[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
THE CYBER THREAT TO CONTROL SYSTEMS: STRONGER REGULATIONS ARE NECESSARY 
                      TO SECURE THE ELECTRIC GRID

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON EMERGING
                      THREATS, CYBERSECURITY, AND
                         SCIENCE AND TECHNOLOGY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 17, 2007

                               __________

                           Serial No. 110-78

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED]

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                  U.S. GOVERNMENT PRINTING OFFICE
48-973                    WASHINGTON : 2009
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                     COMMITTEE ON HOMELAND SECURITY

               BENNIE G. THOMPSON, Mississippi, Chairman

LORETTA SANCHEZ, California,         PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts      LAMAR SMITH, Texas
NORMAN D. DICKS, Washington          CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California              MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon             TOM DAVIS, Virginia
NITA M. LOWEY, New York              DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of   MIKE ROGERS, Alabama
Columbia                             BOBBY JINDAL, Louisiana
ZOE LOFGREN, California              DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas            MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin    CHARLES W. DENT, Pennsylvania
Islands                              GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina         MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island      GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas                 DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
VACANCY

            Rosaline Cohen, Staff Director & General Counsel

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND 
                               TECHNOLOGY

               JAMES R. LANGEVIN, Rhode Island, Chairman

ZOE LOFGREN, California              MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin    DANIEL E. LUNGREN, California
Islands                              GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee
AL GREEN, Texas                      PETER T. KING, New York (Ex 
VACANCY                              Officio)
BENNIE G. THOMPSON, Mississippi (Ex 
Officio)

                    Jacob Olcott, Director & Counsel

        Dr. Chris Beck, Senior Advisor for Science & Technology

                       Carla Zamudio-Dolan, Clerk

       Dr. Diane Berry, Minority Senior Professional Staff Member

                                  (ii)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island, Chairman, Subcommittee on 
  Emerging Threats, Cybersecurity, and Science:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, Ranking Member, Subcommittee on 
  Emerging Threats, Cybersecurity, and Science and Technology....     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     5
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    68
The Honorable Al Green, a Representative in Congress From the 
  State of Texas.................................................    64
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California............................................    27
The Honorable Bill Pascrell, Jr., a Representative in Congress 
  From the State of New Jersey...................................    24
The Honorable Ginny Brown-Waite, a Representative in Congress 
  From the State of Florida......................................    26

                               Witnesses
                                Panel I

Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security 
  and Telecommunication Department of Homeland Security:
  Oral Statement.................................................     6
  Preapred Statement.............................................     9
Mr. Tim Roxey, Technical Assistant to the President CGG/Security, 
  Deputy to the chair, NSCC & PCIS, Constellation Generation 
  Group:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17
Mr. Greg Wilshusen, Director, Information Security Issues, 
  Government Accountability Office...............................    13

                                Panel II

Mr. Joseph McClelland, Director, Office of Electric Reliability, 
  Federal Energy Regulatory Commission:
  Oral Statement.................................................    29
  Prepared Statement.............................................    31
Mr. Joe Weiss, Managing Director, Applied Control Solutions:
  Oral Statement.................................................    46
  Prepared Statement.............................................    48
Mr. David Whiteley, Executive Vice President, North American 
  Electric Reliability Corporation:
  Oral Statement.................................................    36
  Prepared Statement.............................................    38

                               Appendixes

Appendix I: For the Record
  Letter from Mr. David A. Whiteley..............................    77
Appendix II:  Additional Questions and Responses
  Responses from Mr. Greg Garcia.................................    79
  Responses from Mr. Joseph McClelland...........................    85
  Responses from Mr. Joe Weiss...................................    88
  Responses from Mr. David Whiteley..............................    88
  Responses from Mr. Greg Wilshusen..............................    95


THE CYBER THREAT TO CONTROL SYSTEMS: STRONGER REGULATIONS ARE NECESSARY 
                      TO SECURE THE ELECTRIC GRID

                              ----------                              


                      Wednesday, October 17, 2007

             U.S. House of Representatives,
                    Committee on Homeland Security,
           Subcommittee on Emerging Threats, Cybersecurity,
                                and Science and Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:16 p.m. in 
Room 311, Cannon House Office Building, Hon. James R. Langevin 
[chairman of the subcommittee], presiding.
    Present: Representatives Langevin, Lofgren, Etheridge, 
Green, Pascrell, Thompson, McCaul, Brown-Waite, and Broun.
    Mr. Langevin. The subcommittee will come to order.
    The subcommittee is meeting today to receive testimony on 
``The Cyber Threat to Control Systems: Stronger Regulations are 
Necessary to Secure the Electric Grid.''
    I will begin by recognizing myself for the purposes of an 
opening statement.
    Today's hearing provides us with a prime opportunity to 
assess the future of cybersecurity and critical infrastructure 
protection in the United States. Today we will discuss two 
major issues: the efforts to implement cybersecurity standards 
within the electric sector and a cyber vulnerability, known as 
Aurora, which was recently made public.
    Now, I will be blunt, if this administration doesn't 
recognize and prioritize these problems soon, the future isn't 
going to be pretty.
    The bulk power system in the United States and Canada has 
more than $1 trillion in asset value, more than 200,000 miles 
of transmission lines, and more than 800 megawatts of 
generating capability, serving over 300 million people. The 
effective functioning of this infrastructure is highly 
dependent on control systems, which a computer-based system is 
used to monitor and control sensitive processes and physical 
functions.
    Once largely proprietary, closed systems, control systems 
are becoming increasingly connected to open networks, such as 
corporate intranets and the Internet itself. As such, the cyber 
risk of these systems is increasing.
    Intentional and unintentional control system failures on 
the bulk power system could have a significant and potentially 
devastating impact on the economy, public health and national 
security of the United States. For a society whose every 
function depends on reliable power, the disruption of 
electricity to chemical plants, banks, refineries, hospitals, 
water systems and military installations presents a terrifying 
scenario.
    Now, we will not accidentally stumble upon a solution to 
these problems. Instead, we must dedicate a lot of hard work 
and resources to secure our systems. To this end, the Federal 
Energy Regulatory Corporation, FERC, has recommended protecting 
the bulk power system against disruptions from cyber attacks by 
approving a set of reliability standards developed by the North 
America Electric Reliability Corporation, or NERC.
    Now, the proposed standards require certain users, owners 
and operators of the grid to establish plans, protocols and 
controls to safeguard physical and electric access to systems, 
to train personnel on security matters, to report security 
incidents, and to be prepared to recover information.
    Two weeks ago, members of this committee, including myself, 
Chairman Thompson, Mr. McCaul, submitted comments to FERC 
Rulemaking. We believe that the standards proposed by NERC do 
not sufficiently ensure the production or delivery of power in 
the event of intentional or unintentional cyber incidents 
involving critical infrastructures. The NERC standards focus on 
the reliability of the bulk power system as a whole, yet 
ignoring the Homeland Security impact that loss of power in a 
region can have. The standards, for example, won't cover a 
significant number of assets that are critical to providing 
power throughout the country.
    As several witnesses will testify today, the NERC standards 
won't require electric-sector owners and operators to secure 
their generation units, distribution units or 
telecommunications equipment. But we know from countless real-
world examples that these units are highly vulnerable to 
intentional or unintentional cyber events. Knocking any of 
these units off could affect the power supply to our Nation's 
critical infrastructure.
    The readiness standards that would preclude these elements 
just isn't good public policy. The technical experts agree with 
this assertion. According to research performed for NIST, the 
NERC standards are inadequate for protecting critical national 
infrastructure. And GAO concurs with those findings.
    Now, I am concerned about the narrow scope of the 
standards, particularly in light of recent events. CNN recently 
reported that DHS researchers at the Idaho National Laboratory 
successfully destroyed a generator through an experimental 
cyber attack. This experiment was code-named ``Aurora.'' And we 
are going to have a brief video at the end of the testimony of 
our witnesses here that are here this afternoon.
    But officials tell me that malicious actors, insider 
terrorists, or nation-states could use the same attack vector 
against larger generators and other critical rotating 
equipment, that they could cause widespread and long-term 
damage to the electric infrastructure. DHS, working through 
Idaho National Labs and DOE, have been deploying mitigation 
measures for many of the critical infrastructure sectors. 
Naturally, we expect owners and operators of critical 
infrastructure would mitigate these vulnerabilities as quick as 
possible. Unfortunately, I have reason to believe that the 
mitigations developed by DHS and DOE have not been fully 
implemented across the electric sector.
    Today, the ranking member and I sent a letter to FERC 
Chairman Joe Kelliher and asked him to commence an 
investigation to determine the extent to which the electric-
sector owners and operators have implemented these mitigation 
efforts.
    Despite the comments from industry that suggest otherwise, 
we in Congress believe that this is a serious problem. This 
subcommittee will continue its vigorous oversight of this 
critical aspect of our Nation's homeland security. These are 
important issues.
    And, without objection, I would like to introduce into the 
record our comments to the FERC Rulemaking that we submitted on 
October 5th, as well as the letter I provided Chairman Kelliher 
yesterday, requesting the investigation.

    Prepared Opening Statement of the Honorable James R. Langevin, 
 Chairman, Subcommittee on Emerging Threats, Cybersecurity, and Science

    Today's hearing provides us with a prime opportunity to asses the 
future of cybersecurity and critical infrastructure protection in the 
United States. We will discuss two major issues today: the efforts to 
implement cybersecurity standards within the electric sector and a 
cyber vulnerability known as ``Aurora'' that was recently made public. 
I'll be blunt--if this Administration doesn't recognize and prioritize 
these problems soon, the future isn't going to be pretty.
    The bulk power system of the United States and Canada has more than 
$1 trillion in asset value, more than 200,000 miles of transmission 
lines, and more than 800,000 megawatts of generating capability serving 
over 300 million people. The effective functioning of this 
infrastructure is highly dependent on control systems, which are 
computer-based systems used to monitor and control sensitive processes 
and physical functions. Once largely proprietary, closed-systems, 
control systems are becoming increasingly connected to open networks, 
such as corporate intranets and the Internet. As such, the cyber risk 
to these systems is increasing.
    Intentional and unintentional control system failures on the bulk 
power system could have a significant and potentially devastating 
impact on the economy, public health, and national security of the U.S. 
For society whose every function depends on reliable power, the 
disruption of electricity to chemical plants, banks, refineries, 
hospitals, water systems, and military installations presents a 
terrifying scenario. We will not accidentally stumble upon a solution 
to these problems. Instead, we must dedicate a lot of hard work and 
resources to secure our systems.
    To this end, the Federal Energy Regulatory Corporation (FERC) has 
recommended protecting the bulk power system against disruptions from 
cyber attacks by approving a set of reliability standards developed by 
the North American Electric Reliability Corporation (NERC). The 
proposed standards require certain users, owners and operators of the 
grid to establish plans, protocols and controls to safeguard physical 
and electronic access to systems, to train personnel on security 
matters, to report security incidents, and to be prepared to recover 
information.
    Two weeks ago Members of this Committee, including myself, Chairman 
Thompson, and Mr. McCaul, submitted comments to the FERC rulemaking. we 
believe that the standards proposed by NERC do not sufficiently ensure 
the production or delivery of power in the event of intentional or 
unintentional cyber incidents involving critical infrastructures. The 
NERC standard focuses on the reliability of the bulk power system as a 
whole, ignoring the homeland security impact that loss of power in a 
region can have.
    The standards won't cover a significant number of assets that are 
critical in providing power throughout the country. As several 
witnesses will testify today, the NERC standards won't require electric 
sector owners and operators to secure their generation units, 
distribution units, or telecommunications equipment. But we know from 
countless real world examples that these units are highly vulnerable to 
intentional and unintentional cyber events. Knocking any of these units 
off could affect the power supply to our nation's critical 
infrastructure.
    Writing a standard that would preclude these elements just isn't 
good public policy. The technical experts agree with this assertion. 
according to research performed for NIST, the NERC standards are 
``inadequate for protecting critical national infrastructure.'' GAO 
concurs with those finds. I'm concerned about the narrow scope of the 
standards, particularly in light of recent events. CNN recently 
reported that DHS researchers at the Idaho National Laboratory 
successfully destroyed a generator through an experimental cyber 
attack. This experiment was code-named ``Aurora.''
    Officials tell me that malicious actors--insiders, terrorists, or 
nation states--could use the same attack vector against larger 
generators and other critical rotating equipment that could cause 
widespread and long-term damage to the electric infrastructure. DHS, 
working through Idaho National Labs, and DOE have been developing 
mitigation measures for many of the critical infrastructure sectors. 
Naturally, we would expect owners and operators of critical 
infrastructure would mitigate these vulnerabilities as quickly as 
possible. Unfortunately, I have reason to believe that the mitigations 
developed by DHS and DOE have not been fully implemented across the 
electric sector.
    Today, the Ranking Member and I sent a letter to FERC Chairman Joe 
Kelleher and asked him to commence an investigation to determine the 
extent to which electric sector owners and operators have implemented 
these mitigation efforts. Despite comments from industry that suggest 
otherwise, we in the Congress believe that this is a serious problem. 
This Subcommittee will continue its vigorous oversight over this 
critical aspect of our nation's homeland security.

    Mr. Langevin. With that, that concludes my opening 
statement. And the Chair now recognizes the ranking member of 
the subcommittee, the gentleman from Texas, Mr. McCaul, for the 
purposes of an opening statement.
    Mr. McCaul. I thank the Chairman. I apologize for being a 
little bit late. It is not every day you see the President 
award the Dalai Lama the Congressional Gold Medal of Honor.
    I want to thank you for holding this hearing. And we have 
been working in a very bipartisan way on this issue because it 
is an issue of national security that impacts the American 
people and the security of the American people.
    The electric power grid and the generation and distribution 
equipment associated with it are amongst the most critical 
pieces of our country's infrastructure. These systems, commonly 
known as the power grid, are the largest, most complex machines 
on the continent, enabling power to be generated, transmitted 
and distributed to millions of individuals and businesses 
across North America.
    Despite the fact that the grid is highly reliable and has 
built-in redundancy, the grid is dependent on its various 
parts. Due to the physics of transmitting electricity, the 
entire bolt power operates at the same frequency, so the grid 
could be vulnerable to cascading failures and long-term outages 
if the systems that control the production and flow of 
electricity are compromised. As we saw with Aurora, these 
systems can be compromised, and they are vulnerable.
    Another example would be the East Coast blackout in 2003, 
when an ordinary power outage, caused by a line coming in 
contact with a tree, was exacerbated by a software bug, leading 
to an alarm system failure that rippled across the East Coast. 
The 2003 blackout was unintentional and, while costly, didn't 
cause major disruption for more than 24 to 36 hours. But it 
does, however, demonstrate that no grid can be threatened, when 
a relatively small number of systems fail. It also demonstrates 
that the grid can be threatened.
    Industrial control systems, computer systems designed to 
monitor and control industrial processes, have been 
increasingly controlled over networks and the Internet. This 
has created a much more efficient and easy-to-use system, but 
has also created a whole host of vulnerabilities. These 
vulnerabilities are exacerbated by the fact that traditional 
cybersecurity solutions are not as easy to implement because 
the systems must run smoothly and continuously.
    Recently, the consequences of these cyber-based attacks 
have come to light, primarily on CNN. And it is crucial and 
critical that we move quickly in this country to secure these 
vulnerable systems.
    The Department of Homeland Security has multiple 
initiatives under way to secure systems, as do a number of 
other agencies, as well as the private sector. The Department 
should take this opportunity to consolidate those initiatives 
and draft an overall strategy that minimizes overlapping 
efforts and prevents gaps so that these critical systems are 
secured as quickly and effectively as possible.
    I look forward to this discussion and the discussion from 
the second panel, who will talk about cybersecurity standards 
and best practices within the industry.
    I believe that we can work together within the existing 
structure to ensure that the industry's assets are adequately 
and safely protected from threats and vulnerabilities.
    With that, I want to thank the witnesses for being here. 
And I yield back.
    Mr. Langevin. I thank the ranking member.
    The Chair now recognizes the chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for an 
opening statement.
    Mr. Thompson. Thank you very much, Mr. Chairman. And I 
thank you for your leadership on cybersecurity in this Congress 
and your continued oversight on this issue.
    Mr. Chairman, I often talk about vacancies within the 
Department of Homeland Security, because I think it affects our 
ability to protect and defend the United States. In that vein, 
I am concerned about the Department's efforts in cybersecurity, 
particularly given the extraordinary number of vacancies that 
have opened up in the National Cybersecurity Division. Three 
critically important individuals--the director of the National 
Cybersecurity Division, the deputy director of outreach and 
awareness, and the director of the Control Systems Security 
Program--have all left the Department in recent months. I hope 
Assistant Secretary Garcia can provide us information today 
about where we are in filling these important positions.
    Of course, this is nothing new for DHS or the Cyber 
Division. The Control Systems Security Program, the subject of 
today's hearing, has gone through countless program managers 
over the years. I believe the high rate of vacancies and 
turnover is affecting the Department's ability to really move 
this country forward on control systems.
    Take the control systems strategy, for example. In 2005, 
DHS started working with interagency partners to develop a 
comprehensive control systems strategy that would encompass the 
public and private sectors, set a national vision to secure 
control systems, describe roles and responsibility, and 
identify future requirements for resources and action. It is 
almost 3 years later, and not one product has been delivered.
    A Department working without key leadership sends a bad 
message to the private-sector owners and operators, who are 
essential to securing critical infrastructure. How is the 
Department supposed to develop long-term relationships with 
these companies and individuals when there is a different DHS 
face in every meeting?
    Similarly, how is the private sector supposed to react to 
the cyber initiative that was reported last month in the 
Baltimore Sun? According to that article, NSA will be working 
with DHS and other Federal agencies to monitor critical 
infrastructure networks to prevent unauthorized intrusions. 
According to the article, up to 2,000 people will be assigned 
to this endeavor.
    I wonder how this initiative is going to impact the public-
private partnership that DHS has been developing. I have asked 
the Department to brief me numerous times on this initiative, 
but we haven't heard a peep. I hope the Assistant Secretary can 
provide us with feedback today.
    Mr. Chairman, the American people deserve better. They 
deserve better leadership on this issue. And I hope that the 
next administration will reverse this unfortunate and dangerous 
path. I thank you for your leadership on this issue, and I 
yield back.
    Mr. Langevin. I thank the gentleman.
    Other members of the subcommittee are reminded, under the 
committee rules, opening statements maybe submitted for the 
record.
    I want to begin now by welcoming our first panel of 
witnesses.
    Our first witness, Mr. Greg Garcia, Assistant Secretary for 
Cybersecurity and Communications. Assistant Secretary Garcia 
oversees the Department of Homeland Security's mission to 
prepare for and respond to incidents that could degrade or 
overwhelm the operation of the Nation's information-technology 
and communications infrastructure.
    I want to welcome you here, Secretary Garcia.
    Our second witness, Gregory Wilshusen, is the director of 
information security issues at GAO, where he leads information-
security-related studies and audits the Federal Government.
    I appreciate you being here, Mr. Wilshusen.
    And our third witness is Mr. Tim Roxey, the technical 
assistant to the president of Constellation Generation Group 
for Security. He is the deputy to the Chairs for both the 
Nuclear Sector Coordinating Council and the Partnership of 
Critical Infrastructure Security, and is the team lead for the 
Aurora mitigation efforts for the private sector.
    Mr. Roxey, thank you for being here, as well.
    Without objection, the witnesses' full statements will be 
inserted into the record. And I now ask each witness to 
summarize their statement for 5 minutes, beginning with 
Assistant Secretary Garcia.
    And, Secretary, with all the vacancies that Chairman 
Thompson mentioned in his opening statement, I am glad to see 
that you are at least still on the job. Welcome. And thank you 
for being here.

