[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





   TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE 
           SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 30, 2004

                               __________

                           Serial No. 108-196

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
95-799                      WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          ------ ------
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
                  Dan Daly, Professional Staff Member
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 30, 2004...................................     1
Statement of:
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office; and James F. McDonnell, 
      Director, Protective Security Division, Department of 
      Homeland Security..........................................    14
    Weiss, Joseph, executive consultant, KEMA, Inc.; Dan Verton, 
      senior writer, Computerworld Magazine; Gerald S. Freese, 
      director of enterprise information security, American 
      Electric Power; and Jeffrey H. Katz, enterprise IT 
      consultant, PSEG Services Corp.............................    65
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     8
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office, prepared statement of...........    16
    Freese, Gerald S., director of enterprise information 
      security, American Electric Power, prepared statement of...    90
    Katz, Jeffrey H., enterprise IT consultant, PSEG Services 
      Corp., prepared statement of...............................    97
    McDonnell, James F., Director, Protective Security Division, 
      Department of Homeland Security, prepared statement of.....    45
    Miller, Hon. Candice S., a Representative in Congress from 
      the State of Michigan, prepared statement of...............    11
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     4
    Verton, Dan, senior writer, Computerworld Magazine, prepared 
      statement of...............................................    80
    Weiss, Joseph, executive consultant, KEMA, Inc., prepared 
      statement of...............................................    68

 
   TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE 
           SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?

                              ----------                              


                        TUESDAY, MARCH 30, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:05 p.m., in 
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam, Miller, and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Dan Daly, professional staff member and deputy 
counsel; Juliana French, clerk; Suzanne Lightman, fellow; Erik 
Glavich, legislative assistant; David McMillen and Adam Bordes, 
minority professional staff members; and Cecelia Morton, 
minority office manager.
    Mr. Putnam. Good afternoon. A quorum being present, this 
hearing of the Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    I want to thank everyone for joining us for another 
important hearing on cyber security. I want to welcome all of 
you to this hearing entitled, ``Telecommunications and SCADA: 
Secure Links or Open Portals into the Security of the Nation's 
Critical Infrastructure.''
    Clearly, the issue of protecting the cyber element of our 
Nation's critical infrastructure is of paramount concern to 
this subcommittee and we will continue to examine these matters 
comprehensively.
    This is our second hearing dealing with the issue of SCADA 
or industrial control systems. Our first hearing was a closed 
hearing. Through our hearings and other high level briefings, 
it has become abundantly clear that our Nation is not protected 
sufficiently from cyber attack against our critical 
infrastructure. Given the fact that roughly 80 percent of these 
systems are owned or controlled by the private sector, it is 
important that we work collaboratively and aggressively to 
address this matter. The testimony today will, obviously, not 
reveal specific vulnerabilities; but I hope it will raise the 
alarm so that necessary steps will be taken to secure our 
critical infrastructure from the potential of cyber attack. 
Additionally, this hearing will focus attention on the 
telecommunications that connect SCADA devices to their control 
and monitoring networks and review the associated 
vulnerabilities.
    Industrial control systems, often referred to as SCADA, 
which is an acronym for Supervisory Control and Data 
Acquisition, underlie most of the infrastructure that makes 
everyday life possible in America.
    These systems support the processes that manage our water 
supply and treatment plants; control the pipeline distribution 
system and the electric power grid; operate nuclear and 
chemical power plants; and support the manufacturing of food 
and medicines, just to name a few.
    The Nation's health, wealth, and security rely on these 
systems, but, until recently, computer security for these 
systems was not a major focus. As a result, these systems on 
which we rely so heavily are undeniably vulnerable to cyber 
attack or terrorism.
    When I first began to inquire about this topic, I must say 
that I did not necessarily grasp the scope of the challenge. 
The more I have learned, the more concerned I have become. The 
critical infrastructure of our Nation lies mostly in private 
hands and this Nation is dependent upon their assessment of 
risk and, certainly, profit. Many private sector firms are not 
convinced of the business case to invest their resources in 
information security upgrades. Clearly, there is a much wider 
acknowledgement of potential physical threats at this point. 
But make no mistake, the cyber threat is real, it is 24 x 7, it 
could come from anywhere, and we must take this threat just as 
seriously.
    In a book just published, Thomas Reed, a former Air Force 
Secretary, details how our Government allowed the Soviets to 
steal software used to run gas pipelines. What the Soviets did 
not know is that the United States had sabotaged the software 
to cause explosions in a Siberian natural gas line.
    I became so concerned about the security of our SCADA 
systems, that I have asked the General Accounting Office to 
report to the Congress on the state of SCADA in America. GAO 
has produced an outstanding product and we are releasing the 
report at today's hearing.
    Months ago, at our first SCADA hearing, I said, ``It is 
also apparent to me that we have not developed a comprehensive 
strategy for addressing this weakness in our critical 
infrastructure.''
    In today's GAO report they conclude: ``We are recommending 
that the Secretary of DHS develop and implement a strategy for 
coordinating with the private sector and other government 
agencies to improve control system security, including 
developing an approach for coordinating the various ongoing 
efforts to secure control systems. This strategy should also be 
addressed in the comprehensive national infrastructure plan 
that the department is tasked to complete by December 2004.''
    I look forward to today's GAO testimony as they provide 
more detail on their findings. As a farmer, I rely on SCADA 
systems in local dams to prevent my fields from flooding and 
putting me out of business. It had never occurred to me that 
the potential threat from a computer somewhere half way around 
the world might exceed the harm that could be perpetrated by 
Mother Nature.
    I have learned that today's SCADA systems have been 
designed with little or no attention to computer security. Data 
is often sent as clear text; protocols for accepting commands 
are open, with no authentication required; and communications 
channels are often wireless, leased lines, or the Internet 
itself. Remote access into these systems for vendors and 
maintenance is common. In addition, information about SCADA 
systems is widely available. Not only are they increasingly 
based on common operating systems with well-known 
vulnerabilities, but also information about their 
vulnerabilities has been widely posted on the World Wide Web.
    Contributing to the security challenge is the requirement 
for public disclosure about the use of public airwaves. 
Utilities, factories, and power plants must register the 
frequencies that they use and provide detailed information on 
the location and structure of their communications networks. 
Sensitive information about these critical infrastructure 
systems is easily available. This is a special concern for 
communications systems that are easily interfered with, such as 
wireless.
    Finally, SCADA systems now also seem to be victims of 
common Internet dangers. It has been reported that the blackout 
this summer may have been partially exacerbated due to the 
widespread Blaster worm, which disrupted communications among 
data centers controlling the grid. The Nuclear Regulatory 
Agency has warned nuclear power plants about infiltration by 
the worms and viruses after a nuclear plant's systems were 
infected by a contractor's laptop.
    According to U.S. law enforcement and intelligence 
agencies, SCADA systems, specifically water supply and 
wastewater management systems, have been the targets of probing 
by Al Qaeda terrorists. Some Government experts have concluded 
that terrorists have existing plans to use the Internet as an 
instrument of bloodshed, by attacking the juncture of cyber 
systems and the physical systems they control. A recent 
National Research Council report has identified ``the potential 
for attack on control systems'' as requiring ``urgent 
attention.''
    America must not be so focused on preventing physical 
attacks that we leave our cyber back door wide open and 
unattended. The tragedy of September 11 has taught us that we 
must imagine the unimaginable, prepare for the unthinkable, and 
not leave any stone unturned. To do so could mean devastating 
economic losses and tragic loss of life. The threat is real and 
the time to act has long since passed.
    I look forward to the testimony from today's witnesses and 
I thank you for your contribution to the security of our 
Nation. Today's hearing can be viewed live via Web cast by 
going to Reform.House.Gov and clicking on the link under ``Live 
Committee Broadcast.''
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.001 through T5799.003
    
    Mr. Putnam. I want to welcome the distinguished ranking 
member of the subcommittee from Missouri, Mr. Clay, and 
recognize him for his opening statement. You are recognized.
    Mr. Clay. Thank you, Mr. Chairman, especially for calling 
this hearing. I thank the witnesses for taking the time to 
share their thoughts with us on how we can best prepare to 
secure our Nation's critical infrastructure systems.
    As all of us remember, the electricity blackout on the East 
Coast during August 2003 was another warning sign of the 
trouble which lies ahead should we continue to fail in securing 
the control networks that deliver us the necessary services for 
our daily activity. Although the Federal Government has made 
considerable efforts in producing public-private partnerships 
to improve the cyber security of our critical infrastructure 
control systems, a tremendous amount of work remains in 
coordinating these efforts among Government agencies, private 
entities, and standard-setting bodies.
    Furthermore, if we fail to establish an enforceable public 
policy blueprint for adequate critical infrastructure 
protection, how can we expect the necessary implementation of 
minimal security requirements for control systems throughout 
the private sector.
    Like our hearing last Fall, today's testimony from GAO will 
detail several challenges inherent in securing both public and 
private control systems against cyber threats from both foreign 
and domestic sources. They include: our limited technological 
capacities in securing such systems, the economic cost in 
providing such security, and indecision within many 
organizations about making control systems security a priority. 
These problems are exacerbated by the introduction of new 
technologies that are not always accompanied by adequate 
security measures, such as wireless systems. While being both 
economically and operationally efficient, many technology 
professionals still lack a detailed understanding of the 
vulnerabilities contained in wireless systems.
    As the subcommittee seeks to define the most practical 
public policy remedies for these problems, we must be aware of 
all such variables in order to find an appropriate balance for 
both governmental and nongovernmental organizations.
    As I stated during our hearing on SCADA systems last Fall, 
``The solution to cyber security and control systems is similar 
to efforts for resolving security issues in Government 
computers. The efforts require sound management, skilled and 
committed employees, and the understanding that security 
involves all employees in an organization, not just the chief 
information officer or other designated security officials.''
    I hope our witnesses today can provide some further 
insights on how our work should proceed in defining an adequate 
public policy response in this area. Thank you, Mr. Chairman. I 
ask that my written testimony be submitted for the record.
    Mr. Putnam. Without objection.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.004 through T5799.005
    
    Mr. Putnam. Thank you, Mr. Clay.
    The distinguished vice chair of the subcommittee, the 
gentlelady from Michigan is also joining us. You are recognized 
for your opening statement, Mrs. Miller.
    Mrs. Miller. Thank you, Mr. Chairman. I appreciate your 
holding this very important hearing today. I think as we 
examine the security of our Nation's critical infrastructure, 
we certainly are reminded, unfortunately, of our 
vulnerabilities and the importance of securing our Nation's 
control systems.
    These systems were developed when fears of cyber attacks 
were non-existent. Certainly their structure and the lack of 
expansive cyber security frameworks typifies the attitude of 
our Nation, quite frankly, pre-September 11th when we thought 
our Homeland was safe from the act of terrorists. But in 
today's world, the United States is particularly vulnerable 
because the terrorists look to use our freedoms against us. 
They look to disrupt our electrical networks, our financial 
systems, clearly our way of life. These are the things that we 
tend to take for granted. But we have to be proactive so that 
we can prevent future attacks from happening.
    So the question is, obviously, how can we secure these 
systems to the best of our ability. And I am hopeful that the 
witnesses who are testifying today can inform us of how Federal 
agencies are working with one another, how they are working 
with the private sector to provide a reasonable solution to the 
problems that we face. Obviously, building a fail-safe system 
is impossible but we must strive for what is reasonable. Time 
is of the essence because an attack on our critical 
infrastructure can happen from anywhere in the world, at any 
time. Security of control systems must be given the highest 
priority, and new technology must continue to be developed.
    I certainly want to thank all the witnesses for testifying 
here today. I am looking forward to your testimony. Thank you, 
Mr. Chairman.
    [The prepared statement of Hon. Candice S. Miller follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.006 through T5799.008
    
    Mr. Putnam. Thank you, Mrs. Miller.
    I want to welcome our witnesses again. Mr. Dacey is a 
frequent flier to the committee. We gave Karen Evans the week 
off but brought Mr. Dacey back. And as experienced witnesses, 
you understand the light system so I will not rebrief you on 
that. As you know, the subcommittee swears in witnesses, and in 
addition to the seated witnesses, anyone who is joining you who 
will be contributing to your testimony before the subcommittee.
    [Witnesses sworn.]
    Mr. Putnam. I would note for the record that the witnesses 
responded in the affirmative.
    We will move directly into testimony. Our first witness is 
Mr. Dacey. Mr. Dacey is currently Director of Information 
Security Issues at the U.S. General Accounting Office. His 
responsibilities include evaluating information systems 
security in Federal agencies and corporations, assessing the 
Federal infrastructure for managing information security, 
evaluating the Government's efforts to protect our Nation's 
private and public critical infrastructure from cyber threats, 
and identifying best security practices at leading 
organizations and promoting their adoption by Federal agencies.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.
    You may proceed.

 STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY 
ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND JAMES F. MCDONNELL, 
DIRECTOR, PROTECTIVE SECURITY DIVISION, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Dacey. Mr. Chairman and members of the subcommittee, I 
am pleased to be here today to participate in the 
subcommittee's hearing on the security of control systems. As 
you requested, I will briefly summarize my written statement 
which is based on our report on control systems that you 
released today.
    For several years, security risks have been reported in 
control systems upon which many of the Nation's critical 
infrastructures rely to monitor and control sensitive processes 
and physical functions. In addition to general cyber threats, 
which have been steadily increasing, several factors have 
contributed to the escalation of risks that are specific to 
control systems, including the adoption of standardized 
technologies with known vulnerabilities, connectivity of 
control systems with other networks, insecure remote 
communications, and widespread availability of technical 
information about control systems.
    Control systems can be vulnerable to a variety of attacks. 
These attacks could have devastating consequences--such as 
endangering public health and safety; damaging the environment; 
or causing a loss of production, generation, or distribution by 
public utilities. Control systems have already been subject to 
a number of cyber attacks, including documented attacks on a 
sewage treatment system in Australia in 2000 and, more 
recently, on a nuclear power plant in Ohio.
    Several challenges must be addressed to effectively secure 
control systems, including one, the lack of specialized 
security technologies for such systems; two, the perception 
that securing control systems may not be economically 
justifiable; and three, conflicting priorities within 
organizations regarding the security of control systems.
    The Department of Homeland Security, other Government 
agencies, and the private industry have independently initiated 
several efforts intended to improve the security of control 
systems. These initiatives include efforts to promote research 
and development activities, to develop requirements and 
standards for control systems security, to increase security 
awareness and information sharing, and to implement effective 
security management programs. Our report describes these 
initiatives in greater detail.
    Further, implementation of our recommendation for the 
Department of Homeland Security to develop and implement a 
strategy to improve control system security, including better 
coordination of these initiatives, can accelerate progress in 
securing these critical systems. The department concurred with 
our recommendation and reported that improving the security of 
control systems against cyber attack is a high priority for the 
department.
    Additionally, improvements in implementing existing IT 
technologies and approaches, such as those discussed in our 
recent report to the subcommittee on commercially available 
cyber technologies, can accelerate progress in securing these 
critical systems, including implementing more secure 
architectures with layered security, for example, by segmenting 
process control networks with robust firewalls and strong 
authentication; (2) establishing effective security management 
programs that include appropriate consideration of control 
systems; and (3) developing and testing continuity plans within 
organizations and industries to ensure safe and continued 
operation in the event of an interruption such as a power 
outage or a cyber attack, including consideration of 
interdependencies on other sectors.
    In summary, in the face of increasing cyber risks and 
significant challenges in securing control systems, several 
initiatives are in progress to improve cyber security of these 
systems. However, further efforts are needed to address these 
challenges to carry out and better coordinate such initiatives 
and to improve implementation of existing technologies and 
approaches.
    Mr. Chairman and members of the subcommittee, this 
concludes my statement. I would be pleased to answer any 
questions that you have.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.009 through T5799.034
    
    Mr. Putnam. Thank you, Mr. Dacey.
    Our second witness on our first panel is James McDonnell. 
Mr. McDonnell is the Director of the Protective Security 
Division at the Department of Homeland Security. Prior to this 
position, Mr. McDonnell was the Director of Energy Assurance at 
the Department of Energy, and director of national security 
operations at Oak Ridge Associated Universities. Mr. McDonnell 
has over 25 years of experience managing national security and 
homeland security activities and was a member of the leadership 
team assigned to craft the Department of Homeland Security in 
the White House Transition Planning Office. In 1995, Mr. 
McDonnell completed a 20 year career as an officer in special 
operations and special warfare in the U.S. Navy.
    I want to welcome you to the subcommittee. We appreciate 
the experience that you bring. You are recognized for 5 
minutes.
    Mr. McDonnell. Good afternoon Chairman Putnam and 
distinguished members of the subcommittee. It is an honor to 
appear before you today to discuss activities that the 
Department of Homeland Security is engaged in regarding process 
control systems and our Nation's critical infrastructure. I am 
James McDonnell, Director of the Protective Security Division, 
part of the Information Analysis and Infrastructure Protection 
Directorate within the Department.
    Established by the Homeland Security Act, and directed by 
Homeland Security Presidential Directives, IAIP is responsible 
for reducing the Nation's vulnerability to terrorism by one, 
developing and coordinating plans to protect critical 
infrastructure and key assets; and two, denying the use of the 
infrastructure as a weapon.
    Our goal is to ensure a national capacity to detect 
indicators of terrorist activity, deter attacks, and devalue 
targets, and to defend potential targets against terrorist 
threats to our critical infrastructures.
    To meet this goal, IAIP identifies those sites and 
facilities that may be an attractive target for terrorists 
based on risk and identifies how best to reduce those 
vulnerabilities. Once we know what we should protect and what 
the vulnerabilities are, we conduct risk assessments. We map 
threat and vulnerability information. This information is then 
used to prioritize the implementation of protective measures 
focused on mitigating our Nation's vulnerability to attack and, 
more importantly, sharing in a timely manner that information 
with State and local officials.
    The complexity of the infrastructure requires a 
comprehensive understanding of how this ``system of systems'' 
operates and it is this complexity that adds another dimension 
of vulnerability--the use of complex process control systems.
    Process control systems are industrial measurement and 
control systems used to monitor and control plants and 
equipment. They are utilized in numerous industries, including 
energy, manufacturing, chemical production and storage, food 
processing, and drinking water and water treatment facilities. 
These systems are often referred to generically by one of the 
most prevalent types, SCADA, Supervisory Control and Data 
Acquisition, but there are many other types of these systems.
    The systems vary in function, size, complexity, and age. 
Some function in an automated fashion. Some rely on a human/
machine interface, where the system provides critical 
information upon which an operator bases process control 
decisions. Some digital control systems can be reprogrammed 
from offsite through dial-up connections or through Web-based 
access. This cyber-physical nexus creates a complexity that 
requires a comprehensive approach for protection.
    To address the protection of these critical systems, IAIP 
has developed a comprehensive strategy to protect each element 
of process control systems. Our focus is on joint Government-
industry efforts to identify key assets, discover 
vulnerabilities, analyze risk, implement effective protective 
measures, conduct joint exercises and training, disseminate 
information, and develop inherently safer technology. Since 
most process control systems reside in the private sector, our 
ability to always effect change is sometimes affected by 
business factors that we cannot control.
    IAIP manages this as a team effort that includes all parts 
of the Directorate, including the Protective Security Division, 
the National Cyber Security Division, the Infrastructure 
Coordination Division, and the National Communication System. 
The bulk of the remediation and protective activities are 
conducted by PSD and National Cyber Security Division.
    Immediate efforts focus on protective measures that can be 
implemented within the as-installed/legacy environment, such as 
inexpensive technical or procedural changes that can be 
implemented at the site and in the immediate future. Near term 
efforts include detailed testing and assessment of 
vulnerabilities. In the long term, we will work with the 
private sector on the development of inherently safer 
technology.
    As part of PSD, we have established a Control Systems 
Section that will oversee the SCADA security program. The 
Control Systems Section will identify and reduce 
vulnerabilities critical to domestic security related to 
control systems. This section also includes the development and 
integration of the understanding of offensive capabilities, and 
providing relevant hands-on operational support during DHS 
heightened security events.
    We have identified approximately 1,700 facilities across 
the country that we hope to engage in a major vulnerability 
reduction effort during fiscal year 2004. Of those sites, we 
have identified 565 with process control systems. As 
appropriate, reduction in SCADA vulnerabilities will be 
undertaken just as reductions in physical vulnerabilities are.
    In closing, I would like to reiterate first that SCADA 
vulnerabilities are a fact, just like a hole in a perimeter 
fence. The problem is that the SCADA vulnerability is not seen 
by the casual observer and therefore goes easily unnoticed. 
SCADA vulnerabilities are seen by those who would do us harm 
through their manipulation and it is incumbent upon IAIP to 
ensure that those responsible for protecting America are seeing 
them and doing something about it. Finally, as earlier stated, the Department 
of Homeland Security views this as a national effort involving 
many directorates within the Department and many organizations, 
both public and private, outside DHS.
    I would be happy to answer any questions you may have.
    [The prepared statement of Mr. McDonnell follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.035 through T5799.039 (prepared statement of Mr. McDonnell; pages not reproduced)
    
