[Senate Hearing 115-262]
[From the U.S. Government Publishing Office]

S. Hrg. 115-262

CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE SECURING ENERGY INFRASTRUCTURE ACT

HEARING BEFORE THE SUBCOMMITTEE ON ENERGY OF THE COMMITTEE ON ENERGY AND NATURAL RESOURCES, UNITED STATES SENATE, ONE HUNDRED FIFTEENTH CONGRESS, FIRST SESSION

MARCH 28, 2017

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

Printed for the use of the Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
24-977 WASHINGTON : 2018

COMMITTEE ON ENERGY AND NATURAL RESOURCES

LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming
MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho
RON WYDEN, Oregon
MIKE LEE, Utah
BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona
DEBBIE STABENOW, Michigan
STEVE DAINES, Montana
AL FRANKEN, Minnesota
CORY GARDNER, Colorado
JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee
MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota
MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana
ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio
TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama
CATHERINE CORTEZ MASTO, Nevada

Subcommittee on Energy

CORY GARDNER, Chairman
JAMES E. RISCH
JOE MANCHIN III
JEFF FLAKE
RON WYDEN
STEVE DAINES
BERNARD SANDERS
LAMAR ALEXANDER
AL FRANKEN
JOHN HOEVEN
MARTIN HEINRICH
BILL CASSIDY
ANGUS S. KING, JR.
ROB PORTMAN
TAMMY DUCKWORTH
LUTHER STRANGE
CATHERINE CORTEZ MASTO

Colin Hayes, Staff Director
Patrick J. McCormick III, Chief Counsel
Brianne Miller, Senior Professional Staff Member and Energy Policy Advisor
Angela Becker-Dippmann, Democratic Staff Director
Sam E. Fowler, Democratic Chief Counsel
David Gillers, Democratic Senior Counsel

C O N T E N T S

OPENING STATEMENTS

Gardner, Hon. Cory, Subcommittee Chairman and a U.S. Senator from Colorado
Manchin III, Hon. Joe, Subcommittee Ranking Member and a U.S. Senator from West Virginia
King, Jr., Hon. Angus S., a U.S. Senator from Maine
Alexander, Hon. Lamar, a U.S. Senator from Tennessee
Franken, Hon. Al, a U.S. Senator from Minnesota

WITNESSES

Bardee, Michael, Director, Office of Electric Reliability, Federal Energy Regulatory Commission
Fowke III, Benjamin, Chairman of the Board, President & Chief Executive Officer, Xcel Energy Inc.
Di Stasio, John, President, Large Public Power Council
Zacharia, Dr. Thomas, Deputy Director for Science and Technology, Oak Ridge National Laboratory

ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Alexander, Hon. Lamar: Opening Statement
American Public Power Association, Edison Electric Institute, and the National Rural Electric Cooperative Association: Statement for the Record
Bardee, Michael: Opening Statement; Written Testimony; Responses to Questions for the Record
Di Stasio, John: Opening Statement; Written Testimony; Responses to Questions for the Record
Fowke III, Benjamin: Opening Statement; Written Testimony; Responses to Questions for the Record
Franken, Hon. Al: Opening Statement
Gardner, Hon. Cory: Opening Statement
King, Jr., Hon. Angus S.: Opening Statement
Manchin III, Hon. Joe: Opening Statement
S. 79, the Securing Energy Infrastructure Act
U.S. Department of Energy: Statement for the Record
Zacharia, Dr. Thomas: Opening Statement; Written Testimony; Responses to Questions for the Record

CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE SECURING ENERGY INFRASTRUCTURE ACT

TUESDAY, MARCH 28, 2017

U.S. Senate, Subcommittee on Energy, Committee on Energy and Natural Resources, Washington, DC.

The Subcommittee met, pursuant to notice, at 2:17 p.m. in Room SD-366, Dirksen Senate Office Building, Hon. Cory Gardner, Chairman of the Subcommittee, presiding.

OPENING STATEMENT OF HON. CORY GARDNER, U.S. SENATOR FROM COLORADO

Senator Gardner [presiding]. We will go ahead and get the Subcommittee started. Senator Manchin will be joining us shortly, but thank you very much, as we call this Subcommittee hearing to order. Good afternoon. This is the Subcommittee on Energy's first 115th Congress hearing.
I am honored to chair the Subcommittee this Congress and look forward to working with the Subcommittee's Ranking Member, Senator Manchin. The Energy Subcommittee is certainly important to my home state of Colorado. In Colorado, we have coal in the northwestern part of the state, oil on the western slope, natural gas and wind on the eastern plains and solar in the San Luis Valley. We are truly an all-of-the-above energy state and very proud of that fact. We are also home to the Department of Energy's National Renewable Energy Laboratory which is instrumental in research and development for new technologies in advancing grid modernization, renewable energy and energy efficiency that will transform the marketplace. As Chairman, I look forward to promoting a strong and responsible energy policy that is critical to unleashing the nation's energy potential, and I look forward to using the Subcommittee to advance policies that benefit Coloradans and all Americans. Today the Subcommittee will examine the cybersecurity threats to the U.S. electric grid and technology advancements to minimize such threats and receive testimony on Senate bill 79, the Securing Energy Infrastructure Act. We will discuss the risks we face and the actions we should follow to protect our energy infrastructure from the impact of cyberattacks. In addition to defensive strategies, I am also interested in discussing whether there is a need to build preparedness and response capabilities in case of a long-term, widespread outage. The American people and American businesses depend on reliable and affordable electricity. These same customers expect the over 3,000 utilities in our country to be thinking ahead, coordinating actions and being responsive to our evolving demands. If we are not prepared for cyberattacks, a Ukraine-like situation could take place in the United States. In 2015 an attack on power companies in Ukraine resulted in 225,000 Ukrainians losing power. 
Last December there was an attack in Ukraine that resulted in another round of power outages but the strategy on the Ukrainian grid was more complex than the year before. Hackers are certainly trying to create that kind of havoc here in the United States. One U.S. utility CEO has said, ``If I were to share with you the number of attacks that come into the network every day, you would be astounded.'' And it is not from people working out of their garage. It is from nation states that are trying to penetrate systems.

I am encouraged to see that industry through the Electricity Sector Coordinating Council is working to collaborate and create best practices and partnerships with the government. The government and industry have also made great strides in cybersecurity through the creation of the National Institute of Standards and Technology, or NIST, cybersecurity framework, and the Electricity Information Sharing and Analysis Center (E-ISAC). It is concerning, however, that we continue to hear of attacks from so many fronts. Hackers are going after personal information and personal accounts that can be disastrous and financially painful for those affected. We hear of ransomware attacks requiring payments to resume access to machines and controls. We hear of millions of dollars being spent across industry and government to protect from these ever-changing threats to our national progress.

The questions that loom, however, are how, when, where is that next cyberattack going to happen? Are we prepared to react? I am hopeful that through this hearing and the opportunity we have to hear your testimony today and in the coming months we can strengthen both our preparedness and our response capabilities. I already see opportunities to enhance our cyber workforce and the need to gain clarity on the coordinated response actions of the Department of Energy Secretary and industry leaders. I am hopeful that we will uncover additional opportunities today.
With that, if you are ready, I will turn it over to our Ranking Member, Senator Manchin, from West Virginia.

STATEMENT OF HON. JOE MANCHIN III, U.S. SENATOR FROM WEST VIRGINIA

Senator Manchin. Thank you, Mr. Chairman. I want to thank you for scheduling this hearing and for your work on this important issue. Now I want to thank all of you for being here today, and I am looking forward to the quality of discussions ahead. I think our states all have a lot in common, particularly because both of our states are domestic energy exporters. I think we both recognize the importance of that role in this nation. I also want to thank Senators King, Heinrich and Cortez Masto for the roles that they are playing in leadership on this issue.