  STATEMENT OF GREGORY GARCIA, ASSISTANT SECRETARY, OFFICE OF 
   CYBERSECURITY AND COMMUNICATIONS, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Garcia. Thank you very much, Mr. Chairman.
    Chairman Thompson, Ranking Member McCaul and members of the 
subcommittee, I do appreciate the opportunity to speak with you 
today about DHS efforts to strengthen the security and 
resiliency of our Nation's critical infrastructure.
    It is fitting that you are holding this hearing during 
National Cybersecurity Awareness Month, because it really helps 
to raise public consciousness about the importance of control 
systems security to our economic well-being and to our homeland 
security.
    I would also like to personally thank you and Mr. McCaul 
and your colleagues for your leadership in cosponsoring House 
Resolution 716, which endorses the ideals of National 
Cybersecurity Awareness Month, and for your continued efforts 
to raise awareness of this critical issue.
    Control system--that is a term, a general term that 
encompasses several types of systems, including SCADA, that are 
most often found in the industrial sectors and critical 
infrastructures. The systems typically are remotely controlled 
devices used to operate physical processes in industries such 
as electricity, oil and gas, and water.
    Control systems are particularly important for the security 
of our country's electric grid because of the significant 
interdependencies inherent with the use of energy in all other 
critical-infrastructure sectors. Therefore, securing control 
systems is vital to maintaining our Nation's strategic 
interests, the public safety and economic prosperity.
    It is important to note that, because the private sector 
owns and operates 90 percent or so of the critical 
infrastructure that we need to protect, responsibility for 
securing our Nation's control systems lies heavily with the 
private sector. That said, as lead for coordinating national 
critical infrastructure protection and cybersecurity, DHS 
established a Control Systems Security Program. And the goal is 
simple: to lead a cohesive effort between Government and 
industry, focused on reducing the risks to control systems that 
operate our critical infrastructure.
    How do we do this? We have a comprehensive approach to 
reduce risk by working closely with public and private 
partners. And it looks like this: We work with the control-
systems vendor community to produce more secure systems; we 
work with the owners and operators to better secure their 
systems; and we work with the national labs and the National 
Institute of Standards and Technology to develop technical 
guidance. And we are proud of these efforts to assist our 
public--and private-sector partners to identify and mitigate 
direct risks to control systems.
    We have made significant progress toward this goal, and 
today I would like to highlight just a few of these successes.
    First, a key principle for our mission is that you can't 
enhance security if you don't know where your vulnerabilities 
are. In collaboration with several Department of Energy 
national labs, we developed the first widely available Control 
Systems Cybersecurity Self-Assessment Tool. It employs a 
systematic and repeatable approach for owners and operators to 
assess the cybersecurity posture of their control systems. 
Further, it offers recommendation based on industry standards 
that are customized to the operating characteristics of each 
control systems facility.
    The response to the tool has been tremendous. For instance, 
a key industry association for industrial manufacturing 
professionals has found the tool so valuable that they are 
making it available to their entire membership of over 30,000 
professionals worldwide.
    Second, we sponsor the SCADA Procurement Project to help 
acquisition officials ensure that control systems they are 
buying or upgrading have the best security available. 
Government and industry representatives, including the multi-
State ISAC, the Information Sharing and Analysis Center, the 
SANS Institute, and the DOE Idaho National Lab, developed this 
comprehensive guidance document. It offers standardized 
procurement language that companies can write into their 
contracts when they purchase new control systems. The guidance 
is available at no charge, and over 450 copies have been 
downloaded each month since it was posted in January of 2007.
    Third, people are at the heart of addressing the 
cybersecurity challenge, and control systems are simply no 
different. That is why we are focused on training and educating 
control systems professionals on the best methods for securing 
and maintaining their systems. Since 2005, we have trained 
nearly 7,000 IT and control system professionals through both 
classroom and Web-based instruction modules. We have also 
developed curriculum for master's degree programs to aid 
faculty in teaching our future business leaders the importance 
of control systems security. To date, it has been distributed 
to more than 100 faculty members at universities and related 
institutions.
    Fourth, an important aspect of our work in control systems 
security is in the area of standards. We have worked closely 
with NIST and other partners to improve technical guidance in 
their special publication series. In addition, we are about to 
release a catalog of control systems security standards that 
will serve as a foundational document, available for any 
industry to develop and implement cybersecurity standards 
specific to their operational requirements. The catalog is a 
compilation of practices inventoried from across the industry 
standards bodies and will provide a mechanism to identify gaps 
in existing standards and improve overall security.
    And fifth, applying the risk management and partnership 
framework outlined in the NIPP, the National Infrastructure 
Protection Plan, we lead recent activity to identify, validate 
and mitigate a control systems vulnerability affecting several 
critical-infrastructure sectors. Federal agency partners worked 
with industry, technical experts, to assess the vulnerability 
and to jointly develop sector-specific mitigation plans. This 
enabled owners and operators to take specific actions to reduce 
the risk associated with the vulnerability. And this is a great 
example of collaboration. This is exactly what was envisioned 
in the NIPP process.
    And we have also developed processes for sharing sensitive 
information with Government and industry stakeholders. Our US-
CERT, the Computer Emergency Readiness Team, is charged with 
recording response to cyber attacks and is responsible for 
analyzing and disseminating cyber threat warning information. 
Control systems security program personnel are currently 
collocated and work closely with US-CERT. This close 
relationship benefits the CERT, in terms of having the 
expertise necessary for control systems. And they make 
themselves immediately available for assisting with responses 
to incidents and the management of vulnerabilities related to 
control systems.
    I will wrap up.
    All of these efforts are informing our work to develop a 
comprehensive control systems strategy with our Federal and our 
private-sector partners. The strategy lays out a national 
vision, roles and responsibilities, and identifies feature 
requirements for national control systems security. Our goal is 
to release a final version of this national strategy in the 
first quarter of fiscal year 2009.
    In conclusion, Mr. Chairman, securing control systems 
within our critical infrastructure, specifically within the 
electric grid, is a priority for DHS. The work we have 
accomplished thus far exemplifies a successful collaboration 
model for strengthening the security posture of our Nation's 
control systems. It has also deepened our understanding of the 
challenges that lay before us as we work to enhance the 
security and resiliency of our Nation's critical 
infrastructure. DHS is committed to continuing to work with our 
partners to strengthen our national control systems 
preparedness and our protection posture.
    Thank you for your time today, Mr. Chairman. And I am happy 
to answer any questions from the subcommittee.
    [The statement of Mr. Garcia follows:]

                  Prepared Statement of Gregory Garcia

    Chairman Langevin, Ranking Member McCaul, and Members of the 
Subcommittee, I appreciate the opportunity to speak about the role the 
Department of Homeland Security (DHS) plays in securing control 
systems, including the tools and resources we have made available to 
owners and operators of control systems, our efforts to collaborate and 
share information with both the public and private sectors, and 
analysis of control system vulnerabilities to strengthen the Nation's 
control system security posture. These efforts support one of the 
Department's primary missions of advancing preparedness. As October is 
National Cyber Security Awareness Month, I think it is particularly 
appropriate to highlight the importance of control systems security and 
to discuss our efforts to date to raise awareness of the challenges and 
solutions to securing these important systems. I would also like to 
recognize Chairman Langevin's and Ranking Member McCaul's leadership in 
promoting National Cyber Security Awareness Month's goals, objectives, 
and activities among their colleagues and constituents through their 
Dear Colleague letter and co-sponsorship of the Congressional 
Resolution. Raising awareness about protecting our critical 
infrastructures among home users, academic institutions, and 
businesses, including our control systems owners and operators, is 
fundamental to improving our preparedness posture.
    As the Assistant Secretary for Cybersecurity and Communications 
within DHS' National Protection and Programs Directorate (NPPD), I 
oversee our mission to prepare for and respond to incidents that could 
degrade or overwhelm the operation of our Nation's information 
technology (IT) and communications infrastructure. This responsibility 
includes the goal of ensuring the security, integrity, reliability, and 
availability of our IT and communications networks. Reducing risk to 
that portion of the 17 sectors designated as critical infrastructures 
is among Secretary Chertoff's highest priorities, and I am pleased to 
share with you the Department's ongoing efforts to address this 
priority.
    ``Control system'' is a general term that encompasses several types 
of systems, including supervisory control and data acquisition (SCADA) 
systems, distributed control systems (DCS), and Programmable Logic 
Controllers (PLC) often found in the industrial sectors and critical 
infrastructures. Control systems typically are remotely controlled 
devices used to operate physical processes in industries such as 
electricity, water, oil and gas, chemical, transportation, 
pharmaceutical, pulp and paper, food and beverage, and discrete 
manufacturing (e.g., automotive, aerospace, and durable goods). These 
control systems are critical to the safe and secure operation of our 
highly interconnected and mutually dependent critical infrastructures. 
A successful cyber attack on a control system could potentially result 
in physical damage, loss of service, and/or economic impact.
    Ensuring the security of these systems is essential, and that 
responsibility lies heavily with the private sector, which owns and 
operates over 85 percent of the Nation's critical infrastructures. DHS 
works closely with private sector owners and operators to provide 
expertise, analytical products, and education and training materials 
that help control systems stakeholders identify and reduce direct risks 
for control systems. DHS communicates and collaborates with many 
diverse organizations, including government agencies, industry 
associations, national laboratories, equipment vendors, and asset 
owners and operators to identify improvements and drive their adoption 
across the infrastructure community. Through its involvement in the 
community and public-private partnerships, DHS is able to successfully 
engage with private sector owners and operators on significant control 
systems cyber security challenges and enable their voluntary 
cooperation and participation in implementing improvements to enhance 
the overall preparedness and resilience of the Nation's critical 
infrastructure.
    DHS has three main objectives for reducing cyber risk and securing 
control systems: provide guidance, develop and enhance partnerships, 
and prepare for and respond to incidents. DHS also leverages the 
expertise and activities of operational programs and strategic 
initiatives from across the Department and the U.S. Government and 
integrates these activities to reduce risk, respond to incidents, and 
foster a culture of preparedness within the control systems community.
    DHS utilization of several information sharing mechanisms allows 
the Department to manage effectively the collection and dissemination 
of sensitive vulnerability information, which ultimately enables us to 
raise awareness of vulnerabilities and risk management efforts among 
the control systems community, influence security practices to reduce 
risk, and raise the security bar across all the critical infrastructure 
sectors.
    First, DHS provides guidance to the control systems community 
through several mechanisms and activities, including risk reduction 
products, such as security implementation guidelines and recommended 
practices; outreach and awareness through education and training; and 
technology assessments to identify vulnerabilities.
    One of our recent accomplishments with regard to risk reduction 
products is the development and implementation of the Control Systems 
Cyber Security Self Assessment Tool (CS2SAT), which employs a 
systematic and repeatable approach that allows owners and operators to 
assess the cyber security posture of their control systems. Through the 
CS2SAT, users input facility-specific control system information. The 
tool then provides users with a picture of their control systems 
architecture and an assessment of their cyber security posture. It also 
makes recommendations for improvements. The recommendations are derived 
from industry cyber security standards and are linked to a set of 
specific actions that can be applied to mitigate the identified 
security vulnerabilities. The Instrumentation, Systems and Automation 
Society (ISA), one of the largest global organizations for control 
systems, announced on October 4, 2007 that it will make the CS2SAT 
available to their membership, which consists of over 30,000 automation 
professionals.
    Another risk-reduction tool DHS sponsors for the control systems 
community is the Multi-State Information Sharing and Analysis Center 
(MS-ISAC) SCADA Procurement Project. We have worked closely with the 
MS-ISAC, the SANS Institute, the Department of Energy (DOE) Idaho 
National Laboratory, and representatives from government and industry 
to develop common procurement language that owners and regulators can 
incorporate into contracting mechanisms to ensure the control systems 
they are buying or maintaining have the best available security. The 
long term goal is to raise the level of control systems security 
through the application of robust procurement requirements. The 
Procurement Project has received very positive feedback from users, and 
the document has averaged more than 450 downloads per month from the 
MS-ISAC website where it was posted in January 2007.
    DHS also provides education and training for our industry and 
government partners. Through our control systems security training 
courses, we have provided training to nearly 7,000 IT and control 
systems professionals on a range of topics, such as identifying control 
systems vulnerabilities, conducting risk assessments, and applying 
standards-based mitigation measures to improve security. We offer both 
classroom and web-based instruction modules and will be launching a new 
operations security course later this month. The web-based training has 
been especially popular with our partners with geographically dispersed 
systems and personnel.
    In addition, in coordination with academia we developed a graduate 
school curriculum for Masters of Business Administration and Masters of 
Public Policy programs to aid faculty in developing courses on the 
security of critical infrastructures with an emphasis on control 
systems security. The curriculum provides materials on public policy, 
technical issues, and managerial principles associated with critical 
infrastructure resiliency. To date, the curriculum has been distributed 
to more than 100 faculty members at universities and related 
institutions.
    DHS is working with the National Institute of Standards and 
Technology (NIST) to strengthen Federal standards and guidance 
regarding control systems security. Over the past year, NIST has been 
developing cyber security guidance and a compliance framework 
specifically tailored to control systems. The guidance component, 
Special Publication (SP) 800-82 (2nd draft), ``Guide to Industrial 
Control Systems (ICS) Security,'' provides an overview of control 
systems, identifies typical threats and vulnerabilities to these 
systems, and provides recommended security countermeasures to mitigate 
the associated risks. The compliance component, Special Publication 
(SP) 800-53, ``Recommended Security Controls for Federal Information 
Systems,'' defines the minimum security controls for Federal systems 
and was originally published in 2005 by NIST in accordance with the 
requirements outlined in the Federal Information Security Management 
Act (FISMA). We have worked closely with NIST to develop SP 800-82, and 
to ensure that control systems security was incorporated into the 
updated revised SP 800-53. These NIST standards together will provide 
important baseline security guidance for adoption by Federal owners and 
operators of control systems.
    We are also working with NIST and several of the DOE National 
Laboratories to develop a catalog of control system security standards. 
This comprehensive catalog represents a compilation of practices 
inventoried from across the industry standards bodies and provides 
recommendations for enhancements to standards to increase the security 
of control systems from both cyber and physical attacks. While many of 
today's standards appropriately address security factors, detailed 
guidance is needed to ensure adequate protection from cyber attacks on 
control systems. This catalog is specifically designed to provide a 
framework for developing or enhancing technical aspects of security 
standards. When completed, the catalog will serve as a foundational 
document available for any industry using control systems to develop 
and implement cyber security standards specific to their individual 
operating requirements.
    Second, we are developing and enhancing dynamic, cooperative 
relationships with government, industry, academia, and our 
international counterparts to promote control systems security and 
leverage existing initiatives being conducted by government and 
industry. For example, DHS partners with other agencies to support 
research and development of secure technologies for control systems. 
Public-private partnerships are essential in our efforts to improve the 
security of control systems because, as noted previously, the private 
sector owns and operates most critical infrastructure.
    The National Infrastructure Protection Plan (NIPP) framework and 
supporting Sector-Specific Plans (SSPs) provide a coordinated approach 
to critical infrastructure protection roles and responsibilities for 
Federal, State, local, tribal, international, and industry security 
partners. Utilizing the NIPP framework, DHS directed recent activity to 
validate and mitigate a control systems vulnerability affecting a 
number of critical infrastructure sectors. Numerous Federal agency 
partners worked closely with industry technical experts to assess the 
vulnerability and to develop sector-specific mitigation plans. We are 
pleased with the results of this partnership: it produced jointly 
developed mitigation guidance and allowed owners and operators within 
the affected sectors to take deliberate and decisive actions to reduce 
significantly the risk associated with this vulnerability.
    Recognizing the importance of engagement with industry, DHS 
sponsors a number of groups to foster close collaboration and 
information sharing among the control systems community. The Process 
Control Systems Forum (PCSF) was established to accelerate the design, 
development, and deployment of more secure control systems. The PCSF 
includes a variety of stakeholders including both national and 
international representatives from government, academia, owners and 
operators, systems integrators, and vendors.
    The Control Systems Cyber Security Vendors' Forum, a subgroup under 
the PCSF, facilitates communication in a trusted environment between 
industrial automation and equipment suppliers and control system 
service providers. The Vendors' Forum consists of 50 members from 27 
domestic and international companies comprising 90 percent of the 
market share providing service to all 17 critical infrastructure 
sectors.
    An example of this collaboration occurred earlier this year when 
members of the Vendors' Forum worked together to address the potential 
effects on control systems caused by the date change in the Daylight 
Saving Time (DST) standard. The change in DST impacted control systems 
in over 19 countries. The control systems community recognized the 
importance of this issue and worked with the DHS National Cyber 
Security Division's United States Computer Emergency Readiness Team 
(US-CERT) to develop a Technical Information Paper, ``Daylight Saving 
Time Changes for 2007.'' The paper provided guidance to industry on 
mitigation measures and has been downloaded from the US-CERT website 
more than 500 times between April and July 2007.
    Third, to prepare for and respond to incidents, DHS is improving 
situational awareness, analyzing vulnerabilities, and sharing 
information. Owners and operators can report general cyber incidents 
and vulnerabilities, including those related to control systems, to the 
US-CERT. Control systems technical experts are integrated into the US-
CERT operations center to provide timely situational awareness 
information and assist with incident management.
    DHS has developed processes for sharing sensitive information 
related to control systems vulnerabilities with Federal, State, and 
local governments, and control systems owners, operators, and vendors 
to improve control systems security within and across all critical 
infrastructure sectors. This process addresses the information flow 
from vulnerability discovery, to validation, public and private 
coordination, and outreach and awareness, as well as identifies the 
deliverables and outcomes expected at each step in the process. 
Information sharing between the government and the private sector is 
essential to this process, and it allows both sectors to identify gaps 
in preparedness capabilities among public and private sectors, as well 
as identify policy issues that affect response and recovery.
    The process incorporates existing entities across the public and 
private sectors, including the Government and Industry Sector 
Coordinating Councils, the US-CERT, the Homeland Security Information 
Network (HSIN), and Information Sharing and Analysis Centers (ISAC). It 
also builds on established Departmental practices and procedures for 
the identification, validation, coordination, and communication of 
vulnerabilities across the critical infrastructure sectors.
    As part of this process, DHS relies on three primary mechanisms to 
communicate vulnerability information about control systems to the 
various stakeholders. The US-CERT National Cyber Alert System is 
utilized as a mechanism to share information about vulnerabilities to a 
broader audience. Vulnerability information is conveyed via several 
products, including Vulnerability Notes that are released on a regular 
basis to stakeholders in the control systems community. More detailed 
analyses of cyber vulnerabilities that may impact control systems are 
published via the Quarterly Report on Cyber Vulnerabilities of 
Potential Risk to Control Systems, whose recipients include governments 
and members of the control systems community. Both of these reports are 
posted on the US-CERT Control Systems Portal and are available to all 
portal members with access to the control systems section of the 
website, which encompasses representatives from the Federal, State, and 
local governments, Sector Specific Agencies, and control systems 
owners, operators, and vendors.
    In addition, DHS works with vendors, owners, and operators to 
perform vulnerability assessments of selected systems to identify cyber 
vulnerabilities based on emerging exploits and partners with industry 
to develop mitigation strategies. DHS also works with control systems 
vendors, owners, and operators to share sensitive information through 
the Protected Critical Infrastructure Information (PCII) program so 
that private sector vulnerability data may be appropriately 
safeguarded.
    Finally, in Fiscal Year (FY) 2007, we began working with our 
Federal partners to identify baseline individual agency activities to 
serve as the foundation for developing a comprehensive control systems 
strategy that will encompass the public and private sectors, set a 
national vision to secure control systems, describe roles and 
responsibilities, and identify future requirements for 5para.resources 
and actions. The Department has developed a timeline to complete this 
action, building on work that has already been completed. In the first 
quarter of FY 2008, a draft of the Federal sector portion of the 
strategy will be released for review by government stakeholders. 
Working with sector representatives from the Partnership for Critical 
Infrastructure Security under the NIPP framework, we will then begin to 
develop a private sector component to integrate into the strategy. We 
intend to have a final comprehensive strategy ready for release in the 
first quarter of FY 2009.
Conclusion
    Securing control systems is an important priority for DHS because 
they are unique elements of our critical infrastructure. They are 
deployed ubiquitously and perform such vital functions that their 
disruption could severely impact citizens' daily lives. DHS has 
developed a program that includes the development and dissemination of 
tools, products, and guidance to the controls systems community, 
established mechanisms to work with our partners in both the government 
and industry, and developed capabilities to prepare for and respond to 
incidents.
    Ongoing education and training for the control systems community is 
imperative, as well as regular assessments of systems. We must continue 
to raise awareness of the threats to and vulnerabilities of control 
systems through our information sharing mechanisms and continue to 
incorporate security measures in control systems standards. The 
development, execution, and maintenance of a national control systems 
security strategy is essential to managing our current and future 
efforts. The work we have accomplished so far has deepened our 
understanding of the challenges that lay before us, and we continue to 
work to strengthen our national control systems preparedness and 
protection posture.
    Thank you for your time today, and I am happy to answer any 
questions from the Subcommittee.