    Mr. Putnam. Thank you, Mr. McDonnell. Let me begin with one 
of the last things that you said--it is a national issue with 
many directorates of the Department of Homeland Security 
involved. What one directorate is ultimately accountable for 
the successful protection of this critical infrastructure?
    Mr. McDonnell. Sir, I am the accountable executive at the 
Department of Homeland Security for this effort.
    Mr. Putnam. OK. And how do you coordinate then with Amit 
Yoran and the cyber security folks?
    Mr. McDonnell. Well, Amit and I both work for Bob 
Liscouski, who is the Assistant Secretary for Infrastructure 
Protection. We talk daily. This is one of the many issues we 
deal with. We are in the process of developing a joint package 
to understand how we both deal with each part of cyber. When 
you look at SCADA, we have Amit looking at the ones and zeroes, 
and that is how the hacker is going to come in, some guy 
sitting in an Internet cafe in Paris being able to hack in 
there or even locally coming in and affecting the code, 
rewriting the code. We also have to look at what are the 
systems themselves, how can they be intercepted. We are moving 
toward wireless technology, that has already been mentioned, 
and that adds another dimension of an avenue into the systems.
    My teams when they are in the field look at all of the 
security considerations at a site. The vulnerability of their 
SCADA systems is one of the things that the teams look at. I 
have had teams, just since the Department stood up, at the 226 sites 
around the country; as mentioned in my opening statement, we 
are going to be at another 1,700 during this year, and at every one 
of those we are looking at the physical nexus: is there a 
control box that somebody can get into and tap into, are there 
wires set that use an induction system, can you get in and take 
over the controls.
    So Amit and I have to work extremely closely to make sure 
we understand what each arm of the organization is doing. But 
we are doing it from a different level. He is at a global 
level, looking at how people are using the Internet globally, 
not just the Internet, but other malicious code types of 
attacks, where I am at the local level, looking at what is at 
the site, what are the vulnerabilities there that could be 
taken advantage of. It is an ongoing process. We talk literally 
all the time about this as well as other issues.
    Mr. Putnam. Thank you. The users of SCADA seem divided by 
their lines of business. The electrical industry does not 
necessarily talk to oil and gas industries, does not 
necessarily talk to the chemical industry. But according to the 
testimony provided by Siemens at our last SCADA hearing, SCADA 
systems are largely the same from industry to industry. What 
role does the lack of coordination within the private sector 
play as you work to solve these problems? I will begin with Mr. 
McDonnell and then go to Mr. Dacey.
    Mr. McDonnell. Thank you, Mr. Chairman. When PD No. 63 was 
written back in 1997, infrastructure protection was stovepiped, 
so to speak. It was a Federal agency overseeing the care and 
feeding of all the different business sectors out there. So, 
for example, prior to the Department of Homeland Security, I 
was the Director of Energy Assurance. My responsibility was the 
energy sector, there was another department that had the 
chemical sector, Treasury had banking and finance, etc.
    What has happened now with the President signing HSPD No. 7 
several months ago and the creation of the Department is we now 
at the Department of Homeland Security are responsible for the 
coordination across all of the sectors, with all of the Federal 
agencies to ensure that the good things that are happening in 
one get to the others.
    To your point, SCADA systems, there may be one manufacturer 
and maybe one patch that Nork found for the electric grid folks 
that may apply in the chemical sector. That is exactly the same 
in the other systems that we are dealing with out there. I may 
find a physical vulnerability that is common across many 
different business sectors.
    So the way we are addressing that is my office produces 
common vulnerability reports. When I have teams out that are 
looking at these things, what are common in different sectors, 
at different facilities, and then how do we ensure that folks 
that need to do something about it can track those things down 
and see if they have the same problem and fix them. We will be 
doing that--and we do that to some extent in SCADA right now 
but it is still, quite frankly, in its early stages of 
development. I have a SCADA common vulnerability report in the 
works that I should see before too long that will just be part 
of the package alongside chemical site security and other 
types of things.
    The whole concept of this is the Department has to know 
where we have specific vulnerabilities. Then we have to pull 
back from where that specific vulnerability is, ask the 
question, where else are those vulnerabilities, and make sure 
that fixes that apply to a specific site in, say, New Jersey 
get to the guy in Florida or California that needs the same 
information.
    Mr. Putnam. Mr. Dacey.
    Mr. Dacey. As we discussed in our report, when we were 
doing our work in research and talking to a lot of experts in 
the SCADA field, the general consensus continued to come back that 
there needed to be more coordination. There are a lot of 
activities taking place. It, quite frankly, took us quite a bit 
of effort to try to put together all of the initiatives we 
described in our appendix because they were not readily 
available in one central place.
    So I think in terms of the interest in the industry, there 
is an interest to get together because these SCADA systems 
share common vulnerabilities and common problems and some of 
the solutions, quite frankly, are common as well. So I think 
that is an important area and that is what led to our 
recommendation that the Department, in its role as laid out in 
the strategy to secure cyber space, put together a strategy for 
developing and coordinating those activities in one central 
place. And I am pleased to hear today that they are taking 
efforts to do that of late. Again, we have not been in and 
looking at the Department since we did our report, and I 
believe your section was set up sometime in December, if I 
recall. So it is good that action is taking place. It is a very 
critical element that needs to be carried forward.
    The other part of that is the research and development. I 
think it is very critical that the folks that are affected by 
SCADA systems get together and try to sort out what research 
and development needs to be done and needs to be accomplished 
to help secure these systems, because, as you discussed in your 
opening statement and as we discussed in our report, there is 
some inherent insecurity in these systems and they do not have 
a lot of capacity to lay on encryption and things of that 
nature. So I think that is another area that needs to be looked 
at carefully, again through a coordinated effort, which the 
Department should be working with the private sector and other 
Government agencies.
    Mr. Putnam. Do you have a breakdown, either of you, for 
what percent of SCADA systems are in private sector hands 
versus Government? But then within the Government, what I am 
concerned with is municipalities versus counties versus 
regional governments like flood control districts, water 
management districts, mosquito control districts, whatever, and 
States. If you are talking about a small county on the banks of 
the Mississippi River that is managing a very important piece 
of the flood control structure, that maybe the Corps does not 
have the money to upgrade SCADA systems, certainly, in south 
Florida we are dealing with it around Lake Okeechobee and the 
Everglades, control structures that are quasi-governmental. Do 
they even hit your radar screen, or are you really kind of 
focused on the bigger, more visible ones at this point?
    Mr. McDonnell. Those absolutely hit our radar screen. The 
first part of the process in the Protective Security Division 
is what we call the asset identification shop. It is 
essentially a domestic targeting branch where we work with 
State and local officials, with private industry, with sector-
specific agencies and say what are the things out there we 
should be concerned about protecting. We do that absent a 
vulnerability analysis initially because we need to know what 
are the things, the systems, the specific facilities, the 
systems of facilities, that, if affected, would have an impact 
that is unacceptable. Now we look at that in four different 
ways: First is public health and safety, what are the prompt 
effects of an attack on a facility; the second is economic 
impact; third is a symbolic nature; and fourth is national 
security, and that is the ability to support military 
mobilization and those types of things.
    We are in the process, for example, of building a new set 
of data for fiscal year 2005 and fiscal year 2005 activities 
and we have had 13,000 items already submitted to us by the 
States after looking at their systems. I have a team, it is the 
Asset Identification Section, who is sitting down with their 
counterpart agencies and saying, OK, for example, that levee on 
the Mississippi, just for the sake of argument, it gets on the 
list, the State says this is critically important for crop 
protection, or it floods the town. It is incumbent on us then 
to help them identify what that is vulnerable to. It may be a 
physical attack or it may be a cyber attack. If it is a cyber 
attack, then the next step in the process is what can we do 
about it.
    It sets up a process where we are actually going to 
operate, and we are operating now, based on if anyone thinks 
that something should be considered for protection, it will be 
considered for protection. How far down the road we go of 
actually implementing protective actions will depend on the 
analysis between that nomination of a facility for protective 
actions and the actual implementation of protective measures. 
Who does what protective measures will be a collaborative 
effort. We have inside the gate activities that need to take 
place, for example, where owners and operators have to do 
fixes, and we have outside the gate. A major effort underway 
now is to create buffer zone security plans. It is taking the 
operational environment away from the terrorists in the 
vicinity of the targets. We could build fences as high as we 
want and we could make a static security environment inside of 
a facility be impregnable or seem to be, but if we leave the 
area around it open for people to operate in, we leave the 
people vulnerable that are trying to protect our facilities.
    It is exactly the same in SCADA. We have to know what is 
there. We have to know the ways a terrorist could get in. And 
then we have to figure out how we plug that hole, so to speak.
    Mr. Putnam. Thank you very much. I would like to now 
recognize Mrs. Miller for 10 minutes.
    Mrs. Miller. Thank you, Mr. Chairman. Mr. McDonnell, if I 
could follow up a bit. I tried to take some notes there. You 
were saying that the DHS had identified about 1,700 different 
facilities thus far. Did you actually do that work yourself? 
How did you coordinate and cooperate with the States? Now it is 
my understanding that each State was responsible to deliver to 
DHS a State plan, their own assessment plan of the kinds of 
soft targets that they might find within their respective 
States. So I guess my first question is, did you actually do 
that work, or was that done by the States?
    Mr. McDonnell. It was done in combination. The plan that 
the States had to submit was due in at the end of December of 
this year. For the grant process for putting funds out to the 
States in the fiscal year 2004 appropriations, we were required 
by October 15 to brief leadership on the Hill of what we were 
going to use for infrastructure protection grants and what 
strategy we went through picking facilities. So we actually 
this year had to pick facilities pre-dating the inputs that 
were coming in through the strategic planning process that the 
States were in the process of submitting.
    Now that being said, what we did is, over the last year we 
have collected a lot of information, we have consolidated that 
into a list. I then took that and I met with the Homeland 
Security advisors and I said here are the 1,700, what do you 
think? For example, there was a shopping mall that ended up on 
there that was in the Meadowlands in New Jersey that does not 
exist yet. It is licensed, you look at all the business records 
and it shows that it is there, but nobody got around to 
building it. So we decided to take that off. We are not going 
to pour a lot of protection into that. But it was critically 
important in that case because Syd Casper, in New Jersey, said, 
hey, Jim, we do not have that here, but there is something else 
there that does need to be protected. And so it is an iterative 
process.
    I think, quite frankly, it is going to be another probably 
two cycles before we really have a very good handle on all the 
different things that are out there that need to be protected. 
But it is going to take continuous dialog. Hearings like this 
are good. Any time we can get people together to talk about 
this and get people thinking about getting the information back 
and forth so we can put good plans around things, I think we 
win.
    The 1,700 sites will probably, by the time we get done with 
this cycle with the State, be closer to 2,000 for actions 
during this year. We already see a little bit of a bump up. 
They are not the top 2,000 critical sites in the country, per 
se. But a big part of it is soft targets. We are putting a lot 
of effort right now into those areas that do not have any 
protection and looking at places where people are gathering and 
we could have low level attacks outside of the critical 
infrastructures, stadiums, shopping malls, those types of 
things. So there is quite a bit of movement in that area as 
well as the traditional sites. Included on the list at the top 
tier are chemical facilities, the most hazardous facilities, 
nuclear plants, rail, bridges, those types of things. And of 
that 1,700, there is somewhere in the range of 560 that have 
digital control systems that, as we put these buffer zone plans 
in place, will be part of the consideration.
    Mrs. Miller. Have all the States complied? Where are you 
nationwide? Have all the States complied with the requirement 
to have their State plan in? And then when they were doing 
their State plan, did DHS actually set criteria? I mean, if 
you have some State telling you you are going to have a 
shopping mall in 5 years and they have that on their plan as 
opposed to an existing nuclear facility, there should have been 
some criteria as the States were doing their own assessments I 
suppose.
    Mr. McDonnell. Right. I will have to get back to you on the 
specific number. I know we are very near everyone having 
submitted those.
    Quite frankly, the process that we used in asking the 
States to do the submission pre-dates the development of the 
division that I run and a lot of the other parts of the 
Department. What we did not want to do was, the States were 
pretty far down the road getting a strategic plan done, and so 
we did not want to stop them and ask them to start all over again. 
So that process has continued. What we did in parallel is 
engaged with the States to say now let us start talking more 
specifically about what criteria we want to use for identifying 
critical infrastructure and then how we go forward with that.
    So it is an ongoing process. We have the dialog underway, 
we have common goals and objectives, we still have to work out 
details as far as what is the best reporting scheme going to 
be, how do I make sure that one State looks at things the same 
way another State does. Honestly, they are going to look at 
them differently. I have to understand their perspective and 
figure out how I support them and try to get a national 
picture.
    Mrs. Miller. There has to be a standard I think. And the 
States have to look to us, the Federal Government, through you, 
to set those standards. And I asked this because you also 
mentioned about grants to the States. My State of Michigan I am 
aware has submitted their plan, although I do not know what the 
plan looks like. We have been told it is not for us to see, 
quite frankly. So I am hoping the plan is fine. We did have 
Secretary Ridge in my district most recently, and we were 
talking about appropriations to DHS based on some of the 
criteria as the States were doing their assessments.
    I guess I would ask you if you have any comment on this. 
For instance, in regards to some of the grants, a big part of 
the criteria there is based on population, which makes sense at 
first blush. But we have a situation in my district. As I 
mentioned, Secretary Ridge came in and we took him on a 
helicopter tour--if you can think of Michigan as a mitten, I am 
talking about this area here, which is the St. Clair River. We 
share a very long liquid border with Canada there and we have 
the third busiest border crossing on the Northern tier there 
called the Blue Water Bridge, which is the only commercial 
corridor on the Northern tier that can accept hazardous 
material across, unlike either Buffalo or the Ambassador Bridge 
in the city of Detroit. We have the CN rail tunnel there. We 
have what we call chemical valley. Sarnia in Canada there has a 
number of chemical plants across there. And yet this is a 
county that has a very small population base but, obviously, 
some unique characteristics in regards to a soft target. So I 
do not know if you are able to assist in this, but I certainly 
want to keep talking about that, that the criteria for the 
grants has to take into consideration a much more global 
perspective I think. And it is so important that your 
Department continues to work with the States. So I guess my 
question would be then, when you get these plans from the 
States, what are you doing with them?
    Mr. McDonnell. What we are doing now with the States is we 
are actually taking their inputs, we are refining what the 
lists are, and then we are going out and providing them support 
for buffer zone security planning and so on. The population and 
population density piece of the formula was used in the Urban 
Area Security Initiative which, by definition, was focused on 
the large cities. The selection of critical infrastructure 
assets for the other grant programs and the activities that my 
division is leading does not consider that they have to be in a 
city.
    So what I would expect in that case, and I will go back and 
check on the Blue Water Bridge, is I would expect the Michigan 
Homeland Security advisor, if that was not already on the list, 
would come back and say, hey, you need to add this, and we 
would do so. And then that would just be part of the process; 
my teams would be working with the State and assisting the 
State in developing those security plans, identifying where we 
can help, and just doing a better job nationally of dealing 
with the problem.
    Mrs. Miller. I just keep going on about setting the 
standards. I think it is so important that the Federal 
Government, through your agency, sets the standards, whether it 
is for as they are making their analysis throughout the States 
for their soft targets, or whether they are talking about 
setting up communications systems in all the various counties. 
The Secretary and many others have mentioned and almost 
everybody has agreed that is a priority in every county, right? 
Every municipality has such antiquated communication systems 
and everybody is running around trying to get grant money to 
put into communications systems to talk to one another. There 
is sort of a lack of standards, I think, on communications 
towers, all of these things. So I mention that to you as well.
    Once you have identified, and I do not know if you have 
gone this far, but as you have assessed where all of your soft 
targets are and that, how will you provide oversight for the 
States? How does that part of it work? Would you do that from a 
centralized location, from Washington? Would you do that 
through your proposed regional homeland security centers 
through the DHS? Do you have any next step there on how you 
would oversight that?
    Mr. McDonnell. Yes. I would use the term verification as 
opposed to oversight in that I am not directing the States or 
sort of telling them what to do. It is more of an assist role. 
And that being said, it is very effective. I do not have any 
real problems in dealing with the States in that area.
    I inherited a program from the FBI in the transition called 
the Key Asset Program, which was a field agent in all 56 of the 
field divisions who was responsible for critical infrastructure 
protection. I am in the process of hiring new replacement 
agents to be in the Secret Service offices throughout the 
country who would do sort of the daily care and feeding of 
those sites. This is very similar to the way MI-5 does it in 
the U.K. I went over and worked with those guys quite a bit to 
figure out how they handled this on a national scale.
    Say the person I have in Detroit will have a set number of 
sites, jurisdictions they have to work with. Their job will be 
on a daily basis to visit those places, talk to them, see how 
things are going, identify if vulnerabilities have been 
plugged, just spot checking, if you will. And those folks, 
prior to the regional offices being stood up, will report 
directly to my office at headquarters. I have a Secret Service 
agent detailed to me to manage that. And then over a period of 
time, as the Department's regional offices mature, we will have 
protective security detachments in each. Right now, everything 
is being run out of headquarters because I do not have regional 
and local activities yet. But as that evolves, then those local 
guys will work for the regional folks who will work for our 
headquarters policy oversight shop in Washington.
    But we really want the protective security activities to be 
community-based activities, much like the disaster recovery. 
The security at a site is not just the company, it is not just 
the local sheriff or law enforcement, it is a team effort and 
everybody has to be part of that team. So we are trying to push 
these activities to the local level. And this again gets to the 
difference between Amit Yoran's organization looking at global 
activities where there are not people necessarily local, to my 
shop really working at boots on the ground, talking face to 
face, knowing the people, having a relationship, and being able 
to be a reach-back capability for those local folks that need 
help.
    Mrs. Miller. Just one more question. Both of you gentlemen 
are trying to talk about what the necessary safeguards would 
be. Obviously, we are talking about dollars here, whether that 
be a local municipality, local sheriff's department, or whether 
it is a public utility, or what have you. Do you have any ideas 
at all about how the private sector might try to pay for some 
of these things? A utility, for instance, would have to go 
through their State's public service commission, that is what 
we call it in Michigan, I do not know what they call it in 
every State, to look for rate increases. Or do you think that 
some of these utilities or what have you would be looking to 
the Federal Government to set sort of a standard, some way of 
recouping some of these costs? Are you thinking about that at 
all or getting any feedback on that?
    Mr. Dacey. In terms of working on our report, again, the 
message we heard consistently from a variety of sources, 
vendors of SCADA and control systems, industry representatives, 
was a concern that it may not be economically feasible for them 
to proceed and invest the additional dollars in control systems 
security. And as a result of that, some of the vendors 
indicated they were not promoting heavily advances in that 
area. So we heard that a lot. Again, these are assertions that 
were made to us by a wide variety of people.
    But I think the issue becomes what level of security is 
appropriate. Some of the efforts that are underway to do 
research and development to develop standards and some kind of 
a basis for expectations, if you will, on what should be done 
to secure these technologies I think would be helpful out 
there. And then it becomes upon the private sector and the 
States to determine whether or not they are going to be 
financially able to afford whatever that level or standard 
might be. And I believe in the strategy it talks about the 
Department coordinating with the private sector to work on 
developing some type of standards. So I think that is an 
important area.
    We reported in the past, relating to CIP and general 
critical infrastructure protection, that the Department now 
needs to look at and consider the need for public policy tools 
to determine whether or not they are going to be necessary, 
whether it be grants, tax incentives, or whatever might be 
