[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
THE CYBER THREAT TO CONTROL SYSTEMS: STRONGER REGULATIONS ARE NECESSARY
TO SECURE THE ELECTRIC GRID
=======================================================================
HEARING
before the
SUBCOMMITTEE ON EMERGING
THREATS, CYBERSECURITY, AND
SCIENCE AND TECHNOLOGY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
OCTOBER 17, 2007
__________
Serial No. 110-78
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
48-973 WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
BENNIE G. THOMPSON, Mississippi, Chairman
LORETTA SANCHEZ, California, PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts LAMAR SMITH, Texas
NORMAN D. DICKS, Washington CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon TOM DAVIS, Virginia
NITA M. LOWEY, New York DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of MIKE ROGERS, Alabama
Columbia BOBBY JINDAL, Louisiana
ZOE LOFGREN, California DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin CHARLES W. DENT, Pennsylvania
Islands GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
VACANCY
Rosaline Cohen, Staff Director & General Counsel
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
______
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND
TECHNOLOGY
JAMES R. LANGEVIN, Rhode Island, Chairman
ZOE LOFGREN, California MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin DANIEL E. LUNGREN, California
Islands GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee
AL GREEN, Texas PETER T. KING, New York (Ex
VACANCY Officio)
BENNIE G. THOMPSON, Mississippi (Ex
Officio)
Jacob Olcott, Director & Counsel
Dr. Chris Beck, Senior Advisor for Science & Technology
Carla Zamudio-Dolan, Clerk
Dr. Diane Berry, Minority Senior Professional Staff Member
(ii)
C O N T E N T S
----------
Page
STATEMENTS
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island, Chairman, Subcommittee on
Emerging Threats, Cybersecurity, and Science:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, Ranking Member, Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology.... 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security.............................................. 5
The Honorable Bob Etheridge, a Representative in Congress From
the State of North Carolina.................................... 68
The Honorable Al Green, a Representative in Congress From the
State of Texas................................................. 64
The Honorable Zoe Lofgren, a Representative in Congress From the
State of California............................................ 27
The Honorable Bill Pascrell, Jr., a Representative in Congress
From the State of New Jersey................................... 24
The Honorable Ginny Brown-Waite, a Representative in Congress
From the State of Florida...................................... 26
Witnesses
Panel I
Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security
and Telecommunication Department of Homeland Security:
Oral Statement................................................. 6
Preapred Statement............................................. 9
Mr. Tim Roxey, Technical Assistant to the President CGG/Security,
Deputy to the chair, NSCC & PCIS, Constellation Generation
Group:
Oral Statement................................................. 15
Prepared Statement............................................. 17
Mr. Greg Wilshusen, Director, Information Security Issues,
Government Accountability Office............................... 13
Panel II
Mr. Joseph McClelland, Director, Office of Electric Reliability,
Federal Energy Regulatory Commission:
Oral Statement................................................. 29
Prepared Statement............................................. 31
Mr. Joe Weiss, Managing Director, Applied Control Solutions:
Oral Statement................................................. 46
Prepared Statement............................................. 48
Mr. David Whiteley, Executive Vice President, North American
Electric Reliability Corporation:
Oral Statement................................................. 36
Prepared Statement............................................. 38
Appendixes
Appendix I: For the Record
Letter from Mr. David A. Whiteley.............................. 77
Appendix II: Additional Questions and Responses
Responses from Mr. Greg Garcia................................. 79
Responses from Mr. Joseph McClelland........................... 85
Responses from Mr. Joe Weiss................................... 88
Responses from Mr. David Whiteley.............................. 88
Responses from Mr. Greg Wilshusen.............................. 95
THE CYBER THREAT TO CONTROL SYSTEMS: STRONGER REGULATIONS ARE NECESSARY
TO SECURE THE ELECTRIC GRID
----------
Wednesday, October 17, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity,
and Science and Technology,
Washington, DC.
The subcommittee met, pursuant to call, at 2:16 p.m. in
Room 311, Cannon House Office Building, Hon. James R. Langevin
[chairman of the subcommittee], presiding.
Present: Representatives Langevin, Lofgren, Etheridge,
Green, Pascrell, Thompson, McCaul, Brown-Waite, and Broun.
Mr. Langevin. The subcommittee will come to order.
The subcommittee is meeting today to receive testimony on
``The Cyber Threat to Control Systems: Stronger Regulations are
Necessary to Secure the Electric Grid.''
I will begin by recognizing myself for the purposes of an
opening statement.
Today's hearing provides us with a prime opportunity to
assess the future of cybersecurity and critical infrastructure
protection in the United States. Today we will discuss two
major issues: the efforts to implement cybersecurity standards
within the electric sector and a cyber vulnerability, known as
Aurora, which was recently made public.
Now, I will be blunt, if this administration doesn't
recognize and prioritize these problems soon, the future isn't
going to be pretty.
The bulk power system in the United States and Canada has
more than $1 trillion in asset value, more than 200,000 miles
of transmission lines, and more than 800 megawatts of
generating capability, serving over 300 million people. The
effective functioning of this infrastructure is highly
dependent on control systems, which a computer-based system is
used to monitor and control sensitive processes and physical
functions.
Once largely proprietary, closed systems, control systems
are becoming increasingly connected to open networks, such as
corporate intranets and the Internet itself. As such, the cyber
risk of these systems is increasing.
Intentional and unintentional control system failures on
the bulk power system could have a significant and potentially
devastating impact on the economy, public health and national
security of the United States. For a society whose every
function depends on reliable power, the disruption of
electricity to chemical plants, banks, refineries, hospitals,
water systems and military installations presents a terrifying
scenario.
Now, we will not accidentally stumble upon a solution to
these problems. Instead, we must dedicate a lot of hard work
and resources to secure our systems. To this end, the Federal
Energy Regulatory Corporation, FERC, has recommended protecting
the bulk power system against disruptions from cyber attacks by
approving a set of reliability standards developed by the North
America Electric Reliability Corporation, or NERC.
Now, the proposed standards require certain users, owners
and operators of the grid to establish plans, protocols and
controls to safeguard physical and electric access to systems,
to train personnel on security matters, to report security
incidents, and to be prepared to recover information.
Two weeks ago, members of this committee, including myself,
Chairman Thompson, Mr. McCaul, submitted comments to FERC
Rulemaking. We believe that the standards proposed by NERC do
not sufficiently ensure the production or delivery of power in
the event of intentional or unintentional cyber incidents
involving critical infrastructures. The NERC standards focus on
the reliability of the bulk power system as a whole, yet
ignoring the Homeland Security impact that loss of power in a
region can have. The standards, for example, won't cover a
significant number of assets that are critical to providing
power throughout the country.
As several witnesses will testify today, the NERC standards
won't require electric-sector owners and operators to secure
their generation units, distribution units or
telecommunications equipment. But we know from countless real-
world examples that these units are highly vulnerable to
intentional or unintentional cyber events. Knocking any of
these units off could affect the power supply to our Nation's
critical infrastructure.
The readiness standards that would preclude these elements
just isn't good public policy. The technical experts agree with
this assertion. According to research performed for NIST, the
NERC standards are inadequate for protecting critical national
infrastructure. And GAO concurs with those findings.
Now, I am concerned about the narrow scope of the
standards, particularly in light of recent events. CNN recently
reported that DHS researchers at the Idaho National Laboratory
successfully destroyed a generator through an experimental
cyber attack. This experiment was code-named ``Aurora.'' And we
are going to have a brief video at the end of the testimony of
our witnesses here that are here this afternoon.
But officials tell me that malicious actors, insider
terrorists, or nation-states could use the same attack vector
against larger generators and other critical rotating
equipment, that they could cause widespread and long-term
damage to the electric infrastructure. DHS, working through
Idaho National Labs and DOE, have been deploying mitigation
measures for many of the critical infrastructure sectors.
Naturally, we expect owners and operators of critical
infrastructure would mitigate these vulnerabilities as quick as
possible. Unfortunately, I have reason to believe that the
mitigations developed by DHS and DOE have not been fully
implemented across the electric sector.
Today, the ranking member and I sent a letter to FERC
Chairman Joe Kelliher and asked him to commence an
investigation to determine the extent to which the electric-
sector owners and operators have implemented these mitigation
efforts.
Despite the comments from industry that suggest otherwise,
we in Congress believe that this is a serious problem. This
subcommittee will continue its vigorous oversight of this
critical aspect of our Nation's homeland security. These are
important issues.
And, without objection, I would like to introduce into the
record our comments to the FERC Rulemaking that we submitted on
October 5th, as well as the letter I provided Chairman Kelliher
yesterday, requesting the investigation.
Prepared Opening Statement of the Honorable James R. Langevin,
Chairman, Subcommittee on Emerging Threats, Cybersecurity, and Science
Today's hearing provides us with a prime opportunity to asses the
future of cybersecurity and critical infrastructure protection in the
United States. We will discuss two major issues today: the efforts to
implement cybersecurity standards within the electric sector and a
cyber vulnerability known as ``Aurora'' that was recently made public.
I'll be blunt--if this Administration doesn't recognize and prioritize
these problems soon, the future isn't going to be pretty.
The bulk power system of the United States and Canada has more than
$1 trillion in asset value, more than 200,000 miles of transmission
lines, and more than 800,000 megawatts of generating capability serving
over 300 million people. The effective functioning of this
infrastructure is highly dependent on control systems, which are
computer-based systems used to monitor and control sensitive processes
and physical functions. Once largely proprietary, closed-systems,
control systems are becoming increasingly connected to open networks,
such as corporate intranets and the Internet. As such, the cyber risk
to these systems is increasing.
Intentional and unintentional control system failures on the bulk
power system could have a significant and potentially devastating
impact on the economy, public health, and national security of the U.S.
For society whose every function depends on reliable power, the
disruption of electricity to chemical plants, banks, refineries,
hospitals, water systems, and military installations presents a
terrifying scenario. We will not accidentally stumble upon a solution
to these problems. Instead, we must dedicate a lot of hard work and
resources to secure our systems.
To this end, the Federal Energy Regulatory Corporation (FERC) has
recommended protecting the bulk power system against disruptions from
cyber attacks by approving a set of reliability standards developed by
the North American Electric Reliability Corporation (NERC). The
proposed standards require certain users, owners and operators of the
grid to establish plans, protocols and controls to safeguard physical
and electronic access to systems, to train personnel on security
matters, to report security incidents, and to be prepared to recover
information.
Two weeks ago Members of this Committee, including myself, Chairman
Thompson, and Mr. McCaul, submitted comments to the FERC rulemaking. we
believe that the standards proposed by NERC do not sufficiently ensure
the production or delivery of power in the event of intentional or
unintentional cyber incidents involving critical infrastructures. The
NERC standard focuses on the reliability of the bulk power system as a
whole, ignoring the homeland security impact that loss of power in a
region can have.
The standards won't cover a significant number of assets that are
critical in providing power throughout the country. As several
witnesses will testify today, the NERC standards won't require electric
sector owners and operators to secure their generation units,
distribution units, or telecommunications equipment. But we know from
countless real world examples that these units are highly vulnerable to
intentional and unintentional cyber events. Knocking any of these units
off could affect the power supply to our nation's critical
infrastructure.
Writing a standard that would preclude these elements just isn't
good public policy. The technical experts agree with this assertion.
according to research performed for NIST, the NERC standards are
``inadequate for protecting critical national infrastructure.'' GAO
concurs with those finds. I'm concerned about the narrow scope of the
standards, particularly in light of recent events. CNN recently
reported that DHS researchers at the Idaho National Laboratory
successfully destroyed a generator through an experimental cyber
attack. This experiment was code-named ``Aurora.''
Officials tell me that malicious actors--insiders, terrorists, or
nation states--could use the same attack vector against larger
generators and other critical rotating equipment that could cause
widespread and long-term damage to the electric infrastructure. DHS,
working through Idaho National Labs, and DOE have been developing
mitigation measures for many of the critical infrastructure sectors.
Naturally, we would expect owners and operators of critical
infrastructure would mitigate these vulnerabilities as quickly as
possible. Unfortunately, I have reason to believe that the mitigations
developed by DHS and DOE have not been fully implemented across the
electric sector.
Today, the Ranking Member and I sent a letter to FERC Chairman Joe
Kelleher and asked him to commence an investigation to determine the
extent to which electric sector owners and operators have implemented
these mitigation efforts. Despite comments from industry that suggest
otherwise, we in the Congress believe that this is a serious problem.
This Subcommittee will continue its vigorous oversight over this
critical aspect of our nation's homeland security.
Mr. Langevin. With that, that concludes my opening
statement. And the Chair now recognizes the ranking member of
the subcommittee, the gentleman from Texas, Mr. McCaul, for the
purposes of an opening statement.
Mr. McCaul. I thank the Chairman. I apologize for being a
little bit late. It is not every day you see the President
award the Dalai Lama the Congressional Gold Medal of Honor.
I want to thank you for holding this hearing. And we have
been working in a very bipartisan way on this issue because it
is an issue of national security that impacts the American
people and the security of the American people.
The electric power grid and the generation and distribution
equipment associated with it are amongst the most critical
pieces of our country's infrastructure. These systems, commonly
known as the power grid, are the largest, most complex machines
on the continent, enabling power to be generated, transmitted
and distributed to millions of individuals and businesses
across North America.
Despite the fact that the grid is highly reliable and has
built-in redundancy, the grid is dependent on its various
parts. Due to the physics of transmitting electricity, the
entire bolt power operates at the same frequency, so the grid
could be vulnerable to cascading failures and long-term outages
if the systems that control the production and flow of
electricity are compromised. As we saw with Aurora, these
systems can be compromised, and they are vulnerable.
Another example would be the East Coast blackout in 2003,
when an ordinary power outage, caused by a line coming in
contact with a tree, was exacerbated by a software bug, leading
to an alarm system failure that rippled across the East Coast.
The 2003 blackout was unintentional and, while costly, didn't
cause major disruption for more than 24 to 36 hours. But it
does, however, demonstrate that no grid can be threatened, when
a relatively small number of systems fail. It also demonstrates
that the grid can be threatened.
Industrial control systems, computer systems designed to
monitor and control industrial processes, have been
increasingly controlled over networks and the Internet. This
has created a much more efficient and easy-to-use system, but
has also created a whole host of vulnerabilities. These
vulnerabilities are exacerbated by the fact that traditional
cybersecurity solutions are not as easy to implement because
the systems must run smoothly and continuously.
Recently, the consequences of these cyber-based attacks
have come to light, primarily on CNN. And it is crucial and
critical that we move quickly in this country to secure these
vulnerable systems.
The Department of Homeland Security has multiple
initiatives under way to secure systems, as do a number of
other agencies, as well as the private sector. The Department
should take this opportunity to consolidate those initiatives
and draft an overall strategy that minimizes overlapping
efforts and prevents gaps so that these critical systems are
secured as quickly and effectively as possible.
I look forward to this discussion and the discussion from
the second panel, who will talk about cybersecurity standards
and best practices within the industry.
I believe that we can work together within the existing
structure to ensure that the industry's assets are adequately
and safely protected from threats and vulnerabilities.
With that, I want to thank the witnesses for being here.
And I yield back.
Mr. Langevin. I thank the ranking member.
The Chair now recognizes the chairman of the full
committee, the gentleman from Mississippi, Mr. Thompson, for an
opening statement.
Mr. Thompson. Thank you very much, Mr. Chairman. And I
thank you for your leadership on cybersecurity in this Congress
and your continued oversight on this issue.
Mr. Chairman, I often talk about vacancies within the
Department of Homeland Security, because I think it affects our
ability to protect and defend the United States. In that vein,
I am concerned about the Department's efforts in cybersecurity,
particularly given the extraordinary number of vacancies that
have opened up in the National Cybersecurity Division. Three
critically important individuals--the director of the National
Cybersecurity Division, the deputy director of outreach and
awareness, and the director of the Control Systems Security
Program--have all left the Department in recent months. I hope
Assistant Secretary Garcia can provide us information today
about where we are in filling these important positions.
Of course, this is nothing new for DHS or the Cyber
Division. The Control Systems Security Program, the subject of
today's hearing, has gone through countless program managers
over the years. I believe the high rate of vacancies and
turnover is affecting the Department's ability to really move
this country forward on control systems.
Take the control systems strategy, for example. In 2005,
DHS started working with interagency partners to develop a
comprehensive control systems strategy that would encompass the
public and private sectors, set a national vision to secure
control systems, describe roles and responsibility, and
identify future requirements for resources and action. It is
almost 3 years later, and not one product has been delivered.
A Department working without key leadership sends a bad
message to the private-sector owners and operators, who are
essential to securing critical infrastructure. How is the
Department supposed to develop long-term relationships with
these companies and individuals when there is a different DHS
face in every meeting?
Similarly, how is the private sector supposed to react to
the cyber initiative that was reported last month in the
Baltimore Sun? According to that article, NSA will be working
with DHS and other Federal agencies to monitor critical
infrastructure networks to prevent unauthorized intrusions.
According to the article, up to 2,000 people will be assigned
to this endeavor.
I wonder how this initiative is going to impact the public-
private partnership that DHS has been developing. I have asked
the Department to brief me numerous times on this initiative,
but we haven't heard a peep. I hope the Assistant Secretary can
provide us with feedback today.
Mr. Chairman, the American people deserve better. They
deserve better leadership on this issue. And I hope that the
next administration will reverse this unfortunate and dangerous
path. I thank you for your leadership on this issue, and I
yield back.
Mr. Langevin. I thank the gentleman.
Other members of the subcommittee are reminded, under the
committee rules, opening statements maybe submitted for the
record.
I want to begin now by welcoming our first panel of
witnesses.
Our first witness, Mr. Greg Garcia, Assistant Secretary for
Cybersecurity and Communications. Assistant Secretary Garcia
oversees the Department of Homeland Security's mission to
prepare for and respond to incidents that could degrade or
overwhelm the operation of the Nation's information-technology
and communications infrastructure.
I want to welcome you here, Secretary Garcia.
Our second witness, Gregory Wilshusen, is the director of
information security issues at GAO, where he leads information-
security-related studies and audits the Federal Government.
I appreciate you being here, Mr. Wilshusen.
And our third witness is Mr. Tim Roxey, the technical
assistant to the president of Constellation Generation Group
for Security. He is the deputy to the Chairs for both the
Nuclear Sector Coordinating Council and the Partnership of
Critical Infrastructure Security, and is the team lead for the
Aurora mitigation efforts for the private sector.
Mr. Roxey, thank you for being here, as well.
Without objection, the witnesses' full statements will be
inserted into the record. And I now ask each witness to
summarize their statement for 5 minutes, beginning with
Assistant Secretary Garcia.
And, Secretary, with all the vacancies that Chairman
Thompson mentioned in his opening statement, I am glad to see
that you are at least still on the job. Welcome. And thank you
for being here.
STATEMENT OF GREGORY GARCIA, ASSISTANT SECRETARY, OFFICE OF
CYBERSECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND
SECURITY
Mr. Garcia. Thank you very much, Mr. Chairman.
Chairman Thompson, Ranking Member McCaul and members of the
subcommittee, I do appreciate the opportunity to speak with you
today about DHS efforts to strengthen the security and
resiliency of our Nation's critical infrastructure.
It is fitting that you are holding this hearing during
National Cybersecurity Awareness Month, because it really helps
to raise public consciousness about the importance of control
systems security to our economic well-being and to our homeland
security.
I would also like to personally thank you and Mr. McCaul
and your colleagues for your leadership in cosponsoring House
Resolution 716, which endorses the ideals of National
Cybersecurity Awareness Month, and for your continued efforts
to raise awareness of this critical issue.
Control system--that is a term, a general term that
encompasses several types of systems, including SCADA, that are
most often found in the industrial sectors and critical
infrastructures. The systems typically are remotely controlled
devices used to operate physical processes in industries such
as electricity, oil and gas, and water.
Control systems are particularly important for the security
of our country's electric grid because of the significant
interdependencies inherent with the use of energy in all other
critical-infrastructure sectors. Therefore, securing control
systems is vital to maintaining our Nation's strategic
interests, the public safety and economic prosperity.
It is important to note that, because the private sector
owns and operates 90 percent or so of the critical
infrastructure that we need to protect, responsibility for
securing our Nation's control systems lies heavily with the
private sector. That said, as lead for coordinating national
critical infrastructure protection and cybersecurity, DHS
established a Control Systems Security Program. And the goal is
simple: to lead a cohesive effort between Government and
industry, focused on reducing the risks to control systems that
operate our critical infrastructure.
How do we do this? We have a comprehensive approach to
reduce risk by working closely with public and private
partners. And it looks like this: We work with the control-
systems vendor community to produce more secure systems; we
work with the owners and operators to better secure their
systems; and we work with the national labs and the National
Institute of Standards and Technology to develop technical
guidance. And we are proud of these efforts to assist our
public--and private-sector partners to identify and mitigate
direct risks to control systems.
We have made significant progress toward this goal, and
today I would like to highlight just a few of these successes.
First, a key principle for our mission is that you can't
enhance security if you don't know where your vulnerabilities
are. In collaboration with several Department of Energy
national labs, we developed the first widely available Control
Systems Cybersecurity Self-Assessment Tool. It employs a
systematic and repeatable approach for owners and operators to
assess the cybersecurity posture of their control systems.
Further, it offers recommendation based on industry standards
that are customized to the operating characteristics of each
control systems facility.
The response to the tool has been tremendous. For instance,
a key industry association for industrial manufacturing
professionals has found the tool so valuable that they are
making it available to their entire membership of over 30,000
professionals worldwide.
Second, we sponsor the SCADA Procurement Project to help
acquisition officials ensure that control systems they are
buying or upgrading have the best security available.
Government and industry representatives, including the multi-
State ISAC, the Information Sharing and Analysis Center, the
SANS Institute, and the DOE Idaho National Lab, developed this
comprehensive guidance document. It offers standardized
procurement language that companies can write into their
contracts when they purchase new control systems. The guidance
is available at no charge, and over 450 copies have been
downloaded each month since it was posted in January of 2007.
Third, people are at the heart of addressing the
cybersecurity challenge, and control systems are simply no
different. That is why we are focused on training and educating
control systems professionals on the best methods for securing
and maintaining their systems. Since 2005, we have trained
nearly 7,000 IT and control system professionals through both
classroom and Web-based instruction modules. We have also
developed curriculum for master's degree programs to aid
faculty in teaching our future business leaders the importance
of control systems security. To date, it has been distributed
to more than 100 faculty members at universities and related
institutions.
Fourth, an important aspect of our work in control systems
security is in the area of standards. We have worked closely
with NIST and other partners to improve technical guidance in
their special publication series. In addition, we are about to
release a catalog of control systems security standards that
will serve as a foundational document, available for any
industry to develop and implement cybersecurity standards
specific to their operational requirements. The catalog is a
compilation of practices inventoried from across the industry
standards bodies and will provide a mechanism to identify gaps
in existing standards and improve overall security.
And fifth, applying the risk management and partnership
framework outlined in the NIPP, the National Infrastructure
Protection Plan, we lead recent activity to identify, validate
and mitigate a control systems vulnerability affecting several
critical-infrastructure sectors. Federal agency partners worked
with industry, technical experts, to assess the vulnerability
and to jointly develop sector-specific mitigation plans. This
enabled owners and operators to take specific actions to reduce
the risk associated with the vulnerability. And this is a great
example of collaboration. This is exactly what was envisioned
in the NIPP process.
And we have also developed processes for sharing sensitive
information with Government and industry stakeholders. Our US-
CERT, the Computer Emergency Readiness Team, is charged with
recording response to cyber attacks and is responsible for
analyzing and disseminating cyber threat warning information.
Control systems security program personnel are currently
collocated and work closely with US-CERT. This close
relationship benefits the CERT, in terms of having the
expertise necessary for control systems. And they make
themselves immediately available for assisting with responses
to incidents and the management of vulnerabilities related to
control systems.
I will wrap up.
All of these efforts are informing our work to develop a
comprehensive control systems strategy with our Federal and our
private-sector partners. The strategy lays out a national
vision, roles and responsibilities, and identifies feature
requirements for national control systems security. Our goal is
to release a final version of this national strategy in the
first quarter of fiscal year 2009.
In conclusion, Mr. Chairman, securing control systems
within our critical infrastructure, specifically within the
electric grid, is a priority for DHS. The work we have
accomplished thus far exemplifies a successful collaboration
model for strengthening the security posture of our Nation's
control systems. It has also deepened our understanding of the
challenges that lay before us as we work to enhance the
security and resiliency of our Nation's critical
infrastructure. DHS is committed to continuing to work with our
partners to strengthen our national control systems
preparedness and our protection posture.
Thank you for your time today, Mr. Chairman. And I am happy
to answer any questions from the subcommittee.
[The statement of Mr. Garcia follows:]
Prepared Statement of Gregory Garcia
Chairman Langevin, Ranking Member McCaul, and Members of the
Subcommittee, I appreciate the opportunity to speak about the role the
Department of Homeland Security (DHS) plays in securing control
systems, including the tools and resources we have made available to
owners and operators of control systems, our efforts to collaborate and
share information with both the public and private sectors, and
analysis of control system vulnerabilities to strengthen the Nation's
control system security posture. These efforts support one of the
Department's primary missions of advancing preparedness. As October is
National Cyber Security Awareness Month, I think it is particularly
appropriate to highlight the importance of control systems security and
to discuss our efforts to date to raise awareness of the challenges and
solutions to securing these important systems. I would also like to
recognize Chairman Langevin's and Ranking Member McCaul's leadership in
promoting National Cyber Security Awareness Month's goals, objectives,
and activities among their colleagues and constituents through their
Dear Colleague letter and co-sponsorship of the Congressional
Resolution. Raising awareness about protecting our critical
infrastructures among home users, academic institutions, and
businesses, including our control systems owners and operators, is
fundamental to improving our preparedness posture.
As the Assistant Secretary for Cybersecurity and Communications
within DHS' National Protection and Programs Directorate (NPPD), I
oversee our mission to prepare for and respond to incidents that could
degrade or overwhelm the operation of our Nation's information
technology (IT) and communications infrastructure. This responsibility
includes the goal of ensuring the security, integrity, reliability, and
availability of our IT and communications networks. Reducing risk to
that portion of the 17 sectors designated as critical infrastructures
is among Secretary Chertoff's highest priorities, and I am pleased to
share with you the Department's ongoing efforts to address this
priority.
``Control system'' is a general term that encompasses several types
of systems, including supervisory control and data acquisition (SCADA)
systems, distributed control systems (DCS), and Programmable Logic
Controllers (PLC) often found in the industrial sectors and critical
infrastructures. Control systems typically are remotely controlled
devices used to operate physical processes in industries such as
electricity, water, oil and gas, chemical, transportation,
pharmaceutical, pulp and paper, food and beverage, and discrete
manufacturing (e.g., automotive, aerospace, and durable goods). These
control systems are critical to the safe and secure operation of our
highly interconnected and mutually dependent critical infrastructures.
A successful cyber attack on a control system could potentially result
in physical damage, loss of service, and/or economic impact.
Ensuring the security of these systems is essential, and that
responsibility lies heavily with the private sector, which owns and
operates over 85 percent of the Nation's critical infrastructures. DHS
works closely with private sector owners and operators to provide
expertise, analytical products, and education and training materials
that help control systems stakeholders identify and reduce direct risks
for control systems. DHS communicates and collaborates with many
diverse organizations, including government agencies, industry
associations, national laboratories, equipment vendors, and asset
owners and operators to identify improvements and drive their adoption
across the infrastructure community. Through its involvement in the
community and public-private partnerships, DHS is able to successfully
engage with private sector owners and operators on significant control
systems cyber security challenges and enable their voluntary
cooperation and participation in implementing improvements to enhance
the overall preparedness and resilience of the Nation's critical
infrastructure.
DHS has three main objectives for reducing cyber risk and securing
control systems: provide guidance, develop and enhance partnerships,
and prepare for and respond to incidents. DHS also leverages the
expertise and activities of operational programs and strategic
initiatives from across the Department and the U.S. Government and
integrates these activities to reduce risk, respond to incidents, and
foster a culture of preparedness within the control systems community.
DHS utilization of several information sharing mechanisms allows
the Department to manage effectively the collection and dissemination
of sensitive vulnerability information, which ultimately enables us to
raise awareness of vulnerabilities and risk management efforts among
the control systems community, influence security practices to reduce
risk, and raise the security bar across all the critical infrastructure
sectors.
First, DHS provides guidance to the control systems community
through several mechanisms and activities, including risk reduction
products, such as security implementation guidelines and recommended
practices; outreach and awareness through education and training; and
technology assessments to identify vulnerabilities.
One of our recent accomplishments with regard to risk reduction
products is the development and implementation of the Control Systems
Cyber Security Self Assessment Tool (CS2SAT), which employs a
systematic and repeatable approach that allows owners and operators to
assess the cyber security posture of their control systems. Through the
CS2SAT, users input facility-specific control system information. The
tool then provides users with a picture of their control systems
architecture and an assessment of their cyber security posture. It also
makes recommendations for improvements. The recommendations are derived
from industry cyber security standards and are linked to a set of
specific actions that can be applied to mitigate the identified
security vulnerabilities. The Instrumentation, Systems and Automation
Society (ISA), one of the largest global organizations for control
systems, announced on October 4, 2007 that it will make the CS2SAT
available to their membership, which consists of over 30,000 automation
professionals.
Another risk-reduction tool DHS sponsors for the control systems
community is the Multi-State Information Sharing and Analysis Center
(MS-ISAC) SCADA Procurement Project. We have worked closely with the
MS-ISAC, the SANS Institute, the Department of Energy (DOE) Idaho
National Laboratory, and representatives from government and industry
to develop common procurement language that owners and regulators can
incorporate into contracting mechanisms to ensure the control systems
they are buying or maintaining have the best available security. The
long term goal is to raise the level of control systems security
through the application of robust procurement requirements. The
Procurement Project has received very positive feedback from users, and
the document has averaged more than 450 downloads per month from the
MS-ISAC website where it was posted in January 2007.
DHS also provides education and training for our industry and
government partners. Through our control systems security training
courses, we have provided training to nearly 7,000 IT and control
systems professionals on a range of topics, such as identifying control
systems vulnerabilities, conducting risk assessments, and applying
standards-based mitigation measures to improve security. We offer both
classroom and web-based instruction modules and will be launching a new
operations security course later this month. The web-based training has
been especially popular with our partners with geographically dispersed
systems and personnel.
In addition, in coordination with academia we developed a graduate
school curriculum for Masters of Business Administration and Masters of
Public Policy programs to aid faculty in developing courses on the
security of critical infrastructures with an emphasis on control
systems security. The curriculum provides materials on public policy,
technical issues, and managerial principles associated with critical
infrastructure resiliency. To date, the curriculum has been distributed
to more than 100 faculty members at universities and related
institutions.
DHS is working with the National Institute of Standards and
Technology (NIST) to strengthen Federal standards and guidance
regarding control systems security. Over the past year, NIST has been
developing cyber security guidance and a compliance framework
specifically tailored to control systems. The guidance component,
Special Publication (SP) 800-82 (2nd draft), ``Guide to Industrial
Control Systems (ICS) Security,'' provides an overview of control
systems, identifies typical threats and vulnerabilities to these
systems, and provides recommended security countermeasures to mitigate
the associated risks. The compliance component, Special Publication
(SP) 800-53, ``Recommended Security Controls for Federal Information
Systems,'' defines the minimum security controls for Federal systems
and was originally published in 2005 by NIST in accordance with the
requirements outlined in the Federal Information Security Management
Act (FISMA). We have worked closely with NIST to develop SP 800-82, and
to ensure that control systems security was incorporated into the
updated revised SP 800-53. These NIST standards together will provide
important baseline security guidance for adoption by Federal owners and
operators of control systems.
We are also working with NIST and several of the DOE National
Laboratories to develop a catalog of control system security standards.
This comprehensive catalog represents a compilation of practices
inventoried from across the industry standards bodies and provides
recommendations for enhancements to standards to increase the security
of control systems from both cyber and physical attacks. While many of
today's standards appropriately address security factors, detailed
guidance is needed to ensure adequate protection from cyber attacks on
control systems. This catalog is specifically designed to provide a
framework for developing or enhancing technical aspects of security
standards. When completed, the catalog will serve as a foundational
document available for any industry using control systems to develop
and implement cyber security standards specific to their individual
operating requirements.
Second, we are developing and enhancing dynamic, cooperative
relationships with government, industry, academia, and our
international counterparts to promote control systems security and
leverage existing initiatives being conducted by government and
industry. For example, DHS partners with other agencies to support
research and development of secure technologies for control systems.
Public-private partnerships are essential in our efforts to improve the
security of control systems because, as noted previously, the private
sector owns and operates most critical infrastructure.
The National Infrastructure Protection Plan (NIPP) framework and
supporting Sector-Specific Plans (SSPs) provide a coordinated approach
to critical infrastructure protection roles and responsibilities for
Federal, State, local, tribal, international, and industry security
partners. Utilizing the NIPP framework, DHS directed recent activity to
validate and mitigate a control systems vulnerability affecting a
number of critical infrastructure sectors. Numerous Federal agency
partners worked closely with industry technical experts to assess the
vulnerability and to develop sector-specific mitigation plans. We are
pleased with the results of this partnership: it produced jointly
developed mitigation guidance and allowed owners and operators within
the affected sectors to take deliberate and decisive actions to reduce
significantly the risk associated with this vulnerability.
Recognizing the importance of engagement with industry, DHS
sponsors a number of groups to foster close collaboration and
information sharing among the control systems community. The Process
Control Systems Forum (PCSF) was established to accelerate the design,
development, and deployment of more secure control systems. The PCSF
includes a variety of stakeholders including both national and
international representatives from government, academia, owners and
operators, systems integrators, and vendors.
The Control Systems Cyber Security Vendors' Forum, a subgroup under
the PCSF, facilitates communication in a trusted environment between
industrial automation and equipment suppliers and control system
service providers. The Vendors' Forum consists of 50 members from 27
domestic and international companies comprising 90 percent of the
market share providing service to all 17 critical infrastructure
sectors.
An example of this collaboration occurred earlier this year when
members of the Vendors' Forum worked together to address the potential
effects on control systems caused by the date change in the Daylight
Saving Time (DST) standard. The change in DST impacted control systems
in over 19 countries. The control systems community recognized the
importance of this issue and worked with the DHS National Cyber
Security Division's United States Computer Emergency Readiness Team
(US-CERT) to develop a Technical Information Paper, ``Daylight Saving
Time Changes for 2007.'' The paper provided guidance to industry on
mitigation measures and has been downloaded from the US-CERT website
more than 500 times between April and July 2007.
Third, to prepare for and respond to incidents, DHS is improving
situational awareness, analyzing vulnerabilities, and sharing
information. Owners and operators can report general cyber incidents
and vulnerabilities, including those related to control systems, to the
US-CERT. Control systems technical experts are integrated into the US-
CERT operations center to provide timely situational awareness
information and assist with incident management.
DHS has developed processes for sharing sensitive information
related to control systems vulnerabilities with Federal, State, and
local governments, and control systems owners, operators, and vendors
to improve control systems security within and across all critical
infrastructure sectors. This process addresses the information flow
from vulnerability discovery, to validation, public and private
coordination, and outreach and awareness, as well as identifies the
deliverables and outcomes expected at each step in the process.