    Mr. Langevin. Thank you, Mr. Secretary.
    I will now recognize Mr. Wilshusen to summarize his 
statement for 5 minutes.

 GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, 
                GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Langevin, Ranking Member McCaul and 
members of the subcommittee, thank you for the opportunity to 
testify at today's hearing on the cyber threats to control 
systems.
    Control systems are computer-based systems that are used in 
many industries to monitor and control sensitive processes and 
physical functions. These systems provide vital functions in 
many of our Nation's critical infrastructures, including 
electric power generation, transmission and distribution.
    Today I will discuss the cyber threats, vulnerabilities and 
impact of attacks on control systems, as well as private-sector 
and Federal initiatives to strengthen the security of these 
systems.
    Mr. Chairman, critical infrastructure control systems face 
increasing risk to cyber threats, vulnerabilities and the 
potentially severe impact of an attack. Cyber threats can be 
intentional or unintentional, targeted or nontargeted, and can 
come from a variety of sources. Intentional threats include 
both targeted and nontargeted attacks, while unintentional 
threats can be caused by software upgrades or system 
maintenance procedures that inadvertently disrupt systems.
    Sources of these threats include foreign nation-states 
engaged in information warfare, domestic criminals, hackers, 
virus writers, and disgruntled insiders working inside or 
within an organization. Federal and industry experts believe 
that critical infrastructure control systems are more 
vulnerable today than in the past, due to the increased 
standardization of technologies, the increased connectivity of 
control systems to other computer networks and the Internet, 
insecure connections, and the widespread availability of 
technical information about control systems.
    The impact of a serious attack could be devastating, as the 
following examples demonstrate. In an intentional targeted 
attack, an individual who is rejected for a job opening 
reportedly used a radio transmitter to remotely break in to the 
controls of an Australian sewage-treatment system. He altered 
electronic data for sewage pumping stations, which subsequently 
resulted in them to malfunction, ultimately releasing about 
264,000 gallons of raw sewage into nearby rivers and parks.
    A foreign hacker penetrated security at a Harrisburg, 
Pennsylvania, water-filtering plant and installed malicious 
software that was capable of infecting the plant's water-
treatment operations. The infection occurred through the 
Internet and did not seem to be an attack that specifically 
targeted the control system.
    And in an unintentional incident, two circulation pumps at 
Unit 3 of the Browns Ferry, Alabama, nuclear power plant 
failed, forcing the plant to be shut down manually. The failure 
of the pumps was traced to excessive traffic on the control 
system network, possibly caused by the failure of another 
control system device.
    The private sector and Federal agencies have multiple 
initiatives under way to help secure control systems. Industry-
specific organizations in various sectors, including the 
electricity, oil and gas, and water sectors, have ongoing 
initiatives to develop standards, publish guidance and host 
workshops.
    Federal agencies, including DHS, DOE and others, have also 
initiated efforts to improve the security of critical 
infrastructure control systems. These include coordinating with 
the US-CERT to provide timely information about vulnerabilities 
and incidents, developing a Control System Cybersecurity Self-
Assessment Tool for control system owners and operators, 
establishing the National SCADA Test Bed Program and publishing 
security guidance.
    However, DHS has not yet established a strategy to 
coordinate the various control systems activities across 
Federal agencies and the private sector. In addition, more can 
be done to address specific weaknesses in DHS's ability to 
share information on control system vulnerabilities.
    In a report being released today, we recommend that the 
Secretary of Homeland Security develop an overarching strategy 
to guide efforts for security control systems and establish a 
rapid and secure process for sharing sensitive vulnerability 
information with control system stakeholders.
    Until DHS implements these actions, increased risk exists 
that the Federal Government and private sector will with invest 
in duplicative efforts, miss opportunities to learn from the 
activities of others, and not be timely informed about key 
vulnerabilities that expose control systems to an increased 
risk of disruption.
    Mr. Chairman, this concludes my statement, and I would be 
happy to answer any questions that you or members of the 
subcommittee may have.
    [The statement of Mr. Wilshusen follows:] \1\
---------------------------------------------------------------------------
    \1\ See committee file.
---------------------------------------------------------------------------
    Mr. Langevin. Thank you, Mr. Wilshusen.
    I want to now recognize Mr. Roxey to summarize your 
statement for 5 minutes.

   STATEMENT OF TIMOTHY E. ROXEY, TECHNICAL ASSISTANT TO THE 
          PRESIDENT OF CONSTELLATION GENERATION GROUP

    Mr. Roxey. Chairman Langevin, Ranking Member McCaul and 
members of the subcommittee, thank you very much for allowing 
me the opportunity to come and talk to you today.
    As previously indicated, I am the team lead for the Aurora 
mitigation efforts in the private sector, and that is part of 
my hat for deputy to the Partnership for Critical 
Infrastructure Security.
    I am here today to discuss the successful private-public 
partnership model of the national infrastructure plan and how 
this partnership brought about successful mitigation without 
any need for significant regulatory action by any Federal 
agency. My discussion will fall into three areas: actions taken 
within the private-public partnership model, preliminary 
lessons learned and some concluding remarks.
    The actions taken started when the private sector was 
approached in late February by Department of Homeland Security. 
The information being conveyed to us at that time was stressed 
as being very sensitive, and we were also told the Department 
of Homeland Security was keeping this information at the FOUA 
level, rather than classified, because, in recognition of the 
fact that 85 to 90 percent of the Nation's critical 
infrastructure is owned, operated and secured by the private 
sector, the classification of such information would make it 
very difficult, if not impossible, to rapidly move forward to 
mitigation.
    Mitigation actions were developed by my team and the 
electric sector team, with the partnership of Homeland Security 
and the Idaho National Labs subject-matter experts. And they 
fell into basically two categories: the short-term, mid-term, 
long-term mitigation strategies, which are things that you can 
do to step through and reduce and mitigate exposure; and then a 
set of immediate actions that, had this risk been brought out 
into the public a lot earlier, we may have had a threat, 
therefore we may have had to step briskly into some immediate 
actions. It is gratifying to state right now that that has not 
been the case.
    Support from DHS, DOE and the national labs was essential 
in the development of these strategies. In addition, DHS has 
maintained a very strong presence within the nuclear sector 
throughout the mitigation strategy's implementation phase. This 
effort is, in our opinion, a very strong example of effective 
public-private partnership.
    When the mitigation documents were completed, roughly June, 
June 13th I believe, of this year--so between March and June 
13th, we developed these documents. They were approved by the 
Nuclear Sector Coordinating Council, the Electric Sector 
Coordinating Council, and transmitted through those councils to 
the sectors on June 20th and 21st.
    The NRC also put out a letter on June 20th, and coordinated 
with the nuclear sector document, requesting that at 60 days 
and 180 days we report back to the NRC the progress that we had 
made in implementing those developed strategies. Each of the 
sector mitigation strategies, like I said, identified a 60--and 
180-day requirement in the nuclear sector. And the NRC's letter 
was their regulatory footprint on this issue to try and drive 
an understanding of the concern to get mitigation accomplished.
    Some have asked why the nuclear sector took this initiative 
on as a commitment. The nuclear power sector, one of the 18 
critical infrastructures within the Partnership for Critical 
Infrastructure Security, is probably the most bounded sector in 
the United States. There are 65 physical sites, 104 power 
plants and a well-organized Nuclear Energy Institute, our 
industry association. We have a strong regulator in our area, 
the Nuclear Regulatory Commission. So it is a very tight box, 
and we can driving solutions on this very quickly. And it was 
felt that we could make these actions a commitment on ourselves 
and execute them within a time frame.
    On June 20th, these actions started off. September 20th, 
these actions were 100 percent successfully mitigated in the 
nuclear sector and all electric-sector assets that are adjacent 
to nuclear-sector assets. That is a very substantial 
accomplishment.
    A few lessons learned, if I could.
    Effective, voluntary public-private partnership is the key 
to timely mitigation of security vulnerabilities. Proactive 
industry actions, endorsed by a Federal agency with oversight 
responsibilities, led to reducing the risk to our Nation's 
nuclear infrastructure in a timely manner.
    Trust the technical experts and involve them in all 
communications. Bring them along to meetings and briefings.
    Bring a vetted industry group into the conversation as soon 
as possible to validate and partner with researchers. Sector 
leads from PCIS may be an appropriate group, along with their 
technical experts. PCIS is an appropriate vehicle to ensure 
that there is a broad review across many sectors.
    Consistent common messaging provides consistent common 
mitigation, a common message that all affected sectors 
received. In this case, there are some mixed messages, but we 
worked very hard to fix that.
    Single point of contact facilitates effective coordination. 
We did have a single point of contact within the Department of 
Homeland Security, and that was a very effective tool for us to 
use as we stepped through.
    Concluding remarks: I would like to just jump right to the-
additionally, the public-private partnership model should be 
nurtured and continued. Early engagement of private-sector 
leadership through interaction between DHS, PCIS and the 
vulnerability researchers is an excellent way to fully vet the 
emerging vulnerability with both DHS and the SMEs from other 
Federal agencies and the private sector.
    These efforts should start with effective awareness 
campaigns to educate all sectors about the risks that they 
currently face, followed with clear guidance on appropriate 
mitigation measures for the newly discovered risk. This 
guidance should contemplate all aspects of the technology life 
cycle, including improved development standards, implementation 
guidelines, operating procedures and incident response.
    Good progress has been made by progressive asset owners, 
industry-initiated infrastructure protection leadership, and by 
vendors willing to anticipate larger market-driven requirements 
for more security. Security, including cybersecurity, is best 
enhanced by continuing to build trust relationships and 
voluntary coordination and cooperation using the sector 
partnership framework. The nimbleness that effective security 
requires in the modern world makes these trust relationships 
our best defense.
    Finally, the nuclear sector, in close coordination with our 
Government coordinating council partners, did mitigate and 
close off this vulnerability before the threat became known and 
without new regulations.
    Thank you very much. I would be happy to answer any 
questions.
    [The statement of Mr. Roxey follows:]