appropriate, to consider the need for those to provide 
additional incentives for the private sector to proceed. There 
have been a couple of situations where EPA has provided funding 
to do vulnerability assessments at water treatment facilities 
for major municipalities, for example.
    So there has been some activity. But what we had 
recommended was more of a broad based needs assessment to try 
to figure out what would be the best incentives for the private 
sector and State and local governments. But part of that I 
think is really setting an expectation about the level that 
needs to be attained and whether or not they are willing to do 
that without additional public policy tools.
    Mr. McDonnell. Just to follow up on that. As I mentioned, I 
was at Energy Department before I started the office at 
Department of Homeland Security. In my 2½ years, my 
experience has been that corporate leadership wants to do the 
right thing if they are given the right information. And, quite 
frankly, the Federal Government becomes a holder of the 
information quite a bit.
    And a big part of what we are seeking to do at the 
Department of Homeland Security is build the pipes to get the 
information out to people so they can make intelligent 
decisions. We need to get the specifics of SCADA 
vulnerabilities, for example, out of rhetoric and into, hey, 
here is a specific thing that is out there. One way to do that 
is the development of standards. We are working with the 
American Society of Mechanical Engineers, for one, to help us 
develop industry-based standards for risk assessment in the 
various sectors. SCADA will be a part of that.
    The other is setting expectations. One thing that we can 
help to do, and we are exploring this right now, is something 
like a DHS seal of approval, an underwriters laboratory, if you 
will, for if somebody comes out with a new software package for 
digital control systems, it goes to our test bed, the guys take 
a look at it and they say here is an assessment of it. I think 
from a business model, what you end up with then is you have a 
vendor who says, hey, this has been vetted, they have looked at 
this based on knowing what the vulnerabilities are, what the 
adversaries might try, and I am selling you something that is 
secure. The corporate executive then can go to his board and 
say, look, we are making the right decision. It frees them up 
from litigation for not using due diligence. There are good 
ways to build this but we have to build a baseline where there 
is actionable information in the hands of the executives and 
decisionmakers in the companies and an option. If we can move 
toward a particular system, and we are not saying this is a 
better system than this one, it is just an honest assessment of 
its vulnerabilities versus another, then that company can say I 
am going to buy that one and not the other. And I think that 
starts driving the business case for across the board 
improvement in security of the systems.
    Mrs. Miller. Thank you.
    Mr. Putnam. Thank you, Mrs. Miller.
    Let me follow up on her line of questioning about standards 
and assistance. I do not know that I ever got an answer on the 
breakdown of municipal, State, county versus private sector so 
that we have a handle on who is actually going to be 
responsible for paying the bills. But once you have this 1,700 
list finalized, then presumably we would have the price tag for 
bringing them into a higher level of preparedness or security. 
So then the question is who bears the cost. And if it is the 
private sector, and we know that 80 percent of the critical 
infrastructure is in private hands, then they are expected to 
bear the cost, but they are not mandated to bear the cost. Is 
that correct?
    Mr. McDonnell. In most cases, yes, sir.
    Mr. Putnam. So if they are presented with the options, as 
you illustrated, of a more secure system versus a less secure 
system, or upgrading versus not upgrading, there is no 
compulsion to act in the law. Is that correct?
    Mr. McDonnell. I think that is fair if it is strictly a 
question of investment. So, say, if I come in and say you have 
a whole year, if you do not fix it, somebody might attack you, 
and they say, yeah, yeah, whatever, thank you very much, I am 
not going to do anything about it anyway, what my experience 
has been to date is that is not a real problem right now. Now 
it may be a problem that evolves over time, but people are 
very, very sensitive to being vulnerable to attack. Some of the 
fixes that we are talking about are literally unplugging a 
phone line. Not all of the fixes are very complex.
    The key is to make the decisionmakers aware of where they 
are vulnerable. That is where the nexus between the Government 
operations, understanding the intelligence that is out there, 
the threat that is out there, and the vulnerabilities of the 
systems, and then being able to look a corporate executive in 
the eye and say you have this vulnerability, I am on record for 
telling you you have it, that it is your choice whether you do 
something about it right now, but if you do not, you are liable 
to be dealing with regulation down the road, if you do not, you 
are liable to be dealing with litigation if something goes 
wrong. So there is a coercive element to this.
    Now, that being said, in the energy sector, for example, 
the FERC has a lot of ability to help push these types of 
things. There is a question about rate recovery. The FERC, for 
example, can put out a rule that says if you are going to 
operate in the interstate transmission of electricity, here are 
some minimum standards that you have to follow, and then can 
encourage the State public utility commissions to allow rate 
recovery for those activities.
    Mr. Putnam. That is true. They are a legal monopoly and 
they have a price fix regulated by State legislatures or FERC 
or whomever. But what if it is a private chemical company that 
does not have the benefit of all of that and they have to make 
decisions about their bottom line? And in the real world, as 
you know better than any of us, the threat matrix is changing 
every day. You find some scrap of paper in a cave and it has 
got a picture of a chemical plant. The next week you find a 
picture of a dam. The next week you find a picture of a bridge. 
And you are expecting businesses, if you go make this pitch, 
well, this week is chemical plant week, or next week is bridge 
week, and next week is tourist attraction week, then how do 
they really make informed decisions.
    And correct me if I am wrong, there is no safe harbor. You 
were using this liability issue as a threat, that I am on 
record telling you that you have a vulnerability, I am telling 
you this is a problem, you can act or not act. If they choose 
to act, is there a reward by saying we put them on notice, they 
made use of the best practices and technology of the day, 
therefore they are protected?
    Mr. McDonnell. I think, as you point out, it is extremely 
complicated in how we actually push this down the road. It 
really gets to what is the consequences of failure. If, in 
fact, a dam, for example, has a SCADA vulnerability that we 
identify that risks the lives of thousands of people, I think 
with that piece of information it is pretty easy to ensure that 
dam does something about it.
    Mr. Putnam. OK. Let's stop right there.
    Mr. McDonnell. Sure.
    Mr. Putnam. Perfect example. Who pays for it? It is a 
county in the Midwest or in south Florida in the middle of the 
glades, their total county budget is $30 million a year and it 
is going to cost them $5 million to fix the dam. Who pays for 
it?
    Mr. McDonnell. I have the ability to sit down with the 
State Homeland Security advisor and say you need to take some 
of that grant money and fix that problem at that dam. And we 
have done that. So there is a process. There is plenty of money 
in place to do specific things. Now where you run into a 
problem is when people say, well, the sector needs to be fixed. 
Well, not all the dams are equal. All the dams may have the 
exact same problem but what we have to do is say that is an 
unacceptable risk. It is a risk-based decision, it may be a 
public health and safety decision, but we can find a way to fix 
it when we get to that specificity. And that is the challenge 
for our organization is to get to that specificity.
    Mr. Putnam. Here is my couple of concerns, and then I need 
to move to a few other questions that we need to get down for 
the record. But human nature being what it is, and the threat 
being as complicated as it is--and it is far more complicated 
than us just saying we are going to go make everything prepared 
for any threat. It just does not work that way. You have 
basically identified 1,700 sites. You and your colleagues 
around the country and in the States have basically said there 
is a top 1,700 list. My thinking, being a little bit cynical, 
is that the people who did not make the list are going to say, 
oh, but wait, we are vulnerable too. Look at all these things 
that we have that we need grant moneys to fix. Just like every 
police department in America wants to have first responder 
equipment equal to and greater than New York and L.A. and 
Washington. I mean, you see it. It is a feeding frenzy.
    I see there are certain sites particularly that meet 
Category III of your rubric, which are symbolic sites, that 
probably would just as soon not be there. But I can see a lot 
of sites saying, hey, this is the spot we need to be in, we 
cannot even afford to meet EPA water quality standards now 
because we have a plant that was built in the 1940's, but if we 
say that we are at risk of poisoning a half a million people, 
we will get a brand new sewer treatment plant, or we are going 
to get a brand new weir, or we are going to get a brand new 
whatever. So that is my concern in the real world process of 
how all this stuff works. And it is never ending because you 
cannot be more prepared than the terrorists' imagination.
    And I commend you for making a first step by saying these 
are the top 1,700, 560 of them have process control systems. At 
some point I hope you will be able to say the price of bringing 
these to an acceptable level is X amount. You, Congress, can 
decide whether you want to do it all in 1 year, whether you 
want to put it on a 5-year phase-in, but that is our call to 
make. And put it on sort of a milestone and task-oriented 
funding plan. But those are my concerns.
    The other issue is that GAO says in their report that these 
are the folks involved in SCADA security--DHS, Energy, Defense, 
5 different national labs, EPA, FDA, NIST, 2 multiagency 
working groups, the NSF, 11 private sector groups, and 1 
government-private partnership, for a total of 26 players. How 
does all that work, Mr. Dacey?
    Mr. Dacey. That gets back to our recommendation again. 
Sorry to get back to that, but the bottom line is that is what 
we recognized is that a lot of these efforts were initiated 
independently of each other. It was a need recognized by that 
particular group or sector to deal with a specific issue. DOD 
did work on determining what the effect of weaknesses in SCADA 
had on their ability to carry out military operations. And each 
one had its own genesis. That is why there is a need to 
coordinate these efforts so that we are getting the most 
leverage out of the activities and resources that are being put 
into this to get to the best answer as quickly as possible. I 
think that is a key issue in coordinating these efforts, again, 
something we heard consistently throughout discussions with 
those.
    Mr. Putnam. We wrestle with this on corporate information 
security and we put together a working group and we spent 
several months working through all those issues. It came about 
as a result of industry saying there is not any one law that 
you can pass that is going to solve this, it has to be 
collaborative and it has to be voluntary, and we need to have 
this underwriter's laboratory type model, very similar to what 
you are talking about for SCADA. But at the end of the day, 
there has to be some compelling reason for everybody to work 
and play well with others. I do not know what the proper 
formula there is, whether it is a safe harbor in the liability 
issues, whether it is tax credits, or whether it is just a cold 
hard law, but these are the issues we have to deal with to make 
these systems more secure.
    Mr. McDonnell, both the Science and Technology Directorate 
and the National Cyber Security Directorate at DHS have 
initiated several activities in the area of SCADA security. How 
are you coordinating their efforts? We talked about the 26 
outside of there. Even within DHS you have all this going on. 
Do you expect there to be one overriding plan that comes out in 
this SCADA vulnerability report that you referred to earlier?
    Mr. McDonnell. Yes, sir. We are in the process of taking 
the President's Directive on Infrastructure Protection, HSPD 
No. 7, and putting in place now how we operationalize that 
across all the sectors, across all the departments, and truly 
build a national plan. It is our intent that SCADA activity 
will be working to a common goal through a common process. Now, 
there will always be outside of government competitive folks 
out there that want to be doing their own thing. That being 
said, we absolutely are starting to pull all that stuff 
together and we will have a single national effort led by the 
Federal Government for SCADA.
    It is going to take some time to pull all this in. As my 
colleague mentioned, there are some equities in there, Defense, 
for example, has very specific reasons for looking at SCADA, 
the Department of Energy has a totally separate shop that is 
looking at SCADA and the processes in the nuclear control 
systems at the laboratories, the nuclear weapons processes, and 
they are never going to just kick that into a big interagency 
collaborative effort. But what we do have to make sure is that 
we understand what is going on in these sort of compartmented 
areas and we are not duplicating effort, that I am not paying 
for an R&D program that kicks out something that has already 
been invented over at the Defense Department but I just did not 
know about it. So that is absolutely part of the plan, sir.
    Mr. Putnam. As you know, we have a very open records policy 
in this country and even more openness depending on the States 
that involve the availability of design and blueprints, 
specific site locations, wiring configurations, frequencies. 
Could each of you speak to the risk or the lack of risk that is 
associated with public access to this type of information.
    Mr. Dacey. Certainly, there is definitely increased risk 
when there is more information about the security of specific 
systems that people could use. If you look at some of the stuff 
that is on the Internet, there are operations manuals, there is 
just a lot of information out there that is publicly available 
to understand how these systems operate and what is being done 
with them. There are even many other sites, vendor sites which 
even tell you where their equipment is installed and how it is 
installed, or at least a general idea of how it is installed. 
So there is a lot of information out there that could be used 
by someone if they wanted to do some damage to learn and 
prepare themselves for a potential cyber attack on SCADA 
systems.
    I think that combined with some of the other risks we 
talked about, such as the combination of these networks with 
other enterprise networks, exposes a real threat for hackers 
using just general purpose hacking tools to get into a network 
that is in one of these companies and use that opportunity to 
then get access to the SCADA systems if they are not 
compartmentalized and secured. That is where we saw in the 
Davis-Besse plant where, as you mentioned in your opening 
statement, a worm, the Slammer worm, migrated apparently 
from a vendor system through a trusted VPN, if I recall, right 
on into the nuclear power plant's main enterprise system and 
interfered with the traffic running in the control systems. So 
you have real issues there.
    So you combine the two with the fact that you can go in, 
there is clear text going across these things, it does not take 
a lot of imagination to think someone who is really studying 
and intent on doing something could not start to get a pretty 
good understanding of how these systems work, how the messages 
flowed, what they look like, and so forth and so on, if they 
could get into these systems. So I think there is a real risk. 
But it is not just the fact that the data is out there and 
available, that it is the other things which are really 
compounding that risk I think.
    Mr. Putnam. Does the access to information present a risk 
such that we should consider policy changes to public access to 
those plans and designs and operations and sites?
    Mr. Dacey. A lot of these systems, particularly newer ones 
which are moving to some of the common protocols, communication 
protocols and networks that we see out there and using the 
Internet as well, I think a lot of that information is public 
knowledge now. I think the bigger key is to better secure these 
networks and systems so that people cannot get to them through 
defense in-depth and other means. In other words, if a lot of 
these systems are adopting these current technologies, it does 
not take a lot to imagine getting in. Even if the information 
was not out there, one could still get in and gain a lot of 
insights if you could break into these systems. So I think the 
real key gets back to protecting the systems adequately so 
people cannot get in and start looking at traffic, you know, 
so-called sniffer software you can put in if you break into a 
system that looks at all the traffic going through, and you can 
use those to identify a lot of information on specific traffic 
that the control systems are using. So, again, it would help if 
that were not there, but I think there are a lot of other 
issues that need to be addressed that are just as important, if 
not more important.
    Mr. Putnam. Mr. McDonnell.
    Mr. McDonnell. Yes, sir. You asked specifically about 
change of public policy. Within the Homeland Security Act was 
the Critical Infrastructure Information Act, and that does 
provide an avenue for a company to submit information to the 
Department of Homeland Security, have it stamped as critical 
infrastructure information, and it is exempt from FOIA. And it 
is preemptive legislation and it is therefore exempt from State 
sunshine laws and so on. So there is an avenue for newly 
submitted information.
    Mr. Putnam. Prospective.
    Mr. McDonnell. Yes, sir. But once a barn door is open, it 
is open. There is an unbelievable amount of information that is 
available out there. You cannot get it back. The best thing 
that we can hope for is more discipline in what gets put on Web 
sites and controlled. And over time, a good operational 
security program will have better and better controls on that 
critical information. Quite frankly, if someone has information 
out there already and they have to go back and do something to 
change it, they have to physically change the system, they are 
not going to get the information back. The only way to mitigate 
that. My worst nightmare is somebody doing all of their 
planning from an Internet cafe in Paris. They can sit overseas 
and look at the floor plan of a chemical site, see what kind of 
control system it has, see what defenses look like, see what 
the local response capabilities are by going to the city's Web 
site. We have to influence that and we have to do that by the 
originator stopping posting public records, management, those 
types of things. So we have to identify the information we want 
to protect, and we do have a way to protect it now, but it is 
going to take some time to get people to sort of turn that and 
start putting it into the system.
    Mr. Putnam. When I was a kid, which was not all that long 
ago, but you would go to the encyclopedias. And you can go to 
the Internet and you get the encyclopedia and learn how to 
build a bomb. That does not mean you could actually build an 
atomic bomb just because it showed you how to do it. But today, 
you are talking about not just the chemical plant or the 
nuclear power plant's blueprints, which I think, frankly, are 
inherently fairly secure by their nature, people knew when they 
built a nuclear power plant long before Al Qaeda that it was 
something that needed to be protected, but rather the isolated 
valve 12 miles away, or switching station, or router, or 
whatever that is in the middle of nowhere with maybe nothing 
but a chain link fence around it, if that. That is the kind of 
stuff that concerns me, not a $50 million factory or facility 
or whatever. Anyway, that is what bothers me about the access. 
And I appreciate your input on that.
    According to your testimony in October 2003, the Science 
and Technology Directorate began a study of the current 
security state. When do you expect that study to be completed, 
Mr. Dacey?
    Mr. Dacey. Let me check my notes. I do not recall if we 
have a date for when that statement of work was supposed to be 
concluded.
    Mr. Putnam. And Mr. McDonnell, are you aware of the study?
    Mr. McDonnell. Not specifically, no, sir.
    Mr. Dacey. The statement of work called for delivery on 
about 90 days after beginning performance with an interim draft 
report, with a final draft report about 150 days after 
beginning performance. So that is kind of a general timeframe. 
So you are talking about 5 months. And I am not sure exactly 
when the study began.
    Mr. Putnam. Mr. McDonnell, are you more concerned about, 
with regard to SCADA system threats, not everything else that 
is on your plate, do you worry more about an international 
threat, as you put it, from an Internet cafe in Paris, or do 
you worry more about domestic home-grown type threats?
    Mr. McDonnell. I think international.
    Mr. Putnam. Mr. Dacey, do you have an opinion on that?
    Mr. Dacey. I think they are a significant threat. The thing 
I would add to my prior statement too is that there are not 
that many types of different control systems out there and they 
are used throughout the world. So it would not take much for 
someone potentially to get access to someone who had 
significant knowledge of operating systems in other countries 
that might be available to assist in some kind of attacks that 
might occur.
    But it could be virtually anywhere. If you look at some of 
these SCADA systems for some of the large institutions that 
carry them out, you will see that for operational purposes and 
better management a lot of these SCADA screens can be pulled up 
from virtually anywhere in the world. Now several of the 
institutions we talked to have implemented stringent controls 
to authenticate everybody going in there. But, quite frankly, 
it is conceivable that if it was not secured and you broke into 
the system, you could literally see right in front of you the 
operator's screen for the SCADA system. It is a frightening 
thought.
    Mr. Putnam. The DOE has not adequately funded the SCADA 
test bed. Is this something that DHS plans to fund, or is it 
still limping along in Energy?
    Mr. McDonnell. That is something DHS intends to do.
    Mr. Putnam. OK. Mrs. Miller, do you have additional 
questions?
    Mrs. Miller. I do not.
    Mr. Putnam. We are expecting votes between 3:30 and 3:45. 
So at this point, I would like to excuse our first panel and 
seat the second one as quickly as possible and at least begin 
testimony before we have to leave to vote.
    Gentlemen, I want to thank you for your responses and your 
candor and your interest in this very important issue. The 
subcommittee is grateful for your testimony.
    Mr. McDonnell. Thank you, Mr. Chairman.
    Mr. Putnam. With that, the committee will stand in recess. 
The first panel is excused. We will seat the second panel as 
quickly as possible.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene.
    We will seat the second panel of witnesses and move 
immediately into the administration of the oath and then we 
will get into your testimony.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all of the witnesses 
responded in the affirmative.
    I will precede my introduction of our witnesses by saying 
that we are expecting votes very shortly. We would like to ask 
you to keep your remarks to 5 minutes. We will undoubtedly be 
interrupted for votes. I believe we have two votes, so we 
should be away for approximately 30 minutes and will return 
immediately. So we apologize beforehand. We will keep things 
going as quickly as possible.
    Our first witness for the second panel is Joseph Weiss. Mr. 
Weiss is an industry expert on control systems and electronic 
security of control systems, with more than 30 years of 
experience in the energy industry. He serves as KEMA's leading 
expert on control systems cyber security. He spent more than 14 
years at the Electric Power Research Institute where he led a 
variety of programs, the last of which was cyber security for 
digital control systems.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

