[Senate Hearing 115-262]
[From the U.S. Government Publishing Office]
S. Hrg. 115-262
CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY
ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE
SECURING ENERGY INFRASTRUCTURE ACT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON ENERGY
OF THE
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
MARCH 28, 2017
__________
Printed for the use of the
Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
24-977 WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ENERGY AND NATURAL RESOURCES
LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho RON WYDEN, Oregon
MIKE LEE, Utah BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona DEBBIE STABENOW, Michigan
STEVE DAINES, Montana AL FRANKEN, Minnesota
CORY GARDNER, Colorado JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama CATHERINE CORTEZ MASTO, Nevada
------
Subcommittee on Energy
CORY GARDNER, Chairman
JAMES E. RISCH JOE MANCHIN III
JEFF FLAKE RON WYDEN
STEVE DAINES BERNARD SANDERS
LAMAR ALEXANDER AL FRANKEN
JOHN HOEVEN MARTIN HEINRICH
BILL CASSIDY ANGUS S. KING, JR.
ROB PORTMAN TAMMY DUCKWORTH
LUTHER STRANGE CATHERINE CORTEZ MASTO
Colin Hayes, Staff Director
Patrick J. McCormick III, Chief Counsel
Brianne Miller, Senior Professional Staff Member and Energy Policy
Advisor
Angela Becker-Dippmann, Democratic Staff Director
Sam E. Fowler, Democratic Chief Counsel
David Gillers, Democratic Senior Counsel
CONTENTS
----------
OPENING STATEMENTS
Gardner, Hon. Cory, Subcommittee Chairman and a U.S. Senator from Colorado
Manchin III, Hon. Joe, Subcommittee Ranking Member and a U.S. Senator from West Virginia
King, Jr., Hon. Angus S., a U.S. Senator from Maine
Alexander, Hon. Lamar, a U.S. Senator from Tennessee
Franken, Hon. Al, a U.S. Senator from Minnesota
WITNESSES
Bardee, Michael, Director, Office of Electric Reliability, Federal Energy Regulatory Commission
Fowke III, Benjamin, Chairman of the Board, President & Chief Executive Officer, Xcel Energy Inc.
Di Stasio, John, President, Large Public Power Council
Zacharia, Dr. Thomas, Deputy Director for Science and Technology, Oak Ridge National Laboratory
ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED
Alexander, Hon. Lamar:
    Opening Statement
American Public Power Association, Edison Electric Institute, and the National Rural Electric Cooperative Association:
    Statement for the Record
Bardee, Michael:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Di Stasio, John:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Fowke III, Benjamin:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Franken, Hon. Al:
    Opening Statement
Gardner, Hon. Cory:
    Opening Statement
King, Jr., Hon. Angus S.:
    Opening Statement
Manchin III, Hon. Joe:
    Opening Statement
S. 79, the Securing Energy Infrastructure Act
U.S. Department of Energy:
    Statement for the Record
Zacharia, Dr. Thomas:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY
ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE
SECURING ENERGY INFRASTRUCTURE ACT
----------
TUESDAY, MARCH 28, 2017
U.S. Senate,
Subcommittee on Energy,
Committee on Energy and Natural Resources,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:17 p.m. in
Room SD-366, Dirksen Senate Office Building, Hon. Cory Gardner,
Chairman of the Subcommittee, presiding.
OPENING STATEMENT OF HON. CORY GARDNER,
U.S. SENATOR FROM COLORADO
Senator Gardner [presiding]. We will go ahead and get the
Subcommittee started. Senator Manchin will be joining us
shortly, but thank you very much, as we call this Subcommittee
hearing to order.
Good afternoon. This is the Subcommittee on Energy's first
115th Congress hearing. I am honored to chair the Subcommittee
this Congress and look forward to working with the
Subcommittee's Ranking Member, Senator Manchin.
The Energy Subcommittee is certainly important to my home
state of Colorado. In Colorado, we have coal in the
northwestern part of the state, oil on the western slope,
natural gas and wind on the eastern plains and solar in the San
Luis Valley. We are truly an all-of-the-above energy state and
very proud of that fact.
We are also home to the Department of Energy's National
Renewable Energy Laboratory which is instrumental in research
and development for new technologies in advancing grid
modernization, renewable energy and energy efficiency that will
transform the marketplace.
As Chairman, I look forward to promoting a strong and
responsible energy policy that is critical to unleashing the
nation's energy potential, and I look forward to using the
Subcommittee to advance policies that benefit Coloradans and
all Americans.
Today the Subcommittee will examine the cybersecurity
threats to the U.S. electric grid and technology advancements
to minimize such threats and receive testimony on Senate bill
79, the Securing Energy Infrastructure Act. We will discuss the
risks we face and the actions we should follow to protect our
energy infrastructure from the impact of cyberattacks. In
addition to defensive strategies, I am also interested in
discussing whether there is a need to build preparedness and
response capabilities in case of a long-term, widespread
outage.
The American people and American businesses depend on
reliable and affordable electricity. These same customers
expect the over 3,000 utilities in our country to be thinking
ahead, coordinating actions and being responsive to our
evolving demands.
If we are not prepared for cyberattacks, a Ukraine-like
situation could take place in the United States. In 2015 an
attack on power companies in Ukraine resulted in 225,000
Ukrainians losing power. Last December there was an attack in
Ukraine that resulted in another round of power outages but the
strategy on the Ukrainian grid was more complex than the year
before.
Hackers are certainly trying to create that kind of havoc
here in the United States. One U.S. utility CEO has said, ``If
I were to share with you the number of attacks that come into
the network every day, you would be astounded.'' And it is not
from people working out of their garage. It is from nation
states that are trying to penetrate systems.
I am encouraged to see that industry through the
Electricity Sector Coordinating Council is working to
collaborate and create best practices and partnerships with the
government.
The government and industry have also made great strides in
cybersecurity through the creation of the National Institute of
Standards and Technology, or NIST, cybersecurity framework, and
the Electricity Information Sharing and Analysis Center (E-ISAC).
It is concerning, however, that we continue to hear of
attacks from so many fronts. Hackers are going after personal
information and personal accounts that can be disastrous and
financially painful for those affected. We hear of ransomware
attacks requiring payments to resume access to machines and
controls. We hear of millions of dollars being spent across
industry and government to protect from these ever-changing
threats to our national progress.
The questions that loom, however, are how, when, where is
that next cyberattack going to happen? Are we prepared to
react?
I am hopeful that through this hearing and the opportunity
we have to hear your testimony today and in the coming months
we can strengthen both our preparedness and our response
capabilities.
I already see opportunities to enhance our cyber workforce
and the need to gain clarity on the coordinated response
actions of the Department of Energy Secretary and industry
leaders. I am hopeful that we will uncover additional
opportunities today.
With that, if you are ready, I will turn it over to our
Ranking Member, Senator Manchin, from West Virginia.
STATEMENT OF HON. JOE MANCHIN III,
U.S. SENATOR FROM WEST VIRGINIA
Senator Manchin. Thank you, Mr. Chairman. I want to thank
you for scheduling this hearing and for your work on this
important issue.
Now I want to thank all of you for being here today, and I
am looking forward to the quality of discussions ahead.
I think our states all have a lot in common, particularly
because both of our states are domestic energy exporters. I
think we both recognize the importance of that role in this
nation.
I also want to thank Senators King, Heinrich and Cortez
Masto for the roles that they are playing in leadership on this
issue.
I appreciate that our witnesses are joining us today for
this very timely discussion about the critical nature of our
electrical grid and the very real cyber and physical threats
that we face.
The electric grid is essential to our lives and is also the
lifeblood of the economy. The grid moves power, hundreds, if
not thousands, of miles to our houses, offices, and supplies
factories, every day. People and businesses in the northeast
and mid-Atlantic states are heavily dependent on a well-functioning
grid to access power generated in my home state of
West Virginia.
The Energy Information Administration (EIA) reports that in
2014 West Virginia produced over 80,000 kilowatt hours of
electricity, and the EIA consistently reports that West
Virginia typically exports more electricity than it consumes.
West Virginia's neighbors, Maryland, Virginia, Washington, DC,
and others, depend on us for reliable electric generation, not
to mention coal and natural gas production.
Whether because of a cyber or physical attack or some other
energy disruption, imagine what it would be like if West
Virginia stopped producing and delivering energy. Instances
like the Polar Vortex quickly become even more dangerous and
likely tragic. The secure and reliable transportation of energy
is vitally important to our state's economy and to the safety
and health of our citizens in those neighboring states.
So I believe today's hearing is an important start to a
longer conversation about the security of our grid. As the
electric industry has increased its reliance on digital
technologies to better serve consumers, the grid has grown more
vulnerable to cyberattack.
