<html>
<title> - IMPLICATIONS OF CYBER VULNERABILITIES ON THE RESILIENCE AND SECURITY OF THE ELECTRIC GRID</title>
<body><pre>[House Hearing, 110 Congress]
[From the U.S. Government Printing Office]


IMPLICATIONS OF CYBER VULNERABILITIES ON THE RESILIENCE AND SECURITY OF
                           THE ELECTRIC GRID

=======================================================================


                                HEARING

                               before the

                        SUBCOMMITTEE ON EMERGING
                        THREATS, CYBERSECURITY,
                       AND SCIENCE AND TECHNOLOGY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 21, 2008

                               __________

                           Serial No. 110-117

                               __________

       Printed for the use of the Committee on Homeland Security


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                     U.S. GOVERNMENT PRINTING OFFICE

43-177 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP,
Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Edward J. Markey, Massachusetts      Lamar Smith, Texas
Norman D. Dicks, Washington          Christopher Shays, Connecticut
Jane Harman, California              Mark E. Souder, Indiana
Peter A. DeFazio, Oregon             Tom Davis, Virginia
Nita M. Lowey, New York              Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
Columbia                             David G. Reichert, Washington
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida
Islands                              Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina        David Davis, Tennessee
James R. Langevin, Rhode Island      Paul C. Broun, Georgia
Henry Cuellar, Texas                 Candice S. Miller, Michigan
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey

       Jessica Herrera-Flanigan, Staff Director & General Counsel

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
                               TECHNOLOGY

               James R. Langevin, Rhode Island, Chairman

Zoe Lofgren, California              Michael T. McCaul, Texas
Donna M. Christensen, U.S. Virgin    Daniel E. Lungren, California
Islands                              Ginny Brown-Waite, Florida
Bob Etheridge, North Carolina        Paul C. Broun, Georgia
Al Green, Texas                      Peter T. King, New York (Ex
Bill Pascrell, Jr., New Jersey       Officio)
Bennie G. Thompson, Mississippi (Ex
Officio)

                   Jacob Olcott, Director and Counsel

       Dr. Chris Beck, Senior Advisor for Science and Technology

                       Carla Zamudio-Dolan, Clerk

           Kevin Gronberg, Minority Professional Staff Member

                                 ______

                                  (II)
                            C O N T E N T S

                              ----------
                                                                   Page

                               Statements

The Honorable James R. Langevin, a Representative in Congress
  From the State of Rhode Island, and Chairman, Subcommittee on
  Emerging Threats, Cybersecurity, and Science and Technology:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Ginny Brown-Waite, a Representative in Congress
  From the State of Florida......................................     4

                               Witnesses

The Honorable Joseph T. Kelliher, Chairman, Federal Energy
  Regulatory Commission (FERC), Accompanied by Joseph McClelland,
  Director, Office of Electric Reliability, FERC:
  Oral Statement.................................................     6
  Prepared Statement.............................................     7
Mr. Richard Sergel, President and Chief Executive Officer, North
  American Electric Reliability Corporation (NERC):
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Mr. Greg Wilshusen, Director, Information Security Issues,
  Government Accountability Office (GAO), Accompanied by Naba
  Barkakati, Senior Level Technologist, GAO:
  Oral Statement.................................................    25
  Prepared Statement.............................................    26
Mr. William R. McCollum, Jr., Chief Operating Officer, Tennessee
  Valley Authority (TVA), Accompanied by John Long, Chief
  Administrative Officer, TVA:
  Oral Statement.................................................    32
  Prepared Statement.............................................    34

                             For the Record

Mr. Bill Pascrell, Jr., a Representative in Congress From the
  State of New Jersey:
  Exhibit A: ES-ISAC Advisory Follow-up Survey...................    45
  Exhibit B: Letters.............................................    47

                                Appendix

Questions From Chairman James R. Langevin........................    81


IMPLICATIONS OF CYBER VULNERABILITIES ON THE RESILIENCE AND SECURITY OF
                           THE ELECTRIC GRID

                              ----------


                        Wednesday, May 21, 2008

             U.S. House of Representatives,
                    Committee on Homeland Security,
      Subcommittee on Emerging Threats, Cybersecurity, and
                                    Science and Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:13 p.m., in
Room 311, Cannon House Office Building, Hon. James R. Langevin
[chairman of the subcommittee], presiding.
    Present: Representatives Langevin, Lofgren, Etheridge,
Green, Pascrell, McCaul, and Brown-Waite.
    Also present: Representative Jackson Lee.
    Mr. Langevin. The subcommittee will come to order.
    The subcommittee is meeting today to receive testimony on
Implications of Cyber Vulnerabilities on the Resiliency and
Security of the Electric Grid.
    I will begin by recognizing myself for an opening statement.
    Good afternoon. I would like to thank our witnesses for
testifying today.
    Over the last year, this subcommittee has spent a lot of
time and energy on improving Federal network security. Today's
issue, the security of our critical infrastructure networks, is
one that demands equal attention. The effective functioning of
our critical infrastructure, from dams and water systems to
factories and the electric grid, is highly dependent on control
systems, computer-based systems that are used to monitor and
control sensitive processes and physical functions.
    Once largely proprietary closed systems, control systems
are becoming increasingly connected to open networks such as
corporate intranets and the Internet itself. This connectivity
places these infrastructures at increased risk of intentional
or unintentional control system failures which can have a
significant and potentially devastating impact on the economy,
public health and national security of the United States.
    There can be no doubt that America's critical
infrastructure networks are under constant threat. Pervasive
vulnerabilities of hardware and software and the connectivity
of these machines to the Internet make our multi-layered lines
of defense, meaning anti-virus, firewall and intrusion
detection, relatively ineffective in addressing the problem.
    To compound matters, many organizations prefer to focus on
the deployment of new technology without regard for the
security or integrity of their systems or information. This
often means that information security officers are
simultaneously facing increased responsibility and shrinking
budgets.
    These are overwhelming challenges without clear solutions.
The Federal Government and the private sector must act with a
sense of urgency to address these issues; and yet, as I read
today's testimony, I still do not get the sense that we are
addressing cybersecurity with the seriousness that it deserves.
    Today's hearing will focus on two primary issues.
    First, we will receive an update from the Federal Energy
Regulatory Commission, FERC, and the North American Electric
Reliability Corporation, NERC, about electric industry efforts
to mitigate a cyber vulnerability known as Aurora. I think we
could search far and wide and not find a more disorganized,
ineffective response to an issue of national security of this
import. Everything about the way this vulnerability was
handled, from press leaks, to DHS's failure to provide more
technical details to support the results of its test, to NERC's
dismissive attitude to the industry's halfhearted approach
toward mitigation, leaves me with little confidence that we are
ready or willing to deal with the cybersecurity threat.
    As time passes, I grow particularly concerned by NERC, the
self-regulating organization responsible for ensuring the
reliability of the bulk power system. Not only do they propose
cybersecurity standards that, according to the GAO and NIST,
are inadequate for protecting critical national infrastructure,
but throughout the committee's investigation they continued to
provide misleading statements about their oversight of industry
efforts to mitigate the Aurora vulnerability.
    If NERC doesn't start getting serious about national
security, it may be time to find a new electric reliability
organization. NERC can begin demonstrating its commitment by
incorporating more of the NIST security controls in the next
iteration of its reliability standards.
    Now I am thankful today that Chairman Kelliher and his
staff at FERC are taking cybersecurity seriously. In earlier
correspondence, Chairman Thompson and I voiced our concern that
the Commission not only lacked authority to regulate
potentially vulnerable cybersecurity assets that are not
covered in the NERC standards, but also the authority to issue
orders to owners and operators in the event of an imminent
exploitation of an asset on the grid.
    The chairman and I fully support FERC's request for
additional legal authorities to adequately protect the bulk
power system, and we certainly look forward to working with you
and the appropriate committees in the future.
    Our second issue of discussion today involves the GAO
investigation that this committee commissioned last year. We
asked GAO to provide insight into the cybersecurity controls of
the Nation's largest public power utility, the Tennessee Valley
Authority, TVA. The TVA's service area covers 80,000 square
miles in the southeastern United States, with a total
population of 8.7 million people.
    Unfortunately, the GAO found that the TVA security posture
was seriously lacking. According to the report, TVA has not
implemented appropriate security practices to secure the
control systems and networks used to operate its critical
infrastructures. Until TVA addresses these weaknesses, it risks
a disruption of its operations as a result of a cyber incident
which could impact its customers.
    Now I am pleased to hear that TVA has taken significant
steps toward implementing higher levels of security.
    But these problems are not unique to TVA. I believe they
are typical of security practices across the industry; and
given what we have seen with the Aurora mitigation, I have
little confidence that the industry is taking appropriate
actions.
    Now, in closing, I would like to challenge each of you here
and everyone in the industry to, among other things, prove to
our committee that you are serious about cybersecurity. Show us
you are willing to adopt better standards because it will make
the entire grid more secure. Leverage the critical
infrastructure community to push control system vendors to
build more secure products and commit the manpower and the
money to mitigating your vulnerabilities.
    I can say this, that we will continue our oversight in this
area. It will be robust. In the next subcommittee hearing,
though, I certainly look forward to talking about all the
progress the industry has made in meeting our challenges.
    [The statement of Chairman Langevin follows:]
            Prepared Statement of Chairman James R. Langevin
                              May 21, 2008
    Good afternoon. I'd like to thank our witnesses for testifying
today. Over the last year, this subcommittee has spent a lot of time
and energy on improving Federal network security. Today's issue--the
security of our critical infrastructure networks--is one that demands
equal attention.
    The effective functioning of our critical infrastructure--from dams
and water systems, to factories and the electric grid--is highly
dependent on control systems, computer-based systems that are used to
monitor and control sensitive processes and physical functions. Once
largely proprietary, closed systems, control systems are becoming
increasingly connected to open networks, such as corporate intranets
and the Internet. This connectivity places these infrastructures at
increased risk of intentional or unintentional control system failures,
which can have a significant and potentially devastating impact on the
economy, public health, and national security of the United States.
    There can be no doubt that America's critical infrastructure
networks are under constant threat. Pervasive vulnerabilities in
hardware and software, and the connectivity of these machines to the
Internet make our multilayered lines of defense--anti-virus, firewall,
and intrusion detection--relatively ineffective in addressing the
problem. To compound matters, many organizations prefer to focus on the
deployment of new technology without regard for the security or
integrity of their systems or information. This often means that
information security officers are simultaneously facing increased
responsibilities and shrinking budgets.
    These are overwhelming challenges without clear solutions. The
Federal Government and the private sector must act with a sense of
urgency to address these issues, and yet, as I read today's testimony,
I still do not get the sense that we are addressing cybersecurity with
the seriousness it deserves.
    Today's hearing will focus on two primary issues. First, we will
receive an update from the Federal Energy Regulatory Commission (FERC)
and the North American Electric Reliability Corporation (NERC) about
electric industry efforts to mitigate a cyber vulnerability known as
Aurora. I think we could search far and wide and not find a more
disorganized, ineffective response to an issue of national security.
Everything about the way this vulnerability was handled--from press
leaks, to DHS's failure to provide more technical details to support
the results of its test, to NERC's dismissive attitude, to the
industry's half-hearted approach toward mitigation--leaves me with
little confidence that we are ready or willing to deal with the
cybersecurity threat.
    As time passes, I grow particularly concerned by NERC, the self-
regulating organization responsible for ensuring the reliability of the
bulk power system. Not only did they propose cybersecurity standards
that--according to the GAO and NIST--are inadequate for protecting
critical national infrastructure, but throughout the committee's
investigation they continued to provide misleading statements about
their oversight of industry efforts to mitigate the Aurora
vulnerability. If NERC doesn't start getting serious about national
security, it may be time to find a new electric reliability
organization. NERC can begin demonstrating its commitment by
incorporating more of the NIST security controls in the next iteration
of its reliability standards.
    I am thankful that Chairman Kelliher and his staff at FERC are
taking cybersecurity seriously. In earlier correspondence, Chairman
Thompson and I voiced our concern that the Commission not only lacked
authority to regulate potentially vulnerable cybersecurity assets that
are not covered in the NERC standards, but also the authority to issue
orders to owners and operators in the event of an imminent exploitation
of an asset on the grid. The Chairman and I fully support FERC's
request for additional legal authorities to adequately protect the bulk
power system, and we look forward to working with you and the
appropriate committees in the future.
    Our second issue of discussion today involves a GAO investigation
that this committee commissioned last year. We asked GAO to provide
insight into the cybersecurity controls of the Nation's largest public
power company, the Tennessee Valley Authority (TVA). The TVA's service
area covers 80,000 square miles in the southeastern United States, with
a total population of about 8.7 million people. Unfortunately, GAO
found that TVA's security posture was seriously lacking. According to
the report, TVA has not fully implemented appropriate security
practices to secure the control systems and networks used to operate
its critical infrastructures. Until TVA addresses these weaknesses, it
risks a disruption of its operations as a result of a cyber incident,
which could impact its customers.
    I am pleased to hear that TVA has taken significant steps toward
implementing higher levels of security. But these problems are not
unique to TVA. I believe they are typical of security practices across
the industry. And, given what we've seen with the Aurora mitigation, I
have little confidence that the industry is taking the appropriate
actions.
    In closing, I'd like to challenge each of you here, and everyone in
the industry. Prove to our committee that you are serious about
cybersecurity. Show us you're willing to adopt better standards because
it will make the entire grid more secure. Leverage the critical
infrastructure community to push control system vendors to build more
secure products. And commit the manpower and the money to mitigating
your vulnerabilities.
    We will continue our oversight in this area. At the next
subcommittee hearing, I look forward to talking about all the progress
the industry has made in meeting our challenges.

    Mr. Langevin. With that, the Chair now recognizes the
ranking member of the subcommittee, standing in for Mr. McCaul
from Texas. The gentlelady from Florida, Ms. Ginny Brown-Waite,
is recognized 5 minutes.
    Ms. Brown-Waite. Thank you, Mr. Chairman.
    I look forward to hearing from Chairman Kelliher today as
he provides us with an update on FERC's progress in
implementing critical infrastructure protection standards that
were issued earlier this year.
    While I understand the new regulations are not perfect, I
believe that they are a positive step toward ensuring that the
electric grid remains available to provide reliable energy
despite emerging threats. Clearly, though, more can be done to
secure the assets critical to generating, transmitting and
delivering power, but I am pleased by efforts that are already
under way to increase the focus on security.
    Regarding TVA's inadequate security posture, a lack of
regulation does not seem to be the issue. There are already
Federal network security regulations in place, regulations that
it clearly appears that TVA just has not lived up to.
Regardless of whether harmful incidents arise from malicious
attacks or operator error, the effect would be the same,
serious damage to the critical infrastructure and limited
ability of TVA to provide power to its customers.
    I understand that TVA actually has agreed with the majority
of GAO's recommendations and has a plan in place to mitigate
the vulnerabilities that GAO identified. Certainly this is good
news. But I urge the TVA management to make every possible
effort to secure their computer systems quickly and to fortify
their critical assets. The increasing interconnectivity of
computer systems and dire economic consequences of a successful
network-based attack warrant very careful oversight of computer
security efforts.
    I look forward to hearing from the witnesses today, and I
thank you all very much for being here.
    With that, I yield back.
    Mr. Langevin. I thank the gentlelady.
    Other members of the subcommittee at some point are
reminded of the committee rules that opening statements may be
submitted for the record.
    I now welcome our distinguished panel of witnesses.
    Our first witness, Mr. Joseph Kelliher, is the chairman of
the Federal Energy Regulatory Commission. Chairman Kelliher was
nominated by President George W. Bush and was sworn in on
November 20, 2003, for a first term and on December 21, 2007,
for his second term. He was designated chairman of the
Commission by President Bush effective July 9, 2005. Before
becoming a Commissioner, Mr. Kelliher was a senior policy
adviser to Secretary of Energy, Spencer Abraham. In that
capacity, he advised the Secretary in a wide range of energy
policy matters; and I thank you for being here, Mr. Chairman.
    Our second witness, Mr. Richard Sergel, has been President
and Chief Executive Officer of the North American Electric
Reliability Corporation since September 12, 2005. Until 2004,
Mr. Sergel served as President and Chief Executive Officer for
the National Grid USA and was National Grid Group PLC Executive
Director for North America on the completion of the National
Grid New England electric system merger in March, 2000.
    Our third witness is Mr. Greg Wilshusen, Director for
Information Security Issues at GAO, where he leads information
security related studies and audits of the Federal Government. Mr.
Wilshusen has testified before the subcommittee on a number of
occasions, and we certainly welcome you back today.
    Our fourth witness is Mr. William McCollum, the Chief
Operating Officer of the Tennessee Valley Authority. He has
held that position since April, 2007. He is responsible for the
management of TVA power's production, transmission, power
trading and resources management programs.
    Welcome to you, Mr. McCollum.
    Without objection, the witnesses' full statements will be
inserted into the record; and I now ask each witness to
summarize their statement for 5 minutes, beginning with
Chairman Kelliher.

   STATEMENT OF THE HONORABLE JOSEPH T. KELLIHER, CHAIRMAN,
  FEDERAL ENERGY REGULATORY COMMISSION (FERC), ACCOMPANIED BY
 JOSEPH MC CLELLAND, DIRECTOR, OFFICE OF ELECTRIC RELIABILITY,
                              FERC