 STATEMENTS OF JOSEPH WEISS, EXECUTIVE CONSULTANT, KEMA, INC.; 
 DAN VERTON, SENIOR WRITER, COMPUTERWORLD MAGAZINE; GERALD S. 
 FREESE, DIRECTOR OF ENTERPRISE INFORMATION SECURITY, AMERICAN 
ELECTRIC POWER; AND JEFFREY H. KATZ, ENTERPRISE IT CONSULTANT, 
                      PSEG SERVICES CORP.

    Mr. Weiss. Thank you very much. Good afternoon Mr. 
Chairman, Ranking Member Clay, and members of the committee. I 
would like to thank the subcommittee for your commitment to a 
comprehensive examination of cyber security of the control 
systems utilized in our Nation's critical infrastructure. I 
also want to thank you for the opportunity to be here today to 
discuss this very important topic. My remarks will provide 
details on one, control systems design considerations and 
cultural issues; two, control systems cyber vulnerabilities; 
and three, key activities that need to be addressed and funded 
to secure control systems.
    Control systems form the backbone of our critical 
infrastructures. A control system controls a process such as 
regulating the flow of water in a power plant or opening a 
breaker in a substation. I have been working with the key 
organizations that have a role to play in this area, including 
the Government, end-users, equipment suppliers, standards 
organizations, and others, none of which have been adequately 
coordinated. My formal testimony has been reviewed by 
representatives of DOE's Office of Energy Assurance and the 
National Energy Technology Lab, DHS' Cyber Security and 
Protective Security Divisions, the Idaho National Lab, the 
Sandia National Lab, the General Accounting Office, Carnegie 
Mellon Software Engineering Institute, the United Telecom 
Council, and a utility member of the NERC Critical 
Infrastructure Protection Committee which is responsible for 
issuing the utility industry cyber security standard.
    Cyber security has been viewed as an information and IT, or 
Internet, concern. The basic design assumptions inherent in 
control systems are they would be stand alone and all control 
system users would be trusted users. However, competitive 
pressures have forced businesses to interconnect office and 
electronic commerce systems with control systems. This has 
exposed control systems directly to the Internet, Intranets, 
and remote dial-ups. Additionally, there is also a tradeoff 
between security and control system performance.
    There are only a handful of control systems suppliers and 
they supply industrial applications worldwide. The control 
systems architectures and default passwords are common to each 
vendor. Consequently, if one industry is vulnerable, they all 
could be. Additionally, utilities in North America and 
elsewhere are able to obtain the source code for electric 
industry SCADA systems.
    There have been more than 40 cases where control systems 
have been impacted by electronic means. These events have 
occurred in electric power transmission and distribution 
systems, power generation including fossil, hydro, gas turbine, 
and nuclear, there have been three commercial nuclear plants 
with denial of service events, water, oil, gas, chemicals, 
paper, and agribusiness. Some of these events have actually 
resulted in damage. Actual damage from cyber intrusions has 
included opening valves resulting in discharge of millions of 
liters of sewage, opening electric distribution breaker 
switches, tampering with boiler control settings resulting in 
shutdown of utility boilers, shutdown of combustion turbine 
power plants, and shutdown of industrial facilities.
    The traditional Internet vulnerability tracking 
organizations, such as the Computer Emergency Response Team 
[CERT], SANS, and the Computer Security Institute, are focused 
on traditional Internet and business system exploits and 
damage. The events and statistics quoted by these organizations 
do not specifically address control systems. Additionally, none 
of the control system impacts have been identified by these 
organizations. This lack of awareness is keeping executives 
from identifying cyber security as a business imperative.
    This also results in a quandary, as you brought up earlier. 
Control systems suppliers are not building secure control 
systems because they do not believe there is a market, and end-
users are not specifying secure control systems because they do 
not exist and would be more expensive. This lack of awareness 
concerning control system vulnerabilities and impacts is a gap 
that needs to be addressed.
    Consequently, DOE's OEA tasked KEMA and Carnegie Mellon's 
CERT/CC to perform a scoping study for establishing a CERT for 
control systems, which we called e-CERT. The funding for 
establishing and conducting the e-CERT function would be 
approximately $3 million a year. The investment would 
substantially improve the reliability and availability of the 
critical infrastructure as well as providing the awareness 
necessary.
    Existing cyber security technology has been developed for 
business functions and the Internet. Control systems require a 
degree of timing and reliability not critical for business 
systems. Because of this, employing existing IT security 
technology in a control system can range from lack of 
protection to creating a denial of service condition in and of 
itself. This has actually occurred in attempting to employ 
encryption in control systems. We do not know the true 
vulnerabilities of control systems. Penetration testing of 
business and control systems can lead to system interruption or 
require the system to be rebooted. Consequently, this testing 
must stop at confirming control systems can be accessed.
    The National SCADA Test Bed allows vulnerability testing of 
control systems to help identify the actual vulnerabilities. 
This testing will also enable test bed personnel to identify 
the necessary technologies to mitigate the vulnerabilities. 
Several suppliers of SCADA systems have already provided 
systems to the test bed. Adequate funding is lacking, however, 
to enable the test bed to function in a complete and timely 
manner. A significant multiyear investment is required, and you 
will hear from others as to what those estimates are.
    In summary, there are two key areas that require modest 
funding to help secure control systems throughout the 
industrial infrastructure--e-CERT and the National SCADA Test 
Bed. If these two activities are adequately funded, they can 
address awareness, minimize vulnerabilities, and evaluate and 
develop technology to secure control systems. This will 
minimize the threat of extended blackouts, like what happened 
on August 14th, and impacts on industrial production which will 
have a positive impact on the quality of life and security of 
the American population.
    Thank you for your time and interest. I would be happy to 
answer any questions, including about industry coordination.
    [The prepared statement of Mr. Weiss follows:]

    Mr. Putnam. Thank you, Mr. Weiss. You will undoubtedly get 
some questions on that.
    Our next witness is Dan Verton. Mr. Verton is a senior 
writer and investigative reporter with ComputerWorld Magazine 
based in Washington, DC, where he covers homeland security, 
critical infrastructure protection, and Government. Prior to 
joining ComputerWorld, Mr. Verton was the associate editor for 
defense at Federal Computer Week. He entered the journalism 
field after 7 years in the military intelligence community as 
an intelligence officer in the U.S. Marine Corps. He has a 
master's degree in journalism from American University in 
Washington.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.
    Mr. Verton. Thank you, Mr. Chairman. In the interest of 
time, obviously, I am going to summarize my remarks today, but 
actually I am going to diverge a little bit from what I had 
planned to say based on what I have already heard from the 
previous panel. I think what I have heard so far has been quite 
instructive for your work in this area.
    This hearing is supposed to be about SCADA systems security 
and telecommunications. But, surprisingly, what I heard from 
the first panel was that we are, in fact, at this current time 
erecting fences and digging moats around physical facilities 
that house SCADA systems. So where does this disconnect come 
from? I have a feeling it comes from the one individual from 
the Government that I do not see here that I think you would 
very much benefit from hearing from, which is Amit Yoran. I sat 
behind Mr. Yoran a few weeks ago in the Senate and listened as 
we were discussing the National Intelligence Estimate that was 
recently released or was supposed to have been released on the 
cyber threat to the United States stemming from, specifically, 
terrorist organizations around the world. And I was a little 
bit surprised that our director of national cyber security 
could not answer any general questions about the terrorist 
threat to the United States in the cyber realm.
    So I do not think it is necessarily doing anything for us 
to be creating layered defense in depth in a physical sense 
when the electronic infrastructure that powers these systems 
knows no borders. This also I think stems from what I think is 
a very dangerous approach to countering terrorism in 
cyberspace, which is the threat independent model. DHS takes a 
threat independent approach to threats in cyberspace. And what 
does that mean? That means that we approach terrorist incidents 
the same way we might approach a hurricane or a flood or an 
earthquake. And I think the danger that lies in this is that it 
presents us with a possibility of having the lowest common 
denominator for security when in fact you are talking about, 
for example, a hurricane which is very indiscriminate and 
random, whereas terrorist incidents are very much a highly 
targeted, very specific incident that might be indiscriminate 
in the killing and destruction, but it is very much a highly, 
well-planned incident that we are talking about. And I think we 
need to take that into consideration when we talk about these 
critical facilities.
    Finally, just briefly, I think there are some questions that 
should be asked about the funding for cyber security in the 
grant process. We were talking in the first panel about the 
money that has been made available to the States and 
localities. But I think there have been some questions raised 
out there about how that money can be used. So while the money 
may be used to build fences and dig moats around these 
facilities, I think there is some question out there about how 
much of it, if any of it, can be used to fund cyber security 
improvements for the SCADA systems.
    Basically, I think our challenge today stems from two 
perspectives. I think we need to try to reverse the 
intellectual rigidity that surrounds the issues of cyber 
terrorism. We already knew from evidence prior to August 14th 
that Al Qaeda had been studying SCADA systems from some of the 
evidence that we had picked up on the battlefield in the war on 
terrorism. If there was any doubt in the minds of the 
terrorists who are also trying to kill us that they should be 
studying SCADA systems, the international demonstration effect 
of August 14th pretty much eliminated that doubt in their 
minds.
    Second, I think if we insist on continuing to refer to 
these facilities, as we have here today, as critical to 
national security, we should treat them as such. I am aware of 
anecdotal evidence from people who are very much involved on 
the inside of the energy industry that not all people with 
authorized access to critical control systems are necessarily 
subjected to background investigations, and this is across the 
board, it is not just the energy industry. These are 
individuals with authorized access to the systems that both 
touch SCADA systems and to SCADA systems themselves. That is a 
vastly different picture from any national security 
infrastructure that I have been aware of in my time as an 
intelligence officer.
    And just one final point on the Web content, which you were 
asking about earlier. I wrote an entire book on the fact that 
the information we make available to the people who are trying 
to do us harm is really, as was mentioned, beyond the pale. It 
is unbelievable what you can find on the Internet. Now the 
genie may be out of the bottle already. But let me give you an 
example of just what I was able to dig up during my research.
    There are Web sites that provide interactive maps of the 
entire natural gas pipeline system in the United States. And 
they are not flat files. They give you latitude and longitude 
for every critical interconnection point in the United States, 
including the most critical interconnection point for the 
natural gas industry in the country. Some 40-plus percent of 
the entire GDP of natural gas passes through this one 
interconnection point. And you can not only find the latitude 
and longitude, but you can find the terrain features 
surrounding the particular point. And you can do this for the 
entire United States. I found that on the Internet during my 
research, including long-haul telecommunications termination 
points along the entire Eastern Seaboard, so on and so forth. 
So I think there is an argument to be made for a public policy 
approach to what we provide on the Internet, who we provide it 
to, and whether or not there is a business case for any of this 
information being out there.
    So with that, Mr. Chairman, I will be happy to answer any 
questions.
    [The prepared statement of Mr. Verton follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.050 through T5799.057