I appreciate that our witnesses are joining us today for this very timely discussion about the critical nature of our electrical grid and the very real cyber and physical threats that we face. The electric grid is essential to our lives and is also the lifeblood of the economy. The grid moves power hundreds, if not thousands, of miles to our houses and offices, and supplies factories, every day. People and businesses in the northeast and mid-Atlantic states are heavily dependent on a well-functioning grid to access power generated in my home state of West Virginia. The Energy Information Administration (EIA) reports that in 2014 West Virginia produced over 80,000 kilowatt hours of electricity, and the EIA consistently reports that West Virginia typically exports more electricity than it consumes. West Virginia's neighbors, Maryland, Virginia, Washington, DC, and others, depend on us for reliable electric generation, not to mention coal and natural gas production. Whether because of a cyber or physical attack or some other energy disruption, imagine what it would be like if West Virginia stopped producing and delivering energy. Instances like the Polar Vortex quickly become even more dangerous and likely tragic.
The secure and reliable transportation of energy is vitally important to our state's economy and to the safety and health of our citizens in those neighboring states. So I believe today's hearing is an important start to a longer conversation about the security of our grid. As the electric industry has increased its reliance on digital technologies to better serve consumers, the grid has grown more vulnerable to cyberattack. In December 2015, the first successful cyberattack took place against part of Ukraine's electric grid, demonstrating that shutting down the grid is a real possibility. Several hundred thousand customers were without power for several hours and many experts suggest that Russia was responsible. A year later, in December 2016, there was another power outage, this time in Northern Kiev, Ukraine. For approximately one hour, according to the affected Ukrainian power company, a blackout was caused by a cyberattack which was very similar to the allegedly Russian cyberattack on Ukraine's grid a year prior. Many cyber experts have come to the conclusion that it is not a question of if, but a question of when, a massive attack on our grid will occur. We must do everything we can to protect and prepare including hardening our networks to protect the grid and ensure the continued reliable delivery of electricity. But we also need to focus on emergency preparedness and incident response to minimize the effects of a potential attack. That is why the King/Risch/Collins/Heinrich bill is a step in the right direction. Senate bill 79 would establish a two-year pilot program within the national labs to research and test technology that could be used to isolate and protect the most critical systems of the electric grid. It would also establish a working group to evaluate the proposals of the pilot program and to develop a national cyber-informed engineering strategy. Mr. 
Chairman, the 2013 attack on the Pacific Gas and Electric Substation in Metcalf, California, reminds us that the threats to our grid are not limited to cyberspace. According to press reports, the Federal Energy Regulatory Commission, or FERC as we know it, has identified a small number of critical grid-related facilities that, if physically attacked, could significantly impair the ability of utilities to keep the lights on. Keeping America's energy network secure from cyber and physical intrusion is critical as new technologies and threats continue to emerge from transnational, organized crime, terrorist groups and hostile foreign governments. The argument goes that the smarter and more connected the power grid becomes, the more vulnerable it becomes.

I am sure you are familiar with the scale we are talking about. The Department of Homeland Security reported that 56 percent of cyber incidents against critical infrastructure in 2013 were directed at energy infrastructure, mostly on the electric grid. While the number has shrunk to 16 percent in 2015, there is much more to be done. That is why I supported the Energy Policy Modernization Act of 2016 that Chairman Murkowski and Ranking Member Cantwell worked so hard to get passed out of Committee and finally out of the Senate by a vote of 85 to 12. It does not happen often here. The bill included a cyber energy section that I supported when it passed the Senate. The cyber energy section directed the Secretary of Energy to carry out an energy/cybersecurity workforce development program. It also directed the Secretary of Energy to carry out a supply chain testing program for grid components. As more and more of our grid's components are both network enabled as well as manufactured abroad, we need to be sure that every piece of our national security assets has been rigorously vetted.
It also proposed to double the Department's current investments in all energy/cybersecurity programs, and encouraged the Department of Energy to work hand in hand with the private sector. This recognizes the importance of aligning government capabilities with the needs of industry actors that are dealing with potential threats to our grid every day. Unfortunately, Congress adjourned last year before the Conference Committee was able to complete its work on this legislation, but the need to act still remains. The ability to deliver energy quickly, securely and without interruption is something that West Virginia prides itself on, which is why I am particularly appreciative of Senator King's passion for this issue. Senator Heinrich and Senator Risch's ongoing efforts on this bill are also to be applauded. I also want to thank the Chair for holding this hearing, which was much needed. I look forward to the testimony of our witnesses.

Senator Gardner. Thank you, Senator Manchin. Before we introduce the witnesses today, Senator King, if you would like to say a few words about S. 79, the Securing Energy Infrastructure Act.

STATEMENT OF HON. ANGUS S. KING, JR., U.S. SENATOR FROM MAINE

Senator King. Thank you, Mr. Chairman. You both have quite eloquently outlined the need. I, in addition to this Committee, sit on both the Armed Services and Intelligence Committees. Over the past four years we have had dozens, if not hundreds, of warnings of cyberattacks against critical infrastructure, and the grid certainly qualifies for that. I characterize what we are looking at now as the longest windup for a punch in world history. We know it is coming, we just don't know where and when and the risks are enormous. The second thing I wanted to say is that there is no single solution to this problem. The utilities themselves have done amazing and wonderful work in defending themselves. FERC has worked with them.
There are lots of solutions percolating around the pilot program that is proposed in S. 79 that basically came out of work that was a result of the Ukraine hack in 2015. In this attack they found that one of the reasons the Ukrainian grid was able to be resilient was that there were some old-fashioned analog switches, and perhaps even places where old Dimitri with his dog had to go out and pull a switch, that saved the grid from a real catastrophe. What we are talking about here is not rebuilding or reengineering the entire grid, but to really ask the question, are there some back to the future answers at critical points that might protect us from the kind of attack we know is coming? It is no coincidence that the four principal sponsors of this bill, myself, Senator Risch, Senator Heinrich and Senator Collins are also all on the Intelligence Committee, and our work on this bill really started in that Committee and has carried through on to this Committee. So I look forward to the hearing. I appreciate your calling it.

The other thing I want to express is that time is running out. I do not want to go home to my constituents in the middle of a blackout and say well, we might have gotten to this, but we had different committees that had jurisdiction and we really could not quite get at it in the Conference Committee. That is not going to cut it. I think this qualifies as an emergency, and I hope that we can act promptly. I hope that this is a bill that might get the level of support that it could go through on its own without waiting for a more comprehensive energy bill because that endangers, I think, our taking a practical step that could be of significant help to us. Thank you, Mr. Chairman.

Senator Gardner. Thank you, Senator King. Before we do the formal introductions, we have two members of the Committee that may wish to say a word or two about our witnesses today. Senator Alexander.

STATEMENT OF HON. LAMAR ALEXANDER, U.S. SENATOR FROM TENNESSEE

Senator Alexander. Thank you, Senator Gardner. I am delighted to welcome Dr. Thomas Zacharia to the Committee. He is the Deputy Director for Science and Technology at the Oak Ridge National Laboratory and presides over one of the largest research budgets in our country. I will say two things about him. One is he developed the computer program at Oak Ridge which has produced the fastest computers in the United States, in any event. And next year, in 2018, there will be a computer five times as fast. That was his doing and his leadership. So he can speak with authority to the question of what can supercomputing do to help us with cybersecurity, with the grid, with waste fraud and abuse and Medicaid and Medicare--anything that has to do with data manipulation, Thomas knows how to build and operate the fastest computers in the world. Second, the Oak Ridge Laboratory is the largest science and energy laboratory, and he works with a lot of people. He is very well respected by all of the people with whom he works. So I welcome him here and look forward to his testimony.

Senator Gardner. Thank you, Senator Alexander. Senator Franken.

STATEMENT OF HON. AL FRANKEN, U.S. SENATOR FROM MINNESOTA

Senator Franken. Senator Gardner, Xcel may operate in Colorado, but it is headquartered in Minneapolis.

[Laughter.]

Xcel also serves more than one million people in the Twin Cities area. So, I want to welcome Ben Fowke here today. Thank you, sir. I know we are going to be discussing cybersecurity, and I look forward to hearing your thoughts on that crucial subject as well as your role on the National Infrastructure Advisory Council which advises the President on crucial infrastructure activity. But first, I want to commend Xcel for being a leader in generating clean energy and reducing carbon emissions. More than 50 percent of the electricity you supply in Minnesota comes from wind, hydro, solar, biomass or nuclear. This helps us reduce emissions.
Your company is on track to reduce greenhouse emissions to 30 percent of 2005 levels by 2020, and you are not stopping there. You have just announced that you are going to add an additional 3,380 megawatts of wind capacity across seven states. We are very proud of what Minnesota has done since Governor Pawlenty signed in our renewable energy standard and our energy efficiency resource standards. I want to thank you for Xcel's leadership, for your personal leadership, and for showing how we can transition to clean sources of electricity while keeping rates low. I look forward to your testimony, and I think it is terrific that you also operate in other states.