    Mr. Kelliher. Thank you, Mr. Chairman; and I want to
commend you and the subcommittee for its interest in these
important issues.
    I am accompanied today by Joseph McClelland, who is the
Director of the FERC Office of Electric Reliability, who
testified before the subcommittee last fall; and I appreciate
the opportunity to discuss the need to improve cybersecurity
and to protect the reliability of the power grid against cyber
attacks.
    Congress made FERC responsible for overseeing reliability
of the power grid, guarding the grid against reliability
attacks, including cyber threats, by establishing and enforcing
mandatory reliability standards; and that duty was established
by the Energy Policy Act of 2005.
    Since then, much progress has been made on grid
reliability. We have certified the Electric Reliability
Organization, established mandatory reliability standards. We
are working to improve those standards over time and are
establishing an enforcement regime. But today I would like to
focus my remarks on the cyber threat to the grid and the need
for effective defense.
    In my letter to the subcommittee of November 7 of last
year, I stated my view that an effective defense of the power
grid from cyber attack has three necessary elements: No. 1,
timely and effective identification of cyber vulnerabilities;
No. 2, an ability to adopt mandatory reliability standards that
mitigate the vulnerability on a timely basis; and, No. 3, an
ability to maintain the confidentiality of information
regarding cyber vulnerability during the standards development
process, during Commission review, and during compliance
monitoring and development.
    In my view, current law is inadequate to mount such a
defense and that FERC needs additional legal authority to
effectively guard the power grid from national security threats
such as cyber attacks.
    With respect to the first element of an effective defense,
FERC is not a national security or an intelligence agency; and
we are not in the best position to identify cyber threats. U.S.
Government, though, does have the ability to identify cyber
threats in a timely and effective manner. FERC cooperates with
agencies that are in a better position to assess these
vulnerabilities.
    With respect to the second element of an effective defense,
currently there is not an adequate means to establish mandatory
reliability standards in a timely manner. Currently, there are
two basic means to protect the grid against cyber threats: No.
1, the process in the Energy Policy Act, section 215 of the
Federal Power Act; or, No. 2, NERC advisories. In my view,
neither means is adequate. The 215 process produces reliability
standards that are mandatory but untimely, given the nature of
cyber threats, while NERC advisories are timely but voluntary.
    With respect to the 215 process, FERC is using and will
continue to use the process established by section 215 to set
reliability standards including cyber standards. Just last
January, we approved eight critical infrastructure protection
standards, with 160 requirements designed to improve
cybersecurity; and I think those standards will improve
cybersecurity.
    But the principal flaw of the 215 process is it simply
takes too long. It does not allow for protection of critical
information. Under the 215 process, it can take years to
develop new and modified reliability standards, including cyber
standards.
    If you ask why is there a need for timely action in this
area, I think it is because the cyber threat is fundamentally
different from other reliability threats. Section 215 of
the Federal Power Act was designed to address different
reliability challenges.
    Most regional blackouts in the past have been caused in
part by poor vegetation management near power lines, trees. The
section 215 process was designed in response to western
blackouts in the summer of 1996 that involved tree contact. It
was not designed with a cyber threat in mind, and I think the
reliability threat posed by poor vegetation management and
trees is a fundamentally different threat than the cyber
threat. The cyber threat is a national security threat that may
be posed by foreign governments or organized groups, and the
process designed to guard against poor vegetation management is
not well-suited to meet national security threats.
    The second means of protecting the power grid from cyber
threats, the alternative to the mandatory reliability standard
under 215, is the NERC advisory; and the principal virtue of
the advisory is dispatch. Its fundamental flaw is that
compliance is voluntary.
    In the advisory issued last year in response to NERC, I
want to commend NERC for acting quickly in response to that
threat. As detailed in our testimony, FERC has been reviewing
the industry response to the advisory. Significant progress has
been made, but the results have been inconsistent. I think that
is, frankly, the predictable result of voluntary advisory, but
those inconsistencies can weaken the grid because the grid is
interconnected.
    The third element is confidentiality. The third element of
an effective defense is confidentiality. The standards
development process established under 215 typically imposes few
or no restrictions on dissemination of information. In the case
of cyber vulnerability, public release of information related
to cybersecurity can be very harmful.
    For those reasons, we have concluded that legislation is
necessary to address the cyber threat and be able to mount an
effective defense; and we look forward to working with the
committee and the committee of jurisdiction, the Energy and
Commerce Committee, to give FERC the authority it needs to be
able to effectively defend the power grid against cyber
threats.
    With that, I just want to thank the subcommittee for its
interest.
    [The statement of Mr. Kelliher follows:]
                Prepared Statement of Joseph T. Kelliher
                              May 21, 2008
    Mr. Chairman and Members of the subcommittee, thank you for the
opportunity to speak with you today about the cyber vulnerabilities of
the Nation's bulk power system. I appreciate the subcommittee's
attention to this critically important issue.
    The Energy Policy Act of 2005 (EPAct 2005) made the Federal Energy
Regulatory Commission (FERC or Commission) responsible for overseeing
the reliability of the bulk power system. EPAct 2005 authorized the
Commission to approve and enforce mandatory reliability standards,
including cyber security standards, to protect and improve the
reliability of the Nation's bulk power system. Under the new statutory
framework, reliability standards are proposed by the Electric
Reliability Organization (ERO) (the North American Electric Reliability
Corporation or NERC) to the Commission for its review. The Commission
must either approve the proposed standards or remand them to NERC. The
Commission and NERC are well underway in implementing the new law,
including now having in place an initial set of mandatory cyber
security standards with varying effective dates. Much progress has been
made in the past 3 years. However, more work needs to be done, both
with respect to improving those cyber security standards and possibly
adding new ones. In addition, the Commission has made substantial
progress in examining whether industry has in place adequate mitigation
to address the cyber security vulnerability, known as Aurora, which was
raised at the subcommittee's last hearing on cyber security threats to
the transmission grid.
    Protecting the interstate bulk power system against cyber security
threats is critical to the welfare of our Nation's citizens. It is
therefore appropriate to examine whether sufficient Federal authority
exists to take timely and effective action to protect against such
threats, particularly in emergency circumstances. In my view, FERC
currently does not have sufficient authority to adequately guard
against cyber security threats to reliability of the bulk power system.
                               background
    In EPAct 2005, the Congress entrusted the Commission with a major
new responsibility to oversee mandatory, enforceable reliability
standards for the Nation's bulk power system (excluding Alaska and
Hawaii). This authority is in section 215 of the Federal Power Act.
Section 215 requires the Commission to select an ERO that is
responsible for proposing, for Commission review and approval,
reliability standards or modifications to existing reliability
standards to help protect and improve the reliability of the Nation's
bulk power system. The reliability standards apply to the users, owners
and operators of the bulk power system and become mandatory only after
Commission approval. The ERO also is authorized to impose, after notice
and opportunity for a hearing, penalties for violations of the
reliability standards, subject to Commission review and approval. The
ERO may delegate certain responsibilities to ``Regional Entities,''
subject to Commission approval.
    The Commission may approve proposed reliability standards or
modifications to previously approved standards if it finds them ``just,
reasonable, not unduly discriminatory or preferential, and in the
public interest.'' If the Commission disapproves a proposed standard or
modification, section 215 requires the Commission to remand it to the
ERO for further consideration. The Commission, upon its own motion or
upon complaint, may direct the ERO to submit a proposed standard or
modification on a specific matter. The Commission also may initiate
enforcement on its own motion.
    The Commission has implemented section 215 diligently. In
anticipation of reliability legislation being passed, it established a
reliability group at the agency even before the passage of EPAct 2005.
Within 180 days of enactment, the Commission adopted rules governing
the reliability program. In the summer of 2006, it approved NERC as the
ERO. In March 2007, the Commission approved the first set of national
mandatory and enforceable reliability standards. In April 2007, it
approved eight regional delegation agreements to provide for
development of new or modified standards and enforcement of approved
standards by Regional Entities. The Commission has since approved eight
additional reliability standards.
    In exercising its new authority, the Commission has interacted
extensively with NERC and the industry. The Commission also has
coordinated with other Federal agencies, such as the Department of
Homeland Security, the Department of Energy, the Nuclear Regulatory
Commission, and the Department of Defense.
Also, the Commission has \nestablished regular communications with regulators from Canada and \nMexico regarding reliability, since the North American bulk power \nsystem is an interconnected continental system subject to the laws of \nthree nations.\n          cyber security standards approved under section 215\n    Section 215 defines ``reliability standard[s]'' as including \nrequirements for the ``reliable operation'' of the bulk power system \nincluding ``cybersecurity protection.'' Section 215 defines reliable \noperation to mean operating the elements of the bulk power system \nwithin certain limits so instability, uncontrolled separation, or \ncascading failures will not occur ``as a result of a sudden \ndisturbance, including a cybersecurity incident.'' Section 215 also \ndefines a ``cybersecurity incident'' as a ``malicious act or suspicious \nevent that disrupts, or was an attempt to disrupt, the operation of \nthose programmable electronic devices and communication networks \nincluding hardware, software and data that are essential to the \nreliable operation of the bulk power system.''\n    In August 2006, NERC submitted eight new cyber security standards, \nknown as the Critical Infrastructure Protection (CIP) standards, to the \nCommission for approval under section 215. NERC proposed an \nimplementation plan under which certain requirements would be \n``auditably compliant'' beginning by mid-2009 and the others would be \nso by the end of 2010.\n    On January 18, 2008, the Commission issued a Final Rule approving \nthe CIP Reliability Standards and concurrently directed NERC to develop \nmodifications addressing specific concerns.\n    The eight CIP standards contain over 160 requirements and sub-\nrequirements. 
Generally, the CIP standards will require the following \nactions when fully implemented at the end of 2010:\n  <bullet> Critical Cyber Asset Identification.--Requires the \n        identification of an entity's critical assets and critical \n        cyber assets using a risk-based assessment methodology.\n  <bullet> Security Management Controls.--Requires an entity to develop \n        and implement security management controls to protect critical \n        cyber assets.\n  <bullet> Personnel and Training.--Requires personnel with access to \n        critical cyber assets to go through identity verification, \n        criminal background checks and employee training.\n  <bullet> Electronic Security Perimeters.--Requires the identification \n        and protection of electronic security perimeters and access \n        points. The security perimeters are to encompass the critical \n        cyber assets.\n  <bullet> Physical Security of Critical Cyber Assets.--Requires the \n        creation and maintenance of a physical security plan that \n        ensures all cyber assets within an electronic security \n        perimeter are kept in an identified physical security \n        perimeter.\n  <bullet> Systems Security Management.--Requires an entity to define \n        methods, processes, and procedures for securing the systems \n        identified as critical cyber assets, as well as the non-\n        critical cyber assets within the perimeter.\n  <bullet> Incident Reporting and Response Planning.--Requires the \n        identification, classification and reporting of cyber security \n        incidents related to critical cyber assets.\n  <bullet> Recovery Plans for Critical Cyber Assets.--Requires the \n        establishment of recovery plans for critical cyber assets using \n        established business continuity and disaster recovery \n        techniques and practices.\n    In the Final Rule, the Commission stated its concern with the \nbreadth of discretion left 
to utilities by the standards. For example, \nthe standards state that utilities ``should interpret and apply the \nreliability standard[s] using reasonable business judgment.'' \nSimilarly, the standards at times require certain steps ``where \ntechnically feasible,'' but this is defined as not requiring the \nutility ``to replace any equipment in order to achieve compliance.'' \nAlso, the standards would allow a utility at times not to take certain \naction if the utility documents its ``acceptance of risk.'' To address \nthis, the Final Rule directed NERC to, among other things:\n  <bullet> Develop modifications to the CIP reliability standards to \n        remove the ``reasonable business judgment'' language.\n  <bullet> Develop modifications to remove ``acceptance of risk'' \n        exceptions from the CIP reliability standards.\n  <bullet> Develop specific conditions that a responsible entity must \n        satisfy to invoke the ``technical feasibility'' exception. This \n        allows flexibility and customization of implementation of the \n        CIP reliability standards in a controlled manner that includes \n        external oversight and audit.\n  <bullet> Provide additional guidance regarding the development of a \n        risk-based assessment methodology for the identification of \n        critical assets.\n    For certain other requirements in the CIP standards, the Commission \naddressed its concern about discretion by requiring external oversight \nof utility decisions, such as critical assets lists. This oversight \ncould be provided by industry entities with a ``wide-area view,'' such \nas reliability coordinators or the Regional Entities, subject to the \nreview of the Commission.\n     current process to protect cyber security of bulk power system\n    In my view, section 215 is an adequate statutory foundation to \nprotect the bulk power system against most reliability threats. \nHowever, the cyber security threat is different. 
It is a national \nsecurity threat that may be posed by foreign nations, or others intent \non undermining the United States through its electric grid. The nature \nof the threat stands in stark contrast to other major reliability \nvulnerabilities that have caused regional blackouts and reliability \nfailures in the past, such as vegetation management and relay \nmaintenance. Given the national security dimension to the cyber \nsecurity threat, there may be a need to act quickly to protect the bulk \npower system, to act in a manner where action is mandatory rather than \nvoluntary, and to protect certain information from public disclosure. \nOur legal authority is inadequate for such action.\nSection 215 Process\n    As an initial matter, it is important to recognize how mandatory \nreliability standards are established under section 215. Under section \n215, reliability standards are developed by the ERO through an open and \npublic process. The Commission can direct NERC to develop a reliability \nstandard to address a particular reliability vulnerability, including \ncyber security threats. However, the NERC process can take years to \ndevelop standards for the Commission's review. In fact, the cyber \nsecurity standards approved by the agency last January took the \nindustry approximately 3 years to develop.\n    Section 215 relies on the ERO to develop and submit proposed \nreliability standards. NERC's procedures for doing so allow extensive \nopportunity for industry comment, are open, and are generally based on \nthe procedures of the American National Standards Institute (ANSI). The \nNERC process is intended to develop consensus on both the need for the \nstandard and on the substance of the proposed standard. 
Although \ninclusive, the process is not nimble.\n    Key steps in the NERC process include: nomination of a proposed \nstandard using a Standard Authorization Request (SAR); public posting \nof the SAR for comment; review of the comments by industry volunteers; \ndrafting or redrafting of the standard by a team of industry \nvolunteers; public posting of the draft standard; field testing of the \ndraft standard, if appropriate; formal balloting of the draft standard, \nwith approval based on 75 percent of total votes and two-thirds of \nweighted industry sector votes; re-balloting, if negative votes are \nsupported by specific comments; voting by NERC's board of trustees; and \nan appeals mechanism to resolve any complaints about the standards \nprocess. NERC-approved standards are then submitted to the Commission \nfor its review.\n    For the first set of reliability standards proposed by NERC and for \nthe CIP standards, the Commission began its process by issuing a staff \nassessment of the proposed standards and allowing public comment on the \nassessment. Based on its consideration of those comments, the \nCommission then issued a Notice of Proposed Rulemaking identifying the \nCommission's proposed actions and allowing additional opportunities for \npublic comment. After considering these additional comments, the \nCommission issued a Final Rule approving the proposed standards and \nrequiring NERC to prospectively modify them using its standards \ndevelopment process, thereby engaging industry.\n    Generally, the procedures used by NERC are appropriate for \ndeveloping and approving reliability standards. The process allows \nextensive opportunities for industry and public comment. The public \nnature of the reliability standards development process is a strength \nof the process as it relates to most reliability standards. 
However, it \ncan be a weakness in the development of cyber security standards, given \nthe nature of the threat.\n    The procedures used under section 215 for the development and \napproval of reliability standards do not provide an effective and \ntimely means of addressing urgent cyber security risks to the bulk \npower system, particularly in emergency situations. Certain \ncircumstances, such as those involving national security, may require \nimmediate action. If a significant vulnerability in the bulk power \nsystem is identified, procedures used so far for adoption of \nreliability standards take too long to implement effective corrective \nsteps.\n    FERC rules governing review and establishment of reliability \nstandards allow the agency to direct the ERO to develop and propose \nreliability standards under an expedited schedule. For example, FERC \ncould order the ERO to submit a reliability standard to address an \nidentified reliability vulnerability within 60 days. NERC's rules of \nprocedure include a provision for approval of urgent action standards \nthat can be completed within 60 days and which may be further expedited \nby a written finding by the NERC board of trustees that an \nextraordinary and immediate threat exists to bulk power system \nreliability or National security.\n    However, even a reliability standard developed under the urgent \naction provisions would likely be too slow in certain circumstances. \nFaced with a cyber security or other national security threat to \nreliability, FERC may need to act decisively in hours or days, rather \nthan months or years. That would not be feasible under the urgent \naction process. In the meantime, the bulk power system would be left \nvulnerable to a known cyber security threat. 
Moreover, existing \nprocedures, including the urgent action procedure, would widely \npublicize the vulnerability and the possible solutions, thus increasing \nthe risk of hostile actions before the appropriate solutions are \nimplemented.\n    In addition, the proposed standard submitted to the Commission may \nnot be sufficient to address the vulnerability. As noted above, when a \nproposed reliability standard is submitted to FERC for its review, \nwhether submitted under the urgent action provisions or the usual \nprocess, the agency cannot modify such standard and must either approve \nor remand it. Since the Commission may not modify a proposed \nreliability standard under section 215, we would have the choice of \napproving an inadequate standard and directing changes, which \nreinitiates a process that can take years, or rejecting the standard \naltogether. Under either approach, the bulk power system could remain \nvulnerable for a prolonged period.\nNERC Advisories\n    Currently, the alternative to a mandatory reliability standard is \nfor NERC to issue an advisory encouraging utilities and others to take \naction to guard against cyber vulnerabilities. That approach provides \nfor quicker action, but any such advisory is voluntary, and should be \nexpected to produce inconsistent responses. That was our experience \nwith the response to an advisory issued last year by NERC regarding an \nidentified cyber security threat. Since the grid is interconnected, \nthose inconsistencies can retard cyber security measures. Reliance on \nvoluntary measures to assure cyber security is fundamentally \ninconsistent with the conclusion Congress reached during enactment of \nthe Energy Policy Act, namely that voluntary standards cannot assure \nreliability of the bulk power system.\n    In response to the risk of cyber attack identified last year as \nAurora, this subcommittee convened a hearing on October 17, 2007. Mr. \nJoseph H. 
McClelland, the Director of the Commission's Office of \nElectric Reliability, testified at that hearing. NERC reported that it \nissued an advisory to generator owners, generator operators, \ntransmission owners, and transmission operators. According to NERC, \nthis advisory identified a number of short-term measures, mid-term \nmeasures and long-term measures designed to mitigate the cyber \nvulnerability. NERC asked the recipients to voluntarily implement the \nmeasures. NERC also sent a data request to industry members to \ndetermine compliance with the advisory. That data request was limited \nin scope, however, asking only that industry members indicate if their \nmitigation plans are ``complete,'' ``in progress,'' or ``not \nperforming.''\n    The Commission determined that the information sought by NERC in \nthe above data request was not sufficient for the Commission to \ndischarge its duties under section 215 because it did not provide \nsufficient details about individual mitigation efforts for the \nCommission to be certain that the threat had been addressed. For \nexample, it did not provide information such as what facilities were \nthe subject of the mitigation plans, what steps to mitigate the cyber \nvulnerability were being taken, and when those steps were planned to be \ntaken--and, if certain actions were not being taken, why not. \nTherefore, on October 23, 2007, the Commission provided notice to the \nOffice of Management and Budget (OMB) that it intended to immediately \nissue a directive requiring all generator owners, generator operators, \ntransmission owners, and transmission operators that are registered by \nNERC and located in the United States to provide to NERC certain \ninformation related to actions they have taken or intend to take to \nprotect against the cyber vulnerability; this would allow the \nCommission to review the mitigation plans at a central location to be \ncertain that the vulnerability had been addressed. 
The Commission \nrequested emergency processing of this proposed information collection. \nAfter receiving clearance from OMB, the Commission issued a Notice of \nProposed Information Collection and Request for Comments (Notice). \nComments were due on January 14, 2008.\n    The Commission received seven sets of comments in response to the \nNotice, including joint comments filed by four industry trade \nassociations: American Public Power Association, Edison Electric \nInstitute, National Rural Electric Cooperative Association, and the \nElectric Power Supply Association. These trade associations represented \nthe majority of entities that would be required to respond to the \nproposed information collection. A common concern among the commenters \nwas the need to ensure the confidentiality of sensitive information \nthat would be provided in response to the proposed information \ncollection. Commenters urged that the Commission implement additional \nsecurity measures to safeguard the collected information. Commission \nstaff met with trade association representatives to discuss these \nconcerns and how they might be addressed. Rather than experience \nfurther delays by answering these objections to the proposed mandatory \ninformation collection, it was determined that staff would first work \nwith industry groups to develop a plan to informally gather \ninformation, on a voluntary basis, regarding the status of compliance \nwith NERC's Aurora advisory. In February, Commission staff began \nperforming interviews with a stratified sampling of electric utilities \nconcerning their compliance with the Aurora advisory. These interviews \nare continuing as of this date.\n    Commission staff has conducted over 20 detailed interviews with a \nvariety of electric utilities geographically dispersed across the \ncontiguous 48 States, to assess the state of the industry's protection \nagainst remote access cyber vulnerabilities, including the Aurora \nvulnerability. 
The utilities were selected to encompass both large and \nsmall companies, and a mixture of generating companies, transmission \ncompanies, and mixed-asset companies. The sample of companies included \nboth investor-owned utilities and cooperative organizations. Interviews \nwith publicly owned utilities and municipal organizations are planned \nin the near future. Each interview typically lasted 6 to 8 hours and \nutilities voluntarily participated. The utilities were well prepared \nwith documents to explain their actions, and were very cooperative in \nresponding to staff questions.\n    Topics discussed included the use of passwords and other forms of \naccess controls, means of authenticating users, physical security of \ncyber assets, means of communicating, vendor access, access revocation, \nthe use of firewalls and intrusion detection/prevention devices, \nvulnerability assessments, the ways in which communications devices are \nutilized, as well as the prevalence and functionality of digital \ncontrol devices. Staff found a wide range of equipment, configurations \nand security features implemented by the utilities interviewed. While \nstaff intends to perform more interviews, there are several \nobservations that can be made based on the interviews to date.\n    All of the companies selected by the Commission fully cooperated in \nthe interviews. We learned that no company we interviewed ignored the \nAurora advisory, although we did find there was a broad range of \ncompliance based on individual interpretations of the threat and the \napplication of the recommended mitigation measures. In fact, all of the \nutilities interviewed by the Commission requested additional \ninformation to help understand the technical implications of the attack \nand the specific strategies to mitigate the identified vulnerabilities. 
\nThrough these selected interviews, FERC staff has determined that \nalthough progress has been made by every entity it interviewed, much \nwork remains to be done.\n    While NERC can issue an alert, as it did in response to the Aurora \nvulnerability, compliance with these alerts is voluntary. Further, as \nCommission staff has found with the Aurora alert, such alerts can cause \nuncertainty about the specific strategies needed to mitigate the \nidentified vulnerabilities.\n                               conclusion\n    The Congress made FERC responsible for overseeing the reliability \nof the bulk power system, but it provided specific restrictions on the \nprocedures to be used to develop and put into effect mandatory \nreliability standards. Section 215 is an adequate basis to protect the \nbulk power system against most reliability threats, and for that reason \nI do not believe there is a need to amend section 215. However, I \nbelieve a different statutory mechanism is needed to protect the grid \nagainst cyber security threats, given the nature of these threats. One \napproach would allow the Commission to directly establish interim \nreliability standards that are mandatory and enforceable upon a finding \nby a national security or intelligence agency that there is a national \nsecurity threat to the bulk power system. This narrowly tailored \napproach would ensure that reliability of the bulk power system can be \nprotected until the ERO reliability standards development process can \ncreate a permanent reliability standard. It also would provide that the \nauthority be used rarely, in instances when other appropriate agencies \ndetermine that a threat is real and the Commission determines existing \nstandards to be inadequate. 
It also may be necessary to authorize the \nCommission to protect certain information from disclosure, if its \nrelease could have significant adverse effect on the health and safety \nof the public or the common defense or national security.\n    The full range of cyber security risks to the bulk power system is \nnot known, and new risks will continue to arise. I believe we should \nnot allow the Nation's bulk power system to be vulnerable to a known \nnational security threat while waiting months or years for a \nreliability standard to be developed and submitted to the Commission \nfor review. At the same time, reliance on a voluntary alert issued by \nNERC similarly does not provide adequate assurance that steps will be \ntaken in sufficient time to address a known vulnerability. Given the \nnational security dimension to the cyber security threat, there may be \na need to act quickly to protect the bulk power system, to act in a \nmanner where action is mandatory rather than voluntary, and to protect \ncertain information from public disclosure. Our legal authority is \ninadequate for such action.\n    The Commission has taken, and will continue to take, action to \nprotect the bulk power system from cyber vulnerabilities. We continue \nto work with national security agencies to understand the nature of the \nthreats facing the bulk power grid. We have established mandatory cyber \nsecurity standards under the section 215 process and have directed \nimprovements in approved standards over time. We also continue to \nreview the industry response to the NERC advisory on the Aurora threat, \nand may review the response to any future such advisories. But I do not \nwant to leave you under the impression that these steps adequately \nprotect the bulk power system against cyber attacks.\n    Thank you again for the opportunity to testify today. I would be \nhappy to answer any questions you may have.\n\n    Mr. Langevin. Mr. 
Kelliher, thank you very much for your \ntestimony.\n    I now recognize Mr. Sergel to summarize his statement for 5 \nminutes.\n\n  STATEMENT OF RICHARD SERGEL, PRESIDENT AND CHIEF EXECUTIVE \nOFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION (NERC)\n\n    Mr. Sergel. Good afternoon, Mr. Chairman and members of the \nsubcommittee. I am president and chief executive officer of the \nNorth American Electric Reliability Corporation, better known \nas NERC, and appreciate the opportunity to appear here today to \nregain--to begin to regain your trust in NERC and to discuss \nthe progress being made to increase the cybersecurity of the \nelectric grid and to mitigate identified vulnerabilities; and I \nam going to focus on the two things that we have done since the \nlast time we were here.\n    The first is--my testimony will address two major points. \nFirst, the cybersecurity standards for the bulk power system, \nmandatory and enforceable this July, represent a significant \nimprovement in cybersecurity for the electricity industry. \nSecond, NERC has enhanced the process for warning the electric \nindustry of cybersecurity threats and implementing mitigation \nmeasures to address identified vulnerabilities.\n    Now cybersecurity of control systems is an increasing \npriority for every sector of the U.S. economy. NERC and the \nelectricity sector have recognized and responded to this \nchallenge first through the voluntary standards but now through \nmandatory critical infrastructure standards. The standards are \nintended to ensure that the electric industry will devote the \nnecessary resources to securing control systems and related \ncyber assets. The Commission approved those standards in \nJanuary 2008.\n    Now the standards development requires progressive and \ncontinuous improvement. You have mentioned that in your \nstatement, and the improvement of those standards already is \nunder way through NERC's standards development process. 
In \nimproving the standards, FERC directed NERC to make certain \nmodifications. Those will be made.\n    FERC also directed us to monitor the development and \nimplementation of the NIST standards; and if provisions of the \nNIST standards that would better protect the system are \nidentified, they will be addressed in the standards development \nprocess. NERC originally planned to review the standards in \n2009 but has advanced this review to address the changes \ndirected by the Commission.\n    Now while our protections for the grid are stronger with \nthe standards in place, those standards cannot eliminate the \nthreat of a cyber disruption. Vigilance is required. More is \nrequired.\n    NERC serves as the Electricity Sector Information Sharing \nand Analysis Center, ES-ISAC, which is responsible for promptly \nanalyzing and disseminating threat indications, analyses and \nwarnings to assist the electric industry; and, as the \nsubcommittee is aware, the ES-ISAC issued an advisory on June \n21, 2007, in relation to the vulnerability identified in the \ndemonstration test. Now, since that advisory was issued, \nimportant improvements have been made in the cybersecurity \nalert system.\n    First, NERC now has in place a formal mechanism for issuing \nalerts to the industry about important matters that come either \nfrom NERC's own event analysis or, as was the case with the \nAurora demonstration test, from government agencies with \nspecific information about possible threats.\n    Second, NERC now has developed a contact list for all 1,800 \nowners, operators, and users of the bulk power system. It did \nnot have that at the time.\n    Third, coordination with the Commission on these important \ncommunications is now a requirement of the rules of procedure.\n    None of those were in place. They are in place now. 
We \nbelieve we have substantially addressed many of the concerns \nexpressed by the Chair and the committee, and we look forward \nto addressing the others in the months ahead.\n    In closing, the mandatory and enforceable standards now in \nplace represent an important milestone to strengthen grid \nreliability; and NERC has strengthened the existing alert \nsystem to advise the industry when a cyber threat is \nidentified.\n    We look forward to answering your questions. Thank you very \nmuch.\n    [The statement of Mr. Sergel follows:]\n                  Prepared Statement of Richard Sergel\n                              May 21, 2008\n    Mr. Chairman and Members of the subcommittee, the North American \nElectric Reliability Corporation \\1\\ (``NERC'') is pleased to provide \nthis testimony on the progress being made to increase the cybersecurity \nof the electric grid and to mitigate identified vulnerabilities.\n---------------------------------------------------------------------------\n    \\1\\ NERC is the corporate successor to the North American Electric \nReliability Council, also called ``NERC,'' formed to serve as the \nelectric reliability organization (``ERO'') authorized by Section 215 \nof the Federal Power Act (``FPA''), as added by Title XII, Subtitle A \nof the Energy Policy Act of 2005, Pub. L. No. 109-58, 119 Stat. 594, \n941 (2005).\n---------------------------------------------------------------------------\n                           executive summary\n    Cyber security of control systems is an increasing priority for \nevery sector of the U.S. economy. On behalf of the electric power \nsector, NERC has recognized and responded to this challenge, first \nthrough a voluntary cybersecurity standard and now through mandatory \nCritical Infrastructure Protection (``CIP'') Reliability Standards for \nthe bulk power grid. 