    Mr. Putnam. Thank you very much.
    Our next witness is Gerald Freese. Mr. Freese is the 
director of enterprise information security at American 
Electric Power. In this capacity, he is responsible for 
defining, developing, and executing all information security 
programs to effectively protect AEP data and systems. He is 
responsible for regulatory compliance and critical 
infrastructure protection for cyber security, and has been 
instrumental in the development of the NERC cyber security 
standards for the energy industry. He is a recognized security 
and infrastructure protection expert. He is American Electric 
Power's primary data security architect.
    You are recognized for 5 minutes. Welcome to the 
subcommittee.
    Mr. Freese. Good afternoon, Chairman Putnam, and members of 
the subcommittee. Thank you for offering me the opportunity to 
speak with you today. I am testifying as a representative of 
American Electric Power, as the director of enterprise 
information security of one of the largest utilities in the 
United States with over 11 States of operation and 5 million 
customers. Today I will be discussing issues of supervisory 
control and data acquisition, telecom interdependencies, and 
critical infrastructure protection.
    Energy utilities use a number of communications media to 
connect various SCADA system components, from private microwave 
to fiber networks and public networks. Each of these transport 
methods enables the data flow to and from SCADA networks and 
also creates the potential pathways of attacks. In telecom 
network interface roles, there are a number of device exploits 
or instances of malicious code that can effectively disable 
SCADA information flow. The point to take away from this is 
basically that SCADA and telecom vulnerabilities are not 
mutually exclusive.
    The growth of open systems is compounding the SCADA/telecom 
vulnerability issue. By use of common technology sets, public 
telecom providers are increasing the susceptibility of SCADA 
and telecom resources to multiple attacks from anywhere in the 
world. The open systems, with lower cost, ease of use, provide 
attackers with the same benefits as legitimate users enjoy. 
While we cannot effectively halt the move toward open systems, 
we can work to establish best practices in security to 
counteract potential exploitation.
    Availability of engineering and data system expertise is 
another factor. In Pakistan, American energy companies and 
vendors helped design the Pakistani infrastructure based on the 
U.S. model. In Afghanistan, analysis of recovered computers, as 
Mr. Verton mentioned, shows that terrorists were engaged in 
research on software and programming instructions for 
distributed control and SCADA systems. This and the vast amount 
of data on energy SCADA and telecommunications available 
through open sources, such as the electric industry 
publications, FERC filings, and on the Internet strongly 
support the assumption that there are few, if any, SCADA or 
telecom system unknowns and no boundaries on accessibility to 
the information. The growth of open systems technology and 
increasing ranks of the computer skilled show us that there is 
no logical basis for discounting the possibility of cyber 
attacks against targeted telecommunications and SCADA systems 
or components.
    The U.S.-Canadian task force investigation following the 
August 14, 2003 blackout concluded in its interim report that 
the outage across a large portion of the United States and 
Canada was not caused by malicious cyber events. If we 
substitute some well-known forms of intentional attack as the 
cause of the initial line malfunction, we can see that many 
forms of internal or external intrusion could bring the same 
net result. If we take that concept one step further, 
coordinated attacks against multiple vulnerable systems and 
networks over the Internet and other telecom resources could 
redirect processes, manipulate data and equipment, and 
eventually disrupt service across entire regions.
    The foundation of critical infrastructure protection lies, 
first of all, in awareness that it is a responsibility across 
both private and Government domains. It must be a priority in 
industry backed by executive support and viewed as an incentive 
to investment, not a roadblock. For example, at AEP, security 
implementation is listed in the third paragraph of the annual 
report, which is quite an accomplishment. Industry, with 
government support, must take the lead in information sharing. 
This is one of the critical aspects of critical infrastructure 
protection.
    To that end, there must be a greater protection of 
information from public disclosure. The ISACs, the Information 
Sharing and Analysis Centers, through public and private 
collaboration, must work toward consolidating information on 
risk-based vulnerability assessments and remediation and 
extending security best practices across all critical 
infrastructure sectors. Cost recovery initiatives with similar 
information protection must be supported at the State level 
with the possibility of Federal tax incentives for industry to 
defray the significant cost of current and future security. All 
of these activities will provide the necessary backdrop for the 
diverse U.S. critical infrastructure to comply with voluntary 
industry standards and eliminate the need for Federal 
regulation.
    Mr. Chairman, that concludes my statement. I would be happy 
to answer any questions.
    [The prepared statement of Mr. Freese follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.058 through T5799.061

    Mr. Putnam. Thank you, Mr. Freese.
    Our fourth, and final, witness for the second panel is 
Jeffrey Katz. Mr. Katz is the enterprise IT consultant for PSEG 
Services Corp., a subsidiary of Public Service Enterprise 
Group, Inc., in Newark, NJ, which, among other things, serves 
77 percent of New Jersey's population and is the State's 
largest utility. Mr. Katz has held a number of management 
positions within PSEG and PSEG Services Corp. in his 34 years 
with the companies. For the last 7, Mr. Katz has concentrated 
exclusively on wireless telecommunications projects and 
systems. Mr. Katz is also the former two-term mayor of his 
community.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Mr. Katz. Thank you, Mr. Chairman, and members of the 
committee. I am here today testifying on behalf of the United 
Telecom Council as the Chair of its Public Policy Division. I 
will discuss the impact of Federal and State policies on 
critical infrastructure [CI] SCADA systems. UTC is the 
association that represents the telecom interests of America's 
CI entities. UTC and its association partners represent 
virtually every electric, gas, and water utility, and every 
communications network used to operate, control, and maintain 
our Nation's critical infrastructure.
    Today our Nation depends upon reliable and available 
services provided by CI SCADA supported systems. They are 
critical and essential to the health, safety, and welfare of 
our Nation and our people. Just as our Nation depends upon CI 
services, every CI entity depends upon telecommunication 
systems for SCADA, telemetry, command and control, remote 
actuation, and protective relaying operations. In addition, for 
both routine communications and during disasters and outages, 
CI entities depend upon private internal data and voice 
networks to direct the work force and to restore service.
    From a broad policy perspective, we ask the committee and 
Congress to consider this question. What Federal or State 
policies, laws, or regulations impact negatively upon CI's 
ability to avoid service interruptions, to reduce their 
duration and scope, and to make CI, including SCADA systems, 
less vulnerable to attack by non-physical intrusion? For a 
detailed discussion on that issue, I would refer the committee 
to my written testimony. However, in a nutshell, UTC asks the 
committee to consider these five points.
    First, public access to sensitive radio frequency data 
provides information useful to those who would do us harm. The 
Federal system of record, the FCC's universal licensing system, 
is available to the general public through the Internet. 
Wireless CI, SCADA, telemetry, command and control, voice and 
data systems can be compromised using information contained 
within the FCC's public data bases. This information must be 
made less public, either through creation of a confidential 
licensing category, or by providing the FCC with other 
authorities, such as that enjoyed by NTIA, to make confidential 
certain CI spectrum use data. UTC also encourages providing 
NTIA with authority to share spectrum with non-Federal CI 
entities to assure greater confidentiality of spectrum use 
data.
    Second, CI data is made public unnecessarily through the 
FCC's pole attachment regulations with little regard to 
infrastructure safety. Pursuant to FCC rules, maps of utility 
infrastructure must be made available to potential attachers 
upon the most minimal of showings. Moreover, those who would 
attach fiber optic cable or other equipment to utility 
infrastructure are permitted to employ third party contractors 
rather than personnel trained to observe strict safety 
regulations. The FCC's original limited jurisdiction over 
utility infrastructure is being stretched to the point of 
endangering worker and public safety. That authority should be 
balanced by safety-based jurisdiction elsewhere in the Federal 
Government.
    Third, CI investment to improve and better secure 
communications systems is discouraged because such investments 
often are not immediately recoverable in rates and because the 
spectrum in which SCADA systems operate is not exclusive. 
Regulated entities recover capital investment costs through 
rate relief. Rate cases are time consuming, tedious, costly, 
and must be filed in each State in which the utility serves 
customers. However, most utilities have a multistate presence 
that would require consistent cost recovery schemes between and 
among the States involved.
    SCADA systems are system-wide and not limited to the 
borders of a single State. Prudent and necessary investments in 
enhanced security, reliability, and functionality should be 
recoverable immediately in rates, without the need to file a 
rate case in each State, and the specifics of the investment 
should be privileged and confidential. Furthermore, the 
investment must be protected. CI entities are reluctant to 
invest in new wireless SCADA systems because the spectrum is 
not exclusive. This subjects SCADA systems to interference that 
can compromise effectiveness.
    Fourth, State and local governments should receive guidance 
from the Federal Government as to what security expenditures 
and investments should be considered reasonable. UTC does not 
advocate that additional mandates be imposed on CI to ensure 
SCADA and/or telecommunications system security. This panel has 
heard my colleague's testimony about industry efforts already 
underway and the ideal role that the Federal Government should 
play. However, in an area as complex as homeland security, 
State and local governments and regulators look to the Federal 
Government for guidance on what constitutes reasonable 
investment. CI entities that invest in security measures 
meeting defined guidelines should expect to win cost recovery 
approval from State regulators. Federal guidance would 
facilitate investments not only by larger investor-owned 
utilities, but also by co-ops and municipals, all of which are 
faced with severe budget constraints and are under constant 
pressure to control rates.
    Fifth, and finally----
    Mr. Putnam. If you could just summarize.
    Mr. Katz. The plain fact is, there is also a push on the part 
of many Federal agencies who believe that commercial wireless 
services can substitute for private internal networks. Quite 
frankly, they are even more vulnerable than anything that we 
could build ourselves. When power fails, it is commercial 
networks that go down first. Plus, they do not have a 
ubiquitous presence throughout an operating territory for any 
particular critical infrastructure entity, and they just cannot 
be relied upon. There is no exclusivity, no reliability, and no 
availability that is guaranteed to us.
    This basically summarizes my comments, Mr. Chairman. I 
would be happy to answer any questions that you may have.
    [The prepared statement of Mr. Katz follows:]