Information sharing between the government and the private sector is
essential to this process, and it allows both sectors to identify gaps
in preparedness capabilities among public and private sectors, as well
as identify policy issues that affect response and recovery.
The process incorporates existing entities across the public and
private sectors, including the Government and Industry Sector
Coordinating Councils, the US-CERT, the Homeland Security Information
Network (HSIN), and Information Sharing and Analysis Centers (ISAC). It
also builds on established Departmental practices and procedures for
the identification, validation, coordination, and communication of
vulnerabilities across the critical infrastructure sectors.
As part of this process, DHS relies on three primary mechanisms to
communicate vulnerability information about control systems to the
various stakeholders. The US-CERT National Cyber Alert System is
utilized as a mechanism to share information about vulnerabilities to a
broader audience. Vulnerability information is conveyed via several
products, including Vulnerability Notes that are released on a regular
basis to stakeholders in the control systems community. More detailed
analyses of cyber vulnerabilities that may impact control systems are
published via the Quarterly Report on Cyber Vulnerabilities of
Potential Risk to Control Systems, whose recipients include governments
and members of the control systems community. Both of these reports are
posted on the US-CERT Control Systems Portal and are available to all
portal members with access to the control systems section of the
website, which encompasses representatives from the Federal, State, and
local governments, Sector Specific Agencies, and control systems
owners, operators, and vendors.
In addition, DHS works with vendors, owners, and operators to
perform vulnerability assessments of selected systems to identify cyber
vulnerabilities based on emerging exploits and partners with industry
to develop mitigation strategies. DHS also works with control systems
vendors, owners, and operators to share sensitive information through
the Protected Critical Infrastructure Information (PCII) program so
that private sector vulnerability data may be appropriately
safeguarded.
Finally, in Fiscal Year (FY) 2007, we began working with our
Federal partners to identify baseline individual agency activities to
serve as the foundation for developing a comprehensive control systems
strategy that will encompass the public and private sectors, set a
national vision to secure control systems, describe roles and
responsibilities, and identify future requirements for 5para.resources
and actions. The Department has developed a timeline to complete this
action, building on work that has already been completed. In the first
quarter of FY 2008, a draft of the Federal sector portion of the
strategy will be released for review by government stakeholders.
Working with sector representatives from the Partnership for Critical
Infrastructure Security under the NIPP framework, we will then begin to
develop a private sector component to integrate into the strategy. We
intend to have a final comprehensive strategy ready for release in the
first quarter of FY 2009.
Conclusion
Securing control systems is an important priority for DHS because
they are unique elements of our critical infrastructure. They are
deployed ubiquitously and perform such vital functions that their
disruption could severely impact citizens' daily lives. DHS has
developed a program that includes the development and dissemination of
tools, products, and guidance to the controls systems community,
established mechanisms to work with our partners in both the government
and industry, and developed capabilities to prepare for and respond to
incidents.
Ongoing education and training for the control systems community is
imperative, as well as regular assessments of systems. We must continue
to raise awareness of the threats to and vulnerabilities of control
systems through our information sharing mechanisms and continue to
incorporate security measures in control systems standards. The
development, execution, and maintenance of a national control systems
security strategy is essential to managing our current and future
efforts. The work we have accomplished so far has deepened our
understanding of the challenges that lay before us, and we continue to
work to strengthen our national control systems preparedness and
protection posture.
Thank you for your time today, and I am happy to answer any
questions from the Subcommittee.
Mr. Langevin. Thank you, Mr. Secretary.
I will now recognize Mr. Wilshusen to summarize his
statement for 5 minutes.
GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES,
GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Langevin, Ranking Member McCaul and
members of the subcommittee, thank you for the opportunity to
testify at today's hearing on the cyber threats to control
systems.
Control systems are computer-based systems that are used in
many industries to monitor and control sensitive processes and
physical functions. These systems provide vital functions in
many of our Nation's critical infrastructures, including
electric power generation, transmission and distribution.
Today I will discuss the cyber threats, vulnerabilities and
impact of attacks on control systems, as well as private-sector
and Federal initiatives to strengthen the security of these
systems.
Mr. Chairman, critical infrastructure control systems face
increasing risk to cyber threats, vulnerabilities and the
potentially severe impact of an attack. Cyber threats can be
intentional or unintentional, targeted or nontargeted, and can
come from a variety of sources. Intentional threats include
both targeted and nontargeted attacks, while unintentional
threats can be caused by software upgrades or system
maintenance procedures that inadvertently disrupt systems.
Sources of these threats include foreign nation-states
engaged in information warfare, domestic criminals, hackers,
virus writers, and disgruntled insiders working inside or
within an organization. Federal and industry experts believe
that critical infrastructure control systems are more
vulnerable today than in the past, due to the increased
standardization of technologies, the increased connectivity of
control systems to other computer networks and the Internet,
insecure connections, and the widespread availability of
technical information about control systems.
The impact of a serious attack could be devastating, as the
following examples demonstrate. In an intentional targeted
attack, an individual who is rejected for a job opening
reportedly used a radio transmitter to remotely break in to the
controls of an Australian sewage-treatment system. He altered
electronic data for sewage pumping stations, which subsequently
resulted in them to malfunction, ultimately releasing about
264,000 gallons of raw sewage into nearby rivers and parks.
A foreign hacker penetrated security at a Harrisburg,
Pennsylvania, water-filtering plant and installed malicious
software that was capable of infecting the plant's water-
treatment operations. The infection occurred through the
Internet and did not seem to be an attack that specifically
targeted the control system.
And in an unintentional incident, two circulation pumps at
Unit 3 of the Browns Ferry, Alabama, nuclear power plant
failed, forcing the plant to be shut down manually. The failure
of the pumps was traced to excessive traffic on the control
system network, possibly caused by the failure of another
control system device.
The private sector and Federal agencies have multiple
initiatives under way to help secure control systems. Industry-
specific organizations in various sectors, including the
electricity, oil and gas, and water sectors, have ongoing
initiatives to develop standards, publish guidance and host
workshops.
Federal agencies, including DHS, DOE and others, have also
initiated efforts to improve the security of critical
infrastructure control systems. These include coordinating with
the US-CERT to provide timely information about vulnerabilities
and incidents, developing a Control System Cybersecurity Self-
Assessment Tool for control system owners and operators,
establishing the National SCADA Test Bed Program and publishing
security guidance.
However, DHS has not yet established a strategy to
coordinate the various control systems activities across
Federal agencies and the private sector. In addition, more can
be done to address specific weaknesses in DHS's ability to
share information on control system vulnerabilities.
In a report being released today, we recommend that the
Secretary of Homeland Security develop an overarching strategy
to guide efforts for security control systems and establish a
rapid and secure process for sharing sensitive vulnerability
information with control system stakeholders.
Until DHS implements these actions, increased risk exists
that the Federal Government and private sector will with invest
in duplicative efforts, miss opportunities to learn from the
activities of others, and not be timely informed about key
vulnerabilities that expose control systems to an increased
risk of disruption.
Mr. Chairman, this concludes my statement, and I would be
happy to answer any questions that you or members of the
subcommittee may have.
[The statement of Mr. Wilshusen follows:] \1\
---------------------------------------------------------------------------
\1\ See committee file.
---------------------------------------------------------------------------
Mr. Langevin. Thank you, Mr. Wilshusen.
I want to now recognize Mr. Roxey to summarize your
statement for 5 minutes.
STATEMENT OF TIMOTHY E. ROXEY, TECHNICAL ASSISTANT TO THE
PRESIDENT OF CONSTELLATION GENERATION GROUP
Mr. Roxey. Chairman Langevin, Ranking Member McCaul and
members of the subcommittee, thank you very much for allowing
me the opportunity to come and talk to you today.
As previously indicated, I am the team lead for the Aurora
mitigation efforts in the private sector, and that is part of
my hat for deputy to the Partnership for Critical
Infrastructure Security.
I am here today to discuss the successful private-public
partnership model of the national infrastructure plan and how
this partnership brought about successful mitigation without
any need for significant regulatory action by any Federal
agency. My discussion will fall into three areas: actions taken
within the private-public partnership model, preliminary
lessons learned and some concluding remarks.
The actions taken started when the private sector was
approached in late February by Department of Homeland Security.
The information being conveyed to us at that time was stressed
as being very sensitive, and we were also told the Department
of Homeland Security was keeping this information at the FOUA
level, rather than classified, because, in recognition of the
fact that 85 to 90 percent of the Nation's critical
infrastructure is owned, operated and secured by the private
sector, the classification of such information would make it
very difficult, if not impossible, to rapidly move forward to
mitigation.
Mitigation actions were developed by my team and the
electric sector team, with the partnership of Homeland Security
and the Idaho National Labs subject-matter experts. And they
fell into basically two categories: the short-term, mid-term,
long-term mitigation strategies, which are things that you can
do to step through and reduce and mitigate exposure; and then a
set of immediate actions that, had this risk been brought out
into the public a lot earlier, we may have had a threat,
therefore we may have had to step briskly into some immediate
actions. It is gratifying to state right now that that has not
been the case.
Support from DHS, DOE and the national labs was essential
in the development of these strategies. In addition, DHS has
maintained a very strong presence within the nuclear sector
throughout the mitigation strategy's implementation phase. This
effort is, in our opinion, a very strong example of effective
public-private partnership.
When the mitigation documents were completed, roughly June,
June 13th I believe, of this year--so between March and June
13th, we developed these documents. They were approved by the
Nuclear Sector Coordinating Council, the Electric Sector
Coordinating Council, and transmitted through those councils to
the sectors on June 20th and 21st.
The NRC also put out a letter on June 20th, and coordinated
with the nuclear sector document, requesting that at 60 days
and 180 days we report back to the NRC the progress that we had
made in implementing those developed strategies. Each of the
sector mitigation strategies, like I said, identified a 60--and
180-day requirement in the nuclear sector. And the NRC's letter
was their regulatory footprint on this issue to try and drive
an understanding of the concern to get mitigation accomplished.
Some have asked why the nuclear sector took this initiative
on as a commitment. The nuclear power sector, one of the 18
critical infrastructures within the Partnership for Critical
Infrastructure Security, is probably the most bounded sector in
the United States. There are 65 physical sites, 104 power
plants and a well-organized Nuclear Energy Institute, our
industry association. We have a strong regulator in our area,
the Nuclear Regulatory Commission. So it is a very tight box,
and we can driving solutions on this very quickly. And it was
felt that we could make these actions a commitment on ourselves
and execute them within a time frame.
On June 20th, these actions started off. September 20th,
these actions were 100 percent successfully mitigated in the
nuclear sector and all electric-sector assets that are adjacent
to nuclear-sector assets. That is a very substantial
accomplishment.
A few lessons learned, if I could.
Effective, voluntary public-private partnership is the key
to timely mitigation of security vulnerabilities. Proactive
industry actions, endorsed by a Federal agency with oversight
responsibilities, led to reducing the risk to our Nation's
nuclear infrastructure in a timely manner.
Trust the technical experts and involve them in all
communications. Bring them along to meetings and briefings.
Bring a vetted industry group into the conversation as soon
as possible to validate and partner with researchers. Sector
leads from PCIS may be an appropriate group, along with their
technical experts. PCIS is an appropriate vehicle to ensure
that there is a broad review across many sectors.
Consistent common messaging provides consistent common
mitigation, a common message that all affected sectors
received. In this case, there are some mixed messages, but we
worked very hard to fix that.
Single point of contact facilitates effective coordination.
We did have a single point of contact within the Department of
Homeland Security, and that was a very effective tool for us to
use as we stepped through.
Concluding remarks: I would like to just jump right to the-
additionally, the public-private partnership model should be
nurtured and continued. Early engagement of private-sector
leadership through interaction between DHS, PCIS and the
vulnerability researchers is an excellent way to fully vet the
emerging vulnerability with both DHS and the SMEs from other
Federal agencies and the private sector.
These efforts should start with effective awareness
campaigns to educate all sectors about the risks that they
currently face, followed with clear guidance on appropriate
mitigation measures for the newly discovered risk. This
guidance should contemplate all aspects of the technology life
cycle, including improved development standards, implementation
guidelines, operating procedures and incident response.
Good progress has been made by progressive asset owners,
industry-initiated infrastructure protection leadership, and by
vendors willing to anticipate larger market-driven requirements
for more security. Security, including cybersecurity, is best
enhanced by continuing to build trust relationships and
voluntary coordination and cooperation using the sector
partnership framework. The nimbleness that effective security
requires in the modern world makes these trust relationships
our best defense.
Finally, the nuclear sector, in close coordination with our
Government coordinating council partners, did mitigate and
close off this vulnerability before the threat became known and
without new regulations.
Thank you very much. I would be happy to answer any
questions.
[The statement of Mr. Roxey follows:]
Prepared Statement of Timothy E. Roxey
Mr. Chairman and Members of the Subcommittee:
I am Tim Roxey, Technical Assistant to the President of
Constellation Generation Group for security and Deputy to the Chairs
for both the Nuclear Sector Coordinating Council (NSCC) and the
Partnership for Critical Infrastructure Security (PCIS). I am also the
team lead for the Aurora mitigation efforts for the Private Sector.
In this last role I collaborate with subject matter experts (SME)
(Research Engineers from Idaho National Labs (INL) and their
contractors. . .who discovered the present vulnerability, Industry SME
from all of the impacted Critical Infrastructure Sectors, Department of
Homeland Security (DHS) and Department of Energy (DOE) SME and
officials) in order to develop mitigation strategies to thwart the
exploitation of the cyber vulnerability which threatens our critical
infrastructure. Before becoming a Technical Assistant and Deputy to the
Chairs of NSCC and PCIS I was a director of IT at one of our Nation's
Nuclear Power Plants. In this role I was responsible for all
telecommunications, IT applications and Cyber Security for the entire
nuclear fleet. In addition, I was the nuclear sector's Chairman of a
standing committee dedicated to Cyber Security. I was a founding member
of the Nuclear Energy Institute's (NEI) cyber security task force;
formed shortly after 9/11, the task force's purpose was to write an
assessment and mitigation guidance document for nuclear power plants.
This document, NEI 04-04: Cyber Security Program for Power Reactors was
endorsed by the NRC and found an acceptable method to address cyber
security. Since the endorsement of NEI 04-04 the NRC has proposed
regulations for cyber security that are consistent with NEI 04-04.
I have also had former senior level governmental interactions when
I worked with Vice President Al Gores' National Performance Review as a
private sector Industry Sector Liaison. In this capacity I was charged
with bringing Industry's requirements for regulatory interactions into
a discussion with various federal sector agencies.
I am here today however, to discuss the successful use of the
Public-Private Partnership model discussed in the National
Infrastructure Protection Plan (NIPP). This partnership brought about
the mitigation of the recently identified control system vulnerability
(CSV) without the need for significant regulatory action by any federal
agency. My discussion will fall into two areas as they relate to the
present vulnerability. These areas are:
(1) Actions taken within the Public-Private partnership -
structures and processes which reduce risk of vulnerability
(2) Preliminary lessons learned--a look back on this effort to
help improve the performance of the Public/Private Partnership
model's performance.
(3) Concluding Remarks
Actions Taken
The Nuclear Sector was approached by DHS about the Aurora
vulnerability in February of 2007. At this initial briefing it was
decided that a more through briefing would be given to a select sub-
group of the NSCC. It was also stressed that this subject is very
sensitive and hence needed to be protected from disclosure.
To this final point DHS worked very hard to make sure that the
Aurora issue remained at a FOUO level rather than being classified at a
higher level. This decision was based on the fact that it is the
private sector that owns, operates, and secures roughly 85% of all of
our nation's critical infrastructure and key resources. By having the
knowledge of this vulnerability classified it would have been difficult
if not impossible for the private sector to develop and implement
mitigation strategies as rapidly as it has.
In late February DHS officials from Infrastructure Protection
briefed the details of the Aurora vulnerability to the NSCC. At this
meeting the nuclear sector decided to take aggressive action to develop
and implement mitigations that would reduce the exposure of the nuclear
power facilities to this vulnerability.
A multilevel structure was developed within the nuclear sector and
individuals assigned. The structure consisted of an Executive Review
Board that reported to the NSCC and a Technical Task Team that was
charged with development of guidance document for industry to use to
perform mitigation activities.
The nuclear sectors' Aurora Technical Team worked in close
coordination with the Electric Sectors' technical team in the
development of mitigation documents. The nuclear sectors Technical Team
also worked in close coordination with its government partners
including strong coordination with the NRC.
The various mitigation actions that were developed were divided
into two areas. One area was short-term, mid-term, and long-term
actions and the second area was a set of actions designed to be
implemented immediately if the specific vulnerability was actually
being exploited. It is gratifying to say that the immediate actions
have not been needed. The shortest term actions were targeted at
substantially reducing the exposure to the vulnerably and the longest
term actions were designed to make improvements in the supply chain and
stand up programmatic actions.
The support from DHS, DOE, and the national labs (such as Idaho
National Labs) in the rapid development and implementation of these
mitigation documents was essential. In addition DHS has maintained a
strong presence with the nuclear sector throughout these mitigation
efforts. This effort is an example of the very effective Public-Private
partnership.
When the mitigation documents were completed they were routed
through the NSCC and ESCC for approval and then scheduled for release
to industry. The release of the Nuclear Sectors mitigation document was
coordinated with the release of the Electric Sectors (ES) Information
Sharing and Analysis Centers (ISAC) Advisory which was released one day
after the Nuclear Sector mitigation document.
Based on the endorsement of the NSCC, the Nuclear Sector Technical
Task Team added additional resources such as a Project Manager to
manage the actual implementation phase of the mitigation work. A kick
off meeting was held in Washington DC on June 13 with a final release
to the industry of mitigation documents made the following week.
Within the nuclear sector a series of weekly meetings between the
nuclear sector Technical Team (comprised of representatives from INL,
DHS, and Industry) and the various points of contact for all of the
nation's nuclear power plants was convened and mitigation efforts
began. To monitor the sectors performance the Technical Task Teams' PM
prepared status reports for the Executive Review Board and DHS. These
reports were updated every week based on the weekly meeting report out
by all of the nuclear utility participants.
Each of the sector mitigation documents urged that actions be taken
within 60 days and then again different actions within 180 days. The
NRC in a letter, coordinated for release along with the sectors'
mitigation document, requested that the nuclear sector licensees
provide an update to the NRC on progress made at the completion of the
60 days and 180 day efforts.
Why did Nuclear take this initiative on as a requirement? The
nuclear power sector took this opportunity to demonstrate its
commitment to security. The sector recognized the validity of the
vulnerability, and because the sector is well structured to handle
these types of emergent issues, with only 65 physical sites and 104
power plants and a well organized industry association (the Nuclear
Energy Institute), it was feasible to develop a uniform mitigation plan
that sector members could implement within the desired time frame.
Lessons Learned
1. An effective, voluntary public-private partnership is the
key to timely mitigation of security vulnerabilities. Proactive
industry actions, endorsed by a federal agency with oversight
responsibilities, are effective in reducing the risk to our
nation's nuclear infrastructure in a timely manner without the
delays or exposure of sensitive information that the due
process requirements of regulatory action could necessitate.
2. Trust the technical experts and involve them in all
communications. Bring them along to meetings and briefings for
support. Several times it seemed that the message changed as it
moved from the technical experts to the policy experts. When
non-technical people brief on technical aspects to technical
people there is a high risk of losing credibility and it
becomes difficult to recover.
3. Bring in a vetted industry group ASAP to validate and
partner with researchers. This group will validate the
conclusions of the researchers and facilitate expedient
response by private sector owners and operators, because their
involvement lends credibility to the message. Sector leads from
PCIS may be an appropriate group, as long as they bring their
technical experts to the table as well. In this regard, PCIS is
an appropriate vehicle to ensure that there is a broad review
across many sectors.
4. A multi-sector implementation plan is needed to provide
cross-sector coordination. An implementation plan should be
developed that addresses the sequence of sector engagement
based upon a full discussion between the public sector and
private sector. Although in the present effort this was
performed successfully this step needs to be institutionalized
so that future discoveries can benefit from this step. This
plan should address the sector and assets to address first then
second then third, etc.
5. Consistent common messaging provides consistent common
mitigation. There should be a common message that all effected
sectors receive. In this particular case there are mixed
messages. After 16 months of research and 5 months of multi-
sector mitigation strategy development there are still some
messages saying this is not a significant issue because of the
difficulty of exploiting it and others saying it is.
6. Single point of contact facilitiates effective coordination.
The establishment of a single point of contact within DHS was
of great utility to the Private Sector. This single point of
DHS contact provide for consistent and sustained coordination
with the subject matter experts of INL and the private sector
team of subject matter experts and the Aurora Technical Team's
lead. This support was instrumental in the achievement of
nuclear sectors 60 day mitigation and the electric sectors
mitigation of nearby electric sector assets.
Concluding Remarks
The course of action that is recommended for any future discovered
vulnerability, in light of the success of the present mitigation
efforts, leads to the conclusion that continued decisive and
coordinated private sector partnerships leads to a better vetting of
vulnerabilities and a faster response via mitigation. In addition,
these actions can take place much faster than the regulatory rule
making process. This was shown to be the case within the nuclear
sector.
Additionally, the course of action that is recommended for any
future discovered vulnerability, in light of the success of the present
mitigation efforts, leads to the conclusion that continued decisive,
coordinated, and committed effort by government, and private sector
leadership within the framework of the Public Private Partnership model
should be nurtured and continued. Early engagement of private sector
leadership through interaction between DHS, PCIS and the vulnerability
researchers is an excellent way to fully vet the emerging vulnerability
with both DHS (and SME's from other federal agency's) and the private
sector.
These efforts should start with effective awareness campaigns to
educate all sectors about the risks that they currently face, followed
with clear guidance on appropriate mitigation measures for the newly
discovered risk. This guidance should contemplate all aspects of the
technology lifecycle, including improved development standards,
implementation guidelines, operations procedures, and incident
response. Good progress has been made by progressive asset owners,
industry-initiated infrastructure protection leadership and by vendors
willing to anticipate larger market-driven requirements for more
security. Security, including cyber security, is best enhanced by
continuing to build trust relationships and voluntary coordination and
cooperation using the sector partnership framework. The nimbleness that
effective security requires in the modern world makes these trust
relationships our best defense.
Mr. Langevin. I want to thank the witnesses for their
testimony.
And I will remind the members that each member will have 5
minutes to question the panel.
And I recognize myself now for the purpose of asking
questions.
Secretary Garcia, I would like to start with you. In your
written statement, it says that you were pleased with the
results of the public-private partnership on Aurora because you
developed mitigation guidance. Now, guidance is good, but this
committee is most concerned about mitigation implementation.
So my question is, what percentage of the electric-sector
owners and operators do you believe implemented the Aurora
recommendations issued by NERC?
Mr. Garcia. Yes, Mr. Chairman, we would rely on the
industry sector leads to collect that information, as that is
something that we don't collect nor compel. But we do
understand that the mitigation strategies were sent out to
hundreds of electric-sector owners and operators. And, as Mr.
Roxey indicated for the nuclear sector, he reported about 100
percent mitigation.
So we are looking to continue the partnership with the
private-sector leads to monitor how well that implementation is
going. But for specific numbers, I don't have that for you
today.
Mr. Langevin. But Mr. Roxey, in the comments that he was
making, was speaking specifically about the nuclear sector and
not the electric grid. So we may have had success on the
nuclear side and in securing SCADA systems, but not necessarily
on the electric side.
Now, I think that is an area where Homeland Security has to
be much more proactive, in making sure that the mitigation
strategies were actually implemented.
Mr. Garcia. Absolutely, sir.
Mr. Langevin. We clearly don't want to find out that we
knew there was a problem, we expected mitigation to take place,
and yet it wasn't. And we don't want to find that out only
after something were to happen, an attack occurs or, whether it
is intentional or unintentional, something shuts down the power
grid.
Mr. Garcia. Yes, sir. And we also rely heavily on our
Federal partner on this, FERC, who you will be hearing from in
the next panel, who is keeping up that close relationship with
the electric sector to monitor progress in that area.
But this is something that DHS takes very seriously. And we
continue to push on this with all sectors, because we are
concerned with common vulnerabilities, control systems
vulnerabilities, across all the critical sectors. So we are
trying to raise awareness of this not just in the electric
sector and nuclear, but to many other critical sectors.
Mr. Langevin. Well, Assistant Secretary Garcia and Mr.
Wilshusen, have you reviewed our comments to the FERC
Rulemaking? And, if so, do you agree with our assessment that
the narrow definition of critical assets allows the electric
industry to avoid securing many connective devices?
Mr. Wilshusen. Yes, we have taken a preliminary look at
your comments, as well as those of the requirements that NERC
has established and the reliability standards. And, yes, we do
have some concerns about the extent to which these standards
and regulations apply to those types of assets.
We believe that, in many cases, that they do not appear to
consider, one, the interdependencies of critical infrastructure
on the bulk electrical system. And they also appear to identify
only those assets which could have an impact on the
availability or reliability of the bulk electrical system, and
does not necessarily identify those assets or cover those
assets that, while they may not have an impact on the overall
bulk electrical system, they could have a significant localized
impact on critical infrastructures that are supported by the
bulk electrical system.
Mr. Langevin. Yes, that is an important point.
Secretary Garcia?
Mr. Garcia. Mr. Chairman, we are trying to get standards
that all industry sectors can deploy against vulnerabilities to
their control systems. And certainly, the NIST standards ought
to be heavily considered in all critical infrastructure control
systems standards development, in addition to sector-specific
operational requirements.
So while we don't have specific guidance on each sector for
what standards they ought to deploy, we think that they ought
to be able to effectively combine the NIST standards with those
that are specific to their sector.
And on the electric sector, I think our friends in FERC may
have more comment on that.
Mr. Langevin. But do you agree that our assessment that the
narrow definition of critical assets allows electric industry
to avoid securing many connected devices?
Mr. Garcia. I would actually prefer, on a question of that
specific detail, to defer to FERC on making the judgment about
the sectors implementation.
Mr. Langevin. Mr. Wilshusen, the committee asked GAO to
compare the NERC standards with NIST 800-53. Can you briefly
describe your conclusion?
Mr. Wilshusen. Yes. We found that the NERC reliability
standards contained less stringent security requirements and
guidelines than the NIST guidance. The NERC standards do not
provide levels of protection from cyber attacks commensurate
with the mandatory minimum low-baseline level of protection
required by NIST.
For example, NERC standards addressed only a subset of a
low--and moderate-baseline control set specified in 800-53. And
this subset may not be adequate for protecting critical
national infrastructure control systems, especially when
considering the interdependencies of the critical
infrastructures. And further, it may not be adequate for all
electrical energy systems when the impact of regional and
national power outages is considered.
Mr. Langevin. I thank you, Mr. Wilshusen.
The Chair now recognizes the--before I turn it over to the
ranking member, I think this is something we are going to have
to take a harder look at. Because why NERC would have standards
that are below NIST when the Federal Government has to comply
with NIST standards and the larger impact potentially would be
in the private sector and why NERC would adopt standards which
aren't on par to NIST is beyond me. And this is something we
are going to pay particularly close attention to. If need be,
legislation would be required to require that standard to be on
par.
With that, the Chair now recognizes the ranking member for
5 minutes.
Mr. McCaul. I thank the Chairman. And, as you know, we are
in agreement on that issue.
I recall being briefed, I think it was last January--we had
just got sworn into the new Congress, and we got briefed on
this significant vulnerability--and at that time, it was a
closed-door session; it has come out on the news now--but the
vulnerability that could potentially shut down our power grids
in this country and bring tremendous destruction.
We know that 25 nations have developed cyber warfare
programs, so the capability, this type of capability in the
wrong hands of a rogue nation or a terrorist state could be
devastating.
But I also believe that credit is due where it is due. And
I think that the fact that we discovered this, through the
Idaho National Labs, on our own, proactively, and Mr. Garcia,
working with the Department Homeland Security, and, Mr. Roxey,
your coordination on the mitigation strategy with the private
sector, is to be commended.
And that is really what, I think, in the Congress, we want
to see, is instead of being behind the curve and catching up--
and we know the vulnerabilities are huge and the intrusions
happen all the time. This was actually a good-news story and an
example of where we discovered the vulnerability, not some
foreign entity or some criminal. We found it first. We fixed
it. And then by June, Mr. Roxey, you put your plan of action,
mitigation strategy into action. Within 60 days, the nuclear
sector was protected. The electricity, I think it will take 120
days.
But I think that is an important point to make. I mean, you
are really to be commended for what you did. I know sharing
information, which we require you do with the Congress, always
makes you a little nervous, because you don't know what is
going to happen with that information. But this was a good-news
story. I mean, we really stopped a serious thing from being a
serious threat to the United States. And I think it is great
news.
And, Mr. Wilshusen, I agree with you. I think an
overarching strategy is what we need at the Department of
Homeland Security.
Mr. Garcia, I know you are working on that.
And I think the coordination with the stakeholders through
the private sector is critically important. And, Mr. Roxey,
through your testimony, I think you've demonstrated that, in
large part, that is working, through the ISACs, the Information
Sharing Analysis Centers. That is what was actually put into
place through the mitigation strategy, and it is working.
My question, without going into a sermon up here, is, what
can we do to see more of this?
What can you do, Mr. Garcia, at the Department of Homeland
Security to proactively find vulnerabilities that are out
there, before our enemies do, and then fix them and then
mitigate the potential damage that can be done?
And that is for the entire panel.
Mr. Garcia. Congressman, thank you for the question and for
the compliment. I very much appreciate it.
My response as to what you can do is, you are doing it
right now. Having public hearings like this that are raising
the issue and raising the awareness about the range of
vulnerabilities that we face to our critical infrastructure
really is the first step to get people to sit up and pay
attention, particularly the owners and operators of the
infrastructures that they have responsibility for protecting.
You are correct that this was a vulnerability that we
initially identified, hypothesized that this could actually
happen. We understood that, as Mr. Wilshusen has pointed out,
that the control systems vulnerability--we have known for some
time that there are vulnerabilities in control systems. What
made this one different is that the vulnerability was
susceptible to cyber attack that would have a physical impact
on a structure such as a generator.
And since the time that we had gone through the mitigation
strategy with the private sector, with nuclear and electric, we
learned quite a lot about how to work this process. I mean,
this case, this really was the first instance that we had put
the National Infrastructure Protection Plan, the sector-
specific plans to work. This was a model for how Federal
agencies work together, to work with their private-sector
counterparts. So DOE, Defense Department, DHS, several other
agencies worked very closely with their industry counterparts.
We have a number of lessons learned out of that process
that I can tell you we are only going to be more effective and
more expeditious as we continue to look for and discover,
identify vulnerabilities to various other control systems. And
since nuclear and electric, we have worked with the private
sectors from chemical, oil and natural gas, dams and water. And
last month, in September, those industry sectors sent out
mitigation strategies for their control systems.
So we are moving apace, with all due diligence and good
speed, to attack these vulnerabilities very quickly.
Mr. McCaul. Thank you.
And Just very briefly, Mr. Roxey.
Mr. Roxey. I would like to add to what Mr. Garcia just
said, that, by pursuing and nuturing the public-private
partnership model, you are going to be doing exactly what you
are after. The other sectors, the water/dam, chemical, oil and
gas sector, that are out there right now on their 60-day
clock--that is where the 180-day clock for electric is--they
are going to be calling their electric sectors in to mitigate
those assets as well.
So I think that this was--and we appreciate the kudos.
Thank you very much. By looking at the lessons learned from
this and implementing those, I think we are only going to get
better from here. Thank you.
Mr. Wilshusen. And I would just like to add, too, that one
of the key things that both the public and private sector will
need to do as they increasingly use IP protocols, in terms of
being able to connect to their control systems with other
company networks on the Internet, to be aware of the risk of
the increased accessibility and interconnectivity. And then to
learn from the examples that are legion in the regular Federal
IT space, that there are significant risks and vulnerabilities
associated with interconnecting systems, and to take the
appropriate steps to mitigate those risks by developing the
policies, procedures and controls, and then testing those
techniques and controls to make sure that they are effectively
implemented and operating as designed.
And then, once you have that, as we have discussed and the
other members have mentioned, is to make sure to keep the lines
of communication open and share this information of
vulnerabilities and of new threats among all the parties within
this space.
Mr. McCaul. Just in closing, Mr. Chairman, I think this is
a great exercise and experience that we can really draw upon to
have lessons learned but also use as a model for future cases.
And I want to commend the gentlemen again. Thank you.
Mr. Langevin. I thank the gentleman.
And briefly, to comment on the ranking member's opening
comments, in many ways there are elements of this being a good-
news story. First of all, I commend the gentleman from Idaho
National Labs who first detected the problem and then brought
it to the attention of the Congress and also Department of
Homeland Security. And then the Department of Homeland Security
did put in place the Tiger Teams to try to address this.
Where we want to make sure this continues to be a good-news
story is that we actually, in coming up with the mitigation
strategies, that we see these strategies actually implemented.
We need to have a high degree of confidence that when something
of this seriousness and magnitude is identified, mitigation
procedures are prescribed, that there is follow-through and not
left to just hoping that it is not going to happen them or a
particular sector; that they actually take it seriously, and
that the electric or gas or oil sectors actually follow through
and implement the strategies.
With that, the Chair now recognizes other members for
questions they may wish to ask of the witnesses. In accordance
with our committee rules and practice, I will now recognize
members who were present at the start of the hearing, based on
the seniority on the subcommittee, alternating between minority
and majority. Those members coming later will be recognized in
order of their arrival.
With that, the Chair now recognizes the gentleman from New
Jersey for 5 minutes.
Mr. Pascrell. Thank you, Mr. Chairman.
Mr. Garcia, a cybersecurity attack on our energy grid is
certainly one of the emerging threats and security
vulnerabilities that need to be thoroughly studied, addressed
through the proper security regulations to hear what the
private sector has to say about it, to hear what regulations or
recommendations will come out of the Federal Government, and so
we can have a meeting of the minds. We are not trying to
impose, but we want to protect.
So I have had many concerns about the management over at
the Department of Homeland Security. Specifically, this
committee has discovered that, as was mentioned earlier, many
of the most important areas within the Department are unfilled
at the senior-management level, leaving critical security areas
with what we would consider to be less-than-adequate
leadership.
My question is, how many program managers have been in
charge of the Control Systems Security Program in the last 3
years?
Mr. Garcia. Congressman, I am not certain of the number.
Our last control systems manager had been with us for more than
a year.
But we at CSMC and my component, National Cybersecurity
Division, take very seriously our need to retain our talent and
to recruit additional talents. I am happy to report that we are
aggressively filling the control systems director position. The
job has been posted, and we will move aggressively to fill
that, as with the other vacancies in the organization.
Mr. Pascrell. Would you get back to me on that?
Mr. Garcia. I would be happy to. Thank you.
Mr. Pascrell. How much is being spent on the control
systems security at DHS?
Mr. Garcia. Our fiscal year 2008 budget is currently $12
million. And it is important to note that we are leveraging the
resources not just within the control systems program but
across NCSD that provides input and expertise with other
aspects of the control systems issue. And additionally, we are
leveraging our partnership with----
Mr. Pascrell. What was the 2007 budget, fiscal year budget?