In December 2015, the first successful cyberattack took
place against part of Ukraine's electric grid, demonstrating
that shutting down the grid is a real possibility. Several
hundred thousand customers were without power for several hours
and many experts suggest that Russia was responsible.
A year later, in December 2016, there was another power
outage, this time in Northern Kiev, Ukraine. For approximately
one hour, according to the affected Ukrainian power company, a
blackout was caused by a cyberattack which was very similar to
the allegedly Russian cyberattack on Ukraine's grid a year
prior.
Many cyber experts have come to the conclusion that it is
not a question of if, but a question of when, a massive attack
on our grid will occur. We must do everything we can to protect
and prepare including hardening our networks to protect the
grid and ensure the continued reliable delivery of electricity.
But we also need to focus on emergency preparedness and
incident response to minimize the effects of a potential
attack. That is why the King/Risch/Collins/Heinrich bill is a
step in the right direction. Senate bill 79 would establish a
two-year pilot program within the national labs to research and
test technology that could be used to isolate and protect the
most critical systems of the electric grid. It would also
establish a working group to evaluate the proposals of the
pilot program and to develop a national cyber-informed
engineering strategy.
Mr. Chairman, the 2013 attack on the Pacific Gas and
Electric Substation in Metcalf, California, reminds us that the
threats to our grid are not limited to cyberspace. According to
press reports, the Federal Energy Regulatory Commission, or
FERC as we know it, has identified a small number of critical
group-related facilities that, if physically attacked, could
significantly impair the ability of utilities to keep the
lights on.
Keeping America's energy network secure from cyber and
physical intrusion is critical as new technologies and threats
continue to emerge from transnational, organized crime,
terrorist groups and hostile foreign governments.
The argument goes that the smarter and more connected the
power grid becomes, the more vulnerable it becomes. I am sure
you are familiar with the scale we are talking about. The
Department of Homeland Security reported that 56 percent of
cyber incidents against critical infrastructure in 2013 were
directed at energy infrastructure, mostly on the electric grid.
While the number has shrunk to 16 percent in 2015, there is
much more to be done.
That is why I supported the Energy Policy Modernization Act
of 2016 that Chairman Murkowski and Ranking Member Cantwell
worked so hard to get passed out of Committee and finally out
of the Senate by a vote of 85 to 12. It does not happen often
here. The bill included a cyber energy section that I supported
when it passed the Senate.
The cyber energy section directed the Secretary of Energy
to carry out an energy/cybersecurity workforce development
program. It also directed the Secretary of Energy to carry out
a supply chain testing program for grid components. As more and
more of our grid's components are both network enabled as well
as manufactured abroad, we need to be sure that every piece of
our national security assets has been rigorously vetted. It
also proposed to double the Department's current investments in
all energy/cybersecurity programs, and encouraged the
Department of Energy to work hand in hand with the private
sector. This recognizes the importance of aligning government
capabilities with the needs of industry actors that are dealing
with potential threats to our grid every day.
Unfortunately, Congress adjourned last year before the
Conference Committee was able to complete its work on this
legislation, but the need to act still remains.
The ability to deliver energy quickly, securely and without
interruption is something that West Virginia prides itself on,
which is why I am particularly appreciative of Senator King's
passion for this issue. Senator Heinrich and Senator Risch's
ongoing efforts on this bill are also to be applauded. I also
want to thank the Chair for holding this hearing, which was
much needed.
I look forward to the testimony of our witnesses.
Senator Gardner. Thank you, Senator Manchin.
Before we introduce the witnesses today, Senator King, if
you would like to say a few words about S. 79, the Securing
Energy and Infrastructure Act.
STATEMENT OF HON. ANGUS S. KING, JR.,
U.S. SENATOR FROM MAINE
Senator King. Thank you, Mr. Chairman.
You both have quite eloquently outlined the need. I, in
addition to this Committee, sit on both the Armed Services and
Intelligence Committees. Over the past four years we have had
dozens, if not hundreds, of warnings of cyberattacks against
critical infrastructure, and the grid certainly qualifies for
that. I characterize what we are looking at now as the longest
windup for a punch in world history. We know it is coming, we
just don't know where and when and the risks are enormous.
The second thing I wanted to say is that there is no single
solution to this problem. The utilities themselves have done
amazing and wonderful work in defending themselves. FERC has
worked with them. There are lots of solutions percolating
around the pilot program that is proposed in S. 79 that
basically came out of work that was a result of the Ukraine
hack in 2015. In this attack they found that one of the reasons
the Ukrainian grid was able to be resilient was that there were
some old-fashioned analog switches, and perhaps even places
where old Dimitri with his dog had to go out and pull a switch,
that saved the grid from a real catastrophe.
What we are talking about here is not rebuilding or
reengineering the entire grid, but to really ask the question,
are there some back to the future answers at critical points
that might protect us from the kind of attack we know is
coming?
It is no coincidence that the four principal sponsors of
this bill, myself, Senator Risch, Senator Heinrich and Senator
Collins are also all on the Intelligence Committee, and our
work on this bill really started in that Committee and has
carried through on to this Committee.
So I look forward to the hearing. I appreciate your calling
it.
The other thing I want to express is that time is running
out. I do not want to go home to my constituents in the middle
of a blackout and say well, we might have gotten to this, but
we had different committees that had jurisdiction and we really
could not quite get at it in the Conference Committee. That is
not going to cut it.
I think this qualifies as an emergency, and I hope that we
can act promptly. I hope that this is a bill that might get the
level of support that it could go through on its own without
waiting for a more comprehensive energy bill because that
endangers, I think, our taking a practical step that could be
of significant help to us.
Thank you, Mr. Chairman.
Senator Gardner. Thank you, Senator King.
Before we do the formal introductions, we have two members
of the Committee that may wish to say a word or two about our
witnesses today.
Senator Alexander.
STATEMENT OF HON. LAMAR ALEXANDER,
U.S. SENATOR FROM TENNESSEE
Senator Alexander. Thank you, Senator Gardner.
I am delighted to welcome Dr. Thomas Zacharia to the
Committee. He is the Deputy Director for Science and Technology
at the Oak Ridge National Laboratory and presides over one of
the largest research budgets in our country. I will say two
things about him.
One is he developed the computer program at Oak Ridge which
has produced the fastest computers in the United States, in any
event. And next year, in 2018, there will be a computer five
times as fast. That was his doing and his leadership. So he can
speak with authority to the question of what can supercomputing
do to help us with cybersecurity, with the grid, with waste,
fraud and abuse and Medicaid and Medicare--anything that has to
do with data manipulation, Thomas knows how to build and
operate the fastest computers in the world.
Second, the Oak Ridge Laboratory is the largest science and
energy laboratory, and he works with a lot of people. He is
very well respected by all of the people with whom he works.
So I welcome him here and look forward to his testimony.
Senator Gardner. Thank you, Senator Alexander.
Senator Franken.
STATEMENT OF HON. AL FRANKEN,
U.S. SENATOR FROM MINNESOTA
Senator Franken. Senator Gardner, Xcel may operate in
Colorado, but it is headquartered in Minneapolis.
[Laughter.]
Xcel also serves more than one million people in the Twin
Cities area. So, I want to welcome Ben Fowke here today. Thank
you, sir.
I know we are going to be discussing cybersecurity, and I
look forward to hearing your thoughts on that crucial subject
as well as your role on the National Infrastructure Advisory
Council which advises the President on crucial infrastructure
activity.
But first, I want to commend Xcel for being a leader in
generating clean energy and reducing carbon emissions. More
than 50 percent of the electricity you supply in Minnesota
comes from wind, hydro, solar, biomass or nuclear. This helps
us reduce emissions.
Your company is on track to reduce greenhouse emissions to
30 percent of 2005 levels by 2020, and you are not stopping
there. You have just announced that you are going to add an
additional 3,380 megawatts of wind capacity across seven
states.
We are very proud of what Minnesota has done since Governor
Pawlenty signed in our renewable energy standard and our energy
efficiency resource standards.
I want to thank you for Xcel's leadership, for your
personal leadership, and for showing how we can transition to
clean sources of electricity while keeping rates low.
I look forward to your testimony, and I think it is
terrific that you also operate in other states.
[Laughter.]
Senator Gardner. Yes. And I, Mr. Fowke, would echo that.
Thanks for making it clear to me as a kid who grew up on the
eastern plains of Colorado, the dam wind isn't just one word.
You can actually do something with it.
[Laughter.]
So, thank you.
In addition to Mr. Fowke and Dr. Zacharia, we are also
joined by Michael Bardee, the Director of the Office of
Electric Reliability at the Federal Energy Regulatory
Commission (FERC), and Mr. John Di Stasio, President of the
Large Public Power Council.