    [GRAPHIC] [TIFF OMITTED] T5799.062 through T5799.066

    Mr. Putnam. Thank you very much, and I appreciate your 
patience with the bells. And I appreciate all of your patience 
with the fact that we have three votes pending which will take 
about 30 minutes to handle. So with that, the subcommittee will 
recess. Feel free to get something cold to drink or hang loose 
and we will be back in approximately 30 minutes.
    The subcommittee is in recess.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene.
    I want to thank the witnesses for their patience and 
tolerance of the congressional voting schedule. We will go 
right into questions since we did complete the opening 
testimony before we recessed.
    Let me begin with Mr. Weiss. When communication systems are 
installed in SCADA systems, how much consideration is given to 
security, in your opinion?
    Mr. Weiss. Let me respond to the question with a question. 
What do you mean by ``communication systems?''
    Mr. Putnam. The method of transmission of instructions, the 
network connections.
    Mr. Weiss. OK. In general, and I am going to give you a 
general statement that may not apply to everybody, and I am 
also phrasing it as a control system, not just a specific 
SCADA, usually security is not a critical aspect in a design of 
a control system. The implementation is usually most concerned 
with meeting performance specs. And the other thing that it is 
usually very much concerned with is the ability to communicate 
with the different systems that are being identified in that 
specification. There are very few specifications that include 
security.
    Mr. Putnam. So very few considerations then are given to 
eavesdropping, disruption, issues like that?
    Mr. Weiss. Correct.
    Mr. Putnam. Mr. Freese, Mr. Katz, or Mr. Verton, would you 
like to add anything to that question? Mr. Freese.
    Mr. Freese. Yes, Mr. Chairman, I would. Although it is true 
historically that when it came to developing SCADA digital 
control systems, there was not security planned up front. But I 
know, speaking for AEP and a lot of other companies, we have 
since integrated security into all of those applications, as 
many SCADA systems as we possibly can because we do understand 
the need to secure those resources. So it has become now 
commonplace for a lot of companies to introduce security up 
front in the planning process, and then retrofitting on those 
areas that we did not have security prior to this.
    Mr. Putnam. Mr. Katz.
    Mr. Katz. Thank you, Mr. Chairman. I think what we need to 
do is delineate a difference between then and now. A lot of 
legacy systems that are installed and still in place probably 
do not have a lot of security on them. To upgrade them would 
either mean replacing them or redesigning them and investing 
considerable dollars to do so. Newer systems that are being 
implemented take into account security concerns. They are 
generally taken into account in the RFP stage and all the way 
through.
    But I am more concerned about the legacy systems and the 
fact that if we are going to upgrade, we do need to make a 
significant investment in that. And in the utility business 
every investment competes with every other one. Hierarchy is a 
priority. A substation transformer in danger of failure may 
cost $2.5 million to replace and that may end up displacing 
another project, because if you cannot capture the investment 
cost through a rate increase, then you need to do it either 
with cash-flow or bonds or stock and none of them is a 
particularly great alternative. But if it increases the 
reliability of the utility plant, it is something that we would 
rather see the ratepayers--I think any utility would rather see 
the ratepayers pay. But that takes a rate case and many BPUs 
and public utility commissions are reluctant to entertain rate 
cases except once every 5 or 6, or 7 or 8 years.
    Mr. Putnam. What is the average age of a control system? 
Whoever may answer that one.
    Mr. Weiss. The average age of a control system in a power 
plant is probably on the order of maybe 5 years old. SCADA 
systems in utilities, not in, if you will, the independent 
system operators because the ISOs are fairly new, but SCADAs in 
electric utilities are probably, again, just a rough order, 
probably 7 to 10 years old.
    Mr. Putnam. And what about non-electric utilities--water 
control systems, flood control structures, things of that 
nature?
    Mr. Weiss. At least in those that I have dealt with, a lot 
of these industries, particularly water, flood control, etc., 
in a sense just recently put in automation and so they have, if 
you will, newer systems. But here is the other thing I think 
that maybe is important to point out. In a control system, 
there are really two aspects. One is where the operator sits, 
that is usually a Microsoft-based or a Unix-based operator 
screen. And in a spec, it is pretty straightforward, if you 
will, to specify that type of security. The other part of the 
control system is where you have the field devices, those 
things that actually measure temperatures, voltages, currents, 
and do the real-time calculations. That is where we really do 
not have the security technology at all yet. So putting that in 
a spec does not help. It does where you have the operator 
interface but not at the actual control. That is part of what I 
am hoping, and I am not speaking for anybody but myself, this 
is what I am hoping will come out of the National SCADA Test 
Bed.
    Mr. Putnam. That was a point that I made in panel I, that 
the main facility is of less concern to me than the field 
facilities at the weir, at the dam, at the valve or the pump or 
whatever.
    Let me follow up on your point. A lot of those non-electric 
utility systems are only recently automated, meaning that they 
are newer, perhaps have more security hopefully built into 
them. But as a consequence, if there is a failure of those 
systems, have they removed the ability to manually override 
whatever it is, and are people adequately trained to do it the 
old fashioned way? Or are they out there with their palm pilots 
or their wireless or their computer and they are being told 
exactly which valve, which line, which wire, and, absent 
electronic assistance, they are unable to make whatever 
corrective actions they need to make?
    Mr. Freese. Mr. Chairman, if I may. In our remote 
substations, for example, we have a lot of them that require 
either an in person interface or some other type of control 
that can be used at a short range or short distance to be 
effective. Our people are trained in both the electronic means 
and the manual means. The problem with security, as you were 
mentioning at the remote substations, for example, or any of 
the substations that are equipped with data concentrators or 
RTUs are using computers. The problem is that the more remote 
you get, the more difficult it is to keep security up to date; 
for example, antivirus, operating system patches, those types of 
things. So there is always kind of a lag between what needs to 
be done and what is done. And that is one of the focuses of the 
energy industry right now is to try to remedy that.
    Mr. Putnam. Mr. Verton, you were very blunt in your 
assessment of where we are. Walk us through a plausible 
scenario for a terrorist act against using one of these control 
systems or SCADA systems, if you would.
    Mr. Verton. Well, Mr. Chairman, we have already seen some 
examples in recent history where disgruntled insiders have done 
things like let loose raw sewage by hacking into sewage 
treatment facilities in Australia. But my biggest point, I 
think the best example would be the August 14th blackout which, 
while it was not a deliberate act of terrorism, it was most 
likely a self-inflicted wound, if you will. The demonstration 
effect of what happened afterwards and the fact that these 
systems are vulnerable to electronic disruption means that we 
cannot discount a scenario that includes a deliberate 
disruption of electric power throughout a major metropolitan 
area of the country that is quickly followed up by a preplanned 
series of physical traditional terrorist attacks. For example, 
we saw thousands of people caught in the subway systems in 
Manhattan who were sitting ducks for a chemical or biological 
attack. We saw people coalescing by the thousands on the 
streets who could have been the targets of a suicide bomber or 
something of that nature. So these types of scenarios are by no 
means what you might consider a Hollywood movie script. They 
are very much possible.
    Also I might add, we started in the first panel talking 
about the physical vulnerabilities of these systems. The 
physical aspects of cyber terrorism are something that we have 
not paid a lot of attention to. But you can conduct the same 
sorts of denial of service attacks in an electronic sense by 
physically destroying key nodes in the electronic 
infrastructure. When certain nodes are taken off line, it could 
ripple out of control throughout other various portions of the 
infrastructure and other sectors of the economy. So you do not 
necessarily have to conduct an electronic attack sitting there 
with a computer, but you can, if you have access, physically 
destroy certain nodes and cause similar effects that you can 
then go ahead and take advantage of. Does that answer your 
question, Mr. Chairman?
    Mr. Putnam. Yes. The counter argument to adequate 
preparation has been that the economic case just is not there 
for a number of local governments, municipalities, States, and 
private sector to invest in the security upgrades. Is that a 
flawed economic model, or is it an accurate economic model? And 
what could we do to encourage those investments in those 
upgrades? And I will begin with Mr. Katz and then work my way 
back toward Mr. Weiss.
    Mr. Katz. Speaking on behalf of the UTC and the industry in 
general, I think one of the things that the industry would not 
encourage are specific mandates to the industry about how to 
proceed with regard to investments in infrastructure. 
Certainly, if the industry were asked to come up with specific 
plans and guidelines or industry standards and best practices, 
that ought to happen within some reasonable timeframe.
    But the real dichotomy here is that investment needs to be 
recaptured, money has to be spent, and it is real dollars. So 
you have to spend money and you better have the money to spend. 
So where do you get the money? If it is not through rate 
relief, or the sale of bonds, or the sale of stock, no one is 
going to just come over and hand us a bundle of money, and we 
are not asking for specific grants from the Federal Government 
either because we are the private sector. But if it takes that, 
we are certainly not going to turn it down.
    The thing is that nobody really wants to be subject to 
mandated standards because the industry itself, the entire 
critical infrastructure component of the Nation is so diverse. 
A set of standards for a water company, a set of standards for 
electric companies, chemical, railroad, pipelines, you cannot 
adopt the same exact standard across the entire industry range. 
It is going to take some kind of voluntary cooperative effort 
on the part of Government and private sector in order to come 
up with a set of standards. That is the first thing.
    The other thing is that if there is an uncertain regulatory 
environment with regard to the technologies that we implement, 
we do not want our assets or our investments to be stranded. 
So, for example, if there is really some good technology out 
there for wireless SCADA control, because we have point-to-
point, end-to-end control over the infrastructure itself, as 
communications medium is independent of the common carrier, it 
is owned entirely by the critical infrastructure entity that is 
going to use it, so it is private wireless facilities, then the 
problem arises as to why was it exclusive, is it going to be 
subject to interference. Could some future regulation end up 
forcing us to compromise the security of that system simply 
because it is not really ours to use, it is part of some grant 
from a Federal agency, either the NTIA or the FCC. So it is a 
combination of factors and I am not really sure what the real 
answer is. But I think the industry itself needs to be given a 
chance to come up with a set of standards and best practices 
first, and perhaps a major investment in the INL labs is going 
to be very helpful in that regard.
    Mr. Putnam. Mr. Freese.
    Mr. Freese. I will go back to the budget question, the 
economic question. There are many companies, ours is one of 
them, who have expended millions in the last couple of years to 
improve security. Of course, we are going after cost recovery 
options with the States on these things and, again, we are 
trying to get people to listen to us based on tax incentives, 
things like that. However, I kind of go back to this is an 
awareness issue, first off. A company has to first of all have 
executive support for security, understand its responsibilities 
in the critical infrastructure organization. It is also an 
investor-incentive. At some point we are going to be judged on 
how secure is our company and how safe an investment is it in 
the face of all of the potential threats that are out there. To 
that end, we are following the NERC cyber security standards, 
first iteration of those, industry-based standards, and hoping 
to get other companies on board with those standards as well so 
we can all work toward information sharing, collaboration on 
security. I think budget is an important issue but a company 
that is serious about infrastructure protection will allocate 
funds for security, for both a business case and a security 
case.
    Mr. Putnam. Does the cyber security take a backseat to 
physical security?
    Mr. Freese. It does not take a back seat. In our 
organization, we moved security out of IT and out of 
facilities, to both under risk management. So we are part of 
enterprise risk management right now. The budget is pretty much 
allocated among the two sectors and we have been doing a very 
comprehensive program of physical security upgrades for our 
substations and plants as well as cyber security upgrades of 
our SCADA systems. So we try to split it fairly equitably among 
both of those sectors.
    Mr. Putnam. Mr. Weiss.
    Mr. Weiss. I see three areas. Again, I am trying to answer 
more as a technologist, if you will. The first one is the 
business case. One of the most difficult things I have seen is 
that it is difficult for an executive to justify protecting a 
system if he does not think it is at risk. And that is of such 
great importance to the CERT for control systems. If an 
executive realizes that his system is at risk and systems like 
his have been compromised, there is much more of a reason that 
he would be willing to spend the money.
    The second thing is that as technology stands today, there 
is not technology, as I mentioned, to secure the control system 
itself. What there is are, as mentioned, best practices. They 
are policies, they are procedures, they are audit functions, if 
you will, the low hanging fruit. The longer term is the work 
with the test bed to develop the technology.
    The other piece, and I think this is important too because 
it is a big issue in the cyber world, we have a culture issue 
in many companies--this is not electric power, this is across 
the board--and the culture issue is between the IT organization 
and the operational organization. We need to figure out how to 
resolve that because many operational organizations feel that 
IT is more of a menace to them than somebody from the outside. 
And we need to be able to address that because IT has that 
security expertise. So it is, if you will, a multifaceted 
problem.
    Mr. Putnam. Mr. Verton, what policies can be enacted that 
would encourage businesses to make the investment in security?
    Mr. Verton. Mr. Chairman, just to answer that question 
directly, I think the insurance industry in other sectors of 
the economy is already making great strides to offer favorable 
insurance rates to companies that meet certain standards and 
guidelines. There are one or two companies now that are 
offering those types of incentives. That is a type of effort 
that would do the one thing that is not happening right now, 
which is the national strategy to protect cyberspace only works 
if all of the infrastructure sectors are moving simultaneously 
forward. You cannot have one sector of the economy moving ahead 
of the others. So that is a type of a very simple way to get 
companies to apply these simple standards and practices.
    Now if I could answer the previous question. My opinion is 
that the current economic model is flawed. I believe that the 
sellers will continue to sell what the buyers are buying. And 
the problem is that too much of the burden has been shifted to 
the end-user and the consumer of the technology as opposed to 
the developers. Right now the buyers are buying a lot of junk 
and they are being told to bear the burden to secure it after 
the fact. I know you are doing a lot of work on that particular 
type of issue, working with both the vendor and the end-user 
community.
    Standards and best practices are fine but they only work 
when they are applied equally across the board. You cannot have 
a standard or a best practice that is not mandatory for 
everybody involved in this particular infrastructure. Somebody 
is always going to be somebody else's weakest link. So if they 
opt out, you have not really improved security for the entire 
infrastructure. In that regard, suggestions that cost money go 
nowhere unless you have some sort of mandatory requirement to 
meet some sort of standard. I find it very ironic that the only 
thing from what I can see that has resulted in an across the 
board, cross industry, cross sector improvement in security has 
been the one thing that the software industry and the hardware 
industry pretty much have been dead set against, which is 
regulation. Sarbanes-Oxley, HIPAA, and some other regulations 
have been the only thing that have really driven an across the 
board substantive improvement in security. And I think it is 
very ironic that the one thing that the developers of software 
and other technologies are dead set against is the only thing 
that seems to have worked so far.
    Mr. Putnam. So you do not see an industry-based, volunteer, 
collaborative effort as being successful?
    Mr. Verton. No, I do not think I would go that far. But my 
opinion is that the private sector, when faced with tough 
choices, when it comes to making a choice between spending a 
lot of money that they cannot afford to secure the systems 
because they are being told that they own and operate a 
national security infrastructure, they need somebody to help 
them with that. The Government cannot tell them that it is 
their responsibility without saying and here is how we are 
willing to help you. Because private sector is not in the 
business of being defenders of America. This is an 
unprecedented situation in American history, in my opinion, 
that so much of our national security and our economic 
stability is in the hands of private companies. So if you are 
going to ask the private sector to bear the burden, you also 
have to come to the table with some practical suggestions on 
how that burden is going to be shared.
    Mr. Freese. Mr. Chairman, may I add something to that?
    Mr. Putnam. You may.
    Mr. Freese. From the energy industry's perspective, we are 
not asking the Government to do everything for us or to give us 
all the money for all the security implementation we need to 
have done. We are asking to help prepare us for the 
extraordinary security event, extraordinary threat and attack 
on the energy industry. The other things we will take care of 
ourselves. But we try to get some assistance on the major 
upgrades, major changes across the industry.
    Mr. Putnam. I hear what you are saying. But as somebody who 
is in business, granted, you have to meet a higher standard 
when you are a public utility or a private utility.
    Mr. Freese. Right.
    Mr. Putnam. But at the end of the day, we have to strike 
some balance between addressing vulnerabilities and doing a 
good, thorough risk assessment and then trying to be all things 
for all potential threats. And I do not know where that line 
is. You squeeze the balloon here and you tighten up there, you 
dig deeper moats and you build taller fences, and then you have 
the cyber threat and so you move to the cyber threat, and in 
