[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
PROTECTING THE ELECTRIC GRID FROM CYBERSECURITY THREATS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON ENERGY AND AIR QUALITY
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 11, 2008
__________
Serial No. 110-145
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
61-860 PDF WASHINGTON : 2008
-----------------------------------------------------------------------
COMMITTEE ON ENERGY AND COMMERCE
JOHN D. DINGELL, Michigan, Chairman

HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado, Vice Chairman
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
JANE HARMAN, California
TOM ALLEN, Maine
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
DARLENE HOOLEY, Oregon
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
DORIS O. MATSUI, California

JOE BARTON, Texas, Ranking Member
RALPH M. HALL, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
______
Professional Staff
Dennis B. Fitzgibbons, Chief of Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
Bud Albright, Minority Staff Director
Subcommittee on Energy and Air Quality
RICK BOUCHER, Virginia, Chairman

G.K. BUTTERFIELD, North Carolina, Vice Chairman
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
ALBERT R. WYNN, Maryland
MIKE DOYLE, Pennsylvania
JANE HARMAN, California
TOM ALLEN, Maine
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
DARLENE HOOLEY, Oregon
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
DORIS O. MATSUI, California
JOHN D. DINGELL, Michigan (ex officio)

FRED UPTON, Michigan, Ranking Member
RALPH M. HALL, Texas
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOHN B. SHADEGG, Arizona
CHARLES W. "CHIP" PICKERING, Mississippi
ROY BLUNT, Missouri
MARY BONO MACK, California
GREG WALDEN, Oregon
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas (ex officio)
------
Professional Staff
Sue D. Sheridan, Chief Counsel
John W. Jimison, Counsel
Rachel Bleshman, Legislative Clerk
David McCarthy, Minority Counsel
C O N T E N T S
----------
Hon. Rick Boucher, a Representative in Congress from the Commonwealth of Virginia, opening statement
Hon. Fred Upton, a Representative in Congress from the State of Michigan, opening statement
Hon. Edward J. Markey, a Representative in Congress from the Commonwealth of Massachusetts, opening statement
Hon. Joe Barton, a Representative in Congress from the State of Texas, opening statement
Hon. Mike Rogers, a Representative in Congress from the State of Michigan, prepared statement
Hon. John D. Dingell, a Representative in Congress from the State of Michigan, prepared statement

Witnesses
James R. Langevin, Chairman, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security
    Prepared statement
Joseph Kelliher, Chairman, Federal Energy Regulatory Commission
    Prepared statement
    Answers to submitted questions
Kevin M. Kolevar, Assistant Secretary, Office of Electricity Delivery and Energy Reliability, U.S. Department of Energy
    Prepared statement
    Answers to submitted questions
Richard P. Sergel, President, North American Electric Reliability Corporation
    Prepared statement
    Answers to submitted questions
Susan N. Kelly, Vice President, Policy Analysis, and General Counsel, American Public Power Association
    Prepared statement
    Answers to submitted questions
Steven T. Naumann, Vice President, Wholesale Market Development, Government and Environmental Affairs and Public Policy, Exelon Corporation
    Prepared statement
    Answers to submitted questions
Barry R. Lawson, Manager, Power Delivery, National Rural Electric Cooperative Association
    Prepared statement
    Answers to submitted questions

Submitted Material
Discussion draft
National Association of Regulatory Utility Commissioners, NARUC, statement of, submitted by Mr. Boucher
Electricity Consumers Resource Council, ELCON, statement of, submitted by Mr. Boucher
Canadian Electricity Association, CEA, statement of, submitted by Mr. Boucher
Subcommittee exhibit binder index
PROTECTING THE ELECTRIC GRID FROM CYBERSECURITY THREATS
----------
THURSDAY, SEPTEMBER 11, 2008
House of Representatives,
Subcommittee on Energy and Air Quality,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 11:10 a.m., in
room 2322 of the Rayburn House Office Building, Hon. Rick
Boucher (chairman) presiding.
Members present: Representatives Boucher, Melancon, Barrow,
Markey, Upton, Shimkus, Walden, Rogers, and Barton (ex
officio).
Staff present: John Jimison, Richard Miller, Rachel
Bleshman, Alex Haurek, David McCarthy, Andrea Spring, and
Garrett Golding.
OPENING STATEMENT OF HON. RICK BOUCHER, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF VIRGINIA
Mr. Boucher. The subcommittee will come to order. This
morning we are addressing a means of protecting the Nation's
electricity grid from cybersecurity threats through which
computer hackers could maliciously gain access by way of the
Internet to the computers controlling key components of our
Nation's electricity system and cause either short term system
outages or more serious permanent system damage.
No industry is more essential to the Nation's economy than
is our electricity sector, and its protection is vital to both
our economic security and to our national security. The
Nation's electricity system consists of generators and regional
networks of interconnected transmission lines. The controls
which operate the grid and electricity generators attached to
it are increasingly computer-connected to the Internet.
In fact, increasing the degree of interactive grid
computerization is a major element of the development of a
smart grid which will improve system reliability, optimize
generation, promote load balance, improve consumption
management, and integrate new smart appliances and equipment.
But with increased reliance on interactive digital technology
comes the added risk of computer hackers entering the system
and causing truly extensive damage.
The Idaho National Laboratory conducted tests using the
code name Aurora, demonstrating that standard utility control
systems could be penetrated and adversely affected through
unauthorized computer access. This demonstration showed that a
cyber intruder could manipulate the control systems of a
generation facility resulting in massive physical damage that
could take months to repair.
Cyber attacks on electricity systems have occurred in a
number of nations, and the Federal Energy Regulatory Commission
reports 20 documented cases where hackers have penetrated
networks and were able to affect controls on dams, on a nuclear
reactor, and have disabled backup generation and shut down
power plants. The Defense Science Board reports that U.S. grid
control systems are continuously probed electronically, and
while none has yet been the subject of major damage or grid
outages in the United States, cyber attacks have caused major
grid outages in other nations.
In 2007, the Department of Homeland Security notified the
North American Electricity Reliability Corporation, known as
NERC, of the Aurora vulnerability demonstrated by the Idaho
National Laboratory. Based on this notification, the NERC
issued an advisory to 1,800 owners and operators of facilities
associated with our Nation's power grid and provided a 60-day
schedule for immediate mitigation measures as well as longer
term measures that would be implemented over a 180-day period.
But compliance with this advisory recommendation was
entirely voluntary by these 1,800 owners of facilities that are
components of the national grid. The Federal Energy Regulatory
Commission recently audited compliance with the advisory issued
by the NERC and conducted that audit among 30 utilities. It
found that of the 30 audited, 23 were not in compliance with
the NERC advisory. One utility reportedly had a 10-year
compliance schedule, notwithstanding the fact that 180 days was
the outer limit for compliance in the NERC advisory.
Another utility had never changed the factory-installed
user names and passwords on its computers controlling its
systems, and it was therefore clear that self-interest alone
was not a sufficient motivation to mitigate the Aurora
vulnerability.
Based on the documented threat to the electricity system
and on the noncompliance with voluntary measures which the
audit revealed, the FERC, along with the U.S. Department of
Energy and the Department of Defense, have identified an urgent
need for legislative authority to allow the federal government
to compel implementation of the measures to respond to the
cybersecurity threat to our Nation's electricity grid.
In response to that need, this subcommittee, on a
bipartisan basis, has developed a bipartisan discussion draft.
It requires the FERC to undertake a rulemaking to determine
what measures or actions should be required to protect the bulk
power system against vulnerabilities and then provides the FERC
with the authority to enforce the rule once adopted.
In addition, the FERC would be granted authority to issue
such emergency orders as it deems necessary to protect the
reliability of the bulk power system with regard to potential
new cybersecurity emergencies not identified in the original
rule, which are judged to be imminent threats under
presidential declaration.
While the discussion draft represents an outstanding
bipartisan step toward enactment of the necessary federal
legislation, several questions do remain open, and these
questions will be addressed by our witnesses this morning. The
outstanding issues include whether any legislation should be
limited to cybersecurity threats alone or whether a grant of
authority to address physical attacks on the grid should also
be included.
Another open issue is the exact wording of the specific
definition of cybersecurity threat. A third open issue is the
set of circumstances under which interim measures may be
discontinued once they are activated. And finally the scope of
the bill with regard to whether it includes entities not
technically within our bulk power system, such as the
electricity systems of the States of Hawaii and Alaska, the
territory of Guam, and also core distribution facilities for
electricity in some of our major cities such as New York City
and Washington, D.C. And we will hear from our witnesses with
regard to their sometimes contrasting views on these
outstanding issues.
Today's hearing will feature expert witnesses who will
present information on both the potential threat of
cybersecurity attacks against the electricity system and also
the appropriate legislative response that we should be making
to guard against those threats.
I want to commend the staff on a bipartisan basis for the
outstanding work that they have done during the August recess
on this matter. The staff on both sides of the aisle have
participated together in obtaining briefings from the agencies
I have identified in this statement. They have participated
together in constructing the legislative draft that is the
subject of our hearing this morning, the discussion draft. And
I want to commend them for doing that at a time when Congress
was not here and when they were busily at work attending to
this urgent business.
I also want to say thank you to the ranking member of this
subcommittee, Mr. Upton from Michigan, for his outstanding
efforts and for that of his staff. He and I have had
discussions with regard to this matter. We are participating
jointly in the exercise to move our discussion draft to final
legislation and to markup. Hopefully that will occur perhaps
within the course of the coming week.
And that partnership is a reflection of how this
subcommittee and our full committee operate when it is at its
best, and that is working in a bipartisan fashion to produce
consensus solutions to the major problems that confront us.
Nowhere has that effort been better reflected than in the work
that has been done over August and that we continue here this
morning.
[Discussion draft follows:]
Mr. Boucher. And at this time, I am pleased to recognize
the ranking Republican on the Energy and Air Quality
Subcommittee, Mr. Upton of Michigan, for his remarks.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Well, thank you, and I do want to thank you and
the staff on both sides. This is a very important hearing, an
issue that we need to deal with. I appreciate our witnesses
joining us this morning as well.
Many of us know that the House Homeland Security Committee
has examined the issue. They have focused on a vulnerability in
electric generator control systems, which could allow remote
access, enabling a bad actor or terrorist to remotely destroy a
generator.
And today we are going to follow up on those hearings and
seek additional answers with a focus on the most productive way
to ensure the security of our energy infrastructure. Members of
this committee will follow up next week with a classified
briefing on the topic as well. And following that briefing, I
know that we can work together on bipartisan legislation. I
would commend both Mr. Dingell, Mr. Barton in their efforts to
that end.
Major questions do need to be addressed. Is there an actual
threat capable of causing catastrophic damage? Is there a
regulatory gap that needs to be filled? Which agency should
take the lead? And I hope that our witnesses will help address
those questions today.
Security of our Nation's energy infrastructure from attack
is one of the most important issues that our committee will
address. This is not an issue that we can take lightly or cover
it up in just one hearing. Energy has been one of the leading
issues debated in the Congress this year and rightfully so.
Energy literally powers our economy. Even small price spikes in
supply disruptions can have a large, important economic impact.
It is imperative that the security of our Nation's energy
infrastructure gets the attention that it deserves.
I look forward to working with all my colleagues to address
this in a most beneficial way. And, Mr. Chairman, I would yield
back the balance of my time.
Mr. Boucher. Well, thank you very much, Mr. Upton. And
again I thank you for the outstanding cooperation you and your
staff have provided on this matter. The gentleman from
Massachusetts, Mr. Markey, is recognized for 3 minutes for an
opening statement.
OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS
Mr. Markey. Thank you, Chairman Boucher, for holding this
important hearing today and having it on 9/11, the seventh
anniversary of that horrific event. It serves as a stark
reminder that addressing the vulnerability of cyber threats is
long overdue.
We have seen the reality of these incidents in various
settings over the years, including the slammer worm at the
Davis Besse Nuclear Power Plant and the Aurora vulnerability
exposed at the Idaho National Laboratory. We know that this
threat is real. We also know the impacts are real and
potentially devastating.
The Northeast blackout in 2003, when an estimated 50
million people lost electricity, is estimated to have cost up
to $10 billion and eight lives. And we also know the impacts of
these events are the same regardless of whether the incident is
caused by someone who wants to do us harm or someone who simply
doesn't know they are about to.
But this hearing is timely for other reasons as well. This
Nation is finally, after years of control and of pocket padding
by the oil industry, gathering the momentum to transition away
from a dependence on foreign oil. It is a long overdue
transition, and every day that we wait to rechart our course is
a lost day. Based on the knowledge we have gained through hours
of hearings in Congress, we know that the grid stands as one of
the best and most immediate solutions to this crisis. With the
surge in interest in alternative energy sources tapping into
the grid and the increasing use and promise of electric
vehicles, the grid is vital to our move towards energy
independence. But it can only serve in this critical role if it
is protected as a crucial asset.
Fundamental changes to the structure of our grid could also
eliminate or reduce cyber threats or diminish the harm
resulting from them. Features offered through the developing
smart grid technology, for example, could be used to reduce
this threat and better position our response to such an event
should such a cyber attack occur. Likewise, more distributed
generation could conceivably reduce the extent of the impacts
of a cyber attack.
I thank you, Chairman Boucher, for having this hearing. It
is obvious that the technologies that affect the two wires or
the three wires that go into everyone's home, the cable, the
phone company, and the electric company are now all merging in
terms of the technologies. And one can help the other, and the
other can help the one as we learn how to use technology, both
to advance our energy independence agenda and at the same time,
ensure that we are being protected from homeland security
threats.
So I thank you for being here. I see Jim Langevin down
there, my good friend. We welcome you here as well, and I yield
back the balance of my time.
Mr. Boucher. I thank you very much, Mr. Markey, and, as you
have noted, this issue is at the focal point of several issues
in which you and I have a common interest, and that is
information technology policy as well as energy policy. And I
very much welcome your remarks today. The gentleman from Texas,
Mr. Barton, the ranking Republican member of the full
committee, is recognized for 5 minutes.
OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Barton. Thank you, Mr. Chairman. I just returned from
the 9/11 ceremony out at the Pentagon. There couldn't be a
better time to hold this hearing on cybersecurity. As we
memorialize those brave men and women who gave their lives on
September 11, both at the Pentagon and at the World Trade
Center and in the fields of Pennsylvania, we have a real threat
against the United States of America.
It is not going away, and we need to defend ourselves
against it, both militarily, and as this hearing is going to
show, electronically in terms of protecting the power grid that
provides electricity for our great Nation.
I think we have a lot to learn in this area because the
whole idea of a cyber attack is something that is, quite
frankly, somewhat foreign to most of us, myself included. We
have some feeling for the physical attacks which we have seen
against our Nation time after time. But this is a new type of
attack.
What are the vulnerabilities? Is our electricity grid
adequately protected? Will a one-time cyber reliability rule
solve the problem, or do we have to have redundant systems and
change those over time to upgrade against the continually
changing threat? What are the consequences of a cyber attack if
successful? Is it a matter of losing power in a certain region
for a few hours? Is it a matter of destroying critical
equipment, or is it a matter of losing power all over our great
Nation for long periods of time? We simply don't know.
Should the government write cybersecurity standards in this
case, the Federal Energy Regulatory Commission, because under
current law, the North American Electric Reliability
Corporation, or Council, is simply too slow? If so, where
should we draw the line? Do we address the bulk power system?
What about military installations? What about local
distribution systems? What about rural electric co-ops within
single state boundaries? How do we do those?
What about Canada and Mexico? What are their views giving
the FERC authority for the first time to coordinate and
regulate with these nations that aren't within our own
boundaries? Can we enforce such regulations if we agree that
they are in the interest of these three nations? What about the
views of the Defense Department and the National Security
Council? What do they think about giving FERC the authority
that we are thinking about giving them?
Whatever we do in this subcommittee and next week in the
full committee, this is certainly an issue that needs to be
addressed, and I want to commend you, Mr. Chairman, for
addressing it. I want to welcome our witnesses today. The
distinguished subcommittee chairman of the Homeland Security
Committee, the distinguished chairman of the Federal Energy
Regulatory Committee Commission and the other witnesses.
I do want to say one thing, Mr. Chairman, before I yield
back. It was my understanding that Mr. Kelliher was going to be
on a panel by himself. I see that you have him listed on a
panel with non-elected officials. I think that is unacceptable.
If I had known that was the way it was going to be, I would
have objected strenuously. So I hope that before you actually
begin the hearing, you will give a presidential appointee the
courtesy that we have always given other appointees, and that
is to testify by himself or herself.
Mr. Boucher. Would the gentleman yield?
Mr. Barton. Sure.
Mr. Boucher. I thank the gentleman for making those remarks
and comments, and would advise him that in the interest of
time, Mr. Kelliher has graciously agreed to be a part of the
second panel; although, he will be the first witness on that
panel. Given the fact that we had the memorial today at the
Pentagon this morning, and there is a subsequent one involving
the House of Representatives at 11:45 and the urgency of
addressing this issue, this was the only morning we could do
it.
And given that urgency, Mr. Kelliher has graciously agreed
to help us expedite our proceedings by allowing us just to have
one panel of witnesses following the statement that Mr.
Langevin will make. And I thank him for that and----
Mr. Barton. It is not----
Mr. Boucher. Otherwise, I can assure the gentleman that we
would have done as he suggests.
Mr. Barton. Well, I appreciate the gentleman's--the
chairman's explanation. With that, Mr. Chairman, I yield back.
Mr. Boucher. Thank you very much, Mr. Barton. The gentleman
from Louisiana, Mr. Melancon, is recognized for 3 minutes. Mr.