CIP Reliability Standards CIP-002-1 through CIP-\n009-1 were approved by the Federal Energy Regulatory Commission \n(``FERC'') in January 2008 and become mandatory and enforceable in \nJuly. The CIP Reliability standards are intended to assure that the \nelectricity industry will devote the necessary resources to securing \ncontrol systems and identifying, responding to and reporting security \nincidents related to critical cyber assets.\n    The CIP Reliability Standards represent a significant improvement \nin cyber security for the electricity industry. The new standards will \nincrease the resiliency of control systems and improve the ability of \nthese critical assets to withstand cyber-based attacks. Cyber security \nrequirements will be applied to companies and assets where they have \nnever before been applied, including substations and generating plants. \nThe bulk power system will be more reliable with the CIP Reliability \nStandards in place.\n    In approving the CIP Reliability Standards, FERC directed NERC to \nmake certain modifications to the standards, and also to monitor the \ndevelopment and implementation of Recommended Security Controls for \nFederal Information Systems under development by the National Institute \nof Standards and Technology (``NIST''). The Commission-required \nmodifications to the CIP Reliability Standards are being addressed \nthrough NERC's American National Standards Institute (``ANSI'') \naccredited Reliability Standards development process. That process also \nprovides the mechanism for NERC to monitor developments in the NIST \nprocess, and to determine whether any provisions of the NIST standards \nwould better protect bulk power system reliability than the CIP \nReliability Standards.\n    The CIP Reliability Standards will be reviewed, modified and \nimproved on an ongoing basis through the NERC Reliability Standards \ndevelopment process. 
This will result in ever-increasing cyber security \nfor the bulk power system.\n    The CIP Reliability Standards, however, cannot eliminate the threat \nof a cyber disruption of critical national infrastructure. Because NERC \nhas jurisdiction only to propose reliability standards for the bulk \npower system, the CIP Reliability Standards cannot address other \ncritical assets--such as telecommunications systems, for example, or \nelectricity distribution systems. Moreover, the open process by which \nReliability Standards are developed, while demonstrably successful in \nproducing standards that have significantly enhanced the reliability of \nthe grid, may not be ideally suited to situations where, because of the \nsensitive subject matter, confidentiality is required.\n    NERC reviews cybersecurity threats on an ongoing basis. Since 2003, \nNERC, acting through its Critical Infrastructure Protection Committee \n(``CIPC''), has compiled an annual list of the highest priority cyber \nvulnerabilities and their associated mitigation measures.\\2\\ \nAdditionally, NERC serves as the Electricity Sector Information Sharing \nand Analysis Center (``ES-ISAC''),\\3\\ which is responsible for promptly \nanalyzing and disseminating threat indications, analyses and warnings \nto assist the electricity industry.\n---------------------------------------------------------------------------\n    \\2\\ The most recent list is available on the NERC website at: ftp:/\n/ftp.nerc.com/pub/sys/all_updl/cip/\n2007_Top_10_Final_Approved_by_CIPC.pdf.\n    \\3\\ The ES-ISAC has been operated by NERC since it was formed in \n2001. The ES-ISAC was created as a result of action by the U.S. \nDepartment of Energy in response to Presidential Decision Directive 63 \nissued in 1998. 
The ES-ISAC works with the electricity industry to \nidentify and mitigate cyber vulnerabilities by providing information, \nrecommending mitigation measures, and following up to monitor \nimplementation of recommended measures.\n---------------------------------------------------------------------------\n    As the subcommittee is aware, the ES-ISAC issued an Advisory on \nJune 21, 2007, in relation to the vulnerability identified in the \nAurora demonstration test. Since that Advisory was issued, important \nimprovements have been made in the notification process. First, NERC \nnow has in place a formal mechanism for issuing alerts to the industry \nabout important matters that come either from NERC's own event analysis \nefforts or, as was the case with the Aurora demonstration test, from \ngovernment agencies with specific information about possible threats. \nSecond, NERC has now developed a contact list for every owner, operator \nand user of the bulk power system. This comprehensive list will assure \nthat future Advisories are directed to those officials responsible for \ncybersecurity.\n                             i. background\n    NERC's mission is to ensure that the bulk power system in North \nAmerica is reliable. To achieve this objective, NERC develops and \nenforces reliability standards; monitors the bulk power system; \nassesses and reports on the adequacy of electricity supplies and \ntransmission; evaluates owners, operators, and users for reliability \npreparedness; and educates, trains and certifies industry personnel. \nNERC is a self-regulatory organization that draws upon the collective \nexpertise of the electricity industry. 
FERC certified NERC as the \nElectric Reliability Organization (``ERO'') in its order issued July \n20, 2006.\\4\\\n---------------------------------------------------------------------------\n    \\4\\ Order Certifying North American Electric Reliability \nCorporation as the Electric Reliability Organization and Ordering \nCompliance Filing, 116 FERC ¶ 61,062 (2006).\n---------------------------------------------------------------------------\n    Because Reliability Standards are applicable to the entire, \ninterconnected North American bulk power system, NERC is subject to \noversight by governmental authorities in both Canada and the United \nStates. In the United States, with oversight from FERC, since June 18, \n2007, NERC has had legal authority to enforce reliability standards \napplicable to all owners, operators, and users of the bulk power \nsystem.\n      ii. critical infrastructure protection reliability standards\n    On January 18, 2008, FERC issued Order No. 706, approving eight \nmandatory Reliability Standards for Critical Infrastructure \nProtection.\\5\\ NERC views the Commission's approval of the CIP \nReliability Standards as another major step forward in ensuring the \nreliability of the electric grid.\n---------------------------------------------------------------------------\n    \\5\\ Mandatory Reliability Standards for Critical Infrastructure \nProtection, Order No. 706, 122 FERC ¶ 61,040 (2008), reh'g denied, \nOrder No. 706-A, 123 FERC ¶ 61,174 (2008).\n---------------------------------------------------------------------------\n    The standards set forth specific requirements that are binding on \nusers, owners and operators of the bulk power system to safeguard \ncritical cyber assets (programmable electronic devices and \ncommunication networks including hardware, software, and data). 
They \nrequire identification and documentation of cyber risks and \nvulnerabilities, establishment of controls to secure critical cyber \nassets from physical and cyber sabotage, reporting of security \nincidents, and establishment of plans for recovery in the event of an \nemergency. The eight approved CIP Reliability Standards are:\n  <bullet> CIP-002-1--Cyber Security--Critical Cyber Asset \n        Identification.--Requires a responsible entity to identify its \n        critical assets and critical cyber assets using a risk-based \n        assessment methodology.\n  <bullet> CIP-003-1--Cyber Security--Security Management Controls.--\n        Requires a responsible entity to develop and implement security \n        management controls to protect identified critical cyber \n        assets.\n  <bullet> CIP-004-1--Cyber Security--Personnel and Training.--Requires \n        verification of identity for personnel with access to critical \n        cyber assets, a criminal background check, and training.\n  <bullet> CIP-005-1--Cyber Security--Electronic Security Perimeters.--\n        Requires the identification and protection of an electronic \n        security perimeter (which encompasses the identified critical \n        cyber assets) and access points.\n  <bullet> CIP-006-1--Cyber Security--Physical Security of Critical \n        Cyber Assets.--Requires a responsible entity to create and \n        maintain a physical security plan that ensures that all cyber \n        assets within an electronic security perimeter are kept in an \n        identified physical security perimeter.\n  <bullet> CIP-007-1--Cyber Security--Systems Security Management.--\n        Requires a responsible entity to define methods, processes, and \n        procedures for securing the systems identified as critical \n        cyber assets, as well as the non-critical cyber assets within \n        an electronic security perimeter.\n  <bullet> CIP-008-1--Cyber Security--Incident Reporting and 
Response \n        Planning.--Requires a responsible entity to identify, classify, \n        respond to, and report cyber security incidents related to \n        critical cyber assets.\n  <bullet> CIP-009-1--Cyber Security--Recovery Plans for Critical Cyber \n        Assets.--Requires the establishment of recovery plans for \n        critical cyber assets using established business continuity and \n        disaster recovery techniques and practices.\n    The critical infrastructure protection standards approved through \nOrder No. 706 are a sound starting point for the electric industry to \naddress cybersecurity. Order No. 706 is not the end of the process, \nhowever. Standards development requires progressive and continuous \nimprovement. Indeed, improvement of the CIP Reliability Standards \nalready is underway, both in response to directions given by FERC in \nOrder No. 706 and as part of NERC's Reliability Standards development \nprocess, which requires that each Reliability Standard be reviewed at \nleast every 5 years.\nA. Implementation of the Approved CIP Reliability Standards\n    Order No. 706 approved the implementation plan for the CIP \nReliability Standards submitted by NERC, which phases in full \ncompliance with all of the requirements over a 3-year period (July \n2008-December 2010). NERC proposed and FERC approved timelines for \nachieving compliance that afford a reasonable period of time for grid \nusers, owners and operators to acquire and install the necessary \nsoftware and equipment and develop new programs and procedures to \nachieve compliance. Enforcement begins in July for the most urgent \nrequirements, with the implementation of additional requirements \ncontinuing through 2010.\n    NERC has allocated and will continue to devote the resources \nnecessary to administer and enforce the CIP Reliability Standards. 
\nNERC's 2008 Business Plan and Budget, as approved by FERC,\\6\\ allocates \nnearly $8 million (approximately 30 percent of NERC's overall budget) \nfor compliance enforcement and organization registration and \ncertification activities. To enable NERC to carry out its \nresponsibilities for developing and administering Reliability \nStandards, NERC's total number of full time equivalent employees will \nincrease by approximately 20 percent above 2007 levels in 2008.\n---------------------------------------------------------------------------\n    \\6\\ North American Electric Reliability Corp., FERC ¶ 61,057 \n(2007). The major program elements of NERC's business plan and budget \nare: (1) Reliability Standards; (2) compliance enforcement and \norganization registration and certification; (3) reliability readiness \naudits and improvement; (4) training, education and operator \ncertification; (5) reliability assessment and performance analysis; (6) \nsituational awareness and infrastructure security; and (7) \nadministrative services. P 12. In approving the NERC 2008 Budget and \nBusiness Plan, the Commission considered the adequacy of staffing and \nfunding proposed by NERC in finding that the Budget is reasonable. P \n22. NERC's funding comes primarily from end users based on net energy \nfor load.\n---------------------------------------------------------------------------\n    Additionally, FERC has approved the 2008 budgets for the regional \nReliability Entities, which share enforcement authority with NERC \npursuant to delegation agreements approved by FERC. The Regional \nEntities are in the process of holding regional seminars on the CIP \nReliability Standards.\n    The Commission in Order No. 706 directed NERC to develop \nmodifications to the CIP Reliability Standards to address specific \nmatters through the Reliability Standards development process. 
The \nCommission provided expressly that the development of modifications was \nnot to affect the implementation of the CIP Reliability Standards as \napproved.\\7\\ NERC originally planned to review the CIP Reliability \nStandards in 2009, but has advanced this review to address the changes \ndirected by FERC in Order No. 706.\n---------------------------------------------------------------------------\n    \\7\\ As the Commission explained in Order No. 706 at P 30: \n``Consistent with section 215 of the FPA, our regulations, and Order \nNo. 693, any modification to a Reliability Standard, including a \nmodification that addresses a Commission directive, must be developed \nand fully vetted through NERC's Reliability Standard development \nprocess. Until the Commission approves NERC's proposed modification to \na Reliability Standard, the preexisting Reliability Standard will \nremain in effect.''\n---------------------------------------------------------------------------\nB. Modifications to Approved CIP Reliability Standards and Additional \n        Directives to NERC\n    The Commission in Order No. 706 directed NERC to modify the CIP \nReliability Standards to remove ``reasonable business judgment'' \\8\\ \nand ``acceptance of risk'' \\9\\ language. The Commission also directed \nNERC to better define the circumstances under which exceptions to the \nstandards based on technical infeasibility would be allowed.\\10\\ \nAdditional changes pertaining to each of the eight CIP Reliability \nStandards were ordered by the Commission.\n---------------------------------------------------------------------------\n    \\8\\ Order No. 706 at P 128. ``Reasonable business judgment'' would \nhave been used as a guide in determining what constituted compliance \nwith the CIP Reliability Standards.\n    \\9\\ Order No. 706 at P 150. 
The acceptance of risk language would \nhave permitted entities subject to the CIP Reliability Standards to \naccept the risk of non-compliance.\n    \\10\\ Order No. 706 at P 178.\n---------------------------------------------------------------------------\n    Of particular interest to the subcommittee, the Commission did not \ndirect NERC to incorporate provisions of NIST Special Publication (SP) \n800-53 into the CIP Reliability Standards. Order No. 706, P 232. The \nCommission did direct NERC to ``monitor the development and \nimplementation of the NIST standards to determine if they contain \nprovisions that will protect the Bulk-Power System better than the CIP \nReliability Standards.'' Order No. 706, P 233. Any provisions of the \nNIST standards that are determined to better protect bulk power system \nreliability are to be addressed in the NERC Reliability Standards \ndevelopment process. Id.\n    FERC further directed NERC to consult with Federal entities \nrequired to comply with both the NIST standards and the CIP Reliability \nStandards on implementation and effectiveness issues. Id. This \nconsultation is underway. NERC personnel spoke at the recent Federal \nPower Marketing Agencies Cyber Security Conference and are working on \nthis issue with representatives from the Bonneville Power \nAdministration and the Tennessee Valley Authority.\n    Another issue raised in the Subcommittee's comments on the NOPR \nconcerned interdependencies with other critical infrastructure. The \nCommission addressed this issue in Order No. 
706, concluding that \nSection 215 of the Federal Power Act, which authorizes the \nestablishment of mandatory Reliability Standards, does not extend \nbeyond assets critical to the bulk power system:\n\n    Section 215 of the FPA authorizes the Commission to approve \n        Reliability Standards that ``provide for the reliable operation \n        of the bulk-power system,'' which the statute defines as the \n        facilities and control systems necessary for operation of an \n        interconnected electric energy transmission network and the \n        electric energy needed to maintain transmission system \n        reliability. In addition, section 215(a)(1) specifically \n        excludes from the definition of Bulk-Power System ``facilities \n        used in the local distribution of electric energy.'' Moreover, \n        given the complexities surrounding this issue and the \n        aggressive timeline that will be necessary merely to meet the \n        more modest task of developing and implementing cyber security \n        standards capable of protecting the reliability of the Bulk-\n        Power System, we will follow the approach that we described in \n        the CIP NOPR of approving CIP Reliability Standards designed to \n        safeguard the reliability of the Bulk-Power System.\n\n    Order No. 706 at P 340. The Commission identified a need for \ncoordination with stakeholders of other infrastructures and with other \ngovernment agencies in order to address interdependencies. NERC is \npursuing this through the Information Sharing and Analysis Center \n(``ISAC'') Council, which is made up of representatives from critical \ninfrastructure sectors, including telecom, water, oil and natural gas, \nemergency services, and maritime, in addition to the electricity \nsector. The ISAC Council routinely shares information about \ninterdependencies. 
Also, NERC participates in the Partnership for \nCritical Infrastructure Security (``PCIS'') and is actively working \nthrough the PCIS Cross Sector Cyber Security Working Group to \nfacilitate information sharing about cyber vulnerabilities and \nsuccessful mitigation strategies.\nC. CIP Reliability Standards Improvement Is Underway\n    On March 20, the NERC Standards Committee \\11\\ authorized the \nposting for comments of a Standard Authorization Request (``SAR'') \nproposing modifications to the CIP Reliability Standards to address the \ndirectives from FERC in Order No. 706. The comment period closed on \nApril 19, and the Standards Committee appointed a SAR Drafting Team on \nApril 24 to review and respond to the 30 comments received on the first \ndraft of the SAR.\\12\\ There is active Federal agency input to this \nprocess: NIST was among the entities submitting comments on the SAR, \nand a representative of the Bureau of Reclamation serves on the SAR \nDrafting Team.\n---------------------------------------------------------------------------\n    \\11\\ The NERC Standards Committee reports to the NERC Board of \nTrustees and is responsible for overseeing the development of \nReliability Standards.\n    \\12\\ Detailed information on the proposed modifications is \navailable on the NERC Web site at: http://www.nerc.com/%7Efilez/\nstandards/Project_2008-06_Cyber_Security.html.\n---------------------------------------------------------------------------\n    The SAR, once approved by the Standards Committee, will become the \nframework upon which the Standard Drafting Team develops the specific \nrevisions to the CIP Reliability Standards. The process of improving \nthe CIP Reliability Standards will likely be structured in multiple \nphases to address priority items and measures such as removal of the \n``reasonable business judgment'' language first, while recognizing that \nother improvements will require more time. 
Application of the NIST \nstandards will be considered during the drafting of the revisions to \nthe CIP Reliability Standards.\n    Another of the key topics identified in Order No. 706 is for NERC \nto develop guidance documents to help entities know what is expected to \ncomply with certain aspects of the CIP Reliability Standards. The \nStandard Drafting Team will work closely with CIPC to develop these \nguidelines or examples.\n    In summary, NERC's Reliability Standards development process \nenables the progressive and continuous improvement of Reliability \nStandards. Going forward, NERC will address the Commission's directives \nand continually evaluate how these standards are executed in practice, \nutilizing this experience as the basis for further improvements. NERC \nalso will monitor key industry and technology developments related to \nthe CIP Reliability Standards, in order to ensure that the bulk power \nsystem in North America remains as reliable as possible.\n     iii. enhanced mechanisms to communicate emerging threats and \n                          cybersecurity issues\n    As noted above, the CIP Reliability Standards in and of themselves \ncannot eliminate the possibility of a cyber disruption of critical \nnational infrastructure. The limitation on NERC's jurisdiction to \npropose reliability standards only for the bulk power system means that \nthe CIP Reliability Standards cannot address other critical assets--\nsuch as telecommunications systems or electricity distribution systems. \nMoreover, the Reliability Standards development process is by design a \npublic and transparent one. 
That public process--while demonstrably \nsuccessful in producing standards that have significantly enhanced the \nreliability of the grid--may not be ideally suited to situations where \nconfidentiality is required (such as the response to the Aurora \ndemonstration test).\n    NERC recognizes the subcommittee's continuing interest in the \nresponse to the Aurora demonstration test. Attachment 1 contains a \ndescription of the actions taken by NERC, in its role as the ES-ISAC, \nto notify the industry of the identified vulnerability, define \nmitigation measures and assess the industry's implementation of those \nmeasures. NERC believes the industry is cooperating in completing the \nimplementation of the recommended mitigation measures contained in the \nAdvisory regarding cybersecurity vulnerabilities issued on June 21, \n2007 by the ES-ISAC.\n    NERC as the ES-ISAC continues to respond to inquiries regarding the \nmeasures contained in the June 21 Advisory. Additionally, NERC meets \nwith government agencies as requested to discuss the Aurora \ndemonstration test. On April 25, NERC met with the Department of \nDefense, the Department of Energy, FERC and other agencies to review \nDOD installations and determine what additional actions should be taken \nby DOD to address vulnerabilities resulting from the Aurora \ndemonstration test.\n    Lessons Learned: Among the key lessons learned from the Aurora \ndemonstration test was the need to improve the alert mechanism by which \nthe industry is made aware of significant vulnerabilities and \nrecommended mitigation measures. 
While ES-ISAC alerts are, by their \nvery nature, advisory only, with careful oversight of the \nimplementation of recommended measures, these alerts can be effective \nin eliciting responses to identified cyber vulnerabilities that are not \naddressed by the Reliability Standards.\n    Additionally, the Aurora demonstration test highlighted the \nimportance of having in place a comprehensive contact list for all \nusers, owners and operators of the bulk power system to facilitate \nrapid communication of ES-ISAC advisories.\n    Notwithstanding the limitations on NERC's ability to deal with all \naspects of the cybersecurity issue, we are acting to address \neffectively those aspects of the critical infrastructure cybersecurity \nchallenge that are within our control. If a cyber exploit of an \nidentified vulnerability is imminent, NERC as the ES-ISAC will take the \nfollowing actions:\n  <bullet> Obtain approval from the Electricity Sector Coordinating \n        Council to escalate the Cyber Threat Alert Level to Red;\n  <bullet> Post the escalated level on the ES-ISAC Web site;\n  <bullet> Issue an industry advisory with recommended mitigation \n        measures/essential actions to respond to the identified \n        vulnerability;\n  <bullet> Send e-mail notifications to the electric industry through \n        distribution lists designed for notification purposes \n        recommending that the industry promptly complete the immediate \n        mitigation measures identified in the ES-ISAC Advisory; and\n  <bullet> Follow-up to monitor progress in implementing the immediate \n        mitigation measures and report to appropriate government \n        agencies.\n    Since the Aurora demonstration test, this notification system has \nbeen significantly enhanced. 
First, NERC now has in place a formal \nmechanism for issuing alerts to the industry about important matters \nthat come either from NERC's own event analysis efforts or, as was the \ncase with the Aurora demonstration test, from government agencies with \nspecific information about possible threats. The alert system is set \nout in Rule 810 of NERC's Rules of Procedure \\13\\ and has three levels:\n---------------------------------------------------------------------------\n    \\13\\ Rule 810, ``Information Exchange and Issuance of NERC \nAdvisories, Recommendations and Essential Actions.'' See ftp://\nftp.nerc.com/pub/sys/all_updl/rop/\nNERC_Rules_of_Procedure_EFFECTIVE_20080321.pdf at pp. 69-70. NERC's \nRules of Procedure have been approved by FERC. See Rules Concerning \nCertification of the Electric Reliability Organization; and Procedures \nfor the Establishment, Approval and Enforcement of Electric Reliability \nStandards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, at P 672; order \non reh'g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006); see \nalso North American Electric Reliability Council, et al., 122 FERC ¶ \n61,245 (2008).\n---------------------------------------------------------------------------\n  <bullet> (1) ``Advisories'' are purely informational and are intended \n        to advise certain owners, operators and users of the bulk power \n        system of findings and lessons learned.\n  <bullet> (2) ``Recommendations'' are specific actions that NERC is \n        recommending be considered on a particular topic by certain \n        owners, operators, and users of the bulk power system, \n        according to each entity's facts and circumstances.\n  <bullet> (3) ``Essential Actions'' are specific actions that NERC has \n        determined are essential to be taken by certain owners, \n        operators, or users of the bulk power system to ensure the \n        reliability of the bulk power system. 
Essential Actions require \n        NERC board approval before issuance.\n    ``Recommendations'' and ``Essential Actions'' have mandatory \nreporting requirements on how each entity responds to the alert. This \nreporting will allow NERC to determine whether further actions may be \nnecessary. FERC requires that NERC provide at least 5 business days' \nnotice to the Commission before an alert is issued, with provision for \nshorter times in the event that faster action is necessary. The Rules \nof Procedure further provide that a report will be filed with the \nCommission (and other government agencies, as appropriate) no later \nthan 30 days after the date on which bulk power system owners, users \nand operators are required to report to NERC on their actions taken in \nresponse to the notification.\n    These alerts are not the same as reliability standards--they are \nnot enforceable with financial penalties and other sanctions. NERC \nbelieves, however, that the alerts offer an effective and expeditious \nmeans of communicating vital information to all owners, operators, and \nusers of the bulk power system who have a need to know. When the NERC \nBoard of Trustees determines that certain actions are essential for \nowners, operators, and users to take to ensure the reliability of the \nbulk power system, NERC believes those entities will do what is \nnecessary.\n    Second, NERC has now developed a contact list for every owner, \noperator and user of the bulk power system. At present, there are over \n1,800 entities on the list. The list was initially developed as NERC's \ncompliance registry, to identify the entities that are responsible for \ncomplying with the mandatory reliability standards. This list is more \ncomprehensive than the ES-ISAC list used to distribute the June 21 \nAdvisory.\n    NERC is presently using this expanded contact list for alerts, \nincluding an alert that relates to cyber security. 
Each alert is \ntargeted to the types of entities to which it applies (e.g., \nReliability Coordinators, Transmission Operators, Generation Owners) \nand identifies the types of employees within the entity (e.g., system \nplanners, information technology workers) who need to be informed of \nthe alert. NERC is working with the Regional Reliability Entities and \nindustry trade associations to expand the contact list, so that we have \nspecific contacts for executive officers, cyber security, physical \nsecurity, and operations within each entity on the list.\n iv. government's ability to share information with the private sector\n    As described above, NERC, working with the FERC, has enhanced the \nformal cybersecurity alerts/communication processes. However, these \nprocesses are only as good as the information being distributed. In its \nroles as the ERO and the ES-ISAC, NERC operates as an information \nbridge to the electric industry. NERC collects information from users, \nowners, or operators of the bulk power system, commonly about events on \nthe power system, and shares that information throughout the industry \nand with government agencies. In addition to this ``bottom up'' flow of \ninformation, NERC also receives information from government agencies in \nthe United States and Canada, which is also shared with the industry. \nThe information regarding the Aurora demonstration test addressed in \nthe June 21 ES-ISAC Advisory is an example of this ``top down'' \ncommunication.\n    Effective communication with the private sector that will trigger \nan immediate and comprehensive response to an identified vulnerability \nrequires an ability to articulate the seriousness of the threat. NERC \nunderstands that the subcommittee has concerns regarding whether the \nDepartment of Homeland Security, in the case of the Aurora \ndemonstration test, shared enough information with the private sector \nto reveal the magnitude of the agency's concern. 
Where to draw the line \nbetween releasing information that is necessary to inform private \naction and information that actually expands the vulnerability is a \nconcern for both the public and private sectors.\n    The formality of the information sharing process now in place has \nimproved the flow of information between the government, NERC and the \nindustry. Under Rule 810.5 of NERC's Rules of Procedure, NERC advises \nFERC and other applicable governmental authorities of its intent to \nissue advisories, recommendations and essential actions 5 days prior to \ntheir issuance. The benefits of this notification have already been \nseen with several alerts. Moreover, NERC will report to FERC on the \nactions taken by the relevant grid users, owners, and operators in \nresponse to an alert and the success of those actions in correcting \nvulnerabilities or deficiencies.\n    Another example of formalized information exchange is the \nmemorandum of agreement (``MOA'') between the U.S. Nuclear Regulatory \nCommission (``NRC'') and NERC, which describes how the two \norganizations will communicate and cooperate in sharing of information \non grid reliability in general and specifically on the analysis of \nevents that occur on the grid that have the potential to affect nuclear \npower plants. First executed in 2004, the MOA was updated in 2007. \nUnder the coordination plan for communications and information sharing \nduring or immediately following emergencies, NERC as the ES-ISAC will \ncontact the NRC Headquarters Operations Officer when NERC becomes aware \nof a significant grid disturbance or an unusual grid event that has \naffected or may affect the reliability of offsite power to one or more \nnuclear power plants. 
In turn, when the NRC learns through reports from \nits licensees or other sources about grid events or conditions that \nhave affected or could potentially affect the reliability of offsite \npower to one or more nuclear power plants, the NRC will contact NERC \nthrough the ES-ISAC.\n    With this structure in place, Federal agencies, including the \nDepartment of Energy and the Department of Homeland Security, should \nhave increased confidence in NERC's ability to notify the industry \nexpeditiously about vulnerabilities identified by the government and \nthe appropriate actions to be taken in response.\n    Beyond these formal processes, CIPC meetings offer one venue for \nthe technical discussion of vulnerabilities between government agencies \nand the industry. Even within these established mechanisms, however, \nchallenges will still arise when (as in the case of the Aurora \ndemonstration test) the information is classified or there are tight \ncontrols on the distribution of the information that needs to be \ncommunicated to the industry.\n                               conclusion\n    The mandatory and enforceable CIP Reliability Standards represent \nan important milestone to help ensure grid reliability by improving the \nresiliency of control system cyber assets and enhancing their ability \nto withstand cyber-based attacks. The NERC Reliability Standards \nDevelopment Procedure provides a systematic approach to continuously \nimproving the standards and documenting the basis for those \nimprovements. In addition to providing the mechanism to respond to the \ndirections given by FERC in Order No. 706 to modify the 8 CIP \nReliability Standards, this process provides the opportunity to monitor \ntechnical and other developments--including the further development of \nthe NIST guidance--and reflect those developments, where appropriate, \nin the CIP Reliability Standards. 
NERC will continue to place a high \npriority on assuring that robust CIP Reliability Standards are adhered \nto by all responsible entities associated with the bulk power system.\n    Not all cybersecurity vulnerabilities, however, can be addressed \nthrough the CIP Reliability Standards. While NERC's enforcement \nauthority is limited to the measures that are contained in the CIP \nReliability Standards, we are committed to analyzing the electric grid \nto identify vulnerabilities, and working with government agencies and \nindustry through the ES-ISAC and otherwise to support the rapid \ndissemination of information and mitigation measures for identified \nvulnerabilities.\n   Attachment 1.--Assessment of the Implementation of the Mitigation \n       Measures Recommended in the June 21, 2007 ES-ISAC Advisory\n                              introduction\n    The June 21, 2007 ES-ISAC Advisory regarding cybersecurity \nvulnerabilities (ES-ISAC Advisory) was sent to generation owners, \ngeneration operators, transmission owners, and transmission operators. \nIt was distributed broadly through the industry trade associations \n(American Public Power Association; Canadian Electricity Association; \nEdison Electric Institute (EEI); Electric Power Supply Association; and \nthe National Rural Electric Cooperative Association).\n    The ES-ISAC Advisory consisted of three parts. 
The first part \ncontained the recommended short- and mid-range (0-180 days) mitigation \nmeasures.\\1\\ Part two was the longer term (greater than 180 days) \nmeasures.\\2\\ Part three contained recommendations for immediate \nmeasures.\\3\\ The ES-ISAC Advisory recommended the development of plans \nto implement the immediate measures in the event that a vulnerability \nis being exploited, but did not recommend that the immediate measures \nbe put into practice.\n---------------------------------------------------------------------------\n    \\1\\ These measures are designated as numbers 1, 2.1, 2.1.1, 2.1.2, \n2.1.3, 2.1.4, 3.1 and 3.2 in the ES-ISAC Advisory.\n    \\2\\ These measures are designated as numbers 4.1, 4.2, 4.2.1, \n4.2.2, 4.2.3, 5, 6, 7 and 8 in the ES-ISAC Advisory.\n    \\3\\ These immediate measures are designated as numbers 1, 2, 3, 4, \nand 5 in the ES-ISAC Advisory.\n---------------------------------------------------------------------------\n    After the ES-ISAC Advisory was issued, numerous conference calls \nwere held with industry participants to explain the Advisory. Calls \nwere convened by trade associations, reliability regions, and \ntransmission owner and operator forums. ES-ISAC representatives also \nresponded to inquiries from a large number of companies. In general, \nthe industry response was constructive and demonstrated a commitment to \nmitigating the vulnerability. In communications with the industry, the \nES-ISAC acknowledged its lack of authority to require completion of the \nmitigation measures, and the fact that the Advisory was not part of the \nNERC Reliability Standards mandatory compliance program. 