                 Prepared Statement of Timothy E. Roxey

    Mr. Chairman and Members of the Subcommittee:
    I am Tim Roxey, Technical Assistant to the President of 
Constellation Generation Group for security and Deputy to the Chairs 
for both the Nuclear Sector Coordinating Council (NSCC) and the 
Partnership for Critical Infrastructure Security (PCIS). I am also the 
team lead for the Aurora mitigation efforts for the Private Sector.
    In this last role I collaborate with subject matter experts (SME) 
(Research Engineers from Idaho National Labs (INL) and their 
contractors. . .who discovered the present vulnerability, Industry SME 
from all of the impacted Critical Infrastructure Sectors, Department of 
Homeland Security (DHS) and Department of Energy (DOE) SME and 
officials) in order to develop mitigation strategies to thwart the 
exploitation of the cyber vulnerability which threatens our critical 
infrastructure. Before becoming a Technical Assistant and Deputy to the 
Chairs of NSCC and PCIS I was a director of IT at one of our Nation's 
Nuclear Power Plants. In this role I was responsible for all 
telecommunications, IT applications and Cyber Security for the entire 
nuclear fleet. In addition, I was the nuclear sector's Chairman of a 
standing committee dedicated to Cyber Security. I was a founding member 
of the Nuclear Energy Institute's (NEI) cyber security task force; 
formed shortly after 9/11, the task force's purpose was to write an 
assessment and mitigation guidance document for nuclear power plants. 
This document, NEI 04-04: Cyber Security Program for Power Reactors was 
endorsed by the NRC and found an acceptable method to address cyber 
security. Since the endorsement of NEI 04-04 the NRC has proposed 
regulations for cyber security that are consistent with NEI 04-04.
    I have also had former senior level governmental interactions when 
I worked with Vice President Al Gores' National Performance Review as a 
private sector Industry Sector Liaison. In this capacity I was charged 
with bringing Industry's requirements for regulatory interactions into 
a discussion with various federal sector agencies.
    I am here today however, to discuss the successful use of the 
Public-Private Partnership model discussed in the National 
Infrastructure Protection Plan (NIPP). This partnership brought about 
the mitigation of the recently identified control system vulnerability 
(CSV) without the need for significant regulatory action by any federal 
agency. My discussion will fall into two areas as they relate to the 
present vulnerability. These areas are:
        (1) Actions taken within the Public-Private partnership - 
        structures and processes which reduce risk of vulnerability
        (2) Preliminary lessons learned--a look back on this effort to 
        help improve the performance of the Public/Private Partnership 
        model's performance.
        (3) Concluding Remarks

Actions Taken
    The Nuclear Sector was approached by DHS about the Aurora 
vulnerability in February of 2007. At this initial briefing it was 
decided that a more through briefing would be given to a select sub-
group of the NSCC. It was also stressed that this subject is very 
sensitive and hence needed to be protected from disclosure.
    To this final point DHS worked very hard to make sure that the 
Aurora issue remained at a FOUO level rather than being classified at a 
higher level. This decision was based on the fact that it is the 
private sector that owns, operates, and secures roughly 85% of all of 
our nation's critical infrastructure and key resources. By having the 
knowledge of this vulnerability classified it would have been difficult 
if not impossible for the private sector to develop and implement 
mitigation strategies as rapidly as it has.
    In late February DHS officials from Infrastructure Protection 
briefed the details of the Aurora vulnerability to the NSCC. At this 
meeting the nuclear sector decided to take aggressive action to develop 
and implement mitigations that would reduce the exposure of the nuclear 
power facilities to this vulnerability.
    A multilevel structure was developed within the nuclear sector and 
individuals assigned. The structure consisted of an Executive Review 
Board that reported to the NSCC and a Technical Task Team that was 
charged with development of guidance document for industry to use to 
perform mitigation activities.
    The nuclear sectors' Aurora Technical Team worked in close 
coordination with the Electric Sectors' technical team in the 
development of mitigation documents. The nuclear sectors Technical Team 
also worked in close coordination with its government partners 
including strong coordination with the NRC.
    The various mitigation actions that were developed were divided 
into two areas. One area was short-term, mid-term, and long-term 
actions and the second area was a set of actions designed to be 
implemented immediately if the specific vulnerability was actually 
being exploited. It is gratifying to say that the immediate actions 
have not been needed. The shortest term actions were targeted at 
substantially reducing the exposure to the vulnerably and the longest 
term actions were designed to make improvements in the supply chain and 
stand up programmatic actions.
    The support from DHS, DOE, and the national labs (such as Idaho 
National Labs) in the rapid development and implementation of these 
mitigation documents was essential. In addition DHS has maintained a 
strong presence with the nuclear sector throughout these mitigation 
efforts. This effort is an example of the very effective Public-Private 
partnership.
    When the mitigation documents were completed they were routed 
through the NSCC and ESCC for approval and then scheduled for release 
to industry. The release of the Nuclear Sectors mitigation document was 
coordinated with the release of the Electric Sectors (ES) Information 
Sharing and Analysis Centers (ISAC) Advisory which was released one day 
after the Nuclear Sector mitigation document.
    Based on the endorsement of the NSCC, the Nuclear Sector Technical 
Task Team added additional resources such as a Project Manager to 
manage the actual implementation phase of the mitigation work. A kick 
off meeting was held in Washington DC on June 13 with a final release 
to the industry of mitigation documents made the following week.
    Within the nuclear sector a series of weekly meetings between the 
nuclear sector Technical Team (comprised of representatives from INL, 
DHS, and Industry) and the various points of contact for all of the 
nation's nuclear power plants was convened and mitigation efforts 
began. To monitor the sectors performance the Technical Task Teams' PM 
prepared status reports for the Executive Review Board and DHS. These 
reports were updated every week based on the weekly meeting report out 
by all of the nuclear utility participants.
    Each of the sector mitigation documents urged that actions be taken 
within 60 days and then again different actions within 180 days. The 
NRC in a letter, coordinated for release along with the sectors' 
mitigation document, requested that the nuclear sector licensees 
provide an update to the NRC on progress made at the completion of the 
60 days and 180 day efforts.
    Why did Nuclear take this initiative on as a requirement? The 
nuclear power sector took this opportunity to demonstrate its 
commitment to security. The sector recognized the validity of the 
vulnerability, and because the sector is well structured to handle 
these types of emergent issues, with only 65 physical sites and 104 
power plants and a well organized industry association (the Nuclear 
Energy Institute), it was feasible to develop a uniform mitigation plan 
that sector members could implement within the desired time frame.

Lessons Learned
        1. An effective, voluntary public-private partnership is the 
        key to timely mitigation of security vulnerabilities. Proactive 
        industry actions, endorsed by a federal agency with oversight 
        responsibilities, are effective in reducing the risk to our 
        nation's nuclear infrastructure in a timely manner without the 
        delays or exposure of sensitive information that the due 
        process requirements of regulatory action could necessitate.
        2. Trust the technical experts and involve them in all 
        communications. Bring them along to meetings and briefings for 
        support. Several times it seemed that the message changed as it 
        moved from the technical experts to the policy experts. When 
        non-technical people brief on technical aspects to technical 
        people there is a high risk of losing credibility and it 
        becomes difficult to recover.
        3. Bring in a vetted industry group ASAP to validate and 
        partner with researchers. This group will validate the 
        conclusions of the researchers and facilitate expedient 
        response by private sector owners and operators, because their 
        involvement lends credibility to the message. Sector leads from 
        PCIS may be an appropriate group, as long as they bring their 
        technical experts to the table as well. In this regard, PCIS is 
        an appropriate vehicle to ensure that there is a broad review 
        across many sectors.
        4. A multi-sector implementation plan is needed to provide 
        cross-sector coordination. An implementation plan should be 
        developed that addresses the sequence of sector engagement 
        based upon a full discussion between the public sector and 
        private sector. Although in the present effort this was 
        performed successfully this step needs to be institutionalized 
        so that future discoveries can benefit from this step. This 
        plan should address the sector and assets to address first then 
        second then third, etc.
        5. Consistent common messaging provides consistent common 
        mitigation. There should be a common message that all effected 
        sectors receive. In this particular case there are mixed 
        messages. After 16 months of research and 5 months of multi-
        sector mitigation strategy development there are still some 
        messages saying this is not a significant issue because of the 
        difficulty of exploiting it and others saying it is.
        6. Single point of contact facilitiates effective coordination. 
        The establishment of a single point of contact within DHS was 
        of great utility to the Private Sector. This single point of 
        DHS contact provide for consistent and sustained coordination 
        with the subject matter experts of INL and the private sector 
        team of subject matter experts and the Aurora Technical Team's 
        lead. This support was instrumental in the achievement of 
        nuclear sectors 60 day mitigation and the electric sectors 
        mitigation of nearby electric sector assets.

Concluding Remarks
    The course of action that is recommended for any future discovered 
vulnerability, in light of the success of the present mitigation 
efforts, leads to the conclusion that continued decisive and 
coordinated private sector partnerships leads to a better vetting of 
vulnerabilities and a faster response via mitigation. In addition, 
these actions can take place much faster than the regulatory rule 
making process. This was shown to be the case within the nuclear 
sector.
    Additionally, the course of action that is recommended for any 
future discovered vulnerability, in light of the success of the present 
mitigation efforts, leads to the conclusion that continued decisive, 
coordinated, and committed effort by government, and private sector 
leadership within the framework of the Public Private Partnership model 
should be nurtured and continued. Early engagement of private sector 
leadership through interaction between DHS, PCIS and the vulnerability 
researchers is an excellent way to fully vet the emerging vulnerability 
with both DHS (and SME's from other federal agency's) and the private 
sector.
    These efforts should start with effective awareness campaigns to 
educate all sectors about the risks that they currently face, followed 
with clear guidance on appropriate mitigation measures for the newly 
discovered risk. This guidance should contemplate all aspects of the 
technology lifecycle, including improved development standards, 
implementation guidelines, operations procedures, and incident 
response. Good progress has been made by progressive asset owners, 
industry-initiated infrastructure protection leadership and by vendors 
willing to anticipate larger market-driven requirements for more 
security. Security, including cyber security, is best enhanced by 
continuing to build trust relationships and voluntary coordination and 
cooperation using the sector partnership framework. The nimbleness that 
effective security requires in the modern world makes these trust 
relationships our best defense.