Melancon waives his opening statement and will have 3 minutes
added to his questioning time for the second panel of
witnesses. The gentleman from Michigan, Mr. Rogers, is
recognized for 3 minutes.
OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Rogers. Thank you, Mr. Chairman. I happen to serve on
the Intelligence Committee with Mr. Langevin, and so I am at
least glad that he is paying attention to this because I think
he will bring a good perspective from that side of the House.
And I am not sure sometimes if it is a benefit or a hindrance
being on that committee.
And today, I am not sure either because I worry a little
bit about the speed at which we are working here. We watched
through the creation of the Director of National Intelligence
that we were trying to coordinate our activities and our
resources. And in a bipartisan way in this Congress we said
slow down.
The exponential growth was not necessarily serving the
interests of national security. And our cyber infrastructure
goes well beyond the grid. The grid is an incredibly important
part of that protection and security apparatus, but it is a
part of that.
And we have lots of talent and lots of resources spread
across the 16 intelligence agencies and Department of Defense,
who have spent some serious amount of time and accumulated
intellectual capital necessary to defeat what we know is a
growing threat. And it is from terrorist organizations. It is
from extortionists. It is joy riders on the superhighway, if
you will, and it is certainly and very worrisome more
aggressive by nation-states. And we see all of that activity
growing exponentially. So the threat is very, very real.
But my concern is we are doing a ready, shoot, aim approach
to how we are going to solve this problem because what we are
going to do, even if you give authorities, with that will go
people and resources. And then they have to go back and try to
find integration with the very organizations I just mentioned
before.
I am not sure that that is the right way to get where we
want to go, and I want to commend all of you for working on
this. I think it is a very, very important issue, and it is a
serious issue. But I don't think creating a separate group
through separate authorization is likely to get where we want
to go in a timely manner.
We have resources. We have coordination efforts already
that we are trying to work through, and I think Mr. Langevin is
certainly aware of those. And I am not sure this helps it.
Matter of fact, in some cases, I think it might actually hinder
it. So I hope that we take our time and slow down a little bit.
I think it is great that we highlight the problem, but the fact
that we don't have representation from Department of Defense,
from the National Security Council, from the intelligence
community, quite frankly from the DNI. I think the DNI should--
these are exactly the issues of which the director of national
intelligence by this Congress was designated to help us move
through some of these integrated policy issues where there is a
cross spectrum of resources.
So again I hope the hearing is for informational purposes.
I would not be in a hurry, Mr. Chairman, to pass a bill and
move it through the House without the full cooperation and
coordination of those resources. I think it would be critical
to the end here that we do this correctly.
Mr. Boucher. Would the gentleman yield?
Mr. Rogers. Absolutely. Yes, sir.
Mr. Boucher. I thank the gentleman for those remarks, and I
agree with the gentleman completely. There is a great sense of
urgency that we address this need, as our witnesses will tell
us this morning. On a bipartisan basis, we have constructed a
discussion draft which addresses the core concerns that have
been brought to us. There are some open issues which I have
identified. They will be discussed here as well this morning.
We invited the Department of Defense to send a witness to
address the subcommittee this morning, and the Department of
Defense declined to do that. I can tell the gentleman that we
do intend to have a classified briefing for the--an opportunity
offered to members for a classified briefing next week, and the
Central Intelligence Agency. And the director of Central
Intelligence will be a part of that briefing. And so the
gentleman's request will be honored.
I can tell him also that we intend to go through regular
order in processing this legislation. Assuming that we are in a
position to resolve the outstanding issues, and I very much
hope that we will be, we would like to move to a markup next
week. That would be after the classified briefing takes place.
If the issues are resolved to the satisfaction of members,
I see no reason why we shouldn't do that, given the urgency
that exists. And then hopefully we can move to the full
committee rapidly after that and then to the House floor. But I
respect what the gentleman is saying, and he has expressed my
view as well that we need to be very careful as we construct
this measure. And we certainly intend to be.
Mr. Upton. And if the gentleman will just yield. I have had
some discussions with the chairman, Chairman Boucher, on this
issue, and I agree that we ought to have regular order here.
There are a number of witnesses that are not on the list that
ought to be here. Just looking at the brief presentation that
CNN made on the air I want to say it was last year, there are a
number of folks, Homeland Security agency and others, that
really ought to be represented.
We need to do this right. It is critical. I don't have the
luxury as you have, serving on the Intelligence Committee, Mr.
Langevin and others. And as we are prepared to make sure that
this is our level best, we have to have that input which is one
of the reasons why the chairman and I thought it would be wise
to have a classified briefing at the earliest moment which is,
since we don't have votes tomorrow until Monday afternoon,
Tuesday morning was the earliest time that we could do that to
afford all members on both sides of the aisle to be able to ask
questions in a private way.
It will lend us a better understanding of the way that we
should proceed and do it in the right course.
Mr. Rogers. And I commend you for having that classified
briefing. I think hopefully that will give us a different look
at it, and I would understand why DOD might have a hard time
here. Some of the things that our communities are working on
are very, very sensitive.
And because of the aggressive state of nation-states
involved in cyber espionage and cyber terrorism, I can
understand why they might have some reluctance to come here and
not be able to answer questions. It puts it in an awkward
place. So I hope that we take the time to see with this
classified briefing.
And I think it might help us all understand how yes, it is
important, but it is more important that we do it right than we
do something.
Mr. Upton. That is right. And your attendance there will
help all of us in terms of what you have been able to go
through because of your experience on the Intelligence
Committee.
Mr. Boucher. I thank the gentleman for his contributions
this morning. The gentleman from Oregon, Mr. Walden, is
recognized for 3 minutes.
Mr. Walden. Mr. Chairman, I will waive an opening
statement. Thank you, sir.
Mr. Boucher. Thank you very much, Mr. Walden. We now
welcome our first witness this morning, the Honorable Jim
Langevin from Rhode Island, and we appreciate very much your
attendance here. Mr. Langevin is the chairman of the
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology of the Committee on Homeland Security, and I know
from my discussions with him, has been actively involved in
examining the question of cybersecurity for his tenure of
chairman of that subcommittee. And he has much useful
information he can share with us this morning.
So, Jim, we welcome you, and your prepared statement will
be made a part of the record. And we would welcome your oral
remarks.
STATEMENT OF JAMES R. LANGEVIN, CHAIRMAN, SUBCOMMITTEE ON
EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY,
COMMITTEE ON HOMELAND SECURITY
Mr. Langevin. Thank you, Mr. Chairman, and good morning. I
would like to thank Chairman Boucher for his invitation to
testify on this critical----
Mr. Boucher. If you could move that microphone a little bit
closer and be sure it is on, that would help us in hearing you.
Thank you.
Mr. Langevin. Is that better?
Mr. Boucher. That is better.
Mr. Langevin. Very good. I want to thank Chairman Boucher
for his invitation to testify on this critical issue of
national security. I very much appreciate the chairman's
interest and that of Ranking Member Upton, and your interest in
cybersecurity as it relates to the electric grid. And I commend both
these gentlemen, the full committee, and its staff for their
efforts in this area.
I would also like to thank Chairman Thompson of the
Homeland Security Committee for his proactive leadership on
these issues as well.
Mr. Chairman, as you mentioned, I chair the Emerging
Threats, Cybersecurity, and Science and Technology Subcommittee
for the Homeland Security Committee where I have conducted
eight hearings and dozens of investigations on cybersecurity
issues during the 110th Congress. I am also a member of the
House Permanent Subcommittee on Intelligence, and I co-chair
the Center for Strategic and International Studies Commission
on Cybersecurity for the 44th Presidency.
Each of these positions has afforded me the opportunity to
examine the issues that are before this committee today. Now, I
want to clearly state that I believe America is disturbingly
vulnerable to a cyber attack against the electric grid that
could cause significant consequences to our Nation's critical
infrastructure.
Virtually every expert I have consulted shares this
assessment. Though I cannot provide classified details at this
hearing, I hope that my testimony will support this assertion and
encourage you to act on this legislation.
The effective functioning of the bulk power system is
highly dependent on control systems, computer-based systems
used to monitor and control sensitive processes and physical
functions. Once largely closed to the outside world, control
systems are increasingly connected to open networks, and the
risks to these systems are steadily increasing.
Consider what has happened in the last 5 years. Criminal
extortion schemes have exploited control systems for economic
gain. Numerous disruptions from the Davis-Besse Power Plant
incident in 2003 to the Northeast blackout, to the Browns Ferry
Nuclear Power Plant failure in 2006 were caused by
unintentional cyber incidents.
Furthermore, the U.S. has evidence that Al Qaeda is
interested in the vulnerabilities of our public and private
utilities. Additionally, nation-state adversaries have publicly
stated that attacking our domestic critical infrastructure,
including the civilian electric grids, will be part of their
war plans in an engagement with the United States.
Clearly intentional and unintentional control system
failures on the BPS can have a potentially devastating impact
on the economy, public health, and national security of the
United States. Now, for a society that runs on power, the
discontinuity of electricity to chemical plants, banks,
refineries, and water systems presents a terrifying scenario.
These incidents would also severely impact our war-fighting
capability as recognized by the Defense Science Board.
In the interest of national security, we must ensure
effective and reliable energy flows to America's critical
infrastructure facilities. With this in mind, my subcommittee
initiated a review of the Federal Government's efforts and
ability to ensure the security of the BPS from cyber attack.
We became particularly concerned about the private sector's
efforts to mitigate a vulnerability known as Aurora, which the
chairman mentioned in his opening remarks, which if exploited,
could result in catastrophic losses of power for long periods
of time. I was convinced of the seriousness of this
vulnerability and began doing all I could to ensure that we
were fixing it.
In June 2007, the Electric Sector Information Sharing and
Analysis Center introduced a voluntary mitigation document to
the industry. During my review of the electric sector
mitigation efforts, however, it became evident that mitigation
was highly inconsistent. I was surprised and disturbed to see
how dismissive many of the companies were of this
vulnerability, particularly given the significant technical
evidence backing up the test.
Even worse, NERC, the private sector reliability
organization, seemed uninterested in determining the extent of
industry compliance. NERC provided false, confusing, or
misleading testimony to my subcommittee during our
investigation. Now, NERC has since realized their mistakes,
corrected their testimony, and began demonstrating the
leadership that we expect. Nevertheless, I am still worried
about the electric sector's approach towards timely mitigation
of cybersecurity vulnerabilities.
Now, in light of this failure of initiative throughout the
electric sector, my subcommittee made a formal request of FERC
to investigate the extent to which owners and operators were
implementing the Aurora mitigation efforts. Thankfully, FERC
has demonstrated great initiative, and I want to take this
opportunity to publicly thank Chairman Kelliher and his staff
for their efforts.
FERC's initial observations suggest that while no company
completely ignored the advisory, there were varying degrees of
compliance. At this time, the subcommittee also requested that
FERC assess its ability to respond to an imminent cyber attack
under the current legal authorities contained in section 215 of
the Federal Power Act. In testimony before the subcommittee on
May 21, Chairman Kelliher concluded that additional authorities
are necessary to adequately protect the BPS, and I fully
support the chairman's conclusion.
In the interest of national security, a statutory mechanism
is necessary to protect the grid against cybersecurity threats.
I congratulate the subcommittee for its legislative initiative,
and I have several comments on the draft legislation that are
before us.
First, emergency standards should become enforceable upon a
finding by a national security or intelligence agency. I fear
that additional executive determinations would create
unnecessary delays in the protections of the BPS.
Second, FERC should be authorized to act if either one, a
malicious act is likely to occur, or two, there is a
substantial possibility of disruption to the grid due to such
an act. Specific threat information on this subject is
difficult to come by, and it would be very hard to put together
likelihood and consequence. We must not limit the ability of
our federal agencies to act.
Finally, I am concerned that the current legislation does
not cover assets that are outside the definition of the bulk
power system, which, if left unprotected, will keep our Nation
vulnerable. As the committee is aware, and as the chairman had
referred to, the Federal Power Act leaves vulnerable Alaska,
Hawaii, and many other--and many major cities like D.C. and New
York and the Nation's critical infrastructures like our
military installations because they don't fall under the
definition of the BPS.
Generation, transmission, and distribution must be
protected under this legislation, and I would ask the committee
to consider an amendment that would allow FERC to address cyber
threats against all of these areas.
Now, in closing, on this day when we vow to be vigilant in
protecting the country against threats of all kinds, let nobody
accuse us of having a September 10 mindset when it comes to
cybersecurity.
With that, I want to thank you, Mr. Chairman, for allowing
me the opportunity to testify today, and I look forward to
answering your questions. Thank you.
[The prepared statement of Mr. Langevin follows:]
Mr. Boucher. Thank you very much, Mr. Langevin. We
appreciate that testimony, and your comments this morning will
prove very helpful to us as we proceed with our work. I do not
have questions of you, at least not at this time. We may
consult you as we proceed with further steps in this process,
but I do not have questions of you at this moment.
I would ask if there are other members of the panel who
would care to pose questions to Mr. Langevin. Mr. Upton seeks
recognition.
Mr. Upton. I just have one. And, Jim, we appreciate your
testimony and your work on this for sure. You indicated in your
statement that you feared that the presidential secretarial
determination as currently provided in the draft legislation
would create an unnecessary delay in the protection of the BPS,
but you have to have a chain of command.
And one of the issues that may be raised is FERC is
certainly the appropriate agency overseeing the grid and all of
that, but shouldn't you have someone at the White House or
someone at the Pentagon, someone, perhaps the Secretary of
Energy, someone with direct--not that our good friend Joe
doesn't have access to folks like that.
But shouldn't you have some White House command similar to
what happened on 9/11 when the FAA ruled, because of Secretary
Mineta, that all the planes were going to stop wherever they
were. That came in direct consultation with the White House,
and, bingo, it happened. Shouldn't you have that type of chain
of control--chain of command as part of the legislation which
seems to be one of the criticisms that you might have here? Am
I misreading what your comments were?
Mr. Langevin. That is true, but certainly the Secretary of
Homeland Security can be clearly a national emergency----
Mr. Upton. Yes, that would be appropriate too.
Mr. Langevin [continuing]. Along these lines. But we have
to understand that in this day and age of cybersecurity, cyber
attacks, it is one thing if we had days to go through the
process of ultimately getting a presidential directive in
place. But when we have actionable intelligence, these types of
cyber attacks, cyber threats, could actually come in seconds or
minutes or hours. And when we have direct actionable
intelligence, there should be a rapid ability to respond.
And I am concerned about unnecessary delays. Even if this
directive authority I am suggesting that FERC would be given
would be temporary in nature until a more permanent solution
can be addressed would be fine. But I think that we have to
recognize in this day and age of cyber, things don't move in
days or weeks. They move in seconds.
Mr. Upton. I yield back.
Mr. Boucher. Thank you very much, Mr. Upton. Mr. Langevin,
we appreciate your attendance here this morning, and we will
move now to our second panel of witnesses.
Mr. Langevin. Thank you, Mr. Chairman.
Mr. Boucher. We are pleased to welcome on the second panel
the chairman of the Federal Energy Regulatory Commission, Mr.
Joe Kelliher; Mr. Kevin Kolevar, the assistant secretary of the
United States Department of Energy; Mr. Rick Sergel, the
president of the North American Reliability Corporation; Susan
Kelly, vice-president and general counsel of the American
Public Power Association; Steve Naumann, vice-president of the
Exelon Corporation; and Barry Lawson, manager of power delivery
for the National Rural Electric Cooperative Association.
We welcome each of our witnesses and thank you for your
attendance this morning. And your prepared written statements
will be made a part of our record. We would welcome your oral
summaries and ask that in the interest of time, you try to keep
your oral summaries to approximately 5 minutes.
We are going to operate slightly out of order this morning
because both Mr. Kelliher and Mr. Kolevar have expressed a need
to depart rather quickly in order to attend to some rather
urgent outside business. And so we are going to take their
opening statements first. We will ask questions of them, and
then we will proceed to the opening statements and questions of
the balance of our witnesses.
And so with that understanding, Mr. Kelliher, we will be
happy to hear from you, and then Mr. Kolevar.
STATEMENT OF JOSEPH KELLIHER, CHAIRMAN, FEDERAL ENERGY
REGULATORY COMMISSION
Mr. Kelliher. Thank you, Mr. Boucher. Mr. Chairman, Mr.
Upton, members of the subcommittee, I want to thank you for the
invitation to testify here today, and I want to say it is good
to be back before the subcommittee. I appreciate the
opportunity to discuss the need to improve cybersecurity and to
protect the reliability of the power grid against cyber attacks
and other national security threats.
Three years ago, Congress made FERC responsible for
protecting the reliability of the power grid by establishing
and enforcing mandatory reliability standards. Congress
specifically directed FERC to develop cybersecurity standards
to protect the grid, and we have done so.
But I am here today to offer my conclusion that the tools
you gave us 3 years ago are inadequate to the task and that
FERC needs additional legal authority to adequately protect the
grid from cyber attacks and other national security threats.
There has been much progress made on reliability over the
past 3 years. FERC has certified an electric reliability
organization. We have established mandatory reliability
standards including cyber standards. We are working to improve
those standards over time to raise the bar, and we have
established a reliability enforcement regime.
But the grid remains vulnerable to a cyber attack through
communication devices that could secure access control and
remote operation of key components of our electricity system,
such as large generating facilities, substations, transmission
lines, and local distribution facilities. And that through
remote operation, a cyber attack could damage or destroy
generation in other facilities, and because an attack could
damage or destroy facilities that could take weeks or longer to
replace, the effects of a successful cyber attack could be much
greater than a blackout.