ES-ISAC \nrepresentatives also discussed the ``For Official Use Only'' \nclassification on the Advisory, which was established by the \nDepartments of Homeland Security and Energy and the Nuclear Regulatory \nCommission, and the need for maintenance of the confidentiality of \ninformation.\n    The ES-ISAC conducted both an initial assessment of the \nimplementation of the recommended measures and a formal, written survey \nto measure industry progress in completing the mitigation measures. The \ninitial assessment was conducted in September and early October 2007 \nand was performed by gathering information with sector entities in \nphone conversations and at meetings. No formalized survey instrument \nwas used. In addition, a small number of entities submitted unsolicited \nreports on their progress to the ES-ISAC.\n    Based on the information gathered in the discussions, the submitted \nreports, and expert knowledge of the ownership and geography of the \nbulk power system, the ES-ISAC concluded that approximately 75 percent \nof the transmission grid had received mitigation measures or such \nmeasures were in progress.\n    The October 19, 2007 survey was sent to a list of 65 contacts \nrepresenting major entities in the bulk power system developed by the \nES-ISAC with assistance from EEI. The written survey focused on the \nimplementation of the short- and mid-range measures only. The survey \ndid not measure progress on the long-term measures. A blank copy of the \nsurvey and cover letter is attached.\n    One hundred thirty-three entities responded to the survey. The \nrespondents ranged from small municipally-owned utilities to very \nlarge, multistate, investor-owned utilities. More responses were \nreceived than surveys were distributed because in some cases, \nrecipients further distributed the survey to affected entities. 
As an \nexample, surveys were sent to reliability regions and the regions \npassed the survey on to multiple entities in the region. Responses to \nthe survey were requested by November 2, 2007.\n    Survey respondents were assured the information submitted would be \nkept confidential. The following paragraph was included in the survey \ninstrument:\n\n    Information supplied in this response will be kept confidential by \n        the ES-ISAC, and will not be shared in any attributable manner \n        with any other entity or government agency, unless the ES-ISAC \n        first provides notice of its intention to do so. Statistical \n        summary information will be calculated from the results, and \n        that information will be shared with select agencies in the \n        U.S. and Canadian governments to indicate an overall state of \n        completeness.\n                    general summary of responses \\4\\\n---------------------------------------------------------------------------\n    \\4\\ Detailed information on the survey responses was submitted by \nletter dated December 5, 2007, from David A. Whiteley, Executive Vice \nPresident of NERC, to Chairman Langevin.\n---------------------------------------------------------------------------\n    The October 19 survey results indicated that 94 percent of the \nshort- and mid-range mitigation measures recommended in the ES-ISAC \nAdvisory, including the recommendation to establish a plan to implement \nimmediate measures when and if needed, were completed or were in \nprogress. This 94 percent consisted of 60 percent completed and 34 \npercent in progress. 
The remaining 6 percent were not being performed \nfor a variety of reasons (not applicable due to characteristics of \nequipment; work being done by another entity; the measure could \ncompromise reliability rather than help reliability).\n    In addition, the information received from the nuclear sector \nconfirmed that the electricity sector worked diligently to complete \nmitigation measures on the bulk power system near nuclear facilities. \nThe electricity sector took a prioritized approach to completing the \nmitigation measures, working in the early stages with the nuclear \nfacilities and then continuing to work on other less critical \nfacilities on a prioritized basis. In general, electricity sector \nentities weighed the risks associated with the vulnerability addressed \nin the ES-ISAC Advisory against risks associated with other \nvulnerabilities and worked to balance multiple demands for resources, \nperform routine maintenance, repair damage caused by weather, build new \nfacilities for a growing economy, and replace obsolete facilities, \nwhile mitigating vulnerabilities.\n    Several key observations regarding the survey responses:\n  <bullet> The survey results were encouraging and positive and major \n        electricity sector entities representing over 75 percent of the \n        geography and ownership of the bulk power system were proactive \n        in this mitigation effort.\n  <bullet> A significant portion (25 percent to 30 percent) of the \n        sectors' entities did not have the vulnerability due to how \n        they installed their protective systems.\n  <bullet> Respondents were very concerned about the confidentiality of \n        information submitted.\n  <bullet> The results demonstrated a responsible and appropriate \n        response to the ES-ISAC Advisory.\n       summary of survey responses by measure (see table 1 below)\n    A total of 105 responses were received on behalf of 133 entities. 
\nIn certain cases, a single response was provided on behalf of multiple \naffiliated independent power producers. Of the 105 responses received, \n32 entities indicated that none of the vulnerabilities or \nrecommendations contained in the ES-ISAC Advisory was applicable to \ntheir facilities. This ``non-applicable'' response was very common for \nthe independent power producers and a number of the smaller entities \nthat responded their facilities did not have any remotely accessible \ndigital protective control devices (DPCD). The remaining 73 respondents \nidentified at least one of the recommendations in the ES-ISAC Advisory \nthat applied to their facilities, and reported on the implementation of \nall of the measures that were deemed applicable.\n    The percentages shown in the grid below are calculated by adding \nthe number of responses that the measure is ``complete'' or ``in-\nprogress'' and dividing by the total number of responding entities that \nhave the vulnerability. Entities classified as ``not applicable'' on \nTable 1 because they determined that their facilities did not have the \nvulnerability the measure was meant to address are not included in \nfiguring the percentage. The narrative in the grid is based on the \nspecific survey results as shown in Table 1. Both the grid and the \ntable are keyed to the order in which the recommendations were included \nin the ES-ISAC Advisory.\n\n------------------------------------------------------------------------\n                  Measure                         Response Analysis\n------------------------------------------------------------------------\n1    Plan Immediate Action................  
Seventy of 71 respondents to\n                                             which these measures are\n                                             applicable indicated this\n                                             is complete or in progress.\n                                             This 98 percent (70/71)\n                                             rate represented a strong\n                                             effort by the sector to\n                                             develop the plans to\n                                             complete the five immediate\n                                             actions if required.\n2.1    Enhance Security Remote Access.....  This measure is a summary of\n                                             the four below it. The\n                                             compliance rate was 97\n                                             percent (62/64).\n2.1.1    Security.........................  This measure required\n                                             strengthening the\n                                             protections to reduce\n                                             unauthorized remote access.\n                                             The compliance rate was 98\n                                             percent (63/64).\n2.1.2    Training.........................  This measure is to provide\n                                             security training to\n                                             employees with access to\n                                             DPCD. 
While the overall\n                                             compliance rate was 98\n                                             percent (63/64), more of\n                                             the entities reported this\n                                             as ``in progress'' (35)\n                                             rather than ``completed''\n                                             (28).\n2.1.3    Information Protection...........  Respondents indicated 100\n                                             percent (64/64) took\n                                             measures to protect DPCD\n                                             access information,\n                                             although 28 of 64, almost\n                                             half, were still in\n                                             progress.\n2.1.4    Seal Unused Ports................  This action was more\n                                             problematic for some\n                                             respondents due to the\n                                             virtual impossibility of\n                                             sealing unused ports in\n                                             some equipment. Fifty-seven\n                                             of 62 respondents to which\n                                             this measure applied were\n                                             completed or in progress,\n                                             while five believed sealing\n                                             unused ports is not\n                                             possible or is counter\n                                             productive.\n3.1    Control Center Authentication......  
Fifty-five of 59 respondents\n                                             considered this\n                                             configuration that requires\n                                             an operator in the control\n                                             center to authenticate a\n                                             DPCD access. This measure\n                                             was not feasible in some\n                                             configurations nor\n                                             practical if the entity was\n                                             small and did not have a\n                                             control room.\n3.2    Situation Awareness Process........  Forty-seven of 66\n                                             respondents reported that\n                                             they had not performed this\n                                             measure or that the measure\n                                             was not applicable. This\n                                             was an expected response\n                                             because performance of this\n                                             measure is the\n                                             responsibility of\n                                             Independent System\n                                             Operators, Regional\n                                             Transmission Organizations,\n                                             and reliability\n                                             coordinators, and thus not\n                                             the responsibility of many\n                                             of the recipients of the\n                                             October 19 survey.\n1.1 to 1.5    Specific Immediate Measures.  
As discussed above, the\n                                             respondents indicated a\n                                             high degree of attention to\n                                             developing the plans\n                                             necessary to complete these\n                                             measures if necessary.\n                                             There was a higher degree\n                                             of variation in the\n                                             responses in this category\n                                             due to different DPCD and\n                                             equipment configurations.\n------------------------------------------------------------------------\n\n\n  TABLE 1.--SURVEY RESPONSES SHOWING IMPLEMENTATION OF RECOMMENDATIONS FOR SHORT-TERM AND MID-TERM MEASURES AND\n                                           IMMEDIATE MEASURE PLANNING\n----------------------------------------------------------------------------------------------------------------\n                                                                           In        Not         Not\n                     Mitigation Measure                       Complete  Progress  Performed  Applicable   Total\n----------------------------------------------------------------------------------------------------------------\n1. Plan immediate actions...................................        55        15         1           2        73\n2.1 Enhance security-remote access..........................        38        24         2           9        73\n    2.1.1 Security..........................................        38        25         1          10        74\n    2.1.2 Training..........................................        28        35         1           5        69\n    2.1.3 Information protection............................        
36        28         0           5        69\n    2.1.4 Seal unused ports.................................        33        24         5           8        70\n3.1 Control center authentication...........................        26        29         4           9        68\n3.2 Situational awareness process...........................         7        12        12          35        66\n----------------------------------------------------------------------------------------------------------------\n1.1 Attachment A (only) Planning Access.....................        47        17         0           7        71\n1.2 Disable remote change...................................        45        14         5           4        68\n1.3 Disable auto reclose....................................        41        11         2          14        68\n1.4 Add time delay..........................................        29        12         5          25        71\n1.5 Disable remote close....................................        38        10         7          15        70\n----------------------------------------------------------------------------------------------------------------\n      Totals................................................       461       256        45         148   .......\n----------------------------------------------------------------------------------------------------------------\n\n    Mr. Langevin. I thank you for your testimony.\n    I will now recognize Mr. Wilshusen to summarize his \nstatement for 5 minutes.\n    Welcome, Mr. Wilshusen.\n\n  STATEMENT OF GREG WILSHUSEN, DIRECTOR, INFORMATION SECURITY \nISSUES, GOVERNMENT ACCOUNTABILITY OFFICE (GAO), ACCOMPANIED BY \n         NABA BARKAKATI, SENIOR LEVEL TECHNOLOGIST, GAO\n\n    Mr. Wilshusen. Thank you. Mr. 
Chairman and members of the \nsubcommittee, thank you for the opportunity to participate in \ntoday's hearing to discuss control systems security.\n    I am accompanied today by Naba Barkakati, GAO's acting \ntechnologist.\n    As you know, we have previously reported and testified \nbefore this subcommittee that critical infrastructure control \nsystems face increasing risks due to cyber threats, system \nvulnerabilities and the serious potential impact of attacks, as \ndemonstrated by several reported incidents. If control systems \nare not adequately secured, their vulnerabilities could be \nexploited and our critical infrastructures could be disrupted \nor disabled, possibly resulting in loss of life, physical \ndamage or economic losses.\n    Mr. Chairman, at your request, GAO examined the information \nsecurity controls for the control systems and networks used to \noperate TVA's critical infrastructure. In reports being issued \ntoday on the results of our examination, we determined that TVA \nhad not fully implemented appropriate security controls to \nproperly protect its networks and control systems.\n    On TVA's corporate network, for example, many of the work \nstations and servers that we examined lacked key security \npatches or were insecurely configured. In addition, certain \nnetwork protocols and devices provided limited protections; and \nTVA's ability to monitor its network using its intrusion \ndetection system was limited. On certain control systems and \nnetworks, passwords or other equivalent documented controls \nwere not effectively implemented, user activity was not logged, \nsoftware patches were not current, and virus protection \nsoftware was not consistently implemented.\n    The interconnectivity between the corporate network and \ncontrol systems networks at certain facilities provided \nopportunities for weaknesses on one network to potentially \naffect systems on other networks. 
Physical security weaknesses \nalso introduced risk to control systems at certain facilities. \nFor example, live network jacks connected to TVA's internal \nnetwork were publicly accessible.\n    An underlying reason for these weaknesses is that TVA had \nnot fully implemented its information security program. \nAlthough TVA had implemented program activities related to \ncontingency planning and incident response, it had not \nconsistently conducted key activities related to, among other \nthings, developing an inventory of systems, assessing risks, \ncompleting appropriate training for individuals with \nsignificant security responsibilities, testing and monitoring \nthe effectiveness of security controls and identifying and \ntracking remedial actions to mitigate known uncontrolled \nweaknesses. As a result, systems and networks that operate \nTVA's critical infrastructures were at increased risk of \nunauthorized modification or disruption by both internal and \nexternal threats.\n    Accordingly, opportunities exist for TVA to enhance the \nsecurity of its control systems networks. In reports being \nissued today, we are making a total of 92 recommendations to \nstrengthen security controls and implement an effective \ninformation security program that can provide TVA with a solid \nfoundation for ensuring sufficient protection of its control \nsystems. TVA has concurred with most of our recommendations.\n    In summary, TVA's power generation and transmission \ncritical infrastructures are important to the economy of the \nsoutheastern United States and the safety, security and welfare \nof millions of people. However, multiple weaknesses in both the \nagency's corporate network and control systems networks place \nthese infrastructures at increased risk. 
If TVA does not take \nsufficient steps to secure its control systems and fully \nimplement its security program, it risks not being able to \nprevent or respond properly to a disruption caused by either \na malicious or unintended cyber incident.\n    Mr. Chairman, this concludes our statement. We would be \nhappy to answer questions at this time.\n    [The statement of Mr. Wilshusen follows:]\n               Prepared Statement of Gregory C. Wilshusen\n                              May 21, 2008\n    information security: tva needs to enhance security of critical \n              infrastructure control systems and networks\n   gao highlights: highlights of gao-08-775t, a testimony before the \n   subcommittee on emerging threats, cybersecurity, and science and \n  technology, committee on homeland security, house of representatives\nWhy GAO Did This Study\n    The control systems that regulate the Nation's critical \ninfrastructures face risks of cyber threats, system vulnerabilities, \nand potential attacks. Securing these systems is therefore vital to \nensuring national security, economic well-being, and public health and \nsafety. While most critical infrastructures are privately owned, the \nTennessee Valley Authority (TVA), a Federal corporation and the \nNation's largest public power company, provides power and other \nservices to a large swath of the American Southeast.\n    GAO was asked to testify on its public report being released today \non the security controls in place over TVA's critical infrastructure \ncontrol systems. 
In doing this work, GAO examined the security \npractices in place at TVA facilities; analyzed the agency's information \nsecurity policies, plans, and procedures in light of Federal law and \nguidance; and interviewed agency officials responsible for overseeing \nTVA's control systems and their security.\nWhat GAO Recommends\n    In public and limited distribution reports being issued today, GAO \nis recommending that TVA take steps to improve implementation of the \nagency's information security program and to correct specific security \nweaknesses identified at TVA facilities.\n    In comments on drafts of GAO's reports, TVA provided information on \nsteps it is taking to implement these recommendations.\nWhat GAO Found\n    TVA had not fully implemented appropriate security practices to \nsecure the control systems used to operate its critical infrastructures \nat facilities GAO reviewed. Multiple weaknesses within the TVA \ncorporate network left it vulnerable to potential compromise of the \nconfidentiality, integrity, and availability of network devices and the \ninformation transmitted by the network. For example, almost all of the \nworkstations and servers that GAO examined on the corporate network \nlacked key security patches or had inadequate security settings. \nFurthermore, TVA did not adequately secure its control system networks \nand devices on these networks, leaving the control systems vulnerable \nto disruption by unauthorized individuals. Network interconnections \nprovided opportunities for weaknesses on one network to potentially \naffect systems on other networks. For example, weaknesses in the \nseparation of network segments could allow an individual who gained \naccess to a computing device connected to a less secure portion of the \nnetwork to compromise systems in a more secure portion of the network, \nsuch as the control systems. 
In addition, physical security at multiple \nlocations that GAO reviewed did not sufficiently protect the control \nsystems. For example, live network jacks connected to TVA's internal \nnetwork at certain facilities GAO reviewed had not been adequately \nsecured from unauthorized access. As a result, TVA's control systems \nwere at increased risk of unauthorized modification or disruption by \nboth internal and external threats.\n    An underlying reason for these weaknesses was that TVA had not \nconsistently implemented significant elements of its information \nsecurity program. For example, the agency lacked a complete and \naccurate inventory of its control systems and had not categorized all \nof its control systems according to risk, limiting assurance that these \nsystems are adequately protected. In addition, TVA's patch management \nprocess lacked a mechanism to effectively prioritize vulnerabilities. \nAs a result, patches that were identified as critical, meaning they \nshould be applied immediately to vulnerable systems, were not applied \nin a timely manner.\n    Numerous opportunities exist for TVA to improve the security of its \ncontrol systems. For example, TVA can strengthen logical access \ncontrols, improve physical security, and fully implement its \ninformation security program. If TVA does not take sufficient steps to \nsecure its control systems and fully implement an information security \nprogram, it risks not being able to respond properly to a major \ndisruption that is the result of an intended or unintended cyber \nincident.\n    Mr. Chairman and Members of the subcommittee, thank you for the \nopportunity to participate in today's hearing to discuss control \nsystems security. 
We have previously reported and testified before this \nsubcommittee that critical infrastructure control systems face \nincreasing risks due to cyber threats, system vulnerabilities, and the \nserious potential impact of attacks as demonstrated by reported \nincidents.\\1\\ If control systems are not adequately secured, their \nvulnerabilities could be exploited, and our critical infrastructures \ncould be disrupted or disabled, possibly resulting in loss of life, \nphysical damage, or economic losses.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Critical Infrastructure Protection: Federal Efforts to \nSecure Control Systems Are Under Way, but Challenges Remain, GAO-07-\n1036 (Washington, D.C.: September 2007) and GAO, Critical \nInfrastructure Protection: Multiple Efforts to Secure Control Systems \nAre Under Way, but Challenges Remain. GAO-08-119T (Washington, D.C.: \nOctober 2007).\n---------------------------------------------------------------------------\n    The majority of our Nation's critical infrastructures are owned by \nthe private sector; however, the Federal Government owns and operates \ncritical infrastructure facilities including ones used for energy, \nwater treatment and distribution, and transportation. One such entity, \nthe Tennessee Valley Authority (TVA)--a Federal corporation and the \nNation's largest public power company--generates electricity using its \n52 fossil, hydro, and nuclear facilities, all of which use control \nsystems. As a wholly owned government corporation, TVA is to comply \nwith the Federal Information Security Management Act of 2002 \\2\\ \n(FISMA) by developing a risk-based information security program and \nimplementing appropriate information security controls for its computer \nsystems.\n---------------------------------------------------------------------------\n    \\2\\ FISMA was enacted as title III, E-Government Act of 2002, Pub. \nL. No. 
107-347 (Dec. 17, 2002).\n---------------------------------------------------------------------------\n    In our testimony today, we will summarize the results of our review \nof the security controls over TVA's critical infrastructure control \nsystems. We are issuing two reports today, one publicly available and \none with limited distribution, which provide additional details on the \nresults of our review.\\3\\ Our objective was to determine whether TVA \nhas effectively implemented appropriate information security practices \nfor its control systems. In preparing for this testimony, we relied on \nour work supporting these reports, which discuss the details of our \nscope and methodology. The information in this testimony is \nspecifically based on our public report, which has been reviewed for \nsensitivity by TVA.\n---------------------------------------------------------------------------\n    \\3\\ GAO, Information Security: TVA Needs to Address Weaknesses in \nControl Systems and Networks, GAO-08-459SU and GAO-08-526 (Washington, \nD.C.: May 2008).\n---------------------------------------------------------------------------\n    Our testimony is based on the work done for our reports from March \n2007 to May 2008. The work on which this testimony is based was \nconducted in accordance with generally accepted government auditing \nstandards, which require that we plan and perform the audit to obtain \nsufficient, appropriate evidence to provide a reasonable basis for our \nfindings and conclusions based on our audit objectives. We believe that \nthe evidence obtained provides a reasonable basis for our findings and \nconclusions based on our audit objectives.\n                            results in brief\n    TVA had not fully implemented appropriate security practices to \nsecure the control systems used to operate its critical infrastructures \nat facilities we reviewed. 
Specifically, network interconnections \nprovided opportunities for weaknesses on one network to potentially \naffect systems on other networks. For example, weaknesses in the \nseparation of network segments could allow an individual who gained \naccess to a computing device connected to a less secure portion of the \nnetwork to compromise systems in a more secure portion of the network, \nsuch as the control systems. In addition, physical security at multiple \nlocations that we reviewed did not sufficiently protect the control \nsystems. As a result, TVA's control systems were at increased risk of \nunauthorized modification or disruption by both internal and external \nthreats.\n    An underlying reason for these weaknesses was that TVA had not \nconsistently implemented significant elements of its information \nsecurity program. For example, the agency lacked a complete and \naccurate inventory of its control systems and it had not categorized \nall of its control systems according to risk, limiting assurance that \nthese systems were adequately protected. In addition, TVA's patch \nmanagement process lacked a mechanism to effectively prioritize \nvulnerabilities. 
Until TVA fully and consistently implements its \ninformation security program, it risks a disruption of its operations, \nwhich could impact both TVA and its customers.\n    In the reports being issued today,\\4\\ we are making 19 \nrecommendations to the Chief Executive Officer of TVA to improve the \nimplementation of its agencywide information security program and 73 \nrecommendations to correct specific information security weaknesses.\n---------------------------------------------------------------------------\n    \\4\\ GAO-08-526 and GAO-08-459SU.\n---------------------------------------------------------------------------\n    In its comments on our reports, TVA concurred with all of our \nrecommendations regarding its information security program and the \nmajority of our recommendations regarding specific information security \nweaknesses and provided information on steps the agency was taking to \nimplement our GAO recommendations.\n                               background\n    Information security is a critical consideration for any \norganization that depends on information systems and computer networks \nto carry out its mission or business. Of particular importance is the \nsecurity of information and systems supporting critical \ninfrastructures--physical or virtual systems and assets so vital to the \nNation that their incapacitation or destruction would have a \ndebilitating impact on national and economic security and on public \nhealth and safety. Although the majority of our Nation's critical \ninfrastructures are owned by the private sector, the Federal Government \nowns and operates key facilities that use control systems, including \noil, gas, water, electricity, and nuclear facilities. In the electric \npower industry, control systems can be used to manage and control the \ngeneration, transmission, and distribution of electric power. 
For \nexample, control systems can open and close circuit breakers and set \nthresholds for preventive shutdowns.\n    Critical infrastructure control systems face increasing risks due \nto cyber threats, system vulnerabilities, and the potential impact of \nattacks as demonstrated by reported incidents.\\5\\ Control systems are \nmore vulnerable to cyber threats and unintended incidents now than in \nthe past for several reasons, including their increasing \nstandardization and connectivity to other systems and the Internet. For \nexample, in August 2006, two circulation pumps at Unit 3 of the Browns \nFerry, Alabama, nuclear power plant operated by TVA failed, forcing the \nunit to be shut down manually. The failure of the pumps was traced to \nan unintended incident involving excessive traffic on the control \nsystem's network.\n---------------------------------------------------------------------------\n    \\5\\ See GAO, Critical Infrastructure Protection: Multiple Efforts \nto Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-\n1036 (Washington, D.C.: Sept. 10, 2007).\n---------------------------------------------------------------------------\n    To address this increasing threat to control systems governing \ncritical infrastructures, both Federal and private organizations have \nbegun efforts to develop requirements, guidance, and best practices for \nsecuring those systems. For example, FISMA outlines a comprehensive \nrisk-based approach to securing Federal information systems, which \ninclude control systems. Federal organizations, including the National \nInstitute of Standards and Technology (NIST), the Federal Energy \nRegulatory Commission (FERC), and the Nuclear Regulatory Commission \n(NRC), have used a risk-based approach to develop guidance and \nstandards to secure control systems. 
NIST guidance has been developed \nthat currently applies to Federal agencies; however, much of the \nguidance and standards developed by FERC and NRC has not yet been \nfinalized. Once implemented, FERC and NRC standards will apply to both \npublic and private organizations that operate covered critical \ninfrastructures.\nTVA Provides Power to the Southeastern United States\n    The TVA is a Federal corporation and the Nation's largest public \npower company. TVA's power service area includes almost all of \nTennessee and parts of Mississippi, Kentucky, Alabama, Georgia, North \nCarolina, and Virginia. It operates 11 coal-fired fossil plants, 8 \ncombustion turbine plants, 3 nuclear plants, and a hydroelectric system \nthat includes 29 hydroelectric dams and one pumped storage facility.\\6\\ \nTVA also owns and operates one of the largest transmission systems in \nNorth America.\n---------------------------------------------------------------------------\n    \\6\\ A pumped-storage plant uses two reservoirs, with one located at \na much higher elevation than the other. During periods of low demand \nfor electricity, such as nights and weekends, energy is stored by \nreversing the turbines and pumping water from the lower to the upper \nreservoir. The stored water can later be released to turn the turbines \nand generate electricity as it flows back into the lower reservoir.\n---------------------------------------------------------------------------\n    Control systems are essential to TVA's operation because it uses \nthem to both generate and deliver power. To generate power, control \nsystems are used within power plants to open and close valves, control \nequipment, monitor sensors, and ensure the safe and efficient operation \nof a generating unit. Many control systems networks connect with other \nagency networks to transmit system status information. 
To deliver \npower, TVA monitors the status of its own and surrounding transmission \nfacilities from two operations centers.\n tva had not fully implemented appropriate controls to protect control \n                    systems from unauthorized access\n    TVA had not fully implemented appropriate security practices to \nsecure the networks on which its control systems rely. Specifically, \nthe interconnected corporate and control systems networks at certain \nfacilities that we reviewed did not have sufficient information \nsecurity safeguards in place to adequately protect control systems. In \naddition, TVA did not always implement controls adequate to restrict \nphysical access to control system areas and to protect these systems--\nand their operators--from fire damage or other hazards. As a result, \nTVA control systems were at increased risk of unauthorized \nmodification or disruption by both internal and external threats.\nWeaknesses in TVA's Corporate Network Controls Placed Network Devices \n        at Risk\n    Multiple weaknesses within the TVA corporate network left it \nvulnerable to potential compromise of the confidentiality, integrity, \nand availability of network devices and the information transmitted by \nthe network. 
For example:\n  <bullet> Almost all of the workstations and servers that we examined \n        on the corporate network lacked key security patches or had \n        inadequate security settings.\n  <bullet> TVA had not effectively configured host firewall controls on \n        laptop computers we reviewed, and one remote access system that \n        we reviewed had not been securely configured.\n  <bullet> Network services had been configured across lower- and \n        higher-security network segments, which could allow a malicious \n        user to gain access to sensitive systems or modify or disrupt \n        network traffic.\n  <bullet> TVA's ability to use its intrusion detection system \\7\\ to \n        effectively monitor its network was limited.\n---------------------------------------------------------------------------\n    \\7\\ An intrusion detection system detects inappropriate, incorrect, \nor anomalous activity that is aimed at disrupting the confidentiality, \navailability, or integrity of a protected network and its computer \nsystems.\n---------------------------------------------------------------------------\nWeaknesses in TVA Control Systems Networks Jeopardized the Security of \n        its Control Systems\n    The access controls implemented by TVA did not adequately secure \nits control systems networks and devices, leaving the control systems \nvulnerable to disruption by unauthorized individuals. For example:\n  <bullet> TVA had implemented firewalls to segment control systems \n        networks from the corporate network. However, the configuration \n        of certain firewalls limited their effectiveness.\n  <bullet> The agency did not have effective passwords or other \n        equivalent documented controls to restrict access to the \n        control systems we reviewed. 