Thanks to all of you for being here and your time and
testimony today.
Mr. Bardee, if you would like to begin with your testimony?
Thank you.
STATEMENT OF MICHAEL BARDEE, DIRECTOR, OFFICE OF ELECTRIC
RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. Bardee. Thank you, Chairman Gardner.
Chairman and members of the Subcommittee, thank you for the
opportunity to testify. My name is Michael Bardee, and I'm the
Director of FERC's Office of Electric Reliability. I am here
today as a Commission staff witness and my remarks do not
necessarily represent the views of the Commission or any
individual Commissioner.
In the Energy Policy Act of 2005 Congress gave the
Commission a responsibility to oversee mandatory, enforceable
reliability standards for the nation's Bulk-Power System,
excluding Alaska and Hawaii. Cybersecurity is an important part
of this responsibility.
In 2008, the Commission approved NERC's first set of
cybersecurity or CIP standards while also directing NERC to
develop changes. Since then, the Commission has approved
various changes to the CIP standards. Last year, utilities
implemented version five of the CIP standards for high and
medium impact assets. This year, utilities are implementing
version five for low-impact assets.
Last July, the Commission directed NERC to develop a
standard on supply chain risk management. There is no
requirement for any specific controls, nor did FERC seek one
size fits all requirements. Instead, FERC said the standard
should define the objectives while allowing flexibility on how
to meet those objectives. NERC is working on a standard now and
is due to submit it to the Commission in September.
Also in July, FERC sought public comment on whether to
modify the CIP standards for the protection of control centers
used to monitor and control the Bulk-Power System. FERC cited
the 2015 cyberattack on the grid in Ukraine as an example of
how cyber systems used to operate and maintain a grid, unless
protected adequately, can create cyber risks. FERC is reviewing
the comments submitted in response and considering whether
further action is appropriate on these issues.
While mandatory standards are an important part of the
Commission's work on cybersecurity, FERC also worked with
industry in other ways, sharing information, encouraging best
practices and providing assistance when requested, including
through our Office of Energy Infrastructure Security.
The goal of these efforts is to mitigate the risk of a
cyber incident, but if such an event ever does happen, the
industry also needs to be prepared to restore the grid. For
this reason, last year, FERC completed a report with NERC and
its regional entities on grid restoration and recovery. The
report was based on working closely with a number of utilities
and recommended various practices and additional studies. Work
on those additional studies is ongoing.
The work proposed in S. 79 could help utilities to maintain
a secure electric grid. Utilities have come to rely
increasingly on digital tools for operating the Bulk-Power
System. A broad scale reversion to predigital technology is
uneconomic, unjustified and perhaps even impossible.
S. 79 focuses on only the most critical systems of the
covered entities. Also, S. 79 does not require adoption of any
particular technology and instead requires only research and
testing. Any decision on implementation would be made only
after sufficient research and testing.
I would suggest one small change to S. 79 and that is to
add FERC to the list of entities specifically included as a
member of the working group in the bill.
Thank you for allowing me to testify today. I would be glad
to address any questions you may have.
[The prepared statement of Mr. Bardee follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator Gardner. Thank you, Mr. Bardee.
Mr. Fowke.
STATEMENT OF BENJAMIN FOWKE III, CHAIRMAN OF THE BOARD,
PRESIDENT & CHIEF EXECUTIVE OFFICER, XCEL ENERGY INC.
Mr. Fowke. Senator Gardner, thank you for the invitation to
speak at this important event. My name is Ben Fowke, and I'm
the CEO of Xcel Energy. We're an energy company serving 3.5
million electric customers and two million natural gas
customers in eight western and mid-western states.
I'm also a member of the Electric Sector Coordinating
Council, or ESCC, and a member of the National Infrastructure
Advisory Council, or NIAC, which advises the President on the
protection of critical infrastructure.
Today I want to give you Xcel Energy's perspective on
cybersecurity. Our modern society depends on electricity. Left
unprotected from cyberthreats, the grid and electric service we
all depend on could be at risk. Fortunately, Xcel Energy and
other utilities have cybersecurity programs designed to adapt
and to respond to this growing threat. And while no program is
perfect, I believe that our industry's approach should give the
Subcommittee increased confidence in the grid security. That
confidence, however, should be taken in context. Attacks on our
grid continue to grow in number and in sophistication, and it's
really easy to fall behind.
It's clear we need better coordination with the DOE, the
DHS and other Federal agencies. We need better, more timely
information sharing, and we need new approaches to protect the
devices that run the grid. Together, these strategies will
enhance our cybersecurity defenses and the reliability of the
power system.
Let me begin by acknowledging a difficult reality, the
cyberthreat is growing. In 2016, Xcel Energy identified over
500,000 individual cyberattacks on our network. And although
we're attacked daily, we're most concerned about potential
attacks targeting the grid control systems.
Grid industrial control systems use digital technology to
do their work and, like anything else that uses digital
technology, these systems could be hacked. Without proper
controls and monitoring a cyberattack of the control system
could force the grid offline.
In response to this threat we work continuously to
implement a flexible, effective, cybersecurity program. Our
program separates and protects the control system from the
Internet. We also use strong passwords and strictly control
employee access to our critical systems. Our network is
monitored by a dedicated team of cyber analysts on a 24/7
basis. We act immediately on actionable threat intelligence
from government and private sources. We routinely install
antivirus and antimalware programs. We also hunt for
indications of compromise in order to detect and eliminate
threats. Finally, we perform third party penetration testing of
the network to test the effectiveness of our defenses.
Now despite these best efforts, no program is perfect;
therefore, system recovery is one of our program's highest
priorities. And while the challenges of system restoration
would be different after a cyberattack, our industry's
experience with system restoration after storms and other
outages does give us a leg up.
So, our cyber programs continue to improve but our program
is and always will be a work in progress. There will always be
more to do. We continue to look for ways technology can help
protect the grid. For example, information sharing tools must
become more sophisticated as the attacks become more
sophisticated, and our arsenal of information sharing tools is
continuously improving. Real-time machine-to-machine
information sharing will further enhance our ability to respond
to grid attacks, and we're working with other sectors to boost
these capabilities. We're also beginning to deploy monitoring
technologies to look for anomalies on the network that could
indicate the presence of malware.
Turning to national cybersecurity policy. The electric
industry, the DOE, the DHS, are working together through the
ESCC to establish robust national cybersecurity efforts. My
written testimony provides an overview of the programs
spearheaded by the ESCC to enhance the nation's cybersecurity
effectiveness; however, as I stated, there's always more to do
and Congress and the Administration can help.
First, in a recent scoping session, NIAC has recommended to
the President that the nation adopt a new transformational
national framework for cybersecurity. The NIAC scoping study
points to a fundamental problem with the current approach and
that despite recent progress, national cybersecurity policy is
often uncoordinated and unfocused. And while not speaking on
the behalf of the Council, I believe the recommendations of the
NIAC scoping study are urgently needed.
Second, in our experience, Federal agencies are often slow
to provide classified information regarding cyberthreats to
utilities. While protection of the nation's secrets is vital, a
better process is needed to ensure that we have the necessary
information in a timely fashion.
Finally, I believe we need both more research into cyber
safeguards and the development of improved standards for
software that controls the operational devices that were on the
grid.
Thank you for the opportunity to be here with you today.
I'd be happy to answer any questions.
[The prepared statement of Mr. Fowke follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Senator Gardner. Thank you, Mr. Fowke.
Mr. Di Stasio.
STATEMENT OF JOHN DI STASIO, PRESIDENT,
LARGE PUBLIC POWER COUNCIL
Mr. Di Stasio. Chairman Gardner, Ranking Member Manchin,
members of the Subcommittee, thank you for the opportunity to
appear before the Subcommittee today.
My name is John Di Stasio, and I'm the President of the
Large Public Power Council. Known as the LPPC, the Council
represents 26 of the largest state-owned and municipal
utilities in the nation, and we provide power to over 30
million people in 13 states.
I'm here to respond to the Committee's interest in
cybersecurity threats facing the U.S. electric grid. I'd also
like to provide input on S. 79, the Securing Energy
Infrastructure Act.
The points I want to emphasize are these. Industry is
engaged. While cybersecurity threats to the electric grid are
fast evolving and they do require quick, adaptive responses,
much is beginning to be known about the threat environment. The
electric industry, working with the standards promulgated and
enforced by the North American Electric Reliability
Corporation, NERC, and also FERC and working with our
governmental partners, has effectively responded to known
threats and we're actively working to anticipate emerging
threats.