In my view, an effective defense of the power grid from
cyber attacks has three necessary elements. First, there is a
need for timely and effective identification of cyber
vulnerabilities. Second, there is a need to have an ability to
require mandatory actions that mitigate those vulnerabilities
on a timely basis, so action that is both rapid and mandatory.
And third, the ability to maintain the confidentiality of
information because current law is inadequate to mount such a
defense.
FERC is not a national security or intelligence agency, and
FERC is not in the best position to identify cyber threats. But
the U.S. government has the ability to identify cyber threats
in a timely and effective manner. FERC cooperates with agencies
that are in that position, including the Department of Energy.
However, there is no adequate means to take mandatory action in
a timely manner under existing law.
Currently, there are two means to protect the power grid
against cyber attacks. The 215 process established by Congress
in the Energy Policy Act of 2005 and also NERC advisories. But
in my view, neither is adequate to defend against cyber
attacks. The 215 process produces reliability standards that
are mandatory but untimely given the nature of cyber threats.
And NERC advisories are timely or can be timely, but they are
also voluntary. Both approaches fail to protect critical
information.
FERC is using and will continue to use the process
established by 215 of the Federal Power Act to set reliability
standards including cyber standards. But the principal flaw of
the 215 process is that it takes too long and does not allow
for the protection of critical information. Under the normal
215 process, it typically takes years to develop new and
modified reliability standards including cyber standards. Even
reliability standards developed under the urgent action process
can take months or longer.
Also FERC cannot modify a proposed standard. We can reject
or remand or approve and direct changes that will occur over
time, but if we reject a standard, it just simply reinitiates a
process that could take months or years.
Why is there a need for timely action in this area? It is
simply because the cyber threat is different from other
reliability threats. The section 215 process was designed
around a fundamentally different reliability challenge, namely
vegetation management or tree growth, relay maintenance, grid
control operations, and operator training. The reliability
threat posed by trees and poor vegetation management is a
passive threat, while the threat posed by cyber attacks is
organized and much more active.
The nature of the cyber threat is different. It is a
national security threat that may be posed by foreign countries
or organized groups. A process designed to guard against poor
vegetation management is poorly suited to meet national
security threats. There is another limitation in that section
215 only authorizes FERC to ultimately establish standards and
that some cyber threats or other national security threats may
require actions that are not standards.
NERC advisories also, I think, are an inadequate way to
ensure or to protect cybersecurity. The principal virtue of a
NERC advisory is speed, but the principal flaw is that
compliance with those advisories is voluntary. And there is a
lack of confidentiality.
NERC issued an advisory last year in response to the Aurora
cyber threat, and I commend NERC for acting quickly in response
to that threat. As detailed in my written testimony, FERC has
been reviewing the industry response to that advisory. I have
to say the industry has made progress in response to the NERC
advisory. I think cybersecurity is higher as a result, but our
review indicates that the industry response has not mitigated
the Aurora threat. And to some extent, that response is the
predictable result of reliance on a voluntary advisory.
Now, confidentiality. I think it is also clear that an
effective defense against cyber threats requires
confidentiality. The standards development process under
section 215 of the Federal Power Act typically imposes few or
no restrictions on the dissemination of information related to
development of new standards including cyber standards. The
case of cyber vulnerabilities and public release of information
related to cybersecurity could be very harmful, and that FERC
currently has very limited authority to limit the public
dissemination of information.
So in my view, I think there is a need for legislation. I
think section 215 of the Federal Power Act is an adequate basis
to address reliability threats other than national security
threats, such as cyber attacks. And I, for that reason, do not
believe that section 215 should be amended.
But I do believe there is a need for legislation that would
grant FERC a separate authorization to, number one, immediately
require measures to address known cyber vulnerabilities, such
as related to Aurora, and two, require mandatory actions needed
to protect the power grid from future national security threats
on an interim basis after a finding by the President or the
Secretary of Energy.
I think under this approach, it is clear FERC cannot act
with respect to future cyber and other national security
threats without such a finding by the President or the
Secretary. So I think that it appropriately limits us and
relies on the superior knowledge of the President and the
Secretary with respect to national security threats.
It is also vital that a bill allow FERC to take action
before a cyber attack and not only after the fact. It is
critical that the threshold or trigger for a finding by the
President or the Secretary not be so high as to be
insurmountable, and I think the trigger in the proposed act
discussion draft is appropriate.
There is also a need to address national security threats
other than cyber, but I want to say I do support the staff
discussion draft as is. It strikes the right balance, and I
look forward to working with the subcommittee as you move
towards markup.
And I do recognize the Department of Energy has a proposal
that I think also should be considered as you move to markup in
coming days.
In conclusion, you gave us the duty 3 years ago to protect
reliability of the power grid, to establish and enforce
reliability standards. We are exercising that duty, but we have
come to the conclusion that we don't have the right tools to
address the cyber threat. And the reason is that the nature of
the threat, the reliability threat to the grid is different
than perhaps was anticipated 3½ years ago.
And so I do ask you to act and legislate, but until and
unless you do that, FERC and NERC will use existing
authorities. We will use the tools we have as best we can. And
with that, I appreciate the opportunity to testify here today.
[The prepared statement of Mr. Kelliher follows:]
Statement of Joseph T. Kelliher
Summary
The Energy Policy Act of 2005 (EPAct 2005) authorized the
Federal Energy Regulatory Commission to approve and enforce
mandatory reliability standards, including cyber security
standards, to protect and improve the reliability of the bulk
power system. These reliability standards are proposed to the
Commission by the Electric Reliability Organization (ERO) (the
North American Electric Reliability Corporation or NERC), after
an open and inclusive stakeholder process. The Commission
cannot author the standards or make any modifications, and
instead must either approve the proposed standards or remand
them to NERC. FERC is well underway in implementing the new
law, including now having in place an initial set of cyber
security standards, for which full compliance is not required
until 2010.
Section 215 is an adequate statutory foundation to protect
the bulk power system against most reliability threats.
However, the threat of cyber attacks or other intentional
malicious acts against the electric grid is different. These
are national security threats that may be posed by foreign
nations or others intent on attacking the U.S. through its
electric grid. The nature of the threat stands in stark
contrast to other major reliability vulnerabilities that have
caused regional blackouts and reliability failures in the past,
such as vegetation management and relay maintenance.
Damage from cyber attacks could be enormous. A coordinated
attack could affect the electrical grid to a greater extent
than the August 2003 blackout and cause much more extensive
damage. Cyber attacks can physically damage the generating
facilities and other equipment such that restoration of power
takes weeks or longer, instead of a few hours or days.
Widespread disruption of electric service can quickly undermine
our government, military readiness and economy, and endanger
the health and safety of millions of citizens. Thus, there may
be a need to act quickly to protect the grid, to act in a
manner where action is mandatory rather than voluntary, and to
protect security-sensitive information from public disclosure.
The Commission's legal authority is inadequate for such
action. This is true of both cyber and non-cyber threats that
pose national security concerns. In the case of such threats to
the electric system, the Commission does not have sufficient
authority to timely protect the reliability of the system.
Legislation should be enacted allowing the Commission to act
promptly to protect against current cyber threats as well as
future cyber or other national security threats.
Testimony
Introduction and Summary
Mr. Chairman and members of the Subcommittee, thank you for
the opportunity to speak here today about cyber and other
national security threats to our Nation's electrical grid, and
the need for legislation allowing the Federal Energy Regulatory
Commission (FERC or the Commission) to address those threats
quickly and effectively. I appreciate the Subcommittee's
attention to this critically important issue.
The Energy Policy Act of 2005 (EPAct 2005) gave the
Commission certain responsibilities for overseeing the
reliability of the bulk power system. The bulk power system is
defined to include facilities and control systems necessary for
operating an interconnected transmission network (or any
portion thereof), and electric energy from generation
facilities needed to maintain transmission system reliability.
EPAct 2005 authorized the Commission to approve and enforce
mandatory reliability standards, including cyber security
standards, to protect and improve the reliability of the bulk
power system. Under this framework, reliability standards are
developed and proposed to the Commission by the Electric
Reliability Organization (ERO) (the North American Electric
Reliability Corporation or NERC) through an open and inclusive
stakeholder process. The Commission cannot author the standards
or make any modifications, and instead must either approve the
proposed standards or remand them to NERC. The Commission is
well underway in implementing the new law, including now having
in place an initial set of cyber security standards with
varying implementation dates. Much progress has been made in
the past 3 years. However, more work needs to be done, both
with respect to improving those cyber security standards and
possibly adding new ones.
In my view, FERC does not have sufficient authority to
guard against national security threats to reliability of the
electric system. Legislation should be enacted allowing the
Commission to act quickly to protect against current cyber
threats as well as future cyber or other national security
threats.
Background
In EPAct 2005, the Congress entrusted the Commission with a
major new responsibility to oversee mandatory, enforceable
reliability standards for the Nation's bulk power system
(excluding Alaska and Hawaii). This authority is in section 215
of the Federal Power Act. Section 215 requires the Commission
to select an ERO that is responsible for proposing, for
Commission review and approval, reliability standards or
modifications to existing reliability standards to help protect
and improve the reliability of the Nation's bulk power system.
The reliability standards apply to the users, owners and
operators of the bulk power system and become mandatory only
after Commission approval. The ERO also is authorized to
impose, after notice and opportunity for a hearing, penalties
for violations of the reliability standards, subject to
Commission review and approval. The ERO may delegate certain
responsibilities to ``Regional Entities,'' subject to
Commission approval.
The Commission may approve proposed reliability standards
or modifications to previously approved standards if it finds
them ``just, reasonable, not unduly discriminatory or
preferential, and in the public interest.'' If the Commission
disapproves a proposed standard or modification, section 215
requires the Commission to remand it to the ERO for further
consideration. The Commission, upon its own motion or upon
complaint, may direct the ERO to submit a proposed standard or
modification on a specific matter. The Commission also may
initiate enforcement on its own motion.
The Commission has implemented section 215 diligently.
Within 180 days of enactment, the Commission adopted rules
governing the reliability program. In mid-2006, it approved
NERC as the ERO. In March 2007, the Commission approved the
first set of national mandatory and enforceable reliability
standards. In April 2007, it approved eight regional delegation
agreements to provide for development of new or modified
standards and enforcement of approved standards by Regional
Entities.
In exercising its new authority, the Commission has
interacted extensively with NERC and the industry. The
Commission also has coordinated with other federal agencies,
such as the Department of Homeland Security, the Department of
Energy, the Nuclear Regulatory Commission, and the Department
of Defense. Also, the Commission has established regular
communications with regulators from Canada and Mexico regarding
reliability, since the North American bulk power system is an
interconnected continental system subject to the laws of three
nations.
Cyber Security Standards Approved Under Section 215
Section 215 defines ``reliability standard[s]'' as
including requirements for the ``reliable operation'' of the
bulk power system including ``cybersecurity protection.''
Section 215 defines reliable operation to mean operating the
elements of the bulk power system within certain limits so
instability, uncontrolled separation, or cascading failures
will not occur ``as a result of a sudden disturbance, including
a cybersecurity incident.'' Section 215 also defines a
``cybersecurity incident'' as a ``malicious act or suspicious
event that disrupts, or was an attempt to disrupt, the
operation of those programmable electronic devices and
communication networks including hardware, software and data
that are essential to the reliable operation of the bulk power
system.''
In August 2006, NERC submitted eight new cyber security
standards, known as the Critical Infrastructure Protection
(CIP) standards, to the Commission for approval under section
215. Critical infrastructure, as defined by NERC for purposes
of the CIP standards, includes facilities, systems, and
equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would affect the reliability or operability of the
``Bulk Electric System.'' NERC proposed an implementation plan
under which certain requirements would be ``auditably
compliant'' beginning by mid-2009, and full compliance with the
CIP standards would not be mandatory until 2010.
On January 18, 2008, the Commission issued a Final Rule
approving the CIP Reliability Standards and concurrently
directed NERC to develop modifications addressing specific
concerns, such as the breadth of discretion left to utilities
by the standards. For example, the standards state that
utilities ``should interpret and apply the reliability
standard[s] using reasonable business judgment.'' Similarly,
the standards at times require certain steps ``where
technically feasible,'' but this is defined as not requiring
the utility ``to replace any equipment in order to achieve
compliance.'' Also, the standards would allow a utility at
times not to take certain action if the utility documents its
``acceptance of risk.'' To address this, the Final Rule
directed NERC, among other things: (1) to develop modifications
to remove the ``reasonable business judgment'' language and the
``acceptance of risk'' exceptions; and, (2) to develop specific
conditions that a responsible entity must satisfy to invoke the
``technical feasibility'' exception. A further example of this
discretion involved the utility's ability to determine which of
its facilities would be subject to the cyber security
standards. For these requirements, the Commission addressed its
concerns by requiring independent oversight of a utility's
decisions by industry entities with a ``wide-area view,'' such
as reliability coordinators or the Regional Entities, subject
to the review of the Commission. However, until such time as
the standards are modified by the ERO through its stakeholder
process, approved by the Commission, and implemented by
industry, the discretion remains.
Current Process To Address Cyber or Other National Security Threats to
the Bulk Power System
As an initial matter, it is important to recognize how
mandatory reliability standards are established under section
215. Under section 215, reliability standards are developed by
the ERO through an open, inclusive, and public process. The
Commission can direct NERC to develop a reliability standard to
address a particular reliability matter, including cyber
security threats. However, the NERC process typically takes
years to develop standards for the Commission's review. In
fact, the cyber security standards approved by FERC took the
industry approximately three years to develop.
NERC's procedures for developing standards allow extensive
opportunity for industry comment, are open, and are generally
based on the procedures of the American National Standards
Institute (ANSI). The NERC process is intended to develop
consensus on both the need for the standard and on the
substance of the proposed standard. Although inclusive, the
process is relatively slow and cumbersome.
Key steps in the NERC process include: nomination of a
proposed standard using a Standard Authorization Request (SAR);
public posting of the SAR for comment; review of the comments
by industry volunteers; drafting or redrafting of the standard
by a team of industry volunteers; public posting of the draft
standard; field testing of the draft standard, if appropriate;
formal balloting of the draft standard, with approval requiring
a quorum of votes by 75 percent of the ballot pool and
affirmative votes by two-thirds of the weighted industry sector
votes; re-balloting, if negative votes are supported by
specific comments; voting by NERC's board of trustees; and an
appeals mechanism to resolve any complaints about the standards
process. NERC-approved standards are then submitted to the
Commission for its review.
Generally, the procedures used by NERC are appropriate for
developing and approving reliability standards. The process
allows extensive opportunities for industry and public comment.
The public nature of the reliability standards development
process is a strength of the process as it relates to most
reliability standards. However, it can be an impediment when
measures or actions need to be taken on a timely basis to
effectively address threats to national security.
The procedures used under section 215 for the development
and approval of reliability standards do not provide an
effective and timely means of addressing urgent cyber or other
national security risks to the bulk power system, particularly
in emergency situations. Certain circumstances, such as those
involving national security, may require immediate action. If a
significant vulnerability in the bulk power system is
identified, procedures used so far for adoption of reliability
standards take too long to implement effective corrective
steps.
FERC rules governing review and establishment of
reliability standards allow the agency to direct the ERO to
develop and propose reliability standards under an expedited
schedule. For example, FERC could order the ERO to submit a
reliability standard to address a reliability vulnerability
within 60 days. Also, NERC's rules of procedure include a
provision for approval of urgent action standards that can be
completed within 60 days and which may be further expedited by
a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk power system
reliability or national security. However, it is not clear NERC
could meet this schedule in practice.
Even a reliability standard developed under the urgent
action provisions would likely be too slow in certain
circumstances. Faced with a cyber security or other national
security threat to reliability, there may be a need to act
decisively in hours or days, rather than weeks, months or
years. That would not be feasible under the urgent action
process. In the meantime, the bulk power system would be left
vulnerable to a known national security threat. Moreover,
existing procedures, including the urgent action procedure,
would widely publicize both the vulnerability and the proposed
solutions, thus increasing the risk of hostile actions before
the appropriate solutions are implemented.
In addition, the proposed standard submitted to the
Commission may not be sufficient to address the vulnerability.
As noted above, when a proposed reliability standard is
submitted to FERC for its review, whether submitted under the
urgent action provisions or the usual process, the agency
cannot modify such standard and must either approve or remand
it. Since the Commission may not modify a proposed reliability
standard under section 215, we would have the choice of
approving an inadequate standard and directing changes, which
reinitiates a process that can take years, or rejecting the
standard altogether. Under either approach, the bulk power
system would remain vulnerable for a prolonged period.
NERC's ``Aurora'' Advisory and Subsequent Actions
Currently, the alternative to a mandatory reliability
standard is for NERC to issue an advisory encouraging utilities
and others to take voluntary action to guard against cyber or
other vulnerabilities. That approach provides for quicker
action, but any such advisory is not mandatory, and should be
expected to produce inconsistent and potentially ineffective
responses. That was our experience with the response to an
advisory issued last year by NERC regarding an identified cyber
security threat referred to as the ``Aurora'' threat. Reliance
on voluntary measures to assure national security is
fundamentally inconsistent with the conclusion Congress reached
during enactment of EPAct 2005, that voluntary standards cannot
assure reliability of the bulk power system.