[Laughter.]

Senator Gardner. Yes. And I, Mr. Fowke, would echo that. Thanks for making it clear to me as a kid who grew up on the eastern plains of Colorado, the dam wind isn't just one word. You can actually do something with it.

[Laughter.]

So, thank you. In addition to Mr. Fowke and Dr. Zacharia, we are also joined by Michael Bardee, the Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission (FERC), and Mr. John Di Stasio, President of the Large Public Power Council. Thanks to all of you for being here and your time and testimony today. Mr. Bardee, if you would like to begin with your testimony? Thank you.

STATEMENT OF MICHAEL BARDEE, DIRECTOR, OFFICE OF ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

Mr. Bardee. Thank you, Chairman Gardner. Chairman and members of the Subcommittee, thank you for the opportunity to testify. My name is Michael Bardee, and I'm the Director of FERC's Office of Electric Reliability. I am here today as a Commission staff witness and my remarks do not necessarily represent the views of the Commission or any individual Commissioner. In the Energy Policy Act of 2005 Congress gave the Commission a responsibility to oversee mandatory, enforceable reliability standards for the nation's Bulk-Power System, excluding Alaska and Hawaii.
Cybersecurity is an important part of this responsibility. In 2008, the Commission approved NERC's first set of cybersecurity or CIP standards while also directing NERC to develop changes. Since then, the Commission has approved various changes to the CIP standards. Last year, utilities implemented version five of the CIP standards for high and medium impact assets. This year, utilities are implementing version five for low-impact assets. Last July, the Commission directed NERC to develop a standard on supply chain risk management. There is no requirement for any specific controls, nor did FERC seek one size fits all requirements. Instead, FERC said the standard should define the objectives while allowing flexibility on how to meet those objectives. NERC is working on a standard now and is due to submit it to the Commission in September. Also in July, FERC sought public comment on whether to modify the CIP standards for the protection of control centers used to monitor and control the Bulk-Power System. FERC cited the 2015 cyberattack on the grid in Ukraine as an example of how cyber systems used to operate and maintain a grid, unless protected adequately, can create cyber risks. FERC is reviewing the comments submitted in response and considering whether further action is appropriate on these issues. While mandatory standards are an important part of the Commission's work on cybersecurity, FERC also worked with industry in other ways, sharing information, encouraging best practices and providing assistance when requested, including through our Office of Energy Infrastructure Security. The goal of these efforts is to mitigate the risk of a cyber incident, but if such an event ever does happen, the industry also needs to be prepared to restore the grid. For this reason, last year, FERC completed a report with NERC and its regional entities on grid restoration and recovery. 
The report was based on working closely with a number of utilities and recommended various practices and additional studies. Work on those additional studies is ongoing.

The work proposed in S. 79 could help utilities to maintain a secure electric grid. Utilities have come to rely increasingly on digital tools for operating the Bulk-Power System. A broad-scale reversion to predigital technology is uneconomic, unjustified and perhaps even impossible. S. 79 focuses on only the most critical systems of the covered entities. Also, S. 79 does not require adoption of any particular technology and instead requires only research and testing. Any decision on implementation would be made only after sufficient research and testing. I would suggest one small change to S. 79 and that is to add FERC to the list of entities specifically included as a member of the working group in the bill. Thank you for allowing me to testify today. I would be glad to address any questions you may have.

[The prepared statement of Mr. Bardee follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Senator Gardner. Thank you, Mr. Bardee. Mr. Fowke.

STATEMENT OF BENJAMIN FOWKE III, CHAIRMAN OF THE BOARD, PRESIDENT & CHIEF EXECUTIVE OFFICER, XCEL ENERGY INC.

Mr. Fowke. Senator Gardner, thank you for the invitation to speak at this important event. My name is Ben Fowke, and I'm the CEO of Xcel Energy. We're an energy company serving 3.5 million electric customers and two million natural gas customers in eight western and mid-western states. I'm also a member of the Electric Sector Coordinating Council, or ESCC, and a member of the National Infrastructure Advisory Council, or NIAC, which advises the President on the protection of critical infrastructure. Today I want to give you Xcel Energy's perspective on cybersecurity. Our modern society depends on electricity. Left unprotected from cyberthreats, the grid and electric service we all depend on could be at risk.
Fortunately, Xcel Energy and other utilities have cybersecurity programs designed to adapt and to respond to this growing threat. And while no program is perfect, I believe that our industry's approach should give the Subcommittee increased confidence in the grid security. That confidence, however, should be taken in context. Attacks on our grid continue to grow in number and in sophistication, and it's really easy to fall behind. It's clear we need better coordination with the DOE, the DHS and other Federal agencies. We need better, more timely information sharing, and we need new approaches to protect the devices that run the grid. Together, these strategies will enhance our cybersecurity defenses and the reliability of the power system. Let me begin by acknowledging a difficult reality, the cyberthreat is growing. In 2016, Xcel Energy identified over 500,000 individual cyberattacks on our network. And although we're attacked daily, we're most concerned about potential attacks targeting the grid control systems. Grid industrial control systems use digital technology to do their work and, like anything else that uses digital technology, these systems could be hacked. Without proper controls and monitoring a cyberattack of the control system could force the grid offline. In response to this threat we work continuously to implement a flexible, effective, cybersecurity program. Our program separates and protects the control system from the Internet. We also use strong passwords and strictly control employee access to our critical systems. Our network is monitored by a dedicated team of cyber analysts on a 24/7 basis. We act immediately on actionable threat intelligence from government and private sources. We routinely install antivirus and antimalware programs. We also hunt for indications of compromise in order to detect and eliminate threats. Finally, we perform third party penetration testing of the network to test the effectiveness of our defenses. 
Now despite these best efforts, no program is perfect; therefore, system recovery is one of our program's highest priorities. And while the challenges of system restoration would be different after a cyberattack, our industry's experience with system restoration after storms and other outages does give us a leg up. So, our cyber programs continue to improve but our program is and always will be a work in progress. There will always be more to do. We continue to look for ways technology can help protect the grid. For example, information sharing tools must become more sophisticated as the attacks become more sophisticated, and our arsenal of information sharing tools is continuously improving. Real-time machine-to-machine information sharing will further enhance our ability to respond to grid attacks, and we're working with other sectors to boost these capabilities. We're also beginning to deploy monitoring technologies to look for anomalies on the network that could indicate the presence of malware. Turning to national cybersecurity policy. The electric industry, the DOE, the DHS, are working together through the ESCC to establish robust national cybersecurity efforts. My written testimony provides an overview of the programs spearheaded by the ESCC to enhance the nation's cybersecurity effectiveness; however, as I stated, there's always more to do and Congress and the Administration can help. First, in a recent scoping session, NIAC has recommended to the President that the nation adopt a new transformational national framework for cybersecurity. The NIAC scoping study points to a fundamental problem with the current approach and that despite recent progress, national cybersecurity policy is often uncoordinated and unfocused. And while not speaking on the behalf of the Council, I believe the recommendations of the NIAC scoping study are urgently needed. 
Second, in our experience, Federal agencies are often slow to provide classified information regarding cyberthreats to utilities. While protection of the nation's secrets is vital, a better process is needed to ensure that we have the necessary information in a timely fashion. Finally, I believe we need both more research into cyber safeguards and the development of improved standards for software that controls the operational devices that were on the grid. Thank you for the opportunity to be here with you today. I'd be happy to answer any questions.

[The prepared statement of Mr. Fowke follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Senator Gardner. Thank you, Mr. Fowke. Mr. Di Stasio.

STATEMENT OF JOHN DI STASIO, PRESIDENT, LARGE PUBLIC POWER COUNCIL

Mr. Di Stasio. Chairman Gardner, Ranking Member Manchin, members of the Subcommittee, thank you for the opportunity to appear before the Subcommittee today. My name is John Di Stasio, and I'm the President of the Large Public Power Council. Known as the LPPC, the Council represents 26 of the largest state-owned and municipal utilities in the nation, and we provide power to over 30 million people in 13 states. I'm here to respond to the Committee's interest in cybersecurity threats facing the U.S. electric grid. I'd also like to provide input on S. 79, the Securing Energy Infrastructure Act.