the meantime your fences have gotten rusty and your moats have 
filled in with sand and so you have to go back and dig those 
out deeper and replace the fence, and then technology has 
changed and everybody has gotten ahead of themselves, and then 
terrorists give up on attacking a new plant when all they 
really have to do is go into a shopping mall and use low tech 
devices that are being used in the Middle East on a regular 
basis.
    As we wade through all this stuff and you start adding up 
what it would take to secure the magic 1,700 that DHS has now 
identified, knowing how many tens of thousands are not on that 
list, you are going to go out of business making yourself 
secure. You are not investing in R&D, you are not investing in 
upgrades of the service that is your core mission because every 
ounce of profit is going back into something that is not 
generating economic growth. It is a dead-end issue 
economically. So I do not know where the line is. You have an 
obligation to do certain things. But I do not know that you 
have an obligation to imagine every conceivable bad threat, 
malicious attack that a gazillion people are out there trying 
to think of against the United States. It just makes your head 
hurt, doesn't it?
    What is the role of the Department of Homeland Security in 
this effort? And are they the right group of folks to fill this 
mission on the cyber threat, particularly on control systems?
    Mr. Verton. I will take that, Mr. Chairman.
    Mr. Putnam. Go right ahead.
    Mr. Verton. Since I started the frontal attack, if you 
will, on DHS, my opinion has been pretty much the same as that 
of Mr. Richard Clarke, you might have heard of him recently, 
that the position of cyber security has been, not the 
individual but the position, demoted. I think that right now 
the position is several layers down below where it needs to be. 
Basically, it has been removed from a Presidential advisor role 
to an advisor to an Assistant Secretary level. And I do not 
think that Mr. Yoran at the moment has the ability to see 
things that need to be fixed and take immediate action. So I 
think there is still some thought that needs to be given to 
the current organizational structure of DHS, particularly with 
respect to the role of cyber.
    Mr. Putnam. Is there a Presidential level advisor on 
chemical-biological-radiological-nuclear devices?
    Mr. Verton. I believe there is still a Presidential level 
advisor for terrorism. The problem being, if I know the history 
correctly, as Mr. Clarke has told it, a special position was 
created for cyber terrorism that was recommended by Mr. Clarke 
and he I think had every intention of remaining a Presidential 
level advisor until the DHS proposal came around and it was 
placed in the DHS, unfortunately not up at the secretary level 
but several layers below.
    Mr. Putnam. I think it is real easy to get hung up on what 
the flow chart is instead of what the mission is.
    Any other thoughts on that, Mr. Weiss?
    Mr. Weiss. Yes. My thoughts are a little bit different. 
Control systems are not unique to any single industry. To be 
able to protect control systems, that function needs to reside 
in whatever organization has the widest breadth to cover the 
most industries. DOE's function is really energy. But the same, 
for example, Honeywell control system that is in a power plant 
is also in a refinery, it is also in a water plant, it is in a 
chemical plant, it is in a paper mill. So I am really giving 
you more of a question back. But the real issue in where this 
needs to reside is what is the organization that will really 
cover the industrial infrastructure because that is where the 
vulnerability lies.
    Mr. Putnam. Within the overall universe of cyber threats, 
are threats to SCADA systems the greatest of cyber threats 
because of their connection to the physical infrastructure?
    Mr. Weiss. Again, I am going to answer this as a control 
system engineer. The reason I believe that cyber threats are, 
if you will, critical to control systems is that our control 
systems were not designed to be protected from them. So what is 
happening is you have a much less resistant system. It is also 
a system that has a lot higher consequence if something happens 
to it. I hope, because I am not a policy person, that the 
number of threats to these systems is much less than it is 
to other places. But the other systems, in general, have been 
designed or supposedly have been designed to resist those other 
threats.
    Mr. Putnam. Mr. Verton.
    Mr. Verton. Mr. Chairman, I will answer that question from 
a terrorism perspective. I think the answer is absolutely yes, 
only because any time you have computers that control real 
things in the real world that have public safety implications, 
they inherently immediately become a potential target for 
terrorists. So I think my technical colleagues on the panel 
would agree that description fits the bill for SCADA systems, 
if you will, across industries. So, yes, I think from a 
terrorism perspective, they are a primary national security 
concern.
    Mr. Putnam. Mr. Freese.
    Mr. Freese. I agree with Mr. Verton. Again, a lot of the 
energy industry agrees with Mr. Verton because they are trying 
to secure their control systems as much as they can. It is a 
huge task and it is going to take a long time.
    Mr. Katz. I would agree with that, too. From the 
perspective of critical infrastructure industries, the threat 
to SCADA systems and command and control systems is probably 
much greater and would have greater consequences than threats 
to our standard traditional data processing systems.
    Mr. Putnam. How helpful would a SCADA-specific CERT be?
    Mr. Weiss. I believe from all of the meetings I have had 
with different industries, through ISA, through IEEE, through 
all of these different organizations, when the concept of a 
CERT for control systems is brought up, it is almost always on 
the top of the list of what they think would be most helpful.
    Mr. Putnam. Does everyone agree with that? OK. Let the 
record reflect that everyone agrees with that.
    Let us talk about public disclosure. I am going to start 
with the reporter on this one. I always love hearing their 
views on open records. Telecom systems use control systems that 
require the public spectrum, that is an FCC issue, disclosure 
is an important part of it. As you know, blueprints, plans, 
designs, electrical wiring, circuitry, everything is generally 
available and easily accessible. What are your thoughts on 
restricting that?
    Mr. Verton. Mr. Chairman, I am obviously interested as a 
journalist, somebody who would be interested in finding this 
information and publishing it. But there have been many cases 
where I have not published information because of my own 
concerns and understanding of the damage it could do. Now I may 
be unique among journalists in that respect.
    I think there is a lot that can be done about restricting 
not necessarily the disclosure of the information, but how it 
is communicated to the people that need to know it. Let me give 
you some examples of some very recent post-September 11 
security assessments that were done just on public Web sites 
for major, major corporations in, of all places, Lower 
Manhattan. A CIA psychological profiler was hired to do a study 
of the Web sites of various large Fortune 500 companies to find 
out to what extent the content of their Web sites would make 
them targets of Al Qaeda. This particular survey found detailed 
maps and drawings of air conditioning and ventilation systems 
for large office complexes, it found the load bearing 
capacities of elevators, it found private data on some of the 
senior executives, the number of people present at any one 
office facility and where they worked, some banks had posted, 
for example, notices that they had frozen Al Qaeda related bank 
accounts for the world to see, support for globalization issues 
which we know has been known to stimulate portions of the Al 
Qaeda network.
    So there needs to be a business case and a balance struck 
between what you post on the Internet and maybe how you 
communicate it to the people who need to know certain 
information. For example, a local community has every right to 
know that they are living within striking distance of a 
dangerous chemical facility. They want to know that their 
children are potentially in danger. But do we need to post, for 
example, detailed information on that facility to the people in 
that particular community? Do we need, for example, to post 
detailed information on a uranium mining facility so that a 
potential terrorist could figure out how to do the most harm? 
And that is the balance that needs to be struck.
    From a private sector perspective, the companies that own 
and operate the critical infrastructures need to take a look at 
what they are putting out in the public to determine whether or 
not it serves their business. If it does not serve their 
business, they need to start asking themselves hard questions 
as to why are we putting it out there to begin with. And a lot 
of these companies fall into that first category of putting their 
air conditioning and ventilation diagrams for their office 
complexes. It makes absolutely no sense from a sales or a 
marketing perspective.
    Mr. Putnam. Does the public have a right to know that there 
is a site in their community that is 1 of the 1,700 identified 
lead targets?
    Mr. Verton. I think a community has a right to know if that 
1 of 1,700 is a dangerous chemical facility or a nuclear 
reactor of some sort. Certainly, they have a right to know that 
they are living within a danger zone. The question becomes how 
do you communicate that to the public and to what level do you 
communicate that information. I found, for example, a 
map of the entire United States with the locations of all spent 
nuclear fuel storage facilities on the Internet. Did that need 
to be up there post-September 11? I am not sure. To my 
knowledge, it was eventually taken down by the Department of 
Energy. So that is the type of balance we need to strike, in my 
opinion.
    Mr. Putnam. Our right to know in the past, particularly 
with the types of sites we are talking about here, was driven 
by environmental concerns. And now we are talking about terror 
threat-based concerns which are somewhat different. You have a 
right to know if a particular chemical plant is discharging X 
number of pounds of sulfur per year that has been known to have 
a connection to higher incidents of cancer or whatever. All 
that kind of stuff that is embedded in our environmental law. 
But what are the consequences of letting the world know what we 
think the top 1,700 are; meaning that everything that is not on 
the top 1,700 has a lesser degree of preparation or prevention, 
and what effect does that have on your business? Obviously, if 
you run a nuclear plant, I do not think being on the top 1,700 
is going to be a surprise to anyone. It is not going to affect 
your insurance rate and it is not going to affect who your 
neighbors are; they are pretty well aware of what they bought 
into when they moved to the neighborhood. But the rubric that 
they used was public health and safety, economic, which is very 
nebulous, symbolic, which is extraordinarily subjective and 
nebulous, and national security, which ought to be fairly 
identifiable. But people living next to a tourist attraction 
might think that is a pretty good thing, not realizing that it 
also might be a target for terrorists.
    So, as we move down this road, and I wish there were 
Members here from the other side of the aisle because they have 
an outstanding record, as do most Members of Congress, pushing 
for increased public disclosure, a very rigid FOIA law. But as 
we deal with these new issues, we have to have this debate. And 
I do not know where we end up.
    Mr. Katz.
    Mr. Katz. Thank you, sir. It is part of the dichotomy of 
the entire process; and that is, yes, the public is entitled to 
know certain things that may harm them, and at the same time 
there is certain information that we make available because it 
is required to be made available that can fall into the wrong 
hands and be used against us. For example, Mr. Verton refers to 
why would a utility market anything that deals with its 
infrastructure and its office building about air conditioning 
systems. Well, it does not do that. If we are building an 
office building, at least in my State, we are probably going to 
have to get local land-use approval, we are going to be before 
a planning board or a zoning board of adjustment. Once that is 
approved, now we are going to have to file plans with the 
building department and secure all proper permits. So all of 
those mechanical drawings, all of the electrical 
infrastructure, everything about that building is now public 
record because it is in the building department in the 
municipality that is issuing the permits. So that is a public 
record. Anybody who wants to find that can go get it.
    We have Federal agencies that we need to deal with that 
also disclose information to the public. At the same time, we 
all comply with SARA Title III. And in the local level, every 
business and industry in a community has to report to its local 
Office of Emergency Management once each year all of the 
chemicals and hazardous substances that it has onsite. That is 
available to the public and it is also available to anybody who 
wants to go break in to those facilities to be able to steal 
harmful materials and use them against us.
    So, yes, I agree that there is a need for public 
disclosure. As a former chief executive officer of a 
municipality, yes, the public should know these things. But to 
what extent do we let them know about certain things that could 
be used against us in a manner that hurts a lot of people. And 
that is a wonderful policy issue for Congress to deal with, 
and, Mr. Chairman, I wish you an awful lot of luck with that. 
But, yes, it is there and I think we all recognize it.
    Mr. Putnam. At what point does disclosure become harmful in 
and of itself?
    Mr. Katz. Exactly.
    Mr. Putnam. Disclosure is intended to protect the public 
from harm. But at what point does disclosure become harmful? 
And that is clearly something we are going to have to deal 
with. I do not know what ill purpose the public is served by 
not having access to the blueprint of a nuclear power plant. I 
cannot think of how the public is poorly served by not knowing 
that, or knowing the precise latitude and longitude of switches 
and valves and everything else. But I am sure that there are 
plenty of people who would be happy to tell me what they are.
    At this point, we are going to bring this in for a landing. 
I want to give all of you the opportunity to give closing 
remarks, deal with any issue that you came prepared to discuss 
that we did not get to, or add your closing thoughts on the 
topic in general. We will begin with Mr. Weiss and move down 
the table.
    Mr. Weiss, you are recognized.
    Mr. Weiss. First of all, I wanted to thank you for inviting 
me here. I very much appreciate that. I also appreciate that 
this discussion itself took place. I just want to reiterate 
three things. One is that control systems are truly important 
but security was never a basic premise when they were designed. 
They need to be protected. The second part is that there really 
needs to be a business case for their protection. And that is 
part of where that e-cert comes in. The third part is we need 
an adequately funded test bed for, if you will, the entire 
infrastructure to be able to evaluate and develop and 
demonstrate technologies to secure these, and, to me, that is 
the SCADA test bed. So, thank you.
    Mr. Putnam. Thank you. Mr. Verton.
    Mr. Verton. Mr. Chairman, thank you very much again for 
having me here today. I will just close by saying that I feel 
that these are very dangerous times for us post-September 11 
because I think we are entering a phase where we are 
potentially becoming dangerously complacent because of the fact 
that nothing has happened since September 11. Particularly in 
the electronic realm of this problem, the threat of cyber 
terrorism, as we have been discussing today, faces a very 
significant perception problem because people do not think that 
people who are trying to kill us are interested in these 
tactics, they do not think that they are capable of it. I have 
documented plenty of instances arguing the opposite point of 
view in that. I will just say that I think this is an urgent 
national security matter. Also, I would hope that the private 
sector gets some sort of real practical assistance in this 
effort to make sure that these systems are secured in a way 
that works for everybody.
    Mr. Putnam. Thank you. Mr. Freese.
    Mr. Freese. Taking the information disclosure one step 
further, a lot of the discussions earlier from the Government 
side focused on industry and Government cooperation, providing 
information to each other to help secure the critical 
infrastructure. But I think it needs to go further. Right now, 
I think there needs to be a better awareness between Government 
and industry of what the scope of the threat really is. I think 
they have to make a joint commitment that they have to work 
together, not just lip service like we have always heard, but 
something that is concrete, some kind of a plan that we will 
work together. This will require better information protection 
for information submitted from utilities, between utilities, to 
the States. All of those things have to be addressed. Right 
now, a lot of the blockage on getting things done--for example, 
the 1,700 list from the States is derived in a lot of cases 
without energy companies or other infrastructure organizations 
providing what they consider to be critical. The State says I 
think that is critical, let's send it in. They ask the 
infrastructure organizations for information. How can you 
protect my information if I give it to you? If you cannot, I 
cannot provide it. So there is kind of a roadblock there. We 
need to eliminate that roadblock as soon as possible.
    Mr. Putnam. Mr. Katz.
    Mr. Katz. I agree, gentlemen. So I am not going to 
duplicate that. On behalf of UTC, I would just like to thank 
the committee for its time and attention to this matter. I 
think it is extremely important to all of us. It is certainly 
important to the critical infrastructure industries. And one of 
the areas in which the Federal Government could really be 
helpful is if there could be just one Federal agency with 
accountability and responsibility to push this effort through. 
Right now, DHS is still organizing itself, the other 
independent Federal agencies do not see a lot of these issues 
as in their ballpark or part of their jurisdiction. So it would 
be very, very helpful if there was one point of contact within 
the Federal Government for all of this in cyber security.
    And I agree with Mr. Verton. I think the level of attention 
that needs to be paid to cyber security at the Executive level 
probably needs to be raised. With the departure of a cyber 
security czar, it probably is not there anymore. And I realize 
there are a number of national priorities and this is just one 
of them. But it is an important one and you have the folks here 
who are involved with that on a day-to-day basis and we 
recognize it as being important. But we do need some Federal 
leadership on this and the public sector will help and the 
private sector will cooperate to the extent that it needs to in 
order to get the job done because it helps all of us.
    Mr. Putnam. Thank you, all of you for your comments. I 
would urge you to keep DHS' feet to the fire and help us do the 
same. At some point the excuse that they are a new department 
will cease to be valid. It has already reached that point with 
me. It is no longer an issue. They have had their 1 year 
anniversary, they have cut the cake, and now no more excuses.
    So we thank all of you very much for your candor and 
insight and for your patience with the disjointed nature of 
this hearing. I also want to thank Mr. Clay and Mrs. Miller for 
their participation and interest in this issue.
    In the event that there may be additional questions that we 
did not have time for today, the record will remain open for 2 
weeks for submitted questions and answers.
    With that, the subcommittee stands adjourned.
    [Whereupon, at 5:17 p.m., the subcommittee was adjourned, 
to reconvene at the call of the Chair.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T5799.067 through T5799.071