In response to the Aurora threat, NERC issued an advisory
to certain generator owners, generator operators, transmission
owners, and transmission operators. According to NERC, this
advisory identified a number of short-term measures, mid-term
measures and long-term measures designed to mitigate the cyber
vulnerability. NERC asked the recipients to voluntarily
implement the measures within specific time periods. NERC also
sent a data request to industry members to determine compliance
with the advisory. That data request was limited in scope,
however, asking only that industry members indicate if their
mitigation plans are ``complete,'' ``in progress,'' or ``not
performing.''
The Commission determined that the information sought by
NERC in the above data request was not sufficient for the
Commission to discharge its duties under section 215 because it
did not provide sufficient details about individual mitigation
efforts for the Commission to be certain that the threat had
been addressed. For example, it did not provide information
such as what facilities were the subject of the mitigation
plans, what steps to mitigate the cyber vulnerability were
being taken, and when those steps were planned to be taken--
and, if certain actions were not being taken, why not.
In October 2007, the Commission sought emergency processing
by the Office of Management and Budget (OMB) of a proposed
directive to require utilities to provide information
immediately on their mitigation efforts. OMB posted the
proposal for public comment in December 2007, and received
several comments raising issues about the Commission's ability
to protect sensitive information from public disclosure. The
Commission ultimately asked OMB to hold the proposal in
abeyance while Commission staff asked a sampling of generation
and transmission entities to voluntarily discuss with staff
their compliance with the Aurora advisory. In February,
Commission staff began interviewing them. Commission staff has
conducted 30 detailed interviews with a variety of electric
utilities geographically dispersed across the contiguous 48
states, to assess the state of the industry's protection
against remote access cyber vulnerabilities, including the
Aurora vulnerability. Each interview typically lasted six to
eight hours and utilities voluntarily participated. The
utilities were well prepared with documents to explain their
actions, and were very cooperative in responding to staff
questions. Staff found a wide range of equipment,
configurations and security features implemented by the
utilities. Several observations can be made based on the
interviews.
All of the companies selected by the Commission fully
cooperated in the interviews. We learned that there was a broad
range of compliance based on individual interpretations of the
threat that affected the application of the recommended
mitigation measures. In fact, all of the utilities interviewed
by the Commission requested additional information to help
understand the technical implications of the attack and the
specific strategies to mitigate the identified vulnerabilities.
Through these selected interviews, FERC staff has determined
that although progress has been made by almost every entity it
interviewed, much work remains to be done and, in large part,
the Aurora threat remains.
While NERC can issue an alert, as it did in response to the
Aurora vulnerability, compliance with these alerts is voluntary
and subject to the interpretation of the individual utilities.
Because an alert is voluntary, it may tend to be general in
nature, and lack specificity. Further, as Commission staff has
found with the Aurora alert, such alerts can cause uncertainty
about the specific strategies needed to mitigate the identified
vulnerabilities and the assets to which they apply.
Damage from cyber attacks could be enormous. All of the
electric system is potentially subject to cyber attack,
including power plants, substations, transmission lines, and
local distribution lines. A coordinated attack could affect the
electrical grid to a greater extent than the August 2003
blackout and cause much more extensive damage. Cyber attacks
can physically damage the generating facilities and other
equipment such that restoration of power takes weeks or longer,
instead of a few hours or days. The harm could extend not only
to the economy and the health and welfare of our citizens, but
even to the ability of our military forces to defend us, since
many military installations rely on the bulk power system for
their electricity. The cost of protecting against cyber attacks
is difficult to estimate but, undoubtedly, is much less than
the damages and disruptions that could be incurred if we do not
protect against them.
The need for vigilance may increase as new technologies are
added to the bulk power system. For example, ``smart grid''
technology may provide significant benefits in the use of
electricity. These include the ability to manage not only
energy sources, but also energy consumption, in the reliable
operation of the Nation's electric grid. However, smart grid
technology will also introduce many potential access points to
the computer systems used by the electric industry to operate
the electric grid. Security features must be an integral
consideration. To some degree, this is similar to the banking
industry allowing its customers to bank on line, but only with
appropriate security protections in place. As the ``smart
grid'' effort moves forward, steps will need to be taken to
ensure that cyber security protections are in place prior to
its implementation. The challenge will be to focus not only on
general approaches but, importantly, on the details of specific
technologies and the risks they may present.
Key Elements of Needed Legislation
In my view, section 215 is an adequate statutory foundation
to protect the bulk power system against most reliability
threats. However, the threat of cyber attacks or other
intentional malicious acts against the electric grid is
different. These are national security threats that may be
posed by foreign nations or others intent on attacking the U.S.
through its electric grid. The nature of the threat stands in
stark contrast to other major reliability vulnerabilities that
have caused regional blackouts and reliability failures in the
past, such as vegetation management and relay maintenance.
Though the nature of the threat is different, the consequences
are identical. Widespread disruption of electric service can
quickly undermine the U.S. government and economy and endanger
the health and safety of millions of citizens. Given the
national security dimension to this threat, there may be a need
to act quickly to protect the grid, to act in a manner where
action is mandatory rather than voluntary, and to protect
certain information from public disclosure. Our legal authority
is inadequate for such action. This is true of both cyber and
non-cyber threats that pose national security concerns. In the
case of such threats to the electric system, the Commission
does not have sufficient authority to timely protect the
reliability of the system.
I ask Congress to enact legislation, outside of section
215, containing the following major elements. The bill should
direct the Commission to establish, after notice and
opportunity for comment, interim reliability measures to
protect against the threats identified in NERC's ``Aurora''
advisory and related remote access issues. These interim
measures could later be replaced by reliability standards
developed, approved and implemented under the section 215
process. The bill also should allow the Commission, upon
directive by the President (directly or through the Secretary
of Energy), to issue emergency orders directing actions
necessary to protect the reliability of the bulk power system
against an imminent cyber security or other national security
threat. Significantly, FERC could only act upon such a
directive. This reflects the reality that the President and
national security and intelligence agencies such as DOE are in
a better position than the Commission to determine the nature
of a national security threat, while the Commission has the
expertise to develop appropriate interim reliability measures.
I emphasize that the latter authority should apply not only
to cyber security threats but also to other national security
threats. Intentional physical malicious acts (targeting, for
example, critical substations and generating stations) can
cause equal or greater destruction than cyber attacks and the
Commission should have no less ability to address them when an
emergency arises. This additional authority would not displace
other means of protecting the grid, such as action by federal,
state and local law enforcement and the National Guard, but the
Commission has unique expertise regarding the reliability of
the grid, the consequences of threats to it and the measures
necessary to safeguard it. If particular circumstances cause
both FERC and other governmental authorities to require action
by utilities, FERC will coordinate with other authorities as
appropriate.
The bill should allow measures or actions that might be
imposed under this new authority to be replaced by standards
developed under section 215 where applicable. For example,
there may be circumstances in which use of the section 215
process would not be applicable, such as when targeted and/or
temporary measures are necessary based on specific threat
information. Also, the Commission should be allowed to maintain
appropriate confidentiality of any security-sensitive
information submitted or developed through the exercise of this
authority.
The bill also should address the following details. First,
the bill should allow the Commission to take emergency action
before a cyber or other national security incident has
occurred, if there is a likelihood of a malicious act or a
substantial possibility of disruption due to such an act. In
order to protect the grid, it is vital that the Commission be
authorized to act before a cyber attack. It is equally
necessary that the threshold for a threat determination not be
so high as to be insurmountable. Second, with respect to the
Aurora and related cyber threats of which we are aware today,
the Commission should be permitted and directed, after notice
and comment, to require owners, users and operators of the bulk
power system to take adequate measures to address those
threats, and those measures should remain in effect until the
measures are no longer necessary, for example, if replacement
standards are approved and implemented under section 215.
Third, with respect to other actions or measures the Commission
might order to address future imminent threats to reliability,
any time-triggered sunset provision applicable to emergency
actions ordered by the Commission should allow an exception if
the President (directly or through the Secretary of Energy)
reaffirms the continuing nature of the threat. In the event
that the action is determined to be no longer necessary or if
the measures or actions ordered by the Commission are replaced
by standards approved and implemented under section 215, the
Commission should issue a ``discontinuance'' order.
Finally, Congress should be aware of the fact that if
additional reliability authority is limited to the ``bulk power
system,'' as defined in the FPA, it would exclude protection
against reliability threats and emergency actions involving
Alaska and Hawaii and possibly the territories, including any
federal installations located therein. The current
interpretation of ``bulk power system'' also would exclude some
transmission and all local distribution facilities, including
virtually all of the grid facilities in large cities such as
New York and Washington, D.C., thus precluding possible
Commission action to mitigate imminent cyber or other national
security threats to reliability that involve such facilities
and major population areas.
Conclusion
The Commission's authority is not adequate to address
urgent cyber or other national security threats. These types of
threats pose an increasing risk to our Nation's electric grid,
which undergirds our government and economy and helps ensure
the health and welfare of our citizens. Congress should address
this risk now.
Thank you again for the opportunity to testify today. I
would be happy to answer any questions you may have.
----------
Mr. Boucher. Thank you very much, Mr. Kelliher. Mr.
Kolevar, we will be happy to hear from you.
STATEMENT OF KEVIN M. KOLEVAR, ASSISTANT SECRETARY, OFFICE OF
ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. DEPARTMENT OF
ENERGY
Mr. Kolevar. Thank you, Mr. Chairman, members of the
committee, for the opportunity to testify before you today on
this critically important matter. Let me just note at the
beginning that, as you would expect, the chairman and I and our
staff have discussed this issue on a number of occasions. I
would like to associate myself with his remarks. I think that
as we move forward, you will find broad agreement between the
Department of Energy and the FERC.
This hearing addresses more than just a reliability
concern. It addresses a national security concern. The
Department of Energy and FERC and the electric sector must work
cooperatively toward eliminating cyber vulnerabilities in
control systems and preventing malicious cyber attacks on our
electric infrastructure. Our Nation's electric power grid must
be better protected. We must harden our power system.
The Department of Energy regularly discovers new
vulnerabilities in the control systems employed by many
utilities. This is not hyperbole. Let me assure you that cyber
attacks against control systems have occurred, and they are
becoming increasingly sophisticated.
The director of National Intelligence only underscored
these concerns when he acknowledged earlier this year that
cyber exploitation has not only grown more sophisticated but
more targeted and more serious. Embedded processes and
controllers in critical sectors are being targeted for
exploitation and potentially for disruption or destruction with
increasing frequency by a growing number of adversaries, not
all of whom are in the pay of foreign governments.
According to one senior CIA analyst, some cyber intrusions
in utilities have been followed by extortion demands. Cyber
attacks have been used to disrupt power equipment in regions
outside the United States, and in at least one case, a cyber-
based disruption caused an outage that affected multiple
cities.
Let me for a moment drill down on one point, and this
actually speaks to Congressman Rogers's point. The following
text is drawn from the intelligence community assisting us in
preparation of this draft. For a nation-state to execute a
coordinated attack across the Nation with certainty at a point
in time chosen to have geopolitical or military effect would
require considerable planning and would require sustained
access during an extensive preparation period to numerous
points in the control systems that help operate the national
grid.
Planning this type of attack would require extensive
collection of information, expertise on both cyber and power
systems, probably some type of extensive modeling to be sure of
the effect, and then gaining and maintaining access to the
actual target systems. Even maintaining reliable clandestine
access requires resources and constant attention because system
software and configurations change over time, and the adversary
must be careful not to tip his hand with obvious activity.
Gaining initial access to particular systems may require
the recruitment of insiders or conducting supply chain attacks,
which might require months or years of preparation. Even
gathering the necessary detailed information needed to identify
targets and possible points of access may require some form of
long-term clandestine operations.
As a matter of risk management, we need to make sure that
we are not facilitating each of these critical steps for our
adversaries by leaving ourselves open to collection of target
information, open to easy access and reconnaissance or
vulnerable by virtue of leaving systems misconfigured or
unpatched.
The Departments of Energy and Homeland Security have been
working with industry to increase awareness and to help them
make sensible risk management choices. And, Mr. Chairman, I
think this also speaks to the confidentiality requirements that
the chairman mentioned.
To be clear, however, notwithstanding the many difficulties
associated with the execution of a very serious cyber attack on
the electric sector, the potential consequences are
significant. For that reason, a limited role for the federal
government is warranted if the Nation's energy infrastructure
is to be protected.
The Department has been substantively engaged on this issue
for some time. In 2003, DOE's Office of Energy Assurance, the
predecessor program to the Office of Electricity Delivery and
Energy Reliability, was designated to work directly with the
energy owners and operators to protect energy infrastructures
from all hazards and make them become more resilient.
DOE does this by selectively conducting vulnerability
assessments and applying sound risk management practices at
critical facilities, and we implement physical and cyber
solutions to mitigate the risks based on the vulnerabilities we
identify. To date, the department and its national laboratories
have conducted test bed and onsite field assessments of 15
common control systems used widely across the energy sector.
These assessments have revealed vulnerabilities ranging in
severity from minimal to high impact. With 17 testing
facilities from five Department of Energy national
laboratories, we are also constantly leveraging an extensive
intelligence gathering network, proven methodologies, and
highly skilled professionals from across the national security
and intelligence communities, in particular DHS, to assess and
interpret threat information.
Nevertheless, we need to do more and be thoughtful. The
cyber threat to electric power systems is certainly among the
most critical in our Nation's infrastructure. However,
cyberspace has become critical to all of our other
infrastructures as well with potential national security,
economic, and safety concerns. As a Nation, we need to make
sure that we are addressing risk management across all of our
infrastructures in a holistic manner and that we not solve one
problem only to create new problems or restrain solutions
elsewhere.
As a result, we believe any legislation should be carefully
coordinated across the executive branch. We need to move
expeditiously to protect the power grid, but let us get this
right. The administration is continuing to examine what
additional authorities are appropriate for DOE and the FERC.
To the extent that Congress acts in this area, we recommend
that it consider the following: allow the FERC to establish
interim reliability standards for the purpose of rapidly
responding to specific electric sector vulnerabilities. When
presented with a credible cyber threat against the bulk power
system, such interim reliability standards could provide an
effective bridge until being replaced by cybersecurity
reliability standards developed, approved, and implemented
pursuant to section 215.
With respect to potential measures in the face of an
imminent threat to the bulk power system, allow the Department
of Energy to issue an order for immediate remedial action. That
order could stand until new FERC interim standards or standards
developed pursuant to section 215 were put into place.
Mr. Chairman, that concludes my statement. I am prepared to
take any questions.
[The prepared statement of Mr. Kolevar follows:]
Mr. Boucher. Thank you very much, Mr. Kolevar. Mr.
Kelliher, I am going to direct my questions to you, and I would
appreciate your turning, if you have the information there, to
the audit, which the NERC conducted of the 1,200 entities
connected to the bulk power system that received the FERC
advisory recommending certain steps that should be taken to
enhance protection against cybersecurity threats and outlining
a schedule of either 90 days in the case of some steps or 180
days in the case of other steps, by which those protections
should be put in place.
You audited a number of those 1,200 entities. As I recall,
that number was 30. Is that correct?
Mr. Kelliher. Yes, sir.
Mr. Boucher. With regard to those 30 audited companies, how
many did you find that were at the time of your audit in full
compliance with the advisory that had been issued by the NERC?
Mr. Kelliher. Seven of the 30, sir.
Mr. Boucher. So seven of the 30 were in full compliance? Of
the remaining 23, had some of those taken some steps toward
compliance but were not in full compliance? Or were there any
among those 23 that had taken no steps at all?
Mr. Kelliher. I believe all of the 23 took some steps. It
varied on how many they took.
Mr. Boucher. How many would you classify, based on your
audit, as still being vulnerable to the Aurora vulnerability
determined by the Idaho laboratory?
Mr. Kelliher. Well, that is a more difficult question
because full compliance with the advisory itself, in our view,
wouldn't necessarily mitigate the Aurora threat. So you are
really asking, which companies went beyond the advisory to take
steps broader than what NERC had recommended. And that we would
say two of the 30 had mitigated the Aurora threat.
Mr. Boucher. Leaving 28 still vulnerable in FERC's view?
Mr. Kelliher. Yes, sir.
Mr. Boucher. OK, talk a little bit about what you found in
terms of the compliance schedules that had been adopted by the
various utilities. Did some of them have truly extraordinary
schedules extending over many years as compared to the NERC
advisory, which was that these steps be put in place within 180
days?
Mr. Kelliher. Yes, sir, and I think there was some confusion
in some of the companies between the timelines in the NERC
advisory and the scope of facilities covered by the
NERC advisory with the rules that the Commission issued, the
cyber standards that the Commission approved in January, which
envisioned a longer time frame than the NERC advisory. Some
companies incorrectly assumed that the longer timelines in the
FERC rule govern their compliance with the NERC advisory.
Mr. Boucher. So they really didn't understand the NERC
advisory?
Mr. Kelliher. Some of them certainly did not understand the
timelines of when their actions were supposed to take place.
Mr. Boucher. All right, did you find that there were
utilities that had done little or nothing in compliance with
the NERC advisory other than simply preparing for the FERC
interview that was a part of your audit?
Mr. Kelliher. They readily participated in our review, so I
think the industry gets credit for openly participating. They
did ask for some confidentiality, and because they are
providing this information voluntarily, we agreed to that. In
some cases, I don't think there was a sufficient understanding
of what facilities really should be covered by the NERC
advisory. I think companies thought they could freely determine
if facilities were not part of the bulk power system and were
therefore not covered by the advisory, and then shrink the
scope of facilities where they might have to act to protect
cybersecurity.
In other cases, there was a lack of appreciation for the
communication among their facilities. Many and really most
electric facilities are capable of remote operation, and some
utilities didn't seem to appreciate how interconnected some of
their facilities were.