The points I want to emphasize are these. Industry is engaged. While cybersecurity threats to the electric grid are fast evolving and they do require quick, adaptive responses, much is beginning to be known about the threat environment. The electric industry, working with the standards promulgated and enforced by the North American Electric Reliability Corporation, NERC, and also FERC and working with our governmental partners, has effectively responded to known threats and we're actively working to anticipate emerging threats.
Because of the nature of the cybersecurity threats faced by industry, they're evolving rapidly and they're not static so the electric industry has repeatedly emphasized the need for flexible application of cybersecurity regulations that permit industry agility in responding to threats and the ability to implement evolving technology solutions. The electric industry has been grappling with cybersecurity threats for at least a decade. We've learned a lot about the nature of the threats we face in a variety of attack vectors. In response to these threats and with the oversight of FERC, NERC has implemented and enforced the nation's only mandatory suite of cybersecurity standards, the CIP protection standards. The 2015 cyberattack, as was mentioned, on the Ukrainian grid underscored the electric grid's vulnerability. Although I don't want to understate the concern, I do want to emphasize that techniques used by the attackers were generally understood by the industry and are meaningfully addressed by NERC's reliability standards. Specifically relevant are those CIP standards that provide for electronic security perimeters, access control and malware detection and remediation. A study by the DHS identified three areas for further review: air gapping, application whitelisting and risks that reside within the supply chain. These areas are under current study by NERC and FERC. As to air gapping, NERC says, and I agree, that while there are potential security benefits associated with this approach, there are reliability and operational considerations too. So further study is certainly warranted. Similarly, while application whitelisting is one feasible way to guard against the operation of malware on utility systems, it also presents possible unintended consequences that may include interference with essential reliability and operational processes. Here again, further study would be useful. 
As to the supply chain, NERC is currently in the process of developing a standard at FERC direction. Certainly the procurement of trusted hardware and software is important, but it's not reasonable to ask utilities to police the compliance of vendors and their commitments to follow security practices. We are pressing for an approach to a supply chain standard which also places onus on the vendors to ensure compliance with their commitments to implement sound and reliable security practices. Because cyberthreats evolve rapidly, it is important that utilities maintain the agility to respond to threats and the ability to implement evolving technology solutions. S. 79 promotes government-industry partnership in studying evolving vulnerabilities which will help combat cybersecurity threats; however, LPPC does caution against converting study findings into any one-size-fits-all solutions. The electric industry's response to cybersecurity risk is robust, it's fast evolving and it's intimately tied to efforts by the government to enhance the nation's security posture. I would never claim that all risks are covered, but a great deal of work is being undertaken in this area. As in any robust security environment, the focus is appropriately not only on prevention, but also on response and recovery. We welcome the opportunity to work with the members of the Committee to provide further information and receive input on this joint endeavor. Thank you.

[The prepared statement of Mr. Di Stasio follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Senator Gardner. Thank you. Dr. Zacharia.

STATEMENT OF DR. THOMAS ZACHARIA, DEPUTY DIRECTOR FOR SCIENCE AND TECHNOLOGY, OAK RIDGE NATIONAL LABORATORY

Dr. Zacharia. Chairman Gardner, Ranking Member Cantwell and members of the Subcommittee, thank you for the opportunity to appear before you today. And Senator Alexander, thank you for the kind remarks. I'm Dr. Thomas Zacharia, Deputy Director of Science and Technology at the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL). The focus of our programs at ORNL is on solving compelling national problems in energy and security. These problems are connected. Energy security is a vital component of our national security. Last Tuesday, a series of powerful storms swept through East Tennessee. The morning after, I spoke with the Chairman of the Electric Power Board (EPB) in Chattanooga with whom ORNL has a long-standing partnership. The Chairman told me that the severe weather had disrupted services to 65,000 homes in the EPB service area, but thanks to the state-of-the-art control of the EPB system, half of those homes experienced nothing more than just a power flicker and EPB was able to rapidly work to restore service to the other homes. We know that these same digital systems that are so successful at running the electric grid efficiently and effectively are also vulnerable to cyberattack. The DOE National Laboratory system recognizes this vulnerability and is actively pursuing technology advancements to mitigate this threat. Often described as the world's largest machine, the U.S. electric grid is a foundation of our competitive national economy and, indeed, our way of life. However, as utilities have increased smart interconnections between grid services to make the system more agile and adaptive and able to preempt disturbances, they have also created some access points for potential cyber disruption. With the growing sophistication of cyber intrusions, we need to go beyond today's practices. With DOE and electric utilities, we've been exploring ways to get critical infrastructure off the public internet.
Specifically, the following technological advancements and solutions are needed to ensure reliable, efficient, resilient and secure grid infrastructure across the country: eliminate direct connectivity to the internet, implement advanced cyber defensive measures beyond what's possible on the internet, develop supply chain components and Internet of Things devices with security built in, provide wide area situational awareness and decision support by enhancing grid state monitoring with advanced sensing and measurements and use living laboratories in partnerships with utilities and national laboratories to test functionality and resilience of advanced cyber and cyber physical solutions to accelerate transition to practice. ORNL has developed numerous technologies used to counter cybersecurity threats. These technologies range from hardware device monitors to software that can detect dormant malicious code, to platforms that can discover and detect the presence of advanced persistent threats. Cyber physical tools and capabilities include Grid Eye sensors located across the U.S. for real time systems monitoring and EAGLE-I which monitors the nation's energy sector in real time. This can be leveraged with the PNNL-led effort on the Cybersecurity Risk Information Sharing Program (CRISP) to provide cyberthreat information to industry partners. Without our established public/private partnerships, these technologies will not be adopted by industry. For example, DOE and ORNL are leveraging the EPB automated smart grid and fiber optic network infrastructure to develop next generation of cybersecurity defense systems, including next generation quantum cybersecurity software that has the potential to prevent undetected hacker intrusions into the IT networks. National labs, including ORNL, are uniquely positioned to address cybersecurity challenges through technology breakthroughs in partnership with the private sector. 
One example of the laboratories, the system of laboratories, working together on major challenges is the Grid Modernization Laboratory Consortium, GMLC. This was established as a strategic partnership between DOE and the national laboratories to bring together leading experts, technologies and resources to collaborate on the goal of modernizing the nation's grid. Thank you for the opportunity to be here today to share with you what we see are some of the solutions to minimize cybersecurity threats to the electric grid and, in turn, further contribute to the security of the nation.

[The prepared statement of Dr. Zacharia follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Senator Gardner. Thank you, Dr. Zacharia. I know Senator Alexander has a hard stop, so, Senator Alexander, I am happy to yield to you if you would like to ask some questions.

Senator Alexander. Thank you, Mr. Chairman, I appreciate that very much. So I will just ask one question. Dr. Zacharia, ever since I have been here, which is now about 14 years, the Congress and the Administrations have put a priority on building supercomputers, and I believe you have built the fastest supercomputing system in our country. Is that right?

Dr. Zacharia. That is correct, Senator.

Senator Alexander. And it is going to increase in 2018 by a factor of five, is that correct too?

Dr. Zacharia. Factor five was 2004.

Senator Alexander. Well, let me ask, in fairly specific terms, what difference does it make if we have the fastest computer, or the second, or the third, or the fourth, or the fifth, or the sixth, in terms of cybersecurity and monitoring our grid?

Dr. Zacharia. Senator Alexander, thank you for the question. Like any other system, leadership in supercomputing is absolutely essential because the Chinese and other nations use a supercomputer for just the same advantages that we seek to achieve in this country.
So, the Chinese system that is currently, that the Chinese have two systems that is the fastest in the world today. Many of the applications that they're using are for cybersecurity, both defensive and offensive cybersecurity, as well as other materials and technologies. It's absolutely essential that we maintain the ability to match and deter cybersecurity threats. The way the supercomputer comes into play is that as the grid system particularly as the nation's electric grid system have deployed new technologies to make them more smart so they can deliver better services to their consumers. They've also become much more data aware. They produce a lot of data. There are lots of sensors. What supercomputers allow us to do is to monitor the data real time, analyze it, do some of the deep data analysis and just like you might have heard, IBM Watson, to be able to actually make decisions on the fly, to do cognitive computing. The Summit system that is going to be deployed in 2018, even though it's going to be five times faster, it also has a co-processor that allows you to do real time data analysis and decision-making. So these are some of the advantages in terms of being able to stay at the leading edge to make sure that the nation's grid system is protected and we have the necessary tools and capabilities to do that.