Because of the nature of the cybersecurity threats faced by
industry, they're evolving rapidly and they're not static so
the electric industry has repeatedly emphasized the need for
flexible application of cybersecurity regulations that permit
industry agility in responding to threats and the ability to
implement evolving technology solutions. The electric industry
has been grappling with cybersecurity threats for at least a
decade. We've learned a lot about the nature of the threats we
face in a variety of attack vectors. In response to these
threats and with the oversight of FERC, NERC has implemented
and enforced the nation's only mandatory suite of cybersecurity
standards, the CIP protection standards.
The 2015 cyberattack, as was mentioned, on the Ukrainian
grid underscored the electric grid's vulnerability. Although I
don't want to understate the concern, I do want to emphasize
that techniques used by the attackers were generally understood
by the industry and are meaningfully addressed by NERC's
reliability standards. Specifically relevant are those CIP
standards that provide for electronic security perimeters,
access control and malware detection and remediation.
A study by the DHS identified three areas for further
review: air gapping, application whitelisting and risks that
reside within the supply chain. These areas are under current
study by NERC and FERC.
As to air gapping, NERC says, and I agree, that while there
are potential security benefits associated with this approach,
there are reliability and operational considerations too. So
further study is certainly warranted.
Similarly, while application whitelisting is one feasible
way to guard against the operation of malware on utility
systems, it also presents possible unintended consequences that
may include interference with essential reliability and
operational processes. Here again, further study would be
useful.
As to the supply chain, NERC is currently in the process of
developing a standard at FERC direction. Certainly the
procurement of trusted hardware and software is important, but
it's not reasonable to ask utilities to police the compliance
of vendors and their commitments to follow security practices.
We are pressing for an approach to a supply chain standard
which also places onus on the vendors to ensure compliance with
their commitments to implement sound and reliable security
practices.
Because cyberthreats evolve rapidly, it is important that
utilities maintain the agility to respond to threats and the
ability to implement evolving technology solutions. S. 79
promotes government industry partnership in studying evolving
vulnerabilities which will help combat cybersecurity threats;
however, LPPC does caution against converting study findings
into any one-size-fits-all solutions. The electric industry's
response to cybersecurity risk is robust, it's fast evolving
and it's intimately tied to efforts by the government to
enhance the nation's security posture.
I would never claim that all risks are covered, but a great
deal of work is being undertaken in this area. As in any robust
security environment, the focus is appropriately not only on
prevention, but also on response and recovery.
We welcome the opportunity to work with the members of the
Committee to provide further information and receive input on
this joint endeavor.
Thank you.
[The prepared statement of Mr. Di Stasio follows:]
Senator Gardner. Thank you.
Dr. Zacharia.
STATEMENT OF DR. THOMAS ZACHARIA, DEPUTY DIRECTOR FOR SCIENCE
AND TECHNOLOGY, OAK RIDGE NATIONAL LABORATORY
Dr. Zacharia. Chairman Gardner, Ranking Member Cantwell and
members of the Subcommittee, thank you for the opportunity to
appear before you today. And Senator Alexander, thank you for
the kind remarks.
I'm Dr. Thomas Zacharia, Deputy Director of Science and
Technology at the U.S. Department of Energy's Oak Ridge
National Laboratory (ORNL). The focus of our programs at ORNL
is on solving compelling national problems in energy and
security. These problems are connected. Energy security is a
vital component of our national security.
Last Tuesday, a series of powerful storms swept through
East Tennessee. The morning after, I spoke with the Chairman of
the Electric Power Board (EPB) in Chattanooga with whom ORNL
has a long-standing partnership. The Chairman told me that the
severe weather had disrupted services to 65,000 homes in the
EPB service area, but thanks to the state-of-the-art control of
the EPB system, half of those homes experienced nothing more
than just a power flicker and EPB was able to rapidly work to
restore service to the other homes.
We know that these same digital systems that are so
successful at running the electric grid efficiently and
effectively are also vulnerable to cyberattack. The DOE
National Laboratory system recognizes this vulnerability and is
actively pursuing technology advancements to mitigate this
threat.
Often described as the world's largest machine, the U.S.
electric grid is a foundation of our competitive national
economy and, indeed, our way of life. However, as utilities
have increased smart interconnections between grid services to
make the system more agile and adaptive and able to preempt
disturbances, they have also created some access points for
potential cyber disruption.
With the growing sophistication of cyber intrusions, we
need to go beyond today's practices. With DOE and electric
utilities, we've been exploring ways to get critical
infrastructure off the public internet.
Specifically, the following technological advancements and
solutions are needed to ensure reliable, efficient, resilient
and secure grid infrastructure across the country: eliminate
direct connectivity to the internet, implement advanced cyber
defensive measures beyond what's possible on the internet,
develop supply chain components and Internet of Things devices
with security built in, provide wide area situational awareness
and decision support by enhancing grid state monitoring with
advanced sensing and measurements and use living laboratories
in partnerships with utilities and national laboratories to
test functionality and resilience of advanced cyber and cyber
physical solutions to accelerate transition to practice.
ORNL has developed numerous technologies used to counter
cybersecurity threats. These technologies range from hardware
device monitors to software that can detect dormant malicious
code, to platforms that can discover and detect the presence of
advanced persistent threats.
Cyber physical tools and capabilities include Grid Eye
sensors located across the U.S. for real time systems
monitoring and EAGLE-I which monitors the nation's energy
sector in real time.
This can be leveraged with the PNNL-led effort on the
Cybersecurity Risk Information Sharing Program (CRISP) to
provide cyberthreat information to industry partners.
Without our established public/private partnerships, these
technologies will not be adopted by industry. For example, DOE
and ORNL are leveraging the EPB automated smart grid and fiber
optic network infrastructure to develop next generation of
cybersecurity defense systems, including next generation
quantum cybersecurity software that has the potential to
prevent undetected hacker intrusions into the IT networks.
National labs, including ORNL, are uniquely positioned to
address cybersecurity challenges through technology
breakthroughs in partnership with the private sector.
One example of the laboratories, the system of
laboratories, working together on major challenges is the Grid
Modernization Laboratory Consortium, GMLC. This was established
as a strategic partnership between DOE and the national
laboratories to bring together leading experts, technologies
and resources to collaborate on the goal of modernizing the
nation's grid.
Thank you for the opportunity to be here today to share
with you what we see are some of the solutions to minimize
cybersecurity threats to the electric grid and, in turn,
further contribute to the security of the nation.
[The prepared statement of Dr. Zacharia follows:]
Senator Gardner. Thank you, Dr. Zacharia.
I know Senator Alexander has a hard stop, so, Senator
Alexander, I am happy to yield to you if you would like to ask
some questions.
Senator Alexander. Thank you, Mr. Chairman, I appreciate
that very much. So I will just ask one question.
Dr. Zacharia, ever since I have been here, which is now
about 14 years, the Congress and the Administrations have put a
priority on building supercomputers, and I believe you have
built the fastest supercomputing system in our country. Is that
right?
Dr. Zacharia. That is correct, Senator.
Senator Alexander. And it is going to increase in 2018 by a
factor of five, is that correct too?
Dr. Zacharia. Factor five was 2004.
Senator Alexander. Well, let me ask, in fairly specific
terms, what difference does it make if we have the fastest
computer, or the second, or the third, or the fourth, or the
fifth, or the sixth, in terms of cybersecurity and monitoring
our grid?
Dr. Zacharia. Senator Alexander, thank you for the
question.
Like any other system, leadership in supercomputing is
absolutely essential because the Chinese and other nations use
a supercomputer for just the same advantages that we seek to
achieve in this country. So, the Chinese system that is
currently, that the Chinese have two systems that are the
fastest in the world today. Many of the applications that
they're using are for cybersecurity, both defensive and
offensive cybersecurity, as well as other materials and
technologies.
It's absolutely essential that we maintain the ability to
match and deter cybersecurity threats. The way the
supercomputer comes into play is that as the grid system
particularly as the nation's electric grid system has deployed
new technologies to make them more smart so they can deliver
better services to their consumers.
They've also become much more data aware. They produce a
lot of data. There are lots of sensors. What supercomputers
allow us to do is to monitor the data real time, analyze it,
do some of the deep data analysis and just like you might have
heard, IBM Watson, to be able to actually make decisions on the
fly, to do cognitive computing.
The Summit system that is going to be deployed in 2018,
even though it's going to be five times faster, it also has a
co-processor that allows you to do real time data analysis and
decision-making. So these are some of the advantages in terms
of being able to stay at the leading edge to make sure that the
nation's grid system is protected and we have the necessary
tools and capabilities to do that.
Senator Alexander. Thank you, Dr. Zacharia, and thank you,
Mr. Chairman, for your courtesy.
Senator Gardner. Thank you, Senator Alexander. I will now
turn to the Ranking Member of the Committee, Senator Cantwell.
Senator Cantwell. Thank you.
I am also happy you have the fastest supercomputer.