According to agency officials, \n        passwords were not always technologically possible to \n        implement, but in the cases we reviewed there were no \n        documented compensating controls.\n  <bullet> TVA had not installed current versions of patches for key \n        applications on computers on control systems networks. In \n        addition, the agencywide policy for patch management did not \n        apply to individual plant-level control systems.\n  <bullet> Although TVA had implemented antivirus software on its \n        transmission control systems network, it had not consistently \n        implemented antivirus software on other control systems we \n        reviewed.\nPhysical Security Did Not Sufficiently Protect Sensitive Control \n        Systems\n    TVA had not consistently implemented physical security controls at \nseveral facilities that we reviewed. For example:\n  <bullet> Live network jacks connected to TVA's internal network at \n        certain facilities we reviewed had not been adequately secured \n        from unauthorized access.\n  <bullet> At one facility, sufficient emergency lighting was not \n        available, a server room had no smoke detectors, and a control \n        room contained a kitchen (a potential fire and water hazard).\n  <bullet> The agency had not always ensured that access to sensitive \n        computing and industrial control systems resources had been \n        granted to only those who needed it to perform their jobs. At \n        one facility, about 75 percent of facility badgeholders had \n        access to a plant computer room, although the vast majority of \n        these individuals did not need access. Officials stated that \n        all of those with access had been through the required \n        background investigation and training process. 
Nevertheless, an \n        underlying principle for secure computer systems and data is \n        that users should be granted only those access rights and \n        permissions needed to perform their official duties.\n     information security management program was not consistently \n            implemented across tva's critical infrastructure\n    An underlying reason for TVA's information security control \nweaknesses was that it had not consistently implemented significant \nelements of its information security program, such as: documenting a \ncomplete inventory of systems; assessing risk of all systems \nidentified; developing, documenting, and implementing information \nsecurity policies and procedures; and documenting plans for security of \ncontrol systems as well as for remedial actions to mitigate known \nvulnerabilities. As a result of not fully developing and implementing \nthese elements of its information security program, TVA had limited \nassurance that its control systems were adequately protected from \ndisruption or compromise from intentional attack or unintentional \nincident.\nTVA's Inventory of Systems Did Not Include Many Control Systems\n    TVA's inventory of systems did not include all of its control \nsystems as required by agency policy. In its fiscal year 2007 FISMA \nsubmission, TVA included the transmission and the hydro automation \ncontrol systems in its inventory. However, the plant control systems at \nits nuclear and fossil facilities had not been included in the \ninventory. At the conclusion of our review, agency officials stated \nthey planned to develop a more complete and accurate system inventory \nby September 2008.\nTVA Had Not Assessed Risks to Its Control Systems\n    TVA had not completed categorizing risk levels or assessing the \nrisks to its control systems. 
FISMA mandates that agencies assess the \nrisk and magnitude of harm that could result from the unauthorized \naccess, use, disclosure, disruption, modification, or destruction of \ntheir information and information systems. However, while the agency \nhad categorized the transmission and hydro automation control systems \nas high-impact systems,\\8\\ its nuclear division and fossil business \nunit, which includes its coal and combustion turbine facilities, had \nnot assigned risk levels to its control systems. TVA had also not \ncompleted risk assessments for the control systems at its \nhydroelectric, nuclear, coal, and combustion turbine facilities. \nAccording to TVA officials, the agency plans to complete the \nhydroelectric and nuclear control systems risk assessments by June 2008 \nand they plan to complete the security categorization of remaining \ncontrol systems throughout TVA by September 2008, except for fossil \nsystems, for which no date has been set.\n---------------------------------------------------------------------------\n    \\8\\ Federal Information Processing Standard 199 provides criteria \nfor categorizing risk to systems as high, moderate, or low.\n---------------------------------------------------------------------------\nInconsistent Application of TVA's Policies and Procedures Contributed \n        to Program Weaknesses\n    Several shortfalls in the development, documentation, and \nimplementation of TVA's information security policies contributed to \nmany of the inadequacies in TVA's security practices. 
For example:\n  <bullet> TVA had not consistently applied agencywide information \n        security policies to its control systems, and TVA business unit \n        security policies were not always consistent with agencywide \n        information security policies.\n  <bullet> Cyber security responsibilities for interfaces between TVA's \n        transmission control system and its hydroelectric and fossil \n        generation units had not been documented.\n  <bullet> Physical security standards for control system sites had not \n        been finalized or were in draft form.\nPatch Management Weaknesses Left TVA's Control Systems Vulnerable\n    Weaknesses in TVA's patch management process hampered the efforts \nof TVA personnel to identify, prioritize, and install critical software \nsecurity patches to TVA systems in a timely manner. For a 15-month \nperiod, TVA documented its analysis of 351 reported vulnerabilities, \nwhile NIST's National Vulnerability Database \\9\\ reported about 2,000 \nvulnerabilities rated as high or medium risk for the types of systems \nin operation at TVA for the same time period. In addition, upon release \nof a patch by the software vendor, the agency had difficulty in \ndetermining the patch's applicability to the software applications in \nuse at the agency because it did not have a mechanism in place to \nprovide timely access to software version and configuration information \nfor the applications. Furthermore, TVA's written guidance on patch \nmanagement provided only limited guidance on how to prioritize \nvulnerabilities. The guidance did not refer to the criticality of IT \nresources or specify situations in which it was acceptable to upgrade \nor downgrade a vulnerability's priority from that given by its vendors \nor third-party patch tracking services. 
For example, agency staff had \nreduced the priority of three vulnerabilities identified as critical or \nimportant by the vendor or a patch tracking service and did not provide \nsufficient documentation of the basis for this decision. As a result, \npatches that were identified as critical were not applied in a timely \nmanner; in some cases, a patch was applied more than 6 months past TVA \ndeadlines for installation.\n---------------------------------------------------------------------------\n    \\9\\ The National Vulnerability Database is the U.S. government \nrepository of standards-based vulnerability management data. This data \nenables automation of vulnerability management, security measurement, \nand compliance.\n---------------------------------------------------------------------------\nTVA Had Not Developed System Security and Remedial Action Plans for All \n        Control Systems\n    TVA had not developed system security or remedial action plans for \nall control systems as required under Federal law and guidance. \nSecurity plans document the system environment and the security \ncontrols selected by the agency to adequately protect the system. \nRemedial action plans document and track activities to implement \nmissing controls such as missing system security plans and other \ncorrective actions necessary to mitigate vulnerabilities in the system. \nAlthough TVA had developed system security and remedial action plans \nfor its transmission control system, it had not done so for control \nsystems at the hydroelectric, nuclear, or fossil facilities. According \nto agency officials, TVA plans to develop a system security plan for \nits hydroelectric automation and nuclear control systems by June 2008, \nbut no timeframe has been set to complete development of a security \nplan for control systems at fossil facilities. 
Until the agency \ndocuments security plans and implements a remediation process for all \ncontrol systems, it will not have assurance that the proper controls \nwill be applied to secure control systems or that known vulnerabilities \nwill be properly mitigated.\n    opportunities exist to improve security of tva's control systems\n    Numerous opportunities exist for TVA to improve the security of its \ncontrol systems. Specifically, strengthening logical access controls \nover agency networks can better protect the confidentiality, integrity, \nand availability of control systems from compromise by unauthorized \nindividuals. In addition, fortifying physical access controls at its \nfacilities can limit entry to TVA restricted areas to only authorized \npersonnel, and enhancing environmental safeguards can mitigate losses \ndue to fire or other hazards. Further, establishing an effective \ninformation security program can provide TVA with a solid foundation \nfor ensuring the adequate protection of its control systems.\n    Because of the interconnectivity between TVA's corporate network \nand certain control systems networks, we recommend that TVA implement \neffective patch management practices, securely configure its remote \naccess system, and appropriately segregate specific network services. \nWe also recommend that the agency take steps to improve the security of \nits control systems networks, such as implementing strong passwords or \nequivalent authentication mechanisms, implementing antivirus software, \nrestricting firewall configuration settings, and implementing \nequivalent compensating controls when such steps cannot be taken.\n    To prevent unauthorized physical access to restricted areas \nsurrounding TVA's control systems, we recommend that the agency take \nsteps to toughen barriers at points of entry to these facilities. 
In \naddition, to protect TVA's control systems operators and equipment from \nfire damage or other hazards, we also recommend that the agency improve \nenvironmental controls by enhancing fire suppression capabilities and \nphysically separating cooking areas from system equipment areas.\n    Finally, to improve the ability of TVA's information security \nprogram to effectively secure its control systems, we are recommending \nthat the agency improve its configuration management process and \nenhance its patch management policy. We also recommend that TVA \ncomplete a comprehensive system inventory that identifies all control \nsystems, perform risk assessments and security risk categorization of \nthese systems, and document system security and remedial action plans \nfor these systems. Further, we recommend improvements to agency \ninformation security policies.\n    In commenting on drafts of our reports, TVA concurred with all of \nour recommendations regarding its information security program and the \nmajority of our recommendations regarding specific information security \nweaknesses. The agency agreed on the importance of protecting critical \ninfrastructures and stated that it has taken several actions to \nstrengthen information security for control systems, such as \ncentralizing responsibility for cyber security within the agency. It \nalso provided information on steps the agency was taking to implement \ncertain GAO recommendations.\n    In summary, TVA's power generation and transmission critical \ninfrastructures are important to the economy of the southeastern United \nStates and the safety, security, and welfare of millions of people. \nControl systems are essential to the operation of these \ninfrastructures; however, multiple information security weaknesses \nexist in both the agency's corporate network and individual control \nsystems networks and devices. 
An underlying cause for these weaknesses \nis that the agency had not consistently implemented its information \nsecurity program throughout the agency. If TVA does not take sufficient \nsteps to secure its control systems and implement an information \nsecurity program, it risks not being able to respond properly to a \nmajor disruption that is the result of an intended or unintended cyber \nincident.\n    Mr. Chairman, this concludes our statement. We would be happy to \nanswer questions at this time.\n\n    Mr. Langevin. Thank you, Mr. Wilshusen.\n    The Chair now recognizes Mr. McCollum to summarize your \nstatement for 5 minutes. Welcome.\n\nSTATEMENT OF WILLIAM R. McCOLLUM, JR., CHIEF OPERATING OFFICER, \n  TENNESSEE VALLEY AUTHORITY (TVA), ACCOMPANIED BY JOHN LONG, \n               CHIEF ADMINISTRATIVE OFFICER, TVA\n\n    Mr. McCollum. Good afternoon, Chairman Langevin, Ranking \nMember Ms. Brown-Waite and members of the subcommittee.\n    I am Bill McCollum, Chief Operating Officer of the \nTennessee Valley Authority. I am accompanied today by TVA's \nChief Administrative Officer, John Long.\n    I appreciate this opportunity to appear before you to \ndiscuss the Government Accountability Office report on the \nsecurity of the computer networks and control system used in \nTVA's operations.\n    As TVA's Chief Operating Officer, I am responsible for the \nsafe and reliable operation of the TVA power system which \ngenerates and distributes electricity for a region of the \nsoutheast which covers the State of Tennessee and adjacent \nparts of six neighboring States. All of our operations are \nfinanced by revenues from the sale of electricity. TVA does not \nreceive any annual congressional appropriations.\n    I am also pleased to note that earlier this week we \nobserved the 75th anniversary of the TVA. As we have for 75 \nyears, we remain focused on carrying out our three-part mission \nin energy, economic development and environmental stewardship. 
\nEach part of this mission has contributed significantly to the \nprogress of our 80,000-square-mile service region.\n    In performing our mission, the safety of our employees and \nthe public is paramount in all of our operations, including \nspecialized security requirements to protect the computerized \ncontrol systems involved in the generation and transmission of \nelectricity.\n    On behalf of TVA, we appreciate the substantial time and \nresources that the GAO allotted to examining and evaluating our \ncomputer security. As you know, the report made public today \nlisted 19 recommendations for improving the security of our \ncomputer systems. We concur with all of these recommendations, \nand we have either completed or are aggressively moving to \nimplement remedial actions for all 19.\n    It is important to note that TVA was already in the process \nof addressing 17 of the 19 recommendation areas when GAO's \nfield work began at TVA last October. We also initiated several \nactions to address other aspects of our security while the \nfield team was conducting its evaluation. These actions were \nthe result of ongoing assessments by TVA staff and the \nindependent TVA office of the Inspector General, which had \ninitiated planning for an audit of our information technology \nsecurity by Science Applications International Corporation. \nGAO's work has been very helpful in affirming and focusing the \nneed for these and other measures that we are taking.\n    Some of the security issues identified by the GAO report \ninvolved instances that have been addressed by the \ncentralization of our cybersecurity policy, its administration \nand its oversight activities into a corporate-level \norganization. 
The centralization of this responsibility was \ncompleted in February, which now gives TVA a uniform security \nset of procedures to be followed by all its organizations and \ncovers all control systems.\n    In conjunction with our implementation of additional \nmeasures to strengthen our defense-in-depth security posture, \nwe commissioned a third-party consultant to perform penetration \ntesting of our infrastructure to identify any immediate \nweaknesses. Testing involved both informed and uninformed \ncircumstances in which the third party made attempts to \npenetrate our networks. We are pleased to note that the \nconsultant's team was unable to gain access to any of the \ntargeted process control networks in either type of test. While \nthe test failed to penetrate our control network security, the \nprocess identified several opportunities to further insulate \nand protect our security systems. We are now implementing those \nadditional measures.\n    In closing, the TVA fully understands that it has a solemn \nresponsibility to ensure the safety and security of the systems \nthat are vital to our Nation's critical infrastructure, our \nregion and the Nation's economy and the health and safety of \nthe public. One of my responsibilities is ensuring that we \nembrace safety as a value in all aspects of our operations to \nprotect the health and well-being of our work force and the \npublic. We are moving as quickly as possible to complete \nremedial measures for all 19 of the GAO's recommendations, \nalong with other steps that have been identified to elevate \nevery level of our security and computer network security.\n    As a Federal entity, we are cognizant of our special \nresponsibility to provide leadership in this important aspect \nof our electric system operations. 
We assure the subcommittee \nand the public at large that TVA is committed to ensuring that \nthe infrastructure entrusted to our responsibility meets or \nexceeds the best accepted practices in government and in the \nelectric utility industry.\n    Thank you for this opportunity to provide our perspectives \nand experiences as you continue this subcommittee's important \nwork in assessing the adequacy of security measures within the \nNation's critical electric power infrastructure.\n    [The statement of Mr. McCollum follows:]\n             Prepared Statement of William R. McCollum, Jr.\n                              May 21, 2008\n    Good afternoon Chairman Langevin, Ranking Member McCaul, and \nMembers of the subcommittee. I am Bill McCollum, Chief Operating \nOfficer of the Tennessee Valley Authority (TVA). I am accompanied today \nby TVA's Chief Administrative Officer, John Long.\n    I appreciate this opportunity to appear before you to discuss the \nGovernment Accountability Office (GAO) report on the security of the \ncomputer networks and control systems used in TVA's operations.\n    As TVA's Chief Operating Officer, I am responsible for the safe and \nreliable operation of the TVA power system, which generates and \ndistributes electricity for a region of the Southeast which covers \nTennessee and adjacent parts of six neighboring States. All of our \noperations--the generation and distribution of electricity and our \nstewardship of the Nation's fifth largest river system and economic \ndevelopment work--are financed by revenue from the sale of electricity. \nTVA does not receive any annual congressional appropriations.\n    I am pleased to note that earlier this week we observed the 75th \nAnniversary of TVA in Muscle Shoals, Alabama. As we have for 75 years, \nwe remain focused on carrying out our historic three-part mission in \nenergy, economic development and environmental stewardship. 
Each part \nof our mission has contributed significantly to the progress of our \n80,000-square-mile service region, which is centered on the watershed \nof the Tennessee River.\n    In performing our mission, the safety of our employees and the \npublic is paramount in all of our operations, including the specialized \nsecurity requirements to protect the computerized control systems \ninvolved in the generation and transmission of electricity.\n    On behalf of TVA, we appreciate the substantial time and resources \nthat the GAO allotted to examining and evaluating our computer \nsecurity. As you know, the report made public today by the GAO listed \n19 recommendations for improving the security of our computer systems. \nWe concur with all of those recommendations, and we have either \ncompleted or are aggressively moving to implement remedial actions for \nall 19.\n    It is important to note that TVA was already in the process of \naddressing 17 of the 19 recommendation areas when GAO's field work \nbegan at TVA last October. We also initiated several actions to address \nother aspects of our security while the field team was conducting its \nevaluation. These actions were the result of on-going assessments by \nTVA staff and the independent TVA Office of Inspector General, which \nhad initiated planning for an audit of our Information Technology \nSecurity by Science Applications International Corporation. GAO's work \nhas been very helpful in affirming and focusing the need for these and \nother measures that we are taking.\n    Some of the security issues identified by the GAO report involved \ninstances that have been addressed by the centralization of our cyber \nsecurity policy, its administration and its oversight activities into a \ncorporate-level organization. 
The centralization of this responsibility \nwas completed in February, which now gives TVA uniform security \nprocedures to be followed by all of its organizations and covers all \ncontrol systems.\n    In conjunction with our implementation of additional measures to \nstrengthen our defense-in-depth security posture, we commissioned a \nthird-party consultant to perform penetration testing of our \ninfrastructure to identify any immediate weaknesses. The testing \ninvolved both ``informed'' and ``uninformed'' circumstances in which \nthis third party made attempts to penetrate our networks. We are \npleased to note that the consultant's team was unable to gain access to \nany of the targeted Process Control Networks in either type of test. \nWhile the tests failed to penetrate our control network security, the \nprocess identified several opportunities to further insulate and \nprotect the security of our systems. We are now implementing those \nadditional measures.\n    In closing, TVA fully understands that it has a solemn \nresponsibility to ensure the safety and security of systems that are \nvital to the Nation's critical infrastructure, our region and Nation's \neconomy, and the health and safety of the public. As the Chief \nOperating Officer, one of my responsibilities is ensuring that we \nembrace safety as a value in all aspects of our operations to protect \nthe health and well-being of our work force and the public. We are \nmoving as quickly as possible to complete remedial measures for all 19 \nof GAO's recommendations, along with other steps we have identified, to \nelevate every level of our computer and network security.\n    As a Federal entity, we are cognizant of our special responsibility \nto provide leadership in this important aspect of electric system \noperations. 
We assure the subcommittee and the public at-large that TVA \nis committed to assuring that the infrastructure entrusted to our \nresponsibility meets or exceeds the best accepted practices in \ngovernment and in the electric utility industry.\n    Thank you for this opportunity to provide our perspectives and \nexperiences as you continue the subcommittee's important work in \nassessing the adequacy of security measures within the Nation's \ncritical electric power infrastructure.\n\n    Mr. Langevin. Thank you, Mr. McCollum.\n    I want to thank the witnesses for their testimony.\n    I remind each member that he or she will have 5 minutes to \nquestion the panel, and I now recognize myself for questions.\n    Last October, this committee was told that 75 percent of \nthe transmission grid has either taken appropriate actions or \nis in the process of implementing those actions for Aurora. In \nNERC's testimony today, they suggest 94 percent of the short \nmidrange mitigation measures have been completed or in \nprogress. Yet, on the other hand, Chairman Kelliher is telling \nus in testimony that there is a broad range--there is a broad \nrange of compliance based only on individual interpretations of \nthe threat and the application of the recommended mitigation \nmeasures.\n    My question for the panel is, who is right? What are we--\nwhat do these varying assessments tell us about the industry's \nreadiness or ability to comply with the reliability standards?\n    Mr. Kelliher. I think both answers might be true and that \nwe are actually asking different questions. So we are coming to \nsomewhat different answers. We are conducting a subjective \nreview of some of the utility plans in response to the \nadvisory, whereas NERC is really asking a different question. \nSo I think, actually, both can be true at the same time.\n    Mr. Sergel. Chairman, there are three different sources for \nthat information. 
The first would have been done immediately \nafter our advisory last year. It involved going out and doing \ninterviews and gathering information with respect to the \nstatus. We did that at that time because we did not have in \nplace a data base to get the entirety of the users and owners \nand operators, and I know that was some source of confusion. \nFor that we apologize. The responsibility, to be clear, is ours \nand ours entirely; and we will do better the next time.\n    The second data that you refer to, the 94 percent, is from \na written survey that we sent out. It is the data that came \nback from it. But I will tell you that we recognized and the \nCommission recognized and took action that that type of survey \nwas limited, and we provided it to you with that knowledge.\n    I think the third that has been done and is ongoing is \nbeing done by the Commission. It is both the most recent, it is \nthe most comprehensive, and it is the one that is the best \ninformation at this point in time.\n    Mr. Langevin. I am surely troubled by the last time that \nNERC appeared before us; and, you know, at best, the answers \nthat were given were confusing. At worst, it was highly \nmisleading. I am glad to hear that you have worked to clarify \nsome of that today, but I hope never to hear that kind of \ntestimony or lead us to be misled ever in the future.\n    I mentioned in my opening statement that I have real doubts \nabout NERC's ability to regulate these new reliability \nstandards. From where I sit, I would say that NERC seems either \nnot to take their authority as the electric reliability office \nseriously--for instance, NERC was responsible for following up \nwith industry to see how they implemented the Aurora \nmitigation, but, according to FERC, the NERC survey was much \ntoo limited in scope to make a real determination about how far \nthe industry had come in mitigating the Aurora vulnerability. 
\nIt is hard to understand why the regulatory body responsible \nfor the security and the safety of the bulk power system would \ntake such a laissez faire approach to this critical issue.\n    Chairman Kelliher, based on your findings, do you think \nthat NERC will, in fact, be able to carry out its duty as the \nERO and how are you working with them to fix the shortcomings?\n    Mr. Sergel, given this first halfhearted effort to oversee \nthe industry, how does your organization plan on fulfilling its \nenforcement authority role and what specific lessons have you \nlearned and what structures are in place to address my \nconcerns?\n    Chairman Kelliher, please.\n    Mr. Kelliher. I think NERC is doing a job under a law that \nis very imperfect, particularly with regard to this kind of \nthreat. As I already said, there are two means to address to \ndefend the grid against cyber attacks. The only quick means is \nan advisory. It is purely voluntary. I think a voluntary by its \nnature is always going to produce inconsistent results.\n    That is what led Congress to legislate on reliability 2 1/2 \nyears ago. The industry historically has relied on voluntary \ncompliance with unenforceable standards. Congress ultimately \nconcluded--correctly, in my judgment--that that was \nfundamentally flawed, that you needed to have mandatory \nstandards.\n    Now, we can develop mandatory standards on cybersecurity, \nbut it takes time. It can take years. That is the dilemma that \nwe have right now. We have a threat just by whose nature \nrequires quick action and mandatory action, mandatory \ncompliance with that action. We actually have to choose one or \nthe other right now. We can choose quick action, where \ncompliance is purely voluntary, or we can go down the path of \nmandatory standards that can take years.\n    I think NERC realized there was a need for quick action in \nresponse to Aurora and took the only course that it had \navailable, an advisory. 
The results haven't been consistent, \nbut I actually think that is predictable and perhaps \nunavoidable.\n    Mr. Sergel. Mr. Chairman, again, the responsibility for \nbeing clear is entirely ours, and our failure to do that is \nnoted, and we intend to do better going forward.\n    With respect to lessons learned, talk about two things. The \nfirst is that we have put in a formal system of advising the \nindustry. That system has been approved by the Commission. It \ncomes in levels. We have--the first level is simply an \nadvisory. Then we have a second level, which is a \nrecommendation; and the third is an essential action. Each of \nthose we notify the Commission in advance and coordinate with \nthem before we issue it. We would coordinate with any other \nappropriate government agency if it was on a topic relative to \nthem.\n    We now have in place the list of 1,800 users, owners and \noperators to communicate with. They understand the system. They \nhave been notified in advance. They understand what an advisory \nis and a recommendation. We didn't have that before. So we are \nin a much better position going forward to communicate better \nand be more effective within the limited authority that we \nhave. It is limited.\n    Then, with respect to enforcement of these standards, we \nnow have a standard. We will enforce it. We have been very \nactive in the last few months. We have put out a guidance on \nwhat it means, the fact that it is effective beginning in July \nfor those for whom the voluntary standards were in place, and \nthey understood those. We will enforce the standard up to the \nparameters included in the law.\n    Mr. Langevin. In our last hearing, we discussed the \nstandards problem. NIST standards which apply to Federal \nentities are much more robust than the NERC standards which \napply to private entities. 
Unfortunately, publicly and \nprivately owned infrastructure on the grid are so \ninterconnected weak security controls in one utility can pose a \nharm to another utility that shares a connection.\n    My question is, Mr. McCollum, you are required to implement \nNIST, yet you are connected to folks who implement NERC; and \nare you concerned that a weakness on a NERC-compliant \ninfrastructure can affect your network?\n    Mr. McCollum. We are moving aggressively to be in \ncompliance and remain in compliance or exceed the requirements \nof all of those standards in terms of the security of our \ncritical infrastructure and networks. This is going to be an \nincreasing challenge going forward. As you noted in your \nopening testimony, the deployment of technology has resulted in \nincreased interconnectivity; and we are moving aggressively to \nstay ahead of this issue and skate to where the puck is going \nto be in the future in terms of implementing sufficient \ncontrols.\n    I believe that through a defense-in-depth posture and \ncompliance with all of these controls and protocols which meet \nor exceed these standards, we will provide adequate protection \nfor all of the critical infrastructure.\n    Mr. Langevin. Finally, Mr. Sergel, could you please tell us \nwhat steps are being taken to transition the NERC reliability \nstandards toward NIST and why should the scope of CIP-002 be \nchanged to include all equipment that is electronically \nconnected?\n    Mr. Sergel. Let me deal with the second part of that first, \nwhich is that standard two requires that the users, owners and \noperators identify the critical assets that they have on the \nsystem and then those become the ones that are then accountable \nto the remaining standards.\n    The identification of critical assets is a requirement, and \nI want to begin with that. It is often you hear that, well, \nthat means someone can just not identify any and they are in \ncompliance. 
Doesn't meet my test of what it means to identify \nyour critical assets. So the identification of critical assets \nis one in which we expect the list to be inclusive of all those \nthat are, in fact, critical.\n    So going to the question of, well, why then didn't we just \nstart with all assets, I think the answer to that is there are \nso many in the industry at this point in time, the challenge is \nso great, that we believe that the priority is to start with \nthose that are critical, identify those, and move forward. We \nwill continuously evaluate the standard and continuously \nevaluate whether more is required; and if it is, we will do \nthat. But it is a matter of prioritization.\n    Mr. Langevin. But specifically to NIST, do you see that as \nthe--do you recognize that, as most of us do, as being the gold \nstandard of standards and are you--tell me about your \ntransition efforts.\n    Mr. Sergel. Well, we have a process in place--it has been \ndone already--to review and propose new standards that will \nincorporate any of the NIST requirements that are appropriate \nto real-time power system operating systems.\n    We have been directed to do that by the Commission, and we \nwill do that. We have begun that work. We, in fact, have \naccelerated it by a year. So what you are looking for is now \npart of our work plan, but, beyond that, it has been directed \nto us that it be done by the Commission.\n    Mr. Langevin. Thank you, and as far as I am concerned the \nsooner the better.\n    With that, at this time I would yield to the ranking \nmember, but he has asked me to yield to the gentlelady from \nFlorida, first, Ms. Ginny Brown-Waite, which I will do at this \ntime, to pose some questions.\n    Ms. Brown-Waite. Thank you very much, Mr. Chairman.\n    Actually, I am following up on the questions of the \nchairman.\n    There was an article in today's Washington Post. 
Now \neveryone up here knows and we regularly tell our constituents \ndon't believe everything you read in the paper, but let me just \nkind of summarize something that should be of concern.\n    It says, security experts, however, contend that existing \nNERC standards contain loopholes and don't adequately protect \ncritical power systems. For example, telecommunication \nequipment is excluded, even though there are documented cases \nof computer worms shutting off service from control systems to \nsubstations.\n    It goes on to say, you have got a whole bunch of utilities \nwho claim they have no critical cyber assets, which means they \ndon't have to do anything else to secure their current cyber \nsystem.\n    The person also went on to say, we have some very big \nelectric utilities who claim they just have 10 cyber assets, \nwhen most companies have more critical relays like that in a \nsingle substation.\n    Mr. Sergel, if you could respond to that, and perhaps Mr. \nKelliher.\n    Mr. Sergel. That is a specific statement on the issue I \njust mentioned before, and it is an interpretation of the \nstandard which requires that they identify their critical \nassets, and it implies that someone can merely say I don't have \nany and now they don't have to comply with the standards, all \nof the other standards.\n    As of July 1, for the most important parts of that industry \nand all those that have been subject to the voluntary standards \nin the past, they will have a requirement to have identified \nthe critical assets. I can assure you if they have critical \nassets and put down zero that we will begin to evaluate whether \nthey are in compliance with that standard, and their audit \nwould identify that.\n    So I believe that there is not a weakness in these \nstandards with respect to the notion that the identification of \ncritical assets simply leaves it to them to decide they don't \nhave any. 
I just disagree with that.\n    The second issue is that we at NERC by statute are limited \nto the bulk power system. Now to the extent that those \ntelecommunications providers are part of the protection \nmechanisms that they are relying on to meet the standards, then \nwe have some reach for those. But I can't understand why \nsomeone would say you have not gone far enough. There are \ntelecommunications issues you should direct.\n    Those are beyond the scope of the law that we have. We are \nrestricted to the users, owners and operators of the bulk power \nsystem. We do not have any jurisdiction to require a \ntelecommunications company to make a change, for example, or to \nset a standard for them.\n    Ms. Brown-Waite. Mr. Kelliher, do you think that \ntelecommunications should be included?\n    Mr. Kelliher. The SCADA systems are so interrelated that it \nis hard to draw a line if you were to--FERC only has the \nauthority that the Congress gave us. We have the authority to \noversee reliability of the bulk power system. That is a defined \nterm, and it typically does not extend into the telecom \nindustry.\n    I do, though, with respect to the issue about critical \nfacilities, I think the industry is doing a faithful job \nimplementing and respecting reliability standards. I don't see \nwidespread noncompliance in that kind of approach. But we don't \nnecessarily accept the representation of a company. If the \ncompany were to come in and say we have zero critical \nfacilities, we don't have to accept that representation.\n    Ms. Brown-Waite. I have one more question for Mr. Sergel; \nand that is, could you share with the committee some examples \nof when an expedited process has been used in an urgent \nsituation?\n    Mr. Sergel. Probably the best example is the original \nestablishment of the cyber standards. Now this is before my \ntime as the CEO, so it is difficult for me to answer that. 