Mr. Boucher. And so I gather from that answer that there
were utilities that incorrectly assumed that their equipment
was not vulnerable to the Aurora vulnerability, when, in fact,
you could readily see that that equipment was subject to that
vulnerability?
Mr. Kelliher. Yes, sir.
Mr. Boucher. Did you find any entities that excluded
critical assets from the implementation to the extent they were
implementing the NERC advisory that should have, in fact, been
covered and been a part of that implementation?
Mr. Kelliher. Yes, sir, we think some facilities should
have been included that were not.
Mr. Boucher. Let me ask for your reasoning, briefly stated,
on some of the key issues that we have detected as remaining
outstanding where there is some difference of opinion among
interested parties with regard to the discussion draft that we
have put forward. Specifically the definition of what
constitutes a cybersecurity threat, whether or not the
authority that is extended to the FERC should go beyond
protecting against cybersecurity attacks to protecting against
physical attacks to those facilities, whether or not--I am
sorry--the conditions under which there should be a sunset on
the emergency powers that would be granted upon a Presidential
or Secretary of Energy designated emergency?
And then finally, the scope of the authority granted to you
in terms of its basic coverage. Should it extend beyond the
continental bulk power system to the States of Alaska and
Hawaii? Should it extend to major distribution systems in our
largest cities such as New York and Washington, D.C.? And I
realize that is a question that could occupy a half hour in
response. What I am asking for is maybe a 3-minute response if
you could.
Mr. Kelliher. OK, I will do my best. In terms of threshold,
I think the threshold in the bill is appropriate. If the
threshold is set so high that it is virtually impossible for
the President or the Secretary to make a threat determination,
then it is probably better not to legislate in the first place
because you will end up with a statute that becomes somewhat of
a dead letter.
With respect to scope of facilities, we think the scope is
appropriate, but it is important for the subcommittee to
understand that it is not true that the only cyber threat to
the U.S. electricity system is directed at the bulk power
system. It can be directed towards other transmission
facilities that are not part of the bulk power system. It can
be directed towards local distribution facilities.
In part, we support the current scope because from FERC's
point of view, that is what you entrusted to us 3 1/2 years
ago. You said FERC, you are responsible to assure reliability
of the bulk power system, not the entire electricity system of
the United States. We are sticking with what you entrusted to
us 3 years ago. We think that scope is appropriate, but we
don't want the subcommittee to think that is the only part of
the U.S. electricity system that is at risk.
You had four questions. That was only two of them. The----
Mr. Boucher. Well, also the conditions under which there
could be a sunset on the emergency power.
Mr. Kelliher. The sunset? I frankly don't think a sunset is
appropriate because we are talking about emergency powers and
national security law. And FERC isn't usually associated with
emergency powers, and I think a sunset is inconsistent with the
exercise of emergency power.
Mr. Boucher. Well, if the emergency subsides, then
obviously the powers associated with addressing that emergency
would no longer be necessary.
Mr. Kelliher. Yes, sir, but I think part of it is how
likely do you think the President or the Secretary of Energy
would be to declare a threat? If the threat subsided, I think
the President and the Secretary would be ready to acknowledge
that the threat had subsided. And then the FERC action would
terminate.
Mr. Boucher. Well, it sounds like your answer to that
question is upon a Presidential or Secretary of Energy
determination that the threat has ended--because some of the
other proposals would have automatic termination----
Mr. Kelliher. Yes, sir.
Mr. Boucher [continuing]. Upon a period of 1 year----
Mr. Kelliher. Yes, sir.
Mr. Boucher [continuing]. As an example unless the
emergency was reviewed by affirmative action of the executive.
And so your thought on that would be what?
Mr. Kelliher. I think a sunset is workable, but I think it
is inconsistent generally with national security law and the
exercise of emergency powers. And you have one more question I
haven't gotten to, sir, but I----
Mr. Boucher. The definition of what constitutes an
emergency----
Mr. Kelliher. OK.
Mr. Boucher [continuing]. And the notion of substantially
as a part of the statutory definition.
Mr. Kelliher. We support the ``or'' configuration not the
``and'' configuration because we think the ``and''
configuration just sets the bar too high.
Mr. Boucher. That is too limiting in your view?
Mr. Kelliher. Yes, sir.
Mr. Boucher. All right, thank you. One other question I
have.
Mr. Kelliher. Yes, sir.
Mr. Boucher. Did you estimate while you were undertaking
your audit of entities attached to the bulk power system what
the cost of complying with the FERC advisory would be for the
typical attached entity? That is a key consideration. If it is
a minor cost, then there would be little reason for
noncompliance to have occurred certainly to the extent that it
did.
If it is a major cost, then obviously a different set of
considerations begin to apply, and that would necessarily
affect timeframes that you would want to have in your order or
that we might want to have in the statute for obtaining
compliance. So the question of cost is relevant. As a part of
your audit, did you address that question? And if so, do you
have an estimate of what the cost of compliance per covered
facility would be?
Mr. Kelliher. We do not have a good estimate of what the
cost of compliance would be. One aspect of FERC being the actor
in this area is that FERC is a regulatory agency, and we can
provide for cost recovery. And I think that is an important
consideration to industry. And we don't regulate all parts of
the electricity industry--I wanted to make sure Sue Kelly heard
me say that.
Mr. Boucher. It is an important concern to industry, but a
larger concern that we take into consideration is the ultimate
cost to the energy----
Mr. Kelliher. Yes, sir.
Mr. Boucher [continuing]. User as well.
Mr. Kelliher. Yes, sir.
Mr. Boucher. And cost recovery simply shifts it downward----
Mr. Kelliher. I agree.
Mr. Boucher [continuing]. To the ultimate user, and that is
something we would need to consider. So----
Mr. Kelliher. Yes, sir.
Mr. Boucher [continuing]. One thing that I would be very
interested in learning, and perhaps other witnesses in their
opening statements could address this, is what that estimated
cost would be. My time has been grossly exceeded here. Mr.
Kelliher, you have been very helpful. I thank you and recognize
the gentleman from Michigan for his questions.
Mr. Upton. Thank you again for your testimony this morning.
I do have a couple of questions. And for me again, I am very
anxious for our classified briefing with perhaps a few more
parties that can help us with this issue so that we can
appropriately so come up with the absolute best vehicle.
And of course, as I think back, it was the blackout through
much of the Midwest that really prompted the '05 bill. That was
the engine that drove the train, bringing about those
reliability standards which passed on a pretty broad bipartisan
basis. Both Mr. Dingell and Mr. Barton had key roles. They
supported the bill. The same thing was in the Senate. I was a
part of that conference, and we are glad to see it happen.
And I guess if I had to use an analogy, I raised about the
FAA towers, the FAA control back on 9/11 today ordering all the
planes to come down. In essence, you all can send out
advisories, but you can't enforce what you have to say. So it
would be very much along what American Airlines was told a few
months ago when they literally had to shut down their airline
as they had to rebundle all of those wiring packages in their
planes because the advisory came out. And those planes couldn't
fly until it was done. And in essence, I would think that we
need to make sure that you have the power to, as you issue
those advisories, to make sure that they are completed in a
timely manner.
And in response to Mr. Boucher's question about cost, I
suppose as part of that advisory, you could ask the utilities
what they anticipate those costs to be. Is that not something
that you do now then in terms of the advisories that go out or
not?
Mr. Kelliher. Certainly with respect to any action we take
to mitigate the Aurora threat, that would be through a notice
and comment rulemaking, and the industry would certainly raise
cost in the context of that rulemaking.
Mr. Upton. What type of trigger would you mean? As we think
about Jim Langevin, our colleague who spoke earlier in terms of
the chain of command. And one of the issues that he raised was
that it may happen so fast, cyber seconds, you may not have
time to go to the whatever chain of command that you have,
whether it be the NSA, the President, the Secretary of Energy.
What type of pre-trigger would you suggest be employed for you
to I would suppose, what shut down a utility or shut down part
of the grid to make sure that it doesn't expand? Is that the
type of threat that you would envision would happen?
Mr. Kelliher. Let me try to come up with a hypothetical
that could try to put it in place, and hypotheticals are
sometimes useful, sometimes not helpful. But I will take the
risk. Let us assume that the Department of Energy or the
President or somewhere in the National Security Agency, they
identified some threat to substations in a city. There was some
effort to destroy substations, and the President or the
Secretary made a finding consistent with the statute, that
there is a credible--I don't actually remember the exact
words--but the President or the Secretary made a finding
consistent with the statute.
FERC would not be in a position to make that finding
because we are not an intelligence agency. But upon that
finding, we could theoretically identify where there are spare
transformers in a country. We could theoretically order them to
be relocated to that metropolitan area in anticipation of a
possible attack. And we could also allow for cost recovery for
the owners of those transformers, if they are regulated
entities. And we could try to come up with a creative approach
to address cost recovery if they are not.
That is the kind of thing that conceivably we could do
under this scenario. In an urban area, we could order
generators to have higher spinning--to operate their system
differently to basically have more generation on call in the
event some facilities were damaged or destroyed.
So there are operational changes that we could order. We
could order the relocation of spare transformers, and there
would be other hypotheticals as well.
Mr. Upton. That would take time though. I mean that would
actually be something--by the time you located a generator and
move it to the right spot, it could----
Mr. Kelliher. Not the second one. Ordering generators to
have higher spinning reserve levels, that is something that
could be done immediately.
Mr. Upton. You know, as I think about what happened back in
'05--and remember I am from Michigan----
Mr. Kelliher. Yes, sir.
Mr. Upton [continuing]. So go like this. And I live over
here, and we have two nuclear plants, and I can remember one of
our plants, the Palisades plant, they were within less than a
minute of shutting that facility down because of the drain on
the network from Columbus and Ohio and other places. It was
just sucking the power through the grid, and had that shut that
plant down, it would have gone right around the horn over to
Chicago. And it would have been even far worse. So they had to
make the decision as to whether they were going to keep it
online. And thank goodness they didn't have to hit the shutoff
button, which who knows how long. It would have been much
longer, much more in damages in terms of what would have
happened.
But that was their own independent decision as to whether
they were going to--and I think it was Consumers Energy then
owned it. It could have been Entergy, but it was that nuclear
plant that, because it stayed on, actually prevented it from
going and hitting even more of the Midwest than what happened.
But as I recall that was their own independent decision. It
wasn't FERC that told them to shut it down or somebody else.
And I don't know if the '05 act would change that, who would
enforce it. If it was a cyber act, you would think that again
it would be pretty--whoever the president would be would take
almost immediate action to try and prevent damages or loss from
expanding beyond perhaps individual facilities which would
trigger even broader blackout for who knows how long.
Mr. Kelliher. That kind of scenario in terms of the 2003
blackout, that might--I am not familiar with the particular
circumstances of that nuclear plant. But that is something that
could be covered by the reliability standards that the
Commission approved a year-and-a-half ago. But if----
Mr. Upton. But who would give that order? I mean would
you--are you able now to enforce----
Mr. Kelliher. I think----
Mr. Upton [continuing]. Have some enforcement action?
Mr. Kelliher. I can't say with certainty that there is a
current reliability standard that would govern the decision by
a nuclear plant whether or not to continue to operate because
nuclear plants--there are standards that the NERC establishes,
the governing loss of offsite power. And nuclear plants, I
think they generally do shut down when they lose offsite power.
So we have tried to synch up our reliability standards with
NERC standards, and we wouldn't want to interfere with NERC
safety standards.
Mr. Upton. Yes, I wonder if we should have the NERC as a
participant in our meeting next week. Probably should. So I
have gone beyond my time as well, so I yield.
Mr. Kolevar. Mr. Chairman, if I can respond to the
Congressman's question as well. When we look at this, there are
really probably three situations that we need to think about
when we are talking about threats to the grid and then
immediate reliability implications and long-term reliability
implications.
Congressman, I think the situation you described falls into
the latter category. Those are actions that the utilities would
take or that the operators at that nuclear facility would take
as a result of the standards development process.
When we are looking at the draft legislation today at the
Department of Energy, we really seek two other scenarios. One
is you have a credible threat probably against a specific
facility or a portion of the grid that requires immediate
action. The Department of Energy does exercise some similar
emergency authorities for the purposes of interconnection in
particular. And that can be issued in about an hour. I think
the FERC actually has some similar authorities to 202C that are
able to be executed very quickly.
So that is your imminent immediate threat to which the
Federal Government must take action and respond and give
direction to the sector.
The second is the situation that I think Aurora
exemplifies, and that is a vulnerability. But the risk of
exploitation of that vulnerability is relatively low. You don't
have a player. You don't have a time. You don't have a specific
threat. And in that type of situation, that does speak to an
interim authority at the FERC over a period of 90 days, 120
days, 6 months, whatever it is that the commission of the
utilities decide is most appropriate to speak to that threat
and identify the interim standards that are going to be
employed to ensure that that threat can't be exploited.
Mr. Upton. Thank you.
Mr. Boucher. Thank you very much, Mr. Upton. The gentleman
from Oregon, Mr. Walden, is recognized for 5 minutes.
Mr. Walden. Thank you very much, Mr. Chairman. I think it
is appropriate we are having this hearing today because I think
for some of us this issue really came to life in a post-9/11
environment, some of the briefings that we had at that time.
And for those of us in the West with the long interconnection
ties, I think of my district in Oregon where we ship the power
from the hydro system through those big DC converter lines down
to California at all. That there are enormous vulnerabilities
and opportunities for mischief, if not downright destruction.
And I guess, Mr. Kelliher, I would like to ask a couple of
questions. One involves this--and I have had no classified
briefings on this. So if I stumble into an area I don't belong,
shut me down. That is fine. But it would seem to me that, if
there is a cyber threat, is the issue that they can do a phase
shift then and modify the power itself and cause disruption in
the transformers. Is that part of it? Can they do voltage
spikes? Blow up the transformers? What sorts of issues do we
need to be aware of here?
Mr. Kelliher. It is probably better to say they can cause
physical damage and actually destroy facilities like
transformers, and there are different ways they can--a cyber
attack could cause that damage.
Mr. Walden. And then when it comes to the destruction of
transformers, because that could be done with a explosive
device. I mean today somebody could go out to one of those
substations and do damage. Have we in the interceding 7 years
taken stock of sort of our transformer supply? Because my
understanding is that it could take months if not perhaps
longer than that to replace some of these transformers if you
had to start over from scratch and build them. Is that correct?
Mr. Kelliher. We have taken the first steps at FERC to
encourage the development of spare transformers.
Mr. Walden. OK.
Mr. Kelliher. Because, as you say, transformers, they can
take months, perhaps a year or longer actually to manufacture.
And there generally are not very many spare transformers in the
United States.
Mr. Walden. They are very expensive.
Mr. Kelliher. They are very expensive. So we have issued an
order that would provide for cost recovery to the extent
regulated companies develop spare transformers so that they
could then be pooled for use.
Mr. Walden. And do you know are there companies taking
advantage of that?
Mr. Kelliher. I don't know the status of whether there has
been an increase in the purchase of transformers. We have an
order that allows for cost recovery. I don't know what has
followed the issuance of our order.
Mr. Walden. Because I can see an oversight hearing post
some event where we question the utilities about why they
didn't take advantage of that and have at least some sort of
backup. I realize you are not going to have one for one. I
fully understand that, but it would seem to me that is an area
where we would need backup because isn't the alternative that
the grid could be down for a long period of time?
Mr. Kelliher. Certain facilities can be damaged or
destroyed, and that is different than a blackout scenario where
you can recover relatively quickly. Recovery could take longer
in the wake of a successful cyber attack.
Mr. Walden. Or a physical attack.
Mr. Kelliher. Yes, sir.
Mr. Walden. Either one. So it would seem to me that, one,
we need to investigate more in terms of where utilities are in
backup transformers because that just seems logical to me. Just
as you have generators ready to go in case there is a hurricane
somewhere or any other disaster. This notion of having backup
transformers would certainly make sense.
This other issue about having to have a presidential
declaration and all. It would strike me--and perhaps, Mr.
Kolevar, you can address this as well--that if a utility or
grid manager got word that there is some potential cyber
attack, wouldn't they want to react instantly to stop any
damage to their systems?
Mr. Kolevar. I would expect they would.
Mr. Walden. And I heard some reference that it could take
upwards of an hour perhaps. Why would it take that long?
Mr. Kolevar. Your question goes to the actions that the
utility----
Mr. Walden. Right.
Mr. Kolevar [continuing]. Upon information----
Mr. Walden. Like shutting down a nuclear plant.
Mr. Kolevar [continuing]. Would take. My experience with
the electric sector is they would take immediate actions to
protect their system. They do that now when they have anomalies
on the grid. To the extent that you are talking about an
emergency order issued by the Federal Government--and for our
purposes, we think the analogous order is a section 202C order
under the Federal Power Act where the Secretary of Energy finds
that an emergency exists in the sector, and that might be
because of a natural disaster. The hurricanes that hit in
2005----
Mr. Walden. Right.
Mr. Kolevar [continuing]. Caused one. Or we have a
reliability emergency, which was the case in the order that was
issued for the local Mirant plant on the Potomac River. And the
point is to say that where there is a need to act quickly with
Federal orders speaking to the operation of a system, that
there is a history of the Federal Government moving very
quickly from administration to administration in preparing and
releasing an order to the electric sector to respond
accordingly.
Mr. Walden. All right, Mr. Chairman, I know my time has
expired, and I know we have been joined by my colleague from
Illinois. So I would thank you for your indulgence.
Mr. Boucher. Thank you very much, Mr. Walden. The gentleman
from Illinois is welcomed to the subcommittee today, and Mr.