    Mr. Langevin. I want to thank the witnesses for their 
testimony.
    And I will remind the members that each member will have 5 
minutes to question the panel.
    And I recognize myself now for the purpose of asking 
questions.
    Secretary Garcia, I would like to start with you. In your 
written statement, it says that you were pleased with the 
results of the public-private partnership on Aurora because you 
developed mitigation guidance. Now, guidance is good, but this 
committee is most concerned about mitigation implementation.
    So my question is, what percentage of the electric-sector 
owners and operators do you believe implemented the Aurora 
recommendations issued by NERC?
    Mr. Garcia. Yes, Mr. Chairman, we would rely on the 
industry sector leads to collect that information, as that is 
something that we don't collect nor compel. But we do 
understand that the mitigation strategies were sent out to 
hundreds of electric-sector owners and operators. And, as Mr. 
Roxey indicated for the nuclear sector, he reported about 100 
percent mitigation.
    So we are looking to continue the partnership with the 
private-sector leads to monitor how well that implementation is 
going. But for specific numbers, I don't have that for you 
today.
    Mr. Langevin. But Mr. Roxey, in the comments that he was 
making, was speaking specifically about the nuclear sector and 
not the electric grid. So we may have had success on the 
nuclear side and in securing SCADA systems, but not necessarily 
on the electric side.
    Now, I think that is an area where Homeland Security has to 
be much more proactive, in making sure that the mitigation 
strategies were actually implemented.
    Mr. Garcia. Absolutely, sir.
    Mr. Langevin. We clearly don't want to find out that we 
knew there was a problem, we expected mitigation to take place, 
and yet it wasn't. And we don't want to find that out only 
after something were to happen, an attack occurs or, whether it 
is intentional or unintentional, something shuts down the power 
grid.
    Mr. Garcia. Yes, sir. And we also rely heavily on our 
Federal partner on this, FERC, who you will be hearing from in 
the next panel, who is keeping up that close relationship with 
the electric sector to monitor progress in that area.
    But this is something that DHS takes very seriously. And we 
continue to push on this with all sectors, because we are 
concerned with common vulnerabilities, control systems 
vulnerabilities, across all the critical sectors. So we are 
trying to raise awareness of this not just in the electric 
sector and nuclear, but to many other critical sectors.
    Mr. Langevin. Well, Assistant Secretary Garcia and Mr. 
Wilshusen, have you reviewed our comments to the FERC 
Rulemaking? And, if so, do you agree with our assessment that 
the narrow definition of critical assets allows the electric 
industry to avoid securing many connective devices?
    Mr. Wilshusen. Yes, we have taken a preliminary look at 
your comments, as well as those of the requirements that NERC 
has established and the reliability standards. And, yes, we do 
have some concerns about the extent to which these standards 
and regulations apply to those types of assets.
    We believe that, in many cases, that they do not appear to 
consider, one, the interdependencies of critical infrastructure 
on the bulk electrical system. And they also appear to identify 
only those assets which could have an impact on the 
availability or reliability of the bulk electrical system, and 
does not necessarily identify those assets or cover those 
assets that, while they may not have an impact on the overall 
bulk electrical system, they could have a significant localized 
impact on critical infrastructures that are supported by the 
bulk electrical system.
    Mr. Langevin. Yes, that is an important point.
    Secretary Garcia?
    Mr. Garcia. Mr. Chairman, we are trying to get standards 
that all industry sectors can deploy against vulnerabilities to 
their control systems. And certainly, the NIST standards ought 
to be heavily considered in all critical infrastructure control 
systems standards development, in addition to sector-specific 
operational requirements.
    So while we don't have specific guidance on each sector for 
what standards they ought to deploy, we think that they ought 
to be able to effectively combine the NIST standards with those 
that are specific to their sector.
    And on the electric sector, I think our friends in FERC may 
have more comment on that.
    Mr. Langevin. But do you agree that our assessment that the 
narrow definition of critical assets allows electric industry 
to avoid securing many connected devices?
    Mr. Garcia. I would actually prefer, on a question of that 
specific detail, to defer to FERC on making the judgment about 
the sectors implementation.
    Mr. Langevin. Mr. Wilshusen, the committee asked GAO to 
compare the NERC standards with NIST 800-53. Can you briefly 
describe your conclusion?
    Mr. Wilshusen. Yes. We found that the NERC reliability 
standards contained less stringent security requirements and 
guidelines than the NIST guidance. The NERC standards do not 
provide levels of protection from cyber attacks commensurate 
with the mandatory minimum low-baseline level of protection 
required by NIST.
    For example, NERC standards addressed only a subset of a 
low--and moderate-baseline control set specified in 800-53. And 
this subset may not be adequate for protecting critical 
national infrastructure control systems, especially when 
considering the interdependencies of the critical 
infrastructures. And further, it may not be adequate for all 
electrical energy systems when the impact of regional and 
national power outages is considered.
    Mr. Langevin. I thank you, Mr. Wilshusen.
    The Chair now recognizes the--before I turn it over to the 
ranking member, I think this is something we are going to have 
to take a harder look at. Because why NERC would have standards 
that are below NIST when the Federal Government has to comply 
with NIST standards and the larger impact potentially would be 
in the private sector and why NERC would adopt standards which 
aren't on par to NIST is beyond me. And this is something we 
are going to pay particularly close attention to. If need be, 
legislation would be required to require that standard to be on 
par.
    With that, the Chair now recognizes the ranking member for 
5 minutes.
    Mr. McCaul. I thank the Chairman. And, as you know, we are 
in agreement on that issue.
    I recall being briefed, I think it was last January--we had 
just got sworn into the new Congress, and we got briefed on 
this significant vulnerability--and at that time, it was a 
closed-door session; it has come out on the news now--but the 
vulnerability that could potentially shut down our power grids 
in this country and bring tremendous destruction.
    We know that 25 nations have developed cyber warfare 
programs, so the capability, this type of capability in the 
wrong hands of a rogue nation or a terrorist state could be 
devastating.
    But I also believe that credit is due where it is due. And 
I think that the fact that we discovered this, through the 
Idaho National Labs, on our own, proactively, and Mr. Garcia, 
working with the Department Homeland Security, and, Mr. Roxey, 
your coordination on the mitigation strategy with the private 
sector, is to be commended.
    And that is really what, I think, in the Congress, we want 
to see, is instead of being behind the curve and catching up--
and we know the vulnerabilities are huge and the intrusions 
happen all the time. This was actually a good-news story and an 
example of where we discovered the vulnerability, not some 
foreign entity or some criminal. We found it first. We fixed 
it. And then by June, Mr. Roxey, you put your plan of action, 
mitigation strategy into action. Within 60 days, the nuclear 
sector was protected. The electricity, I think it will take 120 
days.
    But I think that is an important point to make. I mean, you 
are really to be commended for what you did. I know sharing 
information, which we require you do with the Congress, always 
makes you a little nervous, because you don't know what is 
going to happen with that information. But this was a good-news 
story. I mean, we really stopped a serious thing from being a 
serious threat to the United States. And I think it is great 
news.
    And, Mr. Wilshusen, I agree with you. I think an 
overarching strategy is what we need at the Department of 
Homeland Security.
    Mr. Garcia, I know you are working on that.
    And I think the coordination with the stakeholders through 
the private sector is critically important. And, Mr. Roxey, 
through your testimony, I think you've demonstrated that, in 
large part, that is working, through the ISACs, the Information 
Sharing Analysis Centers. That is what was actually put into 
place through the mitigation strategy, and it is working.
    My question, without going into a sermon up here, is, what 
can we do to see more of this?
    What can you do, Mr. Garcia, at the Department of Homeland 
Security to proactively find vulnerabilities that are out 
there, before our enemies do, and then fix them and then 
mitigate the potential damage that can be done?
    And that is for the entire panel.
    Mr. Garcia. Congressman, thank you for the question and for 
the compliment. I very much appreciate it.
    My response as to what you can do is, you are doing it 
right now. Having public hearings like this that are raising 
the issue and raising the awareness about the range of 
vulnerabilities that we face to our critical infrastructure 
really is the first step to get people to sit up and pay 
attention, particularly the owners and operators of the 
infrastructures that they have responsibility for protecting.
    You are correct that this was a vulnerability that we 
initially identified, hypothesized that this could actually 
happen. We understood that, as Mr. Wilshusen has pointed out, 
that the control systems vulnerability--we have known for some 
time that there are vulnerabilities in control systems. What 
made this one different is that the vulnerability was 
susceptible to cyber attack that would have a physical impact 
on a structure such as a generator.
    And since the time that we had gone through the mitigation 
strategy with the private sector, with nuclear and electric, we 
learned quite a lot about how to work this process. I mean, 
this case, this really was the first instance that we had put 
the National Infrastructure Protection Plan, the sector-
specific plans to work. This was a model for how Federal 
agencies work together, to work with their private-sector 
counterparts. So DOE, Defense Department, DHS, several other 
agencies worked very closely with their industry counterparts.
    We have a number of lessons learned out of that process 
that I can tell you we are only going to be more effective and 
more expeditious as we continue to look for and discover, 
identify vulnerabilities to various other control systems. And 
since nuclear and electric, we have worked with the private 
sectors from chemical, oil and natural gas, dams and water. And 
last month, in September, those industry sectors sent out 
mitigation strategies for their control systems.
    So we are moving apace, with all due diligence and good 
speed, to attack these vulnerabilities very quickly.
    Mr. McCaul. Thank you.
    And Just very briefly, Mr. Roxey.
    Mr. Roxey. I would like to add to what Mr. Garcia just 
said, that, by pursuing and nuturing the public-private 
partnership model, you are going to be doing exactly what you 
are after. The other sectors, the water/dam, chemical, oil and 
gas sector, that are out there right now on their 60-day 
clock--that is where the 180-day clock for electric is--they 
are going to be calling their electric sectors in to mitigate 
those assets as well.
    So I think that this was--and we appreciate the kudos. 
Thank you very much. By looking at the lessons learned from 
this and implementing those, I think we are only going to get 
better from here. Thank you.
    Mr. Wilshusen. And I would just like to add, too, that one 
of the key things that both the public and private sector will 
need to do as they increasingly use IP protocols, in terms of 
being able to connect to their control systems with other 
company networks on the Internet, to be aware of the risk of 
the increased accessibility and interconnectivity. And then to 
learn from the examples that are legion in the regular Federal 
IT space, that there are significant risks and vulnerabilities 
associated with interconnecting systems, and to take the 
appropriate steps to mitigate those risks by developing the 
policies, procedures and controls, and then testing those 
techniques and controls to make sure that they are effectively 
implemented and operating as designed.
    And then, once you have that, as we have discussed and the 
other members have mentioned, is to make sure to keep the lines 
of communication open and share this information of 
vulnerabilities and of new threats among all the parties within 
this space.
    Mr. McCaul. Just in closing, Mr. Chairman, I think this is 
a great exercise and experience that we can really draw upon to 
have lessons learned but also use as a model for future cases.
    And I want to commend the gentlemen again. Thank you.
    Mr. Langevin. I thank the gentleman.
    And briefly, to comment on the ranking member's opening 
comments, in many ways there are elements of this being a good-
news story. First of all, I commend the gentleman from Idaho 
National Labs who first detected the problem and then brought 
it to the attention of the Congress and also Department of 
Homeland Security. And then the Department of Homeland Security 
did put in place the Tiger Teams to try to address this.
    Where we want to make sure this continues to be a good-news 
story is that we actually, in coming up with the mitigation 
strategies, that we see these strategies actually implemented. 
We need to have a high degree of confidence that when something 
of this seriousness and magnitude is identified, mitigation 
procedures are prescribed, that there is follow-through and not 
left to just hoping that it is not going to happen them or a 
particular sector; that they actually take it seriously, and 
that the electric or gas or oil sectors actually follow through 
and implement the strategies.
    With that, the Chair now recognizes other members for 
questions they may wish to ask of the witnesses. In accordance 
with our committee rules and practice, I will now recognize 
members who were present at the start of the hearing, based on 
the seniority on the subcommittee, alternating between minority 
and majority. Those members coming later will be recognized in 
order of their arrival.
    With that, the Chair now recognizes the gentleman from New 
Jersey for 5 minutes.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Mr. Garcia, a cybersecurity attack on our energy grid is 
certainly one of the emerging threats and security 
vulnerabilities that need to be thoroughly studied, addressed 
through the proper security regulations to hear what the 
private sector has to say about it, to hear what regulations or 
recommendations will come out of the Federal Government, and so 
we can have a meeting of the minds. We are not trying to 
impose, but we want to protect.
    So I have had many concerns about the management over at 
the Department of Homeland Security. Specifically, this 
committee has discovered that, as was mentioned earlier, many 
of the most important areas within the Department are unfilled 
at the senior-management level, leaving critical security areas 
with what we would consider to be less-than-adequate 
leadership.
    My question is, how many program managers have been in 
charge of the Control Systems Security Program in the last 3 
years?
    Mr. Garcia. Congressman, I am not certain of the number. 
Our last control systems manager had been with us for more than 
a year.
    But we at CSMC and my component, National Cybersecurity 
Division, take very seriously our need to retain our talent and 
to recruit additional talents. I am happy to report that we are 
aggressively filling the control systems director position. The 
job has been posted, and we will move aggressively to fill 
that, as with the other vacancies in the organization.
    Mr. Pascrell. Would you get back to me on that?
    Mr. Garcia. I would be happy to. Thank you.
    Mr. Pascrell. How much is being spent on the control 
systems security at DHS?
    Mr. Garcia. Our fiscal year 2008 budget is currently $12 
million. And it is important to note that we are leveraging the 
resources not just within the control systems program but 
across NCSD that provides input and expertise with other 
aspects of the control systems issue. And additionally, we are 
leveraging our partnership with----
    Mr. Pascrell. What was the 2007 budget, fiscal year budget?
    Mr. Garcia. I will have to get back to you on that number. 
It does represent an increase.
    Mr. Pascrell. Who was in charge of this program, and at 
what grade is this person?
    Mr. Garcia. This is a GS-15, and this is the individual we 
expect to have the post filled, backfilled very quickly.
    Mr. Pascrell. There is no person there?
    Mr. Garcia. That person left for personal reasons; that is 
correct.
    Mr. Pascrell. Mr. Chairman--
    Mr. Garcia. It is now being handled by our acting director 
of the National Cybersecurity Division.
    Mr. Pascrell. My last question is this. DHS issued 
regulations in 2007 on chemical security. This committee, on a 
bipartisan basis, was very clear on what it wanted. It also 
added a cybersecurity component to existing regulations. Was 
your office consulted on this?
    Mr. Garcia. Oh, absolutely. We were part of that 
development, and we currently are working with all the private 
sectors to consider specific mitigation strategies for all of 
their control systems, rather than try to apply a regulatory 
overlay on all of the other----
    Mr. Pascrell. So, at least in this area, one hand knows 
what the other is doing?
    Mr. Garcia. That is correct.
    Mr. Pascrell. That is healthy. That is very healthy.
    Mr. Wilshusen, in your statement, you asserted that the 
annual cost to the energy sector for maintaining control 
systems, to maintain the networks, to maintaining equipment and 
personnel, was around $400 million. You said that in your 
statement.
    Can you speculate how much more would it cost if the 
proposed recommendations in the National Science and Tech 
Standards--that is 800-53--if they were adopted instead of the 
NERC-proposed standards, do you have any idea what the 
difference in cost would be? And is that relevant?
    Mr. Wilshusen. No, sir, I don't have that information on 
how much that would cost.
    Mr. Pascrell. Is it relevant?
    Mr. Wilshusen. Certainly. Relevant in terms of its 
consideration in implementation of controls, because when you 
determine whether or not to implement a particular control, you 
need to make sure that that control cost-effectively will 
reduce the risk to an acceptable level. And so, certainly, cost 
is a factor.
    Mr. Pascrell. So, if one set of standards implement--and I 
am giving an example here. Cost would be simply be one of the 
factors that would be involved to decide which one we would try 
to implement. Is that a fair statement?
    Mr. Wilshusen. I would say cost is a factor in the 
determination of which controls to implement, sure. But so is 
the adverse impact or harm that could occur should that control 
not be implemented and such a vulnerability or weakness be 
exploited.
    Mr. Pascrell. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Langevin. The Chair now recognizes the gentlelady from 
Florida, Ms. Ginny Brown-Waite.
    Ms. Brown-Waite. Thank you very much.
    I still remember when we first learned about the problem, 
and I couldn't help but think about whether it was TVA, with 
the dams, or even in Florida, where we have control structures 
that, you know, would have a wide range of repercussions if 
anything happened.
    And I would like to address this to Mr. Wilshusen. While I 
understand the grave risks facing our control grid, could you 
elaborate on how the countless power and energy providers would 
be impacted by having to comply?
    And I am sorry, you may have answered this before I got 
here. I apologize.
    Mr. Wilshusen. Well, one of the things--if they are now in 
compliance with the NERC reliability standards, and they were 
to try to go implement the controls to be in compliance with 
the NIST standards, because the NERC reliability standards 
contain just a subset of the NIST standards, it would impact 
them to the extent that they would need to implement additional 
controls in order to be in compliance with those standards.
    In some cases, it is also important to realize that the 
NIST standards and minimum security requirements, in certain 
cases, may not be appropriate or practical or feasible for 
certain control systems because of the environment that it is, 
but that----
    Ms. Brown-Waite. Would you give me an example of one that 
it wouldn't be appropriate for?
    Mr. Wilshusen. Here is one that the industry 
representatives have identified. For example, one would be 
having password controls over some of the control systems. 
Their thinking was that, in the event of an emergency, it is 
imperative that the operator be able to log on to their system 
and react immediately, and that the use of passwords could 
potentially disrupt that or make it more difficult for that 
individual to log on in a timely manner.
    Ms. Brown-Waite. Are nuclear power plants--and I happen to 
have one in my district. Some people consider it a blessing; 
others consider it less of a blessing. Are nuclear power plants 
certainly at the top of the risk category?
    Mr. Wilshusen. I would say--well, it depends on which 
perspective, but in terms of a security breach or 
vulnerability, I would say that they are probably near the top. 
But I really couldn't say that without specific evidence that 
we haven't really looked at that to see which of the industries 
are most at risk.
    Ms. Brown-Waite. Okay. I appreciate that. Thank you.
    And I yield back, Mr. Chairman.
    Mr. Langevin. I thank the gentlelady.
    The gentlelady from California, Ms. Lofgren, is recognized 
now for 5 minutes.
    Ms. Lofgren. Thank you very much, Mr. Chairman, and to the 
witnesses.
    I just have a couple of questions. Actually, the GAO report 
makes me very anxious. One of the concerns that we have had 
here is our exposure in the cyber area. And that is why, when 
Mr. Thornberry was on this committee, he and I worked together, 
and it was really one of those high points of my career in 
Congress to work in such a collaborative fashion, in a 
bipartisan fashion, to create the position that you now hold, 
Mr. Garcia, with the idea that we really needed the kind of 
attention that this threat was not getting.
    And here is my concern, that the GAO really identifies the 
same deficiencies that the outside critics have identified in 
the scope of the NERC CIP standards and specifically on the 
interconnections and the possibility of cascading failures.
    Ms. Lofgren. [Continuing.] And so the question is, what are 
you going to do about it? What leadership are you going to show 
to make sure that these gaps are remedied?
    Mr. Garcia. First of all, Congresswoman, thank you very 
much. Thank you very much for creating the position that I now 
fill. I am very eager to demonstrate some very tangible 
accomplishments throughout my tenure here, and I think control 
systems rank amongst the highest.
    I think we have already shown tremendous progress in 
control systems across the board, not just in the electric and 
nuclear sectors, but in the other sectors that I have mentioned 
that we are now taking action on. And I go back to the point 
that as 85 to 90 percent----
    Ms. Lofgren. Could I interrupt to follow up on that point? 
Are you suggesting that the points that the GAO has made and 
that some of the outside--I see Mr. Weiss--I always see him on 
the airplane--sitting in the audience--have made that you have 
already started the remedies on those and that you are well 
under way?
    Mr. Garcia. Are you talking about the electric sector 
specifically or just generally?
    Ms. Lofgren. Yes.
    Mr. Garcia. On the electric sector and through our private 
sector partners in the electric sector; and our Federal 
partners developed collectively mitigation strategies----
    Ms. Lofgren. So the criticism that the GAO is making on the 
deficiencies in the NERC standards, that is no longer accurate?
    Mr. Garcia. On the specific standards, I think that the 
FERC witness coming up in the next panel will have more to 
discuss about specific standards. Our role at DHS is one as a 
coordinator, to try to bring together the various parties who--
--
    Ms. Lofgren. Well, if I may, I don't believe that is the 
case, and it is certainly not what we intended in Congress. 
Clearly, we have a collaborative and coordinating role to play, 
but part of the problem is that we haven't made any progress on 
the cybersecurity front, or haven't for a long, long time; and 
we expect the Department to show some leadership.
    I mean, I don't want to pick on the power industry, but 
this is true in any sector that is not the tech sector. They 
are looking at what they see, but they may not see the whole 
picture. And so that is our job, to see the interconnections, 
to see the possibilities of interconnecting, cascading 
failures; and to insist that measures be taken to secure the 
cyber space that that sector may not see because the public's 
interest is larger than just their narrow interest. And I don't 
mean to diminish their narrow interest, but we have a broader 
scope here.
    So the question really isn't to FERC. It is to you. What 
are you going to do about it?
    Mr. Garcia. Absolutely, Congresswoman. We take very 
seriously every sector's responsibility for securing their 
infrastructure. Absent regulatory authority, we are relying on 
the framework devised in the National Infrastructure Protection 
Plan and their component, sector-specific plans and our 
partnerships with the Federal agencies that have specific 
responsibility, regulatory or otherwise, to specific sectors.
    Ms. Lofgren. Let me ask you this because my time is about 
to run out and we also have votes on the floor.
    I would like to get in follow-up to this meeting kind of 
where we are on the specific issues raised by the GAO and to 
the extent it is different from the outside critics; and then 
get from you your assessment of what you can do to meet the 
standard identified by GAO in terms of scope; and then, if you 
can't do it with the tools that you currently have, recommend 
what additional tools you think would be necessary.
    Could you do that?
    Mr. Garcia. Yes, ma'am. We would be happy to come up and go 
through this in much more detail.
    Ms. Lofgren. Thank you very much.
    I thank you, Mr. Chairman.
    Mr. Langevin. I thank the gentlelady for her questions. And 
on that very point, we are in lockstep. I agree that you should 
have the tools to make sure that we have these strategies put 
in place and acted upon. And if not, whether it is--I am not at 
all satisfied that enough is being done here, and if we need to 
give additional tools either to DHS or FERC to make sure that--
particularly, when if you are talking about actionable 
intelligence or information that needs to be acted on quickly--
that the tools are in place and we actually make sure that they 
have them. So the steps--that the mitigation factors take 
place.
    So, with that, I am going to--since there are votes on, I 
am going to dismiss this panel. We will recess for about 20 
minutes and then call up the second panel.
    I thank the witnesses for their testimony.
    And the subcommittee now stands in recess.
    [Recess.]
    Mr. Langevin. The subcommittee will come to order. Let me 
begin by thanking the second panel of witnesses for being here 
today. And let me just begin by introducing and welcoming Mr. 
Joe McClelland, the Director of Electric Reliability for the 
Federal Energy Regulatory Commission. Mr. McClelland was 
previously Director of the Division of Reliability at FERC 
since 2004. He came to the Commission with more than 20 years 
of experience in the electric utility industry.
    Thank you for being here.
    Our second witness is Mr. David Whiteley, the Executive 
Vice President of North American Electric Reliability 
Corporation. Mr. Whiteley is responsible for overseeing the 
performance of four NERC program standards: reliability, 
readiness training, education and personal certification, and 
members' forums. Thank you for coming.
    And our third witness is Mr. Joe Weiss, Managing Partner of 
Applied Control Solutions. Mr. Weiss is a nuclear engineer who 
spent more than 30 years working in the commercial power 
industry. He is a member of many groups working to improve the 
reliability and availability of critical infrastructures and 
their control systems.
    Without objection, the witnesses' full statements will be 
inserted in the record.
    Mr. Langevin. Before I go to Mr. McClelland for his 
testimony, we had hoped to air a brief video before the start 
of the first panel, that just testified. The video was not 
ready. I am told that it is now ready to be shown. This will 
give members of the committee a visual understanding of the 
degree of concern I and many others have and how serious the 
potential problem could be with respect to the control systems 
being corrupted.
    So, with that, I am going to ask the technical people to 
begin the video. I am told that everything is in order and 
should work. So, with that, we can start the video.
    [Video plays.]
    Mr. Langevin. Well, that just, as I said, puts a visual to 
how potentially serious this problem could be if not addressed 
quickly.
    I take this seriously; I know the ranking member does as 
well, and we are going to do all we can to exercise maximum 
oversight to ensure the worst-case scenario that was 
potentially spoken about in that piece we just saw never 
occurs.
    With that, I now ask each witness to summarize their 
statement for 5 minutes, beginning with Mr. McClelland.
    Mr. McClelland, thank you for your testimony and for being 
here today. Welcome.

 STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC 
       RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

    Mr. McClelland. Thank you, Mr. Chairman, Ranking Member 
McCaul and subcommittee members for providing this opportunity 
to appear today.
    I am the Director of the Federal Energy Regulatory 
Commission's newest office, the Office of Electric Reliability. 
My office's mission is to help protect and improve the 
reliability and security of the Nation's bulk power system 
under authority granted to the Commission in the Energy Policy 
Act of 2005.
    I am here today as a Commission staff witness. My remarks 
do not necessarily represent the views of the Commission or of 
any individual commissioner.
    New section 215 of the Federal Power Act, or FPA, requires 
that the users, owners and operators of the Nation's bulk power 
system abide by mandatory reliability standards. Under the new 
statutory framework, these standards are developed and proposed 
by the Electric Reliability Organization, or ERO, to the 
Commission. Standards become mandatory only after they are 
approved by the Commission.
    To meet its obligations under section 215, the Commission 
has certified the North American Electric Reliability 
Corporation, or NERC, as the ERO. We have approved eight 
delegation agreements for the regional entities that will be 
assisting NERC in its efforts and approved 83 of 107 proposed 
reliability standards while simultaneously directing that 56 of 
the approved standards be improved.
    The approved standards became mandatory on June 18, 2007. 
Violations of these new mandatory rules can trigger significant 
penalties and enforcement actions by the Commission itself, or 
more typically by the ERO, subject to the Commission's 
oversight.
    Section 215 of the FPA specifically covers cybersecurity 
for the bulk power system. In August 2006, NERC proposed eight 
cybersecurity standards for the Commission's approval, 
requesting that auditable compliance not begin until mid-2009, 
continuing through 2010.
    We have been reviewing NERC's proposed cybersecurity 
standards in our rulemaking proceeding, thereby engaging all of 
the affected industry and stakeholders. Using this process, the 
Commission has issued both a staff preliminary assessment and a 
notice of proposed rulemaking, considering over 1,300 pages of 
comments from over 100 industry and stakeholder entities.
    Although the Commission has proposed to approve the 
standards in the Notice of Proposed Rulemaking, it has also 
expressed a need for immediate revisions to the standards, such 
as the elimination of the overly broad, quote, ``reasonable 
business judgment,'' end quote, approach and narrowing of the 
term, quote, ``technical feasibility,'' end quote.
    Stakeholder comments on the rulemaking proceeding have 
raised issues concerning equipment operating costs and the 
appropriate scope of industry discretion. Other commenters, 
such as Members of Congress, including members of this 
subcommittee, have asked that the Commission consider and 
incorporate features from the standards being developed by the 
National Institute of Standards and Technology, or NIST. The 
Commission currently is considering all the comments it has 
received.
    With respect to the NIST standards, I note that the 
Commission has indicated in the NOPR, or Notice of Proposed 
Rulemaking, that it expects the ERO to evaluate any provisions 
in the NIST standards that would better protect the bulk power 
system. If there are NIST provisions that would improve 
cybersecurity protection, the Commission can order the ERO to 
initiate a standards development process, or the ERO on its own 
can initiate a standards development process to incorporate 
such NIST provisions in the mandatory reliability standards.
    In response to recent events and news reports, the 
Commission is examining its options for timely responses to 
urgent cybersecurity risks to the bulk power system. By law, 
the reliability standards process used by the ERO has to 
provide for reasonable notice, the opportunity for public 
comment, due process, openness and balance of interests in 
developing the standards.
    In practice, this has meant that the reliability standards 
proposed by the ERO are based on consensus from industry. 
Consequently, the process is not nimble and can take years to 
develop proposed standards.
    The Commission is assessing ways to more promptly address 
urgent cybersecurity risks while protecting sensitive 
information involving national security. If the Commission 
determines that it needs additional authority to accomplish 
this task, it will recommend appropriate legislation to meet 
its responsibilities under EPAct 2005.
    To protect the Nation's bulk power system, the Commission 
is encountering new staffing and program needs. In particular, 
the Commission needs more engineering to review and help 
develop proposed reliability standards, conduct bulk power 
event analyses and investigate potential violations. The 
Commission has requested additional funds for 2008 to be 
recovered through the Commission's self-funding process. I 
encourage you to support the Commission's efforts to obtain 
more funding.
    In conclusion, I stress that the Commission is taking all 
the steps it can under its new reliability authority to protect 
the bulk power system and is dedicated to fulfilling Congress' 
goals.
    Thank you again for the opportunity to testify today. And I 
would be happy to answer any questions that you may have.
    Mr. Langevin. Thank you, Mr. McClelland.
    [The statement of Mr. McClelland follows:]

                Prepared Statement of Joesph McClelland

    Mr. Chairman and Members of the Subcommittee:
    Thank you for this opportunity to appear before you to discuss the 
cyber threat to the electric grid's control systems. My name is Joseph 
McClelland. I am the Director of the new Office of Electric Reliability 
(OER) of the Federal Energy Regulatory Commission (Commission). The 
OER's mission is to help protect and improve the reliability and 
security of the Nation's bulk-power system through effective regulatory 
oversight as established in the Energy Policy Act of 2005 (EPAct 2005). 
I am here today as a Commission staff witness and my remarks do not 
necessarily represent the views of the Commission or any individual 
Commissioner.
    My testimony summarizes the Commission's recent efforts to improve 
the security of the Nation's electric power system. Congress's recent 
legislation has greatly expanded the Commission's ability to anticipate 
and respond to cybersecurity threats to a critical component of the 
Nation's infrastructure, the interstate bulk-power system. The 
Commission has met its statutory deadlines and provided a solid 
foundation for ongoing regulatory efforts. Ongoing efforts focus on the 
approval of Reliability Standards governing the planning and operation 
of the interstate bulk-power system as mandatory rules with appropriate 
penalties, subject to the Commission's oversight and approval.
    The Commission continues to work with the North American Electric 
Reliability Corporation (NERC) to protect the bulk-power system from 
cybersecurity threats. NERC has proposed cybersecurity standards for 
the industry and the Commission has issued a notice of proposed 
rulemaking addressing these standards. The Commission is reviewing 
comments on these standards and is committed to ensuring that the 
resulting standards are consistent with and effectively implement 
recommendations proposed in response to the 2003 blackout affecting the 
Northeast United States and Canada.
    The Commission is assessing its options for immediately and 
effectively addressing urgent cybersecurity risks to the electric 
system. The Reliability Standards process, which focuses on consensus 
from industry representatives, typically takes considerable time to 
implement. If the Commission determines that its authority to promptly 
address cybersecurity risks is inadequate, it will seek additional 
legislation.
    As the Commission meets its responsibilities under EPAct 2005 to 
protect the Nation's bulk-power system, it is encountering new staffing 
and program needs. In particular, the Commission needs to hire more 
engineers to review and enforce Reliability Standards affecting the 
hundreds of entities that use the bulk-power system. Therefore, the 
Commission has requested additional budget authority for 2008, the 
costs of which would be recovered through the Commission's existing 
self-funding process.

Background
    In August 2005, Congress enacted EPAct 2005 entrusting the 
Commission with a major new responsibility to oversee mandatory, 
enforceable Reliability Standards for the electric grid. This authority 
is in section 215 of the Federal Power Act (FPA). Section 215 requires 
the Commission to select an Electric Reliability Organization (ERO). 
The ERO is responsible for proposing, for Commission review and 
approval, Reliability Standards or modifications to existing 
Reliability Standards to help protect and improve the reliability of 
the Nation's bulk-power system. The Reliability Standards apply to the 
users, owners and operators of the bulk-power system. The ERO also is 
authorized to impose, after notice and opportunity for a hearing, 
penalties for violations of the Reliability Standards, subject to 
Commission review. The ERO may delegate certain responsibilities to 
``Regional Entities,'' subject to Commission approval.
    The Commission may approve proposed Reliability Standards or 
modifications if it finds them ``just, reasonable, not unduly 
discriminatory or preferential, and in the public interest.'' If the 
Commission disapproves a proposed standard or modification, FPA section 
215 requires the Commission to remand it to the ERO for further 
consideration. The Commission, upon its own motion or upon complaint, 
may direct the ERO to submit a proposed standard or modification on a 
specific matter. The Commission also may initiate enforcement on its 
own motion but, for most violations, will only review the enforcement 
actions of the ERO.
    The Commission is qualified to perform all of these tasks and, in 
anticipation of reliability legislation being passed, it established a 
reliability group at the agency even before the passage of EPAct 2005. 
Commission staff played a key role in the U.S.-Canada Power System 
Outage Task Force formed to investigate the August 2003 blackout that 
affected eight states, one province and an estimated 50 million people 
in the U.S. and Canada. When the Task Force issued its report in April 
2004 (Blackout Report), the Commission acted quickly to implement the 
report's recommendations addressed to the Commission. For example, the 
Commission announced that no new independent system operator or 
regional transmission organization would be approved until its 
reliability capabilities were functional. The Commission also adopted a 
policy statement on several other issues, such as recovery of prudent 
reliability costs, cooperation with the States, and the interpretation 
of reliability-related provisions in transmission tariffs. On this last 
point, the Commission stated that tariff requirements to follow ``good 
utility practice'' would include compliance with the then-voluntary 
standards developed by NERC's predecessor, the North American Electric 
Reliability Council.
    With this experience, the Commission has been able to implement FPA 
section 215 diligently. Within 180 days of enactment, the Commission 
adopted rules governing the reliability program. In the summer of 2006, 
it approved NERC as the ERO. In March 2007, the Commission approved the 
first set of national mandatory and enforceable Reliability Standards. 
In April 2007, it approved eight regional delegation agreements to 
provide for development of new or modified standards and enforcement of 
approved standards by Regional Entities. And, just last month, the 
Commission's Division of Reliability in the Office of Energy Markets 
and Reliability was established as its own program office, the OER, to 
reflect the growing importance of the Commission's reliability 
responsibilities.
    In exercising its new authority, the Commission has interacted 
extensively with NERC and the industry. The Commission also has 
coordinated with other federal agencies, such as the Department of 
Homeland Security, the Department of Energy and the Nuclear Regulatory 
Commission. And, the Commission has established regular communications 
with regulators from Canada and Mexico regarding reliability, since the 
North American bulk-power system is an interconnected continental 
system subject to the laws of three nations.

The Commission's Proposed Cybersecurity Regulations
    FPA section 215 defines ``reliability standard[s]'' as including 
requirements for the ``reliable operation'' of the bulk-power system 
and for ``cybersecurity protection.'' Section 215 defines reliable 
operation to mean operating the elements of the BPS within certain 
limits so instability, or uncontrolled separation, or cascading 
failures will not occur ``as a result of a sudden disturbance, 
including a cybersecurity incident.'' Section 215 also defines a 
``cybersecurity incident'' as a ``malicious act or suspicious event 
that disrupts, or was an attempt to disrupt, the operation of those 
programmable electronic devices and communication networks including 
hardware, software and data that are essential to the reliable 
operation of the bulk power system.''
    In 2003, before the passage of EPAct 2005, NERC approved the 
``Urgent Action 1200'' standard (UA 1200), the first comprehensive, 
although temporary, cybersecurity standard for the electric industry. 
This voluntary standard applied to control areas (i.e., balancing 
authorities responsible for ensuring that a specific area's supply 
matches demand at any moment in time), transmission owners and 
operators, and generation owners and operators that perform certain 
functions. Specifically, UA 1200 established a self-certification 
process relating to the security of system control centers.
    In May 2006, NERC approved eight new cybersecurity standards to 
supersede UA 1200. These new standards, known as the Critical 
Infrastructure Protection (CIP) standards and discussed below, are 
broader in scope and applicability than UA 1200 and, if approved by the 
Commission, would be mandatory. In August 2006, NERC submitted the new 
standards to the Commission for approval under FPA section 215. Citing 
the expanded scope of facilities and entities covered by the CIP 
standards, and the investment in security upgrades required in many 
cases, NERC proposed an implementation plan under which certain 
requirements would be ``auditably compliant'' by 2009 and the others 
would be so by 2010.
    In December 2006, the Commission issued an assessment by its staff 
of NERC's proposed CIP standards, and allowed 60 days for public 
comments. The staff's assessment was limited to a technical review, and 
made no final determinations on compliance with FPA section 215's legal 
requirements.
    After receiving and analyzing the nearly 500 pages of comments from 
38 entities, the Commission issued a Notice of Proposed Rulemaking in 
July 2007 proposing to adopt the CIP standards subject to further 
comment from the public. The Commission also proposed to concurrently 
direct NERC to develop modifications addressing specific concerns 
identified by the Commission.
    The eight CIP standards contain over 160 requirements. Generally, 
the CIP standards would require the following actions:
    Critical Cyber Asset Identification: requires the identification of 
an entity's critical assets and critical cyber assets using a risk-
based assessment methodology.
    Security Management Controls: requires an entity to develop and 
implement security management controls to protect critical cyber 
assets.
    Personnel and training: requires personnel with access to critical 
cyber assets to go through identity verification, criminal background 
checks and employee training.
    Electronic Security Perimeters: requires the identification and 
protection of electronic security perimeters and access points. The 
security perimeters are to encompass the critical cyber assets.
    Physical Security of Critical Cyber Assets: requires the creation 
and maintenance of a physical security plan that ensures all cyber 
assets within an electronic security perimeter are kept in an 
identified physical security perimeter.
    Systems Security Management: requires an entity to define methods, 
processes, and procedures for securing the systems identified as 
critical cyber assets, as well as the non-critical cyber assets within 
the perimeter.
    Incident Reporting and Response Planning: requires the 
identification, classification and reporting of cyber security 
incidents related to critical cyber assets.
    Recovery Plans for Critical Cyber Assets: requires the 
establishment of recovery plans for critical cyber assets using 
established business continuity and disaster recovery techniques and 
practices.
    Public comments comprising more than 800 pages from 69 entities on 
the Commission's proposed actions were filed as of October 5. The 
Commission's staff has begun reviewing these comments, and the 
Commission intends to take final action expeditiously.
    One of the Commission's goals is to ensure that the cybersecurity 
standards are consistent with the lessons learned from the August 2003 
blackout. Thirteen of the 46 Blackout Report recommendations relate to 
cybersecurity. See the Blackout Report at pp. 163--69. They address 
topics such as strict control of physical and electronic access to 
operationally sensitive equipment; capability to detect wireless and 
remote wireline intrusion and surveillance; and improvement and 
maintenance of cyber forensic and diagnostic capabilities. The Blackout 
Report recommendations are a sound basis for action.
    The Commission recognizes that the CIP standards must strike a 
reasonable balance. Overly prescriptive standards may become a ``one 
size fits all'' solution despite the significant differences in system 
architecture, technology and risk profile. However, CIP standards 
lacking sufficient detail will provide little useful direction, make 
compliance and enforcement difficult, allow flawed implementation and 
result in inadequate protection.
    A major concern with cybersecurity is the prevalence in the 
industry of ``legacy equipment'' which may not be readily adaptable for 
purposes of cybersecurity protection. If this equipment is left 
vulnerable, it could be the focal point of efforts to disrupt the grid. 
Replacing this equipment or retrofitting it to incorporate 
cybersecurity protection could be costly. But a successful cyber attack 
could damage our bulk-power system and economy in ways that cost far 
more. This risk often may justify retrofitting the legacy equipment, 
adding a perimeter of defensive security measures or replacing the 
equipment before its useful life ends.
    In its July 2007 Notice of Proposed Rulemaking, the Commission 
stated its concern with the breadth of discretion left to utilities by 
NERC's proposed CIP standards. For example, NERC's standards state that 
utilities ``should interpret and apply the Reliability Standard[s] 
using reasonable business judgment.'' Similarly, the standards at times 
require certain steps ``where technically feasible,'' but this is 
defined as not requiring the utility ``to replace any equipment in 
order to achieve compliance.'' Also, NERC's proposal would allow a 
utility at times not to take certain action if the utility documents 
its ``acceptance of risk.'' The Commission proposed to direct NERC to 
modify the standards to remove the terms ``reasonable business 
judgment'' and ``acceptance of risk'' while narrowing ``technically 
feasible.''
    For certain other requirements in the CIP standards, the Commission 
proposed to address this concern about discretion by requiring external 
oversight of utility decisions. This oversight could be provided by 
industry entities with a ``wide-area view,'' such as reliability 
coordinators or the Regional Entities subject to the review of the 
Commission.
    The National Institute of Standards and Technology (NIST) has 
commented that its cybersecurity standards are more advanced and could 
provide a model for improvements to the CIP standards. NIST has 
recommended that the Commission consider a transition to standards 
identical to, consistent with, or based on NIST standards and 
guidelines. The Commission's proposal so far is to not require 
incorporation of the NIST standards and guidelines. However, the 
Commission has said it would expect NERC to monitor the development and 
implementation of the NIST standards to determine if they would provide 
better protection. Certain federal entities, such as the Tennessee 
Valley Authority and Western Area Power Administration, are required to 
comply with both the NIST standards and the CIP standards, and thus may 
be able to provide unique insights on this issue. The Commission 
expressed its expectation that NERC will seek and consider comments 
from these federal entities on the effectiveness of the NIST standards 
versus the CIP standards. Any provisions in the NIST standards that 
will better protect the bulk-power system should subsequently be 
addressed in the standards development process as improvements to the 
CIP standards. In addition to this consideration, the Commission 
proposes to revisit this issue in future proceedings as part of a 
continuing evaluation of existing standards, the need for new 
standards, or as part of assessing NERC's performance as the ERO.