But \nthe cyber ones were put in under a process of moving, of \nexpediting the schedule.\n    We have three levels of speed at which we operate. The \nfirst is the normal speed, and typically in that category we \nare operating in an environment in which all of the information \nis well-known, and it is a significant process of bringing \ntogether the technical talent to evaluate the standards so \nthere is no horizons of time. We can expedite it, which means \nit is important enough that we ought to do it more quickly; and \nthere are rules, procedure that do that. Then we can also \nestablish it in an emergency period of time. So we can speed up \nthe time that we can create a standard.\n    But what we can't do is we can't speed it up and not have \nit be a public process; and that is why the chairman is here \nasking for additional authority, I believe, more fundamentally \nthan the time. Because we can act quickly, but we can't act \nquickly and confidentially. Everything we do has to be posted \nin an opportunity for notice and evaluation and comment. We can \nask people to do that very quickly, right, but we can't do that \nquickly and confidentially simultaneously, and therefore I see \nthat as a significant reason why they are asking for additional \nauthority.\n    Ms. Brown-Waite. Thank you very much; and, with that, I \nyield back the balance of my time.\n    Mr. Langevin. I thank the gentlelady for her very \ninsightful questions. I think that it raises a lot of questions \nin my mind and poses some challenges, given the fact of how \ninterrelated SCADA--it really is and how do we, in fact, tie in \nthe regulation of telecom in this area. It is going to pose a \nchallenge for us.\n    With that, the Chair now recognizes the gentleman from \nTexas, Mr. Green, for 5 minutes.\n    Mr. Green. Thank you, Mr. Chairman.\n    Mr. Wilshusen, is that correct?\n    Mr. Wilshusen. Yes.\n    Mr. Green. 
You mentioned a total, I believe, of 92 \nrecommendations that were made to TVA, is that correct?\n    Mr. Wilshusen. That's correct.\n    Mr. Green. And the representative from TVA, I think you \nresponded to 19 of the 92.\n    Mr. Wilshusen. Yes. The difference is because we are \nissuing two reports to them, one that is publicly available, \nand that report has 19 recommendations in it. We are also \nissuing a limited official-use-only report which contains more \ndetails and specifics about the individual findings that we \nidentified, and in that report we are making 73 \nrecommendations.\n    Mr. Green. My assumption is that you believe that all 92 of \nthem should be addressed.\n    Mr. Wilshusen. Yes, sir.\n    Mr. Green. Okay, so let me go over to Mr. McCollum. Is that \ncorrect, sir?\n    Mr. McCollum. That's correct.\n    Mr. Green. Mr. McCollum, if there is something about this \nthat you can't say publicly, I understand, but you addressed \nonly 19 of the 92?\n    Mr. McCollum. In my opening statement, I referred to the 19 \nrecommendations in the public report. However, we have \nresponded to and are addressing or have already addressed all \nof the recommendations in both of those reports that were just \nreferred to.\n    Mr. Green. Could you kindly define ``addressed'', please? \n``Addressed'' could simply mean that you looked at it and you \ndecided that it was something that you will get around to, or \nit could mean that you completely corrected the situation. \nThere are 73 recommendations concerning specific information \nsecurity weaknesses that should be corrected. So how do you \naddress them?\n    Mr. McCollum. We have an action plan in place. A number of \nthose recommendation actions have already been closed on those \nto complete the actions necessary to remediate those \nrecommendations. We have others in progress that will be \ncomplete shortly. 
By the end of this fiscal year and calendar \nyear, we will have completed a majority of the actions.\n    Some of the recommendations address items in the standards \nthat relate to longer-term assessments and documentation and \nother actions that will take a little longer. But we have an \naction plan in place to address and remediate all of those \nrecommendations on a priority basis, as noted in some of the \nearlier testimony in responses to questions. It is important \nthat we address those most important----\n    Mr. Green. If I may, let me go back to Mr. Wilshusen.\n    Sir, have you had an opportunity to see the proposed action \nplan?\n    Mr. Wilshusen. Not the specific action plans. We have \nreceived responses from TVA that they made in response to our \nreport, which is included in our reports. But as a matter of \nGAO policies and, of course, the government auditing standards \nwe will go back later to verify the corrective actions that TVA \nhas taken or will take on these actions on our recommendations.\n    Mr. Green. Are these actions that should be taken with the \nnext 10 years?\n    Mr. Wilshusen. I would hope so. I think many of them should \nbe taken immediately. As Mr. McCollum indicated some already \nhave been taken and they have been completed actions on some of \nthem already.\n    Mr. Green. Should they all be finished within the next 10 \nyears?\n    Mr. Wilshusen. I would think so, yes.\n    Mr. Green. Should they be finished within the next 5 years? \nWithin the next 3 years?\n    Mr. Wilshusen. Probably so, the recommendations we are \nmaking.\n    Mr. Green. Will you, in continuing your audit, provide \ninformation as to how the action plan is progressing? Is that \ninformation that we can receive?\n    Mr. Wilshusen. We can certainly work with your staff to \nprovide that information, yes.\n    Mr. Green. Those things that should be done immediately, I \nassume will make them priority No. 1. I assume that they are \npriority No. 
1 for a reason. Are you finding that any of these \npriority No. 1 items are not being addressed what we will call \ntimely?\n    Mr. Wilshusen. At this point, we have not gone back to \nverify the actions taken by TVA on our recommendations. So I \ncan't comment as to whether or not the actions have been \ncompleted. All we have at this point are assertions by TVA that \nthey have taken action or plan to take actions.\n    Mr. Green. I have about 8 seconds. How long do you think it \nwill take you to verify what has been indicated has been done \ncurrently?\n    Mr. Wilshusen. It would not take us too long if we were to \ngo out and conduct our tests.\n    Mr. Green. It is not too long, 2 weeks; or is it 2 months?\n    Mr. Wilshusen. It could be 2 weeks to do the work, but we \nwould not necessarily be able to go out in 2 weeks to do that, \ngiven our other workload and activities and commitments that we \nhave.\n    Mr. Green. Thank you.\n    I yield back, Mr. Chairman.\n    Mr. Langevin. I thank the gentleman.\n    The chairman now recognizes the ranking member, the \ngentleman from Texas, Mr. McCaul, for 5 minutes.\n    Mr. McCaul. I thank the chairman.\n    This is really kind of a follow-up hearing to the hearing \nthat we had after the story of Aurora broke on national \ntelevision on CNN. We had had closed briefings on that, and it \nraised kind of a specter of what could happen if we had a cyber \nattack on our power grids. It revealed a major vulnerability in \nthis Nation to our security, the idea that the power grid could \nbe shut down by the use of intrusions through computer \nnetworks. Of course, everything is tied to computer networks. \nThis raises a broader specter.\n    I think the Commission that Chairman Langevin and I formed \nto study this issue hopefully will provide good recommendations \nfor the next administration.\n    But I have just a couple of questions. One is, in your \ndealings--and this is directed to Mr. Kelliher and Mr. Sergel. 
\nIn your dealings with the private sector, how serious do you \nthink they are really taking this threat, which so many of us \nin Congress believe is a serious threat to the not only \neconomic viability but security of this Nation?\n    Mr. Kelliher. I think they are taking it very seriously.\n    Mr. McCaul. Mr. Sergel.\n    Mr. Sergel. I believe they are taking it very seriously as \nwell.\n    I do believe that understanding the complexity of the \nthreat, you described one part of it, which is that somebody \ncould attack the grid itself. I think many of us are \nincreasingly concerned that the attack would come from the grid \nto a private facility, to a critical facility, which is an \nentirely different issue. I think for that reason, as we \nwrestle with the complexity of it, we often find that folks \nsay, well, I have taken care of it, and then learn that they \nhaven't. It is not they aren't working at it hard and taking it \nseriously, but, rather, it is because, as we dig deeper, we \nfind more. It doesn't make our concern go away. It makes our \nconcern go up.\n    Mr. McCaul. I appreciate that response.\n    Mr. Sergel, do you believe that you have enough authority \nto adequately address this issue in the private sector?\n    Mr. Sergel. So, at NERC, we are a not-for-profit. We are \ndesignated by the Federal Energy Regulatory Commission as the \nERO, subject to our application and subject to their continuing \njurisdiction. As such, we are limited to the bulk power system. \nWe do not have authority over distribution, so there is a \nlimitation there. We do not have authority over \ntelecommunications. There is a limitation there. The structure \nof the law and because we are not a government agency suggests \nthat we do everything publicly. We post for comment, and we \nevaluate it and then take action. 
So all of those are \nlimitations on what we can do.\n    What I can assure you is that we have a great challenge in \nthis area, but we will continue to do everything we can within \nthe jurisdiction that we do have, and that includes within the \nstandards. We will push as far as we can to get as much done on \nthe telecommunications side within the standard, and we will \npush as hard as we can to get as much of the bulk power system \ncovered and protected.\n    Mr. McCaul. Thank you.\n    My understanding is you have jurisdiction over the bulk \npower system, as you said.\n    With respect to telecom and oil and gas and banking and all \nof the other sectors in the private sector, that would be \nwithin the jurisdiction of the Department of Homeland Security?\n    Mr. Kelliher. And other agencies, yes.\n    Mr. McCaul. And other agencies.\n    What is your relationship with DHS? Do you have a good \nworking relationship with them?\n    Mr. Kelliher. Yes, it is a very cooperative relationship, \nin part because we realize we are not in the best position to \nassess the nature of a cyber threat, particularly if it is a \nthreat posed by a foreign country or an organized group. That \nis really the province of the national security or intelligence \nagency. So we think they are the ones best suited to identify \nthe threat, and we might be the best suited to actually act \nupon that threat.\n    Mr. McCaul. So they are in the best position to deal with \nthe nature of this type of threat.\n    Is the coordination positive and productive?\n    Mr. Kelliher. Yes, it has been very positive and \nproductive. I am tempted to say ``seamless,'' but there are \nprobably always some seams between government agencies.\n    Mr. McCaul. Mr. Sergel, do you have a response?\n    Mr. Sergel. We also have a very positive relationship with \nboth the Department of Homeland Services and the Department of \nEnergy.\n    Mr. McCaul. Okay.\n    I yield back. Thank you.\n    Mr. 
Langevin. I thank the ranking member.\n    I wanted to clarify something. You know, we are talking \nabout not the entire telecommunications industry; we are \ntalking about telecommunications equipment on the bulk power \nsystem. I think that that is an important distinction to be \nmade, and there has got to be a mechanism to allow for some \noversight or regulation in that area with respect to FERC and \nNERC, and we are going to explore those avenues with you. If it \nrequires involvement of other committees and jurisdictions, we \nwill involve them as well.\n    With that, Ms. Jackson Lee, a member of the full committee, \nhas asked to participate in the hearing. I ask unanimous \nconsent that she be allowed to participate.\n    Hearing none, Ms. Jackson Lee will be recognized for \nquestions after the members of the subcommittee are recognized.\n    We welcome you here to the participation, and we appreciate \nthe work that you are doing on your subcommittee with respect \nto infrastructure protection.\n    With that, the Chair now recognizes the gentleman from New \nJersey for 5 minutes, Mr. Pascrell.\n    Mr. Pascrell. Thank you, Mr. Chairman.\n    Mr. Chairman, this is an issue of compliance. We had the \nsame pushback from the chemical industry when we were deciding \nin a bipartisan fashion how we can protect the chemical \nindustry and, hence, protect our families because that is what \nit comes down to, homeland security. Knowing what the mission \nof this committee--this subcommittee--is, its having been \nformed from two previous committees, our mission is pretty \nclear, Mr. Chairman, as far as I am concerned. We are not the \nenemy, this committee. The enemy are those who wish to attack \nAmerica and to put our families in jeopardy.\n    So, Mr. Sergel, I have some questions to ask of you. I have \nto clarify something for the record. We are trying to figure \nout who has mitigated the Aurora vulnerability. 
We have gone
through all of the nomenclature--CIP, NERC, FERC, BPS, ERO. I
am frustrated because your organization has provided this
committee with so many conflicting and inaccurate statements
that I have to question how seriously NERC takes its
responsibility as the electric liability organization.
    I was here on October 17 last year when your colleague
David Whiteley testified before the subcommittee. The Chairman
asked Mr. Whiteley to describe the survey that your
organization claimed to have sent to the owners and the
operators of the grid. Mr. Whiteley stated for the record that
approximately 75 percent of the transmission grid either took
or was in the process of implementing mitigation. When asked if
these were anecdotal numbers, Mr. Whiteley told us that these
were hard numbers. After the hearing, we asked you to provide
us a copy of the survey.
    Mr. Chairman, this is exhibit A, electric sector
transmission owner-operators, generation owner-operators.
    This is what you submitted on October 19, 2007.
    I want to enter this into the record with your permission,
Mr. Chairman.
    Mr. Langevin. Without objection.
    [The information referred to follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Pascrell. That is what we got back. So I have a copy of
this survey, and it is dated October 19. It was 2 days, I
think, after the hearing. So you misled this committee back in
October by claiming that you sent a survey out and received
hard numbers back. That did not happen.
    Unfortunately, this was not the last time, Mr. Chairman,
that this committee was misled.
    When we got a copy of the survey back, we asked the staff
how you could have hard numbers at the hearing when you had not
sent the survey out yet. I think that is a pretty reasonable
question. The story changed. We were told that NERC received
detailed information about the industry's efforts during a
meeting in St. Louis back in September. Having been misled
once, the committee requested information from all of the
participants at that meeting. This is exhibit B.
    Exhibit B, which I have in my hand, Mr. Chairman, has
almost 20 response letters from the attendees at that meeting.
Each one of them was asked to provide a narrative of the
conversation they had with NERC, the North American Energy
Reliability Corporation, the organization which has the job of
endorsing the regulations. None of them claim to have discussed
these mitigation efforts with you. None of them.
    Mr. Chairman, I ask unanimous consent to enter these
letters into the record as well as exhibit B.
    Mr. Langevin. Without objection.
    [The information referred to follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Pascrell. So let us get to the bottom of this.
    I want you, the CEO of NERC, to clarify for all of us what
you have been doing since June 21 of last year when the initial
advisory went out. As you explain to us what happened, please
tell us in answers to these two following questions:
    Why did your company provide false and misleading
information to this committee?
    Second, if you did not send a survey out until 2 days after
the hearing and you did not talk to the folks at the St. Louis
meeting, which you claimed, where did you get the numbers that
you cited in October?
    Mr. Sergel. As I indicated to the subcommittee, first, the
responsibility for being clear is entirely ours, and we have
failed to do that. That is clear. Going forward, we will do
better. Let me take you back----
    Mr. Pascrell. Excuse me. This is not a question of doing
better. This is not a question of doing better. This is a
question of telling the truth as to the best of your knowledge
like any human being on the face of this Earth. We are all
fallible. Only God is perfect. But you and your company two
times told us fibs. Why?
    Mr. Sergel. In June, we sent out the initial advisory.
Between that time and the committee hearing, we conducted a
series of oral interviews. I will have to get to the bottom of
whether they took place in St. Louis or in other locations, but
I do believe that those interviews took place, but I will have
to go back and look at that.
    Mr. Pascrell. Mr. Sergel, you are the electrical
reliability organization for this country; is that not correct?
    Mr. Sergel. Yes, sir.
    Mr. Pascrell. In listening to your answer, how is this
committee supposed to believe that you are taking the job
seriously? FERC had to do a new survey because they thought
yours was inadequate. Do you think NERC is really ready to
carry out such duties?
    We are talking about, Mr. Chairman, life and death. We are
not talking about misplaced adverbs here. We are talking about
serious business as we were talking about serious business when
we looked at the chemical industry.
    We want to be friends. We want to be partners with the
electrical companies, with the utilities. We want to be
partners, but you are not going to sit there and waste my time
and tell me that we are doing the job that we were directed to
do. At the same time, you have no real answer for these two
documents that you sent us. What do you think we are, a bunch
of jerks?
    Now, let me tell you. I am from Paterson, New Jersey. It is
not the most perfect place in the world, but the one thing we
do not tolerate on the streets is people telling fibs. If I ask
you a question and you do not know what the answer is, fine.
That is fair. It is very fair.
    Mr. Chairman, considering what we already know about these
misleading statements, I think we should look into the
processes for holding the--let me get it straight, Mr.
Chairman--the North American Energy Reliability Corporation.
``Slowly I turn.'' Do you remember that one? ``Slowly I turn.''
I would like to look into the process for holding this
organization in contempt of this committee. I am serious about
this, Mr. Chairman. I was just as serious when we went after
truth in the chemical industry, and we should be just as
serious today because the American people deserve no less.
    Would you agree with me or disagree with me?
    Mr. Langevin. Well, I certainly agree with the gentleman. I
share his anger and frustration over not getting accurate
information.
I will certainly look into the gentleman's request
and recommendation about contempt.
    As I have made clear, I do not ever want to hear that kind
of testimony, that unclear or misleading testimony, before this
subcommittee or the full committee ever, ever again. When
someone does not know an answer, the proper response is, ``We
will take that for the record,'' or ``I am unsure,'' but not to
just, it seems, make up information or to present unclear
information as fact.
    I heard the gentleman, Mr. Sergel, in his testimony today
say that they will do better in the future. They have
acknowledged the mistake. Again, it does not change the fact
that there was unclear information that was presented as fact
to this committee. I will certainly look into the gentleman's
request.
    With that, the Chair now recognizes the gentleman from
North Carolina, Mr. Etheridge, for 5 minutes.
    Mr. Etheridge. Thank you, Mr. Chairman. Thank you for
holding this hearing today.
    Let me ask a question. All of us remember in 2003 when the
blackout covered much of northeastern United States. We have
been fortunate we have not had that in recent years, but that
blackout was from causes that are still not totally clear but
which seem to come to rest on the failure of three transmission
lines in Cleveland. We have pretty much come to that
realization.
    My question is, with utility uses and prices likely to hit
record peaks this year, we really cannot afford disruptions
that could create additional burdens on business, and all of us
know what happens if we lose power with all of the major
computer systems that we have. The interconnected nature of our
electric grid means that a single point of failure can cause a
cascading event that can be devastating, and that certainly
shows us what could happen.
    So my question is, how likely is it that a single cyber
attack on a controlled system could cause a massive disruption
of our electrical grid?
    Let me go ahead and get a couple more questions in the loop
so we will have it all out there.
    Second, how would you compare the cyber risks to the
electrical sector to other risks?
    Finally, are public utilities--this has been touched on a
little bit earlier. Are public utilities and private companies
taking this threat as seriously as they should before people
start paying attention to it? People always pay attention to it
when they have a problem. Then once the problem is over with,
they figure it is solved, and they move on to something else.
    It is in whatever order you want to take those three. How
likely is it to cause a massive disruption? No. 2, compare the
risks to the electrical sector to other risks. Then public-
private utilities in working together.
    Mr. Kelliher. There is some risk that you could be faced
with a large regional blackout like we saw in August 2003.
August 2003 really was, at least by one count, one of eight
large regional blackouts. It was the one that affected the most
number of people, but there were blackouts in the summer of
2002 and in the summer of 1996, and they really stretched back
to the 1960's. So that is always a risk.
    Now, the cyber risk, I am not sure we could qualitatively
say the consequence of a cyber attack would be greater than
other reliability risks, but the nature of it is very
different. It is a national security risk, a national security
threat. So the origin of threat is fundamentally different from
the other reliability threats. That is why we think at FERC we
need to have a different statutory tool, a different way to
guard against that specific risk. We do think current law is
adequate to address other reliability threats and that it
should not be amended. Section 215 of the Federal Power Act, I
do not think, should be amended.
    Mr. Etheridge. Let me interrupt you for a moment, please,
since you have raised that issue.
    What additional authority does FERC need in order to ensure
that the utilities and private companies do, in fact, take it
seriously and deal with it? That is what this committee is
really all about.
    Mr. Kelliher. On your third point, I do think utilities are
and utilities and others are taking reliability standards
seriously. They are making great efforts to comply, and they
are positively trying to comply. We do have enforcement
authorities. FERC has penalty authority that Congress gave us
just 2 1/2 years ago, and that allows us to impose penalties
of up to $1 million a day, and that applies to reliability
violations as well as others. So I think utilities are taking
it seriously currently, but we do think we need legislative
authority that, I think, would operate, roughly, in the
following way:
    If a national security or intelligence agency identifies a
threat, only then could FERC act to establish on its own an
interim reliability standard to guard against that national
security threat such as a cyber threat. That interim standard
would stay in place until the threat disappears or until a
permanent standard is developed under the 215 process. I view
that as a limited grant because I do not think it would be used
very often, and I think it recognizes that 215 is adequate to
deal with other reliability threats.
    Mr. Etheridge. Mr. Sergel and Mr. McCollum, how do you
think the industry should react to FERC's having this
additional authority?
    Mr. Sergel. I think there is a gap in what we can do. We
are limited to doing things in public. We are not confidential.
We are limited to the bulk power system. We cannot act quickly
enough in those kinds of circumstances, so there is clearly a
gap. I see the Commission as kind of our authorizing agency,
and therefore, they would be the appropriate ones, at least
with respect to NERC, to have that authority despite the fact
that we have a very good relationship with Homeland Security
and with the Department of Energy. We have a tighter
relationship with the FERC. I think there is a last part of
this, which is public policy, which is not kind of a NERC
responsibility to comment on.
    Mr. Etheridge. So I take that as supportive.
    Mr. Sergel. On the two things that we are responsible for,
on those two.
    Quickly, to your other question on kind of measuring this
risk to the others in the system, they are just fundamentally
different. You know, we spend a lot of time on trees and on
maintenance and on training and on all the kinds of things that
are essential to a reliable bulk power system. It is not the
same as someone attacking you, and as a consequence, it is just
fundamentally different, fundamentally different.
    Mr. McCollum. TVA is committed to the security of our
networks and control systems, and we have moved aggressively to
increase the security and to make those controls even more
robust, and we certainly will continue to move ahead to
strengthen our defense in depth on our networks to meet or to
exceed the requirements of any standards or authority that
Congress chooses to put in place.
    Mr. Etheridge. So that is an affirmative?
    Mr. McCollum. Yes.
    Mr. Etheridge. Okay. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Langevin. I thank the gentleman.
    The Chair now recognizes the gentlelady from Texas, Ms.
Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. Mr. Chairman, thank you so very much for
the courtesies of this committee and to the ranking member, Mr.
McCaul, my colleague from Texas.
    I think it is important that our respective committees--the
Transportation Security and Critical Infrastructure--continue
to cross-pollinate on these very crucial issues, and I thank
you for your leadership.
    I think it is important to note whether or not the
witnesses respectively feel that they are on an ongoing hot
seat. We are very much aware that intelligence, classified and
nonclassified, suggest that terrorists will not act the same,
that they will not be redundant, that they will not be
repetitive. To a certain extent, they will look for new and
creative ways.
    We are well aware of the complete shock and collapse of our
intelligence communications that generated the horrific tragedy
of 9/11. As one of the early members of the Select Committee on
Homeland Security, I am reminded of the constant chatter about
what we did not do and how we did not follow up with the
linkage of our intelligence to know the potential of these 19
terrorists who did this dastardly act.
    So we find ourselves here in 2008 with a new, enormous and
growing loophole that has been evidenced by the GAO, which
found that the Tennessee Valley Authority had significant
problems with cybersecurity, with the Aurora loophole. The idea
of this hearing--I hope and view as very important--is to not
put your finger in the dam for what could be a horrific and
devastating act equaling and surpassing the tragic earthquake
that just occurred in China and the horrible cyclone in Burma.
This is about life and death. This is about Americans' dying. I
know that there is a thought that this may be about the idea of
lights going out, but it may also be about the ability to, in
essence, shut down a system that would impact the very lifeline
of this country.
    So I am disturbed as well as a nonmember of this committee
to hear of the misrepresentation of materials, and it causes me
to think, Mr. Chairman, as we did in chemical security--and I
think we worked together on that legislation. There were
components of both of our committees as we moved on the
chemical security legislation out of the Transportation
Security committee and out of this committee. That legislation
is imperative. I know that there are initiatives that we have
spoken about, but let me raise this question as I raise it for
all of the witnesses.
    To the Tennessee Valley Authority: Can you tell me why--and
forgive me if you have answered it, and I would love a brief
answer--you are called the Nation's largest power company, and
we are quite proud of the technology of the Tennessee Valley
Authority. In fact, we are probably, on the floor of the House,
discussing this question of hydropower. Can you tell me why it
seems that you have not fully implemented security measures
that would operate against a catastrophic event for your
entity?
    For the other witnesses, speak to the point of legislation
with punitive measures--criminal and fines--as an incentive in
what is, I think, a very challenging question.
    Mr. McCollum, I believe, for the Tennessee Valley
Authority, where are you in the implementation of these
security measures?
    Mr. McCollum. We have been taking and are taking aggressive
action to maintain the security of our networks and
infrastructure and to improve those on an ongoing basis.
We, in
fact, had many actions underway in areas associated with the
recommendations of the GAO report prior to the GAO's audit, and
we are continuing to move ahead and to take actions on those
areas. So we are committed to strengthening on an ongoing basis
in a continuous improvement fashion and in a prioritized
fashion all of the defense in-depth approach and infrastructure
to guard against cybersecurity threats.
    Ms. Jackson Lee. Mr. McCollum, do you think you are going
fast enough?
    Mr. McCollum. Yes, I do. I believe that we have taken much
action on this issue, and we continue to move ahead.
    As Chairman Kelliher noted in his testimony, in order to
aggressively move against these threats, we have to understand
the threats, understand the issues involved and the mitigation
strategies and move quickly to implement those, and that is
what I believe we are doing. The GAO report is beneficial to us
in terms of clarifying some of the issues around compliance and
mitigation strategies, and that is very helpful to us.
    Ms. Jackson Lee. Let me thank you because I have the three
witnesses, and I must move quickly, but I do not think, from my
perspective, we are moving fast enough and you are moving fast
enough.
    I know that the representative from the GAO probably does
not want to comment--and if you do, please do, but let me just
say, do you see the landscape of utilities moving fast enough,
from your perspective?
    Mr. Wilshusen. Overall, I cannot really comment on that
because the scope of our work dealt with just TVA.
    Ms. Jackson Lee. Do you see them moving fast enough?
    Mr. Wilshusen. We have received the responses to our
recommendations and the actions that we recommend they do. We
have not yet verified their assertions. What we have at this
point are assertions.
    Ms. Jackson Lee. And you will provide us a report on that.
Was the response timely?
    Mr. Wilshusen. Yes.
    Ms. Jackson Lee. Thank you.
    Mr. Sergel, in light of the unfortunate misstatements that
have occurred from the reliability corporation, do we need--
well, I am not going to ask whether you need it.
    Wouldn't it be helpful to have incentives that were fairly
strong, that were fairly harsh about compliance?
    Mr. Sergel. We have standards that we have put in place,
and we will enforce them up to the $1 million a day per
violation, so we will do that.
    I think what is clear to me--and it was clear before, but
it is even more so after today--is that, as to the particular
nature of our organization, setting standards in an industry
public way is not adequate to deal with the issues that have
been presented by this committee.
    Ms. Jackson Lee. Maybe your enforcement is not adequate as
well.
    Mr. Sergel. Our enforcement of what we have will be as it
is limited by the law. Today, it is limited by the law.
    Ms. Jackson Lee. Maybe the law needs to be expanded.
    I will conclude, Mr. Chairman, by asking the FERC chairman,
and will thank him for his presence here.
    Give me a little bit more detail on how you work closely
with the Department of Homeland Security. Are you all in
periodic dialog? Is there oversight that is done in a combined
method? What is your assessment of the grid from your
regulatory perspective?
    Would you see the value, if you will--and I guess I am
asking a regulator because you are civil, if you will--for
criminal penalties for those who violate and/or for those who
are not adhering to the urgency of this matter?
    Mr. Kelliher. We coordinate with the national security
agencies, including Homeland Security, the Department of
Defense, the Department of Energy, and others, really, more in
the area that is the focus of the hearing today--in the area of
cybersecurity--than on other reliability issues.
    I just want to reassure you that we can impose penalties
for violations of cyber standards as well as other reliability
standards. We can impose civil penalties up to $1 million per
day per violation. I do not think maximum penalties will be the
norm for all reliability violations. I think we would tend to
reserve them for the most serious violations. We also want to
know not just whether a violation occurred but why it occurred.
We are really in the first stages.
    Reliability standards became enforceable on June 18 of last
year. So we have had less than 1 year of experience with
mandatory reliability standards. I think we are developing
enforcement programs at the regional level. We have a process
that is slow, but it is designed to be slow, frankly, by
Congress in the 215 process. That is what we think does not
work so well with this cyber threat, and there is the
possibility of criminal penalties as well for violations of the
Federal Power Act.
    Ms. Jackson Lee. Mr. Chairman, I will yield back with a
commitment to review with you these standards that you have
brought to our attention. I, frankly, believe that there is the
framework of reliability, and then there is the framework of
piercing the system by those who would desire to do us harm.
That, I guess, is the question I raise, which is whether or not
the system is secure enough to rebuff that and whether or not
we need to expand the concept of reliability to the concept of
rebuffing and intrusion through cybersecurity and otherwise and
whether or not the penalties, whether by the Federal Power Act,
are criminal.
    I am not trying to lasso you in, but I am trying to
emphasize the urgency and the importance of such as to whether
or not they are sufficient, as to whether or not the industry
is listening, as to whether or not the industry is moving fast
enough, and as to whether or not the industry realizes that
their challenge is alongside of reliability. It is life and
death for Americans who are impacted by your industry.
    With that, Mr. Chairman, I yield back. Thank you, and thank
you to the ranking member for your courtesies.
    Mr. Langevin. I thank the gentlelady for her questions and
for her input.
    Clearly, this is an area where, I believe, stronger
authorities, more comprehensive authorities are needed. I
certainly look forward to working with you and with the members
of this subcommittee and with the members of the full committee
to see how we strengthen those authorities. It is not just
enough to have some standards in place; they have to be the
right standards. If they are not broad enough or if they are
not strong enough--and that is what I believe is the case
here--then they do not go far enough. That is why I have
stronger confidence in this, in these standards, and the sooner
we can move in that direction in adopting those standards, the
better off we will be.
    These are the kinds of things that keep me up at night, our
electric grid, which we all rely on for our way of life, for
our national security. Our families depend on the reliability
of the electric grid.
When we identify a vulnerability such as
has been identified in this data threat and particularly in the
Aurora threat, it is something that we need to move
aggressively to close. This is, again, one of those things of
many that this subcommittee deals with that keeps me up at
night, and I am not going to be satisfied until we have
aggressively moved to close the vulnerability and that our
electric grid is 100 percent secure.
    With that, the vote has been called. I want to thank the
members for their questions. I want to thank the witnesses for
their testimony.
    Members of the subcommittee may have additional questions
that they would ask of the witnesses, and we would ask that you
respond expeditiously in writing.
    Hearing no further business, the subcommittee stands
adjourned.
    [Whereupon, at 3:40 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------

