled failure of the bulk power system can potentially lead to a ``cascading'' failure potentially affecting a large number of consumers, an uncontrolled failure of a distribution circuit is unlikely to affect a large number of consumers and is limited to those consumers on a particular distribution circuit.

o Distribution circuits are seldom material to the reliability of the bulk power system and, when they are material, they currently fall within the definition of the bulk power system.

Accordingly, with the preceding information being understood, it is not necessary or appropriate, and can in fact be disruptive, for distribution facilities to be addressed in a similar manner as bulk power system facilities.

Question No. 2: This Congress has heard hours of testimony on some pressing grid issues and some promising grid solutions, including those centered around ``smart grid'' technology. Your testimony reported that in 2006, cooperatives led the industry in installation of smart meters.
Moreover, you offered testimony regarding the need to ensure that whatever grid solutions we implement in the smart grid realm appropriately capture cyber security protections. I am glad to hear both the progress demonstrated by the cooperatives with smart grid initiatives and the industry's recognition of the importance of integrating policy, practice and technology in this emerging field. Can you provide me with specific examples of how the industry is working toward the goal of ensuring appropriate integration in the field of smart grid technology? If not, can you explain why not and what would need to happen to have a more integrated approach pursued?

Response: ``Smart Grid'' technology often uses the internet and other automated equipment. Therefore, it is potentially vulnerable to cyber issues. Implementation of this technology should always include cyber protection related to the equipment/devices that are being utilized. Cyber security should be a part of an entity's due diligence when considering the use of such technology. I understand that this is addressed by entities when they consider using ``smart grid'' technology.