Mr. Garcia. I will have to get back to you on that number.
It does represent an increase.
Mr. Pascrell. Who was in charge of this program, and at
what grade is this person?
Mr. Garcia. This is a GS-15, and this is the individual we
expect to have the post filled, backfilled very quickly.
Mr. Pascrell. There is no person there?
Mr. Garcia. That person left for personal reasons; that is
correct.
Mr. Pascrell. Mr. Chairman--
Mr. Garcia. It is now being handled by our acting director
of the National Cybersecurity Division.
Mr. Pascrell. My last question is this. DHS issued
regulations in 2007 on chemical security. This committee, on a
bipartisan basis, was very clear on what it wanted. It also
added a cybersecurity component to existing regulations. Was
your office consulted on this?
Mr. Garcia. Oh, absolutely. We were part of that
development, and we currently are working with all the private
sectors to consider specific mitigation strategies for all of
their control systems, rather than try to apply a regulatory
overlay on all of the other----
Mr. Pascrell. So, at least in this area, one hand knows
what the other is doing?
Mr. Garcia. That is correct.
Mr. Pascrell. That is healthy. That is very healthy.
Mr. Wilshusen, in your statement, you asserted that the
annual cost to the energy sector for maintaining control
systems, to maintain the networks, to maintaining equipment and
personnel, was around $400 million. You said that in your
statement.
Can you speculate how much more would it cost if the
proposed recommendations in the National Science and Tech
Standards--that is 800-53--if they were adopted instead of the
NERC-proposed standards, do you have any idea what the
difference in cost would be? And is that relevant?
Mr. Wilshusen. No, sir, I don't have that information on
how much that would cost.
Mr. Pascrell. Is it relevant?
Mr. Wilshusen. Certainly. Relevant in terms of its
consideration in implementation of controls, because when you
determine whether or not to implement a particular control, you
need to make sure that that control cost-effectively will
reduce the risk to an acceptable level. And so, certainly, cost
is a factor.
Mr. Pascrell. So, if one set of standards implement--and I
am giving an example here. Cost would be simply be one of the
factors that would be involved to decide which one we would try
to implement. Is that a fair statement?
Mr. Wilshusen. I would say cost is a factor in the
determination of which controls to implement, sure. But so is
the adverse impact or harm that could occur should that control
not be implemented and such a vulnerability or weakness be
exploited.
Mr. Pascrell. Thank you very much.
Thank you, Mr. Chairman.
Mr. Langevin. The Chair now recognizes the gentlelady from
Florida, Ms. Ginny Brown-Waite.
Ms. Brown-Waite. Thank you very much.
I still remember when we first learned about the problem,
and I couldn't help but think about whether it was TVA, with
the dams, or even in Florida, where we have control structures
that, you know, would have a wide range of repercussions if
anything happened.
And I would like to address this to Mr. Wilshusen. While I
understand the grave risks facing our control grid, could you
elaborate on how the countless power and energy providers would
be impacted by having to comply?
And I am sorry, you may have answered this before I got
here. I apologize.
Mr. Wilshusen. Well, one of the things--if they are now in
compliance with the NERC reliability standards, and they were
to try to go implement the controls to be in compliance with
the NIST standards, because the NERC reliability standards
contain just a subset of the NIST standards, it would impact
them to the extent that they would need to implement additional
controls in order to be in compliance with those standards.
In some cases, it is also important to realize that the
NIST standards and minimum security requirements, in certain
cases, may not be appropriate or practical or feasible for
certain control systems because of the environment that it is,
but that----
Ms. Brown-Waite. Would you give me an example of one that
it wouldn't be appropriate for?
Mr. Wilshusen. Here is one that the industry
representatives have identified. For example, one would be
having password controls over some of the control systems.
Their thinking was that, in the event of an emergency, it is
imperative that the operator be able to log on to their system
and react immediately, and that the use of passwords could
potentially disrupt that or make it more difficult for that
individual to log on in a timely manner.
Ms. Brown-Waite. Are nuclear power plants--and I happen to
have one in my district. Some people consider it a blessing;
others consider it less of a blessing. Are nuclear power plants
certainly at the top of the risk category?
Mr. Wilshusen. I would say--well, it depends on which
perspective, but in terms of a security breach or
vulnerability, I would say that they are probably near the top.
But I really couldn't say that without specific evidence that
we haven't really looked at that to see which of the industries
are most at risk.
Ms. Brown-Waite. Okay. I appreciate that. Thank you.
And I yield back, Mr. Chairman.
Mr. Langevin. I thank the gentlelady.
The gentlelady from California, Ms. Lofgren, is recognized
now for 5 minutes.
Ms. Lofgren. Thank you very much, Mr. Chairman, and to the
witnesses.
I just have a couple of questions. Actually, the GAO report
makes me very anxious. One of the concerns that we have had
here is our exposure in the cyber area. And that is why, when
Mr. Thornberry was on this committee, he and I worked together,
and it was really one of those high points of my career in
Congress to work in such a collaborative fashion, in a
bipartisan fashion, to create the position that you now hold,
Mr. Garcia, with the idea that we really needed the kind of
attention that this threat was not getting.
And here is my concern, that the GAO really identifies the
same deficiencies that the outside critics have identified in
the scope of the NERC CIP standards and specifically on the
interconnections and the possibility of cascading failures.
Ms. Lofgren. [Continuing.] And so the question is, what are
you going to do about it? What leadership are you going to show
to make sure that these gaps are remedied?
Mr. Garcia. First of all, Congresswoman, thank you very
much. Thank you very much for creating the position that I now
fill. I am very eager to demonstrate some very tangible
accomplishments throughout my tenure here, and I think control
systems rank amongst the highest.
I think we have already shown tremendous progress in
control systems across the board, not just in the electric and
nuclear sectors, but in the other sectors that I have mentioned
that we are now taking action on. And I go back to the point
that as 85 to 90 percent----
Ms. Lofgren. Could I interrupt to follow up on that point?
Are you suggesting that the points that the GAO has made and
that some of the outside--I see Mr. Weiss--I always see him on
the airplane--sitting in the audience--have made that you have
already started the remedies on those and that you are well
under way?
Mr. Garcia. Are you talking about the electric sector
specifically or just generally?
Ms. Lofgren. Yes.
Mr. Garcia. On the electric sector and through our private
sector partners in the electric sector; and our Federal
partners developed collectively mitigation strategies----
Ms. Lofgren. So the criticism that the GAO is making on the
deficiencies in the NERC standards, that is no longer accurate?
Mr. Garcia. On the specific standards, I think that the
FERC witness coming up in the next panel will have more to
discuss about specific standards. Our role at DHS is one as a
coordinator, to try to bring together the various parties who--
--
Ms. Lofgren. Well, if I may, I don't believe that is the
case, and it is certainly not what we intended in Congress.
Clearly, we have a collaborative and coordinating role to play,
but part of the problem is that we haven't made any progress on
the cybersecurity front, or haven't for a long, long time; and
we expect the Department to show some leadership.
I mean, I don't want to pick on the power industry, but
this is true in any sector that is not the tech sector. They
are looking at what they see, but they may not see the whole
picture. And so that is our job, to see the interconnections,
to see the possibilities of interconnecting, cascading
failures; and to insist that measures be taken to secure the
cyber space that that sector may not see because the public's
interest is larger than just their narrow interest. And I don't
mean to diminish their narrow interest, but we have a broader
scope here.
So the question really isn't to FERC. It is to you. What
are you going to do about it?
Mr. Garcia. Absolutely, Congresswoman. We take very
seriously every sector's responsibility for securing their
infrastructure. Absent regulatory authority, we are relying on
the framework devised in the National Infrastructure Protection
Plan and their component, sector-specific plans and our
partnerships with the Federal agencies that have specific
responsibility, regulatory or otherwise, to specific sectors.
Ms. Lofgren. Let me ask you this because my time is about
to run out and we also have votes on the floor.
I would like to get in follow-up to this meeting kind of
where we are on the specific issues raised by the GAO and to
the extent it is different from the outside critics; and then
get from you your assessment of what you can do to meet the
standard identified by GAO in terms of scope; and then, if you
can't do it with the tools that you currently have, recommend
what additional tools you think would be necessary.
Could you do that?
Mr. Garcia. Yes, ma'am. We would be happy to come up and go
through this in much more detail.
Ms. Lofgren. Thank you very much.
I thank you, Mr. Chairman.
Mr. Langevin. I thank the gentlelady for her questions. And
on that very point, we are in lockstep. I agree that you should
have the tools to make sure that we have these strategies put
in place and acted upon. And if not, whether it is--I am not at
all satisfied that enough is being done here, and if we need to
give additional tools either to DHS or FERC to make sure that--
particularly, when if you are talking about actionable
intelligence or information that needs to be acted on quickly--
that the tools are in place and we actually make sure that they
have them. So the steps--that the mitigation factors take
place.
So, with that, I am going to--since there are votes on, I
am going to dismiss this panel. We will recess for about 20
minutes and then call up the second panel.
I thank the witnesses for their testimony.
And the subcommittee now stands in recess.
[Recess.]
Mr. Langevin. The subcommittee will come to order. Let me
begin by thanking the second panel of witnesses for being here
today. And let me just begin by introducing and welcoming Mr.
Joe McClelland, the Director of Electric Reliability for the
Federal Energy Regulatory Commission. Mr. McClelland was
previously Director of the Division of Reliability at FERC
since 2004. He came to the Commission with more than 20 years
of experience in the electric utility industry.
Thank you for being here.
Our second witness is Mr. David Whiteley, the Executive
Vice President of North American Electric Reliability
Corporation. Mr. Whiteley is responsible for overseeing the
performance of four NERC program standards: reliability,
readiness training, education and personal certification, and
members' forums. Thank you for coming.
And our third witness is Mr. Joe Weiss, Managing Partner of
Applied Control Solutions. Mr. Weiss is a nuclear engineer who
spent more than 30 years working in the commercial power
industry. He is a member of many groups working to improve the
reliability and availability of critical infrastructures and
their control systems.
Without objection, the witnesses' full statements will be
inserted in the record.
Mr. Langevin. Before I go to Mr. McClelland for his
testimony, we had hoped to air a brief video before the start
of the first panel, that just testified. The video was not
ready. I am told that it is now ready to be shown. This will
give members of the committee a visual understanding of the
degree of concern I and many others have and how serious the
potential problem could be with respect to the control systems
being corrupted.
So, with that, I am going to ask the technical people to
begin the video. I am told that everything is in order and
should work. So, with that, we can start the video.
[Video plays.]
Mr. Langevin. Well, that just, as I said, puts a visual to
how potentially serious this problem could be if not addressed
quickly.
I take this seriously; I know the ranking member does as
well, and we are going to do all we can to exercise maximum
oversight to ensure the worst-case scenario that was
potentially spoken about in that piece we just saw never
occurs.
With that, I now ask each witness to summarize their
statement for 5 minutes, beginning with Mr. McClelland.
Mr. McClelland, thank you for your testimony and for being
here today. Welcome.
STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC
RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Thank you, Mr. Chairman, Ranking Member
McCaul and subcommittee members for providing this opportunity
to appear today.
I am the Director of the Federal Energy Regulatory
Commission's newest office, the Office of Electric Reliability.
My office's mission is to help protect and improve the
reliability and security of the Nation's bulk power system
under authority granted to the Commission in the Energy Policy
Act of 2005.
I am here today as a Commission staff witness. My remarks
do not necessarily represent the views of the Commission or of
any individual commissioner.
New section 215 of the Federal Power Act, or FPA, requires
that the users, owners and operators of the Nation's bulk power
system abide by mandatory reliability standards. Under the new
statutory framework, these standards are developed and proposed
by the Electric Reliability Organization, or ERO, to the
Commission. Standards become mandatory only after they are
approved by the Commission.
To meet its obligations under section 215, the Commission
has certified the North American Electric Reliability
Corporation, or NERC, as the ERO. We have approved eight
delegation agreements for the regional entities that will be
assisting NERC in its efforts and approved 83 of 107 proposed
reliability standards while simultaneously directing that 56 of
the approved standards be improved.
The approved standards became mandatory on June 18, 2007.
Violations of these new mandatory rules can trigger significant
penalties and enforcement actions by the Commission itself, or
more typically by the ERO, subject to the Commission's
oversight.
Section 215 of the FPA specifically covers cybersecurity
for the bulk power system. In August 2006, NERC proposed eight
cybersecurity standards for the Commission's approval,
requesting that auditable compliance not begin until mid-2009,
continuing through 2010.
We have been reviewing NERC's proposed cybersecurity
standards in our rulemaking proceeding, thereby engaging all of
the affected industry and stakeholders. Using this process, the
Commission has issued both a staff preliminary assessment and a
notice of proposed rulemaking, considering over 1,300 pages of
comments from over 100 industry and stakeholder entities.
Although the Commission has proposed to approve the
standards in the Notice of Proposed Rulemaking, it has also
expressed a need for immediate revisions to the standards, such
as the elimination of the overly broad, quote, ``reasonable
business judgment,'' end quote, approach and narrowing of the
term, quote, ``technical feasibility,'' end quote.
Stakeholder comments on the rulemaking proceeding have
raised issues concerning equipment operating costs and the
appropriate scope of industry discretion. Other commenters,
such as Members of Congress, including members of this
subcommittee, have asked that the Commission consider and
incorporate features from the standards being developed by the
National Institute of Standards and Technology, or NIST. The
Commission currently is considering all the comments it has
received.
With respect to the NIST standards, I note that the
Commission has indicated in the NOPR, or Notice of Proposed
Rulemaking, that it expects the ERO to evaluate any provisions
in the NIST standards that would better protect the bulk power
system. If there are NIST provisions that would improve
cybersecurity protection, the Commission can order the ERO to
initiate a standards development process, or the ERO on its own
can initiate a standards development process to incorporate
such NIST provisions in the mandatory reliability standards.
In response to recent events and news reports, the
Commission is examining its options for timely responses to
urgent cybersecurity risks to the bulk power system. By law,
the reliability standards process used by the ERO has to
provide for reasonable notice, the opportunity for public
comment, due process, openness and balance of interests in
developing the standards.
In practice, this has meant that the reliability standards
proposed by the ERO are based on consensus from industry.
Consequently, the process is not nimble and can take years to
develop proposed standards.
The Commission is assessing ways to more promptly address
urgent cybersecurity risks while protecting sensitive
information involving national security. If the Commission
determines that it needs additional authority to accomplish
this task, it will recommend appropriate legislation to meet
its responsibilities under EPAct 2005.
To protect the Nation's bulk power system, the Commission
is encountering new staffing and program needs. In particular,
the Commission needs more engineering to review and help
develop proposed reliability standards, conduct bulk power
event analyses and investigate potential violations. The
Commission has requested additional funds for 2008 to be
recovered through the Commission's self-funding process. I
encourage you to support the Commission's efforts to obtain
more funding.
In conclusion, I stress that the Commission is taking all
the steps it can under its new reliability authority to protect
the bulk power system and is dedicated to fulfilling Congress'
goals.
Thank you again for the opportunity to testify today. And I
would be happy to answer any questions that you may have.
Mr. Langevin. Thank you, Mr. McClelland.
[The statement of Mr. McClelland follows:]
Prepared Statement of Joesph McClelland
Mr. Chairman and Members of the Subcommittee:
Thank you for this opportunity to appear before you to discuss the
cyber threat to the electric grid's control systems. My name is Joseph
McClelland. I am the Director of the new Office of Electric Reliability
(OER) of the Federal Energy Regulatory Commission (Commission). The
OER's mission is to help protect and improve the reliability and
security of the Nation's bulk-power system through effective regulatory
oversight as established in the Energy Policy Act of 2005 (EPAct 2005).
I am here today as a Commission staff witness and my remarks do not
necessarily represent the views of the Commission or any individual
Commissioner.
My testimony summarizes the Commission's recent efforts to improve
the security of the Nation's electric power system. Congress's recent
legislation has greatly expanded the Commission's ability to anticipate
and respond to cybersecurity threats to a critical component of the
Nation's infrastructure, the interstate bulk-power system. The
Commission has met its statutory deadlines and provided a solid
foundation for ongoing regulatory efforts. Ongoing efforts focus on the
approval of Reliability Standards governing the planning and operation
of the interstate bulk-power system as mandatory rules with appropriate
penalties, subject to the Commission's oversight and approval.
The Commission continues to work with the North American Electric
Reliability Corporation (NERC) to protect the bulk-power system from
cybersecurity threats. NERC has proposed cybersecurity standards for
the industry and the Commission has issued a notice of proposed
rulemaking addressing these standards. The Commission is reviewing
comments on these standards and is committed to ensuring that the
resulting standards are consistent with and effectively implement
recommendations proposed in response to the 2003 blackout affecting the
Northeast United States and Canada.
The Commission is assessing its options for immediately and
effectively addressing urgent cybersecurity risks to the electric
system. The Reliability Standards process, which focuses on consensus
from industry representatives, typically takes considerable time to
implement. If the Commission determines that its authority to promptly
address cybersecurity risks is inadequate, it will seek additional
legislation.
As the Commission meets its responsibilities under EPAct 2005 to
protect the Nation's bulk-power system, it is encountering new staffing
and program needs. In particular, the Commission needs to hire more
engineers to review and enforce Reliability Standards affecting the
hundreds of entities that use the bulk-power system. Therefore, the
Commission has requested additional budget authority for 2008, the
costs of which would be recovered through the Commission's existing
self-funding process.
Background
In August 2005, Congress enacted EPAct 2005 entrusting the
Commission with a major new responsibility to oversee mandatory,
enforceable Reliability Standards for the electric grid. This authority
is in section 215 of the Federal Power Act (FPA). Section 215 requires
the Commission to select an Electric Reliability Organization (ERO).
The ERO is responsible for proposing, for Commission review and
approval, Reliability Standards or modifications to existing
Reliability Standards to help protect and improve the reliability of
the Nation's bulk-power system. The Reliability Standards apply to the
users, owners and operators of the bulk-power system. The ERO also is
authorized to impose, after notice and opportunity for a hearing,
penalties for violations of the Reliability Standards, subject to
Commission review. The ERO may delegate certain responsibilities to
``Regional Entities,'' subject to Commission approval.
The Commission may approve proposed Reliability Standards or
modifications if it finds them ``just, reasonable, not unduly
discriminatory or preferential, and in the public interest.'' If the
Commission disapproves a proposed standard or modification, FPA section
215 requires the Commission to remand it to the ERO for further
consideration. The Commission, upon its own motion or upon complaint,
may direct the ERO to submit a proposed standard or modification on a
specific matter. The Commission also may initiate enforcement on its
own motion but, for most violations, will only review the enforcement
actions of the ERO.
The Commission is qualified to perform all of these tasks and, in
anticipation of reliability legislation being passed, it established a
reliability group at the agency even before the passage of EPAct 2005.
Commission staff played a key role in the U.S.-Canada Power System
Outage Task Force formed to investigate the August 2003 blackout that
affected eight states, one province and an estimated 50 million people
in the U.S. and Canada. When the Task Force issued its report in April
2004 (Blackout Report), the Commission acted quickly to implement the
report's recommendations addressed to the Commission. For example, the
Commission announced that no new independent system operator or
regional transmission organization would be approved until its
reliability capabilities were functional. The Commission also adopted a
policy statement on several other issues, such as recovery of prudent
reliability costs, cooperation with the States, and the interpretation
of reliability-related provisions in transmission tariffs. On this last
point, the Commission stated that tariff requirements to follow ``good
utility practice'' would include compliance with the then-voluntary
standards developed by NERC's predecessor, the North American Electric
Reliability Council.
With this experience, the Commission has been able to implement FPA
section 215 diligently. Within 180 days of enactment, the Commission
adopted rules governing the reliability program. In the summer of 2006,
it approved NERC as the ERO. In March 2007, the Commission approved the
first set of national mandatory and enforceable Reliability Standards.
In April 2007, it approved eight regional delegation agreements to
provide for development of new or modified standards and enforcement of
approved standards by Regional Entities. And, just last month, the
Commission's Division of Reliability in the Office of Energy Markets
and Reliability was established as its own program office, the OER, to
reflect the growing importance of the Commission's reliability
responsibilities.
In exercising its new authority, the Commission has interacted
extensively with NERC and the industry. The Commission also has
coordinated with other federal agencies, such as the Department of
Homeland Security, the Department of Energy and the Nuclear Regulatory
Commission. And, the Commission has established regular communications
with regulators from Canada and Mexico regarding reliability, since the
North American bulk-power system is an interconnected continental
system subject to the laws of three nations.
The Commission's Proposed Cybersecurity Regulations
FPA section 215 defines ``reliability standard[s]'' as including
requirements for the ``reliable operation'' of the bulk-power system
and for ``cybersecurity protection.'' Section 215 defines reliable
operation to mean operating the elements of the BPS within certain
limits so instability, or uncontrolled separation, or cascading
failures will not occur ``as a result of a sudden disturbance,
including a cybersecurity incident.'' Section 215 also defines a
``cybersecurity incident'' as a ``malicious act or suspicious event
that disrupts, or was an attempt to disrupt, the operation of those
programmable electronic devices and communication networks including
hardware, software and data that are essential to the reliable
operation of the bulk power system.''
In 2003, before the passage of EPAct 2005, NERC approved the
``Urgent Action 1200'' standard (UA 1200), the first comprehensive,
although temporary, cybersecurity standard for the electric industry.
This voluntary standard applied to control areas (i.e., balancing
authorities responsible for ensuring that a specific area's supply
matches demand at any moment in time), transmission owners and
operators, and generation owners and operators that perform certain
functions. Specifically, UA 1200 established a self-certification
process relating to the security of system control centers.
In May 2006, NERC approved eight new cybersecurity standards to
supersede UA 1200. These new standards, known as the Critical
Infrastructure Protection (CIP) standards and discussed below, are
broader in scope and applicability than UA 1200 and, if approved by the
Commission, would be mandatory. In August 2006, NERC submitted the new
standards to the Commission for approval under FPA section 215. Citing
the expanded scope of facilities and entities covered by the CIP
standards, and the investment in security upgrades required in many
cases, NERC proposed an implementation plan under which certain
requirements would be ``auditably compliant'' by 2009 and the others
would be so by 2010.
In December 2006, the Commission issued an assessment by its staff
of NERC's proposed CIP standards, and allowed 60 days for public
comments. The staff's assessment was limited to a technical review, and
made no final determinations on compliance with FPA section 215's legal
requirements.
After receiving and analyzing the nearly 500 pages of comments from
38 entities, the Commission issued a Notice of Proposed Rulemaking in
July 2007 proposing to adopt the CIP standards subject to further
comment from the public. The Commission also proposed to concurrently
direct NERC to develop modifications addressing specific concerns
identified by the Commission.
The eight CIP standards contain over 160 requirements. Generally,
the CIP standards would require the following actions:
Critical Cyber Asset Identification: requires the identification of
an entity's critical assets and critical cyber assets using a risk-
based assessment methodology.
Security Management Controls: requires an entity to develop and
implement security management controls to protect critical cyber
assets.
Personnel and training: requires personnel with access to critical
cyber assets to go through identity verification, criminal background
checks and employee training.
Electronic Security Perimeters: requires the identification and
protection of electronic security perimeters and access points. The
security perimeters are to encompass the critical cyber assets.
Physical Security of Critical Cyber Assets: requires the creation
and maintenance of a physical security plan that ensures all cyber
assets within an electronic security perimeter are kept in an
identified physical security perimeter.
Systems Security Management: requires an entity to define methods,
processes, and procedures for securing the systems identified as
critical cyber assets, as well as the non-critical cyber assets within
the perimeter.
Incident Reporting and Response Planning: requires the
identification, classification and reporting of cyber security
incidents related to critical cyber assets.
Recovery Plans for Critical Cyber Assets: requires the
establishment of recovery plans for critical cyber assets using
established business continuity and disaster recovery techniques and
practices.
Public comments comprising more than 800 pages from 69 entities on
the Commission's proposed actions were filed as of October 5. The
Commission's staff has begun reviewing these comments, and the
Commission intends to take final action expeditiously.
One of the Commission's goals is to ensure that the cybersecurity
standards are consistent with the lessons learned from the August 2003
blackout. Thirteen of the 46 Blackout Report recommendations relate to
cybersecurity. See the Blackout Report at pp. 163--69. They address
topics such as strict control of physical and electronic access to
operationally sensitive equipment; capability to detect wireless and
remote wireline intrusion and surveillance; and improvement and
maintenance of cyber forensic and diagnostic capabilities. The Blackout
Report recommendations are a sound basis for action.
The Commission recognizes that the CIP standards must strike a
reasonable balance. Overly prescriptive standards may become a ``one
size fits all'' solution despite the significant differences in system
architecture, technology and risk profile. However, CIP standards
lacking sufficient detail will provide little useful direction, make
compliance and enforcement difficult, allow flawed implementation and
result in inadequate protection.
A major concern with cybersecurity is the prevalence in the
industry of ``legacy equipment'' which may not be readily adaptable for
purposes of cybersecurity protection. If this equipment is left
vulnerable, it could be the focal point of efforts to disrupt the grid.
Replacing this equipment or retrofitting it to incorporate
cybersecurity protection could be costly. But a successful cyber attack
could damage our bulk-power system and economy in ways that cost far
more. This risk often may justify retrofitting the legacy equipment,
adding a perimeter of defensive security measures or replacing the
equipment before its useful life ends.
In its July 2007 Notice of Proposed Rulemaking, the Commission
stated its concern with the breadth of discretion left to utilities by
NERC's proposed CIP standards. For example, NERC's standards state that
utilities ``should interpret and apply the Reliability Standard[s]
using reasonable business judgment.'' Similarly, the standards at times
require certain steps ``where technically feasible,'' but this is
defined as not requiring the utility ``to replace any equipment in
order to achieve compliance.'' Also, NERC's proposal would allow a
utility at times not to take certain action if the utility documents
its ``acceptance of risk.'' The Commission proposed to direct NERC to
modify the standards to remove the terms ``reasonable business
judgment'' and ``acceptance of risk'' while narrowing ``technically
feasible.''
For certain other requirements in the CIP standards, the Commission
proposed to address this concern about discretion by requiring external
oversight of utility decisions. This oversight could be provided by
industry entities with a ``wide-area view,'' such as reliability
coordinators or the Regional Entities subject to the review of the
Commission.
The National Institute of Standards and Technology (NIST) has
commented that its cybersecurity standards are more advanced and could
provide a model for improvements to the CIP standards. NIST has
recommended that the Commission consider a transition to standards
identical to, consistent with, or based on NIST standards and
guidelines. The Commission's proposal so far is to not require
incorporation of the NIST standards and guidelines. However, the
Commission has said it would expect NERC to monitor the development and
implementation of the NIST standards to determine if they would provide
better protection. Certain federal entities, such as the Tennessee
Valley Authority and Western Area Power Administration, are required to
comply with both the NIST standards and the CIP standards, and thus may
be able to provide unique insights on this issue. The Commission
expressed its expectation that NERC will seek and consider comments
from these federal entities on the effectiveness of the NIST standards
versus the CIP standards. Any provisions in the NIST standards that
will better protect the bulk-power system should subsequently be
addressed in the standards development process as improvements to the
CIP standards. In addition to this consideration, the Commission
proposes to revisit this issue in future proceedings as part of a
continuing evaluation of existing standards, the need for new
standards, or as part of assessing NERC's performance as the ERO.
Confronting Urgent Risks
The procedures used so far for adoption of Reliability Standards
have allowed multiple opportunities for industry and public input and
taken significant time, as explained below. However, urgent risks may
at times require immediate action, and the Commission currently is
exploring the scope of its authority under existing law to take swift
and effective action to prevent opportunities for cyber attacks or
address other critical matters.
FPA section 215 relies on the ERO to develop and submit proposed
Reliability Standards. NERC's procedures for doing so allow extensive
opportunity for industry comment, generally based on the procedures of
the American National Standards Institute (ANSI). The NERC process is
intended to develop consensus on both the need for the standard and on
the substance of the proposed standard. Although inclusive, the process
is not nimble and can take years to develop standards for the
Commission's review.
Key steps in the NERC process include: nomination of a proposed
standard using a Standard Authorization Request (SAR); public posting
of the SAR for comment; review of the comments by NERC staff; drafting
or redrafting of the standard by an assigned team; public posting of
the draft standard; field testing of the draft standard, if
appropriate; formal balloting of the draft standard, with approval
based on 75 percent of total votes and two-thirds of weighted industry
sector votes; re-balloting, if negative votes are supported by specific
comments; voting by NERC's board of trustees; and an appeals mechanism
to resolve any complaints about the standards process. NERC-approved
standards are then submitted to the Commission for its review.
For the first set of Reliability Standards proposed by NERC and for
the CIP standards currently under consideration, the Commission began
its process by issuing a staff assessment of the proposed standards and
allowing public comment on the assessment. Based on its consideration
of those comments, the Commission then issued a ``Notice of Proposed
Rulemaking'' identifying the Commission's proposed actions and allowing
additional opportunities for public comment. After considering these
additional comments, the Commission will issue a ``Final Rule,''
adopting or modifying its proposed actions.
Generally, the procedures used by NERC and the Commission are
appropriate in allowing extensive opportunities for industry and public
comment. The public and our economy depend critically on having a
reliable supply of electricity, and Reliability Standards usually
should be adopted only after thorough and open vetting of all relevant
considerations.
Certain circumstances, however, may require immediate action. If a
significant vulnerability in the bulk-power system is identified,
procedures used so far for adoption of Reliability Standards may take
too long to implement corrective steps. Also, those procedures would
widely publicize the vulnerability and the possible solutions, thus
increasing the risk of hostile actions before the appropriate solutions
are implemented.
Recently, CNN broadcast a story alleging the existence of a
cybervulnerability on the electric grid. The story included video of a
small generating unit allegedly being damaged by a cyber attack, and
also showed an economist stating that there could be a $700 billion
dollar impact to our economy if generating facilities serving one-third
of our Nation's electric load were disabled for three months through
such attacks.
This story has prompted the Commission to reexamine its authority
to quickly mitigate verified cybervulnerability risks and to protect
security-sensitive information from inappropriate disclosure. If the
Commission determines that it does not have adequate authority to
promptly address cybersecurity risks and adequately protect security-
sensitive information, or that its authority needs to be clarified, it
will seek additional legislation.
The Commission Needs More Funding for Reliability
As noted above, the Commission has certified NERC as the ERO;
approved the first set of mandatory and enforceable Reliability
Standards (83 of NERC's initial 107 while calling for significant
modifications to 56 of the 83); and approved delegation agreements
between NERC and eight Regional Entities. With these steps, the
Commission is well positioned to implement FPA section 215. However,
more resources are needed by the Commission in all areas of
reliability, including physical and cyber standards development,
compliance and enforcement, investigation and analysis, and reports and
assessments. In addition, the new Reliability Standards, including
cybersecurity standards, will take significant work by the Commission,
the ERO and the industry, and thus competition for experienced
personnel, particularly engineers, is strong. Oversight of the
reliability of the Nation's bulk-power system is one of the most
important functions ever undertaken by the Commission and the
Congress's budget support in providing necessary resources is critical.
The Commission will continue to work with the ERO and industry to
strengthen Reliability Standards. Our staff will monitor and engage in
the standards development process to provide timely feedback to
stakeholders. NERC and industry stakeholders have requested the
Commission's staff to be involved in the standards development process.
We believe the process will work better if the Commission's staff is
involved from the beginning, to help ensure that necessary improvements
to the standards are made timely and comport with Commission
directives. This is important because section 215 does not give the
Commission explicit authority to revise or write the standards.
Instead, the Commission can only direct the ERO to submit a standard on
a specific matter or remand a proposed standard to the ERO with
directions for modification, and the standards development and revision
process is lengthy.
In addition, Commission staff will participate with the Regional
Entities in a number of regular compliance audits and in analyzing
selected incidents on the bulk-power system. Staff also will analyze
and/or prepare reports on various issues concerning the reliability and
security of the bulk-power system.
The Commission has moved quickly to fulfill the Congressional
intent of FPA section 215. However, after we completed the actions
cited above, we came to understand better the resource needs for our
new reliability responsibilities. For example, approximately 1500 U.S.
utilities or users of the bulk-power system are now ``registered'' by
NERC to comply with the Reliability Standards. The Commission's
jurisdiction to implement and enforce FPA section 215 for such a large
number of entities serving the entire United States bulk-power system
is a significant responsibility and requires a significant commitment
of resources.
Thus, in June of this year, the Commission's Chairman wrote to the
Chairmen and Ranking Members of the House and Senate Appropriations
Committees, seeking an additional $9 million for our reliability work
in fiscal year 2008. This would provide for an additional 55 Full-Time
Equivalents (FTEs) to support its reliability program. These FTEs would
consist primarily of electrical engineers, power system experts,
auditors and lawyers. The Commission's Chairman also asked for
authorization to hire electrical engineers non-competitively up to the
GS-15 level, and to hire six additional executive senior level (SL)
staff in support of its reliability program. As you may know, the
Commission is a self-supporting agency and would recover the additional
appropriations through fees and annual charges, as it does all of its
costs, and will operate at no net cost to the taxpayer. I encourage you
to support these requests by the Commission.
Conclusion
I stress that the Commission is taking all the steps it can to
protect the bulk-power system and is dedicated to fulfilling Congress's
goals. Thank you again for the opportunity to testify today. I would be
happy to answer any questions you may have.
Mr. Langevin. The Chair now recognizes Mr. Whiteley to
summarize your statement for 5 minutes.
STATEMENT OF DAVID WHITELEY, EXECUTIVE VICE PRESIDENT, NORTH
AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Whiteley. Thank you, Mr. Chairman, Ranking Member
McCaul and members of the subcommittee. I am pleased to appear
on behalf of the North American Electric Reliability
Corporation to explain how we and the electric industry are
working to protect the security of the control systems of the
bulk power grid.
My comments this afternoon will focus on three points:
first, that NERC takes very seriously its responsibility in
protecting the overall reliability of the bulk power system;
second, that NERC's critical infrastructure protection, or CIP,
reliability standards will enhance the cybersecurity of control
systems and grid reliability; and third, that continuous
improvement in NERC's reliability standards will allow for
further coordination with cybersecurity standards and
guidelines, such as the NIST guidelines, that are relevant for
control systems.
NERC was established in 1968 with a mission to develop and
implement standards to ensure the reliable operation of the
bulk power system in North America. When Congress passed the
Energy Policy Act of 2005, it codified this responsibility in
the Federal Power Act, and Congress charged FERC with
certifying an Electric Reliability Organization, or ERO, that
will develop and enforce reliability standards to provide for
the reliable operation of the bulk power system but only the
bulk power system.
NERC is committed to exercising to the fullest extent the
authority to ensure grid reliability within the limits provided
in the law.
The Energy Policy Act expressly excluded local distribution
facilities from the definition of bulk power system. That said,
NERC has worked diligently to implement the reliability
authority as FERC's certified ERO.
The system of voluntary standards administered by NERC for
more than 30 years was replaced on June 18 with a new set of
mandatory reliability standards applicable to all users, owners
and operators of the bulk power system.