Senator Alexander. Thank you, Dr. Zacharia, and thank you, Mr. Chairman, for your courtesy.

Senator Gardner. Thank you, Senator Alexander. I will now turn to the Ranking Member of the Committee, Senator Cantwell.

Senator Cantwell. Thank you. I am also happy you have the fastest supercomputer.

[Laughter.]

When every particle in a storm can be put into an algorithm and you can process that information so the United States can have more data, instead of going to the Europeans, who right now have a faster or at least, in my understanding, have better, more accurate information on Sandy than we did in the United States--we need to keep going.
We need to give you all the capacity for that and more because this weather aspect is so, so important. I see your colleague is nodding because when utilities know that that level of damage is going to occur, they can better plan for it. They can relocate assets, get them there in time, all sorts of things. So anyway, on the cyber front, Dr. Zacharia, you mentioned the supply chain. We also had a hearing on cybersecurity in the Commerce Committee, which I found very interesting because a lot of the discussion focused on private sector entities. I definitely believe in collaboration here between the universities, the utilities and the private sector on where we go forward. But we did not get too much into the supply chain. We talked a lot about education, how we need to have these various two-year and four-year academic degrees on cybersecurity. We do not, currently, have enough focus on that. But we did not talk enough about the supply chain and supply chain risk. Could you elaborate on that?

Dr. Zacharia. So, it is, Senator Cantwell, thank you very much for the question. It's certainly clear that the supply chain is vulnerable and there is clear evidence that the supply chain, some of the key components that are used, is vulnerable for cyber intrusion. I think it is really important for laboratories like the DOE lab system working with private sector and university partners to have the ability to test and validate the components that go into our grid system, because they are so essential to maintaining the security of the system while delivering the kind of services the consumer expects today.

Senator Cantwell. So are you worried about a direct threat or just not understanding the supply chain and the dynamics of products?

Dr. Zacharia. Well, I think that it is really important for us to ensure that we understand the supply chain of critical components on what we consider as an essential part of our U.S. economy which is the electric grid.
And so, while I cannot speak to specific issues about a particular component, I think it's essential that we pay attention to the security threats and vulnerabilities associated with the supply chain.

Senator Cantwell. Okay. Anybody else?

Mr. Fowke. I would just add that these operating technologies are increasingly converging with IT technologies. And so, when you think about the hardware that we use to run the grid, there's chips and other IT type technologies embedded in that and without standards that protect and make sure that we have the necessary cybersecurity overlays that equipment and the ability to monitor that equipment, then we're really flying blind. I think there's a lot of work that can be done in making sure that what's on the grid and, quite frankly, ultimately what's in somebody's home, in the Internet of Things, is secured in a way that, I think, we all would come to expect.

Senator Cantwell. And that is a group discussion as well?

Mr. Fowke. Yes.

Senator Cantwell. To get there, it is everybody discussing and participating in that?

Mr. Fowke. Yup.

Senator Cantwell. Well we definitely need to think about that and the recommendations from the Quadrennial Energy Review on cybersecurity, and we definitely need to get those implemented. Thank you, Mr. Chairman.

Senator Gardner. Thank you, Senator Cantwell. Throughout the testimony and in your written testimony, I have seen a number of acronyms. I think, if you just look at what is involved in cybersecurity, so far, we have covered DOE, NIST, DHS, NSA, CIP, E-ISAC, is that how you say it, I, S, A, C, E-ISAC, FS-ISAC, ESCC, NIAC, NERC and FERC. It is clear where we go in cyber, so I think that is part of the challenge that we have. Senator Cantwell mentioned that she had a Commerce Committee hearing on cyber. Later this week I am going to be holding a Foreign Relations hearing where we are going to talk about cyber. Here in Energy Committee, we are talking about cyber and all these acronyms. Mr. Fowke, you mentioned at the beginning of your testimony one of the things that we need to work on is better coordination with the Department of Energy, Department of Homeland Security and the other agencies that we highlighted here. I have introduced a bipartisan bill to create a Senate Select Committee on Cybersecurity, trying to answer some of these jurisdictional questions. Over half of the Committees in the United States Senate have some jurisdiction, either in the rules or self-claimed jurisdiction, over cybersecurity. I think nine committees have held 20 hearings on some cyber element. What are your thoughts on creating a Senate Select Committee on Cybersecurity that would have jurisdiction over cybersecurity, cyberspace, which would oversee and strengthen U.S. data prevention, data breach prevention strategy, other cyber activities? Would it have a value, the Select Committee on Cybersecurity, that would help the energy industry organize government rules and responsibilities?

Mr. Fowke. Yes, Senator Gardner, I think it would. And let me apologize for the use of the acronyms. That's how you get your testimony in in five minutes.

Senator Gardner. It wasn't just you.

[Laughter.]

Mr. Fowke. Oh. As I said in my testimony and as the NIAC scoping study points out, we just need to coordinate better. I mean, there's a lot of work being done, but it's being done by a lot of agencies. It's being done by a lot of Congressional committees, and there's a lot of industry work that's being done as well. I think we're getting better at coordinating, but the bad actors are getting better at attacking us at the same time. So, to the extent we can have a more coordinated, focused effort, you know, it doesn't--it reminds me a little bit about the difference between watching a professional soccer team and kids that are six years old. Everybody is going to the ball, but you've got to play in your swim lanes and as a team. I think that's what you're suggesting.
I would caution that sometimes we rush to pass the legislation and we ought to make sure that there aren't unintended consequences with that legislation too. And I really think the tone at the top is where we start and then we work our way down. And that way we can have a coordinated response.

Senator Gardner. Mr. Fowke, follow up on that too. Is there any kind of coordination that Congress can help provide industry, or in the various organizations that you are a member of? Will you, through industry and your partners in government, come up with the correct coordination on your own or is it something that Congress needs to provide guidance with?

Mr. Fowke. We need help getting the information. As I mentioned in my testimony, quite often, by the time we hear about a potential threat or a threat from the government, we've known about it for quite a long time through private sources or industry communication, et cetera. And I think the reason for that is we struggle on taking what could be classified information, declassifying it and getting it out quickly. The second thing we struggle with is where there is a need to keep it classified. I think we've got a six to eight-month backlog per individual to try to get classified status. So you might want to share the classified information, but you can't share it because the people aren't cleared. In an age where we're talking machine to machine, that is, that's quite a hindrance. We need to do better with that because we have the tools in place, another acronym, CRISP, the detection software. That's a good system and right now the information is going right into the lab and it's basically where it stays. So, we need to start getting a two-way flow of, what I think, could be very valuable information.

Senator Gardner. So if I understand the problem, there's a twofold challenge, right?
You have the challenge of getting the information from the Federal Government, information that you need to protect the grid, the system, your power system. And secondly, of course, is getting people who can then receive that information with the proper classification. Is that correct?

Mr. Fowke. That's correct.

Senator Gardner. There is a story that I wanted to share with you. I am sure on the Committee, you have all heard this story. It was reported in E&E News. It is a story of, I guess it was a security test, where they had a person come into the utility, basically to audit their security. Apparently the security auditor told him that he had seen equipment in the utility, in the utility control room, that would not be allowed in a federal installation because it is vulnerable to hackers. The security auditor said, in a federal installation that piece of equipment would not be allowed to be in it because of its vulnerability. The head of the utility company asked, what is that equipment? And the response was, I can't tell you, it's classified.

[Laughter.]

So, that is the problem. Senator Cortez Masto.

Senator Cortez Masto. Thank you, Mr. Chair, and I appreciate the comments today. This is an area that I worked in as the Attorney General of the State of Nevada and something that I saw from a state perspective that we needed to address but was always concerned about the federal interaction. Now I am on the federal side and I see the same, kind of, bifurcation where there is a lack of communication, not only at the federal level, but the communication at the federal level and the states. And that is the question I have from the very beginning. Mr. Bardee, it is a two-part question relating to how information, with respect to threats and remediation, is conveyed to state officials? And it goes back to some of the concerns that we have talked about with acronyms and the number of committees and commissions that are out there.
I understand that the Electricity ISAC is responsible for situational awareness, incident management and communications regarding cyberthreats to the grid. But the Electricity ISAC is only one of 20 different ISACs. States participate directly in only one which is the multi-state ISAC. So, how does the cyberthreat information regarding the electric grid get to those state officials?