[Laughter.]
When every particle in a storm can be put into an algorithm
and you can process that information so the United States can
have more data, instead of going to the Europeans, who right
now have a faster or at least, in my understanding, have
better, more accurate information on Sandy than we did in the
United States--we need to keep going. We need to give you all
the capacity for that and more because this weather aspect is
so, so important.
I see your colleague is nodding because when utilities know
that that level of damage is going to occur, they can better
plan for it. They can relocate assets, get them there in time,
all sorts of things.
So anyway, on the cyber front, Dr. Zacharia, you mentioned
the supply chain. We also had a hearing on cybersecurity in the
Commerce Committee, which I found very interesting because a
lot of the discussion focused on private sector entities. I
definitely believe in collaboration here between the
universities, the utilities and the private sector on where we
go forward. But we did not get too much into the supply chain.
We talked a lot about education, how we need to have these
various two-year and four-year academic degrees on
cybersecurity. We do not, currently, have enough focus on that.
But we did not talk enough about the supply chain and supply
chain risk. Could you elaborate on that?
Dr. Zacharia. So, it is, Senator Cantwell, thank you very
much for the question.
It's certainly clear that the supply chain is vulnerable
and there is clear evidence that the supply chain, some of the
key components that are used, is vulnerable for cyber
intrusion. I think it is really important for laboratories like
the DOE lab system working with private sector and university
partners to have the ability to test and validate the
components that go into our grid system, because they are so
essential to maintaining the security of the system while
delivering the kind of services the consumer expects today.
Senator Cantwell. So are you worried about a direct threat
or just not understanding the supply chain and the dynamics of
products?
Dr. Zacharia. Well, I think that it is really important for
us to ensure that we understand the supply chain of critical
components on what we consider as an essential part of our U.S.
economy which is the electric grid.
And so, while I cannot speak to specific issues about a
particular component, I think it's essential that we pay
attention to the security threats and vulnerabilities
associated with the supply chain.
Senator Cantwell. Okay.
Anybody else?
Mr. Fowke. I would just add that these operating
technologies are increasingly converging with IT technologies.
And so, when you think about the hardware that we use to run
the grid, there's chips and other IT type technologies embedded
in that and without standards that protect and make sure that
we have the necessary cybersecurity overlays that equipment and
the ability to monitor that equipment, then we're really flying
blind.
I think there's a lot of work that can be done in making
sure that what's on the grid and, quite frankly, ultimately
what's in somebody's home, in the Internet of Things, is secured
in a way that, I think, we all would come to expect.
Senator Cantwell. And that is a group discussion as well?
Mr. Fowke. Yes.
Senator Cantwell. To get there, it is everybody discussing
and participating in that?
Mr. Fowke. Yup.
Senator Cantwell. Well we definitely need to think about
that and the recommendations from the Quadrennial Energy Review
on cybersecurity, and we definitely need to get those
implemented.
Thank you, Mr. Chairman.
Senator Gardner. Thank you, Senator Cantwell.
Throughout the testimony and in your written testimony, I
have seen a number of acronyms. I think, if you just look at
what is involved in cybersecurity, so far, we have covered DOE,
NIST, DHS, NSA, CIP, E-ISAC, is that how you say it, I, S, A,
C, E-ISAC, FS-ISAC, ESCC, NIAC, NERC and FERC. It is clear
where we go in cyber, so I think that is part of the challenge
that we have.
Senator Cantwell mentioned that she had a Commerce
Committee hearing on cyber. Later this week I am going to be
holding a Foreign Relations hearing where we are going to talk
about cyber. Here in Energy Committee, we are talking about
cyber and all these acronyms.
Mr. Fowke, you mentioned at the beginning of your testimony
one of the things that we need to work on is better
coordination with the Department of Energy, Department of
Homeland Security and the other agencies that we highlighted
here.
I have introduced a bipartisan bill to create a Senate
Select Committee on Cybersecurity, trying to answer some of
these jurisdictional questions. Over half of the Committees in
the United States Senate have some jurisdiction, either in the
rules or self-claimed jurisdiction, over cybersecurity. I think
nine committees have held 20 hearings on some cyber element.
What are your thoughts on creating a Senate Select
Committee on Cybersecurity that would have jurisdiction over
cybersecurity, cyberspace, which would oversee and strengthen
U.S. data prevention, data breach prevention strategy, other
cyber activities? Would it have a value, the Select Committee
on Cybersecurity, that would help the energy industry organize
government rules and responsibilities?
Mr. Fowke. Yes, Senator Gardner, I think it would.
And let me apologize for the use of the acronyms. That's
how you get your testimony in in five minutes.
Senator Gardner. It wasn't just you.
[Laughter.]
Mr. Fowke. Oh.
As I said in my testimony and as the NIAC scoping study
points out, we just need to coordinate better. I mean, there's
a lot of work being done, but it's being done by a lot of
agencies. It's being done by a lot of Congressional committees,
and there's a lot of industry work that's being done as well.
I think we're getting better at coordinating, but the bad
actors are getting better at attacking us at the same time.
So, to the extent we can have a more coordinated, focused
effort, you know, it doesn't--it reminds me a little bit about
the difference between watching a professional soccer team and
kids that are six years old. Everybody is going to the ball,
but you've got to play in your swim lanes and as a team. I
think that's what you're suggesting.
I would caution that sometimes we rush to pass the
legislation and we ought to make sure that there aren't
unintended consequences with that legislation too. And I really
think the tone at the top is where we start and then we work
our way down. And that way we can have a coordinated response.
Senator Gardner. Mr. Fowke, follow up on that too.
Is there any kind of coordination that Congress can help
provide industry, or in the various organizations that you are
a member of? Will you, through industry and your partners in
government, come up with the correct coordination on your own
or is it something that Congress needs to provide guidance
with?
Mr. Fowke. We need help getting the information.
As I mentioned in my testimony, quite often, by the time we
hear about a potential threat or a threat from the government,
we've known about it for quite a long time through private
sources or industry communication, et cetera. And I think the
reason for that is we struggle on taking what could be
classified information, declassifying it and getting it out
quickly.
The second thing we struggle with is where there is a need
to keep it classified. I think we've got a six to eight-month
backlog per individual to try to get classified status. So you
might want to share the classified information, but you can't
share it because the people aren't cleared.
In an age where we're talking machine to machine, that is,
that's quite a hindrance. We need to do better with that
because we have the tools in place, another acronym, CRISP, the
detection software. That's a good system and right now the
information is going right into the lab and it's basically
where it stays. So, we need to start getting a two-way flow of,
what I think, could be very valuable information.
Senator Gardner. So if I understand the problem, there's a
twofold challenge, right?
You have the challenge of getting the information from the
Federal Government, information that you need to protect the
grid, the system, your power system. And secondly, of course,
is getting people who can then receive that information with
the proper classification. Is that correct?
Mr. Fowke. That's correct.
Senator Gardner. There is a story that I wanted to share
with you. I am sure on the Committee, you have all heard this
story. It was reported in E&E news. It is a story of, I guess
it was a security test, where they had a person come into the
utility, basically to audit their security. Apparently the
security auditor told him that he had seen equipment in the
utility, in the utility control room, that would not be allowed
in a federal installation because it is vulnerable to hackers.
The security auditor said, in a federal installation that piece
of equipment would not be allowed to be in it because of its
vulnerability. The head of the utility company asked, what is
that equipment? And the response was, I can't tell you, it's
classified.
[Laughter.]
So, that is the problem.
Senator Cortez Masto.
Senator Cortez Masto. Thank you, Mr. Chair, and I
appreciate the comments today.
This is an area that I worked in as the Attorney General of
the State of Nevada and something that I saw from a state
perspective that we needed to address but was always concerned
about the federal interaction. Now I am on the federal side and
I see the same, kind of, bifurcation where there is a lack of
communication, not only at the federal level, but the
communication at the federal level and the states. And that is
the question I have from the very beginning.
Mr. Bardee, it is a two-part question relating to how
information, with respect to threats and remediation, is
conveyed to state officials? And it goes back to some of the
concerns that we have talked about with acronyms and the number
of committees and commissions that are out there.
I understand that the Electricity ISAC is responsible for
situational awareness, incident management and communications
regarding cyberthreats to the grid. But the Electricity ISAC is
only one of 20 different ISACs. States participate directly in
only one which is the multi-state ISAC. So, how does the
cyberthreat information regarding the electric grid get to
those state officials?
Mr. Bardee. There are a number of informal mechanisms by
which that information can be shared. Our agency, for example,
particularly in our Office of Energy Infrastructure Security,
reaches out to the states and tries to work with them and share
information and assist them, as appropriate. I know the
Department of Energy does, too.