Confronting Urgent Risks
    The procedures used so far for adoption of Reliability Standards 
have allowed multiple opportunities for industry and public input and 
taken significant time, as explained below. However, urgent risks may 
at times require immediate action, and the Commission currently is 
exploring the scope of its authority under existing law to take swift 
and effective action to prevent opportunities for cyber attacks or 
address other critical matters.
    FPA section 215 relies on the ERO to develop and submit proposed 
Reliability Standards. NERC's procedures for doing so allow extensive 
opportunity for industry comment, generally based on the procedures of 
the American National Standards Institute (ANSI). The NERC process is 
intended to develop consensus on both the need for the standard and on 
the substance of the proposed standard. Although inclusive, the process 
is not nimble and can take years to develop standards for the 
Commission's review.
    Key steps in the NERC process include: nomination of a proposed 
standard using a Standard Authorization Request (SAR); public posting 
of the SAR for comment; review of the comments by NERC staff; drafting 
or redrafting of the standard by an assigned team; public posting of 
the draft standard; field testing of the draft standard, if 
appropriate; formal balloting of the draft standard, with approval 
based on 75 percent of total votes and two-thirds of weighted industry 
sector votes; re-balloting, if negative votes are supported by specific 
comments; voting by NERC's board of trustees; and an appeals mechanism 
to resolve any complaints about the standards process. NERC-approved 
standards are then submitted to the Commission for its review.
    For the first set of Reliability Standards proposed by NERC and for 
the CIP standards currently under consideration, the Commission began 
its process by issuing a staff assessment of the proposed standards and 
allowing public comment on the assessment. Based on its consideration 
of those comments, the Commission then issued a ``Notice of Proposed 
Rulemaking'' identifying the Commission's proposed actions and allowing 
additional opportunities for public comment. After considering these 
additional comments, the Commission will issue a ``Final Rule,'' 
adopting or modifying its proposed actions.
    Generally, the procedures used by NERC and the Commission are 
appropriate in allowing extensive opportunities for industry and public 
comment. The public and our economy depend critically on having a 
reliable supply of electricity, and Reliability Standards usually 
should be adopted only after thorough and open vetting of all relevant 
considerations.
    Certain circumstances, however, may require immediate action. If a 
significant vulnerability in the bulk-power system is identified, 
procedures used so far for adoption of Reliability Standards may take 
too long to implement corrective steps. Also, those procedures would 
widely publicize the vulnerability and the possible solutions, thus 
increasing the risk of hostile actions before the appropriate solutions 
are implemented.
    Recently, CNN broadcast a story alleging the existence of a 
cybervulnerability on the electric grid. The story included video of a 
small generating unit allegedly being damaged by a cyber attack, and 
also showed an economist stating that there could be a $700 billion 
dollar impact to our economy if generating facilities serving one-third 
of our Nation's electric load were disabled for three months through 
such attacks.
    This story has prompted the Commission to reexamine its authority 
to quickly mitigate verified cybervulnerability risks and to protect 
security-sensitive information from inappropriate disclosure. If the 
Commission determines that it does not have adequate authority to 
promptly address cybersecurity risks and adequately protect security-
sensitive information, or that its authority needs to be clarified, it 
will seek additional legislation.

The Commission Needs More Funding for Reliability
    As noted above, the Commission has certified NERC as the ERO; 
approved the first set of mandatory and enforceable Reliability 
Standards (83 of NERC's initial 107 while calling for significant 
modifications to 56 of the 83); and approved delegation agreements 
between NERC and eight Regional Entities. With these steps, the 
Commission is well positioned to implement FPA section 215. However, 
more resources are needed by the Commission in all areas of 
reliability, including physical and cyber standards development, 
compliance and enforcement, investigation and analysis, and reports and 
assessments. In addition, the new Reliability Standards, including 
cybersecurity standards, will take significant work by the Commission, 
the ERO and the industry, and thus competition for experienced 
personnel, particularly engineers, is strong. Oversight of the 
reliability of the Nation's bulk-power system is one of the most 
important functions ever undertaken by the Commission and the 
Congress's budget support in providing necessary resources is critical.
    The Commission will continue to work with the ERO and industry to 
strengthen Reliability Standards. Our staff will monitor and engage in 
the standards development process to provide timely feedback to 
stakeholders. NERC and industry stakeholders have requested the 
Commission's staff to be involved in the standards development process. 
We believe the process will work better if the Commission's staff is 
involved from the beginning, to help ensure that necessary improvements 
to the standards are made timely and comport with Commission 
directives. This is important because section 215 does not give the 
Commission explicit authority to revise or write the standards. 
Instead, the Commission can only direct the ERO to submit a standard on 
a specific matter or remand a proposed standard to the ERO with 
directions for modification, and the standards development and revision 
process is lengthy.
    In addition, Commission staff will participate with the Regional 
Entities in a number of regular compliance audits and in analyzing 
selected incidents on the bulk-power system. Staff also will analyze 
and/or prepare reports on various issues concerning the reliability and 
security of the bulk-power system.
    The Commission has moved quickly to fulfill the Congressional 
intent of FPA section 215. However, after we completed the actions 
cited above, we came to understand better the resource needs for our 
new reliability responsibilities. For example, approximately 1500 U.S. 
utilities or users of the bulk-power system are now ``registered'' by 
NERC to comply with the Reliability Standards. The Commission's 
jurisdiction to implement and enforce FPA section 215 for such a large 
number of entities serving the entire United States bulk-power system 
is a significant responsibility and requires a significant commitment 
of resources.
    Thus, in June of this year, the Commission's Chairman wrote to the 
Chairmen and Ranking Members of the House and Senate Appropriations 
Committees, seeking an additional $9 million for our reliability work 
in fiscal year 2008. This would provide for an additional 55 Full-Time 
Equivalents (FTEs) to support its reliability program. These FTEs would 
consist primarily of electrical engineers, power system experts, 
auditors and lawyers. The Commission's Chairman also asked for 
authorization to hire electrical engineers non-competitively up to the 
GS-15 level, and to hire six additional executive senior level (SL) 
staff in support of its reliability program. As you may know, the 
Commission is a self-supporting agency and would recover the additional 
appropriations through fees and annual charges, as it does all of its 
costs, and will operate at no net cost to the taxpayer. I encourage you 
to support these requests by the Commission.

Conclusion
    I stress that the Commission is taking all the steps it can to 
protect the bulk-power system and is dedicated to fulfilling Congress's 
goals. Thank you again for the opportunity to testify today. I would be 
happy to answer any questions you may have.

    Mr. Langevin. The Chair now recognizes Mr. Whiteley to 
summarize your statement for 5 minutes.

 STATEMENT OF DAVID WHITELEY, EXECUTIVE VICE PRESIDENT, NORTH 
           AMERICAN ELECTRIC RELIABILITY CORPORATION

    Mr. Whiteley. Thank you, Mr. Chairman, Ranking Member 
McCaul and members of the subcommittee. I am pleased to appear 
on behalf of the North American Electric Reliability 
Corporation to explain how we and the electric industry are 
working to protect the security of the control systems of the 
bulk power grid.
    My comments this afternoon will focus on three points: 
first, that NERC takes very seriously its responsibility in 
protecting the overall reliability of the bulk power system; 
second, that NERC's critical infrastructure protection, or CIP, 
reliability standards will enhance the cybersecurity of control 
systems and grid reliability; and third, that continuous 
improvement in NERC's reliability standards will allow for 
further coordination with cybersecurity standards and 
guidelines, such as the NIST guidelines, that are relevant for 
control systems.
    NERC was established in 1968 with a mission to develop and 
implement standards to ensure the reliable operation of the 
bulk power system in North America. When Congress passed the 
Energy Policy Act of 2005, it codified this responsibility in 
the Federal Power Act, and Congress charged FERC with 
certifying an Electric Reliability Organization, or ERO, that 
will develop and enforce reliability standards to provide for 
the reliable operation of the bulk power system but only the 
bulk power system.
    NERC is committed to exercising to the fullest extent the 
authority to ensure grid reliability within the limits provided 
in the law.
    The Energy Policy Act expressly excluded local distribution 
facilities from the definition of bulk power system. That said, 
NERC has worked diligently to implement the reliability 
authority as FERC's certified ERO.
    The system of voluntary standards administered by NERC for 
more than 30 years was replaced on June 18 with a new set of 
mandatory reliability standards applicable to all users, owners 
and operators of the bulk power system.
    NERC realizes that cybersecurity of grid control systems is 
an important element of the overall reliability of the system 
and has been an increasing priority for every sector of the 
U.S. economy since the turn of the century. NERC has recognized 
and responded to this challenge first through the voluntary 
cybersecurity standard and now through proposed mandatory CIP 
reliability standards. FERC approval of the standards, along 
with parallel action by Canadian authorities, will enhance the 
reliability of the transmission grid in North America. These 
standards will improve the resiliency of control systems' cyber 
assets and increase the ability of these systems to withstand 
cyber-based attacks. Cybersecurity requirements will be applied 
to functions and to companies that have never been subject to 
standards in the past.
    In the course of developing the CIP standards, NERC 
evaluated NIST's ongoing work to apply its recommended security 
controls for Federal information systems along with other NIST 
work to the bulk power system. NERC determined, and FERC 
agreed, that the NIST guidelines cannot substitute for 
reliability standards developed specifically for the bulk power 
grid. The existing guidelines from NIST for information 
security are not directly applicable to control systems.
    NIST has continued to work in this area and has released 
additional draft guidance. However, because mandatory 
cybersecurity standards to secure grid reliability are needed 
now, issuance of the CIP reliability standards could not be 
delayed in order to await completion of the NIST process. In 
addition, the substitution of NIST guideline development for 
information systems into a mandatory reliability standard for 
electric grid control systems would not meet the requirements 
of the Federal Power Act that governed the process and 
procedures developed by NERC.
    Another consideration is that the bulk power system is 
interconnected within North America. This means that the bulk 
power system reliability standards must also be recognized in 
Canada, and the NERC standards development process requires 
Canadian input. Because the NIST guideline development process 
does not have to take into account the international aspect of 
the bulk power grid, they would not necessarily be applicable 
for cross-border application.
    We will evaluate how all of our reliability standards work 
in practice, will monitor industry and technology developments 
and determine on an ongoing basis whether these standards 
should be improved or new standards should be developed.
    In summary, the key to improving the reliability of the 
North American power system is to put good standards in place 
as soon as possible and then make them better. The CIP 
reliability standards are a sound starting point for the 
electric industry, and with regard to cybersecurity issues, a 
sound starting point as well. They can and should be made 
effective promptly.
    This concludes my prepared remarks, and I look forward to 
answering your questions.
    Mr. Langevin. Thank you, Mr. Whiteley.
    [The statement of Mr. Whiteley follows:]

                Prepared Statement of David A. Whiteley

    Mr. Chairman and Members of the Subcommittee, the North American 
Electric Reliability Corporation \1\ (``NERC'') is pleased to provide 
this testimony on how we and the electric industry are working to 
protect the security of the control systems for the bulk power grid 
throughout North America pursuant to the authority set forth in Section 
215 of the Federal Power Act (``FPA''), as enacted through the Energy 
Policy Act of 2005 (``EPAct 2005'').\2\ Protecting the overall 
reliability of the bulk power system, including ensuring the security 
and reliability of grid control systems, has been a high priority for 
NERC since well before the enactment of EPAct 2005, and we take this 
matter very seriously. As the Committee is aware, under the authority 
of FPA Section 215, NERC has proposed eight Critical Infrastructure 
Protection Reliability Standards for approval by the Federal Energy 
Regulatory Commission (``FERC'' or ``Commission''). FERC approval of 
the standards that NERC has proposed in this area, along with parallel 
action by appropriate governmental authorities in Canada, will enhance 
the cybersecurity of these control systems and the reliability of the 
interconnected electric transmission grid.
---------------------------------------------------------------------------
    \1\ NERC is the corporate successor to the North American Electric 
Reliability Council, also called ``NERC,'' formed to serve as the 
electric reliability organization (``ERO'') authorized by Section 215 
of the FPA.
    \2\ Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII, 
Subtitle A, 119 Stat. 594, 941 (2005).
---------------------------------------------------------------------------

                           EXECUTIVE SUMMARY

    Cyber security of control systems is an increasing priority for 
every sector of the U.S. economy. On behalf of the electric power 
sector, NERC has recognized and responded to this challenge, first 
through a voluntary cybersecurity standard and now through proposed 
mandatory Critical Infrastructure Protection (``CIP'') Reliability 
Standards for the bulk power grid. These mandatory standards are 
intended to assure that the electricity industry will devote the 
necessary organizational resources to securing control systems, and 
that the industry will identify, respond to and report cyber security 
incidents related to critical cyber assets.
    Since its establishment in 1968, NERC's mission has been the 
development and implementation of standards to ensure the reliable 
operation of the interconnected North American bulk power electric grid 
in the U.S. and Canada and Mexico. The system of voluntary standards 
administered by NERC for more than 30 years was replaced on June 18, 
2007, with a new set of mandatory Reliability Standards applicable to 
all users, owners and operators of the ``bulk power system.'' NERC 
stands ready to take additional steps as warranted to protect the 
reliability and cybersecurity of the grid.
    Mandatory and enforceable Reliability Standards under Section 215 
of the FPA are to provide for the reliable operation of the bulk power 
system only. Section 215 expressly excludes local distribution 
facilities from the definition of ``bulk power system.'' Moreover, 
Section 215 does not extend any authority for the regulation of 
reliability or cybersecurity beyond that which is necessary for 
reliable operations of the transmission grid. While critical 
infrastructures in various sectors of the U.S. economy are dependent 
upon the bulk power system, NERC's authority to propose and enforce 
reliability standards is confined to a single sector of the economy.
    We will evaluate how all of our Reliability Standards work in 
practice, monitor industry and technology developments, and determine 
on an ongoing basis whether these Standards should be improved, or new 
standards should be promulgated. The key to improving the reliability 
of the North American bulk power system is to put in place good 
standards, as soon as possible. The CIP Reliability Standards are a 
sound starting point for the electric industry. They can and should be 
made effective promptly so that they can be implemented now.
    In the course of developing the CIP Reliability Standards, NERC 
evaluated the National Institute of Standards and Technology's 
(``NIST'') ongoing work to apply its Special Publication (SP) 800-53, 
Recommended Security Controls for Federal Information Systems, to 
control systems, and other work underway at NIST to develop guidance on 
securing control systems. However, the need for mandatory cybersecurity 
standards to secure grid reliability is immediate, and issuance of the 
CIP Reliability Standards could not be delayed in order to await 
completion of the NIST process.
    Importantly, bulk power system reliability standards also must be 
acceptable to regulators in Canada and Mexico. We are not addressing 
only U.S. facilities with these standards. The NERC standards 
development process provides a carefully crafted mechanism designed to 
ensure that final standards proposals have been developed with Canadian 
(and Mexican, where appropriate) input. Because the NIST guideline 
development process does not have to take into account the 
international aspect of the bulk power grid, the U.S. government 
standards for U.S. government facilities resulting from that process 
would not necessarily be acceptable.
    Moreover, there are also important substantive and process-related 
reasons why any future final NIST guidelines cannot substitute for 
Reliability Standards developed specifically for the bulk power grid. 
First, the guidelines available from NIST for information security when 
the CIP Reliability Standards were being developed were not appropriate 
for control systems. Second, Section 215 of the FPA sets forth 
requirements for the process and procedures through which NERC, as the 
ERO, may establish Reliability Standards. FERC has approved the NERC 
standards-setting process. The conversion of a NIST guideline developed 
for information systems directly into a mandatory Reliability Standard 
for electric grid control systems would not comply with the statutory 
procedural requirements under which NERC operates.
    NERC will continue to monitor the progress of the NIST process, and 
as CIP Reliability Standards continue to evolve, there will be future 
opportunities to continue to reflect NIST documents and guidance as 
appropriate.