NERC realizes that cybersecurity of grid control systems is
an important element of the overall reliability of the system
and has been an increasing priority for every sector of the
U.S. economy since the turn of the century. NERC has recognized
and responded to this challenge first through the voluntary
cybersecurity standard and now through proposed mandatory CIP
reliability standards. FERC approval of the standards, along
with parallel action by Canadian authorities, will enhance the
reliability of the transmission grid in North America. These
standards will improve the resiliency of control systems' cyber
assets and increase the ability of these systems to withstand
cyber-based attacks. Cybersecurity requirements will be applied
to functions and to companies that have never been subject to
standards in the past.
In the course of developing the CIP standards, NERC
evaluated NIST's ongoing work to apply its recommended security
controls for Federal information systems along with other NIST
work to the bulk power system. NERC determined, and FERC
agreed, that the NIST guidelines cannot substitute for
reliability standards developed specifically for the bulk power
grid. The existing guidelines from NIST for information
security are not directly applicable to control systems.
NIST has continued to work in this area and has released
additional draft guidance. However, because mandatory
cybersecurity standards to secure grid reliability are needed
now, issuance of the CIP reliability standards could not be
delayed in order to await completion of the NIST process. In
addition, the substitution of NIST guideline development for
information systems into a mandatory reliability standard for
electric grid control systems would not meet the requirements
of the Federal Power Act that governed the process and
procedures developed by NERC.
Another consideration is that the bulk power system is
interconnected within North America. This means that the bulk
power system reliability standards must also be recognized in
Canada, and the NERC standards development process requires
Canadian input. Because the NIST guideline development process
does not have to take into account the international aspect of
the bulk power grid, they would not necessarily be applicable
for cross-border application.
We will evaluate how all of our reliability standards work
in practice, will monitor industry and technology developments
and determine on an ongoing basis whether these standards
should be improved or new standards should be developed.
In summary, the key to improving the reliability of the
North American power system is to put good standards in place
as soon as possible and then make them better. The CIP
reliability standards are a sound starting point for the
electric industry, and with regard to cybersecurity issues, a
sound starting point as well. They can and should be made
effective promptly.
This concludes my prepared remarks, and I look forward to
answering your questions.
Mr. Langevin. Thank you, Mr. Whiteley.
[The statement of Mr. Whiteley follows:]
Prepared Statement of David A. Whiteley
Mr. Chairman and Members of the Subcommittee, the North American
Electric Reliability Corporation \1\ (``NERC'') is pleased to provide
this testimony on how we and the electric industry are working to
protect the security of the control systems for the bulk power grid
throughout North America pursuant to the authority set forth in Section
215 of the Federal Power Act (``FPA''), as enacted through the Energy
Policy Act of 2005 (``EPAct 2005'').\2\ Protecting the overall
reliability of the bulk power system, including ensuring the security
and reliability of grid control systems, has been a high priority for
NERC since well before the enactment of EPAct 2005, and we take this
matter very seriously. As the Committee is aware, under the authority
of FPA Section 215, NERC has proposed eight Critical Infrastructure
Protection Reliability Standards for approval by the Federal Energy
Regulatory Commission (``FERC'' or ``Commission''). FERC approval of
the standards that NERC has proposed in this area, along with parallel
action by appropriate governmental authorities in Canada, will enhance
the cybersecurity of these control systems and the reliability of the
interconnected electric transmission grid.
---------------------------------------------------------------------------
\1\ NERC is the corporate successor to the North American Electric
Reliability Council, also called ``NERC,'' formed to serve as the
electric reliability organization (``ERO'') authorized by Section 215
of the FPA.
\2\ Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII,
Subtitle A, 119 Stat. 594, 941 (2005).
---------------------------------------------------------------------------
EXECUTIVE SUMMARY
Cyber security of control systems is an increasing priority for
every sector of the U.S. economy. On behalf of the electric power
sector, NERC has recognized and responded to this challenge, first
through a voluntary cybersecurity standard and now through proposed
mandatory Critical Infrastructure Protection (``CIP'') Reliability
Standards for the bulk power grid. These mandatory standards are
intended to assure that the electricity industry will devote the
necessary organizational resources to securing control systems, and
that the industry will identify, respond to and report cyber security
incidents related to critical cyber assets.
Since its establishment in 1968, NERC's mission has been the
development and implementation of standards to ensure the reliable
operation of the interconnected North American bulk power electric grid
in the U.S. and Canada and Mexico. The system of voluntary standards
administered by NERC for more than 30 years was replaced on June 18,
2007, with a new set of mandatory Reliability Standards applicable to
all users, owners and operators of the ``bulk power system.'' NERC
stands ready to take additional steps as warranted to protect the
reliability and cybersecurity of the grid.
Mandatory and enforceable Reliability Standards under Section 215
of the FPA are to provide for the reliable operation of the bulk power
system only. Section 215 expressly excludes local distribution
facilities from the definition of ``bulk power system.'' Moreover,
Section 215 does not extend any authority for the regulation of
reliability or cybersecurity beyond that which is necessary for
reliable operations of the transmission grid. While critical
infrastructures in various sectors of the U.S. economy are dependent
upon the bulk power system, NERC's authority to propose and enforce
reliability standards is confined to a single sector of the economy.
We will evaluate how all of our Reliability Standards work in
practice, monitor industry and technology developments, and determine
on an ongoing basis whether these Standards should be improved, or new
standards should be promulgated. The key to improving the reliability
of the North American bulk power system is to put in place good
standards, as soon as possible. The CIP Reliability Standards are a
sound starting point for the electric industry. They can and should be
made effective promptly so that they can be implemented now.
In the course of developing the CIP Reliability Standards, NERC
evaluated the National Institute of Standards and Technology's
(``NIST'') ongoing work to apply its Special Publication (SP) 800-53,
Recommended Security Controls for Federal Information Systems, to
control systems, and other work underway at NIST to develop guidance on
securing control systems. However, the need for mandatory cybersecurity
standards to secure grid reliability is immediate, and issuance of the
CIP Reliability Standards could not be delayed in order to await
completion of the NIST process.
Importantly, bulk power system reliability standards also must be
acceptable to regulators in Canada and Mexico. We are not addressing
only U.S. facilities with these standards. The NERC standards
development process provides a carefully crafted mechanism designed to
ensure that final standards proposals have been developed with Canadian
(and Mexican, where appropriate) input. Because the NIST guideline
development process does not have to take into account the
international aspect of the bulk power grid, the U.S. government
standards for U.S. government facilities resulting from that process
would not necessarily be acceptable.
Moreover, there are also important substantive and process-related
reasons why any future final NIST guidelines cannot substitute for
Reliability Standards developed specifically for the bulk power grid.
First, the guidelines available from NIST for information security when
the CIP Reliability Standards were being developed were not appropriate
for control systems. Second, Section 215 of the FPA sets forth
requirements for the process and procedures through which NERC, as the
ERO, may establish Reliability Standards. FERC has approved the NERC
standards-setting process. The conversion of a NIST guideline developed
for information systems directly into a mandatory Reliability Standard
for electric grid control systems would not comply with the statutory
procedural requirements under which NERC operates.
NERC will continue to monitor the progress of the NIST process, and
as CIP Reliability Standards continue to evolve, there will be future
opportunities to continue to reflect NIST documents and guidance as
appropriate.
I. BACKGROUND
A. NERC.
NERC's mission is to ensure the bulk power system in North America
is reliable. To achieve this objective, NERC develops and enforces
reliability standards; monitors the bulk power system; assesses and
reports on future adequacy; evaluates owners, operators, and users for
reliability preparedness; and educates, trains and certifies industry
personnel. NERC is a self-regulatory organization that relies on the
diverse and collective expertise of industry participants. FERC
certified NERC as the electric reliability organization (``ERO'') in
July 2006.\3\
---------------------------------------------------------------------------
\3\ See Order Certifying North American Electric Reliability
Corporation as the Electric Reliability Organization and Ordering
Compliance Filing, 116 FERC � 61,062 (2006).
---------------------------------------------------------------------------
Because Reliability Standards are applicable to the entire,
interconnected North American bulk power system, NERC is subject to
oversight by the governmental authorities in both Canada and the United
States. In the U.S., with oversight from FERC, as of June 18, 2007,
NERC has legal authority to enforce reliability standards applicable to
all owners, operators, and users of the bulk power system, rather than
relying on voluntary compliance. NERC is seeking similar recognition by
governmental authorities in Canada, including eight provinces and the
National Energy Board, and will seek recognition in Mexico at the
appropriate time.
B. Statutory Authority Over Bulk Power System Reliability.
Section 215 of the Federal Power Act establishes the framework for
mandatory and enforceable Reliability Standards applicable to all
users, owners and operators of the bulk power system. Section 215
assigns to the Commission the duties of approving and enforcing rules
to ensure the reliability of the Nation's bulk power system. Section
215 requires the Commission to issue rules for the certification of an
ERO charged with developing and enforcing mandatory Reliability
Standards, subject to Commission approval. Section 215 also gives the
Commission the regulatory responsibility to approve standards that
protect the reliability of the bulk power system.
Consistent with the law, the development and enforcement of
Reliability Standards is now the responsibility of the ERO. As noted
above, FERC's certification of NERC as the ERO places this
responsibility squarely on NERC. However, NERC's authority pursuant to
Section 215 relates solely to ensuring the reliability of the bulk
power system. FPA Section 215(a)(1) defines the term ``bulk power
system'' to mean
(A) facilities and control systems necessary for operating an
interconnected electric energy transmission network (or any
portion thereof); and
(B) electric energy from generation facilities needed to
maintain transmission system reliability.
The statutory definition expressly excludes ``facilities used in
the local distribution of electric energy.''
FPA Section 215 defines the term ``Reliability Standard'' to
mean:
a requirement, approved by the Commission. . .to provide for
reliable operation of the bulk-power system. The term includes
requirements for the operation of existing bulk-power system
facilities, including cybersecurity protection, and the design of
planned additions or modifications to such facilities to the extent
necessary to provide for reliable operation of the bulk-power system,
but the term does not include any requirement to enlarge such
facilities or to construct new transmission capacity or generation
capacity.
FPA Section 215(a)(3). Under FPA Section 215(a)(4), ``reliable
operation,'' as used in the definition of Reliability Standard, means
operating the elements of the bulk-power system within equipment and
electric system thermal, voltage and stability limits so that
instability, uncontrolled separation, or cascading failures of such
system will not occur as a result of a sudden disturbance, including a
cybersecurity incident, or unanticipated failure of system elements.
The statute also defines a ``cybersecurity incident'' that the
Reliability Standards developed by the ERO are to guard against:
``cybersecurity incident'' means a malicious act or suspicious
event that disrupts, or was an attempt to disrupt, the operation of
those programmable electronic devices and communication networks
including hardware, software and data that are essential to the
reliable operation of the bulk power system.
FPA Section 215(a)(8) (emphasis supplied).
Congress spent eight years considering the need for reliability
legislation and refining the legislative language, choosing its words
carefully to be very specific about the extent of and limitations on
the jurisdiction of FERC and the ERO with respect to enforceable
reliability standards. Congress also was clear that it wanted to
capture the expertise of the industry in developing Reliability
Standards and in monitoring and enforcing compliance with Standards
through an audited self-regulatory system. For this reason, and because
Reliability Standards apply not only in the U.S. but also in Canada,
FERC's role is one of approving standards, not developing them in the
first place, and in overseeing the activities of the ERO. FPA Section
215(d)(2) provides that in executing its responsibilities to review,
approve and enforce mandatory reliability standards, the Commission is
authorized to approve those proposed standards that the Commission
finds are just, reasonable, not unduly discriminatory or preferential,
and in the public interest. Moreover, the Commission ``shall give due
weight to the technical expertise of the Electric Reliability
Organization with respect to the content of a proposed reliability
standard. . . .'' Further, the statute requires that in applying its
expertise and developing Reliability Standards, the ERO certified by
the Commission must have established rules that ``provide for
reasonable notice and opportunity for public comment, due process,
openness, and balance of interests in developing reliability standards.
. . .'' See FPA section 215(c)(2)(D).
II. RESPONSE TO ISSUES IDENTIFIED BY THE COMMITTEE
A. NERC's Authority To Prescribe Critical Infrastructure Protection
Rules Is Limited To The Electric Power Sector Only And Does Not Extend
To Regulation Of Distribution Systems Or Other Infrastructures.
As described above, the authority granted to the ERO pursuant to
Section 215 of the Federal Power Act is not unlimited. FPA Section 215
does not convey authority to apply mandatory and enforceable
reliability standards to the distribution system. The authority of the
ERO extends only to elements of the bulk power system as defined in the
statute. The only entities that under the law must comply with ERO-
developed reliability standards are ``users, owners and operators of
the bulk-power system.'' Subject to FERC's approval, NERC has developed
a compliance registry that identifies these entities, consistent with
the statutory requirements.
The standards that NERC has proposed to the Commission are
consistent with Section 215 of the FPA. We believe those standards,
when taken as a whole and as they develop over time, will continue to
provide a level of reliability that is commensurate with the statutory
requirements.
B. The CIP Reliability Standards Were Developed Through A Rigorous
Process That Took The NIST Guidance Into Account.
Section 39.5(a) of the Commission's regulations requires the ERO to
file with the Commission for approval each reliability standard the ERO
proposes to become mandatory and enforceable in the United States, and
each proposed modification to a reliability standard. NERC and the
Commission have made substantial progress in proposing and approving
reliability standards to be mandatory and enforceable in the United
States. NERC filed a petition for approval of 102 existing Reliability
Standards in FERC Docket No. RM06-16 on April 4, 2006. NERC filed a
second petition for the approval of proposed reliability standards
August 28, 2006, submitting 16 new standards for approval and revisions
to 11 of the reliability standards previously submitted. Of the 16 new
standards submitted, eight were Critical Infrastructure Protection
cyber security standards.
On December 11, 2006, the Commission Staff issued an assessment of
the cyber security standards as a basis to solicit comments on those
proposed standards. On July 20, 2007, the Commission issued a Notice of
Proposed Rulemaking (``NOPR'') generally proposing to approve the CIP
Reliability Standards as mandatory and enforceable, while also
proposing to require NERC to make specific modifications to certain of
the standards.\4\ The deadline for comments on the NOPR was October 5,
2007, and the Commission has received approximately 100 comments on the
staff assessment and the proposed standards.
---------------------------------------------------------------------------
\4\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Docket No. RM06-22, 120 FERC � 61,077 (2007). FERC's NOPR
described the proposed CIP Reliability Standards as ``the most thorough
attempt to date to address cyber security issues that relate to the
Bulk-Power System.'' NOPR, P 13. Given the nature of the cyber security
threat, the Commission acknowledged that ``cyber security strategies
must comprise a layered, interwoven approach to vigilantly protect the
Bulk-Power System against evolving cyber security threats.'' NOPR, P
15. FERC proposed to approve NERC's proposed Implementation Plan for
the CIP Reliability Standards, which sets forth ``a timeline by
calendar quarters for completing various tasks and prescribes
milestones for when a responsible entity must: (1) ``begin work;'' (2)
``be substantially compliant'' with a requirement; (3) ``be compliant''
with a requirement; and (4) ``be auditably compliant'' with a
requirement.'' NOPR, PP 43,47. FERC also proposed to approve the 162
proposed Violation Risk Factor assignments proposed by NERC that
correspond to the requirements of the CIP Reliability Standards and to
direct NERC to revise 43 of them, as well as to assign Violation Risk
Factors to additional requirements under the CIP Reliability Standards.
NOPR, P 325. Violation Risk Factors indicate the potential or expected
impact to the reliability of the Bulk-Power System of the violation of
a particular Reliability Standard requirement. Violation Risk Factors
are used by NERC in setting penalty amounts for violations of a
Reliability Standard.
1. Background of Proposed Cyber Security Standards.
The initial work on the proposed cyber security standards dates
back to 2002 when NERC's Critical Infrastructure Protection Advisory
Group (``CIPAG'') \5\ drafted cyber security language that ultimately
appeared in Appendix G of the Commission's ``Standard Market Design'
NOPR.\6\ Since then, NERC has continued to raise the bar on cyber
security, first by adopting Cyber Security Urgent Action Standard 1200
in 2003,\7\ and again with the proposed standards filed with the
Commission in August 2006.
---------------------------------------------------------------------------
\5\ The CIPAG was a predecessor organization to NERC's current
Critical Infrastructure Protection Committee (``CIPC'').
\6\ Remedying Undue Discrimination through Open Access Transmission
Service and Standard Electricity Market Design, Notice of Proposed
Rulemaking, 67 Fed. Reg. 55,452 (Aug. 29, 2002), FERC Stats. & Regs. �
32,563 (2002). The Standard Market Design NOPR was never finalized.
\7\ Cyber Security Urgent Action Standard 1200 was a voluntary
standard that applied to control areas, transmission owners and
operators, and generation owners and operators performing certain
specific functions. The voluntary standard established a self-
certification process relating to the security of system control
centers of covered entities. The Urgent Action 1200 standard was
effective on a voluntary basis until June 1, 2006, when it was replaced
by the eight CIP Reliability Standards that are the subject of the
current FERC rulemaking.
---------------------------------------------------------------------------
Reflecting Congress's objective in FPA Section 215 that industry
expertise should be brought to bear in the development of Reliability
Standards, the proposed cyber security standards have been crafted with
significant industry input by experts in the area and a debate of key
issues through a process accredited by the American National Standards
Institute (``ANSI''). The Standard Authorization Request (``SAR'') for
the cyber security standards was submitted to NERC on May 2, 2003.
After two public comment periods, the industry reached a consensus on
the scope and justification for the standards. The Standards
Authorization Committee (``SAC'') appointed a drafting team of security
experts to begin development of these standards in May 2004.
Drafting team members brought significant experience and expertise
from a broad spectrum of security related disciplines including
information technology security, physical security, compliance
auditing, personnel and training, energy management systems (``EMS''),
and system control and data acquisition (``SCADA'') system operations.
Drafting team members also brought expert knowledge of existing
government regulations affecting security such as Sarbanes-Oxley and
the Federal Information Security Management Act of 2002 (``FISMA''), as
well as existing security related standards such as International
Standards Organization (``ISO'') Standard 17799 and the body of work
promulgated by NIST. A number of members of the drafting team held
professional security certifications. Membership on the drafting team
fairly represented ownership segments in the electric industry and a
balance between U.S. and Canadian participation.
Throughout the development process, the drafting team insisted on
looking beyond generally accepted ``best practices.'' They sought to
establish relevant, thorough requirements with unambiguous measures for
determining compliance. Three versions of the cyber security standards
were posted to solicit input from the industry and other interested
parties. More than 2,500 pages of comments and responses to the
comments were provided in response to the three postings of the draft
standards. The fourth and final version was submitted to ballot of the
stakeholders. The number and volume of comments received represented an
extraordinary level of involvement by the industry during the
development process.
2. NERC's CIP Reliability Standards Proposal.
In the August 2006 submission to FERC, NERC proposed eight new
cybersecurity standards (CIP-002-1 to CIP-009-1) to provide a
comprehensive set of requirements to protect the bulk power system from
malicious cyber attacks. Because there are unique aspects of cyber
protection for each entity and its assets, the standards require bulk
power system owners, operators, and users to step through a sequence of
establishing a risk-based vulnerability assessment method and using
that method to identify and prioritize critical assets and critical
cyber assets. Once the critical cyber assets are identified, the
standards require the responsible entities to establish plans,
protocols, and controls to safeguard physical and electronic access, to
train personnel on security matters, to report security incidents, and
to be prepared for recovery actions. The proposed cyber security
standards propose the most comprehensive set of requirements ever
utilized on a widespread basis in the electric industry.
Because of the expanded scope of facilities and entities covered by
these standards, and the investment in security upgrades required in
many cases, the implementation plan calls for a three-year phase-in to
achieve full compliance with all requirements. The transition builds
progressively from the requirements that were previously in place with
the 1200 Urgent Action Standard. In other words, the industry is
improving its security measures in stages from the level established in
2003 with the interim standard to an extraordinarily robust set of
auditable requirements by end of year 2009.
The proposed standards will apply to 11 categories of ``Responsible
Entities,'' including NERC itself, the Regional Reliability Entities,
reliability coordinators [which may include Regional Transmission
Organizations or Independent System Operators], balancing authorities,
interchange authorities, transmission service providers, transmission
owners, transmission operators, generator owners, generator operators,
and load serving entities. As set forth in the NOPR, the proposed
standards address:
CIP-002-1--Cyber Security--Critical Cyber Asset
Identification:
Requires a responsible entity to identify its critical assets
and critical cyber assets using a risk-based assessment
methodology.
CIP-003-1--Cyber Security--Security Management
Controls:
Requires a responsible entity to develop and implement security
management controls to protect critical cyber assets identified
pursuant to CIP-002-1.
CIP-004-1--Cyber Security--Personnel & Training:
Requires personnel with access to critical cyber assets to have
an identity verification and a criminal check. Also requires
employee training.
CIP-005-1--Cyber Security--Electronic Security
Perimeters:
Requires the identification and protection of an electronic
security perimeter and access points. The electronic security
perimeter is to encompass the critical cyber assets identified
pursuant to the risk-based assessment methodology required by
CIP-002-1.
CIP-006-1--Cyber Security--Physical Security of
Critical Cyber Assets:
Requires a responsible entity to create and maintain a physical
security plan that ensures that all cyber assets within an
electronic security perimeter are kept in an identified
physical security perimeter.
CIP-007-1--Cyber Security--Systems Security
Management:
Requires a responsible entity to define methods, processes, and
procedures for securing the systems identified as critical
cyber assets, as well as the non-critical cyber assets within
an electronic security perimeter.
CIP-008-1--Cyber Security--Incident Reporting and
Response Planning:
Requires a responsible entity to identify, classify, respond
to, and report cyber security incidents related to critical
cyber assets.
CIP-009-1--Cyber Security--Recovery Plans for Critical
Cyber Assets:
Requires the establishment of recovery plans for critical cyber
assets using established business continuity and disaster
recovery techniques and practices.
The cyber security standards proposed by NERC provide firm
requirements that can be implemented by all participants in the
electricity sector regardless of size, staffing levels, or levels of
sophistication. Some members of the electricity sector already meet or
exceed the proposed standards. However, the standards may be a
significant burden on some entities that have not heretofore been
required to implement cyber security programs. Throughout the
development process, the drafting team attempted to push the bar beyond
the generally accepted industry best practices, and to ensure that
every component part has at least the minimum protection necessary to
protect the reliability of the bulk power system as a whole. The
resulting standards represent a balanced set of outcomes in a diverse
industry. These standards are rigorous, but compliance can be achieved
by all ``owners, operators and users'' of the bulk power system.
The proposed cyber security standards fulfill relevant portions of
Recommendations 32 and 32.A of the United States/Canada Power System
Outage Task Force report. These recommendations state, in part, that
NERC should finalize and implement the CIP-002-1 to CIP-009-1
standards, that NERC standards related to physical and cyber security
should be made mandatory and enforceable, and that NERC should take
actions to better communicate and enforce these standards. To help the
industry understand and implement these standards, NERC held a series
of ten industry workshops on the standards for bulk power system
owners, operators, and users that were conducted across North America.
NERC also believes that these cyber security standards are a
landmark for the implementation of mandatory cyber security in a non-
business environment. These standards represent, for the first time, a
set of mandatory security requirements for an entire industry. Other
statutory and regulatory attempts have not been as proscriptive or as
specific as these standards.
These proposed standards are different from traditional information
technology security standards. The CIP Reliability Standards apply
information technology security principles, which are commonly accepted
in the business environment, to bulk power system control systems which
were not designed with these security principles in mind. As such, the
security principles must be carefully applied to ensure that there are
no unintended consequences that undermine bulk power system
reliability. These standards must prescribe what is required of real-
time critical bulk power system operating systems. This differs from
what can be prescribed for secured business systems.
Promulgating standards for the bulk power system that draw too
closely on the standards appropriate for secured business systems could
result in a less reliable bulk power system, either because of
decreased operations or decreased security. Two examples of this are
(1) the use of password-protected screen savers on computers, and (2)
automatic lockout of accounts following invalid passwords. Both of
these are accepted business system security practices, but they lead
directly to reduced ability to reliably operate a real-time control
system, and thus to a less reliable bulk power system. In the case of a
password-protected screensaver, the business justification is to reduce
the release of confidential information or misuse of the computing
resources; in a control system, it results in a lack of visibility of
key real-time operating parameters that must be constantly observed to
ensure reliable operations. In the case of password lockout, business
systems use the lockout as a preventative measure to ensure that
information and computer resources cannot be used following an
concerted attack; in a control system the need to rapidly be able to
get access to a system under all circumstances may result in mis-typed
passwords, which could lead to the complete inability to monitor or
take corrective actions to maintain reliable operations. In both cases,
control systems implement alternate mitigating controls, including
increased physical security and additional personnel that the business
systems cannot assume, to ensure that the systems are not misused.
The proposed cyber security standards will increase the reliability
of the bulk power system by improving the resiliency of the control
system cyber assets and improving their ability to withstand cyber-
based attacks. Cyber security requirements will be applied to functions
and companies where they have never before been applied. NERC has
applied cyber security standards to control centers through prior
standards; however, the Standards currently before the Commission are
the first to require cyber security in either a substation or
generating plant environment.
3. Interaction Between NERC and NIST Processes.
The FERC NOPR addresses the relationship between the CIP
Reliability Standards and other existing standards for cyber security,
both governmental standards and industrial standards. See NOPR, PP 87--
88. Specifically, the Commission received a recommendation that Federal
Information Processing Standards (``FIPS'') 199, FIPS 200, and NIST
Special Publication 800-53 Revision 1, Recommended Security Controls
for Federal Information Systems (``SP 800-53'') be used as the basis
for cyber security requirements applicable to the electric power
sector. The National Institute of Standards and Technology recommended
that FERC consider a transition to cyber security standards identical
to, consistent with or based on SP 800-53 and related guidelines.
The Commission declined to propose such a transition in the
NOPR:
The Commission declines to propose at this time that NERC
incorporate any provisions of the NIST standards into the CIP
Reliability Standards. However, the Commission expects NERC to
monitor the development and implementation of the NIST
standards to determine if they contain provisions that will
better protect the Bulk-Power System. Several federal entities,
such as the Tennessee Valley Authority and Western Area Power
Administration, are subject to both the NIST standards and the
Reliability Standards, and therefore are likely to have unique
insights into the NIST standards. The Commission expects the
ERO to seek and consider comments from those federal entities
on the effectiveness of the NIST standards and on any
implementation issues. Any provisions that will better protect
the Bulk-Power System should be addressed in the ERO's
Reliability Standards development process. The Commission may
revisit this issue in future proceedings as part of an
evaluation of existing Reliability Standards or the need for
new Reliability Standards, or as part of assessing NERC's
performance of its responsibilities as the ERO.
NOPR, P 88 (footnote omitted).
NERC agrees fully with the Commission's determination. During the
development of the CIP Reliability Standards discussed above,
participants in the standards development process acknowledged that
NIST's existing FISMA guidance is not appropriate for control systems.
NIST has continued its work in this area, and has developed guidance,
which is still in the draft stage, on applicable actions to be
performed in support of FISMA compliance to control systems. To date,
NIST has released two public draft versions of its revised guidance (in
July 2005 and June 2007). As of this date, however, the guidance has
not been approved by NIST, nor issued in final form. Given the
importance of the cybersecurity standards and the critical need to have
standards in place and enforceable as soon as possible, it would not
have been appropriate to delay the NERC standards development process
in order to await the final outcome of the NIST process.
Additionally, as described above, NERC's procedures for the
development of reliability standards are governed by the Federal Power
Act. In certifying NERC as the ERO, FERC approved NERC's ANSI-approved
standards development process as consistent with the statutory
requirements. This ANSI-approved process is essentially the same as
that used by other standards organizations, including the IEEE, ISA,
and ANSI itself. In contrast, the NIST process is not an ANSI-
accredited process, and does not include a stakeholder ballot. As all
of the Reliability Standards developed by NERC and submitted to FERC
for approval must be developed through the FERC-approved ANSI process,
NERC cannot simply adopt a NIST guideline as a Reliability Standard.
While the NIST proposals can be (and have been) considered in the ERO
standards development process, the resulting standard cannot be the
NIST document or guideline.
C. While Interdependency Is A Significant Issue, The CIP Reliability
Standards Can Only Address Critical Assets In The Electricity Sector.
Another issue addressed in the NOPR, and in the FERC staff
assessment proposed CIP-002-1 regarding the identification of critical
assets, concerned the ``interdependency'' with other infrastructures.
The staff assessment asked for comments on whether CIP-002-1 should
address this matter, and whether there should be coordination and
collaboration in the future with other industries and government
agencies. In the NOPR, FERC concluded that:
While broader interdependency issues cannot be ignored, the
Commission intends to revisit this matter through future
proceedings and with other agencies. This work will help to
inform the electric sector and this Commission about the need
for future Reliability Standards, especially when the
interdependent infrastructures affect generating capabilities,
such as through fuel transportation.
NOPR, P 118.
NERC concurs that the interdependency issue raised in the NOPR is
an important one; however, the issue is too broad to be restricted to a
single agency or industry sector. We believe that it is best raised
through direct cooperation with other critical infrastructure sectors
through existing cross-sector initiatives such as the Partnership for
Critical Infrastructure Security (``PCIS'') and the Information Sharing
and Analysis Center Council (``ISAC Council''), with the lead federal
government agency being the U.S. Department of Homeland Security. Once
specific issues directly relating to the reliability of the bulk-power
system are identified through these organizations, standards creation
activities can be initiated through the ERO to address them.
III. CONCLUSION
The approval by FERC of the proposed CIP Reliability Standards will
represent an important milestone in the transition to the system of
mandatory and enforceable reliability standards envisioned by Congress
in the Energy Policy Act of 2005, that will ensure grid reliability by
improving the resiliency of the control system cyber assets and
improving their ability to withstand cyber-based attacks.
Going forward, standards development requires progressive and
continuous improvement. NERC's rules, and a condition of accreditation
by the American National Standards Institute, require that each
standard be reviewed at least every five years. NERC anticipates
completing the review and upgrade of all standards over a three-year
period, beginning with the highest priority standards in 2007. NERC's
standards development procedure provides a systematic approach to
improving to the standards and documenting the basis for those
improvements, and should serve as the mechanism for achieving those
improvements.
These CIP Reliability Standards already represent a significant
improvement of cyber security for the electricity industry. Since our
process requires that standards be continuously improved, the standards
will be reviewed, modified and improved by necessity of the process.
This will result in an ever-increasing improvement to the level of
cyber security throughout the electricity industry. However, the
process must start somewhere with a set of standards. Based on NERC's
development process, and the demonstrated broad base of support, the
standards currently before the Commission represent the most
appropriate starting point for today's environment.
Mr. Langevin. The Chair now recognizes Mr. Weiss to
summarize your statement in 5 minutes.
STATEMENT OF JOSEPH M. WEISS, MANAGING DIRECTOR, APPLIED
CONTROL SOLUTIONS
Mr. Weiss. Good afternoon, Mr. Chairman, Ranking Member
McCaul and members of the committee. I would like to thank the
committee for your commitment to a comprehensive examination of
the cybersecurity of control systems utilized in our Nation's
electric grid. I also want to thank you for the opportunity to
be here today to discuss this very important topic.
As you mentioned, I am a nuclear engineer that has been
involved in control systems for over 35 years and control
systems cybersecurity specifically for over 7 years. I have
been part of the NERC cybersecurity standards process since its
inception. I have been working with government organizations,
end users, equipment suppliers, domestic and international
standards organizations and others. I am also a utility
stockholder and ratepayer, both of which can be affected by
what we are discussing today.
The issue at hand is the protection of the interdependent
critical infrastructures of electric power, water, oil, gas, et
cetera. Control systems form the backbone of these
infrastructures, and the threat of a cyber attack is the
central issue. There are only a handful of control systems
suppliers, and they supply industrial applications worldwide.
The control systems architectures and default passwords are
common to each other. Consequently, if one industry is
vulnerable, they all could be. I am aware of more than 90, 9-0,
cases where control systems have been impacted by either
intentional or unintentional incidents. These incidents have
occurred in electric power transmission and distribution
systems, power generation including fossil, hydro, gas turbine
and nuclear, water, oil, gas, chemicals, paper and
agribusiness. The damage from the cyber incidents has ranged
from trivial to significant environmental releases to
significant equipment damage to even deaths.
When the NERC cybersecurity standards process originated,
it was meant to address utility control systems with the only
exclusion being mainstream business applications. Over time,
the scope significantly narrowed. The approach has resulted in
the following shortcomings: the ambiguousness and exclusions of
the NERC CIP process, and this includes telecom, electric
distribution, market systems, serial communications, nuclear
plants; and even the fact of not requiring actual appropriate
control systems policies would not meet a cybersecurity
assessment of the human resources computer system, yet we are
using this as a basis for our most important critical cyber
assets. The banking industry is concerned about the security of
a single open access point on a laptop. On the other hand, the
electric industry is determined by using the NERC substandards
that an entire section of the United States has no critical
generation assets. How can this be considering NERC's input on
the aurora vulnerability?
In my written testimony, I have provided four actual
control system cyber events the NERC substandards would not
have addressed, including one that was identified in an
electric sector ISAC advisory in 2003. This is not aurora. As
can be seen, this lack of any real security being addressed by
NERC is alarming at best and negligent at worst.
There is a better approach that, in fact, is already
mandatory for all Federal agencies, which includes TVA, BPA,
and the Bureau of Reclamation among others. This approaches the
NIST framework, which has been expanded to specifically address
control systems. We have conducted a line-by-line review
between the NERC CIPs and NIST 800-53; the results were that
NIST 800-53 is more comprehensive.
Why should Federal power agencies be held to a higher
standard? But, more so, why should they be placed at risk where
non-Federal agencies connect with them using a less
comprehensive approach? This doesn't make any sense.
My recommendation is, Congress should empower FERC with the
authority and responsibility for development of control systems
cybersecurity requirements and compliance criteria similar to
the role of the Nuclear Regulatory Commission. In so doing,
Congress should also provide FERC with the authority to
separate ERO functions so that NERC is responsible for
traditional electric system reliability standards, and have a
separate organization, very possibly ISA, be responsible for
the cybersecurity aspects of critical infrastructure
protection.
Finally, Congress should take action so that the ERO
function is funded by the government, not by industry as is now
the case, to better ensure that conflicts of interest do not
interfere with doing what is right and necessary and not just
what is convenient.
Thank you for allowing me to provide my thoughts and
concerns, and I would be happy to answer any questions.
[The statement of Mr. Weiss follows:]
Prepared Statement of Joseph M. Weiss
Good afternoon Mr. Chairman and Members of the Committee. I would
like to thank the Committee for your invitation to discuss the need for
appropriate cyber security of the control systems utilized in our
nation's critical infrastructure, in particular, the electric
infrastructure.