   Questions From Chairman James R. Langevin for Honorable Joseph T.
    Kelliher, Chairman, Federal Energy Regulatory Commission (FERC)
    Question 1. One of our witnesses from the October panel, Joe Weiss,
recently commented in the press that ``some generation managers
considered NERC Reliability Standard compliance a `game' to remove
assets from the standards definition without addressing the reliability
threat.'' For instance, according to Weiss, one manager of a coal-fired
power plant was specifically charged by his upper management to ensure
that his plant was not considered a critical cyber asset. Another plant
manager whose plant had black start capability was subject to CIP-002;
however, the company considered it more cost-effective to simply remove
its black start capability. They determined that the cost of NERC
Reliability Standard compliance, and possible fines, was too much for
their facilities. Is there concern on your part that this is becoming a
compliance game? What are you preparing to do to address this problem?
    Answer. In Order No. 706, issued in January 2008, the Commission
directed two actions to ensure proper identification of critical
assets. First, we believe that a lack of uniformity in the performance
of risk-based assessments of critical assets could make it difficult to
compare companies and to check for adequate critical asset lists.
Therefore, the Commission directed NERC to develop guidance on the
development of a risk-based assessment methodology to identify critical
assets. NERC has that effort underway and is expected to post a draft
for comments in the fourth quarter of 2008. Second, we directed NERC to
revise the reliability standards to require an oversight mechanism for
an entity with a wide-area perspective to examine the critical asset
lists in order to ensure critical assets were listed. Upon identifying
a missing critical asset, the oversight entity could require that the
missing asset be added to the list and protected according to the CIP
reliability standards. This review procedure will be developed through
NERC's reliability standards development process and is expected to be
filed for the Commission's review in the second quarter of 2011. Also,
the Commission intends to spot check critical asset lists and their
determinations by actively participating in some compliance audits of
the CIP reliability standards. This is the most direct way for the
Commission to not only examine the specific details for the company
under consideration, but also to assess the effectiveness of the
critical asset identification requirement.
    Question 2. Are you familiar with the Aurora mitigation technology
that is manufactured by Cooper Industries? Do you know how many
companies have purchased this technology? In conversations with
industry owners and operators, have you gathered an understanding of
how many people have purchased this technology?
    Answer. The Commission is aware of the Cooper technology. Based
upon discussions with industry members, Commission staff believes that
the technology is not being widely used by industry. Their use is
limited by industry's need to test the reliability and operation of the
devices, as well as by supply issues.
    Question 3. Under the Cyber Initiative, all Federal agencies will
use a service provided by the US-CERT known as EINSTEIN to monitor
their connections to the Internet. EINSTEIN is an automated process for
collecting, correlating, analyzing, and sharing computer security
information across the Federal civilian government. As a Federal
entity, the TVA already deploys several EINSTEIN boxes on its networks
to monitor traffic. TVA also reports computer incidents to the US-CERT.
In the future, do you envision a role for the Federal Government to
provide a similar monitoring service for the private sector? To what
extent has FERC had these conversations with NERC, DHS, or other
intelligence agencies?
    Answer. To date, FERC has not been involved with the EINSTEIN
project and has not had discussions with NERC, DHS, other intelligence
agencies, or TVA about the subject. I note, however, that during the
course of the Commission's rulemaking regarding proposed Critical
Infrastructure Protection reliability standards and during our attempts
to assess industry's mitigation steps regarding the Aurora
vulnerability, industry has expressed very strong concerns about
sharing sensitive security-related information with Federal entities,
since the latter have limited legal authority to ensure that
information is disclosed only to those who have a need to know the
information.
    Question 4. Please elaborate on your request for new authority.
Would this require legislation? What intelligence agencies would be
involved? What is the next step for requesting or establishing this
authority?
    Answer. I believe new legislation is needed to protect the grid
against cyber security threats, given the nature of these threats. I
anticipate that the Commission would coordinate with other Federal
agencies, as appropriate, such as the Department of Energy, the
Department of Defense, the Department of Homeland Security, the Central
Intelligence Agency, the National Security Agency, or the Federal
Bureau of Investigation. We have been engaging in discussions with
affected entities to get input as we consider how to craft legislation
appropriately. We have received constructive input from these
discussions and are incorporating that input into draft legislative
text.
    Question 5. In your opinion, do America's intelligence agencies
have adequate situational awareness throughout the public and private
sector to provide FERC with the appropriate intelligence that would
allow FERC to immediately issue temporary mandatory reliability
standards to prevent or mitigate a cyber attack launched against the
Nation's bulk power system? If not, what could be done to better
improve this situational awareness?
    Answer. I believe that the intelligence agencies are best suited to
assess adversaries, their capabilities, and their intents. The
Commission has the knowledge and experience necessary to issue orders
addressing needed reliability measures or actions. To the extent
feasible, the Commission plans to consult with the relevant entities in
order to gain their input regarding the design and implementation of
any measures or actions needed to prevent or mitigate a cyber attack
launched against the Nation's bulk power system.
    Question 6. An article in the National Journal dated May 31, 2008
suggests that the Chinese government may have been responsible for the
2003 New York City blackout and the 2008 Florida Power and Light
blackout. Please provide a detailed narrative explaining your position
on this article. Please also explain whether such an attack could
potentially be carried out. Please explain the cause of the 2008
Florida Power and Light blackout.
    Answer. The Commission took part in the investigation and
subsequent report on the 2003 blackout. In summary, the Security
Working Group analysis provided no evidence that a malicious cyber
attack was a direct or indirect cause of the August 14, 2003, power
outage.\1\ The Commission has no reason to think otherwise today. As
for the 2008 Florida blackout, on March 19, 2008, the Commission
initiated a non-public, formal investigation into whether any mandatory
Federal reliability standards were violated during the Florida
blackout. Because the investigation is ongoing and the information
gained during the investigation is still non-public, I cannot discuss
any causes of the Florida blackout at this time.
---------------------------------------------------------------------------
    \1\ U.S.-Canada Power System Outage Task Force, Final Report on the
August 14, 2003 Blackout in the United States and Canada: Causes and
Recommendations, April 2004, page 132.
---------------------------------------------------------------------------
    Question 7. A common criticism of the NERC standards is that there
is not an adequate definition of critical cyber assets for CIP-002,
and, as a result, many companies are struggling to determine exactly
what is/is not covered under the reliability standards. To what extent
has FERC engaged industry in this discussion? What is your guidance to
the industry?
    Answer.
NERC's Glossary of Terms Used in Reliability Standards \ndefines critical cyber assets as cyber assets ``essential to the \nreliable operation'' of critical assets. Cyber assets are defined as \n``[p]rogrammable electronic devices and communication networks \nincluding hardware, software, and data.'' As a result of these \ndefinitions, the identification of critical cyber assets involves a \ntwo-step process. First, the critical assets must be identified. Then, \nthe associated critical cyber assets must also be identified. Most of \nthe discussions between industry and the Commission on this process \nhave focused on identifying critical assets. See the response to \nquestion one above. Regarding the second step, most of the discussions \non that aspect of the process have been about the ``data'' component. \nThat discussion culminated in the Commission's direction in Order No. \n706 that NERC consider the designation of various types of data as a \ncritical asset or a critical cyber asset. We also directed NERC to \ndevelop guidance on the steps that would be required to apply the CIP \nreliability standards to such data and to consider whether this also \ncovers the computer systems that produce the data. The Commission also \nexpects that best practices used to identify critical cyber assets will \nbe identified during the process of auditing responsible entities for \ncompliance with CIP-002. At that point, the Commission will consider \nwhether additional guidance is called for, or whether the reliability \nstandard needs to be modified.\n    Question 8. Does FERC have the authority to require companies \noperating on the bulk power system to undergo ``red team'' efforts \ninvolving remote or onsite attackers? Does FERC have any operational \nauthority to run ``red team'' exercises against these companies?\n    Answer. The CIP reliability standards require responsible entities \nto conduct vulnerability tests, but not actual ``red team'' efforts. 
In \ntheory, a reliability standard could require a ``red team'' exercise, \nbut there would be associated reliability risks with conducting such \nexercises. The Commission does not have authority to run such ``red \nteam'' exercises against industry companies.\n    Question 9. The Nuclear Regulatory Commission documents all unusual \ncyber-related events, in contrast to non-nuclear electric facilities \nthat do not make these events public. Does FERC intend to create a \ncatalogue of events on grid facilities to allow for the monitoring of \nthis kind of activity? If not, why not?\n    Answer. The Commission has no plans at this time to create a public \ncatalog of cyber security incidents. The CIP reliability standards do \nrequire responsible entities to report cyber security incidents to the \nelectricity sector information sharing and analysis center (operated by \nthe North American Electric Reliability Corporation), but that \ninformation is not all public. At this point, the Commission is more \nfocused on having incidents reported rather than making them public. In \nfact, the Commission's Order No. 672 indicated a preference for keeping \nproceedings involving a cybersecurity incident nonpublic because it is \npossible that bulk-power system security and reliability would be \nfurther jeopardized by the public dissemination of information \ninvolving incidents that compromise the cybersecurity of a specific \nuser, owner or operator of the bulk-power system. If such information \nis made public, careful attention will be necessary to be sure \nsensitive information that could jeopardize the reliability of the \nbulk-power system is not disclosed.\nQuestions From Chairman James R. Langevin to Richard Sergel, President \n        and CEO, North American Electric Reliability Corporation\n                             June 23, 2008\n    Question 1. 
For the record, please provide a detailed timeline that \nexplains the steps that you took to distribute the industry survey \nregarding the Aurora mitigation. Please note the discrepancies that \nwere discussed during the hearing, and provide explanations for those \ndiscrepancies.\n    Answer. The responsibility to provide consistent, coordinated, \nclear and effective communication lies entirely with NERC. We apologize \nfor the confusing, unclear, and misleading communications with the \nsubcommittee. A detailed timeline that describes the steps taken by \nNERC to distribute the October 19, 2007 written survey to the industry \nregarding the implementation of the mitigation measures contained in \nthe June 21, 2007 ES-ISAC Advisory is attached (Attachment 1).\n    The discrepancies discussed during the May 21 hearing appear to us \nto fall into two categories: (1) the timing and means by which NERC \nassessed the industry's compliance with the June 21 Advisory, and (2) \nthe representation to the subcommittee of NERC's assessments of \ncompliance with the Advisory. These are discussed below, beginning with \nthe October 17 hearing.\nA. The October 17, 2007 testimony of David Whiteley regarding NERC's \n        assessment of the industry's implementation of the mitigation \n        measures identified in the Advisory.\n    At the October 17 hearing, Chairman Langevin told Mr. Whiteley that \nstaff of the Department of Homeland Security had described to committee \nstaff ``a survey that NERC sent out in August 2007 to determine how \nmany owners and operators were implementing the mitigation efforts'' \nidentified in the June 21 Advisory. Mr. Langevin then asked Mr. \nWhiteley to ``describe the survey and tell us its findings.''\n    Mr. Whiteley failed to inform Mr. Langevin that the Chairman's \nunderstanding was incorrect and that NERC had NOT sent out a formal \nwritten survey of the industry's compliance with the Advisory in August \n2007. 
As depicted on the timeline, NERC had prepared a formal survey \nthat was approved by NERC senior management. NERC received FERC's \nassent to distribute that survey in August. However, the survey had not \nbeen sent out at the time of the hearing. By not advising the \nsubcommittee that no written survey had been sent out, Mr. Whiteley's \ntestimony was inaccurate and misleading.\n    Mr. Whiteley responded as though the survey had been distributed, \nstating that it was a follow-up to the ``guidance that was issued \nearlier in the spring,'' and that ``we've determined that \napproximately, at this point, 75 percent of the transmission grid has \neither taken appropriate actions or is in the process of implementing \nthose actions.'' This discussion of ``75 percent of the transmission \ngrid'' appears to have been misunderstood by the subcommittee. Mr. \nWhiteley's use of the 75 percent number referred to the portion of the \ntransmission grid owned by companies that had been contacted by NERC \nstaff and for which Mr. Whiteley believed that mitigation measures had \nbeen implemented, based on information provided to Mr. Whiteley by \nNERC's Manager, Situation Awareness and Infrastructure Security (NERC \nSAIS Manager). Mr. Whiteley did not intend by use of this number, as \nthe subcommittee may reasonably have assumed, to state that 75 percent \nof all transmission users, owners or operators had implemented \nmitigation measures.\n    In response to a further question from Chairman Langevin at the \nOctober 17 hearing, Mr. Whiteley stated that NERC had ``hard data'' \nshowing the extent of the industry's compliance with the June 21 \nAdvisory.\\1\\ The basis for Mr. Whiteley's response to Chairman \nLangevin's inquiry was an e-mail sent to NERC management on October 10 \nby the NERC SAIS Manager that reported on the status of implementation \nof the short- and mid-term mitigation measures recommended in the \nAdvisory. 
That e-mail stated that the ``data'' gathered from voluntary \nsubmissions and from discussions with NERC Critical Infrastructure \nProtection Committee (CIPC) contacts at ``the large transmission owners \nand operators'' ``covers at least 75 percent of the BPS in the U.S.''\n---------------------------------------------------------------------------\n    \\1\\ ``Mr. Langevin: . . . 75 percent you say is in compliance, . . \n. this is not just anecdotal? You are talking about this as hard \nanswers to the issue of having implemented all the mitigation \nstrategies?'' ``Mr. Whiteley: This is a follow-up with most of the \nlarge utilities in the country and many of the intermediate-size \nutilities as well. And it is hard evidence or hard data that we've \nasked, and they've explained what's been done. So we have direct \ninformation.''\n---------------------------------------------------------------------------\n    Because the only information NERC had at the time of the October 17 \nhearing was the information the NERC SAIS Manager obtained in a few \nvoluntary written submissions and his informal discussions with company \nrepresentatives, it was inaccurate to characterize the information as \n``hard'' or ``direct.'' A complete answer would have described what had \nbeen done, i.e., to tell the subcommittee that NERC staff conducted \ndiscussions with industry representatives that collectively own or \noperate 75 percent of the total transmission grid. The response also \nshould have said that NERC had not verified the reports received in \nthese discussions regarding the status of mitigation measures.\nB. Responses to follow-up inquiries from the committee.\n    In responding to follow-up questions for the record of the October \n17 hearing on November 20, NERC submitted a copy of the formal written \nsurvey sent out on October 19 to assess the status of compliance with \nthe mitigation measures recommended in the Advisory. 
On December 5, \nNERC provided a narrative overview of the implementation of the \nmitigation measures recommended in the June 21 Advisory, along with the \nsurvey responses themselves (with the identity of the specific \nrespondents concealed), in response to a further request of the \nsubcommittee.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ This further request was made on November 16 in a letter from \nChairman Langevin to Mr. Sergel. The narrative overview document was \nentitled ``Assessment of the Implementation of the Mitigation Measures \nrecommended in the June 21, 2007 ES-ISAC Advisory.''\n---------------------------------------------------------------------------\n    The narrative overview provided on December 5 stated that:\n\n    The ES-ISAC conducted both an initial assessment of the \n        implementation of the recommended measures and a formal, \n        written survey to measure industry progress in completing the \n        mitigation measures. The initial assessment was conducted in \n        September and early October and was performed by gathering \n        information with sector entities in phone conversations and at \n        meetings. No formalized survey instrument was used. 
In \n        addition, a small number of entities submitted unsolicited \n        reports on their progress to the ES-ISAC.\n    Based on the information gathered in the discussions, the submitted \n        reports, and expert knowledge of the ownership and geography of \n        the bulk power system, the ES-ISAC concluded that approximately \n        75 percent of the transmission grid had received mitigation \n        measures or such measures were in progress.\n\n    Following this submission to the subcommittee, the subcommittee \ncounsel contacted NERC on December 6 to schedule a face-to-face meeting \nand request further detail regarding the September/October ``initial \nassessment'' of the industry compliance with the mitigation measures in \nthe June 21 Advisory. On December 20, NERC representatives met with \nsubcommittee staff and provided a letter in response to the staff's \nrequest for ``a list of phone conversations and meetings that these \nindividuals had with sector entities. Please include dates and any \ninformation/notes prepared.''\n    The December 20 letter, submitted by NERC's SAIS Manager, stated \nthat ``[a]fter issuance of the Advisory on June 21, 2007, I \ncommunicated regularly with industry representatives to explain and \ndiscuss the Advisory. Beginning in September and October, my \ncommunication efforts shifted from explanation of the Advisory to \ndetermination of how well the Advisory was being implemented. A \nreconstructed list of the discussions, to the best of my recollection, \nis listed below.'' Contacts made at the September 27-28 CIPC meeting in \nSt. Louis were listed in this letter, as well as phone calls with other \nindividuals conducted in September and October. The letter also \nprovided copies of the three voluntary written submissions that NERC \nreceived. 
In addition to this written response, NERC representatives \nand subcommittee staff discussed the nature of the information \ngathering process prior to the distribution of the written survey on \nOctober 19.\n    Committee Chairman Thompson and subcommittee Chairman Langevin sent \nletters on January 8, 2008 to attendees at the September 27-28 CIPC \nmeeting identified in the December 20 letter. The letter from Messrs. \nThompson and Langevin said:\n\n    ``The committee recently requested and received documentation from \n        the North American Electric Reliability Corporation (NERC) to \n        help determine the extent of the sector's efforts to implement \n        the security recommendations contained in the June 21, 2007 \n        NERC Advisory. According to these documents, NERC staff met \n        with you individually at the NERC Critical Infrastructure \n        Protection Committee meeting, held from September 27-28 in St. \n        Louis, Missouri, to discuss your company's implementation \n        efforts.\n    ``During this meeting with NERC staff, you answered questions \n        regarding the clarity of the recommendations contained in the \n        NERC Advisory, the extent of your company's efforts to mitigate \n        the Aurora vulnerability, and existence of your company's \n        cybersecurity training program for employees. Please provide \n        the committee with a detailed narrative explaining this \n        discussion with NERC.''\n\n    The January 8 letter reveals the subcommittee's view that the \ndiscussions at the CIPC meeting in St. Louis were more formal than they \nwere. As NERC's December 5 submission indicated, no formal survey was \nconducted. 
Although NERC's December 5 narrative overview indicated that \ninformation was gathered from sector entities ``in phone conversations \nand at meetings,'' NERC understands from subcommittee counsel that the \nsubcommittee's January 8 inquiry was sent only to the CIPC meeting \nattendees.\n    The responses provided to the subcommittee's January 8 letter do \nnot support Mr. Whiteley's reference to ``hard data'' showing \ncompliance by 75 percent of the transmission grid in his response to \nChairman Langevin at the October hearing. However, several of the \nresponses sent to the subcommittee do describe company interactions \nwith NERC staff at the CIPC meeting and discussions of company \ncompliance with the recommended mitigation measures:\n  <bullet> One company stated the Aurora advisory was discussed during \n        the general CIPC meeting in September, not in an individual \n        meeting. It stated that at the initiation of NERC there was \n        discussion by many attendees in the open forum about the \n        response of their companies to the NERC advisory; details of \n        the response to the advisory were not provided at the meeting \n        due to the sensitive nature of the information on mitigation of \n        the vulnerability.\n  <bullet> Another company submitted detailed affidavits, which \n        reported, among other things, that the company representative \n        recalled talking to NERC staff about the Aurora vulnerability \n        and the company's efforts to address it. 
The company \n        representative also told NERC that the company had taken action \n        to eliminate the Aurora vulnerability.\n  <bullet> Another company stated it told NERC it had addressed the \n        vulnerability.\n  <bullet> A few companies reported that there was some (limited) \n        discussion of the Aurora vulnerability at the CIPC meeting.\n    Taken together, the responses the subcommittee received to its \nJanuary 8 letter would not lead to a conclusion that there was ``hard \ndata'' for David Whiteley to rely on at the October 17 hearing.\nC. Other missed opportunities to correct the record and clarify the \n        status of the implementation of the mitigation measures \n        contained in the Advisory.\n  <bullet> October 15.--NERC received a request from subcommittee staff \n        for information about the August 2007 survey. NERC failed to \n        advise the staff that a survey was NOT sent in August 2007.\n  <bullet> November 20.--NERC submitted responses to the subcommittee's \n        follow-up questions from the October 17 hearing. The first \n        question asked, ``What were the results of the August 2007 NERC \n        survey sent to owners and operators regarding the status of the \n        sector's implementation of the Aurora mitigation efforts,'' and \n        also requested a copy of the survey and a narrative of the \n        results. The NERC response enclosed a copy of the October 19 \n        survey and a narrative of the results, as requested, but failed \n        to advise the subcommittee that a formal written survey was NOT \n        sent out in August. 
By letter dated December 12, 2007 and \n        delivered on December 14, NERC clarified its responses for the \n        record of the October 17 hearing and stated definitively that \n        no survey was sent in August 2007.\n  <bullet> December 5.--NERC's response to Chairman Langevin's November \n        16 letter requesting a copy of the survey and its results \n        failed to clarify that the reference to 75 percent of the grid \n        having mitigation measures completed or in progress was a \n        reference to the percentage of the physical transmission grid, \n        by ownership, not to the percentage of users, owners or \n        operators that had completed mitigation measures.\n    In summary, NERC did not rigorously survey the implementation of \nthe mitigation measures it had recommended and did not accurately \ncommunicate with the subcommittee about what NERC had done. As I \ntestified on May 21, 2008, NERC now has a structure in place--with a \nformal FERC-approved, three-level system of alerts; a comprehensive \nlist of owners, operators and users of the bulk power system; and \nmandatory reporting regarding implementation of recommendations and \nessential actions--to assure that a rigorous and timely analysis of the \nimplementation of recommended measures in future Advisories will be \nconducted.\n    Question 2. Publicly and privately owned infrastructures on the \ngrid are so interconnected that weak security controls in one utility can \npose harm to another utility that shares a connection. Yet publicly and \nprivately owned infrastructures are subject to different security \nstandards. According to a NIST-sponsored review published in March \n2007, an organization conforming to the baseline set of security \ncontrols in SP 800-53 will also comply with the management, operational \nand technical security requirements of the NERC Reliability Standards, \nthough the converse may not be true. 
For instance, the NERC Reliability \nStandards allow for the exclusion of telecommunications and \ndistribution equipment from the ``critical assets'' list. Under the SP \n800-53 requirements, however, there is no similar exclusion. This \ncommittee--along with NIST and GAO--has suggested that the NERC \nstandards should be more aligned with the NIST 800-53 standards that \napply to federally owned infrastructure. What steps are being taken to \ntransition the NERC Reliability Standards toward NIST? Why shouldn't \nthe scope of CIP-002 be changed to include ``all equipment that is \nelectronically connected''?\n    Answer. In Order 706, FERC directed NERC to consult with Federal \nagencies on the effectiveness of NIST standards and implementation \nissues, and using the standards development process, address any \nprovisions that would better protect the bulk power system.\n    In response to this direction, a Standard Authorization Request \n(SAR) was initiated and posted for a 30-day public comment period from \nMarch 20 to April 19, 2008. A SAR drafting team comprised of well \nregarded subject matter experts from a broad range of industry segments \nwas assembled to review and respond to the comments received during \nthat initial SAR posting. This team includes a representative from a \nFederal agency that must comply with both NERC and NIST standards.\n    Presently, the drafting team is considering all comments on the \nSAR, including those submitted by NIST. The drafting team must prepare \nwritten responses to all comments. The end work product will be a SAR \nthat specifies the work scope for the Standard Drafting Team that will \nultimately develop the revisions to the standards.\n    NERC management has formally invited NIST to continue its \nparticipation in the standards drafting effort as a formal team member. 
\nNIST has agreed.\n    Regarding the scope of CIP-002, it does not include ``all equipment \nthat is electronically connected'' for jurisdictional as well as \nreliability reasons.\n  <bullet> Section 215 of the Federal Power Act limits the ERO's \n        jurisdiction to bulk power system users, owners, and operators. \n        By definition, the bulk power system excludes distribution \n        assets. Similarly, telecommunications common carriers are not \n        users, owners or operators of the bulk power system.\n  <bullet> Section 215 of the Federal Power Act also defines a \n        reliability standard as a requirement that provides for the \n        reliable operation of the bulk power system. The process \n        required in CIP-002 determines which assets of the bulk power \n        system provide for its reliable operations. Those assets are \n        identified through an analysis of the impact that the loss of \n        an asset poses to reliable operation of the bulk power system. \n        Those assets found to provide for the reliable operation of the \n        bulk power system are critical assets.\n  <bullet> The CIP-002--CIP-009 standards drafting team intentionally \n        focused requirements on cyber assets that were: (1) Essential \n        to the reliable operation of critical assets; (2) whose impact \n        to reliable operation of the bulk power system, if compromised, \n        could be significant; and, (3) had a great number of attack \n        vectors. Cyber assets meeting these criteria are critical cyber \n        assets.\n    An electronic perimeter, as required in CIP-005, shields critical \n        cyber assets from potential adverse impacts from external \n        sources such as non-critical cyber assets.\n    NERC's CIP standards represent the first set of reliability \nstandards requiring a uniform level of cyber security for all users, \nowners, and operators of the bulk power system. 
These standards \nintentionally focus the efforts of those users, owners, and operators \non assets most critical to the reliable operation of the bulk power \nsystem. The CIP standards expanded the scope of assets beyond those \naddressed in Urgent Action 1200. The process of focusing resources on \nthose assets with the greatest impact on reliable operations, and \nprotecting them as required in the remaining standards (specifically \nincluding the provision of electronic security perimeters), mitigates \nthe need for protection of every other asset that is connected to them. \nSubsequent cyber security standards may include other assets within the \nscope of the ERO's jurisdiction.\n    Question 3. In April 2000, Vitek Boden, an employee at an \nAustralian firm that installed SCADA radio-controlled sewage equipment, \npacked his car with stolen radio equipment attached to a computer. He \ndrove around issuing radio commands to the sewage equipment that \nresulted in sewage spills. This is the first widely known example of \nsomeone maliciously breaking into a control system. Please explain how \na company demonstrating auditable compliance with the NERC CIP \nstandards prevents this incident from occurring, when they are not \nrequired to follow any mandatory reliability standards for \ntelecommunications equipment.\n    Answer. If the referenced event had occurred on the North American \nbulk power system, it would represent a breach of the ``electronic \nsecurity perimeter,'' which is required by present NERC Cyber Security \nstandard CIP-005-1. In this particular instance, communications from an \ninvalid source were allowed to be transmitted to, received by, and \nacted upon by the control equipment for the sewage system. As required \nby the NERC standards, the system control equipment would be contained \nwithin an electronic security perimeter. 
Any communications across that \nperimeter (wireless or not) would have to pass through the protections \nof the electronic security perimeter prior to being sent to the system \ncontrol equipment.\n    The electronic security perimeter is implemented using the concept \nof ``mutual distrust'', as described in the requirements of CIP-005, \nwhich includes requirements to implement a ``deny by default'' stance, \nand requires ``specific access permissions be specified''. It also \nrequires ``only ports and services required for operations and \nmonitoring'' be allowed to cross the perimeter. In the Boden example, \nhad CIP-005 been implemented, the perimeter controls would have been \nimplemented to disallow control actions from being delivered from \naddresses not associated with the control center, and would therefore \nbe flagged as suspicious, requiring investigation and reporting of said \nsuspicious activities following the requirements of NERC Standard CIP-\n008-1.\n    In this particular case, if the entity in the Boden example \nfollowed the change management procedures required by CIP-003-1, the \nequipment disposal procedures required by CIP-007-1, and the access \ncontrol review and revocation requirements required by CIP-003-1, CIP-\n004-1, CIP-005-1, CIP-006-1, and CIP-007-1, the stolen equipment used \nby Mr. Boden would have been removed from the valid access list, and \nthe illicit communications would have been disallowed at the perimeter.\n    Question 4. 
You stated during the hearing that NERC ``will push as \nfar as we can to get as much done on the telecommunications side within \nthe standard.'' However, as it currently stands, the NERC reliability \nstandard excludes telecommunications and non-routable protocols and \ndoes not explicitly address wireless systems in the definition of \n``critical cyber assets.'' What steps is NERC taking to ensure that \ntelecommunications equipment is covered in the next revision of the \nstandard?\n    Answer. Section 215 of the Federal Power Act limits the scope of \nFERC's and the ERO's jurisdiction to only the bulk power system. FERC \nand NERC standards cannot enforce requirements upon telecommunications \nproviders and their equipment.\n    However, a Standard Authorization Request (SAR) drafting team is \ncurrently considering alternative approaches to address how data and \ninformation are received through wired and wireless telecommunications \nequipment owned or operated by owners, operators and users of the bulk \npower system. Specifically, it is discussing the merits of protecting \nthe data being transmitted, rather than protecting the transmission \nmedia. This change in philosophy from the initial set of standards will \nextend the protections to wireless data transmission, will lessen the \nneed for requirements for protecting the transmission media itself, and \nallow the standards to be enforced regardless of whether the \ntelecommunications system is owned by the jurisdictional entity or a \ntelecommunications provider.\n    The draft SAR was posted for a 30-day public comment period from \nMarch 20 to April 19, 2008. The SAR drafting team met on May 5-6, 2008 \nto consider comments and refine the SAR. Further refinement took place \nduring a conference call and WebEx on May 30, 2008. Continued \nrefinement is scheduled to take place on a July 2, 2008 conference call \nand WebEx. 
The end work product will be a SAR that specifies the work \nscope for the Standard Drafting Team that will ultimately develop the \nrevisions to the standards.\n    Question 5. Are you familiar with the Aurora mitigation technology \nthat is manufactured by Cooper Industries? Do you know how many \ncompanies have purchased this technology?\n    Answer. Yes, NERC is aware of this technology. The U.S. Department \nof Homeland Security informed NERC of the development of the device. \nNERC subsequently invited Richard Hein of Cooper Industries to \nparticipate in a panel discussion during the December 13, 2007 Critical \nInfrastructure Protection Committee meeting in Orlando, Florida, where \nhe presented information about the rotating equipment isolation device \n(REID). NERC has supplied Cooper Industries' Web site information to \nAmeren Corporation, which had asked for assistance to learn more about \nthe device.\n    According to Cooper Industries, only the Department of Defense, to \ndate, has purchased REID devices. The number of devices sold was not \ndisclosed to NERC staff.\n    Question 6. Under the Cyber Initiative, all Federal agencies \n(including, for instance, the TVA) will use a service provided by the \nUS-CERT known as EINSTEIN to monitor their connections to the Internet. \nEINSTEIN is an automated process for collecting, correlating, \nanalyzing, and sharing computer security information across the Federal \ncivilian government. As a Federal entity, the TVA already deploys \nseveral EINSTEIN boxes on its networks to monitor traffic.\n    TVA also reports computer incidents to the US-CERT. In the future, \ndo you envision a role for the Federal Government to provide a similar \nmonitoring service for the private sector? To what extent has NERC had \nconversations with either DHS or FERC about this issue? To what extent \nhave you discussed this possibility privately with your members?\n    Answer. 
Neither the Department of Homeland Security, of which US-\nCERT is a part, nor FERC has briefed NERC management or ES-ISAC staff \nabout a service named EINSTEIN. NERC has not consulted subject matter \nexperts within industry on the subject of EINSTEIN or the potential \nbenefits this government-run monitoring service could provide for the \nelectricity sector.\n    NERC is aware that in 2004 DHS sponsored a project involving \nseveral ISO/RTOs to evaluate intrusion detection system (IDS) tools and \nanalytical capabilities. The 1-year pilot, called the Cyber Log \nAnalysis Project, was conducted by EWA-Canada and Dartmouth College. \nThe results suggested that aggregation of IDS log data could be useful \nin improving the incident and warning (I&W) capability in the \nelectricity sector and recommended that DHS continue developing more \nsophisticated and automated shared information analysis techniques and \ndevelop open source software for this purpose.\n    NERC's Reliability Standard CIP-005 requires monitoring of network \ntraffic across the electronic security perimeter to provide early \nwarning of possible unauthorized access attempts. As such, NERC would \nbe open to exploring with FERC and DHS the benefits of implementing an \nEINSTEIN-like project within the electricity sector.\n    Question 7. To what extent has NERC involved either NIST or the ISA \nin the standards-setting process? Will you be inviting individuals from \nboth entities to participate in the new CIP-706 Standard Drafting Team \n(SDT)?\n\n  <bullet> Answer. ISA became involved with the standards development \n        effort in 2005 through review and comment on draft three of \n        CIP-002--CIP-009.\n    The co-chair of ISA SP99 is a named, formal member of the drafting \n        team charged with scoping the future development of the CIP \n        standards pursuant to FERC Order 706. 
NERC management has \n        formally invited the co-chair to continue ISA SP99's \n        involvement in the CIP standards drafting process. He has \n        agreed to participate.\n  <bullet> NIST's participation in NERC's standards-setting process \n        began this year. NIST has contributed comments to the current \n        scoping effort, which must be considered and responded to in \n        accordance with the NERC process. Those comments are attached \n        (Attachment 2).\n    NERC management has formally requested NIST's continued involvement \n        in the CIP standards drafting process. NIST has agreed to \n        participate.\n  <bullet> Federal agencies required to follow both NIST guidance and \n        NERC Standards have been involved in the Cyber Security \n        standards setting process since 2003.\n    <bullet> An employee of Western Area Power Administration was a \n            named, formal member of the CIP-002--CIP-009 standards \n            drafting team.\n    <bullet> Bonneville Power Administration, Tennessee Valley \n            Authority, United States Bureau of Reclamation, and the \n            Western Area Power Administration have participated in the \n            review and comment process for CIP-002--CIP-009. The United \n            States Army Corps of Engineers provided comments, as well.\n    <bullet> An employee of the U.S. Bureau of Reclamation is a named, \n            formal member of the drafting team charged with scoping the \n            future development of the CIP standards pursuant to FERC \n            Order 706. 
NERC management has formally requested the \n            Bureau's continued participation in the CIP standards \n            drafting process.\n\n   ATTACHMENT 1.--TIMELINE OF STEPS TAKEN BY NERC (AS THE ES-ISAC) TO\n         DISTRIBUTE THE INDUSTRY SURVEY OF THE AURORA MITIGATION\n------------------------------------------------------------------------\n              2007\n------------------------------------------------------------------------\nJune 7.........................  FERC issues order on NERC compliance\n                                  filing that states, ``the Commission\n                                  believes that NERC should issue an\n                                  operations and equipment alert\n                                  requiring specific actions only under\n                                  NERC's remedial power.''\nJune 21........................  NERC acting as the ES-ISAC issues\n                                  advisory regarding the Aurora\n                                  Demonstration Test following\n                                  discussions with Department of Energy\n                                  and Department of Homeland Security.\n                                  At the direction of DOE and DHS, the\n                                  advisory is designated ``For Official\n                                  Use Only''. The Advisory states the ES-\n                                  ISAC would be distributing a follow-up\n                                  survey to measure the progress made in\n                                  the electricity sector in implementing\n                                  the recommended mitigation measures.\nJuly 9.........................  
NERC files request for clarification or\n                                  rehearing of FERC's June 7 order\n                                  stating that NERC should issue an\n                                  operations and equipment alert\n                                  requiring specific actions only under\n                                  NERC's remedial power.\nJuly 30........................  NERC General Counsel (GC) prepares\n                                  draft cover letter for survey.\nAugust 1.......................  Discussions between NERC staff and FERC\n                                  staff regarding the survey.\n                                 NERC agrees to coordinate with FERC\n                                  before sending out the survey.\nAugust 3.......................  NERC GC sends a copy of a draft follow-\n                                  up survey and cover letter to FERC (to\n                                  the Director, Office of Electric\n                                  Reliability (Director), and to the\n                                  then-General Counsel) via e-mail. NERC\n                                  proposes that the ES-ISAC would\n                                  distribute the survey and the cover\n                                  letter, to be signed by the NERC\n                                  President and CEO. The draft survey\n                                  proposes a response date of August 24;\n                                  NERC informs FERC of its desire to\n                                  send the survey out ``by the middle of\n                                  next week'' [week of August 6].\n                                 The e-mail implemented NERC's\n                                  commitment made August 1 to coordinate\n                                  with FERC before sending out the\n                                  follow-up survey. 
NERC solicited\n                                  FERC's suggestions on the draft letter\n                                  and the survey. NERC also asked FERC\n                                  staff ``if you have had further\n                                  thoughts about whether the ES-ISAC\n                                  should send this letter.''\nSometime after August 3 and      The Director of the FERC Office of\n before August 15.                Electric Reliability and the NERC CEO\n                                  discussed the draft ES-ISAC cover\n                                  letter and survey.\nAugust 16......................  NERC's GC sends an e-mail to FERC's GC\n                                  following up on the Director-CEO\n                                  discussion.\nAugust 21......................  NERC's GC and FERC's GC discuss FERC\n                                  staff concerns with the proposed cover\n                                  letter and survey.\nAugust 21......................  E-mail from NERC GC to FERC GC\n                                  acknowledges the Director's concerns\n                                  regarding ``the penultimate paragraph\n                                  on the instruction sheet to the\n                                  survey'' dealing with the\n                                  circumstances under which the ES-ISAC\n                                  would make information available about\n                                  the status of the mitigation efforts\n                                  to government agencies.\nAugust 21......................  NERC GC and FERC GC further discuss the\n                                  survey/cover letter, and NERC GC\n                                  recommends a modification to the\n                                  confidentiality language in the survey\n                                  instructions. 
According to an e-mail\n                                  from the NERC GC to the CEO, the FERC\n                                  GC said that the ``edit solved the\n                                  immediate problem and we can get the\n                                  letter out.'' NERC's GC said that he\n                                  would work with NERC's Manager,\n                                  Situation Awareness and Infrastructure\n                                  Security (SAIS Manager) on getting the\n                                  survey out.\nAugust 21......................  NERC's GC transmits the change in\n                                  language worked out with the FERC GC\n                                  to the NERC SAIS Manager via e-mail.\n                                  The NERC GC advises the NERC SAIS\n                                  Manager that the FERC GC ``said that\n                                  with the change, we can send out the\n                                  letter.'' The NERC GC also advises\n                                  that the proposed August 24 due date\n                                  for the survey responses would need to\n                                  be extended by a reasonable amount to\n                                  account for the delay in distribution\n                                  of the survey.\nAugust 21......................  CEO comments on wording of the\n                                  instructions to the survey in an e-\n                                  mail to the NERC SAIS Manager, and\n                                  approves the letter.\nAugust 21......................  
The NERC GC advises the NERC SAIS\n                                  Manager that ``I'm leaving this with\n                                  you, unless you have further\n                                  questions, or something else comes\n                                  up.''\nSeptember......................  NERC SAIS Manager has informal, off the\n                                  record telephone conversations with\n                                  representatives of major bulk power\n                                  system entities regarding the\n                                  implementation of the Advisory. No\n                                  notes of the discussions were taken.\nSeptember 20...................  FERC issues order granting NERC's\n                                  request for clarification that NERC\n                                  has the authority to issue industry\n                                  alerts in a broader set of\n                                  circumstances than just violations of\n                                  reliability standards. FERC requires\n                                  NERC to change the term ``Required\n                                  Actions'' to something else and\n                                  imposes requirements that NERC must\n                                  give notice to the Commission prior to\n                                  issuing alerts and must report back to\n                                  the Commission on the status of\n                                  implementing the recommendations of\n                                  the alerts.\nSeptember 27-28................  CIPC meeting in St. Louis. One agenda\n                                  item during the meeting was a\n                                  discussion of the June 21 advisory:\n\n\nOctober 8......................  
NERC SAIS Manager has an informal, off\n                                  the record discussion of the\n                                  implementation of the Advisory on a\n                                  call with ERCOT. No notes of the\n                                  discussion were taken.\nOctober........................  NERC SAIS Manager has informal, off the\n                                  record telephone conversations with\n                                  representatives of major bulk power\n                                  system entities regarding the\n                                  implementation of the Advisory. No\n                                  notes of the discussions were taken.\nOctober 10.....................  NERC SAIS Manager sends an e-mail to\n                                  NERC's CEO, NERC's General Counsel,\n                                  NERC's Executive Vice President, and\n                                  NERC's Chief Information Officer\n                                  setting forth the status of the\n                                  mitigation measures contained in the\n                                  Advisory. The e-mail reported:\n\n                                 ``Mitigation         Status\n                                  Measure\n                                ----------------------------------------\n                                 Short Term--0 to 60\n                                  days:\n\n                                 1. 
Plan for taking   100%\n                                  immediate, drastic\n                                  action.\n                                 2.1.1 Security for   100%\n                                  remote access.\n                                 2.1.2 Personnel      85%\n                                  Security.\n                                 2.1.3 Sensitive      90%\n                                  Information.\n                                 2.1.4 Seal Off open  99%\n                                  ports.\n\n                                 Mid Term--60 to 180\n                                  days:\n\n                                 3.1 Authentication.  65%\n                                 3.2 Situation        30%\n                                  Awareness.\n\n                                 Long Term--180 days\n                                  plus:\n\n                                 4.1 Remote Monitor.\n                                 4.2 Vendors........\n                                 4.2.1 Separate\n                                  Functionality.\n                                 4.2.2 Seal Breaker\n                                  Close Function.\n                                 4.2.3 Secure\n                                  Firmware and\n                                  Software.\n                                 5. Superfast\n                                  Protective Device.\n                                 6. Shadow Device...\n                                 7. Government\n                                  Intelligence\n                                  Agencies.\n                                 8. 
CIP 002-009''\n\n                                 The NERC SAIS Manager further advises\n                                  in the e-mail that this information\n                                  ``has been gathered from voluntary\n                                  submission by 10 entities (all major\n                                  players) and from discussions with\n                                  CIPC contacts at the large\n                                  transmission owners and operators. The\n                                  data is current as of last week. The\n                                  data covers at least 75 percent of the\n                                  BPS in the U.S.''\n                                 The NERC SAIS Manager's e-mail also\n                                  states that no written survey had yet\n                                  been sent out to assess the\n                                  implementation of the measures in the\n                                  Advisory:\n                                 ``I have not sent out the formal survey\n                                  for the following reasons:\n                                 1. I do not have a good list to send\n                                  this kind of survey to.\n                                 2. NERC received a great deal of\n                                  criticism for how the initial advisory\n                                  was distributed to and who it was not\n                                  distributed to. Many key entities did\n                                  not receive it until several weeks\n                                  afterward.\n                                 3. 
I have been working with the\n                                  [Regional Reliability Entities] and\n                                  the trade associations to compile a\n                                  list but it has not been successful.\n                                  At the last CIPC meeting in late\n                                  September, a consensus was reached to\n                                  use the NERC Compliance Registry and I\n                                  have been pursuing that option.''\nOctober 17.....................  Subcommittee Hearing.\nOctober 19.....................  NERC, acting as the ES-ISAC, sends the\n                                  Follow-up Survey to ``Electric Sector\n                                  Transmission Owner/Operators and\n                                  Generation Owner/Operators,'' asking\n                                  for a response by November 2. The\n                                  survey was sent to ``major entities in\n                                  the bulk power system.''\n                                 The cover letter accompanying the\n                                  survey recommends that a ``coordinated\n                                  effort be made at each entity to\n                                  compile a single response rather than\n                                  multiple responses from the same\n                                  entity.'' The letter stated further\n                                  that ``The ES-ISAC is working with the\n                                  regional reliability organizations,\n                                  EEI, and the [Canadian Electricity\n                                  Association] to deliver the survey\n                                  instrument to the right people in the\n                                  right entities.''\nOctober 23.....................  
FERC requests approval from the Office\n                                  of Management and Budget to send its\n                                  own survey requesting detailed\n                                  information on the status of\n                                  implementation of the Aurora\n                                  mitigation measures by owners,\n                                  operators, and users of the bulk power\n                                  system.\n                                 NOTE: NERC did not learn of this\n                                  request by FERC until December 5.\nNovember 2.....................  Deadline for responses to the October\n                                  19 survey. A total of 133 entities\n                                  respond to the survey.\nNovember 8.....................  NERC circulates questions for the\n                                  record submitted to David Whiteley as\n                                  follow-up to the October 17 hearing.\n                                  NERC GC designates responsibility for\n                                  the draft responses among NERC staff.\nNovember 9.....................  Chairman Kelliher replies to an October\n                                  17 letter from the subcommittee. The\n                                  letter notes that FERC had directed\n                                  NERC to report to FERC on the level of\n                                  compliance with future Advisories\n                                  within 30 days. 
The letter discusses\n                                  FERC's views of NERC's October 19\n                                  survey: ``[a]lthough we support NERC\n                                  taking the actions it believes are\n                                  necessary as ES-ISAC, we do not\n                                  believe NERC's survey provides\n                                  sufficient information for the\n                                  Commission to determine whether\n                                  further action is appropriate. For\n                                  example, it does not provide\n                                  information on what facilities are the\n                                  subject of the mitigation plans, what\n                                  steps to mitigate the cyber\n                                  vulnerability are being taken, when\n                                  those steps are planned to be taken,\n                                  and, if certain actions are not being\n                                  taken, why not. Nor is it clear to the\n                                  Commission that NERC has received a\n                                  complete set of responses to its data\n                                  request.'' FERC therefore planned to\n                                  conduct its own survey that would\n                                  ``supplement NERC's action and provide\n                                  more detailed information on which to\n                                  assess the status of mitigation\n                                  efforts.''\n                                 NOTE: NERC did not become aware of this\n                                  letter until December 5.\nNovember 15....................  
NERC staff sends an e-mail reporting on\n                                  a call on November 14 from\n                                  subcommittee counsel requesting a face-\n                                  to-face meeting and ``a copy of all\n                                  the docs we sent re: esisac cyber recs\n                                  and surveys.''\nNovember 16....................  Chairman Langevin sends a letter to\n                                  NERC CEO requesting the results from\n                                  the ES-ISAC Advisory follow-up survey,\n                                  with the response due by November 28.\n                                 NOTE: The letter did not come to light\n                                  until the CEO returned to the office\n                                  on November 28. NERC subsequently\n                                  received an extension of the deadline\n                                  to submit the materials until December\n                                  5.\nNovember 20....................  NERC submits responses to questions for\n                                  the record to the subcommittee.\nDecember 5.....................  NERC GC prepares draft cover letter for\n                                  a second survey of the status of\n                                  industry efforts to implement the\n                                  Aurora mitigation measures, in\n                                  preparation for coordination with FERC\n                                  staff.\nDecember 5.....................  While edits were still being made on\n                                  the NERC response to Mr. 
Langevin's\n                                  November 16 letter, NERC staff obtains\n                                  a copy of the letter dated November 9\n                                  from FERC Chairman Kelliher to the\n                                  subcommittee in response to the\n                                  October 17 letter [see November 9\n                                  entry above].\nDecember 5.....................  Based on information in Chairman\n                                  Kelliher's November 9 letter, NERC\n                                  General Counsel obtains a copy of\n                                  FERC's request to OMB seeking approval\n                                  to send survey to owners, operators,\n                                  and users of the bulk power system\n                                  requesting detailed information on the\n                                  status of implementation of the Aurora\n                                  mitigation measures. After discussions\n                                  between NERC GC and FERC staff\n                                  regarding the status of FERC's request\n                                  to OMB, NERC's plans to send a second\n                                  follow-up survey in December are put\n                                  on hold, and references in the NERC\n                                  response to the November 16 letter to\n                                  the second survey are deleted.\nDecember 5.....................  
NERC submits the final response to
                                  November 16 letter to the House
                                  Subcommittee, signed by David
                                  Whiteley:
                                 ``Following the issuance of the
                                  Advisory, many of the larger
                                  transmission owners and operators were
                                  contacted by an ES-ISAC representative
                                  to help the ES-ISAC make an assessment
                                  of the response to the June 21
                                  Advisory and measure the progress in
                                  completing mitigation. Additional
                                  entities made unsolicited information
                                  submissions to the ES-ISAC. Through
                                  this process, the ES-ISAC determined
                                  that approximately 75 percent of the
                                  transmission grid had mitigation
                                  measures completed or in progress.
                                  This was the basis for my testimony at
                                  the October 17 subcommittee hearing.
                                 ``A follow-up written survey to
                                  formally measure the progress in
                                  implementing the recommended
                                  mitigation measures was distributed to
                                  major entities in the bulk power
                                  system on October 19 and responses
                                  were requested by November 2. The
                                  following information regarding the
                                  October 19 survey is enclosed: (1) an
                                  overview of the implementation
                                  assessment process, which summarizes
                                  the survey responses; (2) a blank copy
                                  of the survey; (3) the forms supplied
                                  by the respondents; and (4) an
                                  alphabetical listing of the
                                  respondents. To preserve the security
                                  and confidentiality of this
                                  information, which is a commitment
                                  made to the respondents by the ES-
                                  ISAC, all entity identification was
                                  removed from these forms and a
                                  separate listing of the respondents
                                  was created. The information submitted
                                  confirms the conclusion reached by the
                                  ES-ISAC that 75 percent of the
                                  transmission grid has implemented the
                                  recommended mitigation.''
December 6.....................  Subcommittee staff sends an e-mail to
                                  NERC staff requesting times for a face-
                                  to-face meeting and asking NERC to
                                  bring to the meeting: ``1. The name
                                  and position of the individual/s who
                                  conducted the `initial assessment' on
                                  behalf of NERC in September/October;
                                  2. A list of phone conversations and
                                  meetings that these individuals had
                                  with sector entities. Please include
                                  dates and any information/notes
                                  prepared; 3. The unsolicited reports
                                  issued to the ES-ISAC during this
                                  time, including the names of the
                                  sector entities who submitted the
                                  unsolicited reports.''
December 14....................  Letter dated December 12, 2007, sent to
                                  the subcommittee by NERC Executive
                                  Vice President clarifying the question
                                  of when NERC's survey was sent
                                  (October 2007, not August 2007) and
                                  apologizing for any misimpression that
                                  the November 20 response may have
                                  given regarding the timing of the
                                  written survey.
December 20....................  At a meeting with NERC representatives,
                                  subcommittee staff is given a letter
                                  from the NERC SAIS Manager formally
                                  responding to the 3 questions set out
                                  in subcommittee staff's December 6 e-
                                  mail. In response to question 2 (list
                                  of phone conversations and meetings
                                  that these individuals had with sector
                                  entities, including dates and
                                  information/notes prepared), the
                                  letter stated:
                                 ``After issuance of the Advisory on
                                  June 21, 2007, I communicated
                                  regularly with industry
                                  representatives to explain and discuss
                                  the Advisory. Beginning in September
                                  and October, my communication efforts
                                  shifted from explanation of the
                                  Advisory to determination of how well
                                  the Advisory was being implemented. A
                                  reconstructed list of the discussions,
                                  to the best of my recollection, is
                                  listed below.'' The list identified
                                  contacts made at the September 27, 28
                                  CIPC meeting as well as phone calls
                                  with other individuals conducted in
                                  September and October.
December-January 2008..........  NERC learns from FERC staff that FERC
                                  has changed its plan to send the
                                  formal written survey regarding the
                                  status of Aurora mitigation measures
                                  to all owners and operators; instead,
                                  FERC teams are conducting interviews
                                  in the field with selected utilities
                                  to learn the status of their efforts
                                  to mitigate the Aurora
                                  vulnerabilities.
------------------------------------------------------------------------