And the more sensitive information, the classified
information, generally, it originates in other parts of the
Federal Government, Department of Homeland Security, for
example. And we are a recipient of that sometimes, but we're
not the source of it.
So I would say that it is a challenge to ensure that the
states are getting all of the information they need, given the
ways in which that information may come into the government.
But it's an ongoing effort and we are looking for ways to
improve that. I, for example, and some of my colleagues are
going to be meeting with NARUC, I think in about two weeks, to
discuss cybersecurity. And this, I would expect, to be part of
the conversation.
Senator Cortez Masto. Yes.
I would appreciate more of a direct interaction at the
state level and not through different task forces or multi-
levels. I know the state counterparts would appreciate that. I
think this is an effort that we have to look beyond, not just
the federal level, but at the state level. Everybody should be
working to address the cyberthreats that we see, so I
appreciate your comments.
Let me just open this up. I understand that the second
installment of the QER noted that the traditional definition of
reliability may be insufficient to ensure system integrity and
available electric power in the face of physical attacks and
cyberthreats, among other things, and that the security of the
systems, particularly cybersecurity, is a growing concern.
Would you agree with that assessment from the QER?
I will open that up to anyone.
Mr. Di Stasio. I would say, I think, FERC addressed part of
this as a--it was mentioned previously about the 2013 Metcalf
attack in California. At that time, I was a CEO of a
neighboring utility in California, so that was a very real
incident for us.
FERC added a standard on physical security that really
directed utilities to make a risk-based assessment of where to
harden the system from both physical attacks and we've already
got the CIP standards that are focused on doing the same for
cyber.
But again, these risks are evolving. They're emerging.
They're not static. So it becomes more of a prioritization of
which of the systems and which of the components within the
system are going to provide the greatest risk mitigation and
doing those first. And that's what we're really in the midst of
undertaking right now.
Senator Cortez Masto. I appreciate that.
One final question, Dr. Zacharia. You mentioned a
suggestion that one way to answer the concern about
cybersecurity threats is that we eliminate the grid or any type
of critical infrastructure from the internet. Can you expand on
that? Do you think that is possible, particularly with the
evolution of technology, the Internet of Things and everybody
being connected, including smart meters, which we have in the
State of Nevada?
Dr. Zacharia. Senator, what I meant to say was that it
should be disconnected from the commercial internet. So let me
expand on that.
Our own experience is that when Oak Ridge National
Laboratory, about a dozen or so years ago, was deploying one of
the fastest supercomputers in the world, we did not have very
high speed network connectivity into the laboratory. And the
way that we solved that problem was that there is actually dark
fiber that most of the major utilities have in the right of
way. Generally it is usually used with control systems and it
has redundant pairs of fiber. We were able to work with the
utilities, in this case, TVA, to get a pair of fiber that is
completely separate and isolated from the commercial internet
provider.
One of the suggestions is that there is a tremendous amount
of dark fiber that is available on the right of way--using
this dark fiber as a way to create a separate, you know, sort
of air-gapped, network connectivity because I think it is
really important that the consumers are used to a certain level
of service and it's not good to go back. And one way to provide
that service is to actually have dedicated network and using
dark fiber that is already available in the ground today.
Senator Cortez Masto. Thank you. Thank you very much.
Senator Gardner. Thank you.
Senator King.
Senator King. Thank you, Mr. Chairman.
First, a sort of basic question.
Mr. Bardee, is there one national grid? My understanding is
that the entire nation is not connected. There are regional
grids. Am I correct?
Mr. Bardee. The best way to describe it is that there are
three interconnections in the United States.
One, basically within Texas, not fully congruent but
basically one for the western third of the United States, and
the rest in the East.
Senator King. Are those three connected? In other words,
could you bring down the entire nation at one time or would you
have to do three?
Mr. Bardee. There are very limited connections between
those three. So generally, if there is a problem in one of the
interconnections it does not affect the other two.
Senator King. Let me talk about the sophistication of the
attacks. My understanding is that the level of sophistication
is going up.
Mr. Fowke, you mentioned 500,000 attacks. That is
astonishing. A lot of those are poking and prodding and testing
and trying to find vulnerabilities and that these attacks are
getting more sophisticated all the time. Is that correct?
Mr. Fowke. Yes, I would not say the 500,000 are
sophisticated, all sophisticated nation states, but the problem
with trying to categorize what might just be something like,
you know, a benign, well it's not benign, but a phishing
attempt. Something we all get is that there might be more
behind what looks like run of the mill type, you know, virus or
malware that's trying to be implanted.
And what happens is if you get phished and it's allowed to
get onto your network, that virus, that malware, will hunt
around for as long as it takes, searching out weaknesses that
can get it into something more important, like your----
Senator King. And it can also lie dormant for some period
of time.
Mr. Fowke. Yes.
I believe that is another acronym. I think it is called
APT, but Advanced----
Dr. Zacharia. Persistent Threat.
Mr. Fowke. There, thank you.
Senator King. Advanced Persistent Threat.
Mr. Fowke. Right.
Senator King. But what we are seeing here is the nature of
warfare changing before our eyes. And the Russians,
particularly, are playing a weak hand, very effectively, and it
is on the cheap. For the cost of one tank they can hire 500
hackers or trolls or whatever.
We know that this is a part of their foreign policy
strategy in terms of elections, in terms of other kinds of
disruptions to western countries. And this is, really, a threat
that the likes we have not seen.
By the way, Mr. Chair, I like the idea of the Select
Committee on Cybersecurity. You get to tell Senator McCain that
you are taking cyber away from Armed Services.
[Laughter.]
Senator Gardner. He co-sponsored it.
I don't know if he knows the full implication of that.
[Laughter.]
Senator King. I think that is an important idea.
Well again, several of you mentioned S. 79. We are not
trying to do anything prescriptive here, but we are trying to
test hopeful, promising technology to link the utility
community with the national labs. What I hear many of you
saying is coordination is one of the key elements of this and I
am talking, we are talking, about coordination on a specific
project.
But on the broader sense, I think, good coordination is one
of the most important things that we can try to develop. We
need this country to develop a cyber strategy, Deterrents 2.0,
so that we are not being purely defensive, that there is an
offensive capability and that our adversaries understand that
and that there is some kind of risk involved with their
continuing to prod our grid.
I really appreciate the testimony here today and look
forward to working with you. If you have suggestions or input
how we can--and I take your suggestion, Mr. Bardee, that FERC
should be part of that committee that analyzes what the labs
and the utilities come up with. So, I think that's a good
suggestion. We will add that to the bill.
Thank you.
Thank you, Gentlemen.
Senator Gardner. Thank you.
Senator Franken.
Senator Franken. Thank you, Mr. Chairman.
Earlier this month, President Trump released his budget
blueprint which calls for an overall cut of $1.7 billion to the
Energy Department. The budget slashes investment in both basic
and applied energy research and development, including the
complete elimination of ARPA-E.
More broadly, these cuts would threaten the expertise found
at our national labs, a resource that is the envy of the world.
One of the programs specifically mentioned for significant cuts
is the Office of Electricity Delivery and Energy Reliability.
Now, both our national labs in the Office of Electricity are
engaged in critical work regarding cybersecurity.
Mr. Di Stasio, your testimony mentions close coordination
between your industry and the DOE Office of Electricity. Can
you elaborate on that collaboration and what severe cuts to
that office would mean from an industry perspective?
Mr. Di Stasio. Yes, Senator.
We've worked closely with the Office of Energy Delivery and
Reliability, both on the development of smart technologies to
advance smart grid and so forth, but also on reliability risks
related to cyber.
It was mentioned earlier one of the acronyms of CRISP is
essentially a tool to allow the triangulation of threat trends
across multiple systems versus individual systems dealing with
it by themselves, and we worked with the Office of Energy
Delivery and Reliability to help better understand that and
also to get it with our members so that we could get more folks
to join up.
We have also worked closely, their office has been
instrumental, in developing the request that came out of the
FAST Act that was passed in 2015 that directed us to have an
essential transformer spare system and also to deal with
transportation.
Senator Franken. How is that working?
Mr. Di Stasio. Well, it's yet to be communicated back to
the office.
Senator Franken. Because we had the physical assault on the
transformers and----
Mr. Di Stasio. Well, so the issue is that there's a
discrete number of very large transformers that pose, kind of,
a disproportionate impact on the grid, should they be impacted.
And actually, an analysis, and I was complimenting Dr.
Zacharia, was done by Oak Ridge labs to identify what the
threat landscape looked like in utility planning terms. That
technical analysis then went to DOE, who in fact, is then
supposed to come back to Congress, through House Energy and
Commerce, to provide a report on what we should do. So those
are just two examples where this office has been a critical
interface for us as utilities, with the Federal Government and
that capacity. If it didn't exist in that office, it needs to
exist somewhere because it's very important work.