Mr. Bardee. There are a number of informal mechanisms by which that information can be shared. Our agency, for example, particularly in our Office of Energy Infrastructure Security, reaches out to the states and tries to work with them and share information and assist them, as appropriate. I know the Department of Energy does, too. And the more sensitive information, the classified information, generally, it originates in other parts of the Federal Government, Department of Homeland Security, for example. And we are a recipient of that sometimes, but we're not the source of it. So I would say that it is a challenge to ensure that the states are getting all of the information they need, given the ways in which that information may come into the government. But it's an ongoing effort and we are looking for ways to improve that. I, for example, and some of my colleagues are going to be meeting with NARUC, I think in about two weeks, to discuss cybersecurity. And this, I would expect, to be part of the conversation.

Senator Cortez Masto. Yes. I would appreciate more of a direct interaction at the state level and not through different task forces or multi-levels. I know the state counterparts would appreciate that. I think this is an effort that we have to look beyond, not just the federal level, but at the state level. Everybody should be working to address the cyberthreats that we see, so I appreciate your comments. Let me just open this up.
I understand that the second installment of the QER noted that the traditional definition of reliability may be insufficient to ensure system integrity and available electric power in the face of physical attacks and cyberthreats, among other things, and that the security of the systems, particularly cybersecurity, is a growing concern. Would you agree with that assessment from the QER? I will open that up to anyone.

Mr. Di Stasio. I would say, I think, FERC addressed part of this as a--it was mentioned previously about the 2013 Metcalf attack in California. At that time, I was a CEO of a neighboring utility in California, so that was a very real incident for us. FERC added a standard on physical security that really directed utilities to make a risk-based assessment of where to harden the system from both physical attacks and we've already got the CIP standards that are focused on doing the same for cyber. But again, these risks are evolving. They're emerging. They're not static. So it becomes more of a prioritization of which of the systems and which of the components within the system are going to provide the greatest risk mitigation and doing those first. And that's what we're really in the midst of undertaking right now.

Senator Cortez Masto. I appreciate that. One final question, Dr. Zacharia. You mentioned a suggestion that one way to answer the concern about cybersecurity threats is that we eliminate the grid or any type of critical infrastructure from the internet. Can you expand on that? Do you think that is possible, particularly with the evolution of technology, the Internet of Things and everybody being connected, including smart meters, which we have in the State of Nevada?

Dr. Zacharia. Senator, what I meant to say was that it should be disconnected from the commercial internet. So let me expand on that.
Our own experience is that when Oak Ridge National Laboratory, about a dozen or so years ago, was deploying one of the fastest supercomputers in the world, we did not have very high speed network connectivity into the laboratory. And the way that we solved that problem was that there is actually dark fiber that most of the major utilities have in the right of way. Generally it is usually used with control systems and it has redundant pairs of fiber. We were able to work with the utilities, in this case, TVA, to get a pair of fiber that is completely separate and isolated from the commercial internet provider. One of the suggestions is that there is a tremendous amount of dark fiber that is available on the right of way--using this dark fiber as a way to create a separate, you know, sort of air-gapped, network connectivity because I think it is really important that the consumers are used to a certain level of service and it's not good to go back. And one way to provide that service is to actually have dedicated network and using dark fiber that is already available in the ground today.

Senator Cortez Masto. Thank you. Thank you very much.

Senator Gardner. Thank you. Senator King.

Senator King. Thank you, Mr. Chairman. First, a sort of basic question. Mr. Bardee, is there one national grid? My understanding is that the entire nation is not connected. There are regional grids. Am I correct?

Mr. Bardee. The best way to describe it is that there are three interconnections in the United States. One, basically within Texas, not fully congruent but basically one for the western third of the United States, and the rest in the East.

Senator King. Are those three connected? In other words, could you bring down the entire nation at one time or would you have to do three?

Mr. Bardee. There are very limited connections between those three. So generally, if there is a problem in one of the interconnections it does not affect the other two.

Senator King. Let me talk about the sophistication of the attacks. My understanding is that the level of sophistication is going up. Mr. Fowke, you mentioned 500,000 attacks. That is astonishing. A lot of those are poking and prodding and testing and trying to find vulnerabilities and that these attacks are getting more sophisticated all the time. Is that correct?

Mr. Fowke. Yes, I would not say the 500,000 are sophisticated, all sophisticated nation states, but the problem with trying to categorize what might just be something like, you know, a benign, well it's not benign, but a phishing attempt. Something we all get is that there might be more behind what looks like run of the mill type, you know, virus or malware that's trying to be implanted. And what happens is if you get phished and it's allowed to get onto your network, that virus, that malware, will hunt around for as long as it takes, searching out weaknesses that can get it into something more important, like your----

Senator King. And it can also lie dormant for some period of time.

Mr. Fowke. Yes. I believe that is another acronym. I think it is called APT, but Advanced----

Dr. Zacharia. Persistent Threat.

Mr. Fowke. There, thank you.

Senator King. Advanced Persistent Threat.

Mr. Fowke. Right.

Senator King. But what we are seeing here is the nature of warfare changing before our eyes. And the Russians, particularly, are playing a weak hand, very effectively, and it is on the cheap. For the cost of one tank they can hire 500 hackers or trolls or whatever. We know that this is a part of their foreign policy strategy in terms of elections, in terms of other kinds of disruptions to western countries. And this is, really, a threat that the likes we have not seen. By the way, Mr. Chair, I like the idea of the Select Committee on Cybersecurity. You get to tell Senator McCain that you are taking cyber away from Armed Services.

[Laughter.]

Senator Gardner. He co-sponsored it.
I don't know if he knows the full implication of that.

[Laughter.]

Senator King. I think that is an important idea. Well again, several of you mentioned S. 79. We are not trying to do anything prescriptive here, but we are trying to test hopeful, promising technology to link the utility community with the national labs. What I hear many of you saying is coordination is one of the key elements of this and I am talking, we are talking, about coordination on a specific project. But on the broader sense, I think, good coordination is one of the most important things that we can try to develop. We need this country to develop a cyber strategy, Deterrence 2.0, so that we are not being purely defensive, that there is an offensive capability and that our adversaries understand that and that there is some kind of risk involved with their continuing to prod our grid. I really appreciate the testimony here today and look forward to working with you. If you have suggestions or input how we can--and I take your suggestion, Mr. Bardee, that FERC should be part of that committee that analyzes what the labs and the utilities come up with. So, I think that's a good suggestion. We will add that to the bill. Thank you. Thank you, Gentlemen.

Senator Gardner. Thank you. Senator Franken.

Senator Franken. Thank you, Mr. Chairman. Earlier this month, President Trump released his budget blueprint which calls for an overall cut of $1.7 billion to the Energy Department. The budget slashes investment in both basic and applied energy research and development, including the complete elimination of ARPA-E. More broadly, these cuts would threaten the expertise found at our national labs, a resource that is the envy of the world. One of the programs specifically mentioned for significant cuts is the Office of Electricity Delivery and Energy Reliability. Now, both our national labs in the Office of Electricity are engaged in critical work regarding cybersecurity. Mr. Di Stasio, your testimony mentions close coordination between your industry and the DOE Office of Electricity. Can you elaborate on that collaboration and what severe cuts to that office would mean from an industry perspective?

Mr. Di Stasio. Yes, Senator. We've worked closely with the Office of Energy Delivery and Reliability, both on the development of smart technologies to advance smart grid and so forth, but also on reliability risks related to cyber. It was mentioned earlier one of the acronyms of CRISP is essentially a tool to allow the triangulation of threat trends across multiple systems versus individual systems dealing with it by themselves, and we worked with the Office of Energy Delivery and Reliability to help better understand that and also to get it with our members so that we could get more folks to join up. We have also worked closely, their office has been instrumental, in developing the request that came out of the FAST Act that was passed in 2015 that directed us to have an essential transformer spare system and also to deal with transportation.

Senator Franken. How is that working?

Mr. Di Stasio. Well, it's yet to be communicated back to the office.