I am a nuclear engineer who has spent more than thirty years
working in the commercial power industry designing, developing,
implementing, and analyzing industrial instrumentation and control
systems. I have performed cyber security vulnerability assessments of
power plants, substations, electric utility control centers, and water
systems. I am a member of many groups working to improve the
reliability and availability of critical infrastructures and their
control systems, including the North American Electric Reliability
Council's (NERC) Control Systems Security Working Group (CSSWG), the
Instrumentation Systems and Automation Society (ISA) S99 Manufacturing
and Control Systems Security Committee, the National Institute of
Standards and Technology (NIST) Process Control Security Requirements
Forum (PCSRF), Institute for Electrical and Electronic Engineers (IEEE)
Power Engineering Society Substations Committee, International
ElectroTechnical Commission (IEC) Technical Committee 57 Working Group
15, and Council on Large Electric Systems (CIGRE) Joint Working Group
D2.22. As a control system cyber security expert, citizen, stockholder,
and ratepayer, I am very concerned about the electric industry's
approach to securing the electric grid. I would like to state for the
record that the views expressed in this testimony are mine. I am not
representing any of the groups in which I am involved.
Until 2000, my focus strictly was to design and develop control
systems that were efficient, flexible, cost-effective, and remotely
accessible, without concern for cyber security. At about that time, the
idea of interconnecting control systems with other networked computing
systems started to gain a foothold as a means to help lower costs and
improve efficiency, by making available operations-related data for
management ``decision support.'' Systems of all kinds that were not
interconnected with others and thereby could not share information
(``islands of automation'') became viewed as an outmoded philosophy.
But at the same time, there was no corresponding appreciation for the
cyber security risks created. To a considerable extent, a lack of
appreciation for the potential security pitfalls of highly
interconnected systems is still prevalent today, as can be witnessed in
a recent article in the September 2007 issue of Power Magazine.\1\ As
such, the need for organizations to obtain information from operational
control system networks to enable ancillary business objectives has
often unknowingly led to increased cyber vulnerability of control
system assets themselves.
---------------------------------------------------------------------------
\1\ Makansi, Jason, ``Integrated Software Platform Eludes Many
Owner/Operators'', Power Magazine, September 2007.
---------------------------------------------------------------------------
Generally cyber security has been the purview of the Information
Technology (IT) department, while electric control system departments
have focused on grid and plant operations efficiency and reliability--
not cyber security. This has led to the current situation where some
parts of the organization are now sensitized to security while others
are not as yet aware of the need. Industry has made progress in
identifying control system cyber security as an issue while not
appreciating the full gravity of the matter. In other ways,
particularly concerning the proposed NERC Critical Infrastructure
Protection (CIP) cyber security standards,\2\ I believe we have fallen
short of the mark. The timing of this hearing is fortuitous as more
than 70 organizations have recently submitted commentary responses to
the Federal Energy Regulatory Commission's (FERC) Notice of Proposed
Rulemaking (NOPR) RM06-22.\3\ These submittals provide a detailed view
into the electric power industry's intended approach to securing the
cyber assets used to operate the grid.
---------------------------------------------------------------------------
\2\ NERC Cyber Security Standards, http://www.nerc.com/filez/
StandardsStandards/Cyber-Security-Permanent.html
\3\ Federal Energy Regulatory Commission Docket RM06-22, http://
www.ferc.gov/docs-filing/elibrary.asp
How Mainstream IT and Control System Cyber Security are Different
Control systems include distributed control systems (DCS),
programmable logic controllers (PLC), supervisory control and data
acquisition (SCADA) systems, and related networked-computing systems.
Control systems are designed and operated differently than mainstream
IT business systems. Traditionally, the emphasis in securing business
IT systems is to employ the best practices associated with the well-
established ``Confidentiality, Integrity, Availability'' (CIA) triad
model--in that order of importance. Typically extra emphasis is placed
on rigorous human end user access control and data encryption to
satisfy the important function of confidentiality. In control systems,
however, confidentiality has less urgency than system availability and
data integrity, because in actual control system operation, the typical
``users'' are other computer-based devises (e.g. PLCs and field
devices), not humans. This distinction, and the fact that most extant
control systems are outfitted with older microprocessors with little
compute power, lies at the heart of the issue of securing control
systems in a manner appropriate to current need.
Unfortunately, today very few people possess thorough understanding
of control system cyber security. This understanding requires prior
detailed knowledge of the control system application, how it is
designed and operated, as well as how it communicates and is
interconnected with other systems and ancillary computing assets,
before appreciation of cyber vulnerabilities of the system as a whole
can begin. Figure 1 generally characterizes the relationship of the
different types of specialty technical skills needed for control system
cyber security expertise, and also reflects the relative quantities of
each at work in industry today. Most people now becoming involved with
control system cyber security typically come from a mainstream IT
background and not that of control systems. This has, in some cases,
inadvertently resulted in making control systems less reliable without
providing increased security, such as the example of the uninformed use
of mainstream IT port scanners on older generation PLC networks.
FiGure 1--Relationship and Relative Availability of Control System
Cyber Security Expertise
It is often mistakenly assumed that a cyber security incident is
always a premeditated targeted attack. However, NIST defines a Cyber
Incident \4\ as: ``An occurrence that actually or potentially
jeopardizes the confidentiality, integrity, or availability (CIA) of an
information system or the information the system processes, stores, or
transmits or that constitutes a violation or imminent threat of
violation of security policies, security procedures, or acceptable use
policies. Incidents may be intentional or unintentional.''
Unintentional compromises of CIA are significantly more prevalent and
can have severe consequences. In fact, statistics collected over
roughly the past 20 years in mainstream IT have consistently shown that
about two-thirds of all cyber security incidents originate from within
an organization, and that the cause of most of those are unintentional
human error. This phenomenon must also be addressed by cyber security
standards if they are to be effective.
---------------------------------------------------------------------------
\4\ National Institute of Standards and Technology Federal
Information Processing Standards Publication 200, Minimum Security
Requirements for Federal Information and Information Systems, March
2006. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-
march.pdf
---------------------------------------------------------------------------
Use of mainstream operating system environments such as Windows and
UNIX for running control system applications leave them just as
vulnerable as these operating systems are when used anywhere else, and
application of mainstream IT security technical solutions and/or
methods can be applied to help secure our more modern control system
host computers and operator consoles (i.e., PCs). At the same time,
however, application of mainstream IT security technologies and methods
can also adversely affect the operation of control systems, such as
causing components on networks of older generation PLCs to freeze-up
upon use of port scanning tools, as noted. Furthermore, DOE's Idaho
National Laboratory (INL) has conducted demonstrations of how a hacker
can manipulate widely used ``middleware'' software running on very
current mainstream computer systems without a great deal of difficulty,
e.g., using vulnerabilities in OPC code (``OLE for Process Control'').
In this sobering demonstration the system appears to be functioning
properly even though it is not; while displaying incorrect information
to, or withholding correct information from, system operator consoles.
Inadequacy of NERC CIP Standards as Effective Regulation
Prior to NERC becoming the Electric Reliability Organization (ERO),
NERC was an industry sponsored, industry-led, and industry-funded
organization, and they still are today. Contrary to popular belief,
NERC as ERO is still funded by the industry, thereby creating potential
for conflict of interest. It was a secret to no one involved that the
objective in drafting the Critical Infrastructure Protection (CIP)
Standards was for the industry, through NERC, to put something in place
to its liking before the Federal Government did so in its behalf. Thus,
the CIP Standards were developed by a trade association.
Because NERC employs an American National Standards Institute
(ANSI)-approved standards development process, it is required to follow
certain rules including balloting of its standards to obtain approval
from constituent industry member organizations. Consequently, as the
CIP Standards went through the balloting process, they became less
inclusive, more ambiguous, and created more exemptions to
applicability. It should also be noted that prior to industry
acceptance of the final version, the CIP Standards went though three
rounds of drafting and subsequent industry comment of approximately
1000 pages each (with some redundancy), and the NERC Drafting Team
could accept or reject recommendations unilaterally as they deemed
appropriate, with but modest explanation as to rationale. NERC and many
utility representatives recognized the limitations of this effort, but
felt anything more rigorous in terms of requirements would not be
acceptable to enough utility organizations to pass ballot.
As the NERC CIP Standards moved to their final revision, the focus
was shifted entirely to bulk power grid reliability in and of itself,
rather than on societal welfare and safety from a homeland security or
economic perspective. The reliable operation of a small substation that
supports a major oil or gas pipeline in a remote locale is not salient
to grid stability, but failure of same could very well have profound
adverse consequences for the health of the US economy. Likewise, under
the CIP Standards, the importance of continuity of electric power to
municipal water works, manufacturing plants, refineries, hospitals, and
military installations, etc., is not a factor requiring consideration
in determining the importance (or ``Criticality'') of the electric
system assets which serve them.
Perhaps the biggest issue with the CIP Standards as a set is CIP-
002, which establishes the scope of applicability for all of the other
CIP Standards: identification of ``Critical Assets.'' These are
individual pieces of electric system equipment such as electric
generating units, substation transformers and digital protective
relays, and though not explicitly stated, presumably though not
explicitly the control system hosts, related servers, and operator
consoles as well. Per CIP-002, deciding exactly which electric system
assets are critical to reliable operation of the bulk electric system
is left up to each individual organization to determine for itself,
using a ``risk based assessment methodology'' of its own choosing or
design. It is only the network-computing control systems components
used to operate these specific Critical Assets--thereby deemed
``Critical Cyber Assets''--that must be protected under the CIP
Standards. For all other non-Critical electric and control system
assets, the CIP Standards simply do not apply and may be ignored. As
CIP-002 is currently written, allowing an organization to choose its
own methodology permits the documented results from the flip of the
coin as a perfectly valid and compliant approach to self-determination
of Critical Assets. FERC has expressed consternation with this
``flexibility'' in its Notice of Public Rulemaking (NOPR) comments, and
in its Final Rule will in all likelihood remand this Standard back to
the NERC Standards process for re-conception. Unfortunately, the NERC
standards development process takes a great deal of time, and our
enemies are not constrained to only take advantage of our
vulnerabilities after our schedule for securing them has run its
course. The industry has been in the process of developing cyber
security standards for over four years, and yet the matter remains
unconcluded.
As noted, the CIP Standards apply only to those electric system
components self-identified by asset owners themselves to be critical to
their ability to maintain reliability for that part of the bulk
electric grid falling under the aegis of each. The process does not
embrace intra-region, inter-region, or a national viewpoint of the grid
as a system, but rather only parochial considerations, each in
isolation to the others. Additionally, there is no requirement to take
into consideration the potential for multiple contingency threat
scenarios that can involve more than one sphere of interest, such as
interdependency of critical natural gas pumping stations and the
greater electric power system. What's more, because utilities are
interconnected, they often share equipment where the utilities conjoin
(e.g., ``dual ported Remote Terminal Units-RTUs''), to say nothing
about network-to-network data router interconnections. Accordingly,
because utilities will apply the CIP Standards in a non-uniform
fashion, one utility's less rigorous application of the CIP
requirements will make it a ``weak link'' relative to its neighbor
utility, to the detriment of the cyber security of both organizations
and any others to which there are further data network
interconnections. Also note that all major electric sector control
systems in North America communicate over the common ``NERCnet'',
further exacerbating the situation. Worse yet, these days most control
networks are also interconnected with their corporate IT networks,
which themselves are connected to the Internet. A chain is only as
strong as its weakest link.
Technically, the CIP Standards were conceived primarily from the
frame of reference of protecting control center host systems and
operator consoles, rather than field and plant floor controls equipment
(``Other Facilities'') at work in substations, switchyards, and power
plants. The data systems in use within control centers generally
utilize current computing and networking technology, requiring
protective measures akin to those used in mainstream business and
Internet computing. Conversely, most field PCS (e.g., substation
equipment) and power plant DCS controller equipment still in use today
employ technology that generally is obsolete and has little in the way
of built-in cyber defenses, with little potential for upgrade or
augmentation. But since the CIP Standards are intended to apply for
both data center and intelligent field assets, they had to be written
in a way that would be relevant for advanced current and future
computing technologies, while at the same time accommodating what is
essentially `ancient' field and plant controls equipment. The result is
milquetoast one-size fits all standards that are not rigorous enough
for current and future cyber security challenges on the one hand, and
by and large are overkill for the older field and plant cyber assets
still in use. What's more, major gaps in CIP Standards' effectiveness
are created by a number of explicit exclusions from applicability--in
essence, loopholes.
Ironically, some of the most important contributors to grid
reliability, nuclear power plants, are excluded from the scope of
consideration as to criticality. While the Nuclear Regulatory
Commission (NRC) has robust physical security standards for nuclear
plants, the interconnection of nuclear power plant cyber control assets
with those used to manage the bulk electric grid currently is not
addressed in either NERC or NRC Standards. Also, while physical
security requirements are specified by NRC for nuclear power plants, a
little appreciated subtlety is that the CIP Standards specify physical
security requirements for Critical Cyber Assets only. There is no
existing NERC standard governing physical security of the Critical
Assets themselves, or any other grid assets for that matter.
Since electric distribution systems have been excluded from CIP
Standards' scope, so too are the controls used to operate them. This is
true even though distribution assets are in operation within many
transmission substations. Regardless of this, while many distribution
systems employ no control system at all, the ones that do are
electronically interconnected with transmission control systems,
thereby creating a direct pathway into the networked-controls
infrastructure of the greater bulk electric grid. Independent System
Operator (ISO) and Regional Transmission Operator (RTO) energy
management systems (EMS) are intrinsically data networks,
interconnected one with another via NERCnet. Also via NERCnet, each is
also interconnected with ``downstream'' control systems operated by
more localized distribution operators, including cooperatives and
municipal utilities. With control systems of all ownership becoming
increasingly interconnected to one another, while also being
interconnected with general-purpose corporate data networks and the
Internet, control system exposure to cyber threats is greatly
increased. Accordingly, the frame of reference concerning standards for
control system cyber security supporting grid reliability purposes must
be expanded to account for at least those operational control systems
that need to be directly interconnected. This means expanding the scope
of the standards to include smaller control area systems which
routinely exchange data--and potentially viruses, worms, or other
possibly compromised data--with ISO/RTO systems directly. Smaller
control area systems can be attractive points of entry and through-
navigation paths employed in common hacker ``island hopping''
technique. By analogy, at least some of the 9/11 terrorists entered the
air transit system through feeder airports on that fateful day.
Another exception to applicability of the CIP Standards are control
systems' data communication infrastructure per se. Currently, the
electric industry has a huge investment in serial communications that
will not be replaced and/or upgraded to routable communications such as
Internet Protocol (IP) for many years. These serial communication
systems have been demonstrated by the National Laboratories to be cyber
vulnerable, e.g., through induction coil passive wiretapping or war
dialing, and there have been instances where serial communications have
been compromised. However, legacy protocol serial communications are
excluded from the CIP Standards' scope simply because they employ non-
routable protocols.
A further dubious exclusion from the scope of CIP Standards'
applicability involves the Open Access Same-Time Information System
(OASIS). These distributed market trading systems are excluded from CIP
scope, even though they are routinely connected to energy management
systems (EMS) and/or SCADA reliability systems on one side, and the
Internet on the other. There is no existing regulation currently
governing the cyber security of market systems, which many large
systems operators will tell, at least privately, are paramount to their
ability to dispatch their reliability responsibilities. In fact, aside
from OASIS systems becoming entirely unavailable, an operations manager
for a large transmission organization recently offered in confidence
that ``the thing that scares [him] most in terms of maintaining
reliability is spoofed [OASIS] schedules and tags'' through cyber
means.
Finally, while some electric industry organizations are using
ambiguities within the CIP Standards to minimize the number of Critical
Cyber Assets to which the Standards must be applied, without realizing
it they may be greatly increasing their liability in other ways. At the
ISA Expo2007 in Houston,\5\ a panel session was held on October 2,
2007, covering NERC CIP implementation. The NERC representative in
attendance explicitly stated that a utility would be CIP-compliant
merely by establishing cyber security policies of some kind, even if
they are poorly conceived or effectively inadequate to need. During the
CIP Standards drafting process a less vocal but substantial number of
electric industry representatives complained about the absence of
``adequacy metrics'' pertaining to the Standards' requirements in
general across the board, which was not remedied prior to their
balloted approval by the industry. This demonstrates how conception of
the CIP Standards has missed the mark of thoughtfully effecting genuine
cyber security, but rather has resulted in the framing of a compliance
exercise in essence amounting to adherence to a checklist. This at once
elevates the need for technically competent auditors who can review the
checklists and ask the right questions, while at the same time there
are very few auditors who have requisite experience in the context of
control systems. What's more, during a panel session at the ISA
Expo2005 in Chicago, one utility industry representative presented the
following slide: ``In the Electric Sector, the Business Case for CIP &
Reliability initiatives in today's landscape must be based on the
surety that your company will be financially impacted if it is found to
be noncompliant.'' \6\ That is, if the amount of the fine would be less
than the cost to become secure, the utility would pay the fine.
---------------------------------------------------------------------------
\5\ Panel Session on NERC Compliance, ISAExpo2007, Houston, TX,
October 2, 2007.
\6\ Thomas Flowers, ``The Business Case for Being Auditably
Compliant'', ISAExpo2005, Chicago, IL, October 25, 2005.
Case Histories Which Reveal NERC CIP Standards' Inadequacies
Contacts throughout industry have shared with me the details and
adverse affects of more than 90 confirmed control system cyber security
incidents to date. This information has been shared with me by
individuals from the affected organizations, and from government
sources such as the Nuclear Regulatory Commission (NRC), the DOE
National Laboratories, the National Transportation Safety Board (NTSB),
and the National Institute of Standards and Technology (NIST). Note use
of the term ``incident'', not ``attack'', as most of these events have
been unintentional. The incidents are international in scope (North
America, Europe, and Asia) and span several industrial infrastructures
including electric power, water, oil/gas, chemical, and manufacturing.
With respect to the electric power industry, cyber incidents have
occurred in transmission, distribution, and generation including
fossil, hydro, and nuclear power plants. Impacts, whether intentional
or unintentional, range from trivial to significant environmental
discharges, serious equipment damage, and even death. Figure 2 shows
the result of a Bellingham, WA, pipe rupture,\7\ which an investigation
concluded was not caused by an intentional act. Figure 3 is a picture
from the Idaho National Laboratory (INL) demonstration of the ability
to intentionally destroy an electric generator by simulating a cyber
attack.\8\
---------------------------------------------------------------------------
\7\ ``Pipeline Accident Report Pipeline Rupture and Subsequent Fire
in Bellingham, Washington June 10, 1999'', National Transmission Safety
Board Report NTSB/PAR-02/02 PB2002-916502.
\8\ http://news.yahoo.com/s/ap/20070927/ap_on_go_ca_st_pe/
hacking_the_grid_13
[GRAPHIC] [TIFF OMITTED] T1078.002
Figure 2 Bellingham, WA Gasoline Figure 3 INL Cyber Demonstration
Pipeline Rupture
The deficiencies in the NERC CIP can be demonstrated by the
exercise of applying them to historical cyber events. In each
historical case discussed below, adherence to CIP Standards'
requirements would have failed to address the underlying causes. I have
chosen events that are all publicly documented by government (US and
Australian) reports. I have also included references to the Final
Report of the 2003 Northeast Blackout.\9\ The reason for including this
reference example is because there were several cyber issues associated
with the Northeast Blackout including co-temporal release of the
Blaster worm and the First Energy SCADA system alarm problem. These
issues resulted in 13 (of the 46) recommendations contained in the
Northeast Blackout Report being cyber-related. The Northeast Outage
Final Report was issued approximately two years before the NERC CIP
Standards were approved. Not including the Blackout Report's
recommendations is inexcusable.
---------------------------------------------------------------------------
\9\ Final Report of the August 14, 2003 Blackout in the United
States and Canada: Causes and Recommendations, April 2004, https://
reports.energy.gov/BlackoutFinal-Web.pdf
Case (1) June 20, 2003 ``SQL Slammer Worm Lessons Learned. . .''.\10\
---------------------------------------------------------------------------
\10\ SQL Slammer Worm Lessons Learned for Consideration by the
Electric Sector, June 20, 2003, nerc.com.
---------------------------------------------------------------------------
The control network at issued employed a frame relay data network
service that interfaces with both the utility's host control system on
one side of the network, and field components on the other. This
network service, vended by a large telecommunications carrier,
supported many diverse business organizations simultaneously. As is
common, this network service utilized a high speed Asynchronous
Transfer Mode (ATM) core network backbone at the center of the frame
relay network. With the release and rapid spread of the Slammer worm
across businesses of all kinds serviced by the frame network, the core
ATM infrastructure became choked by the worm's multiplying replication
and propagation. This resulted in blockage of SCADA traffic between the
utility controls host and remote controls equipment in field
substations. Note that NERCnet is a shared frame relay network.
Issues: The telecom network was in essence shut down by Slammer
worm traffic. The Final Report on the Northeast Blackout recommends the
development of a capability to detect wireless and remote wire line
intrusion and surveillance, and this report was issued prior to the
adoption of the NERC CIP Standards. NERC should have heeded this
recommendation, but inexplicably, the CIP Standards exclude
availability requirements for telecom networking, which is intrinsic to
control system operations. As will be discussed later, the NIST SP800-
53 standard does not allow a scope exclusion concerning
telecommunications network availability--the CIP Standards do.
Case (2) Tempe, Arizona Area Outage of June 29, 2007. \11\
---------------------------------------------------------------------------
\11\ ``Computer Problem Causes Brief Outage to as Many as 100,000
SRP Customers in Arizona'', Energy Assurance Daily, Friday June 29,
2007, http://www.oe.netl.doe.gov/docs/eads/ead062907.pdf
---------------------------------------------------------------------------
The outage lasted 46 minutes and affected 98,700 customers,
representing 399 Megawatts (MW) of load. It was caused by the
unexplained activation of the distribution load shedding program in the
energy management system (EMS) at the Salt River Project (SRP), the
utility affected. A total of 141 distribution circuit breakers were
opened by the EMS unexpectedly.
Issues: Most of the automation used in electric transmission and
distribution systems is used to manage the distribution function.
Distribution systems can be directly connected to transmission systems,
and distribution system failures can be precursors to cascading outages
resulting from runaway load shedding. However, the NERC CIP excludes
distribution automation from scope, because they are not deemed to be
part of the bulk electric system per se (i.e., the grid). NIST SP800-53
does not allow exclusion from scope of distribution automation assets.
Case (3) Australian Wireless Network Hack \12\
---------------------------------------------------------------------------
\12\ Supreme Court of Queensland r v Boden, Vitek 2002, CA Number
324 of 2001 DC Number 340 of 2001, http://www.courts.qld.gov.au/
qjudgment/QCA%202002/QCA02-164.pdf.
---------------------------------------------------------------------------
A disgruntled former consultant to an Australian firm that used
radio-controlled SCADA sewage processing equipment packed his car with
stolen radio equipment and attached it to a computer. He drove around
the area on at least 46 occasions from February 28 to April 23, 2000,
issuing radio commands to open discharge valves, resulting in sewage
spills. This attack became the first widely known example of someone
maliciously breaking into a control system.
Issues: Aware of this event, the task force that issued The Final
Report of the Northeast Blackout recommended the development of
capabilities to detect wireless and remote wire line intrusion and
surveillance. The Blackout Report and the Australian sewage attack
report were issued prior to the issuance of the NERC CIPs.
Inexplicably, the NERC CIP Standards exclude non-routable protocols and
do not explicitly address wireless communications. NIST SP800-53 does
not have these scope exclusions concerning non-routable protocols, and
addresses wireless communications explicitly.
Case (4) Nuclear Power Plant Cyber Incident \13\
---------------------------------------------------------------------------
\13\ NRC Information Notice: 2007-15: Effects of Ethernet-Based,
Non Safety Related Controls on the Safe and Continued Operation of
Nuclear Power Stations, April 17, 2007.
---------------------------------------------------------------------------
On August 19, 2006, operators at Browns Ferry nuclear generating
facility, had to manually scram (shut down) Unit 3 following a loss of
both primary and secondary reactor water recirculation pumps. Plant
procedures specified that the manual scram was required following the
loss of recirculation flow. The NRC issued an Information Notice (IN)
to alert licensees about recent operating experience related to the
effects of potential interactions and unanticipated failures of
Ethernet connected non-safety equipment on the safety and performance
systems in use at nuclear power stations.
Issues: Nuclear plants represent approximately 20% of US electric
power generation. Widespread shutdown of nuclear facilities would have
significant adverse impact on the reliability of the bulk electric
grid. The NRC is responsible for the safety of nuclear plants, that is,
safe shutdown. NRC does not however ``regulate'' the continued
operation of nuclear plants in relation to grid reliability, as
witnessed in the NRC Information Notice. The NERC CIP Standards exclude
nuclear power facilities from scope, while NIST SP800-53 does not allow
such exclusions for nuclear plants.
Early Repercussions from Establishment of the CIP Standards
As noted above, each organization in the electric industry with
responsibility for maintaining the reliability of the bulk electric
system is free to adopt a risk based assessment methodology of its own
choosing or design to determine which cyber controls apparatus must be
protected. Discussion across the industry has born witness to an
interesting phenomenon which has yet to be formally documented
anywhere. It so happens that many of the largest electric utilities
have determined in their risk assessments that they have no--zero--
critical generation assets. In fact, within one of the largest regions
in the US, the southeast, virtually none of the large operators have
identified any of their generation assets--nuclear included--as being
critical to reliability of the bulk electric system. The reason for
this is offered forthrightly, that their systems have been designed to
withstand ``N-1 contingencies,'' meaning that they can withstand the
loss of any single unit without adverse impact on reliability. What is
not being considered is the potential for simultaneous multiple
contingencies. With the greater controls infrastructure being as cyber-
interconnected as observed earlier, it is by no means beyond the realm
of possibility of just such an occurrence taking place. Without
digression into potential permutations, while Slammer and Blaster worms
were propagated via email, and email is generally not used in
operational control systems, an analogous threat vector could be
sculpted for widespread attack on the greater assemblage of control
systems used to operate the grid. What if a Trojan Horse planted in
numerous generation control systems should awaken at the appointed hour
and simultaneously trip a whole collection of plants in a region
offline at once? The effect would look very much like the Northeast
Blackout. Very possible scenarios such as this are being discounted out
of hand by people in positions of authority who really do not
understand cyber security.
Second, we are also witnessing an unfortunate and unexpected
phenomenon concerning the CIP Standards that leaves us at cross
purposes with other needed electric system management improvements.
Many of the more recent utility controls automation upgrades have been
motivated by the goal of improving electric system reliability, but at
the same time to also aid reduction in operation and maintenance costs.
Many of these new systems enhancements are predicated upon the use of
modern digital networking technologies (e.g., employing routable
protocols such as IP), and in so doing these assets explicitly fall
within scope of NERC CIP Standards' compliance. Consequently, because
of concerns about potentially being ``caught by the CIP Standards'' in
a state of noncompliance thereby resulting in potentially large fines,
a number of utilities have started to disconnect, or have ceased
implementation of, these modern networked-systems improvements--
motivated explicitly by the goal of CIP Standards compliance-
requirements avoidance. This tactic results in leaving certain existing
cyber vulnerabilities unaddressed through exploitation of loopholes in
the CIP Standards, as now written. At the same time, new ``time and
distance compression'' operating efficiencies that can be garnered
through use of modern networked remote control and telemetry are
thereby lost by this step backward. The potential for improved
operational efficiency could at least temporarily contain if not indeed
reduce gross operating costs, which in turn holds the line on electric
rates experienced by society. So, it appears that the industry is at
cross-purposes in its response to the need to both secure and modernize
the existing control systems infrastructure. This ironic industry
response to the CIP Standards serves neither purpose in any discernable
positive way.
An Alternative to the NERC CIP Standards
The NIST ``Security Risk Management Framework'' (hereafter referred
to as ``Framework'') has been developed by the Department of Commerce,
and its use is mandatory for all federal agencies under the Federal
Information Security Management Act (FISMA).\14\ It is devoid of
conflict of interest and has been broadly and publicly vetted. There is
nothing `onerous' about the NIST Framework, as it applies specifically
for systems that do not have national security significance, and
recently it has been augmented to address the unique needs of
industrial control systems. In a study performed by MITRE Corporation
for NIST, a line-by-line comparison of controls and countermeasures
within NIST SP800-53 \15\ and the NERC CIP Standards \16\ was
undertaken. The results indicated the NERC CIP Standards were less
rigorous than even the low-baseline security controls established in
the NIST Framework. In the final analysis, if U.S. Fish and Wildlife
must comply with the low-baseline NIST Framework, from the perspective
of societal wellbeing and economic stability, in good conscience is it
prudent to require less from the operators of the electric grid.
---------------------------------------------------------------------------
\14\ The Federal Information Security Management Act of 2002
(``FISMA'', 44 U.S.C. Sec. 3541, et seq.)
\15\ National Institute of Standards and Technology Special
Publication 800-53, Revision 1, Recommended Security Controls for
Federal Information Systems, December 2006.
\16\ MITRE Technical Report (MTR070050): Addressing Industrial
Control Systems in NIST Special Publication 800-53; http://
csrc.nist.gov/groups/SMA/fisma/ics/documents/papers/ICS-in-SP800-
53_final_21Mar07.pdf
---------------------------------------------------------------------------
A recurrent theme in the FERC NOPR is the need for greater
granularity and detailed specificity in the CIP Standards. Part of the
problem is the manner in which the CIP Standards are written--broadly
brushed and highly generalized; so it's easy to understand FERC's
desire for more specificity. This desire is at least in part motivated
by the need to conduct compliance audits. The high-level abstraction of
the NERC CIP Standards requirements language can leave the auditor
struggling with shades of grey in interpretation (especially those
auditors that come from a mainstream IT background exclusively), to say
nothing as to grey-area impact in appeals to findings of non-
compliance. In contrast, NIST SP800-53 is far more granular and
provides clear requirements that have much less room for
misunderstanding. Furthermore, the companion NIST SP800-53A \17\
provides guidelines for determining the effectiveness of cyber security
controls; that is, the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome
with respect to meeting the security needs of the organization.
Additionally, NIST has also produced a detailed guidance document for
industrial control system (ICS) security, NIST SP800-82,\18\ which
provides instruction on securing ICSs while at the same time satisfying
their unique performance, reliability, and safety requirements.
---------------------------------------------------------------------------
\17\ National Institute of Standards and Technology Special
Publication 800-53A, Guide for Assessing the Security Controls in
Federal Information Systems (Third Public Draft), June 2007.
\18\ National Institute of Standards and Technology Special
Publication 800-82 (2nd draft), Guide to Industrial Control Systems
(ICS) Security, http://csrc.nist.gov/publications/drafts/800-82/2nd-
Draft-SP800-82-clean.pdf
---------------------------------------------------------------------------
One of the major problems in control system cyber security is the
culture clash between an organizations' mainstream IT department and
that responsible for the operating critical infrastructure and related
control systems. The NIST Framework, specifically NIST SP 800-53
extended for Industrial Control Systems (ICS), is the only document of
which I am aware of that addresses both IT and control systems security
in the same document. Consequently, it is my belief that this is a key
tool that can help bridge the organizational divide between mainstream
IT and control system operations functions; which in and of itself can
help to untangle many of the existing control system cyber security
issues.
Adoption of the NIST Framework for the electric sector will
eliminate the requirement for redundant effort faced by a number of
quasi-federal organizations such as the Tennessee Valley Authority
(TVA) and the Bonneville Power Authority (BPA), who are now required to
prepare different sets of documentation and endure dual audits for both
FISMA and NERC CIP Standards compliance. Is this duplication a good use
of ratepayer dollars?
The electric sector is arguably the most interdependent of all the
critical infrastructures, and it's also the first of the private
industrial sectors (health and financial excluded) to move toward
establishment of cyber security standards. Without digression, it would
appear wise for all of our industrial sectors to adopt a consistent set
of methodologies for cyber security of distributed and process
industrial control systems. The vulnerability demonstration shown by
CNN (reference 5) provides a clear justification. The advisory notice
about the demonstrated vulnerability was issued to the electric
industry, including dams, and was also released to the chemical and
water industries as they use similar systems and networks and thereby
similar cyber vulnerabilities. Additionally, having consistent
requirements across industries can minimize the potential for having to
modify control systems to meet individual sector security requirements.
One way to move towards cross-sector convergence in cyber security
ways and means is for all stakeholders to use the same terminology and
to eliminate duplicative or overlapping sets of security standards'
requirements. NIST offers a set of high-quality publications addressing
most of the relevant managerial, administrative, operational,
procedural, and technical considerations. Each of these publications,
such as SP 800-53, have been put through a significant public vetting
process by all sectors, including, to the extent possible, by
authorities in the national security domain. NIST offers its documents
to all organizations interested in using them as a basis for developing
common Standards within the ICS community.
Summary Opinion
NERC is now FERC's Electric Reliability Organization (ERO) and as
such should no longer be acting as an industry-representative
organization. However, much evidence reveals NERC still exhibiting
vestiges of its role as an industry advocate, at least in so far as
concerns its attempts to minimize the urgency of the matter of cyber
security. Rather than be attentive to and supportive of the FERC NOPR
and move to assure its implementation, NERC has chosen to issue
rebuttal comments.\19\ What's more, the dubious act of NERC submitting
a rebuttal to FERC is exacerbated by the poor technical quality of its
comments. NERC has not had previous experience with control system
cyber security, and I do not believe that NERC as constituted is
capable of providing adequate oversight of cyber security of the grid.
---------------------------------------------------------------------------
\19\ NERC Comments on the FERC NOPR dated October 5, 2007, Comments
on the North American Electric Reliability Corporation on the Notice of
Proposed Rulemaking for Mandatory Reliability Standards for Critical
Infrastructure Protection, nerc.com
---------------------------------------------------------------------------
For the reasons stated above, the existing NERC CIP Standards are
not adequate for cyber-securing the electric grid. There are other
approaches that can provide a higher level of security without
incurring significant incremental cost. My principal recommendation is
that the NIST Framework's requirements should be incorporated into
standards for industry that are currently being developed by the ISA99
Standards Development Committee, Security for Industrial Automation and
Control Systems.\20\ As is NERC, ISA is an accredited member
organization of the American National Standards Institute, and the
ISA99 committee brings together security experts from across industry,
government, and academia. DHS has already provided valuable support by
allowing experts from NIST and the National Laboratories to contribute
in this ISA99 initiative, and it is vital that this support continue. I
recommend further that the NIST Framework requirements form the basis
of compliance audits to be conducted by a new and related entity, the
ISA Security Compliance Institute. Any resulting fines or other
findings should be addressed by NERC. A single set of Standards for
industrial automation and control systems is more cost effective than a
patchwork of standards conceived independently by each industrial
sector. This would provide the leading practitioners on control systems
cyber security to bring their expertise to bear and provide comparable
levels of protection across the interdependent critical
infrastructures.
---------------------------------------------------------------------------
\20\ ISA99, Security for Industrial Automation and Control Systems
Recommendation to Congress
Congress should empower FERC with the authority and responsibility
for development of control system cyber security requirements and
compliance criteria similar to role of NRC in these matters. In so
doing, Congress should also provide FERC with the authority to separate
ERO functions so that NERC is responsible for traditional electric
system reliability Standards, and have a separate organization be
responsible for the cyber security aspects of critical infrastructure
protection. Finally, Congress should take action so that the ERO
function is funded by the government, not by industry as is now the
case, to better ensure that conflicts of interest do not interfere with
doing what is right and necessary, and not just what is convenient.
Mr. Langevin. Mr. Weiss, I want to thank you for your
testimony. You had some very salient points in there, and I
agree with your testimony.
I want to again thank all the witnesses for their testimony
here today. And I now recognize myself for the purpose of
questions. Let's get right to it.