   Attachment 2.--NIST Comments on Standards Development for Future
                        Version SAR (06/11/2008)
    NIST agrees with the proposed changes in FERC Order 706 and
proposes several additional items for consideration listed in the
comments section of Question 5 of this comment form.
                        general comments summary
    NIST believes that if the changes specified in FERC Order 706 and
the recommendations below are implemented, NERC will have made a
positive step toward making the CIPs commensurate with the NIST
SP 800-53, Rev 2 moderate baseline. However, there are still differences
in coverage and in the level of specificity of the security requirements
that need to be addressed. NIST would also like to point out that many
of the Federal agencies that own/operate industrial control systems in
the bulk electric sector are classifying their systems as High impact
systems that implement the High baseline requirements in SP 800-53.
NIST is willing and has the resources to work on the NERC standards
team in developing the next revision to the standard.
                                approach
    Critical Assets vs. Information System.--NIST understands that in
the electric sector, protecting critical assets has been the
predominant paradigm, but recommends for future revisions of the
standards that an information systems approach rather than a critical
asset approach be considered.
    Our rationale for this suggestion is as follows: While it is
important to identify critical assets using a risk-based assessment
methodology, NIST suggests that NERC consider applicability of the CIPs
at an information system level rather than at the critical asset level.
An information system view provides a more natural context for the
application of information technology security across an industrial
control system composed of multiple components, where some subset of
the components is supported by information technology.
    Under the current scope of the CIPs, all of the CIP security
requirements would be applied to every critical cyber asset. In some
cases, application of all of the CIP security requirements to a
critical cyber asset may not make sense or may be excessive due to the
nature of the asset. When an information system view is adopted, the
CIP security requirements would be applied at the information system
level, resulting in the allocation of CIP requirements to specific
components. Not all components of the information system are required
to support every information system security requirement, only those
that are identified as a result of the requirement allocations, thus
resulting in significant cost savings.
    Using the information system view, there is no need to distinguish
between cyber assets and critical cyber assets as all cyber assets
within the information system are protected.
                   Comments on Specific Requirements
    CIP 002 R3.1.--NIST strongly recommends that a clear, unambiguous
definition of ``routable protocol'' be developed and, based on that
definition, all routable protocols currently within the scope of the
CIPs should be identified. All data encapsulated within a routable
protocol should also be within the scope of the CIPs.
    CIP 002 R3.2.--NIST recommends that ``control center'' should be
replaced by ``electronic security perimeter.''
    Nuclear Facility Exemption.--In reference to section 4.2.1 of each
CIP, NIST observes that the electric side of nuclear power plants can
have an impact on the bulk electric sector. NIST suggests that the
continuity of power aspects of nuclear facilities should be included in
the scope of these standards. Therefore NIST recommends that the
exemption statement ``Facilities regulated by the U.S. Nuclear
Regulatory Commission or the Canadian Nuclear Safety Commission'' be
changed to ``Specific systems that are regulated by the U.S. Nuclear
Regulatory Commission or the Canadian Nuclear Safety Commission (e.g.,
safety systems).''
    Wireless.--NIST observes that the CIPs do not sufficiently address
the security of wireless technologies, which include, but are not
limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and
Bluetooth. There appears to be an assumption in the CIPs that
communication occurs solely over media. Consequently, NIST recommends
that a clear, unambiguous definition of wireless technology be
developed and security requirements for wireless technologies be
included in the CIPs.
    Media Protection.--NIST recommends that the CIPs media protection
requirements be expanded to cover all types of media. Because of the
miniaturization and increased portability of digital media, protection
of this media by a physical security perimeter is no longer adequate.
Information system media includes both digital media (e.g., diskettes,
magnetic tapes, external/removable hard drives, flash/thumb drives,
compact disks, digital video disks) and non-digital media (e.g., paper,
microfilm). Information system media are also components of portable
and mobile computing and communications devices (e.g., notebook
computers, personal digital assistants, cellular telephones). The
organization should have policy and procedures to protect and control
information system media during transport outside the physical
perimeter and restrict the activities associated with transport of such
media to authorized personnel. For example, many organizations today
prohibit removing laptop computers with unencrypted hard drives from
the physical protection perimeter, and enforce this policy with
unannounced inspection at the exits. Information system media is also a
component of telephone systems that have the capability to store
information (e.g., voice-mail systems). Since telephone systems do not
have, in most cases, the identification, authentication, and access
control mechanisms typically employed in other information systems,
policy should address the types of information stored on telephone
voice-mail systems that are accessible outside of physically protected
areas.
   Questions From Chairman James R. Langevin to Mr. Greg Wilshusen,
Director, Information Security Issues, Government Accountability Office
                                 (GAO)
    Question 1. Please verify that, since the hearing, you have had the
opportunity to review TVA's proposed action plan.
    Answer. We have not yet received TVA's formal action plan for
review. In its written comments to our draft reports, TVA informed us
of several actions that it plans to take to address our recommendations
to strengthen the security of its control systems, but we have not
performed audit work to verify that these actions are under way or
effective. Agencies are permitted 60 days from the date of an audit
report's issuance to submit their action plan to us.
    Question 2. Explain the process you will undertake to verify that
the corrective actions are underway.
    Answer. As part of our audit responsibilities under generally
accepted government auditing standards, after conducting and reporting
the results of an audit, we follow up with the audited entity to
determine the extent to which it has implemented our recommendations.
In doing so, we request that the agency provide a copy of the agency's
statement of action to serve as preliminary information on the status
of open recommendations and we discuss the status of the
recommendations with cognizant agency officials; we obtain copies of
agency documents supporting the recommendations' implementation or
information from the agency's Office of the Inspector General; and we
perform sufficient audit work to verify that the recommended actions
are being taken and, to the extent possible, that the desired results
are being achieved.
    We track the status of agency efforts to implement our
recommendations in a publicly available database, which is updated
routinely and made available to all Members of Congress, their staffs,
and audited agencies. A recommendation is closed when it has been
implemented, when actions have been taken that essentially meet the
recommendation's intent, or when circumstances have changed and the
recommendation is no longer valid.
 Questions From Chairman James R. Langevin to Mr. William R. McCollum,
     Jr., Chief Operating Officer, Tennessee Valley Authority (TVA)
    Question 1. Publicly and privately owned infrastructures on the
grid are so interconnected that weak security controls in one utility
can pose harm to another utility that shares a connection. Yet publicly
and privately owned infrastructures are subject to different security
standards. According to a NIST-sponsored review published in March
2007, an organization conforming to the baseline set of security
controls in SP 800-53 will also comply with the management, operational
and technical security requirements of the NERC Reliability Standards,
though the converse may not be true. For instance, the NERC Reliability
Standards allow for the exclusion of telecommunications and
distribution equipment from the ``critical assets'' list. Under the SP
800-53 requirements, however, there is no similar exclusion. This
committee--along with NIST and GAO--has suggested that the NERC
standards should be more aligned with the NIST 800-53 standards that
apply to federally owned infrastructure. Are you concerned that a
weakness on a privately owned infrastructure would affect your network?
    Answer. TVA understands the importance of protecting its systems
and takes that responsibility seriously. Good security practice
requires that the higher security zone consider connections to other
security zones as potentially hostile.
    Accordingly, we treat all external connections as potentially
hostile in order to appropriately protect our systems.
    TVA does not believe that a security weakness at other electric
utilities could impact the security or integrity of TVA's control
systems. Computer network connections to control systems require
multiple layers of security, as addressed by both NIST and NERC
standards. The security controls in these layers must be, and in TVA's
case are, sufficiently strong to compensate for any weaknesses in the
other network.
    Question 2. As control systems become more connected, more
vulnerabilities are exposed. For instance, several months ago, a
penetration-testing consultant named Ira Winkler gave a presentation at
a conference describing an attack that he performed on a power company.
Winkler was hired by the company to test the security of its network
and the power grid it oversees. He set up an attack that paired social
engineering with corrupting browsers on a power company's desktops. By
the end of a full day of the attack, they had taken over several
machines, giving the team the ability to hack into the control network
overseeing power production and distribution. According to GAO, the
interconnections between your control system networks and the corporate
network mean that security weaknesses on the corporate network could
affect control systems networks. As a result, TVA's control systems
were at an increased risk of unauthorized access or disruption via
access from the corporate network. Why shouldn't all control systems be
isolated from the business network? How is TVA addressing this issue?
    Answer. TVA agrees that control systems should be isolated from the
business network. To the largest possible extent, this isolation should
be a physical separation. In cases where there is a strong business or
regulatory basis for interconnection with other networks, segmentation
must be implemented through network architectural schemes that include
layered security controls and effective intrusion detection systems.
    TVA has implemented and will continue to strengthen a defense in
depth strategy. This plan includes isolation and/or levels of
segmentation that meet or exceed NIST, NERC, and other applicable
standards.
    Question 3. What specific efforts are underway to address the GAO
report? Please provide the committee with a timeline for completing the
recommendations.
    Answer. TVA will continue to remediate the GAO recommendations
according to our scheduled commitments in our response to the GAO
report. Effective February 2008, cyber security is positioned at the
enterprise level and is responsible for all management, administration,
and control of cyber security at TVA including control systems. The GAO
report made 19 recommendations that focused on our need to improve and
extend our existing security program for process control systems. TVA
was already addressing 17 of the 19 recommendations prior to the GAO
audit. The other two were completed in April. The LOUO GAO report
identified 73 additional recommendations. Fifty percent of those
recommendations will be complete by September 30, 2008. Seventy-five
percent will be complete by December 31, 2008. Most of the remaining
recommendations will be complete by September 30, 2009.
    Question 4. Has the TVA performed all mitigations recommended by
the ES-ISAC advisory for the Aurora vulnerability? Have you met with
FERC staff to discuss these mitigations?
    Answer. TVA has implemented all the mitigations from the ES-ISAC
advisory that were determined to be necessary, based on a June 2007
assessment. Given that it has been a full year since TVA responded to
the ES-ISAC advisory, we have conducted a fresh, zero-based assessment
and have validated that currently digital relays on TVA's generation
units either have no wiring installed for reclosing or have no remote
communications connections. In accordance with the ES-ISAC advisory,
TVA completed an emergency plan in August 2007. TVA's Nuclear Power
Group (NPG) completed the required assessments consistent with these
requirements on August 20, 2007.
    TVA and FERC representatives spoke via conference call prior to the
hearing to discuss the mitigations. At the conclusion of the call, both
agencies agreed that a good next step is to meet in person. TVA is
working with FERC to schedule this meeting.
    Question 5. There is at least one company that manufactures a
device that specifically mitigates the Aurora vulnerability. Has the
TVA purchased this protective device?
    Answer. No, TVA has not purchased this protective device, which is
designed for those systems in which relays are capable of reclosing
breakers, thereby damaging generation units. Since TVA relays dedicated
to generation units have remote communication disconnected or are
configured in a way that cannot reclose breakers, TVA has no need for
this particular device.
    TVA believes the best general solution is that digital relays, like
the one used in the Aurora experiment, must be protected by strong
cyber security controls if they must be connected to a computer
network.
    Question 6. Has DHS provided you with more EINSTEIN boxes since
your previous discussions with the committee? How many boxes are you
deploying in total?
    Answer. TVA has four primary external connections and has installed
or will be installing a device at each connection in support of the
EINSTEIN initiative. DHS has provided TVA with the four EINSTEIN boxes
with the exception of a card for one of these boxes. The installation
of three of the four boxes is complete and the final installation will
be scheduled based on the arrival of the necessary card.
    Question 7. The committee is concerned not only with the security
of the electric sector, but also the nuclear sector. Browns Ferry
nuclear plant is operated by the TVA. In August 2006, two circulation
pumps at Unit 3 failed, forcing the unit to be shut down manually. The
failure of the pumps was traced to an unintended incident involving
excessive traffic on the control system's network. In 2007, the
committee wrote to the NRC requesting an investigation into the source
of this data storm; unfortunately, to this day, the NRC has been unable
to conclusively determine the cause. Why don't we know what happened at
Browns Ferry? What has TVA done to determine what happened?
    Answer. Consistent with our Nuclear Power Group (NPG) procedures, a
root cause analysis using the Kepner-Tregoe methodology was performed
by a multi-disciplinary team at Browns Ferry following the incident.
    The root cause analysis determined that excessive network traffic
on the Unit 2 and 3 Integrated Computer System network caused the pumps
to fail. TVA had network intrusion devices monitoring the connection
between the business network and the internet at the time of the
incident. Examination of logs from those devices for the August 2006
event showed no indication of outside influence. As stated in the NRC's
letter to the Chairman of the Committee on Homeland Security dated July
20, 2007, ``The licensee [TVA] determined that the cause of the event
was a malfunction of the recirculation pump variable frequency drive
(VFD) microprocessor-based controller. The controller failure was
attributed to excessive traffic on the internal network. Since the
control network is physically and electrically independent of networks
that interface outside the plant, the NRC is confident that the failure
was not the result of a cyber attack.''
    TVA will continue to strengthen the security of our control
systems. In performing our mission, the safety of our employees and the
public is paramount in all of our operations.

                                 <all>
</pre></body></html>"