Shimkus is recognized for 5 minutes.
Mr. Shimkus. Thank you, Mr. Chairman. I was on the floor,
as you know, fighting for coal. Thought you would appreciate
that.
Mr. Boucher. Did you bring some with you?
Mr. Shimkus. Right here. It is good southern Illinois coal.
Mr. Boucher. We talked about coal a lot in this
subcommittee. I am not aware we have actually had it here
before.
Mr. Shimkus. Well ----
Mr. Boucher. I thank the gentleman.
Mr. Shimkus. We need a new good electric grid for all that
Illinois coal to be used in electricity generation and spread
to lower prices for all over the country, Chairman. I am
unprepared to follow up with concise questions. So I will just
yield back, Mr. Chairman.
Mr. Boucher. Well, you will have your opportunity on the
second panel, and I thank the gentleman. Mr. Kelliher, did you
care to make another remark?
Mr. Kelliher. Mr. Chairman, I just wanted to clarify my
earlier comments about the sunset. I do think generally a
sunset is inconsistent with the use of emergency powers, but
FERC has, in our discussions with industry groups and with
others, agreed to a sunset in the scenario where if there would
be a Presidential finding or a finding by the Secretary, FERC
would be directed to act. We have agreed to a 1-year sunset in
the course of discussions in order to develop the broadest
possible consensus. So I just wanted to clarify my comments on
sunset.
Mr. Boucher. And then on the question, Mr. Kelliher, of the
basic powers that the statute would confer upon FERC, that
would not be subject to a sunset? The basic requirements that
the facilities connected to the grid take certain steps, all of
them take certain steps as a basic protection against
cybersecurity would not be subject to sunset. It would only be
the emergency powers that are granted pursuant to special
Federal finding, Presidential finding that there is a unique
emergency that would be subject to some sunset?
Mr. Kelliher. Yes sir, and the permanent standards that we
have established under section 215 would not sunset, would not
be affected. It would be the emergency actions, if you will.
Mr. Boucher. Thank you for that clarification. It is very
helpful. Mr. Kolevar, Mr. Kelliher, I know that both of you
have urgent obligations elsewhere. We thank you for your
attendance this morning, and you are excused.
We now turn to our remaining witnesses on the panel who
have already been introduced. And we would ask that your oral
statements be kept to approximately 5 minutes, and that will
leave us ample time for questions. Mr. Sergel, we will be happy
to begin with you.
STATEMENT OF RICHARD P. SERGEL, PRESIDENT, NORTH AMERICAN
ELECTRIC RELIABILITY CORPORATION
Mr. Sergel. Thank you, Mr. Chairman and members of the
subcommittee. My name is Rick Sergel, and I am the president of
the North American Electric Reliability Corporation, known
here as NERC. I appreciate the opportunity to appear before you
today on this very special day and on this very important
topic.
Let me be clear: the risk to the operation of the Nation's
electricity system from potential intrusion through the
Internet into computerized system control capabilities, AKA
cybersecurity attacks, is real. It is not new. The Energy
Policy Act of 2005 in which this committee played a major role
and which, for the first time, authorized the promulgation and
enforcement of mandatory reliability standards to protect the
bulk power system defined reliability standards as specifically
including cybersecurity protection. You identified that early
on.
But at the same time, the nature of the threat is new every
day because it changes all the time. And as the entity
entrusted with protecting the reliability of the North American
bulk power system, subject to FERC oversight in the United
States, NERC takes very seriously its responsibilities for
protecting the cybersecurity of the North American bulk power
system and meeting this ever-evolving threat.
NERC now has the ability to enforce over 100 reliability
standards, including nine dealing with cybersecurity. These
standards have improved the reliability of the system,
including its cybersecurity.
However, cybersecurity threats are different from other
reliability concerns. Potential threats can arise very quickly,
requiring rapid, effective, and often confidential responses.
Cybersecurity threats are more likely to be driven by
intentional manipulation of devices as opposed to operational
events in the bulk power system, such as lightning or equipment
malfunctions.
When there is an imminent cybersecurity threat, the
response must be immediate. It must provide for confidential
treatment of critical information, rapid threat analysis, and
directed actions necessary to address the threat.
NERC develops reliability standards using a transparent
process that provides for full participation of interested
parties and draws heavily on industry expertise, but this takes
time, and it takes transparent exchanges of data and views that
are not well suited for a cybersecurity threat.
For these reasons, it is NERC's position that in the event
of an imminent cybersecurity threat, the U.S. Government should
be authorized to act immediately. With emergency
responsibilities in the hand of government, NERC will be better
able to do what it does best. That is develop and implement
cybersecurity reliability standards that will harden the grid
against intrusion and aid in responding effectively to
cybersecurity incidents.
NERC is committed to ensuring the reliability of the system
and assuring that NERC's efforts will be complementary to those
of government and industry with regard to cybersecurity
protection. Finally, NERC is committed to assuring that there
are no gaps and that responsibility is clear for execution of
cybersecurity protection initiatives.
With helpful guidance from Chairman Langevin, NERC has
elevated the importance and the urgency of understanding and
addressing cybersecurity threats. Key elements of this strategy
include consolidating responsibility for coordination of all
cybersecurity matters across all NERC activities into a single
responsibility area led by our new chief security officer,
Michael Assante, who is here with me today.
Improving our standards and developing processes to enable
us to set standards on a more expedited basis are also
important, as well as: raising the importance of the issue
within the industry by engaging CEOs at the strategic and
policy setting level; communicating more effectively with
industry on critical infrastructure security matters; and
coordinating effectively with the multiple government
stakeholders involved in protecting the grid from cybersecurity
attacks. You have talked about that several times this morning.
In summary, cybersecurity threats to the bulk power system
are real. Working with the government and industry, NERC is
committed to addressing these threats; however, in order to
address an imminent cybersecurity threat, the Federal
Government must have emergency authority to act.
NERC commends the subcommittee's efforts to develop
appropriate emergency legislation and pledges to assist in this
effort in any way that we can.
Several times this morning, you have discussed our actions
with respect to responding to Aurora, I think it is fair to say
that when we acted with respect to Aurora by issuing our
advisory, we did do some good. There has been progress as a
result of sending that out, and we did the right thing to send
it out. We also demonstrated, and for NERC painfully, the
limitations of that process. There are limitations with respect
to every aspect of it, including who did it go to. You
mentioned numbers here today, 1,200, 1,500. I am uncomfortable
with all of those because we know so much better who the
individuals are that should get that advisory today than we did
at that time.
But the most important thing that we demonstrated was the
limitation of trying to use a voluntary standards process and
thinking that it could deal with an emergency threat. We
recognize that there is a better way to do that and would ask
you to establish legislation that can make that happen. Thank
you very much.
[The prepared statement of Mr. Sergel follows:]
Mr. Boucher. Thank you very much, Mr. Sergel. Ms. Kelly.
STATEMENT OF SUSAN N. KELLY, VICE PRESIDENT, POLICY ANALYSIS,
AND GENERAL COUNSEL, AMERICAN PUBLIC POWER ASSOCIATION
Ms. Kelly. Thank you. I am Susan Kelly. I am the Vice
President of Policy Analysis and the General Counsel of APPA.
And I have with me Alan Mosher, who is our Senior Director of
reliability. We represent the interests of more than 2,000
publicly-owned electric systems in 49 States, and we serve 45
million Americans.
Those of you who know our industry know it is rare for our
trade associations to speak with one voice on a federal energy
policy issue, for legitimate reasons. We generally have very
different views. But on the issue of protecting the bulk power
system from cybersecurity emergencies, we have come together.
APPA, the Canadian Electricity Association, the Edison Electric
Institute, the Electric Consumers Resource Council, the
Electric Power Supply Association, the Large Public Power
Council, the National Association of Regulatory Utility
Commissioners, the National Rural Electric Cooperative
Association, and the Transmission Access Policy Study Group all
support carefully crafted specific legislation as the basis to
deal with the discrete issue of cyber system emergencies.
We understand the seriousness of the issue and the need to
deal with it, but at the same time, we think that legislation
needs to be carefully crafted and narrowly drawn.
The subcommittee has asked me to address several issues
regarding the House discussion draft. The full answers are in
my written testimony, and I will just hit the highlights here.
The associations support the House discussion draft with the
specific language options that the associations have proposed.
As so modified, we think it provides the commission with
sufficient authority to deal with cyber system security
emergencies.
The draft would fill a narrow gap in the mandatory
reliability standards regime that has been set up under section
215. Under that section, FERC has certified NERC as the ERO.
With the help of hundreds of industry volunteers, NERC develops
and enforces mandatory reliability standards for the bulk power
system to keep our lights on. FERC oversees NERC's activities
in the United States.
But NERC's standards also apply to utilities in Canada and
northern Mexico. This industry-based framework is working to
assure the reliable planning and operation of the bulk power
system.
Cybersecurity emergencies present a special case for three
different reasons. First, they require protection against
deliberate, malicious attacks intended to disrupt bulk power
system operations. Second, new and unforeseen threats can arise
very quickly, leaving little time to react. Third, there is a
need for confidentiality, at least until the initial measures
are in place. For these reasons, the association supports
specific legislation to deal with such emergencies, but it must
not undermine the section 215 framework. That framework needs
to be able to continue to develop and mature.
The House discussion draft dovetails with section 215. It
is limited to the users, owners, and operators of the bulk
power system. As NERC has applied that term in practice with
FERC's approval, retail customers, local distribution
facilities, small generators, and small utilities are generally
excluded from the scheme. Any new cybersecurity legislation
should apply to the same universe of facilities and entities.
To do otherwise would raise jurisdictional and implementation
issues that could greatly complicate consideration of this
legislation.
State regulatory commissions regulate local distribution
facilities. The state's authority to regulate the reliability
of local distribution networks and service should be preserved.
I was specifically asked to discuss the remaining
differences between the associations and FERC on the House
discussion draft. The associations negotiated at length with
FERC staff regarding this draft. We reached closure on many
issues. We thank the FERC staff for the constructive and
positive attitude it displayed throughout the negotiations. We
were unable to reach closure on three issues, but that should
not undermine the very substantial progress that we did make.
The three areas are, first, the definition of a
cybersecurity threat, as you have already heard. The
associations and FERC agreed on most elements of that
definition, but we think our proposed language limits the
legislation to true cybersecurity emergencies, meaning threats
that have a substantial likelihood of happening and that could
substantially disrupt operations if they do happen. FERC's
proposed definition is broader.
The second issue is the inclusion of national security
threats. FERC wants to expand the legislation to include
``other national security threats'' as well as cybersecurity
threats. Our associations believe that other government
entities, both State and Federal, have more direct
responsibility in the general area of national security.
Moreover, this additional authority is quite vague in its
wording and potentially all-encompassing in nature. We think
including this language would spark an intense discussion that
could slow the legislation down.
Third, the sunset of interim measures that FERC enacts. We
negotiated at length with FERC on the sunset provisions, and we
reached closure on all issues except one. And that has to do
with whether the sunset after 1 year unless there is an
indication from DOE or the President that it should continue,
should apply to both the interim measures under subsection B
and the emergency measures under subsection C. Subsection B
deals with Aurora. Subsection C deals with what happens
thereafter on a going forward basis. We think those measures
and orders should be either time limited by their natures or
replaced by NERC reliability standards because in the long run,
we think the standards should deal with this. FERC doesn't
agree with this position.
We couldn't reach closure, but we do think that we made a
lot of progress on legislation. As this process moves forward,
we strongly urge Congress to retain the carefully crafted
language that the associations support. We thank you very much,
and we stand ready to answer questions.
[The prepared statement of Ms. Kelly follows:]
Mr. Boucher. Thank you very much, Ms. Kelly. Mr. Naumann.
STATEMENT OF STEVEN T. NAUMANN, VICE PRESIDENT, WHOLESALE
MARKET DEVELOPMENT, GOVERNMENT AND ENVIRONMENTAL AFFAIRS AND
PUBLIC POLICY, EXELON CORPORATION
Mr. Naumann. Thank you, Mr. Chairman, members of the
subcommittee. My name is Steven Naumann. I am Vice President
for Wholesale Market Development for Exelon Corporation. I
serve as Vice Chairman of the Members Representative Committee
of NERC. I am also accompanied by Mr. Dan Hill, Exelon Senior
Vice President and Chief Information Officer. I appreciate the
opportunity to testify about protecting the electric grid from
cybersecurity threats.
I am appearing today on behalf of the Edison Electric
Institute and the Electric Power Supply Association, and Exelon
is a member of both these groups. My testimony focuses
primarily on the nature of cybersecurity threats to the bulk
power electric system and the efforts of electric utilities to
respond to those threats, but it will also touch on proposed
legislation before the subcommittee.
I want to start, however, by assuring the subcommittee that
Exelon and other electric utilities take cybersecurity very
seriously. Electric utilities routinely monitor for and detect
electronic probing of their systems from a variety of sources,
confirming the likelihood of real cybersecurity threats.
However, utilities and other private sector entities are at a
disadvantage in assessing the degree and the urgency of
possible or perceived cyber threats because of their limited
access to intelligence possessed only by the government.
Many cybersecurity issues are already being addressed under
current law. Critical infrastructure protection standards have
been implemented under section 215 of the Federal Power Act,
which provide for mandatory and enforceable reliability rules.
However, the current reliability regime has limitations in
its ability to be responsive to emergencies requiring
immediate, focused, and confidential actions. Therefore it is
appropriate for Congress to provide FERC with explicit
authority to address cybersecurity in certain emergency
situations.
Any new FERC authority should be complementary to the
existing authorities under section 215 of the Federal Power
Act, which rely on the industry expertise as the foundation for
developing reliability standards. Legislation should clarify
the respective roles, responsibilities, and procedures of the
Federal government and of industry; be narrowly tailored to
deal with real emergencies; and promote consultation with
industry stakeholders and owner-operators of the bulk power
system on remediation measures.
The scope of damages that could result from a cybersecurity
threat depends on the details of any particular incident, but a
carefully planned cyber attack could have potentially serious
consequences. In mitigating a particular cybersecurity
vulnerability, electric utilities must also consider the
potential consequences caused by any mitigation measure on safe
and reliable utility operations.
For these reasons, for ensuring the cybersecurity of the
bulk power system, the best framework is one that utilizes the
respective strengths of both the government and the electric
companies. It is critically important that as much as possible,
any cybersecurity framework provide for ongoing consultation
and sharing of information between government agencies and
utilities to the extent possible.
In conclusion, I want to reassure the subcommittee that
owners, operators, and users of the bulk power system take
cybersecurity very seriously. We are actively engaged in
addressing threats as they arise, and in employing specific
strategies that make every reasonable effort to protect our
cyber infrastructures and mitigate the risks of cyber threats.
As the industry relies increasingly on electronic and
computerized devices and connections and the nature of cyber
threats continually evolves and becomes more complex,
cybersecurity will remain a constant challenge. But we believe
we are up to the task of building on the industry's historical
and deep-rooted commitment to maintaining system reliability.
I appreciate the opportunity to appear today and would be
happy to answer any questions. Thank you.
[The prepared statement of Mr. Naumann follows:]
Mr. Boucher. Thank you very much, Mr. Naumann. Mr. Lawson.
STATEMENT OF BARRY R. LAWSON, MANAGER, POWER DELIVERY, NATIONAL
RURAL ELECTRIC COOPERATIVE ASSOCIATION
Mr. Lawson. Chairman Boucher, Ranking Member Upton, and
members of the subcommittee, thank you for the opportunity to
testify today on cybersecurity issues and their potential
impacts on the bulk power system. My name is Barry Lawson, and
I am the manager of power delivery for the National Rural
Electric Cooperative Association. NRECA is a trade association
consisting of nearly 1,000 cooperatives, providing electricity
to 41 million consumers in 47 States.
One of my primary areas of responsibility at NRECA is
reliability, including cybersecurity. NRECA and its members
understand the importance of cybersecurity. To arrive at the
draft bill before you today, NRECA has worked closely with its
industry counterparts and with FERC and NERC.
NRECA commends FERC under Chairman Kelliher's leadership
for its proactive outreach on the topics we are discussing
today. Provisions in this draft bill can provide swift,
effective emergency protection to the bulk power system in
those limited circumstances when NERC cannot. NRECA supports
the House discussion draft with the specific language options
proposed by the associations.
NRECA has been actively engaged with NERC from its origin
over 35 years ago, to its transition into the industry ERO and
as it issues reliability standards, including the cybersecurity
standards FERC approved earlier this year.
In January 2008, I began a 2-year chairmanship of the NERC
critical infrastructure protection committee. The CIPC is a
NERC standing committee that advises the NERC board of trustees
on issues related to critical infrastructure protection
including cybersecurity. My position on the CIPC requires me to
interact with NERC, DOE, and DHS staff on an ongoing basis and
contributes to the viewpoints I will share with you today.
As both a participant in NERC and an interested observer of
its role as the ERO, NRECA believes that the self-regulatory
model is the best means of maintaining a strong, reliable bulk
power system. The model recognizes that the electric industry
addresses events and threats every day, including those posed
by natural disasters, vandalism, and equipment failures.
Last fall, many Members of Congress and the public were
introduced to cybersecurity when news outlets ran a story and
video showing a small electric generator that was damaged
during a test. The news report said a government lab had
demonstrated that computer hackers could cause physical damage
to equipment through cyber means. The government labeled this
vulnerability Aurora.
Today, almost no one outside the intelligence community has
been able to examine the technical and engineering details of
the Aurora vulnerability. Key information about the
vulnerability is still classified.