Mr. Whiteley, as you are aware, we are very concerned about
the aurora mitigation efforts ongoing in the electric sector.
In a briefing with staff on Friday, DHS described a survey that
NERC sent out in August 2007 to determine how many owners and
operators were implementing the mitigation efforts.
Can you describe the survey and tell us its findings?
Mr. Whiteley. The survey was the follow-up to the guidance
that was issued earlier in the spring, and we have determined
that approximately, at this point, 75 percent of the
transmission grid has either taken appropriate actions or is in
the process of implementing those actions. And we continue to
follow up with the remaining 25 percent of the grid that either
has not reported or that hasn't started to take action to find
out what the status is.
So in terms of ongoing work, we continue to follow up; to
eventually reach a 100 percent reporting is our goal.
Mr. Langevin. Why don't you have 100 percent compliance at
this point? What is the remaining 25 percent? Why are they
dragging their feet?
Mr. Whiteley. Well, I don't have--I don't have information
on whether they are dragging their feet or whether we just have
not received the report. We are in the process of following up
with them at the present time to determine just exactly that.
Mr. Langevin. On that 75 percent you say is in compliance,
this is not just anecdotal. You are talking about, these are
hard answers to the issue of having implemented all the
mitigation strategies?
Mr. Whiteley. This is a follow-up with most of the large
utilities in the country and many of the intermediate-size
utilities as well. And it is hard evidence or hard data that we
have asked, and they have explained what has been done. So we
have direct information.
Mr. Langevin. Well, I don't have as high a degree of
confidence, and I have to say I am a bit skeptical that the
entire electric sector is well on its way to having mitigated
the problem and implemented strategies.
Mr. McClelland, would FERC determine an investigation to
consider whether the level to which electric sector owners and
operators have implemented these mitigation efforts?
Mr. McClelland. Yes. Yes. We agree that in order to
determine whether or not there have been sufficient mitigation
measures employed, it would be very important--in fact,
essential--to have information that would validate what those
mitigation measures were and who has conducted those mitigation
measures.
Mr. Langevin. Thank you.
Mr. McClelland and Mr. Whiteley, under today's regime that
is, frankly, the option of the cyber standards, if a cyber
exploit of the aurora vulnerability is imminent, how will the
electric sector, ISAC or the Department of Homeland Security
ensure the immediate implementation of mitigation efforts?
And doesn't the fact that this is an advisory document
hamper the mitigation?
Mr. Whiteley. NERC has issued it as an advisory because it
falls outside of our present authority in terms of standards
that have already been approved. Had they been approved
standards, then we would have additional mechanisms to follow
up with the industry. And so to the extent we could, we have
issued the advisory, explained it, and we are following up.
Mr. McClelland. The Commission issued an order on September
20 to clarify, that required action alerts, as issued by NERC
in this circumstance, are not required because they are not
based on an approved reliability standard, the standard that
has been through the open and inclusive process required by
EPAct and then approved--subsequently approved by the
Commission. However, the Commission encourages--we applaud NERC
and encourage these types of advisories to be put into place.
We have also now directed that--following a required action
alert, the Commission has directed that within 30 days of the
compliance date on such an alert, the Commission will receive a
report from the ERO that will detail who has complied, who has
not complied with what the level of compliance is, so that the
Commission can evaluate whether further action--and that would
include action to call for a reliability standard--is
warranted.
Mr. Langevin. Thank you.
Mr. Weiss, do you care to comment on any of the questions
and, in particular, if, in fact, there was a need to move
quickly as a result of actionable intelligence, some knowledge
that there is a vulnerability that existed, A, does the current
structure lend itself to closing loopholes quickly? And what is
the best strategy or the best entity to make sure that if we
have a situation that arises, that we can move quickly to close
gaps, close vulnerabilities?
Mr. Weiss. I would like to address one other point, and
that is, aurora is obviously a very critical vulnerability. It
is the not only one; there are several others out there,
probably of equal significance. And one of the things that I am
very concerned about is that people focus so much on aurora
that they don't look at other things.
I had a phone call from a friend from the oil/gas industry
when they got that ISAC advisory. Their first question to me
was, what about the other vulnerabilities? So the first thing I
really want to get across is, we are not trying to address one
and only one issue. What we are trying to address is the cyber
vulnerability of the grid, and for that matter, the
interconnections to the grid.
The second point is that what I have found personally over
time is that there is a tendency for private industry to be
very reticent to provide information to the government. Several
years ago we prepared a scoping study. We did this under a DOE
contract. It was Carnegie Mellon and my previous employer. It
was a scoping study for setting up a cert for control systems,
and one of the most important aspects on that was that we felt
that that initial entity, where the information goes in, should
not be a government entity. It should be somewhere that it
could be sanitized and then sent off further to actually have
the work done.
But the other point I want to get across, because I think
this gets missed, is what I said to begin with. All of these
industries use exactly the same equipment; that same, identical
programmable logic controller that is used in a power plant or
a substation is used in a steel mill, in a chemical plant, in a
water plant, et cetera. So if they have problems or cyber
issues, we need to know that.
One of the things I see that is missing, you could call it
an ISAC, call it what you will, but there should be something
that is focused on the control systems because that is what we
are looking at. That is what cuts across.
Mr. Langevin. Thank you, Mr. Weiss.
My time has expired. The Chair now recognizes the Ranking
Member for 5 minutes.
Mr. McCaul. I thank you, Mr. Chairman.
You know, since 9/11 we have been very focused on physical
threats. But in my view, not enough attention has been paid to
virtual threats and cyber threats, and yet we have known about
these threats out there.
I think aurora kind of highlighted it and brought it even
more so to our attention, not only to the panelists, but to
Members of Congress when we had that briefing. We have a
responsibility in a bipartisan way to do everything we can to
protect the American people.
First and foremost, when you look at 25 nations that have
cyber warfare programs out there, it causes me great concern.
And Mr. Weiss, you mentioned other vulnerabilities. My question
was going to be--and I do want to ask a question about NIST, if
I can, as well. But as I said to the prior panel, some credit
deserves to be made to Idaho National Lab and DHS for actually
proactively finding a vulnerability, then fixing it, then
mitigating it.
Mr. Weiss. Absolutely.
Mr. McCaul. But there are other vulnerabilities.
To the extent you can comment on those, Mr. Weiss, can you
tell us what those are? And what do we need to be doing at the
Federal level in the government to address those in the most
practical way?
Mr. Weiss. Again, following up on what you just said, the
Idaho National Lab and, for that matter, the other national
labs have been doing this type of research for several years.
Aurora, because it actually showed damage to equipment, is the
first one that, if you will, really made a splash. But they
have shown that you could damage equipment, that you can open
valves, that you can open and close breakers. They have been
showing that for the past 3 or 4 years; it just hasn't gotten
the attention it has needed.
Part of the issue that we have is in the control systems
world, we have designed our systems for performance, and we
have never assumed anybody would intentionally want to do harm.
And so when I talk to people, it is the people that, if you
will, own these systems that are the most knowledgeable, and if
they thought about it, could cause the greatest harm. They are
the people we need at the table because they could come up
with, if you will, the worst cases and the things we really
need to address.
Mr. McCaul. Of course, any country that has that capability
also could use it against us.
Mr. Weiss. Sure.
Mr. McCaul. And has a mitigation strategy with respect to
aurora helped protect us from some of these other
vulnerabilities in these other areas?
Mr. Weiss. It can because part of what aurora did was look
at a remote access vulnerability. That covers more than just
aurora. So in that sense, it has done, incrementally, good.
There are other things out there, there are other
vulnerabilities that are totally independent, if you will, of
the aurora vulnerability.
Mr. McCaul. That was sort of in my thoughts as well.
We sent a letter, a bipartisan letter, basically stating
that we believe that the reliability of the Nation's bulk power
system, BPS, would be better protected by a cybersecurity
standard that incorporates additional security measures of the
National Institute of Standards and Technology under the
special publication 800-53.
Where are you three on this?
Mr. Weiss. Well, I have to be a bit careful because I was
part of the process. What I can tell you is what we did.
We had a member from the NERC drafting team, myself,
somebody from MITRE and several people from NIST where we went
and we spent 2, 3 days going through, line by line, the
comparison between the NERC CIPs and 800-53; and in addition to
that, looking at 800-53 to make sure we are extended to cover
control systems.
What NIST then did is, it held several meetings with
Federal agencies that were bound by Federal law to use that. So
they also got feedback coming in from the end-users.
I believe personally that the--like I say, I am biased--I
believe, far and away, that is the best document that is out
there. And it does one other thing I would like to make a point
of.
One of the biggest problems we have today is a conflict
between the IT organization and the control systems
organizations, that is, throughout any industry or any company.
The NIST document is about the only one that can address it
because it is the only document that essentially was IT to
start with. So IT is there, and it has now been extended to
cover control systems. So we have one document that both
organizations can share or have to share.
Mr. McCaul. And Mr. Whiteley?
Mr. Whiteley. Well, certainly I would suggest that the CIP
standards that we filed with the Commission are simply a
starting point. And I think I have referenced that in my
testimony. That it is a good starting point, and our intention
is to make them better as time goes on.
Certainly, the evidence that NIST standards may be more
applicable today to control systems than they were when these
were originally drafted and that there is additional guidance
from the cybersecurity community, it would be very appropriate
for us to put them back through our standards process and make
appropriate revisions.
And, in fact, I can tell you that in our normal cycle of
revising our standards, the cybersecurity standards are already
in our work plan within the next 3 years for their first round
of revisions, and they haven't even been approved yet. So we
know they will get better; they have to get better over time.
Mr. McCaul. Mr. McClelland.
Mr. McClelland. I should begin by explaining, or at least
clarifying, the Commission's authority. The Commission can
approve a proposed--the Commission can't author a reliability
standard; it can only approve or remand a reliability standard.
Simultaneous with the approval, the Commission can call for
immediate modifications to the standard.
The comments we received from Congress ask us to consider
the NIST standards instead of the CIP standards the Commission
had proposed in its Notice of Proposed Rulemaking.
Understanding the Commission could not substitute the standards
for the CIP standards, the Commission proposed to evaluate NERC
on its performance by NERC's evaluation of the NIST standards.
There are entities, such as TVA, that will be under both
NIST and CIP standards. The best elements of the NIST standards
can and should be incorporated into the CIP standards. If the
ERO doesn't initiate that motion on its own, the Commission can
and will initiate that motion.
I should also say that the CIP standards in their current
state, the Commission is concerned. There are exclusions for
reasonable business judgment. There are also exclusions for
technical feasibility. An example would be if a piece of
equipment is not capable of accepting a multicharacter
password, a longer password with multicharacters, one might be
able to claim under the current CIP standards that it is not
technically feasible and be excused from that requirement.
So the Commission has expressed these concerns and is
proposing to call for immediate modifications to the CIP
standards. So on that basis, the CIP standards in their current
form, the Commission feels needs improvement.
Mr. McCaul. Okay. Thank you very much.
Thank you, Mr. Chairman.
Mr. Langevin. I thank the gentleman. And just as a follow
up to Mr. McCaul's questions, a comment with respect to the
vulnerability discovered in control systems, the aurora issue
in particular.
I just wanted to mention how important Mike Assanty and
Barry Coonley, Idaho National Labs, were to this effort, very
critical to this effort. Talk about two guys thinking outside
the box and discovered this problem. They did a--as far as I am
concerned, a great service to the Nation and should be
applauded for their hard work. And I received their brief back
in January, as did the Department of Homeland Security, and
then we got the committee briefing to this as well. And again,
it did a great service to the country on this issue.
With that, the Chair now recognizes the gentlewoman from
California, Ms. Lofgren, for 5 minutes.
Ms. Lofgren. Thank you, Mr. Chairman.
Mr. Weiss, I mentioned earlier, when you were in the
audience, it is nice to see you in a room instead of on a plane
like we usually do. And I am glad that you were able to come
out and share your thoughts, which are very helpful.
In the first panel, one of my colleagues asked how much
more it would cost if the NIST standards were adopted instead
of NERC. Do you have an opinion on what that cost would be,
what the increment would be?
Mr. Weiss. The issue--it is a two-part answer. If the NERC
CIPs were to cover as comprehensive a scope as the NIST
standard, there would be no incremental cost.
The incremental cost is because, with the NERC's CIP
standards, utilities can exclude----
Ms. Lofgren. Right.
Mr. Weiss. --all kinds of equipment.
Ms. Lofgren. Well, let's assume--I mean, the defects have
been outlined by GAO and yourself in terms of scope. So let's
use that as the baseline.
Mr. Weiss. Yeah. Then the answer, there should be really no
difference, because what you are talking about is doing a
cybersecurity assessment. And if you meet what would be a good,
comprehensive cybersecurity assessment, it should be with
either one. So there really shouldn't be any incremental cost.
Ms. Lofgren. I have a question, and I guess it is for FERC
because we have struggled now with this whole cybersecurity
exposure issue for a considerable period of time; and I must
say that despite sustained interest, I am not yet convinced
that we have made the progress that we should have.
And the question is, who is going to have the
responsibility to insist? And especially--you know, it is one
thing for the Federal Government, that is not necessarily in a
lead position technologically, to come into the tech sector and
say, you have got to do this, because we probably don't know
what we are talking about.
But it is quite a different thing to insist that at least
industries that are not the tech industry use what is available
and what is identified.
And we heard earlier today that our assistant secretary
doesn't have the authority really to insist; and you are saying
you don't have the ability really to insist. I have a sense of
urgency about this, and I don't feel that sense of urgency from
the testimony.
So the question is, you know, maybe one structure would
be--and we are going to have--Mr. Garcia is going to get back
to us. But when you have an assessment here such as we have now
from NIST, and you know, I think they are widely acknowledged
as a pretty reputable and efficient organization--you know,
shouldn't we have the cybersecurity division have the ability
to go to the regulator--for example, yourself in this case--and
say, this has got to be done in this time frame for the
national security?
Mr. McClelland. The Commission does have the ability to
compel the return of a reliability standard within a
predetermined period of time. It can be within days, if such
urgency exists.
The difficulty when it involves national security issues,
which I mentioned in the opening statement, is that the process
is open and inclusive. It is participatory.
So folks are convened. They vote for a standard. They
return the standard.
Ms. Lofgren. I understand.
Mr. McClelland. The Commission then solicits comments. The
Commission goes through Notice of a Proposed Rulemaking,
considers the comments and then issues a final rule.
The cybersecurity provisions, however, were part of the
Energy Policy Act, and they are the Commission's
responsibility. With that in mind, the Commission now is
actively reviewing its options in light of its authority and in
light of recent developments.
Ms. Lofgren. Well, I guess you know I just feel some sense
of frustration because, as Mr. Weiss has outlined--and we don't
want to go into all the details here; I mean, some of these
vulnerabilities have been well known for some time. And if you
take a look at the interconnection and cascading catastrophe
that we are open to--and we haven't done anything about it; we
haven't done anything about it in 4 or 5 years. And I just
can't understand why.
And, you know, it is not something the Congress can enact
because the vulnerabilities change as the technology does to
some extent, although the stuff that we never fixed remains
vulnerable.
You know, it has really got to be done administratively,
and yet here we are just as bare as we ever were. And I just
feel--you know, how do we instill a sense of urgency here?
Mr. McClelland. The aurora issue has heightened the sense
of urgency. And, again, the Commission can compel a reliability
standard. But it cannot compel action of users, owners and
operators without a reliability--or it is not clear that the
Commission can compel action of users, owners and operators
without a reliability standard to base it on.
The process itself is open and inclusive. So, there again,
I understand your concern, and there is a tension between an
open and inclusive process.
Ms. Lofgren. Well, I wonder if--I know my time is up, Mr.
Chairman--but if you could get back to us on any suggestions
that you would make for something like this. Because you know,
we are all for openness, we are all for a process, and there is
a role for that. But I don't particularly think that the energy
sector is necessarily, you know, the leading edge on
cybersecurity.
And we have a roadmap. And aurora was spectacular. I want
to give credit to people who took action.
But there are things that Mr. Weiss has said, incidents and
things that haven't even been reported, that if you look at the
implications could be as dire or worse. They are out there, and
they have not been attended to, and I don't see any plan to
attend to them.
Mr. McClelland. We will be delighted to work with your
staff on that information. Thank you.
Ms. Lofgren. Thank you very much.
Mr. Langevin. I thank the gentlelady.
The Chair now recognizes the gentleman from Texas, Mr.
Green, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. I thank you and the
ranking member for convening this meeting.
I suppose I should say, in a sense, thank God for CNN,
because CNN has made what was clear to some transpicuously
clear to others. They brought great popularity to this issue.
And I suppose at some point we have to ask ourselves, is there
anything in that CNN report that we take issue with?
Dr. Weiss, is there anything in that report that you take
issue with?
Mr. Weiss. No, there isn't. I thought it was well done.
The other thing I thought was well done is, the real
details of the vulnerability were really not made public to
those that we don't want to know about them.
Mr. Green. Yes, sir.
Does anyone take issue with any aspect of the CNN report.
Mr. Whiteley. I certainly don't take issue with the CNN
report on its face.
I just will point out that NERC has responsibly developed
and filed with the Commission for approval CIP standards that
will expand the cybersecurity protection of critical assets, as
was exposed in the aurora videos.
Mr. Green. And Mr. McClelland?
Mr. McClelland. No, sir.
Mr. Green. Mr. McClelland, am I pronouncing that correctly,
sir?
Mr. McClelland. It is McClelland.
Mr. Green. All right. Mr. McClelland, you indicated that it
may take you a while to determine whether you need additional
authority, or ``new authority'' I think is a term that you
used. Is this correct?
Mr. McClelland. We are in the process of making those
decisions now. We are evaluating our options under our
authority in 215.
Mr. Green. Yes, sir.
Mr. McClelland. I don't know that I would say ``a while,''
Representative, but we are evaluating.
Mr. Green. In Texas, we call this ``fixin' to do''
something. And about how long will you be fixing to do this?
The CNN report causes my constituents to have a great
degree of consternation. So about how long do you think it will
take before you can announce whether you need new authority?
And if indeed you do, what new authority do you need?
Mr. McClelland. This is a difficult answer to provide, but
I will put it forward.
As a staff member of the Commission, I cannot reveal
pending Commission actions. I can say matters are under
consideration. I can say they are important to the Commission.
And I can say we are working diligently on them. But I cannot
say that the Commission will take action within some period of
time.
Mr. Green. Well, that is understandable.
I must tell you, I am appreciative that you did not use the
words, ``all deliberate speed``--for obvious reasons,
hopefully.
Let me go to the next question. You said that you need more
engineers.
Mr. McClelland. Yes, sir.
Mr. Green. You did not say how many more. So how many?
Mr. McClelland. The Commission has asked for an
additional--a supplemental request in the 2008 budget for $9
million. The $9 million would be allocated towards 55 full-time
employees. The majority of those employees would be engineers
and bulk power system experts.
There are also auditors and some lawyers in the
allocations.
Mr. Green. This will give you the number that you will
need? Or will this give you a number that will benefit you?
Mr. McClelland. The Commission's authority changed
substantially with EPAct 2005. For the first time, the
Commission had direct authority over the reliability of the
bulk power system.
That said, we are discovering--or we are now verifying, we
are documenting needs for personnel.
Mr. Green. I have to ask you--let me just say this,
sometimes when persons finish, I don't know whether they said
``yes'' or ``no.''
Mr. McClelland. I understand.
Mr. Green. May I just ask you again? And you would kindly
give me a ``yes'' or ``no''?
Will this give you the number that you need? Or will this
give you a number that will be of benefit to you?
Mr. McClelland. It will be a number of benefit, subject to
further review.
Mr. Green. Well, we will be honored to know the number that
you will need, because if there is a need, I think we want to
make sure that the need is met. Because this is critical.
Final question, Dr. Weiss--and may I call you Doctor?
Mr. Weiss. It is actually Mister.
Mr. Green. You look like a Doctor, so you are promoted
today.
Dr. Weiss has indicated that ERO should be funded by the
government. Is that what you said, Dr. Weiss?
Mr. Weiss. Yes. Yes.
Mr. Green. All right.
Let me ask you, friends, does anyone differ with Dr. Weiss
on his basic premise that the ERO should be funded by the
government?
Mr. Whiteley. NERC's position is that the present funding
mechanism, which is to take NERC's expenses and divide them
equally amongst all users of electricity in the United States
on a net-energy-for-load basis is reasonable and appropriate.
Mr. McClelland. I agree that at this time the Commission
couldn't support the proposition that the ERO should be funded
by the government. So I agree that the current funding
mechanism is acceptable.
Mr. Green. If I may, Mr. Chairman--Dr. Weiss, you will have
the last word from me, anyway.
Give the rationale for having the government fund it,
please.
Mr. Weiss. For the simple fact that if the industry funds
them, they are an industry-driven organization.
My concern, when you look at this--I mean, just the fact
that NERC sent detailed rebuttal comments to the FERC NOPR, my
view is that the ERO should be like in the nuclear world where
you have INPO, the Institute for Nuclear Power Operations, that
it should be an organization looking out for the public good,
not for the industry good. So if it were funded by the
government, not by industry, it would not be beholden to have
to come up with recommendations that meet industry needs.
That is where I was coming from.
Mr. Green. Thank you, Mr. Chairman. I owe you 1 minute and
21 seconds.
Mr. Langevin. I am calculating now. The Chair now
recognizes the gentleman from New Jersey, Mr. Pascrell, for 5
minutes.
Mr. Pascrell. Mr. Chairman, if there is any history here,
and you know history tells tales about the Federal Energy
Regulatory Commission. I know, Mr. McClelland, you are not on
board too long, but my relationship with FERC has not been a
good one. I had to drag 10 Congressmen from both sides of the
aisle down there to stop an impending move 4 years ago, 5 years
ago, which was successful, plus we all joined together in this.
And FERC could not define what its responsibilities were.
If you remember at the end of the 90s and the early part of
this century, FERC was trying to disassociate itself from any
responsibility it had in the marketplace with energy problems.
So this is not hyperbole here. I am not making this stuff up.
There was quite a clash and conflict in the Congress' ability
to have oversight of FERC, is something that we need to take a
look at another time.
So when I hear the answers to the questions and when I read
carefully your testimony, there is a lot of if's in here, and I
don't know when these things are going to be accomplished. And
I agree with the gentlelady from California that I don't see or
hear any sense of urgency.
This is critical, I think you would agree. You have a great
background, so I hope you will bring some sensibility to what I
consider an organization that has been dysfunctional for many
years. And I don't want to go into the people who were put on
there, because you don't want to hear that now.
Mr. Weiss, your testimony is quite interesting here. You
know that NERC and FERC have been talking to each other, they
have had a good relationship. We hope what will come out of
that is pretty quickly some standards that we can agree on.
And I am sure, Mr. Mcclelland, that you couldn't answer the
question for the gentleman from Texas, but you are going to go
back to your superiors, get an answer to that question and give
it to the committee if it is at all possible. I mean for you to
tell us that you can't tell this committee when you are going
to come forth with action. We didn't even ask you what the
action was. You know, I find that to be very interesting. Boy,
if that isn't political jargon down in Washington, D.C., I
don't know what is. That is unacceptable to this chairman.
Mr. Weiss, I want to ask you this, as the NERC CIP
standards, those infrastructure standards that we have talked
about here today, you said as they moved to their final
revision the focus was shifted entirely to bulk power grid
reliability.
Mr. Weiss. Yes.
Mr. Pascrell. In and of itself.
Mr. Weiss. Yes.
Mr. Pascrell. Rather than on societal welfare. That is a
powerful statement there. That is my words.
Mr. Weiss. Yes.
Mr. Pascrell. In safety from a Homeland Security or
economic perspective, the reliable operation--I think this is
an example you give of a small substation that supports a major
oil or gas pipeline in a remote local is not salient to grid
stability, but failure of same could very well have profound
adverse consequences for the health of the United States
economy. Would you explain that?
Mr. Weiss. Yes.
Mr. Pascrell. That a pretty potent statement you made.
Mr. Weiss. In fact, that was one of the two examples I
could bring. But the point is for the bulk power grid the loss
of a particular power plant or a particular substation will
have no impact, if you will, on that local power grid. But if
that particular substation or that particular power plant is
providing the power to a natural gas pumping station, I know of
one, for example, that provides about 60 percent of the natural
gas to the entire northeastern United States. But that plant is
in a sense meaningless to the local grid.
Mr. Pascrell. Right.
Mr. Weiss. But if you lose that pumping station, you have
lost all your natural gas.
Mr. Pascrell. Right.
Mr. Weiss. So what is happening is in version 3 of the NERC
CIPs, version 4 was the one that was finally accepted. In
version 3 it had, I believe, either three or four criterion.
One was bulk electric, the other was economy, and there was
also health and safety. All of those were explicitly in version
3 of the NERC CIPs and then also removed as it went to version
4.
Mr. Pascrell. Why?
Mr. Weiss. I can't explain that.
Mr. Pascrell. Well, who removed this?
Gentlemen? Mr. Whiteley, who removed them and why?
Mr. Whiteley. My understanding is that the changes that are
made through the standard drafting process are made by the
standard drafting team, which is comprised of the industry
experts in the area that is being developed into a standard.
And it was their judgment to make the revisions, whatever they
were in to from version 3 to version 4, and eventually now that
standard, recognizing that the authority that NERC has is
limited to the bulk power system and that is a very----
Mr. Pascrell. Your power is limited and FERC's power is
limited, and we are talking about societal welfare, we are
talking about the health of our community, the safety of the
community, and you take all of those out before the final
report. That to me makes no sense and we can't find out who
took it out.
Can I ask one more question?
Thank you. Why wasn't the blackout report included in the
final report, as you point out, Mr. Weiss, when we were dealing
with NERC and CIP standards? Why was that taken out, Mr. Weiss?
Mr. Weiss. I don't know.
Mr. Pascrell. That wasn't in there either. Give us some
options why was it taken out? Come on, let's get to the meat
and potatoes here. Why was it taken out? Who took it out? Give
us some ideas of why.
Mr. Weiss. I can only tell you I was not on the drafting
team. The comments that I put out, that ISA put out, were not
accepted. That is all I can say.
Mr. Pascrell. Well, we know why they weren't accepted.
Mr. Chairman, I think I have heard some interesting things
this afternoon, and I think that this committee with your
leadership and Michael's leadership and Mr. McCaul from Texas'
leadership, I think we can get to the bottom of this. I am
telling you, Mr. Chairman, nothing is going to get done if we
leave it to chance. FERC is not a responsible public entity. It
will not be until it is pushed by this Congress.
Thank you, Mr. Chairman.
Mr. Langevin. I thank the gentleman for his questions and
his comments, and I can assure you and the other members of the
committee that the ranking member and I will continue, we are
very close to this, and this is not the last hearing of its
kind on the issue of cyber security. Whether it is Aurora or
other security vulnerabilities, this is one of many where I
plan to exercise intense oversight. And I thank the gentleman
for his passion. As usual, it is great to have you back on the
committee.
The Chair now recognizes Mr. Etheridge for 5.
Mr. Etheridge. Thank you, Mr. Chairman, I am going to
follow some of that same line for just a minute in a little
different way.
In 1996, power was out across a wide range of western
States because, as I remember, a squirrel got burned out on a
transformer at a very crucial time. And then in 1998 there were
two power failures. An ice storm took out power in eastern
Canada and the United States. New Zealand lost power, as I
remember, for a couple of months due to a transmission line
failure.
2003, a blackout covered much of northeastern United
States, and that was caused by failure of a transmission line,
as I remember, in Cleveland. It sort of cascaded across a whole
host of areas. And the interconnectivity of the nature of the
grid means that a single point can have a significant impact.
So let me ask my question this way. Some of the testimony
of folks here is that the possibility of a coordinated attack
on multiple control systems can be a devastating event. Can we
all agree with that?
Mr. McClelland. Yes.
Mr. Whiteley. [Nonverbal response.]
Mr. Weiss. [Nonverbal response.]
Mr. Etheridge. Would a massive effort be required to have a
large impact.
Mr. Whiteley. Massive effort and large impact. It would be
a significant effort to attack all of those cyber assets
simultaneously. Is it hypothetically possible? I presume so.
Mr. Etheridge. Well, I raise that question because if a
squirrel can have that kind of impact, a squirrel is not very
high tech. I mean I am not trying to be funny; I am being very
deadly serious about this issue.
Mr. Whiteley. And if I can respond on the blackouts or
outages that you have talked about, in each of those cases
there is a single failure that leads back to other failures of
the system. And that is precisely why the standards that we put
forward, and many of which are now actually mandatory and
enforceable, address issues like vegetation management so that
the trees don't grow into the lines. And when there are single
points of failure that they don't cascade----
Mr. Etheridge. Okay.
Mr. Whiteley. So we are addressing them in our existing
standards.
Mr. Etheridge. Okay, I understand that. Well, how likely is
it that a single cyber attack on a control system could take
out a regional power system that then would have a major
impact?
Mr. Weiss. Let me try and answer it this way, a cyber event
can be targeting multiple systems at one time. So part of what
I am asking, I am not trying to be too much of an engineer, but
the issue is you are talking about targeting multiple entities,
and it is also a function of when you do it. If you do it
during the summer when the system is at its highest stress, and
systems are out, it won't take that many more systems to create
a larger failure. When the system isn't stressed as much, it
would take more.
Just so you know, 4 years ago I gave a presentation at the
Georgia Tech Protective Relay Conference. It was kind of a
precursor to Aurora. It was essentially laying out a scenario
that I ran by Sandia, Idaho, and PNNL as well as several other
utilities, how simply using cyber alone you could bring the
grid down for a significant time, strictly on the transmission
and distribution side. Fairly simple. Can you do it? Yes.
Mr. Etheridge. Well, that leads to the next question then,
somewhat similar. You said you can, but I guess my question is
are control systems within the distribution grid that
vulnerable to attack? And if so, what effect might that attack
have and how catastrophic could it potentially be? I think that
is important for us to have some sense of in this committee.
Mr. Whiteley. I will just add from NERC's standpoint
distribution systems are outside of our purview. However, you
are talking about very similar kinds of systems that utilities
protect in a very similar kind of manner. And if they are
protecting their transmission assets, they are also protecting
their distribution assets.
Mr. McClelland. I would like to add to that. I didn't
understand the question to be distribution assets per se, but
the wires associated with a bulk power system. Again to echo
Mr. Weiss's comment, it would depend on the unit, how large is
the generating unit that is being attacked or what is the
combination of output from those generating units, what is the
peak load on the system at the time, how sophisticated is the
adversary.
There is a level of sophistication in order to be able to
pull off a coordinated cyber attack against critical facilities
in a critical time. And then to also say, perhaps take Mr.
Whitely's comment and put that forward and put a twist on it,
the level of cyber protection that one exercises is critical.
The harder it is to penetrate someone's assets, there are
easier targets around the corner.
So if the basic level of cyber protection is elevated, if
the CIP standards are in place and the requirements are passed
as mandatory and enforced or with real penalties behind those,
one would expect the level of compliance to rise and make it
more difficult but not impossible for a sophisticated adversary
to carry out an attack against the bulk power system. So the
threat is real.
Mr. Weiss. Can I add one other point?
Mr. Etheridge. Please.
Mr. Weiss. It is the reason why I have been talking about
distribution. Distribution is normally outside the purview, but
there are two issues here. One is it is generally where money
is being spent to upgrade the systems. And so they are going
from the old, if you will, cyber dumb to very cyber alive
systems.
The second point is those distribution systems
electronically talk to transmission. In the past when you dealt
with reliability you generally dealt with each one
individually. The point about cyber is they talk to each other.
That is what is so different here, the silos don't work
anymore. So that is why market systems all of a sudden become
an issue. They talk to SCADA systems. It is why telecom is
important. It is why small facilities are important. It is, if
you will, what happened on 9/11. The hijackers that came into
Boston that boarded the plane did not board it from Boston,
they boarded it from a smaller airport. If you don't take care
of the smaller, the bigger is going to be a vehicle.
Mr. Etheridge. Thank you, Mr. Chairman. I appreciate your
indulgence. I yield back.
Mr. Langevin. I thank the gentleman and, in consultation
with the ranking member, we are going to ask each one question
before we conclude.
And with respect to the distribution system, this is a
timely question, can the panel answer this, under a future
regime after the NERC standards are adopted, NERC will be able
to regulate companies who don't comply with approved cyber
standards, but as we pointed out in the committee's comments,
NERC's definitions will exclude a lot of critical assets.
The way I read the NERC definition, the assets at issue in
the Aurora vulnerability would not be considered critical
assets. In other words, you have major vulnerability out there,
but NERC isn't going to able to regulate the mitigation efforts
of the industry even after the standards are passed.
Can the panel provide feedback on my interpretation?
Mr. Whiteley. Perhaps I can start and maybe clarify my
earlier comment, that it is certainly NERC's intention to reach
through to any part of any system that has to do ultimately
with reliability of the bulk power system. And if that means
that something that is in an individual residence somehow is
connected to the system that would threaten the bulk power
system, then certainly we would use all of our authorities that
we have to reach through and assure reliability and protection
of those assets.
So from the standpoint of distribution or not, yes, if
indeed the case is there, what the situation is is the line is
drawn between distribution and transmission and that is where
essentially the system stops the issue that may come up from
the distribution system. But if indeed there is a problem on
the distribution system, it would be our intention to use
whatever authority we have to reach those issues, those
problems, because they affect the bulk power system and that is
within our purview.
Mr. Langevin. But even if you wanted to, is NERC going to
have the ability to actually have some teeth in that regulation
or is it some other entity that has to impose it?
Mr. Whiteley. In our view, if it impacts the reliability of
the bulk power system, then we can reach it.
Mr. Langevin. Other members of the panel?
Mr. McClelland. I agree to your point about critical
assets. Again this was a major point in the Commission's notice
for proposed rulemaking. The Commission thought and expresses
and proposes therefore to direct NERC to develop a risk-based
assessment to provide guidelines to industry to help
standardize or at least put commonality in the definition of
critical based assets.
In addition, the Commission has proposed to direct NERC
that all critical assets be submitted on a regional basis. In
other words, the folks within a reliability coordinator's area
or regional entities area would have to determine what the
critical assets were, submit it to that entity, and then those
lists would be subject to the Commission's review.
So we share your concern concerning the determination of
critical assets and propose to tighten the definition of
critical assets significantly.
Mr. Langevin. Thanks. Mr. Weiss, any final thought?
Mr. Weiss. [Nonverbal response.]
Mr. Langevin. Thank you. The Chair now yields to the
ranking member.
Mr. McCaul. Thank you, Mr. Chairman. A two-part question to
the panel as a whole, the Information Sharing Analysis Centers,
or ISACs, coordination with the private sector. I think it
really pivots on the ability of the private sector wanting to
share the information. Do you believe that under current law
there are enough protections for private industry to do so? I
mean recognizing that a company is not going to want to share
the fact that they are vulnerable. They have a fiduciary duty
to their shareholders that could obviously impact the company.
Under current law, are there enough protections in place so
that they will freely share that information?
And then the second part of my question is with respect to
the Department of Defense we have a cyber warfare program. It
seems to me there is great expertise in the U.S. military in
terms of how somebody else could penetrate us; in addition, how
we would better work hopefully with the DOD to better protect
our critical infrastructure. Is that currently happening? I
know I am throwing out two questions at you, but if could you
tackle those.