Senator Franken. So, again, what do these kinds of
Draconian cuts, what will that mean to your work, Mr. Fowke?
Mr. Fowke. I don't know, Senator, but I can give you a
definitive answer on that. I know the research is important and
if these budget cuts cut some of the research out that we're
talking about here, I think the whole----
Senator Franken. They are going to.
Mr. Fowke. ----would suffer for it.
Senator Franken. Okay.
The majority of severe power outages are weather related.
Heat waves diminish the performance of our electrical system
and at the same time cause extreme loads as people run their
air conditioners. Droughts cause outages because they impact
lower hydropower reserves and smaller supply of cooling water
for coal and nuclear plants. Hurricanes and flooding can cause
widespread outages, damaging both the grid and generation
facilities.
The Transportation bill we passed in 2015 provides the
Energy Secretary with the authority to address grid-related
security emergencies caused by cyberattacks, physical attacks,
electromagnetic pulses or geomagnetic disturbances.
Conspicuously, conspicuously absent is the biggest actual
threat to the grid, outages by extreme weather which we will be
seeing more as climate changes.
The recently released Quadrennial Energy Review notes that
cyber terrorists are likely to use natural disasters as force
multipliers, to quote the report, ``By timing grid attacks to
correspond with natural disasters, intelligent multi-site
attacks by knowledgeable attackers targeting the specialized
components, could result in widespread, long-term, power
outages from which it could take several weeks to recover.''
How well is your industry prepared to deal with multiple,
simultaneous problems? How might timing a cyberattack to
correspond with a weather-related problem amplify the impact of
the attack?
That is for anyone.
Mr. Fowke. Senator, I think that's a great question, and I
think it would be naive to think that the bad guys would only
attack us on a good day.
And so, what our industry is drilling constantly around is
exactly that, a physical or a storm outage, natural disaster,
combined with a cyberattack because if you then take out
communications you start to get to a situation where you're not
sure if it's cyber or if it's physical or if you can count on
the signals that you're getting from your grid.
So, it gets back to how do we operate this grid blind? How
do we coordinate with each other? How do we assume the telecom,
telecommunications will be operating?
We did an elaborate grid exercise a couple years ago,
and I think we learned a lot. But I think we also found that
there's a lot of resilience built into the grid too. But we
can't drill enough on that.
Senator Gardner. Senator Heinrich.
Senator Heinrich. Thank you, Chairman.
For either or both, Mr. Fowke or Mr. Di Stasio, one of the
issues we follow very closely on the Intelligence Committee is
how we monitor individuals that are suspected of being already
involved in terrorist activities. You can imagine these are
exactly the people that you do not want running your critical
control centers.
What personnel controls does the utility industry have in
place when conducting security clearances, background checks,
and do you think they are sufficient? In addition, are there
additional federal resources, like the FBI's Terrorist
Screening Center, that could potentially improve that process
for the industry, if you had access to those?
Mr. Di Stasio. Senator, that is a concern because the human
resources element of cyber is a significant risk as well.
Most all of us, by requirements of standards and also our
personnel policies, make sure that we tightly control ingress
and egress. We do have advanced background checks for certain
sensitive classifications.
I will say in the recent past our national association, the
American Public Power Association, as well as others, have been
working with the FBI to get access to advanced background
screening for certain personnel. And that language is being
considered and developed now.
Senator Heinrich. Great.
Mr. Di Stasio. I think, I do think, it's an important point
not to overlook that while some progress has been made, more
needs to be made and especially given the fact that there's
diversity of state policy around this.
Again, I represent municipal utilities, so we also have
different sunshine laws in different states and different
statutes.
Senator Heinrich. Yes.
Mr. Di Stasio. And so, trying to harmonize all of that into
something coherent is a fairly significant undertaking. But it
is on the radar screen, if you will, as how to best deal with
some of the human resource issues.
Senator Heinrich. Mr. Fowke, I believe you mentioned the
time-based challenge of getting security clearances. Was that
you?
Mr. Fowke. Yes.
Senator Heinrich. The bottleneck there, is it personnel or
funding to do the analysis for those clearances and is that all
on the Federal Government side of the ledger?
Mr. Fowke. Well, it's an elaborate process, as you know,
and so I think it's a time-based manual effort. It's the
manpower which translates to the funding, I would assume.
Senator Heinrich. If that funding is reduced over the
course of the budget process, what would that mean for being
able to adequately manage that risk?
Mr. Fowke. Well, if the funding came out of that aspect of
the security clearance, then I would suspect it would slow it
down. And right now, as I mentioned, it's six to eight months.
Senator Heinrich. Pretty slow as it is.
Mr. Fowke. Yes.
Senator Heinrich. Okay.
Mr. Bardee, I am pretty excited about FERC's proposed rule
on energy storage and distributed energy resources,
participating in organized wholesale markets. With these
additional players from the distribution side participating in
the bulk power market, does the Federal Power Act provide FERC
sufficient authority to assure both security and reliability of
the grid?
Mr. Bardee. Senator, that's an issue we need to do more
work on.
Those types of resources bring value to the markets because
they diversify our sources of supply, but at the same time,
ensuring that the grid can be operated reliably by having
visibility of what those resources will do under certain
circumstances and having control, if necessary, is difficult
under the structure we have now where FERC is responsible for
the Bulk-Power System and states are responsible for the local
distribution systems that many of these resources connect to.
So, I think we are very much looking at that issue, trying
to be creative about ways we can address that issue. And I know
the industry is too, because they're as much focused on that
issue as we are. Solutions are not easy though.
Senator Heinrich. I think that is going to be particularly
important. It is pretty clear that that is the direction
markets are headed.
And I think we are going to see more DERs. We are going to
see more demand response. We are going to see more storage. All
aggregated in, you know, spread across the grid and getting the
rules of the road worked out at the front end rather than
responding to issues as they arise is going to be particularly
important.
Thank you, Mr. Chairman.
Senator Gardner. Thank you very much.
If members want to stick around, we will go ahead and have
another round of questions, if you do not mind.
I wanted to just highlight a couple of things based on what
has already been brought up.
Mr. Fowke, you mentioned you have about 100 people working
in cybersecurity or security areas where just a short time ago
you didn't really have any. Is that correct?
Mr. Fowke. That's correct.
Senator Gardner. Mr. Bardee, how many people at FERC have
expertise in cyber?
Mr. Bardee. On my staff, about 25 and in other places,
maybe another 20.
Senator Gardner. And what is the total staff?
Mr. Bardee. Total staff of the agency is about 1,400.
Senator Gardner. Fourteen hundred.
What would it have been two or three years ago?
Mr. Bardee. Cybersecurity was a smaller part. If you went
back several years, a very small part.
Senator Gardner. Yes.
Mr. Di Stasio, the Cyber Mutual Assistance Program that you
talked about in your testimony and others talked about in their
testimony, 10 years ago today in Holly, Colorado, there was a
tornado, a very devastating tornado. We saw a lot of utilities
from around the region, around the country, come together to
fix the physical damage that had occurred, the power lines, the
telephone poles, utilities, you name it.
This Cyber Mutual Assistance Program seems to be the same
thing, but in a digital sense. But yet, we seem to only have
about 100 members participating today out of the 3,000
utilities in the country. Why is that? Why don't we see more
people involved?
Mr. Di Stasio. I think, Senator, or Chairman, I think it
will continue to grow. The reality is across those 93 utilities
that are current members of the Cyber Mutual Assistance Task
Force, they probably represent a significant number of
customers in states.
And again, if you think about this issue of prioritizing
the risk, just as we've done with NERC where we have both high,
medium and low risks and as Mr. Bardee mentioned, we're now
getting to the low risks, but the high and medium have been
addressed first. And I would suggest that we could certainly
provide it in the record the numbers of customers and systems
that are represented across those 93. So, it's not a straight
calculation.
Senator Gardner. Thank you.
Mr. Bardee, Mr. Fowke, in terms of the numbers of people
working in cyber, is there a workforce need that you see that
Congress could help with in terms of developing a greater
workforce in cyber?
Mr. Fowke. Well, it's not an easy position to fill, I can
tell you that, Mr. Chairman. And where we are typically filling
it or quite often we're filling it from the military ranks. It's
one of the things we're focused on at Xcel Energy, just on the
broad sense.
But I think a program within the military that would help
transition vets to civilian and give them those cyber type
training, that they will be able to apply in the civil world,
would be an absolutely great program. If you think about it,
many of them already have a security clearance, as some of the
other problems that I was suggesting that could be readily
transferred over, it's my understanding. So, that, to me, is a
great opportunity.
Senator Gardner. Thank you.
Dr. Zacharia, exascale computing is the next big step in
advanced computational research efforts led by the DOE labs.