Members of the NERC CIPC first received limited,
unclassified information about the Aurora vulnerability from
DHS in March of 2007. We were strictly prohibited from sharing
this information, meaning I could not inform member
cooperatives.
In June 2007, DHS placed limited information and mitigation
measures into a document that NERC utilized as an industry
advisory. Although these measures did not reveal specifics
about the vulnerability, cooperatives and other utilities that
own or operate bulk power system facilities used their
collective expertise to implement the measures on their
individual systems.
Aurora demonstrated the need for utilities to receive more
timely and detailed information from intelligence sources about
threats and vulnerabilities and their engineering, cyber, and
mechanical implications.
Under the existing rules and procedures created by NERC and
approved by FERC, NERC can deal with a wide range of cyber
threats. NERC's standards development process can sometimes be
lengthy to accommodate the highly technical nature of the
subject matter. But it can also be shortened when expediency
demands.
NERC has two special procedures for developing standards
more quickly. The urgent action process was developed to
approve standards within a few months, and the emergency action
process was developed to approve standards within a few weeks.
Both processes should be used whenever needed for the expedient
development of reliability standards, including those related
to cybersecurity.
As Mr. Sergel explained to you, NERC recently wrote its
board of trustees and industry stakeholders to explain changes
and improvements it plans regarding its focus on cybersecurity.
This NERC initiative is critically important to the reliability
of the bulk power system, and we support these efforts.
NRECA is working closely with its counterparts across the
industry and agrees there is potential for some cyber threats
and vulnerabilities so imminent and substantial that even
revised and strengthened NERC procedures cannot assure the
timely distribution of information and direction to industry to
effectuate an adequate industry response to protect the bulk
power system.
In those limited circumstances when the President of the
United States has determined emergency action is warranted,
FERC should be able, after consulting industry and government
authorities in Canada and Mexico, to issue orders addressing
the emergency.
In conclusion, NRECA supports the House discussion draft
with the specific language options proposed by the
associations. Like our industry counterparts, NRECA is prepared
to assist the subcommittee and full committee with advancing
this legislation. NRECA also looks forward to continued
cooperation with FERC.
I am happy to answer any questions you have.
[The prepared statement of Mr. Lawson follows:]
Mr. Boucher. Thank you very much, Mr. Lawson, and we thank
each of the witnesses for their testimony here today. Mr.
Naumann, maybe you can answer the question about cost of
implementation. Using the NERC advisory as the standard,
realizing that Mr. Kelliher is suggesting that it probably
didn't go far enough and that he thinks to completely address
the Aurora vulnerability that steps beyond that should be
taken.
But leaving that aside, just use the NERC advisory as the
foundation. What would it cost a typical investor-owned utility
to comply with that NERC advisory?
Mr. Naumann. Mr. Chairman, could I have one second to
consult with Mr. Hill who probably can get me that answer?
Mr. Boucher. In the interest of getting the information, of
course.
Mr. Naumann. Thank you, Mr. Chairman. Mr. Chairman, to
comply with the Aurora vulnerability as we were told, and we
believe we are fully compliant, was a relatively minor cost
across the entire Exelon Company, and that included the nuclear
stations, which technically were not part of the advisory.
Having said that, we understand from listening to Chairman
Kelliher that they believe that there are additional
vulnerabilities too that were not covered by the advisory and
that we don't really know about. It would be very hard to
estimate the cost without knowing what the vulnerability is,
nor what the recommended mitigation is and----
Mr. Boucher. Which is why I phrased the question only in
terms of the NERC advisory.
Mr. Naumann. Yes, sir.
Mr. Boucher. Well, I am pleased by your answer that it is a
relatively minor cost. Is there a dollar figure attached to
that relatively minor estimate?
Mr. Naumann. We don't have it now. If you want, we can try
to obtain that.
Mr. Boucher. It would be helpful. If you could just send us
a letter addressed to the subcommittee following this hearing
that states what you think the dollar cost to Exelon would have
been across your company to meet the recommended security
measures contained in the NERC advisory. That would be very
helpful to us.
Let me extend that question to others on the panel who
might want to respond on behalf of their associations. Ms.
Kelly, Mr. Lawson, do you have any answer to what the cost per
covered entity would be?
Ms. Kelly. I do not have any such answer for you at this
time. We could obviously provide that for the record.
Mr. Boucher. It would be helpful if you could. Mr. Lawson.
Ms. Kelly. And we will look to primarily the three
utilities that came in and met, from our membership, with FERC
to discuss the vulnerability and what they had done. But I
would like to state, and I think Mr. Lawson may be able to
elaborate, that there really is a question even as to the NERC
advisory as to what constituted compliance and it was not
necessarily as clear as it might have been. And so, there was
certain--we weren't sure what bar we were being asked to meet.
And I think that was a concern.
Mr. Boucher. Well, I am trying to get as broad an estimate
as possible. We are in the posture now of statutory drafting
where we are going to be making some decisions in the very near
term about how we empower FERC to move forward with its
rulemaking on this subject.
Now, a key part of those considerations will be timeframes
under which we expect that actions will be taken, actions taken
by the FERC, yet advancing its rulemaking process to
conclusion. And then actions that would be taken by the covered
entities to comply with the rules that FERC puts forward. We
may or may not have specifications within the statute that
address the latter part of that. But having some understanding
of cost and to the extent that you would want to comment on it,
other kinds of implementation challenges that you might foresee
would assist us in that.
Now, as Mr. Naumann pointed out, I fully realize that
making definitive decisions about this is difficult at this
stage because we really don't know what FERC would choose to do
beyond the NERC advisory in terms of steps that would be
required for covered entities. So probably our decision will be
to simply empower FERC to set the timeframes for compliance by
the covered entities.
It would be difficult for us to establish that statutorily,
but there may be those on our panel who want to do that. So
having some information about what the cost to you would be,
what other implementation issues you see, just using the NERC
advisory itself as a foundation would be helpful to us.
Mr. Lawson, would you have any comment about this?
Mr. Lawson. Similar to Susan Kelly's comments in that we
don't have cost info from the individual cooperatives. I think
the best we could do would be to talk to the cooperatives that
did meet with FERC on the Aurora advisory and see if they have
that kind of information that they can provide us.
It is important to understand that cost can vary depending
on the scope of the assets at each utility. It is going to be
very difficult to have a typical cost. And also what I would be
asking the cooperatives would be their cost associated with the
language specifically in the NERC advisory.
Mr. Boucher. OK, that would be fine. Let me move to one
other question, and again I will ask you as I have asked Mr.
Kelliher to be somewhat brief in this answer. I would be
interested in your views, succinctly spoken, on three
questions. Number one, do you believe that the authority that
we will be conferring on the FERC to guard against
cybersecurity attacks should go beyond the cybersecurity and
actually cover physical attacks that might be made on the
covered facilities? That is number one.
Number two, address, if you will, the question of sunsets
on FERC actions, FERC orders. In the first category would be
the basic steps that all covered entities would have to take in
order to address the Aurora vulnerability specifically. I can
tell you my own view is that ought to be permanent in nature.
But if you disagree with that, I would like to hear a reason
why.
And the second category is steps that would have to be
taken by the covered entities under FERC order pursuant to a
presidentially declared unique emergency. Should there be a
sunset on those orders? And if so, what should be the
conditions that trigger the sunset?
And then number three, what should be the basic scope of
the authority that we extend to FERC with regard to the covered
entities themselves? Should it just be the continental United
States bulk power system? Or should it extend to Alaska and
Hawaii and their separate electrical systems? And should it
extend to the distribution systems in our larger cities? And I
know, Ms. Kelly, you addressed that at some length in your
testimony, but I would like to hear what other witnesses have
to say.
So in view of the fact that Mr. Shimkus is eagerly awaiting
his question time, let me ask you to be as succinct as you can
in providing that answer. And who would like to begin? Mr.
Sergel?
Mr. Sergel. Address a couple of those for you. Our role
here is to make sure that we can seamlessly and effectively
implement whatever legislation you pass and do that and further
the good work that was established when you enacted section 215
and created an ERO. So that is where I come from.
I think with respect to how broad is the authority, the
highest priority is the bulk power system. That doesn't mean
there aren't important things in the distribution system. There
are, and let me be clear to the extent that the bill doesn't
cover that, that will leave open something. That will make me
uncomfortable that that is uncovered, but the higher priority
is the bulk power system.
Hawaii and Alaska are special considerations, and maybe
that is independent of distribution. And potentially you could
look at it that way because that is even a greater concern.
With respect to the sunset provisions, we are going to be
able to implement that successfully regardless of what those
provisions are. With respect to the authority and how it is
granted, we will seek to implement it effectively as written.
But the clearer that authority is, and the better that that is
laid out, certainly we will be able to implement it better.
And finally I would say with respect to--and I think the
language in the draft that I looked at was ``and other national
security threats.'' Again with respect to that, clearly
cybersecurity is the highest priority here. It is the simple
one that is most important. It is what we have been focusing
on. It is not to minimize other national security here in this
context, but we understand those better. We have other ways of
doing those things. It is not the highest priority for me.
Mr. Boucher. Thank you, Mr. Sergel. Ms. Kelly.
Ms. Kelly. Thank you. Your first question had to do with
the physical attacks, and I will start there. The association
position is no, that they should not be covered in this
legislation and in part for the reason that Mr. Sergel just
stated is that there are other governmental authorities and
entities. And I would just note the FBI, the Department of
Energy, state and local law enforcement that are all involved
in those activities. And we already have to answer to a
substantial number of masters in that regard.
Second, the sunset question you asked. The association
position is that that should apply to both the interim
authorities that are exercised under B, and the emergency
authorities under C. Our reasoning for that was that--I am
sorry?
Mr. Boucher. Go ahead.
Ms. Kelly. OK, our reasoning behind that was that we
regarded this as stopgap emergency authority for events that
would either be time limited and thus would expire by their own
terms or should be replaced by NERC set reliability standards.
For that reason, we wanted the sunset to apply in both cases.
We negotiated with the FERC over that. They did not like the
so-called hard sunset. We reached, you know, OK, well, we
understand that position. And for that reason, we agreed that
it could continue past the year so long as there was a
determination that a problem was still existing. Our thought
was in most cases that NERC reliability standards should be in
place by the end of that year, and therefore it would be a moot
question.
But we understand that there is a difference of opinion,
and that is legitimate.
Mr. Boucher. Well, with regard to these interim standards
that are designed to address the Aurora vulnerability, the
Aurora vulnerability is not going to go away as a security
threat. And steps will need to be taken therefore on an ongoing
basis to address that threat. And I gather from your testimony
that you are suggesting that the FERC should not be the
perpetual agency to impose the requirements for what those
steps ought to be.
And I gather from what you are saying that you think that
the NERC, through its consensus-based rulemaking process,
should take a hand off of that authority after some period of
time. Have I correctly interpreted your comments?
Ms. Kelly. I think that is, yes, that is correct. Our view
is that we understand the need for FERC to step in to act
quickly, but we believe that that needs to then be run through
the NERC standard setting process. In part, one of the reasons
is, we in the industry, we think we actually have some
expertise to offer on the best way to implement these
standards.
And we are also concerned about cost. Let me just say that.
And we want to make sure that these standards, you know,
especially if they are going to be in effect for a long time,
are done in the most cost effective manner possible. And that
is one of the things that the industry can bring to bear. Its
expertise can come to bear during the NERC standard setting
process. So we are not kicking about FERC getting this
authority under B to, you know, act to do this rulemaking on an
expedited basis, but we are saying it should then be handed off
to NERC.
Mr. Boucher. All right, thank you. That is very clear. Mr.
Naumann?
Mr. Naumann. Yes, Mr. Chairman, on your first question, the
draft now has the words ``other national security threats.'' We
believe that is an extremely vague term and are uncomfortable
with that. You also mentioned, rather than that, physical
threats. I agree with Mr. Sergel and Ms. Kelly, that is a lower
priority, but if, in fact, there is going to be some additional
authority beyond cyber, it should be very much tighter language
than overall other national security threats, which could be
interpreted as having 90-day stockpile of coal or something
like that, which we think goes way beyond what----
Mr. Boucher. All right, that point is duly noted.
Mr. Naumann [continuing]. Immediate intent. And as far as
the sunset, I agree with Ms. Kelly. To the extent there are
interim measures for Aurora, to the extent they can be and
should be replaced by permanent standards done through industry
expertise, that would be our preference. And with respect to
the emergency action, again I would prefer that if the
requirements still remain, then the President should reissue
the directive.
As far as the authority on Alaska and Hawaii, we understand
that is a special situation. There are very important military
installations there that somehow would need to be taken care
of, but they are really not part of the scheme that we are
dealing with.
Mr. Boucher. Major distribution systems in the cities?
Mr. Naumann. That is correct. Major distribution system in
the city gets very complicated. We would hope that that could
be done rather through consultation with the state regulatory
agencies who very well understand those systems, which New York
is somewhat unique. D.C. is somewhat unique. Chicago is
completely different from those systems and served differently.
And where do you get the cutoff on the distribution if you
don't go all the way? Thank you, Mr. Chairman.
Mr. Boucher. All right, thank you. Mr. Lawson?
Mr. Lawson. I agree with the comments you have heard from
the other panelists. In addition, with regard to going beyond
cybersecurity in the legislation, to reiterate what Mr. Naumann
stated about the vagueness and broadness of the definition that
we were provided, that was problematic, and we would very much
want that tightened up before we could agree to anything.
Also it is very important to recognize that the industry
has been dealing with physical threats for decades and has done
an excellent job dealing with physical threats. Cyber threats
are the new issues here. That is where the new focus should be,
and that is why this legislation should focus on the cyber
threats. The industry is doing a very good job with dealing
with the physical threats and has for a long, long time.
With regard to the sunsets, if an order or a directive
needs to continue, there are provisions in the legislation for
that, for a certain period of time. However, other than the
order or directive, we want the industry, through NERC's
standards development process, to take care of those issues
with standards. And as I mentioned in my oral statement about
the expedited standards development processes that NERC does
have, we think that would be an excellent vehicle for
addressing some of those issues. With regard to the scope going
to the distribution side of things or Alaska and Hawaii, with
regard to distribution, of course, the states and local
authorities have many regulatory authorities in those areas.
It is also important to realize that the bulk power system
is where you can have the larger impacts. The distribution
system is local, and it is broken up into many small pieces.
And those impacts are often shorter in timeframe and much more
limited in the numbers of meters that are not in service
because of an incident.
So we think those are reasons why this legislation should
focus on the bulk power system.
Mr. Boucher. Mr. Lawson, thank you very much. I would like
to, at this time, call on the gentleman from Illinois, Mr.
Shimkus, for 5 minutes.
Mr. Shimkus. Thank you, Mr. Chairman. Mr. Naumann, please
explain how your company has prepared itself for the tested
and--I am sorry--and tested its response to cybersecurity
threats.
Mr. Naumann. Thank you, Congressman. In my testimony, I
referenced defense in depth, and that includes--and I guess I
am going to use a number of technical words that we do. We
segregate the networks that we have. We have a program of patch
management, much like in a way to say you get updates on your
Microsoft software occasionally when there is a vulnerability
found. We do this on a very routine basis, sometimes on an
emergency basis.
We have intrusion detection sensors that we maintain on our
network systems. We have security event monitoring,
vulnerability testing. One of the things I mentioned in my
testimony is we hire outside firms to do penetration testing.
In other words, they act as the red team to try to break into
our system, and we then learn from what they tell us.
We deal all the time with security vendors, with the FBI,
with local law enforcement. And lastly, we have encrypted our
data even to the point of, for example, the laptop that I carry
with me. The data is encrypted so that if it is stolen, the
data is worthless to somebody.
Those are some of the measures that we take, Mr.--
Mr. Shimkus. This is a real pressing issue, and I know,
based upon the Aurora event and others, I follow the captive
nations, the former captive nations of the eastern bloc
countries. Russia conducted a cyber attack against Estonia, I
guess, a year and a half ago. The prelude into the intervention
into Georgia was a cyber attack there. I mean so this is real
stuff, and that is why it is important. And I appreciate the
chairman identifying it as so.
For you again, Mr. Naumann. What resources and/or
information would make your efforts to defend against
cybersecurity threats more effective?
Mr. Naumann. Congressman, probably the most important thing
is access to information. As I said, we are actively engaged in
protecting our system against those threats that we know and
those threats that we can try to figure out.
We understand for good security purposes, there is
information that we don't have access to, and there needs to be
a way that the industry can work with the government and the
government can work with the industry so that we can have
access to that information so that we understand what the
vulnerabilities are and so that we can agree on mitigation
measures to do that. Without that, we feel like we are fighting
this battle with one hand tied behind our backs.
Mr. Shimkus. Yes, let me ask about the emergency and
interim authority issues and with our border friends, the
Canadians and Mexico. And what do we think their response would
be? And is there some optimism? And this is for the panel as a
whole, so why don't we just start from left to right. My left,
your right.
Mr. Sergel. We work very effectively with our partners in
Canada and to a lesser extent with Mexico as well. NERC has a
relationship with each of the eight provinces as they have
decentralized responsibility for this in Canada, and those
relationships are different.
I think the single most important thing to keep that
relationship positive as it is today is to separate the
standard setting process, which is what we do through section
215 as enabled by you in the United States, to keep that
separated from the emergency measures that one would take
because of an imminent threat. As long as we keep those
separate, then I think we will be successful.
So we support the bill, support a bill here to take
emergency action. Lots of discussion of that this morning.
There needs to be a handoff of that to the standards process.