Mr. Whiteley. Well, the answer to the first question is at
least it has been our experience that we are not having, we,
NERC, are not having trouble receiving information from users,
owners and operators when we ask the questions of how they are
complying with standards that are in place or gaining
information on our assessments so that we do overall
reliability, all the way through into the alerts that have been
put out. So far the history has been that we have not run into
a significant problem along those lines.
On the second part, I am not directly aware whether or not
we have engaged DOD in any kind of liaison or not. We can
certainly get back to you on that and explain what level.
Mr. McCaul. Mr. Weiss may have more expertise on that
issue.
Mr. Weiss. Let me try and answer both of the questions you
asked. The first one I would actually modify a little bit, is
there an incentive for industry to share that information? And
one of the things that is happening is there has been very
little, and that is why there has been very little of that
information shared. Like I say, my database I have got, you
know, 90 cases. There are not 90 cases, these are just control
systems. None of these are IT. You don't have 90 cases in the
ES, ISAC or any of the other ISACs. Part of it is there needs
to be the expertise with the ISACs to deal with control systems
and generally they are not there.
Like I said, the other thing is the incentive, why would an
entity want to provide that information, even if they had it,
because the other point is that a lot of these events are not
even identified or known to be cyber. It is one thing for the
light to go out, it is another for someone to realize it was
cyber for why it occurred. Let me start with that.
The second thing, dealing with DOD, I have had a little bit
of dealings, I have given a lecture at the naval post-grad
school in Monterey. It was kind of interesting because they
hadn't really been focusing on protecting cyber assets, they
were looking at attacking the cyber assets. There is a big
difference between protection and defense. What we need here is
the defense.
And the other point I want to make is our systems in the
commercial world, be they electric, chemicals, you name it, are
different than DOD. I came from that after having come from
nuclear. If you have got cyber safety-related equipment, that
is very much more expensive, very different than is used
elsewhere. So part of this is how do we get DOD working with
us, and we kind of have in the sense that right now there is an
individual who used to be on the DOD side who is now on the
regulatory side.
Mr. McCaul. It seems to me you are relying a lot on Sandia
and Idaho National Lab. We have a cyber warfare program that
knows how to attack, and it seems to me they would know best,
you know, in learning where to penetrate than equally where how
we can defend. This is in my view.
Mr. Weiss. The only reason, again, I don't mean to be
technical about this, but the systems that are used in the
commercial-industrial world are different than IT systems and
they are different than DOD systems. What DOD is used to in
terms of trying to mitigate what they would do we don't have.
And honestly if we tried to put them in, it would probably hurt
us very, very deeply in terms of how these systems can perform.
So it is not as straightforward as most people would like it to
be.
Mr. McCaul. That is insightful. Mr. McClelland?
Mr. McClelland. The current process is open and inclusive.
In order to compel entities to abide by reliability standards
they have to be developed in an open, inclusive process. There
is a conflict with national security issues. So if there is an
issue such as Aurora, there is a concern if the mitigation
measures are disclosed too fully and the information is
disclosed publicly would you have done more harm than good. If
we received mitigation plans, we send an agency mitigation plan
for specifics in order that they can audit or they can
determine compliance with a standard, will that information
then be subject to public disclosure? That is a real concern
and it is the intention of the Federal Power Act. Section 215
has worked very well for us to establish an ERO, to approve and
critique reliability standards and check some or pen some in
some cases and also to certify the regional entities to assist
the ERO. When it comes to national security issues, this is an
important subject. It is critical and it is under review, and
we will move forward on this issue.
Mr. McCaul. I thank you, Mr. Chairman.
Mr. Langevin. I thank the gentleman. Does the gentleman
from New Jersey have any final questions?
Mr. Pascrell. Yes, sir.
I want to thank the gentlemen for their patience this
afternoon. I have a question that I hope you all would respond
to. I want to talk about the 2003 northeast blackout. That
blackout was a massive power outage that occurred through parts
of the northeast and the midwestern United States and Ontario,
Canada in August of 2003, August the 14th. It was the largest
blackout in North American history. It affected 10 million
people, 10 million people in the Province of Ontario, about
one-third of the population of Canada, 40 million people in
eight States, which is about one-seventh of the total
population. This is pretty big. In the end the outage-related
financial losses were estimated at a staggering $6 billion.
My question to all the witnesses is this, really two
questions. Have we learned all the lessons about our
vulnerability from that blackout? And part B, do the proposed
NERC regulations properly take into account those lessons?
Why don't we start with Mr. Weiss and go to Mr. Whiteley
and to Mr. McClelland?
Mr. Weiss. The NERC or, excuse me, the northeast blackout
report, 13 of the 46 recommendations in that report were cyber.
At least a couple of them were explicitly excluded from the
NERC CIPs.
Mr. Pascrell. Right.
Mr. Weiss. Wire line, et cetera. I cannot tell you why. I
can tell you we certainly knew about it. I can also tell you
the day of the northeast outage was also contemporary with it
was the Blaster worm and that there was or were other
facilities not in the northeast that had cyber events that day.
You won't find that in the northeast blackout report because
they weren't in the northeast.
So the issue is have we learned? I don't believe so.
Mr. Pascrell. Thank you. Mr. Whiteley?
Mr. Whiteley. I will address both parts. First, I would
respectfully disagree with Mr. Weiss' connotation that the
northeast blackout report recommendations on cyber security
were not included in the CIP standards. I would be happy to get
back with you on our analysis of those CIP standards and the
fact that they addressed every one of the blackout
recommendations.
As to the other standards that we have in place, each one
of the standards, if followed on that day, would have resulted
in nothing more than a single line outage in northeast Ohio and
not a cascading outage. So I think the evidence is clear that
our reliability standards, as they have been passed, once the
industry follows them and we believe the industry is following
them to the greatest extent, will result in a more reliable
system than we had back in 2003, and yes, we have learned a lot
from the 2003 blackout and we have taken a lot of action since
that time.
Mr. Pascrell. Thank you. Mr. McClelland.
Mr. McClelland. If you mean by the question are we finished
or is it impossible for another blackout like this to happen,
will it not be prevented? The answer is no. The standards are
based on a continuing improvement process. The Commission's
responsibility is to review those standards and call for
modifications or reject the standards where the standards are
not adequate.
As an example, NERC submitted 107 reliable standards to the
Commission for approval. If things were perfect and everything
was done we would have accepted 107 standards. The Commission
approved 83 of those standards and called for major or
significant modifications to 56 of the 83 standards we
approved.
In addition, prior to June 18th, 2007--the standards became
mandatory and enforceable on June 18th, 2007. Prior to that
time there was a period of self-reporting where entities would
say, I am not in compliance with these standards, I have got
some problems, some or most of those problems may be
characterized as potentially having low impact to the bulk
power system, but some would have a high impact to the bulk
power system and be on a parallel with the incident that caused
the 2003 blackout.
The Commission is aware that over 4,000 self-reported
violations have been reported to NERC, and the Commission is
expecting mitigation plans to be submitted to correct those
self-reported violations. The process is not done, blackouts
can still occur. There has been substantial and significant
progress by the industry to try to prevent another occurrence,
but much work remains to be done.
Mr. Pascrell. Thank you. Thank you, Mr. Chairman.
Mr. Langevin. I thank the gentlemen. I want to thank the
panel for their testimony and the answers you provided to the
questions. I thought this was very productive. I thought your
answers were very insightful. It has certainly given us a lot
to think about. Clearly, there is much work to be done and we
look forward to continued oversight in this area and continued
efforts of working with you, but you have been very helpful and
I do appreciate your testimony.
Again, I thank the witnesses for the valuable testimony and
the members for the questions. The members of the subcommittee
may have additional questions for the witnesses, and we ask
that you respond as expeditiously in writing to those
questions.
Hearing no further business, the subcommittee stands
adjourned.
[Whereupon, at 5:30 p.m., the subcommittee was adjourned.]
Appendix I: Letter from David Whiteley
COMMITTEE ON HOMELAND SECURITY
House of Representatives,
Subcommittee on Emerging Threats, Cybersecurity,
and Science and Technology
Washington, DC, December 12, 2007
Hon. James R. Langevin:
Chairman, Committee on Homeland Security, U.S. House of
Representatives, Washington, D.C. 20515
Dear Mr . Chairman: In the questions for the record you
submitted to NERC following the Subcommittee's October 17,
hearing, you asked, ``What were the results of the August 2007
NERC survey sent to owners and operators regarding the status
of the sector's implementation of the Aurora mitigation
efforts?'' I am writing to correct any misimpression that my
November 20 response may have given regarding the timing of the
written survey.
My answer to your question did not make clear that the
survey of owners and operators regarding the implementation of
mitigation measures was sent in October 2007, not in august
2007 as indicated in your question. The response provided a
narrative discussion of the results of the October survey. As
you requested, a copy of the survey itself, dated October 19,
2007, was included with my response.
I recognize that the way the response was written may
inadvertently appear to confirm that the survey was sent in
August. Enclosed is an amended copy of the response to Question
No. 1 that clarifies the timing of the written survey. I would
be grateful if this material could be substituted for my
November 20 response to No. 1 in the written hearing record.
I apologize for any inconvenience this may have caused.
Sincerely.
David A. Whiteley,
Executive Vice President
APPENDIX II: Additional Questions and Responses
----------
Questions from the Honorable James R. Langevin, Chairman, Subcommittee
on Emerging threats, Cybersecurity, and Science and Technology
Responses from Mr. Greg Garcia
Question 1.: What percentage of electric sector owners and
operators do you believe implemented the Aurora recommendations issued
by NERC?
Response: The Electric Sector Information Sharing and Analysis
Center (ES-ISAC) distributed the advisory to 3,000 electric utilities.
As part of individual corporate risk management and critical
infrastructure protection planning efforts, Electric Sector owners and
operators consider known vulnerabilities and identify and implement
mitigation activities to address them. It is the responsibility of
owners and operators to implement the recommendations issued by the
North American Electric Reliability Corporation. The Department of
Homeland Security (DHS) is working with the Electric Sector, the
Department of Energy (DOE), and the Federal Energy Regulatory
Commission (FERC) to raise awareness and promote implementation of the
recommendations. DHS is also working with DOE and FERC to determine
what actions the private sector has implemented.
Question 2.: If a cyber exploit of the Aurora vulnerability is
imminent, how will the Electric Sector ISAC or the Department of
Homeland Security ensure the immediate implementation of mitigation
efforts?
Response: Under the National Infrastructure Protection Plan (NIPP)
Partnership Framework, public--and private-sector security partners
collaborate on national critical infrastructure protection. The
Department of Homeland Security (DHS) currently has several mechanisms
in place to communicate with vendors, owners, and operators to
facilitate information sharing about exploits and vulnerabilities, as
well as incident management and appropriate mitigation efforts. For
example, the United States Computer Emergency Readiness Team National
Cyber Alert System facilitates information sharing about
vulnerabilities to a broad audience; the Control Systems Cyber Security
Vendors' Forum meets monthly to discuss emerging issues affecting
control systems security; and DHS works directly with the control
systems stakeholder community to exchange information by leveraging the
Protected Critical Infrastructure Information program, which safeguards
sensitive information shared by industry with the government.
In the case of the Aurora vulnerability, DHS worked with the
private sector through the NIPP Framework to alert the control systems
community. Federal agency partners worked with industry technical
experts to assess the vulnerability and to develop sector-specific
mitigation plans. The jointly developed mitigation guidance allowed
owners and operators within the affected sectors to take deliberate and
decisive actions to reduce significantly the risk associated with this
vulnerability.
Question 3.: How many program managers have been in charge of the
Control Systems Security Program in the last 3 years? What was the FY
2007 budget? Who is in charge of this program, and what grade is that
person?
Response: Four individuals have served as the National Cyber
Security Division (NCSD) Control Systems Security Program Director
since May 2004. The Program Director position, within Cybersecurity and
Communications at NPPD, is currently vacant and posted at the GS-15
level. In the interim, Cheri McGuire, GS-15, is serving as the Acting
Control Systems Security Program Director.
The FY07 budget for the NCSD Control Systems Security Program was
$9.3 million.
How has your office developed a process to formalize and improve
information sharing regarding control system vulnerabilities with
critical infrastructure owners and operators?
Response: The Department of Homeland Security (DHS) coordinates
efforts among Federal, State, and local governments, as well as control
systems owners, operators, and vendors, to improve control systems
security within and across all critical infrastructure sectors by
reducing cyber security vulnerabilities. DHS has developed a process to
formalize the sharing of sensitive information related to control
systems vulnerabilities. This process describes the information flow
from vulnerability discovery to validation, public and private
coordination, and outreach and awareness, and also identifies the
deliverables and outcomes expected at each step in the process.
The process includes existing entities across the public and
private sectors, such as the Federal Control Systems Security Working
Group, the Process Control Systems Forum, Sector Specific Agencies,
Government Coordinating Councils and Sector Coordinating Councils, the
United States Computer Emergency Readiness Team (US-CERT), and
Information Sharing and Analysis Centers. It also builds on established
DHS practices and procedures for the identification, validation,
coordination, and communication of vulnerabilities across the critical
infrastructure and key resources (CI-KR) spectrum.
As part of this process, DHS uses three primary mechanisms to
communicate vulnerability information about control systems to various
stakeholders:
1. US-CERT shares information about vulnerabilities via several
products. These products include Vulnerability Notes, which are
released on a regular basis, and the Quarterly Report on Cyber
Vulnerabilities of Potential Risk to Control Systems, which
includes more detailed analyses of cyber vulnerabilities that
may impact control systems.
2. DHS partners with vendors, owners, and operators to perform
vulnerability assessments of selected systems to identify cyber
vulnerabilities based on emerging exploits and works with
industry to develop mitigation strategies. DHS also works with
control systems vendors, owners, and operators as they share
sensitive information through the Protected Critical
Infrastructure Information program so that private-sector
vulnerability data may be appropriately safeguarded.
3. DHS facilitates information sharing among control systems
vendors through its sponsorship of the Control Systems Cyber
Security Vendors' Forum established in 2006. The Forum holds
monthly meetings at which control systems vendors share
information and discuss emerging issues affecting control
systems security. The Forum has served as a basis for building
a trusted information sharing community and comprises more than
90 percent of the vendors who manufacture and provide support
services to the CI-KR control systems market in the U.S.
Are all government-owned assets compliant with NIST 800-53 as
applied to control systems?
Response: Under the Federal Information Security Management Act,
all Federal agencies must meet minimum security requirements for
information and information systems in accordance with National
Institute of Standards and Technology (NIST) Special Publication 800-
53, Recommended Security Controls for Federal Information Systems, as
amended. NIST 800-53 is currently undergoing revisions to include
security guidelines specific to control systems. Federal agencies have
up to one year from the date of final publication to fully comply. DHS
is working closely with NIST on these revisions.
Question 4.: According to the GAO, DHS has 13 different initiatives
focused on securing control systems. The Department of Energy, the
Federal Energy Regulatory Commission (FERC), and the National Institute
of Standards and Technology (NIST) also have initiatives in this field.
In 2004, the GAO recommended DHS create an overall strategy to
coordinate various control systems activities across federal agencies
and the private sector. Please provide a copy of this strategy.
Response: To reduce cyber risks to control systems within and
across all critical infrastructure sectors, the Department of Homeland
Security (DHS) coordinates efforts among Federal, State, local, and
tribal governments, as well as control system owners, operators, and
vendors. Coordinating efforts to secure control systems is paramount to
an effective protective posture for all critical infrastructure and key
resources.
DHS is working with its partners to baseline activities to serve as
the foundation for developing a comprehensive strategy that will
encompass the public and private sectors, set a vision to secure
control systems, describe roles and responsibilities, and identify
future requirements for resources and actions.
The Department has developed a timeline to complete this action
building on work that has already been completed. In the first quarter
of Fiscal Year 2008, a draft of the Federal sector portion of the
strategy will be released for review by government stakeholders. In
cooperation with the Partnership for Critical Infrastructure Security,
the private industry component will be integrated into the strategy,
with a draft available for review in the third quarter of FY 2008.
After the review and comment period is completed, a final comprehensive
strategy will be released in the first quarter of FY 2009.
Question 5.: How is the Science and Technology control systems
program--Project LOGIIC--being used to help mitigate vulnerabilities in
the control systems of the oil and gas sector?
Response: LOGIIC is a collaborative forum for government and
industry to focus on cyber security issues for the oil and gas
industry. Infrastructure owner and operator needs determine projects,
which are supported by both government and independent experts.
Projects examine needs and solutions for correlating and analyzing
abnormal events to provide indications and warnings of cyber security
threats. LOGIIC enables informed response to threats by taking
corrective action. LOGIIC's goal is to achieve the ability to correlate
abnormal events from the process control network and its interfaces to
the business network with alerts from sources on the business network
(intrusion detection systems, firewalls, etc.).
LOGIIC is helping to mitigate vulnerabilities by identifying and
adapting new types of security sensors for process control networks,
adapting a best-of-breed correlation engine to this environment, and
integrating and demonstrating the technology suite in a test bed
environment.
Question 6.: Did the Multi-State Information Sharing and Analysis
Center (MS-ISAC) receive any more un-obligated funds for FY 2008?
Response: Yes, the Multi-State Information Sharing and Analysis
Center (MS-ISAC) received funding using the available Fiscal Year 2007
carryover funds in the amount of approximately $1.4 million.
The MS-ISAC procurement was not awarded by the end of FY 2007
(September 30, 2007). DHS initiated a replacement procurement action
that used both the committed $974,849.72 of FY 2007 funds and an
additional $465,976.03 of FY 2007 carryover funds that had not been
obligated by the close of FY 2007. FY 2007 carryover funds for cyber
security are available for obligation until September 30, 2008, as
stipulated in the DHS Appropriations Act of 2007 (H.R. 5441).
Questions from the Honorable Michael McCaul, Ranking Member,
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology
Question 7.: I understand there is a hardware device that can be
used in conjunction with other proposed mitigations that is currently
being developed by engineers out at Idaho National Labs. I have been
told that currently only one vendor is marketing a hardware fix despite
there being multiple vendors that sell this sort of equipment. What in
your opinion is preventing other vendors from moving forward with this
mitigation device? Similarly has the department engaged in any
discussion of the use of its authorities granted under the Defense
Production Act to ensure that those government customers that need
these devices are accommodated?
Response: Battelle Energy Alliance (BEA), the contractor
responsible for operating the Department of Energy (DOE) Idaho National
Laboratory (INL) and owner of INL intellectual property, has filed an
application with the US Patent and Trademark Office for a method to
mitigate the Aurora vulnerability. Multiple vendors have expressed
interest in licensing the technology from INL. The technology transfer
process conforms to standards for all DOE National Laboratories.
Regarding the Defense Production Act (DPA), the Department of
Homeland Security has assessed the use of the DPA as a potential avenue
for ensuring that certain technologies are developed and produced to
meet national defense needs, including critical infrastructure
protection needs; however, at this time the technology necessary to
mitigate the threat related to control systems security is available to
customers. A shortage in supply would drive further exploration of the
use of the DPA.
Installing a hardware device with technology licensed from the BEA-
pending patent can provide critical infrastructure and key resource
asset owners and operators with endpoint security. The sector-specific
mitigation plans, however, are based on industry best practices and
contribute to comprehensive risk reduction from cyber security
vulnerabilities to control systems.
Question 8.: In Mr. Roxey's testimony he mentioned the need for
technical experts to be engaged from the very start. Since the
engineers at Idaho National Labs discovered this vulnerability have
they been involved in developing the mitigations and briefing the
private sector?
Response: Yes. Technical experts, including experts from the
National Laboratories, supported efforts undertaken by the Sector
Coordinating Councils, Information Sharing and Analysis Centers, and
the Sector Specific Agencies to develop mitigation plans and provided
briefings to critical infrastructure and key resource owners and
operators on the control systems vulnerability. The Department of
Energy National Laboratories, including the Idaho National Laboratory,
provide subject-matter expertise to the Department of Homeland Security
to improve control systems security.
Question 9.: What is the action plan to minimize overlapping
efforts at DHS?
Response: The Department of Homeland Security coordinates efforts
among a variety of stakeholders from both the public and private
sectors to secure control systems. To prioritize activities and
minimize overlapping of efforts, the Department is working with its
partners to baseline activities to serve as the foundation for
developing a comprehensive strategy that will encompass the public and
private sectors, set a vision to secure control systems, describe roles
and responsibilities, and identify future requirements for resources
and actions.
Question 10.: What is being done to utilize private sector
companies that have significant process control and SCADA cyber
security experience to assist in the area of critical infrastructure
cyber security protection?
Response: Recognizing the expertise the private sector has to
offer, the Department of Homeland Security (DHS) sponsors a number of
groups to foster close collaboration and information sharing among the
control systems stakeholder community. The Cross Sector Cyber Security
Working Group (CSCSWG), which was established in May 2007 by DHS and
the Partnership for Critical Infrastructure Security, brings together
government and private-sector cyber security experts to address
systemic cyber risk collaboratively across the critical infrastructure
and key resource sectors. The CSCSWG facilitates the sharing of
information across the sectors about cyber security issues, such as
common vulnerabilities and protective measures, as well as the policy
implications of cross-sector cyber dependencies and interdependencies.
Public and private sector representatives from all 17 sectors
participate in the CSCSWG.
The Process Control Systems Forum (PCSF) is one of three standing
groups under the CSCSWG that provide monthly updates on their work so
that CSCSWG members can benefit from or engage in activities as
appropriate. The PCSF was established to accelerate the design,
development, and deployment of more secure control systems. It is the
Department's primary vehicle for engaging with the private sector on
control systems security and includes a variety of stakeholders
including government, academia, owners and operators, systems
integrators, and vendors. More than 200 people attended the PCSF's most
recent annual meeting, at which the control systems stakeholder
community gathered to discuss cyber security challenges and issues,
deliver training resources, and provide technical subject matter
expertise.
PCSF's Control Systems Cyber Security Vendors' Forum facilitates
communication in a trusted environment between industrial automation
and equipment suppliers and control system service providers. The Forum
consists of 50 members from 27 domestic and international companies
comprising 90 percent of the market share providing service to all 17
critical infrastructure sectors. Recent collaboration occurred earlier
this year when members of the Vendors' Forum worked together to address
the potential effects on control systems caused by the date change in
the Daylight Saving Time (DST) standard. The change in DST impacted
control systems in more than 19 countries. The control systems
community recognized the importance of this issue and worked with the
U.S. Computer Emergency Readiness Team (US-CERT) to develop a Technical
Information Paper, ``Daylight Saving Time Changes for 2007.'' This
guidance to industry on mitigation measures was downloaded from the US-
CERT website more than 500 times between April and July 2007.
DHS is also working with the Multi-State Information Sharing and
Analysis Center (MS-ISAC), the SANS Institute, the Department of Energy
Idaho National Laboratory, and representatives from government and
industry on the SCADA Procurement Project. The Procurement Project
seeks to develop common procurement language that owners and regulators
can incorporate into contracting mechanisms to ensure the control
systems they are buying or maintaining have the best available
security. The long-term goal is to raise the level of control systems
security through the application of robust procurement requirements.
The Procurement Project has received very positive feedback from users,
and the document has averaged more than 450 downloads per month from
the MS-ISAC website where it was posted in January 2007.
DHS will continue to work closely with public--and private-sector
security partners through the CSCSWG and PCSF to coordinate our
activities and develop a National Strategy to Secure Control Systems.
Question 11.: What is being done to coordinate a standard control
system cyber security policy across each of the 17 Sector Specific
Plans (SSP) defined by DHS?
Response: Under the National Infrastructure Protection Plan Risk
Management Framework, all sectors must address the physical, cyber, and
human elements of infrastructure in their preparedness and protection
efforts. Securing control systems is part of the sectors' efforts to
secure their cyber infrastructure. In support of the cross-sector cyber
responsibility, the National Cyber Security Division is working closely
with the Office of Infrastructure Protection (IP), the Sector Specific
Agencies (SSAs), and other security partners to develop guidance and
approaches to reduce cyber risk and integrate cyber security into the
critical infrastructure and key resource (CI-KR) sectors' protection
and preparedness efforts.
During the Sector-Specific Plan (SSP) development process, the
Department of Homeland Security (DHS) provided cyber expertise to the
sectors, including reviews of draft SSPs and participation in sector-
specific cyber security meetings. Specifically, as sectors were
developing their SSPs, DHS developed and provided information to SSAs
on resources for cyber security practices and protective programs that
are applicable across all sectors, as well as some that are more
focused on individual sectors, to help identify cyber security-related
protective programs. For each protective program, a brief description
with the specific activities they supported within the preparedness
spectrum was provided. DHS also developed information on cyber research
and development (R&D) requirements and priorities to help SSAs identify
cyber-related R&D priorities. DHS provided a description of Federal
organizations that support cyber R&D and several references to R&D
documents that outline specific cyber security initiatives. DHS also
offered to work directly with any sector that requested assistance and
worked with responding sectors to develop and review cyber security
content for the SSPs. These resources identified control systems cyber
security where appropriate.
DHS also developed a comprehensive SSP Cyber Guidance Checklist,
which provided sectors with a framework for integrating cyber security
throughout each section of their SSPs. The checklist complemented DHS'
2006 CI-KR Protection SSP Guidance developed by OIP and was intended to
provide a starting point for SSAs as they integrated cyber into their
SSPs. The checklist included an outline and guidance for the
development of cyber content for the SSPs. DHS shared the checklist in
IP-sponsored technical assistance sessions with SSAs to provide
expertise and answer questions regarding the inclusion of cyber
security in the SSPs. DHS personnel also met individually with those
SSA representatives who expressed an interest in determining approaches
for incorporating cyber security into their SSPs and sector risk
management efforts.
DHS will continue to work with the SSAs as the 17 CI-KR SSPs are
updated in the future and will provide additional guidance on cyber
security-related goals, security partners, risk assessment approaches,
protective programs, R&D priorities, and measures. These materials will
continue to include control systems security and will help to ensure
that sectors address control systems security in a consistent manner
across the 17 CI-KR SSPs.
Question 12.: Are there any plans to increase the reach of the
cyber security language in DHS 6 CFR Part 27, Section 550 for the
chemical industry? If so what is anticipated and if not, why not?
Response: The Department of Homeland Security (DHS) does not intend
to change any of the regulatory language contained in the Chemical
Facility Anti-Terrorism Standard (6 CFR Part 27) regarding cyber
security. Section 27.230(a)(8) makes cyber security a performance
standard for high-risk chemical facilities. DHS is in the process of
developing guidance to help high-risk chemical facilities identify and
implement cyber security measures that may be appropriate given their
unique circumstances and levels of risk. This guidance document, which
is currently under development, will provide guidance on all of the
risk-based performance standards established in 6 CFR Part 27. Some of
the cyber security areas that will be addressed in the guidance
document include cyber security policy, access control, personnel
security, awareness and training, monitoring and incident response,
disaster recovery and business continuity, system development and
acquisition, configuration management, and audits.
Question 13.: What is the DHS going to do in order to drive
collaboration and cooperation between the public sector and private
sector?
Response: The National Infrastructure Protection Plan (NIPP)
Partnership Framework supports the establishment and maintenance of
Sector Coordinating Councils (SCCs) that enable private-sector owners
and operators to interact on a wide range of sector-specific
strategies, policies, activities, and issues. SCCs serve as principal
sector policy coordination and planning entities. Sectors also rely on
Information Sharing and Analysis Centers (ISACs), which provide
operational and tactical capabilities for information sharing and, in
some cases, support for incident response activities. The ISACs, as
well as other information sharing mechanisms, provide a means for the
government and private sector to exchange information. In addition to
the SCCs, the NIPP Partnership Framework enables sectors to establish
and maintain Government Coordinating Councils (GCCs) comprising
representatives across various levels of government (i.e., Federal,
State, local, or tribal) so sector-specific strategies, activities,
policy, and communications can be coordinated. SCCs and GCCs meet
jointly to discuss sector activities, shape priorities for the future,
and collaboratively develop and review critical infrastructure
protection planning documentation.
The Cross Sector Cyber Security Working Group (CSCSWG) facilitates
collaboration and coordination between government and private sector
security partners with cyber security expertise from each of the 17
critical infrastructure and key resource (CI-KR) sectors on cross-
cutting cyber issues. The CSCSWG, which held its inaugural meeting on
May 30, 2007, meets monthly and includes more than 90 representatives
from the SCCs and GCCs of the 17 CI-KR sectors.
The Department of Homeland Security coordinates efforts among
government and private-sector members of the control systems community
to improve security within and across all critical infrastructure
sectors by reducing cyber security vulnerabilities. This coordination
includes enhancing public-private partnerships through the Process
Control Systems Forum and the Partnership for Critical Infrastructure
Security, as well as using a process to formalize the sharing of
sensitive information related to control systems vulnerabilities.
Questions from the Honorable Paul Broun, Jr., a Representative in
Congress from the State of Georgia
Question 14.: How is the Department facilitating long term
mitigation efforts with vendors of control systems? What sort of
contact does the Department have with the manufacturers of these
devices?
Response: Assessing technologies is one of the Department's core
long-term efforts and assists in identifying vulnerabilities,
developing mitigation strategies, and sharing information to reduce
risk to the Nation's critical infrastructure and key resources. The
Department performs vulnerability assessments of selected vendor
systems to identify cyber vulnerabilities based on emerging
exploitations. This effort is accomplished by leveraging the
infrastructure and test beds of Department of Energy National
Laboratories, vendor facilities, and other existing end user
facilities.
To date, the Department has completed eight control systems
vulnerability assessments in cooperation with control systems vendors
who provide the hardware, software, and training necessary to run the
control system. Based largely on the results of these assessments,
vendors have developed system patches, reconfigured system
architectures, and built enhanced systems. The results of the vendor
assessments have also helped inform other Federal control systems
efforts, such as developing a self assessment tool for industry owners
and operators to further reduce cyber risk associated with control
systems. In addition, the Department has provided owners and operators
with strategies for mitigating existing system security risks.
The Department sponsors the Process Control Systems Forum (PCSF), a
public-private partnership which leverages the experience,
capabilities, and contributions of international stakeholders from
government; academia; industry users, owner/operators, and systems
integrators; and the vendor community through meetings and working
groups to develop and adopt common architectures, protocols, and
practices. The PCSF's Control Systems Cyber Security Vendors' Forum
facilitates communication in a trusted environment between industrial
automation and equipment suppliers and control system service
providers. The Vendors' Forum comprises 50 active members from 27
global manufacturers representing 90 percent of the control systems
marketplace.
Question from the Honorable James R. Langevin, Chairman, Subcommittee
on Emerging Threats, Cybersecurity and Science
Response from Joseph McClelland
Question 1.: It is my understanding that many security managers in
the industry were interested in submitting comments to the FERC
rulemaking on critical infrastructure protection, but felt that they
could not do so for fear of retribution by their own management. Is
this a problem, and if so, what is FERC doing to allow for anonymous
comments for future rulemakings?
Response: In a rulemaking proceeding, the Commission's ex parte
rules do not apply. Thus, a person wishing to remain anonymous could
informally talk to Commission staff about his or her concerns without
having to formally intervene and identify his or her name. Staff could
pursue the concerns raised to the extent warranted. However, the
Commission's Rules of Procedure require that a filing submitted to the
Commission identify the name of the person making the filing. I believe
that is appropriate as the public process of a rulemaking should
include the willingness of formal commenters to identify their name in
their comments.
Questions from the Honorable Michael T. McCaul, Ranking Member,
Subcommittee on Emerging Threats, Cybersecurity , and Science
Question 2.: Why does the Notice of Proposed Rulemaking posted by
NERC ignore for now the major infrastructure dependencies on the bulk
power system? Should not every responsible entity be held to the same
standards for securing critical assets?
Response: Section 215 of the Federal Power Act (FPA) authorizes the
Commission to approve reliability standards that ``provide for the
reliable operation of the bulk power system,'' which the statute
defines as the facilities and control systems necessary for operation
of an interconnected electric energy transmission network and the
electric energy need to maintain transmission system reliability. The
Commission's authority under FPA section 215 does not extend to other
infrastructure such as natural gas pipelines, oil pipelines, or
railways, although such infrastructure can have a significant impact on
the bulk power system.
Question 3.: As director of reliability do you support
strengthening security and the SCADA control systems? With regard to
the comments that FERC has received thus far on the CIP standards how
do you see the regulations being promulgated?
Response: Yes, I do support strengthening security and control
systems. Historically, control systems have been built with a focus on
operations, with little or no focus on security, as many
infrastructures have not been viewed as targets in the past. At the
same time, these control systems are migrating towards the standard IT
platforms and internet communications, making them even more vulnerable
to attack by increasing the connectivity to the outside world. Pursuant
to its authority and responsibilities, the Commission is in the process
of analyzing public comments and evaluating the Notice of Proposed
Rulemaking (NOPR) in light of those comments. The comments of the House
Subcommittee on Emerging Threats, Cybersecurity and Science and
Technology are among those being considered. The NOPR proposed dozens
of significant modifications to the CIP standards to make them stronger
and more effective, thereby increasing security of SCADA control
systems. They addressed, among other things, increased oversight of the
implementation of the CIP standards, controls on the discretion
exercised by responsible entities, and increased penalty levels for
failure to comply with the CIP standards. I can assure you that the
final rule will be based on a careful consideration of all comments
submitted.
Question 4: Please describe what authority FERC currently has in
the area of cyber security. Do you think the Commission should have the
authority to modify a NERC standard?
Response: Pursuant to section 215(d) of the FPA, the Commission is
authorized to approve a reliability standard developed by the North
American Electric Reliability Corporation or NERC, the Commission-
certified electric reliability organization. Section 215 of the FPA
defines ``reliability standard'' to include ``requirements for the
operation of existing bulk-power system facilities, including
cybersecurity protection. . .'' Thus, section 215 explicitly allows for
the development of reliability standards that relate to cyber security.
Pursuant to section 215(d)(3) of the FPA, the Commission has authority
to order compliance with a reliability standard and may impose
penalties for non-compliance.
As you are aware, NERC submitted to the Commission eight proposed
reliability standards, referred to as the ``CIP'' standards, which
would require certain users, owners and operators of the nation's bulk
power system to comply with specific requirements to safeguard critical
cyber assets. In July 2007, the Commission issued a notice of proposed
rulemaking that proposes to approve the proposed CIP standards. The
NOPR also proposes to direct NERC to develop modifications to the
proposed reliability standards to address specific concerns identified
by the Commission. The Commission received public comment on the NOPR
in October 2007 and intends to issue a final rule in a timely manner.
If the Commission, in the final rule, approves the reliability
standards as proposed in the NOPR, they will become mandatory and
enforceable. The Commission would then have authority to order
compliance with the CIP standards and impose penalties for non-
compliance with the cyber security requirements. It is important to
understand that NERC has proposed an implementation plan that would
require that entities begin compliance no earlier than mid-2009, with
full compliance being achieved by the end of 2010. NERC represents that
the long lead time is necessary to achieve compliance with many of the
requirements of the proposed reliability standards; the NOPR proposed
to approve NERC's implementation plan.