Senator Franken. Because we had the physical assault on the transformers and----

Mr. Di Stasio. Well, so the issue is that there's a discrete number of very large transformers that pose, kind of, a disproportionate impact on the grid, should they be impacted. And actually, an analysis, and I was complimenting Dr. Zacharia, was done by Oak Ridge labs to identify what the threat landscape looked like in utility planning terms. That technical analysis then went to DOE, who in fact, is then supposed to come back to Congress, through House Energy and Commerce, to provide a report on what we should do. So those are just two examples where this office has been a critical interface for us as utilities, with the Federal Government and that capacity.
If it didn't exist in that office, it needs to exist somewhere because it's very important work. Senator Franken. So, again, what do these kinds of Draconian cuts, what will that mean to your work, Mr. Fowke? Mr. Fowke. I don't know, Senator, but I can give you a definitive answer on that. I know the research is important and if these budget cuts cut some of the research out that we're talking about here, I think the whole---- Senator Franken. They are going to. Mr. Fowke. ----would suffer for it. Senator Franken. Okay. The majority of severe power outages are weather related. Heat waves diminish the performance of our electrical system and at the same time cause extreme loads as people run their air conditioners. Droughts cause outages because they impact lower hydropower reserves and smaller supply of cooling water for coal and nuclear plants. Hurricanes and flooding can cause widespread outages, damaging both the grid and generation facilities. The Transportation bill we passed in 2015 provides the Energy Secretary with the authority to address grid-related security emergencies caused by cyberattacks, physical attacks, electromagnetic pulses or geomagnetic disturbances. Conspicuously, conspicuously absent is the biggest actual threat to the grid, outages by extreme weather which we will be seeing more as climate changes. The recently released Quadrennial Energy Review notes that cyber terrorists are likely to use natural disasters as force multipliers, to quote the report, ``By timing grid attacks to correspond with natural disasters, intelligent multi-site attacks by knowledgeable attackers targeting the specialized components, could result in widespread, long-term, power outages from which it could take several weeks to recover.'' How well is your industry prepared to deal with multiple, simultaneous problems? How might timing a cyberattack to correspond with a weather-related problem amplify the impact of the attack? That is for anyone. Mr. Fowke. 
Senator, I think that's a great question, and I think it would be naive to think that the bad guys would only attack us on a good day. And so, what our industry is drilling constantly around is exactly that, a physical or a storm outage, natural disaster, combined with a cyberattack because if you then take out communications you start to get to a situation where you're not sure if it's cyber or if it's physical or if you can count on the signals that you're getting from your grid. So, it gets back to how do we operate this grid blind? How do we coordinate with each other? How do we assume the telecom, telecommunications will be operating? We did it an elaborate grid exercise a couple years ago, and I think we learned a lot. But I think we also found that there's a lot of resilience built into the grid too. But we can't drill enough on that. Senator Gardner. Senator Heinrich. Senator Heinrich. Thank you, Chairman. For either or both, Mr. Fowke or Mr. Di Stasio, one of the issues we follow very closely on the Intelligence Committee is how we monitor individuals that are suspected of being already involved in terrorist activities. You can imagine these are exactly the people that you do not want running your critical control centers. What personnel controls does the utility industry have in place when conducting security clearances, background checks, and do you think they are sufficient? In addition, are there additional federal resources, like the FBI's Terrorist Screening Center, that could potentially improve that process for the industry, if you had access to those? Mr. Di Stasio. Senator, that is a concern because the human resources element of cyber is a significant risk as well. Most all of us, by requirements of standards and also our personnel policies, make sure that we tightly control ingress and egress. We do have advanced background checks for certain sensitive classifications. 
I will say in the recent past our national association, the American Public Power Association, as well as others, have been working with the FBI to get access to advanced background screening for certain personnel. And that language is being considered and developed now. Senator Heinrich. Great. Mr. Di Stasio. I think, I do think, it's an important point not to overlook that while some progress has been made, more needs to be made and especially given the fact that there's diversity of state policy around this. Again, I represent municipal utilities, so we also have different sunshine laws in different states and different statutes. Senator Heinrich. Yes. Mr. Di Stasio. And so, trying to harmonize all of that into something coherent is a fairly significant undertaking. But it is on the radar screen, if you will, as how to best deal with some of the human resource issues. Senator Heinrich. Mr. Fowke, I believe you mentioned the time-based challenge of getting security clearances. Was that you? Mr. Fowke. Yes. Senator Heinrich. The bottleneck there, is it personnel or funding to do the analysis for those clearances and is that all on the Federal Government side of the ledger? Mr. Fowke. Well, it's an elaborate process, as you know, and so I think it's a time-based manual effort. It's the manpower which translates to the funding, I would assume. Senator Heinrich. If that funding is reduced over the course of the budget process, what would that mean for being able to adequately manage that risk? Mr. Fowke. Well, if the funding came out of that aspect of the security clearance, then I would suspect it would slow it down. And right now, as I mentioned, it's six to eight months. Senator Heinrich. Pretty slow as it is. Mr. Fowke. Yes. Senator Heinrich. Okay. Mr. Bardee, I am pretty excited about FERC's proposed rule on energy storage and distributed energy resources, participating in organized wholesale markets. 
With these additional players from the distribution side participating in the bulk power market, does the Federal Power Act provide FERC sufficient authority to assure both security and reliability of the grid? Mr. Bardee. Senator, that's an issue we need to do more work on. Those types of resources bring value to the markets because they diversify our sources of supply, but at the same time, ensuring that the grid can be operated reliably by having visibility of what those resources will do under certain circumstances and having control, if necessary, is difficult under the structure we have now where FERC is responsible for the Bulk-Power System and states are responsible for the local distribution systems that many of these resources connect to. So, I think we are very much looking at that issue, trying to be creative about ways we can address that issue. And I know the industry is too, because they're as much focused on that issue as we are. Solutions are not easy though. Senator Heinrich. I think that is going to be particularly important. It is pretty clear that that is the direction markets are headed. And I think we are going to see more DERs. We are going to see more demand response. We are going to see more storage. All aggregated in, you know, spread across the grid and getting the rules of the road worked out at the front end rather than responding to issues as they arise is going to be particularly important. Thank you, Mr. Chairman. Senator Gardner. Thank you very much. If members want to stick around, we will go ahead and have another round of questions, if you do not mind. I wanted to just highlight a couple of things based on what has already been brought up. Mr. Fowke, you mentioned you have about 100 people working in cybersecurity or security areas where just a short time ago you didn't really have any. Is that correct? Mr. Fowke. That's correct. Senator Gardner. Mr. Bardee, how many people at FERC have expertise in cyber? Mr. Bardee. 
On my staff, about 25 and in other places, maybe another 20. Senator Gardner. And what is the total staff? Mr. Bardee. Total staff of the agency is about 1,400. Senator Gardner. Fourteen hundred. What would it have been two or three years ago? Mr. Bardee. Cybersecurity was a smaller part. If you went back several years, a very small part. Senator Gardner. Yes. Mr. Di Stasio, the Cyber Mutual Assistance Program that you talked about in your testimony and others talked about in their testimony, 10 years ago today in Holly, Colorado, there was a tornado, a very devastating tornado. We saw a lot of utilities from around the region, around the country, come together to fix the physical damage that had occurred, the power lines, the telephone poles, utilities, you name it. This Cyber Mutual Assistance Program seems to be the same thing, but in a digital sense. But yet, we seem to only have about 100 members participating today out of the 3,000 utilities in the country. Why is that? Why don't we see more people involved? Mr. Di Stasio. I think, Senator, or Chairman, I think it will continue to grow. The reality is across those 93 utilities that are current members to the Cyber Mutual Assistance Task Force, they probably represent a significant number of customers in states. And again, if you think about this issue of prioritizing the risk, just as we've done with NERC where we have both high, medium and low risks and as Mr. Bardee mentioned, we're now getting to the low risks, but the high and medium have been addressed first. And I would suggest that we could certainly provide it in the record the numbers of customers and systems that are represented across those 93. So, it's not a straight calculation. Senator Gardner. Thank you. Mr. Bardee, Mr. Fowke, in terms of the numbers of people working in cyber, is there a workforce need that you see that Congress could help with in terms of developing a greater workforce in cyber? Mr. Fowke. 