If we do that, then we will work very effectively with our
neighbors.
Ms. Kelly. I would just like to note that the Canadian
Electricity Association submitted a statement for the record,
which I would recommend for your review. I would note also that
I was somewhat disturbed by Mr. Kolevar's discussion about
giving FERC interim standards writing authority. That is the
first that we have heard of that. It goes exactly to the issue
that Mr. Sergel just identified, which is the way the 215
scheme is set up is that industry and NERC together write the
standards. That is not a government activity.
So that, I think, in particular would alarm the Canadians
because they have to be--they have to abide by NERC's
standards. So in effect, what is happening there is they are
being asked to abide by standards written by a Federal
Government U.S. agency. And that is a problem, I believe. I
will let them speak for themselves, but just based upon what I
know during our negotiations, I think that would be a concern.
Mr. Shimkus. And you all can chime in if you want, but it
is probably not a concern that you all would have. So what are
our vulnerabilities? Is our grid adequately protected by
firewalls and passwords? Will a one-time cyber reliability rule
solve the problem? Or will we have to constantly change and
upgrade to keep up with the changing threats? Then, this is a
one over the world question. Won't government authority to
constantly change protections and systems risk express an
unpredictable cost on system operators?
Well, it is really for all because the question is, as we
firewall and protect, bad guys evolve, which is for you. But
then the question is for industry or for the rural, at what
cost? How do we manage both, and we try to get it as right as
we can?
Mr. Sergel. I think standards can take you just so far
because there is an opportunity to harden the system, to defend
against those things which we understand like passwords and
firewalls and have those be as effective as possible. We have
done that with the standards in the past. They were developed
cooperatively with the industry, and that process needs to
evolve.
But I think it also suggests that a standard is out there
to be seen. Everyone knows what we are doing, how we are
proposing to implement it, and therefore, it is suggested that
we have to be constantly vigilant and adapt as new problems
arise.
Mr. Shimkus. Thank you. Ms. Kelly.
Ms. Kelly. I would just add to that that we are concerned
on an ongoing basis about the cost of compliance. There is no
question about that. That was one of the reasons why our
definition of cybersecurity threat is a little tighter than
that that the commission supports because, for example, we
would not want to be spending unknown amounts of time on new
hardware, new software, new hardening, that kind of thing, for
something which may not have a substantial possibility of
disrupting the operation of the bulk power system.
And since theirs is phrased in the disjunctive, I believe
that could possibly be the case. So I just note that for you.
Mr. Shimkus. OK, thank you. Mr. Naumann.
Mr. Naumann. Congressman, I have two things to add. The
first is we are always on our own trying to protect against new
threats and upgrading our equipment. And, as Mr. Sergel said, a
standard can only take you so far when something new is
discovered.
Mr. Shimkus. And plus you have the risk of great loss.
Mr. Naumann. We have our self-interest here.
Mr. Shimkus. Right.
Mr. Naumann. But what I would say is that that is where the
consultation between the government agencies and the users,
owners, and operators is useful in both working out the
mitigation and dealing with the cost effectiveness as we do
have experience in how to do this and we will do it. Obviously
we don't want an incident, but to work together to try to
design the best way to do this and protect the electric power
system.
Mr. Shimkus. And Mr. Lawson.
Mr. Lawson. Just to add, I think it is important to
understand that utilities deal with cyber issues every day
because it is important to their business, and it is important
to the service they are providing to their customers. It is not
something that we deal with only because we have cybersecurity
standards. It is because it is the right thing to do. It is the
important thing to do.
Mr. Shimkus. That is all I have, Mr. Chairman. Thank you.
Mr. Boucher. Thank you very much, Mr. Shimkus. I am going
to ask unanimous consent--Mr. Shimkus and Mr. Upton have
already approved this--that we insert a----
Mr. Shimkus. You don't want me messing with you, right?
Mr. Boucher. Well, yes, that was the implication of the
question. These are statements from the National Association of
Regulatory Utility Commissioners, the Electric Consumers
Resource Council, and the Canadian Electricity Association, all
addressing the issue before the subcommittee today, to be
included in the record. Without objection, so ordered.
[The information appears at the conclusion of the hearing.]
Mr. Boucher. That was perfect. Thank you so much.
I want to thank our witnesses for their attendance today,
for their very helpful testimony. We appreciate the time you
have taken with us. We will look forward to your submission of
the information that you have said you will supply to us.
And as we take further steps in this process, we will be
consulting with you. With that and thanks to the witnesses,
this hearing is adjourned.
[Whereupon, at 1:27 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. John D. Dingell
Today's hearing focuses on how to help ensure the
reliability of our Nation's electricity grid in the face of its
vulnerabilities to cybersecurity attacks.
A successful remote cyber attack on a power plant's utility
control systems could do more than cause a brief blackout or
brownout. The Idaho National Laboratory has shown how a
hacker can remotely turn a large generator into a smoldering
piece of scrap metal in minutes. Known as the ``Aurora''
Vulnerability, this type of attack could destroy generating
equipment and impair the generation and delivery of electricity
across North America for weeks or months, its consequences
cascading on consumers, our economy, our health care system,
and our national defense assets.
These concerns are more than theoretical. A 2005 Federal
Energy Regulatory Commission staff report identified 20
separate domestic and foreign instances of cyber attacks on
electricity systems including hydroelectric dams and nuclear
power plants. The Defense Science Board reports that U.S. grid
control systems are continuously probed electronically, and
``there have been numerous attempted attacks on the Supervisory
Control and Data Acquisition (SCADA) systems that operate the
grid.''
We have been fortunate that the United States has not
experienced a major power outage from a cyber attack. However,
the CIA has identified cyber attacks on the electrical systems
in major cities overseas which caused significant blackouts.
CIA has reported that criminal enterprises have broken into
utility control systems overseas as part of extortion schemes.
Since many of these same control systems used in the United
States are also used in plants around the world, the knowledge
about how these systems work is globalized.
In response to Department of Homeland Security's warnings
about the Aurora vulnerability, the North American Electric
Reliability Corporation (NERC) issued an advisory in June 2007
which outlined immediate and longer term mitigation measures
for utilities. Compliance, however, was voluntary.
A FERC audit of 30 utilities found that only two or three
had adequately mitigated the Aurora vulnerability and the vast
majority had not complied with NERC's advisory. For some of the
Nation's largest utilities, there has been woeful inaction some
15 months later.
As the Electricity Reliability Organization designated
under section 215 of the Energy Policy Act of 2005, NERC is
developing consensus cyber protection standards. However, this
process is not responsive to the immediacy of the vulnerability
or the threat. Both the Department of Energy and FERC have
urged that Congress extend Federal authority to take emergency
actions to protect the grid.
I commend Chairman Boucher for holding this hearing, and
tackling the job of building a bipartisan consensus on
legislation which will ensure that the Federal Government has
the necessary powers to intervene when there are emergencies
that threaten our Nation's electricity supply.
I welcome Representative Jim Langevin, Chairman of the
Homeland Security Committee's Subcommittee on Emerging Threats,
Cybersecurity and Science and Technology, and commend him for
his leadership and cooperation in working with this Committee
on cyber vulnerabilities in the utility grid.
I also welcome our panel of witnesses. I hope they can
inform us on whether emergency powers should extend beyond the
Bulk Power System to utility systems in Alaska, Hawaii, or
Guam, and to what extent these powers should also be able to
reach critical distribution systems in places like the District
of Columbia or New York City. We want to be sure that
legislation addresses threats to the electrical system, and
that the Federal Government is not improperly hobbled by legal
and jurisdictional boundaries in the case of an emergency.
----------
Richard P. Sergel, Responses to Questions from Hon. John D. Dingell
Question No. 1: The Federal Energy Regulatory Commission
(FERC) testified that 23 of 30 utilities that it audited had
not complied with the June 2007 North American Electric
Reliability Corporation (NERC) Advisory on the Aurora
Vulnerability. To what factors do you attribute this level of
compliance?
Response: NERC has not, at this time, been given access to
the results of FERC's evaluation of industry efforts to comply
with the mitigation measures set out in NERC's June 2007
Advisory, beyond what was discussed publicly at the September
11 hearing. Therefore, NERC is not in a position to analyze
those results. Based on discussions with industry
representatives, NERC believes that one important factor
affecting the ability of the industry to implement mitigation
measures is that industry recipients require more detailed and
comprehensive engineering data on specific vulnerabilities than
could be provided in NERC's Aurora Advisory. Efforts are
underway to close this gap while managing the risk of
disclosing a ``road map'' to potential adversaries.
Question No. 2: Do you believe FERC's audit results are
representative of the extent of compliance by most utilities
with the NERC Advisory?
Response: As stated in the response to question number one,
NERC has not, at this time, been given access to specific
responses made by utilities during the FERC interview process,
nor are we aware of the criteria used to determine the adequacy
of implemented mitigation measures. In his testimony, Chairman
Kelliher described a detailed interview process by FERC staff
with a sampling of geographically dispersed utilities of
different sizes across the contiguous 48 states. We have no
reason to believe that the results of that process are not
likely to be representative of the extent of compliance by most
utilities with the Aurora mitigation measures.
Question No. 3: FERC indicated that some utilities which
had complied with the NERC Advisory were still vulnerable to
Aurora. Please explain whether the NERC Advisory was inadequate
to fully guide utilities in mitigating the Aurora
Vulnerability. Please explain whether NERC has modified its
advisory to address any deficiencies.
Response: The Aurora mitigation measures included in NERC's
Advisory were assembled through a process that included
researchers involved in the government's vulnerability
demonstration project and industry subject matter experts.
Clear challenges were presented in the need to utilize only
information approved for distribution and the identification of
measures that could be applied to a variety of different cases
and unique settings. Industry recipients generally report that
they require more detailed and comprehensive engineering data
on specific vulnerabilities than was provided in NERC's Aurora
Advisory in order to fully address a vulnerability. NERC has
not, at this time, received additional information from the
Federal government regarding the properties of the
vulnerability or on any threat intent on exploiting the
vulnerability. Consequently, NERC is not, at this time, in a
position to modify the Advisory.
Question No. 4: Who should have authority to implement
emergency requirements: the Department of Energy or FERC?
Response: As I testified at the September 11 hearing, NERC
supports legislation granting the U.S. federal government
authority to act immediately in the event of an imminent cyber
security threat. NERC has a strong working relationship with
both the Department of Energy and the FERC. Under the Energy
Policy Act of 2005, FERC certified NERC as the Electric
Reliability Organization to develop and enforce mandatory
reliability standards to protect and improve the reliability of
the bulk power system. NERC works closely with FERC in
implementing the statutory mandate. NERC also works closely
with the Department of Energy, as the Sector Specific Agency
for Energy, in the execution of NERC's responsibilities as the
Electricity Sector Information Sharing and Analysis Center
(ES-ISAC). NERC was designated as the electricity sector
coordinator for critical infrastructure protection and has
served in that role for several years. The agency assigned
responsibility for acting in emergency situations should
consult with NERC and industry experts to the maximum extent
feasible in carrying out any emergency authority.
Question No. 5: How effective have Canadian utilities been
in complying with the NERC Advisory on the Aurora
Vulnerability? Has there been a governmental audit of
compliance in Canada similar to that conducted by FERC on the
Aurora Vulnerability?
Response: Canadian entities participate in NERC committees
including the Critical Infrastructure Protection Committee
(CIPC), and also receive information from the ES-ISAC. When the
Advisory was sent to NERC-registered Canadian entities the
Canadian Electricity Association (CEA) requested and was
granted permission to post the Advisory and the attached
questionnaire on CEA's secure Intranet for CIP with a request
that organizations review and complete it as appropriate. We
are told that this was to ensure a broader dissemination of the
Advisory because a limited number of Canadian organizations
were on the distribution list to which the Advisory was sent
directly.
Based on our discussions with Canadian utilities and
Canadian government officials, NERC understands that when
information about the preliminary results of the Idaho National
Laboratory simulation was brought to the attention of the
Canadian Cyber Incident Response Centre of Public Safety
Canada, the Centre met with other government agencies with
responsibility in the area to determine appropriate action. It
was decided that the Energy Infrastructure Protection Division
of Natural Resources Canada should arrange a meeting with
energy and utilities stakeholders. In March 2007 a detailed
briefing was convened for Canadian energy interests including
electricity, oil and gas, and nuclear. Officials from Public
Safety Canada, Natural Resources Canada, the RCMP and the
Integrated Threat Assessment Centre participated and
disseminated the DHS warning and information package. There was
also a briefing of Canadian utility participants by staff from
the Idaho National Laboratory. Industry participants had
security clearances and received a confidential briefing that
they say helped them understand the nature of the problem and
the appropriate action to take.
The Advisory and identification and mitigation of
vulnerabilities were subsequently discussed at two CEA Security
and Critical Infrastructure Committee meetings. In addition,
there were further contacts between Canadian government
officials and DOE and DHS. Public Safety Canada advises that
they coordinated actions with DHS, including the provision of
sector briefings, technical advice, analysis activities at
Idaho National Laboratory, and public communications
strategies. To NERC's knowledge, no audit has been undertaken
by Canadian government agencies of actions taken by utilities.
----------
Barry R. Lawson, Responses to Questions from Hon. Edward J. Markey
Question No. 1: There was a suggestion at the hearing that
one way to address the cyber-security of the grid system beyond
that of the bulk power system would be through a consultation
process. If the cyber threat to the bulk power system demands
an increased federal authority in order to permit an immediate
response to any security incident or threat thereof, how would
a consultation process provide the same level of protection for
those on the grid beyond the bulk power system? If it would
not, why is it appropriate to settle for only limited
protection of the grid?
Response:
A consultation process is appropriate regarding electric
system facilities that are beyond the bulk power system. These
facilities are in most cases considered to be the distribution
system. The bulk power system is significantly different from
the distribution system. There are clear reasons why these
distribution facilities should not be treated the same as the
bulk power system in cyber security legislation.
Giving FERC or any other federal agency
jurisdiction over the distribution elements of the electric
utility system causes complications with state and local
regulatory authorities.
o Most distribution facilities are beyond the jurisdiction
of FERC. The FPA expressly reserves jurisdiction over
distribution facilities to the states.
o The regulation of the distribution system is imbued with
a number of local economic and political issues that are best
handled at the local level, not the federal level.
o FERC is not as familiar and will never be as familiar as
the individual states are with the structure and design of the
local distribution system in their states.
o State PUCs and other state/local regulatory authorities
have traditionally dealt with distribution service reliability
issues. These authorities best understand local distribution
system characteristics and conditions, which differ
substantially from those of the bulk power system. Local
distribution systems vary widely in their specific
configurations and designs, making utilities and state/local
officials best positioned to take protective steps when
necessary.
When comparing the bulk power system to the
distribution system, it is important to understand several
distinctions.
o An incident on the bulk power system can potentially
impact a larger geographical area and a corresponding potential
larger number of consumers. An incident on the distribution
system impacts a smaller area and a lesser number of consumers.
That means protection of the bulk power system is a higher
priority for the electric utility industry, and that the
distribution system will pose a much lower priority target.
o Distribution facilities are typically quicker and easier
to restore than bulk power system facilities. A distribution
circuit can often be easily restored merely by replacing a
single failed element and then re-energizing the circuit.
Restoring the bulk power system, however, is much more
complicated. Because of the large number of components and
integrated network nature of the bulk power system, it can
require significant regional coordination and considerable time
for re-energizing.
o Many distribution system elements are not
automated/controlled remotely with programmable devices and therefore not
necessarily vulnerable to cyber issues.
o The distribution system is separated from the bulk power
system through protection protocols and equipment.
Distribution circuits fail without any cyber
attacks. Automobile accidents and animal-related interruptions
are some of the most common causes of outages and they cannot
be completely prevented. Utilities have a long history of
successfully demonstrating that they are well-prepared to
respond to these and other incidents on their distribution
system.
Because of these differences, the distribution
system does not require the same level of protection as the
bulk power system.
o Where an uncontrolled failure of the bulk power system
can potentially lead to a ``cascading'' failure potentially
affecting a large number of consumers, an uncontrolled failure
of a distribution circuit is unlikely to affect a large number
of consumers and is limited to those consumers on a particular
distribution circuit.
o Distribution circuits are seldom material to the
reliability of the bulk power system and, when they are
material, they currently fall within the definition of the bulk
power system.
Accordingly, with the preceding information being
understood, it is not necessary or appropriate, and can in fact
be disruptive, for distribution facilities to be addressed in a
similar manner as bulk power system facilities.
Question No. 2: This Congress has heard hours of testimony
on some pressing grid issues and some promising grid solutions,
including those centered around ``smart grid'' technology. Your
testimony reported that in 2006, cooperatives led the industry
in installation of smart meters. Moreover, you offered
testimony regarding the need to ensure that whatever grid
solutions we implement in the smart grid realm appropriately
capture cyber security protections. I am glad to hear both the
progress demonstrated by the cooperatives with smart grid
initiatives and the industry's recognition of the importance of
integrating policy, practice and technology in this emerging
field. Can you provide me with specific examples of how the
industry is working toward the goal of ensuring appropriate
integration in the field of smart grid technology? If not, can
you explain why not and what would need to happen to have a
more integrated approach pursued?
Response:
``Smart Grid'' technology often uses the internet
and other automated equipment. Therefore, it is potentially
vulnerable to cyber issues. Implementation of this technology
should always include cyber protection related to the
equipment/devices that are being utilized.
Cyber security should be a part of an entity's due
diligence when considering the use of such technology. I
understand that this is addressed by entities when they
consider using ``smart grid'' technology.