You also ask whether the Commission should have the authority to
modify a NERC reliability standard. Section 215(d) of the FPA provides
that the electric reliability organization, NERC, will develop proposed
reliability standards and submit the standards to the Commission. The
Commission has the options of approving or remanding a reliability
standard. The Commission, however, does not have authority to develop a
reliability standard on its own. Likewise, while section 215(d)(5) of
the FPA authorizes the Commission to order the electric reliability
organization to submit to the Commission a new or modified reliability
standard to address a specific matter, the Commission does not have
authority to independently authorize or modify a standard. While this
is a significant limitation of the use of the section 215 process, The
Commission has not yet reached the conclusion that legislation is
needed at this time.
Question 5.: How will you oversee and ensure the security process
goes forward? How will you work with the industry to ensure that
security risks are addressed?
Response Once Commission-approved CIP standards are in place,
Commission staff will participate in the audit of entities to determine
the security posture of the industry. Commission staff also will work
with NERC to continue to improve the CIP standards, requiring
modifications to existing standards and new standards as appropriate.
In addition, we will monitor and evaluate the number and types of
assets that are being protected as critical assets. We will closely
follow the standard development efforts that NIST and ISA are leading.
In addition, the Commission proposed in the NOPR to require NERC to
seek and consider comments from federal entities, such as Tennessee
Valley Authority, that are subject to both the NIST standards and CIP
standards to assist NERC in determining which elements of the NIST
standards may be more advantageous to protect the Bulk Power System so
that NERC may consider including such provisions into the CIP
standards.
Question 6.: Does the Commission have enough resources to promote
reliability and protection from cybersecurity threats?
Response: Based on our workload projections, the Commission is
seeking to add more engineers and personnel with bulk power system
experience, including cyber security and control system expertise.
Thus, in June 2007, Chairman Kelliher wrote to the Chairmen and Ranking
Members of the House and Senate Appropriations Committees, seeking an
additional $9 million for our reliability work in fiscal year 2008.
This would provide for an additional 55 Full-Time Equivalents (FTEs) to
support the Commission's reliability program. These FTEs would consist
primarily of electrical engineers, power system experts, auditors and
lawyers. The Commission's Chairman also asked for authorization to hire
electrical engineers non-competitively up to the GS-15 level, and to
hire six additional executive senior level (SL) staff in support of its
reliability program. As you may know, the Commission is a self-
supporting agency and would recover the additional appropriations
through fees and annual charges, as it does all of its costs, and will
operate at no net cost to the taxpayer. I encourage you to support
these requests by the Commission.
Question 7.: NERC said there has been 100% compliance with its
action alert on cybersecurity. Does the Commission agree?
Response: The Commission has no information on whether there has
been 100% compliance with NERC's action alert. To determine the level
of compliance and the effectiveness of such compliance, the Commission
intends to issue an order directing submission of certain cyber
security information from each generator owner and operator and
transmission owner and operator in the United States registered by
NERC. As a first step toward that end, the Commission, in an October
23, 2007 letter, informed the Office of Management and Budget (OMB) of
the Commission's intended action, and requested OMB's emergency
approval of the Commission's information collection request. This
emergency approval, if granted, would expedite the OMB approval
process, which in ordinary circumstances allows a sixty-day comment
period on the proposed information collection before OMB approval. OMB
has not acted on the Commission's request at this time.
NERC, following the Subcommittee's October 17, 2007 hearing, issued
a survey regarding mitigation efforts, with responses due on November
2, 2007. Although we support NERC taking the actions it believes are
necessary as ES-ISAC, we do not believe NERC's survey provides
sufficient information for the Commission to determine whether further
action is appropriate. For example, it does not provide information on
what facilities are the subject of the mitigation plans, what steps to
mitigate the cyber vulnerability are being taken, when those steps are
planned to be taken, and, if certain actions are not being taken, why
not. Nor is it clear that NERC has received a complete set of responses
to its data request. Thus, it is important for the Commission to issue
an order seeking information that would supplement NERC's action and
provide more detailed information on which to assess the status of
mitigation efforts.
If the OMB authorizes the Commission to collect this information,
the Commission intends to issue the order and direct the submission of
this information to NERC. Following Commission review of the
information, the Commission will determine whether further action is
necessary or appropriate. For example, the Commission may consider
adopting an order that requires, pursuant to section 215 of the FPA,
the expedited development of a reliability standard to ensure that
mitigation measures are promptly and effectively implemented. However,
Commission review of this information may also indicate that no further
action is necessary or appropriate.
Question 8.: How will FERC ensure the implementation of higher
standards for cyber security? Will you investigate the mitigation
efforts performed by owners and operators of the Aurora issue?
Response: Please see responses to questions 5 and 7.
Questions from the Honorable Paul Broun, Jr., a Representative in
Congress from the State of Georgia
Question 9.: Please describe what authority FERC currently has in
the area of cyber security. Do you think the Commission should have the
authority to modify a NERC standard? How will you oversee and ensure
the security process goes forward? How will you work with the industry
to ensure that security risks are addressed? Does the Commission have
enough resources to promote reliability and protection from
cybersecurity threats?
Response: Please see responses to questions 4, 5 and 7.
Question 10.: Can you describe the role that FERC is taking while
working with the Department of Energy and the Department of Homeland
Security?
Response: The Commission has been collaborating with both DHS and
DOE as required by Homeland Security Presidential Directive/Hspd-7
(Critical Infrastructure Identification, Prioritization, and
Protection) that established DHS as the lead in protecting the critical
infrastructure of the United States and DOE as the Sector Specific
Agency for electric power. In this regard, Commission staff have
supported and participated in DOE and DHS security initiatives. For
example, we participated in the DOE-led effort that produced the
Roadmap to Secure Control Systems in the Energy Sector. We also
participate in the electric sector Government Coordinating Council co-
chaired by DOE and DHS personnel. We supported and participated in the
efforts that developed the National Infrastructure Protection Plan and
the Electric Sector Specific Plan. With DOE's cooperation, we have
utilized the expertise found in the national laboratories to better
understand control system cyber vulnerabilities. Commission staff
participated in an interagency team, which included DHS and DOE, formed
to address the Aurora vulnerability. Currently, we continue to
cooperate with DOE and DHS and share information concerning threats. As
the only agency with authority to approve mandatory reliability
standards regarding the nation's electric grid, the Commission can
direct the ERO to develop any needed standard in an expedited
timeframe.
Question from the Honorable Michael T. McCaul, Ranking Member,
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology
Responses from Joe Weiss
Question 1.: What are the principal differences between the ISA 99
standards and the NIST best practices found in Special Publication 800-
53?
Response: Although the developmental processes were different for
NIST 800-53 and the ISA 99 standards, the results are harmonious. There
has been a significant amount of cross-pollination of people between
the NIST and ISA standards which will provide for a seamless transition
between the standards. Both ISA and NIST address multiple industries
and have similar content in those areas where the development is
essentially complete. It should be noted that neither ISA nor NIST
include the exceptions and exclusions found in the NERC CIP cyber
security standards. Specifically, NIST SP 800-53 security controls
address the management, operational, and technical safeguards,
countermeasures, and/or compensating measures prescribed for an
information system to protect the confidentiality, integrity, and
availability of the system and its information. ISA 99 Part 2 covers
the management and operational requirements. NIST will be performing a
mapping between ISA 99 Part 2 and the NIST SP 800-53 management and
operational security controls. ISA 99 Part 4 will cover the technical
requirements. NIST has provided SP 800-53 to the ISA 99 Part 4 Working
Group for consideration in the development of the Part 4 standard. No
significant differences are expected.
Question from the Honorable Paul C. Broun, a Representative in Congress
from the State of Georgia
Question 2.: What, in your opinion, is the most egregious element
of the NERC CIP standards? If they had to change one particular element
to be in line with your recommendations, what would it be?3
The most egregious element of the NERC CIP standards is the scope,
particularly the limitations and vagueness in NERC CIP-002. To be in
line with my recommendations, there would need to be two changes. The
first change would be to eliminate the exclusions of telecom, market
functions, electric distribution, non-routable protocols, and nuclear
power plants. The systems and protocols that have been excluded by the
NERC CIP process have vulnerabilities that could affect the reliability
of the electric grid. The second change would be to require all systems
that are electronically connected (e.g., digital or analog connection
of information or control systems) to be considered critical. These
changes would result in the utilities addressing all systems throughout
the enterprise that could be pathways into or out of the control system
networks. These changes are consistent with what is required for
securing business Information Technology applications and would make
the NERC CIPs more consistent with the NIST framework.
Question from the Honorable Bennie G. Thompson, Committeee on Homeland
Security
Response from David A. Whiteley
Amended December 12, 2007
Question 1.: What were the results of the August 2007 NERC survey
sent to owners and operators regarding the status of the sector's
implementation of the Aurora mitigation efforts? Please provide the
Committee with a copy of the survey and a narrative of the results.
Response: Survey responses were received from 133 entities. The
respondents included generating plant owners, generating plant
operators, transmission owners, transmission operators, and load-
serving entities. The respondents ranged from very large, multistate
investor-owned utilities to small municipal utilities. Responses were
received from all eight reliability regions.
The results of the survey indicate 94% of the mitigation measures
recommended in the June 21 ES-ISAC advisory are completed or are in
progress. This 94% consists of 60% completed and 34% in progress. The
remaining 6% are not being performed for a variety of reasons (not
applicable due to nature of equipment, being done by another entity,
could compromise reliability rather than help reliability).
The respondents indicated they are taking a prioritized approach to
the mitigation measures in applying them to their facilities. All
respondents with nuclear facilities indicated they have completed the
mitigation measures associated with those facilities and are working on
other, smaller facilities on a prioritized basis.
A copy of survey is enclosed.\1\
---------------------------------------------------------------------------
\1\ See to committee file.
Question 2.: If a cyber exploit of the Aurora vulnerability is
imminent, how will the Electric Sector ISAC ensure the immediate
implementation of mitigation efforts?
Response: The Electricity Sector (ES) ISAC would initiate the
following notification steps:
Obtain approval from the Electricity Sector
Coordinating Council to escalate the Cyber Threat Alert Level
to Red.
Post the escalated level on the ES-ISAC Web site.
Send e-mail notifications to the electric industry
through distribution lists designed for notification purposes.
The NERC regional entities, the reliability coordinators, and
all Independent System Operators (ISOs) and Regional
Transmission Organizations (RTOs) are included on the lists.
Also included on the lists are government agencies (NRC, DOE,
DHS, FERC, Public Safety Canada), other critical infrastructure
sector ISACs, and industry trade associations.
The notification would recommend that the industry
promptly complete the immediate mitigation measures identified
in the ES-ISAC Advisory. In the case of the June 21, 2007 ES-
ISAC Advisory, those mitigation measures included:
1. Robust cyber access mechanisms
2. Disable remote configuration change capability
3. Disable automatic re-close function
4. Add time delay to close function
5. Disable remote close function
Following notification to the industry, the ES-ISAC would follow-up
to monitor progress in implementing the immediate measures. The
progress would be tabulated and reported to appropriate government
agencies.
Question 3.: One of the NERC standards requires an entity to
identify its ``critical assets'' and ``critical cyber assets,'' with
the goal of ensuring that these assets are adequately protected from
any potential cyber incident. Under the NERC definition, would the
assets at issue in the Aurora vulnerability be considered ``critical
assets''?
Response: Critical assets determined using the methodology from
NERC standard CIP-002-1 would include generation assets which are
subject to the Aurora vulnerability. These typically will be large
generators and ``blackstart'' generators (i.e., those generators used
to restart the bulk power system following a large blackout). However,
not all generators are essential to the reliable operation of the bulk
electric system, and therefore would not be included on a list of
critical assets.
Question 4.: Are the NERC CIP standards consistent with the lessons
learned document issued after the August 2003 blackout?
Response: Yes. The NERC CIP Standards are consistent with the
recommendations in the August 2003 blackout report.\1\ There were 13
recommendations (R32 through R44) in the ``physical and cyber
security'' section of the recommendations list in the blackout report.
Of these, all of the recommendations that could properly be addressed
through Reliability Standards are addressed by requirements of the CIP
standards, as shown in the table below. Recommendation 36 is not a
standards issue, and recommendations 37 and 39 will require research
before standards can be written to fully address the recommendation.
---------------------------------------------------------------------------
\1\ Final Report on the August 14, 2003 ``Blackout in the United
States and Canada: Causes and Recommendations'', U.S.-Canada Power
System Outage Task Force, April 5, 2004. The recommendations regarding
physical and cyber security appear at pages 163-169 of the Report,
which is available at: http://www.oe.energy.gov/DocumentsandMedia/
BlackoutFinal-Web.pdf.
------------------------------------------------------------------------
Recommendation Relevant CIP Standard
------------------------------------------------------------------------
32--Implement NERC IT Standards CIP 002-009
------------------------------------------------------------------------
33--IT Management Procedures CIP 003, 007
------------------------------------------------------------------------
34--Corporate Level IT Governance CIP 003
------------------------------------------------------------------------
35--Manage IT System Monitoring CIP 005, 007, 008, 009
------------------------------------------------------------------------
36--US-Canada Risk Management Study Government Study recommendation
------------------------------------------------------------------------
37--IT Forensics and Diagnostics CIP 004, 009 Research
recommendation
------------------------------------------------------------------------
38--Assess Risk and Vulnerability CIP 002, 005, 007
------------------------------------------------------------------------
39--Wireless and Remote Intrusion CIP 005, Research recommendation
------------------------------------------------------------------------
40--Control Access CIP 006
------------------------------------------------------------------------
41--Guidance for Background Checks CIP 004
------------------------------------------------------------------------
42--Confirm Role of NERC ES-ISAC CIP 008
------------------------------------------------------------------------
43--Establish Clear Authority CIP 003
------------------------------------------------------------------------
44--Prevent Information Disclosure CIP 003
------------------------------------------------------------------------
Not all the recommendations in the report address topics that are
relevant to NERC standards development. Recommendation R36 deals with
an intergovernmental action (initiation of a U.S.-Canada risk
management study), not a performance standard requirement appropriate
for incorporation into a Reliability Standard. Recommendation R41 is
addressed in CIP 004, although there are significant legal and
jurisdictional issues contained in its implementation that would need
to be resolved outside the standards development process. The subject
matter of that recommendation, moreover, is addressed by an existing
NERC security guideline (scheduled for update in 2008). Recommendation
R42 (confirmation of NERC ES-ISAC as the central point for sharing
security information and analysis) is addressed in CIP 008. The
recommendation also has been addressed outside NERC's standards process
through the use of an incident reporting guideline. The guideline
approach is better suited for this issue due to the frequent change in
reporting procedures and protocols.
Question 5.: Do you agree with your NERC colleague Stan Johnson,
who stated that this test ``is not a realistic representation of how
the power system would operate''?
Response: Yes. The test completed at Idaho National Lab (INL) and
depicted in the video was a 30-second edited version of over three
minutes of actual test. The generator in the test was a stand-alone
diesel generator rated at 3.5 MW. While it is true that generators like
the one in the test are connected to the grid in North America, they
are not the backbone of the system and represent a very small portion
of the total generating resources available. The true backbone of the
system is large generators rated at 300 to 1,100 MW. These large
generating units have more sophisticated protection systems that would
most likely isolate the generators from the attack long before the
effects (black smoke, repetitive shaking, parts falling off) shown in
the video. The test at INL was conducted with the power system in an
optimal configuration for an attacker to be successful. In the real
power system, the power flows in a highly complex network make a
successful attack much more difficult. The power flows on the network
vary from day to day depending on what equipment is in-service or out-
of-service. The direction and magnitude of the flows would have to be
understood and taken advantage of by the attacker. While the test at
INL helped demonstrate the feasibility of a cyber attack resulting in
physical damage, a more comprehensive test would be very difficult, if
not impossible to conduct.
Question 6.: Can NERC effectively conduct oversight over electric
sector owners and operators, considering that NERC operates under dues
received by these same companies?
Response: Yes. NERC does not operate under a system of dues, which
suggests an element of voluntariness in the payments. Rather, Section
215 of the Federal Power Act, the regulations of the Federal Energy
Regulatory Commission, and NERC's bylaws and rules were specifically
written to preclude undue influence by electricity sector stakeholders.
Within the United States, NERC is funded through assessments to load
serving entities that are approved annually by FERC. Once approved,
those assessments constitute a legally binding obligation to pay that
is enforceable, ultimately, through federal law. FERC also approves
NERC's budget each year, which specifies how funds raised by assessment
will be used for NERC's various responsibilities, including
enforcement. While electric sector owners and operators, along with all
other electricity sector stakeholders, have the opportunity to express
their views about NERC's annual budget and assessment, electricity
sector stakeholders do not have decisional authority over NERC's budget
or assessments. NERC's annual budget and assessments are approved, in
the first instance, by NERC's independent board of trustees, and
thereafter by FERC.
Question 7.: In his testimony, Mr. Weiss recommends that NERC
incorporate the NIST Framework into its CIP standards. My understanding
is that the NIST Framework is still a work in progress that is still
subject to further amendment, and that it is intended to serve as model
guidelines for federal government agencies, not mandatory standards
applicable to the private sector with enforcement and penalty
provisions. If this is true, please comment on whether the NIST
Framework is actually an appropriate model for electric industry CIP
standards that are required under the Federal Power Act (as amended by
the Energy Policy Act of 2005) to be mandatory and enforceable? Please
also comment on other reasons why the NIST Framework may not be an
appropriate model for the NERC standards, including the lack of a
formal stakeholder process required by Sec. 215 of the Federal Power
Act, enacted by Congress in 2005 to govern the development of the NERC
CIP standards.
Response: The NIST Framework \2\ consists of a number of documents,
including Federal Information Processing Standards (FIPS) 199 and 200
(standards) and NIST Special Publications (SP) 800-60, 800-53, 800-30,
800-18, 800-53A, and 800-37 (guidance and recommendations). As with
other NIST SP800 documents, NIST SP800-53, Recommended Security
Controls for Federal Information Systems, is self-described as
``guidance documents and recommendations'' \3\ to be used in support of
federal agencies' compliance activities with the mandatory Federal
Information Processing Standards (FIPS) that implement the Federal
Information Security Management Act (FISMA) of 2002.
---------------------------------------------------------------------------
\2\ See document references available from http://
www.csrc.nist.gov/groups/SMA/fisma/framework.html.
\3\ NIST Special Publication 800-53 rev 1, page iv, available at
http://www.csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-
final-clean-sz.pdf.
---------------------------------------------------------------------------
The NIST guidance, as it exists in its approved format, was
developed in support of FISMA for conventional IT security issues
relating to conventional IT use of computers--the approved NIST
guidance was not developed for industrial control systems. NIST is
developing revised guidance for applicability to industrial control
systems (ICS), but that has not been finalized. The revised guidance is
in its `final' public draft, with comments on the draft due on December
14, 2007. NIST plans on publishing the fully revised document within
two weeks of the close of the comment period. As such, the revised ICS
guidance does not yet formally exist, and therefore, could not today be
included in any NERC CIP standards.
One major issue with the application of the NIST standards and
guidance to the private sector deals with the assessment of impact,
based on a significantly broader scope than the specific focus of the
NERC Standards on the reliable operation of the bulk power system. The
NIST standards and guidance process requires that all computer-based
processes be considered, even those that have no bearing on reliable
operations (and which are outside the scope of Section 215 of the FPA),
including administrative functions and market functions. While these
may have bearing on the business processes of the effected entities,
they cannot be made mandatory under the auspices of reliability
standards within the scope of Section 215.
Another issue with the application of the NIST standards and
guidance is the level of technical detail included in the guidance,
much of which does not directly relate to bulk power system
reliability. The FIPS-199 concept of a ``high water mark'' for security
classification requires, for example, that if any one component of a
system requires a medium or high level of confidentiality, all
components of that system must be implemented with a high
confidentiality without regard to the resultant impact to operations,
even if that result were detrimental to reliable operations. This will
result in significantly more work required to achieve and maintain
compliance with the standards, without any reliability-based benefit.
While there is a formal approval process for NIST standards, which
require the approval of the Secretary of Commerce, there does not
appear to be any formal documented process for creating, revising or
approving NIST guidance. Further, the NIST (FIPS) standards allow the
inclusion by reference of other documents (e.g., SP800-53). These
referenced documents do not have the same level of approval required as
the formal text of the standards.
In contrast, Section 215 of the FPA requires that ``reasonable
notice and opportunity for public comment, due process, openness, and
balance of interests in developing reliability standards'' be provided
by the Electric Reliability Organization certified by FERC (i.e., NERC)
in developing Reliability Standards. These requirements are
incorporated in FERC's rules for certification of the ERO, and in the
NERC rules of procedure as approved by FERC. The NERC process requires
that ``[a]ll mandatory requirements of a reliability standard shall be
within an element of the standard,'' \4\ thereby ensuring that all
mandatory and enforceable standards follow the same rigorous review and
approval process approved by FERC as consistent with the statutory
requirements. The NERC process allows the development of guidance, but
cannot make those documents binding as mandatory and enforceable
standards.
---------------------------------------------------------------------------
\4\ NERC Reliability Standards Development Procedure, Version 6.1,
available at ftp://ftp.nerc.com/pub/sys/all_updl/oc/stp/
RSDP_V6_1_12Mar07.pdf.
Question 8.: Concerns have been raised regarding the potential that
one or more isolated cyber failures or attacks to electric distribution
system assets could directly lead to more widespread failures or
electric outages in the bulk power system. Please explain if the
standard radial design of electric distribution systems makes such a
scenario unlikely, and if it in fact enhances the ability of electric
utilities to isolate the impact of such events.
Response: The distribution system is primarily a point-to-point
system, with lines emanating in a radial pattern, from the local
substation to the consumer. When a distribution line is taken out of
service by a falling tree in an ice storm, for example, electricity no
longer flows on that spoke and the consumers' lights go out. However,
the problem is limited and localized. That is the nature of the
distribution system--it is local and affects a limited area.
One or more isolated cyber attacks or failures on the distribution
system will have a localized and limited effect. In addition, the
isolation and protection requirements of the NERC CIP standards protect
the bulk power system from intrusion reaching through the distribution
system to bulk power system assets. For one or more isolated cyber
failures or attacks to impact the bulk power system would require a
very complex, coordinated, synchronized action. It would require a
knowledgeable and determined attacker to exploit a vulnerability. While
technically feasible, the likelihood is low of such a scenario
successfully occurring.
Question 9.: My understanding is that the current ISA security
standards and technical reports that Mr. Weiss recommends for
incorporation in the NERC CIP standards are intended to be used as
guidance, not to establish expectations for auditable compliance, and
there are no measures or levels of noncompliance currently associated
with ISA99. Levels of noncompliance would need to be created and
approved before the standards could be used as mandatory and
enforceable. Do you think that such measures could be developed, if
such measures are even possible, and how much time would it take to
develop those measures?
Response: Much like the status of the NIST guidance for industrial
control systems, the ISA standards are still a work in progress. To
date, only two ``technical reports'' which do not contain any
requirements (i.e., they are ``informative'' and not ``normative'' in
nature) have been approved. Because these approved documents do not
contain any ``normative'' requirements, quantifiable measures cannot be
developed for them. The ISA standards themselves are being developed in
at least four parts (or volumes), and of the four publicly documented
parts, one deals with establishing terminology, concepts and models,
and two deal with the establishment and operations of a security
program. Only the fourth part deals with ``Specific Security
Requirements for Industrial Automation and Control Systems.''
This fourth part has just been started, so it is impossible to
determine how measures, levels of noncompliance, or violation risk
factors (all of which are required elements of NERC standards, and are
required for the compliance program activities) could be developed for
any explicit requirements contained in that standard. It is unknown how
long the process to develop those measures would require.
Question 10.: Appendix F of the NIST 800-53 standards lists at
least 25 instances where an exception to compliance for Industrial
Control Systems (ICS) may be taken when ``the organization determines
it is not feasible or advisable (e.g., adversely impacting performance,
safety, reliability)''. FERC has indicated that exemptions under
``technically feasible'' should be as limited as possible, yet it
appears that incorporation of the NIST standards would allow for a very
broad exemption under technical feasibility. Can you comment on this?
Response: The NIST standards do not meet the Commission's
expectations.
Question 11.: What would be the result if the electric industry was
forced to implement the NIST best practices for control systems based
upon SP 800-53?
Response: Any change now in cybersecurity requirements for the bulk
power system would significantly retard progress toward more robust
cybersecurity protections.
A requirement to adopt NIST ``best practices'' now would result in
a suspension of the current efforts to implement the proposed NERC
cybersecurity standards pending a review of the NIST standards. The
result of the review would require new implementation plans and
additional time.
The loss of industry compliance momentum and the delay in
implementing mandatory bulk power system cybersecurity standards would
be detrimental to the reliability of the bulk power system.
Question 12.: Are owners and operators of distribution facilities
included within the NERC membership? If so, regardless of the authority
extended in the Energy Policy Act, doesn't it make sense that
distribution facilities be included in reliability considerations?
Response: Within the United States there are approximately 3,000
entities that own or operate distribution facilities. Approximately 375
of those entities are NERC members. NERC's authority to set and enforce
reliability standards is not contingent on NERC membership, but extends
to owners, operators and users of the bulk power system, whether or not
they are a member of NERC. NERC can and does take account of the impact
of distribution facilities on the reliability of the bulk power system.
NERC can exercise jurisdiction over owners, operators, and users of the
bulk power system.
Question 13.: How does NERC ensure that its members are making
efforts to mitigate the Aurora vulnerability that we know exists within
control systems?
Response: The Electricity Sector Information Sharing and Analysis
Center (ES-ISAC) has been operated by NERC since it was formed in 2001.
The ES-ISAC was created as a result of action by the U.S. Department of
Energy in response to Presidential Decision Directive 63 issued in
1998. The ES-ISAC is working with the electricity sector entities to
mitigate the vulnerabilities in the system by providing information
about the vulnerability, recommending mitigation measures, and
following up to monitor successful completion.
The ES-ISAC has worked closely with all segments and all levels in
the industry to mitigate the vulnerabilities. Meetings have been held
with representatives of all the major trade associations (EEI, APPA,
NRECA), the CEOs of the largest companies, the Electricity Sector
Coordinating Council, numerous operating level committees, and groups
of technical experts.
Because the steps needed to mitigate the Aurora vulnerability are
not reflected in approved reliability standards, NERC has no authority
to compel those actions. Not all subjects are the appropriate topic for
standards. The standards development process is by design a public and
transparent one, and matters such as the Aurora vulnerability do not
lend themselves to that public process. However, NERC believes the
industry is demonstrating excellent judgment and cooperation in
completing the implementation of the mitigation measures.
Question 14.: In your testimony you mention that NERC as the
Electric Reliability Organization (ERO) was not given authority over
facilities used for distribution of electric power. Who has authority
to enforce regulations over such facilities?
Response: NERC as the electric reliability organization only has
enforcement authority over the bulk power system. The definition of
``bulk power system'' in Section 215(a)(1) of the Federal Power Act
expressly excludes facilities used for local distribution. Authority
over facilities used for local distribution is generally reserved to
the states, and the scope of that authority varies from state to state.
State public utility commissions exercise such authority to the extent
the utilities are within their jurisdiction. In a number of states,
municipal utilities are not within the jurisdiction of state
commissions.
Question 15.: NERC has proposed its own set of cybersecurity
standards--will these standards make a difference, i.e. will they make
us safer than we are today without these standards? Will there be more
to do after these standards are accepted by FERC in their current form?
Response: The answer to both these questions is ``yes.'' These
standards represent a first step in a process of continually increasing
the cybersecurity of the electricity industry. While some companies
already meet or exceed the requirements of these standards, the vast
majority of the industry is working very hard right now to meet both
the letter and intent of the standards as they are written (and
expected to be approved by FERC). Essentially every company has had to
do some work in order to meet either the technical requirements, or
provide sufficient documentation to prove during an audit that they
have met the requirements. Many companies are analyzing their systems,
and implementing policy-based and technical controls to significantly
increase the cyber security posture, especially at their substations
and power plants.
Since these standards represent a first step, there will be
additional steps. Making the modifications proposed by FERC in the
pending NOPR to approve the NERC Reliability Standards will be among
the additional steps to be taken in this area. As the industry gains
experience and confidence in implementing cybersecurity protections,
and as the vendors of control systems begin to implement increased
cybersecurity protections into their systems, the cybersecurity posture
of the industry will increase, and additional standards can be written
to ensure that all industry participants are continuing to ``raise the
bar'' in their cybersecurity protections. NERC's rules, and a condition
of accreditation by the American National Standards Institute, require
that each standard be reviewed at least every five years. NERC
anticipates completing the review and upgrade of all standards over a
three-year period. The cybersecurity standards are scheduled for review
in 2009 to asses them based on lessons learned to that point. NERC's
standards development procedure provides a systematic approach to
improving to the standards and documenting the basis for those
improvements, and should serve as the mechanism for achieving those
improvements.
The future revisions to the NERC cyber security standards will take
place after the NIST guidance on security to Industrial Control Systems
has been finalized, and it is likely that some of the recommendations
in that guidance will be included in revised Reliability Standards.
These recommendations will be analyzed and included (or not) based on
their impact on the reliable operation of the bulk power system.
Question 16.: You mentioned in your testimony that the CIP
standards were developed in a rigorous process. How does NERC plan on
operating if and when it must develop security standards much quicker
than the rigorous standard process allows? Are there any contingency
plans in place for when immediate action is necessary?
Response: NERC operates according to its Rules of Procedure that
have been approved by the Federal Energy Regulatory Commission. Section
300 of the Rules of Procedure discusses the reliability standards
development processes. Rule 308 acknowledges that the current
Reliability Standards Development Procedure (Version 6.1) includes a
provision for approval of urgent action standards that can be completed
within 60 days and emergency actions that may be further expedited.
Further, Rule 309.3, Directives to Develop Standards Under
Extraordinary Circumstances, stipulates the urgent approval action
procedure may be utilized if necessary to meet a timetable for action
required by governmental authorities or circumstances, respecting to
the extent possible the provisions in the standards development process
for reasonable notice and opportunity for public comment, due process,
openness, and a balance of interests in developing reliability
standards. After making a written finding that an extraordinary and
immediate threat exists to bulk power system reliability or national
security, the NERC independent Board of Trustees has discretion to
substantially reduce the public notice and balloting periods, thus
expediting the development timeframe.
When standards are implemented using the urgent action or emergency
process, one of the following three actions must occur:
--If the urgent or emergency action standard is to be made
permanent without substantive changes, then the standard must
proceed through the regular standards development process
within one year of the urgent or emergency action approval.
--If the urgent or emergency action standard is to be
substantively revised or replaced by a new standard, then a
request for the new or revised standard must be initiated as
soon as practical after the urgent or emergency action ballot,
and the standard must proceed through the regular standards
development process as soon as practical within two years of
the urgent or emergency action approval.
--The urgent or emergency action standard may be withdrawn
through the regular standards development process within two
years.
To address immediate threats, NERC can issue an ``Essential
Action'' alert as proposed and currently pending before FERC in Rule
808.10 of NERC's Rules of Procedure. An ``Essential Action'' alert
identifies specific actions that NERC has determined are essential for
certain segments of owners, operators, or users of the bulk power
system to take to ensure the reliability of the bulk power system. Such
alerts require NERC Board approval before issuance. These alerts are
not mandatory, and NERC has no enforcement authority regarding these
alerts, but NERC believes they can be a very useful tool in
communicating to industry participants actions that are needed on an
immediate basis to protect bulk system reliability.
Amendment
Question 1. What were the results of the August 2007 NERC survey
sent to owners and operators regarding the status of the sector's
implementation of the Aurora mitigation efforts? Please provide the
Committee with a copy of the survey and a narrative of the results.
Response: The written follow-up survey was distributed on October
19, 2007. Survey responses were received from 133 entities. The
respondents included generating plant owners, generating plant
operators, transmission owners, transmission operators, and load-
serving entities. the respondents ranged from very large, multistate
investor-owned utilities to small municipal utilities. Responses were
received from all eight reliability regions.
The results of the survey indicate 94% of the mitigation measures
recommended in the June 21 ES-ISAC advisory are completed or are in
progress. This 94% consists of 60% completed and 34% in progress. The
remaining 6% are not being performed for a variety of reasons (not
applicable due to nature of equipment, being done by another entity,
could compromise reliability rather than help reliability).
The respondents indicated they are taking a prioritized approach to
the mitigation measures in applying them to their facilities. All
respondents with nuclear facilities indicated they have completed the
mitigation measures associated with those facilities and are working on
other, smaller facilities on a prioritized basis.
Note: ES-ISAC, ELECTRICITY SECTOR, INFORMATION SHARING AND ANALYSIS
CENTER, OPERATED BY NERC, ``ESISAC Advisory Follow-up Survey'', October
19, 2007, see committee file.
Questions from the Honorable Paul Broun, Jr., a Representative in
Congress from the State of Georgia
Responses Submitted by Greg Wilshusen
Responses from David A. Powner
Director, Information Technology Management Issues
Questions: In your review of the various programs in the federal
government and the private sector to secure control systems, (1) do you
identify any clear gaps in efforts? (2) As well are there any clearly
duplicative programs working in parallel? (3) Are there initiatives
that don't exist that should?
Responses: (1) We have identified gaps in programs in the federal
government and private sector to secure control systems. As we reported
in September 2007,\1\ The National Strategy to Secure Cyberspace \2\
directs the Department of Homeland Security, in coordination with the
Department of Energy and other agencies, to work in partnership with
private industry in increasing awareness of the importance of efforts
to secure control systems, developing standards, and improving policies
with respect to control systems security. However, we reported that the
federal government does not yet have an overall strategy for guiding
and coordinating control systems security efforts across the multiple
agencies and sectors. In addition, more can be done to coordinate
related control system activities within and across sectors and across
the government. For example, while the Department of Energy has led the
development of an industry road map to secure control systems for the
energy sector, we have not seen evidence that other sectors, such as
transportation, have developed such road maps. Another gap we reported
is that the Department of Homeland Security lacks a rapid, efficient
process for disseminating sensitive information to private industry
owners and operators of critical infrastructures.
---------------------------------------------------------------------------
\1\ GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, D.C.: Sept. 10, 2007)..
\2\ The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
---------------------------------------------------------------------------
(2) We reported that overlapping and possibly duplicative control
systems security activities may exist. For example, there are multiple
efforts underway to develop standards for control systems security.
These include industry specific standards, such as the North American
Electric Reliability Corporation standards and the American Gas
Association standards, as well as more general standards, such as the
ISA (formerly the Instrumentation, Systems, and Automation Society)
standards and, within the federal government, the National Institute of
Standards and Technology standards. Each has different levels of
specificity, and the opportunity exists to better coordinate and
harmonize these standards.
(3) With respect to your question on initiatives, actions could be
taken to reduce or eliminate gaps and duplicative activities discussed
above. For example, we previously recommended that the Department of
Homeland Security develop a governmentwide strategy for securing
control systems. As it moves forward with this effort, it should take
the opportunity to identify and coordinate the activities described
above and other control systems activities. In addition, industry
experts spoke of the beneficial value of the activities of the national
laboratories in working with control systems vendors and operators and
the benefit of possibly expanding such activities.
-----
In responding to these questions, we relied on previous audit work
we preformed in developing our report on critical infrastructure
control systems, as well as ongoing work examining security of control
systems.