Would these expanded national lab capabilities enable critical
infrastructure cyberattack scenario evaluation and protection
plan evaluation? And if so, could you talk about the labs that
would be involved in that exercise?
Dr. Zacharia. Thank you, Mr. Chairman.
Exascale computing program is actually a program that is
led by multiple laboratories. The leadership is actually six
labs and Oak Ridge National Laboratory has a responsibility to
deliver the project.
One of the things that the department has done in terms of
deploying the exascale is simultaneously there is a program to
deliver up the applications that will run on these machines
when these machines are deployed.
And so, these are, sort of, called co-designs and in the
area of cybersecurity there are a number of such programs that
have been started, like typically what DOE Office of Science
does, is that there is RFP and the peer review, call for
proposals peer review, and the selection of the best proposals.
And I can tell you that in the area of cyber there is a co-
design project that is led by your laboratory, the National
Renewable Energy Laboratory.
Senator Gardner. Could you say that again? I am sorry, what
was that?
[Laughter.]
Dr. Zacharia. I think one of her finest actually is the
Director of NREL, so NREL and PNNL are co-leading that activity
for us, for the exascale computing project, and it's really
critical.
And if I may add, Senator, early on there was a discussion
about the Office of Electricity. One of things that the Office
of Electricity, one of the programs that they have is EAGLE-I,
which is a situational awareness program that actually gets
information in a region that services about 100 million users.
The other thing that exascale computers allow you to do is
to take that information, real time, digest that information
and be part of a proactive way of both understanding the
vulnerability of the grid as well as unloads on that so you can
make preventative measures and be aware, grid aware strategy,
for cybersecurity.
Senator Gardner. Great. Thank you.
Senator Cortez Masto, if you would like to go a second
round?
Senator Cortez Masto. Thank you, Mr. Chair.
And very quickly because, obviously, this is a complicated,
complicated issue that we are dealing with here, and I am
struck by what I am hearing. Mr. Fowke, I think you said it
clearly in your speaking points when you said the national
policy on cybersecurity is uncoordinated and unfocused. That
has been my concern from a state perspective watching what is
happening.
I am curious, and I am going to open this up to the panel.
Is there a model out there? Is there something that we should
be looking at that the states may have come up with that is a
great model for us to be looking at at the federal level? Or is
there something that you can give us hope where we should be
looking to address cybersecurity in general across this
country?
Mr. Fowke. I think we should look at state level. I think
that the fusion centers that you might have heard about,
Senator. I think they can work very well.
I also think we ought to look overseas. I mean, there are
nations, albeit, much smaller than the USA that, I think,
coordinate much better than we do in the United States. And I
think we should be open to best practices wherever they are.
Senator Cortez Masto. Thank you.
Mr. Di Stasio. Senator, one of the things that we also got
a lot of value out of was undertaking after a Presidential
Order or Directive in 2014, to talk about coordination across
the federal agencies. We responded to that and developed what
was called, and worked with DOE, actually, on what was called a
maturity model.
And so, part of that is, I think, we would prefer to--we've
got a very robust cyber compliance and enforcement program
through the NERC standards, directed by FERC. We would like to
be able to build upon that regime.
We also talked about the Electric Subsector Coordinating
Council, the work with DOE, the work with DHS, some of the
suggestions in S. 79.
I do think we've come a long way. We certainly have a
greater ways to go, but I feel like we've got some of the
essential building blocks in place dealing with some of these
things like clearances, timely and actionable information
sharing and the work that the labs can do to enhance
situational awareness. All of those, to me, provide the next
rounding out of the current state of mitigation of these risks.
Senator Cortez Masto. Thank you. I appreciate the comments.
Thank you, Mr. Chair.
Senator Gardner. Senator King.
Senator King. I have a very quick follow-up on that.
Is there a central clearinghouse of hacks where there is
one place where a grid operator can look and say, okay, here is
what is going on in Pennsylvania? Here is what is going on in
California? Is there a central website? I hesitate to use the
term because maybe that is not what you want in this situation,
but someplace where this--I am after how good the communication
and coordination really is.
Mr. Di Stasio. The place that's most closely associated
with that type of a description is really the E-ISAC which is
the information center and clearinghouse. They actually----
Senator King. Is that government or is that private sector?
Mr. Di Stasio. It's government, and they actually have a
watch floor program that operators can go and participate. I've
actually had the opportunity to go in there myself. And they
look at a variety of, not just cyber, but all types of
potential threats and disruptions to the grid and that becomes,
probably, the most robust information sharing source we have.
Mr. Fowke. I might just add, I think, the gold standard for
ISACs is the FS-ISAC. That's the financial services ISAC, and
they actually are now talking machine to machine. It's much
more private sector versus government-oriented.
But we recently joined it and we were the first electric
utility to do that. I think there will be more because it's one
more channel and one more sector coordination, where we talk
about coordination, that's right available to us and we're
already getting good information from that.
But to me, it also pushes the issues that I've been saying
before, we're not, not only it's federal agencies not
coordinating. We're not coordinating across sectors as well as
we should too. And these ISACs, if they were better coordinated
together, I think that would be a great opportunity.
Senator King. I think that is a very good point because if
there is going to be an attack it probably will not be just one
sector, it could be electricity, gas, financial and
coordinating across sectors, I think, would be very important.
Mr. Chairman, I want to thank you for this hearing, and I
want to thank our witnesses.
This has been very illuminating. Hopefully our discussion
doesn't have to end today. As you are going home and you think,
I should have said this or here is a suggestion, please pass it
back to the Committee because this is an area of absolutely
vital concern and could not be more important to the people
that we all represent. So thank you very much for your
testimony.
Thank you, Mr. Chairman.
Senator Gardner. Thank you.
The good news is for all of you the record will remain open
for two weeks if you would like to add that additional thought.
For the information of members, questions for the record
are due tomorrow by close of business, and we would appreciate
your responses as soon as possible.
A final question, or maybe comments, if I could, starting
with you, Mr. Bardee.
As we close this hearing today, and I do truly appreciate
your time and testimony today because this is a very useful
exercise as we learn more about the problem ourselves and
challenge ourselves and try to do our best to coordinate the
moving pieces of this.
If each of you could give one or two things to summarize
your top recommendations of Congressional action that would
enhance our grid cybersecurity preparedness or response
capabilities, what would it be? You have talked a lot about it
here at the hearing, but maybe you can summarize that again,
the top two recommendations.
Mr. Bardee. I think from my perspective dealing with
electric reliability. One of them is actually bills like S. 79,
ensuring that we can get the research that it is difficult for
the private sector to commit as much in the way of resources
for.
Senator Gardner. Thank you for that.
Mr. Bardee. And the other would be if there are ways to
improve the kind of personnel training that Mr. Fowke was
discussing earlier to get us people who have skills, not just
in cybersecurity, but also in power system engineering. Those
people are very valuable.
Senator Gardner. Mr. Fowke?
Mr. Fowke. Well, I said a lot about information sharing so
I'll say something I didn't say yet. We talk about
sophisticated cyberattacks and they are growing, but you know
how most attacks occur? Not following basic cyber hygiene. And
that's how a lot of this gets started. So I think we need to
start thinking about how we can educate and, I dare say,
mandate some basic cyber standards across industry and
government which, I think, is long overdue.
Senator Gardner. Mr. Di Stasio?
Mr. Di Stasio. I would suggest that we build upon the
regulatory framework and the coordination that is starting to
occur. We have been at this for 10 years and I will say 2009 in
the House, I testified on the Grid Act. And we have come a very
long way since then but still have quite a bit to do.
But if we could deal with some of the issues that have been
mentioned around clearances, human resource training, getting a
certain level of maturity and understanding of the risks and
then increase coordination with the government, whether that
becomes through some consolidation of jurisdictions or whether
we do it as we have.
Senator Gardner. Dr. Zacharia?
Dr. Zacharia. Let me echo the sentiment I think that the
Senate bill 79 has it exactly right. In that based on our
experience with working with the Electric Power Board Utility
in Chattanooga, I think having a pilot where you bring together
the Federal Government, industry and the national laboratories,
the best of these three entities together to have a two-year
pilot to really explore what is possible to get out in front of
this evolving challenge is probably the best thing that we can
do because bringing those three players together, getting them
to work together, share information, understand each other's
both capabilities and challenges, I think would allow us to
make significant progress.
So, thank you very much for this opportunity.
Senator Gardner. Well, thanks again to members of the
Committee. As I said, the QFRs are due tomorrow by close of
business.
We appreciate your time and testimony today.
With that, we will adjourn the Committee.
[Whereupon, at 3:42 p.m. the hearing was adjourned.]
APPENDIX MATERIAL SUBMITTED
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]