Well, it's not an easy position to fill, I can tell you that, Mr. Chairman. And where we are typically filling it or quite often we're filling it for the military ranks. It's one of the things we're focused on at Xcel Energy, just on the broad sense. But I think a program within the military that would help transition vets to civilian and give them those cyber type training, that they will be able to apply in the civil world, would be an absolutely great program. If you think about it, many of them already have a security clearance, as some of the other problems that I was suggesting that could be readily transferred over, it's my understanding. So, that, to me, is a great opportunity. Senator Gardner. Thank you. Dr. Zacharia, exascale computing is the next big step in advanced computational research efforts led by the DOE labs. Would these expanded national lab capabilities enable critical infrastructure cyberattack scenario evaluation and protection plan evaluation? And if so, could you talk about the labs that would be involved in that exercise? Dr. Zacharia. Thank you, Mr. Chairman. Exascale computing program is actually a program that is led by multiple laboratories. The leadership is actually six labs and Oak Ridge National Laboratory has a responsibility to deliver the project. One of the things that the department has done in terms of deploying the exascale is simultaneously there is a program to deliver up the applications that will run on these machines when these machines are deployed. And so, these are, sort of, called codex signs and in the area of cybersecurity there are a number of such programs that have been started, like typically what DOE Office of Science does, is that there is RFP and the peer review, call for proposals peer review, and the selection of the best proposals. And I can tell you that in the area of cyber there is a co- design project that is led by your laboratory, the National Renewable Energy Laboratory. Senator Gardner. 
Could you say that again? I am sorry, what was that? [Laughter.] Dr. Zacharia. I think one of her finest actually is the Director of NREL, so NREL and PNNL are co-leading that activity for us, for the exascale computing project, and it's really critical. And if I may add, Senator, early on there was a discussion about the Office of Electricity. One of things that the Office of Electricity, one of the programs that they have is EAGLE-I, which is a situational awareness program that actually gets information in a region that services about 100 million users. The other thing that exascale computers allow you to do is to take that information, real time, digest that information and be part of a proactive way of both understanding the vulnerability of the grid as well as unloads on that so you can make preventative measures and be aware, grid aware strategy, for cybersecurity. Senator Gardner. Great. Thank you. Senator Cortez Masto, if you would like to go a second round? Senator Cortez Masto. Thank you, Mr. Chair. And very quickly because, obviously, this is a complicated, complicated issue that we are dealing with here, and I am struck by what I am hearing. Mr. Fowke, I think you said it clearly in your speaking points when you said the national policy on cybersecurity is uncoordinated and unfocused. That has been my concern from a state perspective watching what is happening. I am curious, and I am going to open this up to the panel. Is there a model out there? Is there something that we should be looking at that the states may have come up with that is a great model for us to be looking at at the federal level? Or is there something that you can give us hope where we should be looking to address cybersecurity in general across this country? Mr. Fowke. I think we should look at state level. I think that the fusion centers that you might have heard about, Senator. I think they can work very well. I also think we ought to look overseas. 
I mean, there are nations, albeit, much smaller than the USA that, I think, coordinate much better than we do in the United States. And I think we should be open to best practices wherever they are. Senator Cortez Masto. Thank you. Mr. Di Stasio. Senator, one of the things that we also got a lot of value out of was undertaking after a Presidential Order or Directive in 2014, to talk about coordination across the federal agencies. We responded to that and developed what was called, and worked with DOE, actually, on what was called a maturity model. And so, part of that is, I think, we would prefer to--we've got a very robust cyber compliance and enforcement program through the NERC standards, directed by FERC. We would like to be able to build upon that regime. We also talked about the Electric Subsector Coordinating Council, the work with DOE, the work with DHS, some of the suggestions in S. 79. I do think we've come a long way. We certainly have a greater ways to go, but I feel like we've got some of the essential building blocks in place dealing with some of these things like clearances, timely and actionable information sharing and the work that the labs can do to enhance situational awareness. All of those, to me, provide the next rounding out of the current state of mitigation of these risks. Senator Cortez Masto. Thank you. I appreciate the comments. Thank you, Mr. Chair. Senator Gardner. Senator King. Senator King. I have a very quick follow-up on that. Is there a central clearinghouse of hacks where there is one place where a grid operator can look and say, okay, here is what is going on in Pennsylvania? Here is what is going on in California? Is there a central website? I hesitate to use the term because maybe that is not what you want in this situation, but someplace where this--I am after how good the communication and coordination really is. Mr. Di Stasio. 
The place that's most closely associated with that type of a description is really the E-ISAC which is the information center and clearinghouse. They actually---- Senator King. Is that government or is that private sector? Mr. Di Stasio. It's government, and they actually have a watch floor program that operators can go and participate. I've actually had the opportunity to go in there myself. And they look at a variety of, not just cyber, but all types of potential threats and disruptions to the grid and that becomes, probably, the most robust information sharing source we have. Mr. Fowke. I might just add, I think, the gold standard for ISACs is the FS-ISAC. That's the financial services ISAC, and they actually are now talking machine to machine. It's much more private sector versus government-oriented. But we recently joined it and we were the first electric utility to do that. I think there will be more because it's one more channel and one more sector coordination, where we talk about coordination, that's right available to us and we're already getting good information from that. But to me, it also pushes the issues that I've been saying before, we're not, not only it's federal agencies not coordinating. We're not coordinating across sectors as well as we should too. And these ISACs, if they were better coordinated together, I think that would be a great opportunity. Senator King. I think that is a very good point because if there is going to be an attack it probably will not be just one sector, it could be electricity, gas, financial and coordinating across sectors, I think, would be very important. Mr. Chairman, I want to thank you for this hearing, and I want to thank our witnesses. This has been very illuminating. Hopefully our discussion doesn't have to end today. 
As you are going home and you think, I should have said this or here is a suggestion, please pass it back to the Committee because this is an area of absolutely vital concern and could not be more important to the people that we all represent. So thank you very much for your testimony. Thank you, Mr. Chairman. Senator Gardner. Thank you. The good news is for all of you the record will remain open for two weeks if you would like to add that additional thought. For the information of members, questions for the record are due tomorrow by close of business, and we would appreciate your responses as soon as possible. A final question, or maybe comments, if I could, starting with you, Mr. Bardee. As we close this hearing today, and I do truly appreciate your time and testimony today because this is a very useful exercise as we learn more about the problem ourselves and challenge ourselves and try to do our best to coordinate the moving pieces of this. If each of you could give one or two things to summarize your top recommendations of Congressional action that would enhance our grid cybersecurity preparedness or response capabilities, what would it be? You have talked a lot about it here at the hearing, but maybe you can summarize that again, the top two recommendations. Mr. Bardee. I think from my perspective dealing with electric reliability. One of them is actually bills like S. 79, ensuring that we can get the research that it is difficult for the private sector to commit as much in the way of resources for. Senator Gardner. Thank you for that. Mr. Bardee. And the other would be if there are ways to improve the kind of personnel training that Mr. Fowke was discussing earlier to get us people who have skills, not just in cybersecurity, but also in power system engineering. Those people are very valuable. Senator Gardner. Mr. Fowke? Mr. Fowke. Well, I said a lot about information sharing so I'll say something I didn't say yet. 
We talk about sophisticated cyberattacks and they are growing, but you know how most attacks occur? Not following basic cyber hygiene. And that's how a lot of this gets started. So I think we need to start thinking about how we can educate and, I dare say, mandate some basic cyber standards across industry and government which, I think, is long overdue. Senator Gardner. Mr. Di Stasio? Mr. Di Stasio. I would suggest that we build upon the regulatory framework and the coordination that is starting to occur. We have been at this for 10 years and I will say 2009 in the House, I testified on the Grid Act. And we have come a very long way since then but still have quite a bit to do. But if we could deal with some of the issues that have been mentioned around clearances, human resource training, getting a certain level of maturity and understanding of the risks and then increase coordination with the government, whether that becomes through some consolidation of jurisdictions or whether we do it as we have. Senator Gardner. Dr. Zacharia? Dr. Zacharia. Let me echo the sentiment I think that the Senate bill 79 has it exactly right. In that based on our experience with working with the Electric Power Board Utility in Chattanooga, I think having a pilot where you bring together the Federal Government, industry and the national laboratories, the best of these three entities together to have a two-year pilot to really explore what is possible to get out in front of this evolving challenge is probably the best thing that we can do because bringing those three players together, getting them to work together, share information, understand each other's both capabilities and challenges, I think would allow us to make significant progress. So, thank you very much for this opportunity. Senator Gardner. Well, thanks again to members of the Committee. As I said, the QFRs are due tomorrow by close of business. We appreciate your time and testimony today. 
With that, we will adjourn the Committee. [Whereupon, at 3:42 p.m. the hearing was adjourned.] APPENDIX MATERIAL SUBMITTED ---------- [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]