                             I. BACKGROUND

    A. NERC.
    NERC's mission is to ensure the bulk power system in North America 
is reliable. To achieve this objective, NERC develops and enforces 
reliability standards; monitors the bulk power system; assesses and 
reports on future adequacy; evaluates owners, operators, and users for 
reliability preparedness; and educates, trains and certifies industry 
personnel. NERC is a self-regulatory organization that relies on the 
diverse and collective expertise of industry participants. FERC 
certified NERC as the electric reliability organization (``ERO'') in 
July 2006.\3\
---------------------------------------------------------------------------
    \3\ See Order Certifying North American Electric Reliability 
Corporation as the Electric Reliability Organization and Ordering 
Compliance Filing, 116 FERC  61,062 (2006).
---------------------------------------------------------------------------
    Because Reliability Standards are applicable to the entire, 
interconnected North American bulk power system, NERC is subject to 
oversight by the governmental authorities in both Canada and the United 
States. In the U.S., with oversight from FERC, as of June 18, 2007, 
NERC has legal authority to enforce reliability standards applicable to 
all owners, operators, and users of the bulk power system, rather than 
relying on voluntary compliance. NERC is seeking similar recognition by 
governmental authorities in Canada, including eight provinces and the 
National Energy Board, and will seek recognition in Mexico at the 
appropriate time.

    B. Statutory Authority Over Bulk Power System Reliability.
    Section 215 of the Federal Power Act establishes the framework for 
mandatory and enforceable Reliability Standards applicable to all 
users, owners and operators of the bulk power system. Section 215 
assigns to the Commission the duties of approving and enforcing rules 
to ensure the reliability of the Nation's bulk power system. Section 
215 requires the Commission to issue rules for the certification of an 
ERO charged with developing and enforcing mandatory Reliability 
Standards, subject to Commission approval. Section 215 also gives the 
Commission the regulatory responsibility to approve standards that 
protect the reliability of the bulk power system.
    Consistent with the law, the development and enforcement of 
Reliability Standards is now the responsibility of the ERO. As noted 
above, FERC's certification of NERC as the ERO places this 
responsibility squarely on NERC. However, NERC's authority pursuant to 
Section 215 relates solely to ensuring the reliability of the bulk 
power system. FPA Section 215(a)(1) defines the term ``bulk power 
system'' to mean
        (A) facilities and control systems necessary for operating an 
        interconnected electric energy transmission network (or any 
        portion thereof); and
        (B) electric energy from generation facilities needed to 
        maintain transmission system reliability.
    The statutory definition expressly excludes ``facilities used in 
the local distribution of electric energy.''
        FPA Section 215 defines the term ``Reliability Standard'' to 
        mean:
    a requirement, approved by the Commission. . .to provide for 
reliable operation of the bulk-power system. The term includes 
requirements for the operation of existing bulk-power system 
facilities, including cybersecurity protection, and the design of 
planned additions or modifications to such facilities to the extent 
necessary to provide for reliable operation of the bulk-power system, 
but the term does not include any requirement to enlarge such 
facilities or to construct new transmission capacity or generation 
capacity.
    FPA Section 215(a)(3). Under FPA Section 215(a)(4), ``reliable 
operation,'' as used in the definition of Reliability Standard, means 
operating the elements of the bulk-power system within equipment and 
electric system thermal, voltage and stability limits so that 
instability, uncontrolled separation, or cascading failures of such 
system will not occur as a result of a sudden disturbance, including a 
cybersecurity incident, or unanticipated failure of system elements.
    The statute also defines a ``cybersecurity incident'' that the 
Reliability Standards developed by the ERO are to guard against:
    ``cybersecurity incident'' means a malicious act or suspicious 
event that disrupts, or was an attempt to disrupt, the operation of 
those programmable electronic devices and communication networks 
including hardware, software and data that are essential to the 
reliable operation of the bulk power system.
    FPA Section 215(a)(8) (emphasis supplied).
    Congress spent eight years considering the need for reliability 
legislation and refining the legislative language, choosing its words 
carefully to be very specific about the extent of and limitations on 
the jurisdiction of FERC and the ERO with respect to enforceable 
reliability standards. Congress also was clear that it wanted to 
capture the expertise of the industry in developing Reliability 
Standards and in monitoring and enforcing compliance with Standards 
through an audited self-regulatory system. For this reason, and because 
Reliability Standards apply not only in the U.S. but also in Canada, 
FERC's role is one of approving standards, not developing them in the 
first place, and in overseeing the activities of the ERO. FPA Section 
215(d)(2) provides that in executing its responsibilities to review, 
approve and enforce mandatory reliability standards, the Commission is 
authorized to approve those proposed standards that the Commission 
finds are just, reasonable, not unduly discriminatory or preferential, 
and in the public interest. Moreover, the Commission ``shall give due 
weight to the technical expertise of the Electric Reliability 
Organization with respect to the content of a proposed reliability 
standard. . . .'' Further, the statute requires that in applying its 
expertise and developing Reliability Standards, the ERO certified by 
the Commission must have established rules that ``provide for 
reasonable notice and opportunity for public comment, due process, 
openness, and balance of interests in developing reliability standards. 
. . .'' See FPA section 215(c)(2)(D).

           II. RESPONSE TO ISSUES IDENTIFIED BY THE COMMITTEE

    A. NERC's Authority To Prescribe Critical Infrastructure Protection 
Rules Is Limited To The Electric Power Sector Only And Does Not Extend 
To Regulation Of Distribution Systems Or Other Infrastructures.
    As described above, the authority granted to the ERO pursuant to 
Section 215 of the Federal Power Act is not unlimited. FPA Section 215 
does not convey authority to apply mandatory and enforceable 
reliability standards to the distribution system. The authority of the 
ERO extends only to elements of the bulk power system as defined in the 
statute. The only entities that under the law must comply with ERO-
developed reliability standards are ``users, owners and operators of 
the bulk-power system.'' Subject to FERC's approval, NERC has developed 
a compliance registry that identifies these entities, consistent with 
the statutory requirements.
    The standards that NERC has proposed to the Commission are 
consistent with Section 215 of the FPA. We believe those standards, 
when taken as a whole and as they develop over time, will continue to 
provide a level of reliability that is commensurate with the statutory 
requirements.

    B. The CIP Reliability Standards Were Developed Through A Rigorous 
Process That Took The NIST Guidance Into Account.
    Section 39.5(a) of the Commission's regulations requires the ERO to 
file with the Commission for approval each reliability standard the ERO 
proposes to become mandatory and enforceable in the United States, and 
each proposed modification to a reliability standard. NERC and the 
Commission have made substantial progress in proposing and approving 
reliability standards to be mandatory and enforceable in the United 
States. NERC filed a petition for approval of 102 existing Reliability 
Standards in FERC Docket No. RM06-16 on April 4, 2006. NERC filed a 
second petition for the approval of proposed reliability standards 
August 28, 2006, submitting 16 new standards for approval and revisions 
to 11 of the reliability standards previously submitted. Of the 16 new 
standards submitted, eight were Critical Infrastructure Protection 
cyber security standards.
    On December 11, 2006, the Commission Staff issued an assessment of 
the cyber security standards as a basis to solicit comments on those 
proposed standards. On July 20, 2007, the Commission issued a Notice of 
Proposed Rulemaking (``NOPR'') generally proposing to approve the CIP 
Reliability Standards as mandatory and enforceable, while also 
proposing to require NERC to make specific modifications to certain of 
the standards.\4\ The deadline for comments on the NOPR was October 5, 
2007, and the Commission has received approximately 100 comments on the 
staff assessment and the proposed standards.
---------------------------------------------------------------------------
    \4\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Docket No. RM06-22, 120 FERC  61,077 (2007). FERC's NOPR 
described the proposed CIP Reliability Standards as ``the most thorough 
attempt to date to address cyber security issues that relate to the 
Bulk-Power System.'' NOPR, P 13. Given the nature of the cyber security 
threat, the Commission acknowledged that ``cyber security strategies 
must comprise a layered, interwoven approach to vigilantly protect the 
Bulk-Power System against evolving cyber security threats.'' NOPR, P 
15. FERC proposed to approve NERC's proposed Implementation Plan for 
the CIP Reliability Standards, which sets forth ``a timeline by 
calendar quarters for completing various tasks and prescribes 
milestones for when a responsible entity must: (1) ``begin work;'' (2) 
``be substantially compliant'' with a requirement; (3) ``be compliant'' 
with a requirement; and (4) ``be auditably compliant'' with a 
requirement.'' NOPR, PP 43,47. FERC also proposed to approve the 162 
proposed Violation Risk Factor assignments proposed by NERC that 
correspond to the requirements of the CIP Reliability Standards and to 
direct NERC to revise 43 of them, as well as to assign Violation Risk 
Factors to additional requirements under the CIP Reliability Standards. 
NOPR, P 325. Violation Risk Factors indicate the potential or expected 
impact to the reliability of the Bulk-Power System of the violation of 
a particular Reliability Standard requirement. Violation Risk Factors 
are used by NERC in setting penalty amounts for violations of a 
Reliability Standard.

          1. Background of Proposed Cyber Security Standards.

    The initial work on the proposed cyber security standards dates 
back to 2002 when NERC's Critical Infrastructure Protection Advisory 
Group (``CIPAG'') \5\ drafted cyber security language that ultimately 
appeared in Appendix G of the Commission's ``Standard Market Design' 
NOPR.\6\ Since then, NERC has continued to raise the bar on cyber 
security, first by adopting Cyber Security Urgent Action Standard 1200 
in 2003,\7\ and again with the proposed standards filed with the 
Commission in August 2006.
---------------------------------------------------------------------------
    \5\ The CIPAG was a predecessor organization to NERC's current 
Critical Infrastructure Protection Committee (``CIPC'').
    \6\ Remedying Undue Discrimination through Open Access Transmission 
Service and Standard Electricity Market Design, Notice of Proposed 
Rulemaking, 67 Fed. Reg. 55,452 (Aug. 29, 2002), FERC Stats. & Regs.  
32,563 (2002). The Standard Market Design NOPR was never finalized.
    \7\ Cyber Security Urgent Action Standard 1200 was a voluntary 
standard that applied to control areas, transmission owners and 
operators, and generation owners and operators performing certain 
specific functions. The voluntary standard established a self-
certification process relating to the security of system control 
centers of covered entities. The Urgent Action 1200 standard was 
effective on a voluntary basis until June 1, 2006, when it was replaced 
by the eight CIP Reliability Standards that are the subject of the 
current FERC rulemaking.
---------------------------------------------------------------------------
    Reflecting Congress's objective in FPA Section 215 that industry 
expertise should be brought to bear in the development of Reliability 
Standards, the proposed cyber security standards have been crafted with 
significant industry input by experts in the area and a debate of key 
issues through a process accredited by the American National Standards 
Institute (``ANSI''). The Standard Authorization Request (``SAR'') for 
the cyber security standards was submitted to NERC on May 2, 2003. 
After two public comment periods, the industry reached a consensus on 
the scope and justification for the standards. The Standards 
Authorization Committee (``SAC'') appointed a drafting team of security 
experts to begin development of these standards in May 2004.
    Drafting team members brought significant experience and expertise 
from a broad spectrum of security related disciplines including 
information technology security, physical security, compliance 
auditing, personnel and training, energy management systems (``EMS''), 
and system control and data acquisition (``SCADA'') system operations. 
Drafting team members also brought expert knowledge of existing 
government regulations affecting security such as Sarbanes-Oxley and 
the Federal Information Security Management Act of 2002 (``FISMA''), as 
well as existing security related standards such as International 
Standards Organization (``ISO'') Standard 17799 and the body of work 
promulgated by NIST. A number of members of the drafting team held 
professional security certifications. Membership on the drafting team 
fairly represented ownership segments in the electric industry and a 
balance between U.S. and Canadian participation.
    Throughout the development process, the drafting team insisted on 
looking beyond generally accepted ``best practices.'' They sought to 
establish relevant, thorough requirements with unambiguous measures for 
determining compliance. Three versions of the cyber security standards 
were posted to solicit input from the industry and other interested 
parties. More than 2,500 pages of comments and responses to the 
comments were provided in response to the three postings of the draft 
standards. The fourth and final version was submitted to ballot of the 
stakeholders. The number and volume of comments received represented an 
extraordinary level of involvement by the industry during the 
development process.

    2. NERC's CIP Reliability Standards Proposal.
    In the August 2006 submission to FERC, NERC proposed eight new 
cybersecurity standards (CIP-002-1 to CIP-009-1) to provide a 
comprehensive set of requirements to protect the bulk power system from 
malicious cyber attacks. Because there are unique aspects of cyber 
protection for each entity and its assets, the standards require bulk 
power system owners, operators, and users to step through a sequence of 
establishing a risk-based vulnerability assessment method and using 
that method to identify and prioritize critical assets and critical 
cyber assets. Once the critical cyber assets are identified, the 
standards require the responsible entities to establish plans, 
protocols, and controls to safeguard physical and electronic access, to 
train personnel on security matters, to report security incidents, and 
to be prepared for recovery actions. The proposed cyber security 
standards propose the most comprehensive set of requirements ever 
utilized on a widespread basis in the electric industry.
    Because of the expanded scope of facilities and entities covered by 
these standards, and the investment in security upgrades required in 
many cases, the implementation plan calls for a three-year phase-in to 
achieve full compliance with all requirements. The transition builds 
progressively from the requirements that were previously in place with 
the 1200 Urgent Action Standard. In other words, the industry is 
improving its security measures in stages from the level established in 
2003 with the interim standard to an extraordinarily robust set of 
auditable requirements by end of year 2009.
    The proposed standards will apply to 11 categories of ``Responsible 
Entities,'' including NERC itself, the Regional Reliability Entities, 
reliability coordinators [which may include Regional Transmission 
Organizations or Independent System Operators], balancing authorities, 
interchange authorities, transmission service providers, transmission 
owners, transmission operators, generator owners, generator operators, 
and load serving entities. As set forth in the NOPR, the proposed 
standards address:
         CIP-002-1--Cyber Security--Critical Cyber Asset 
        Identification:
        Requires a responsible entity to identify its critical assets 
        and critical cyber assets using a risk-based assessment 
        methodology.
         CIP-003-1--Cyber Security--Security Management 
        Controls:
        Requires a responsible entity to develop and implement security 
        management controls to protect critical cyber assets identified 
        pursuant to CIP-002-1.
         CIP-004-1--Cyber Security--Personnel & Training:
        Requires personnel with access to critical cyber assets to have 
        an identity verification and a criminal check. Also requires 
        employee training.
         CIP-005-1--Cyber Security--Electronic Security 
        Perimeters:
        Requires the identification and protection of an electronic 
        security perimeter and access points. The electronic security 
        perimeter is to encompass the critical cyber assets identified 
        pursuant to the risk-based assessment methodology required by 
        CIP-002-1.
         CIP-006-1--Cyber Security--Physical Security of 
        Critical Cyber Assets:
        Requires a responsible entity to create and maintain a physical 
        security plan that ensures that all cyber assets within an 
        electronic security perimeter are kept in an identified 
        physical security perimeter.
         CIP-007-1--Cyber Security--Systems Security 
        Management:
        Requires a responsible entity to define methods, processes, and 
        procedures for securing the systems identified as critical 
        cyber assets, as well as the non-critical cyber assets within 
        an electronic security perimeter.
         CIP-008-1--Cyber Security--Incident Reporting and 
        Response Planning:
        Requires a responsible entity to identify, classify, respond 
        to, and report cyber security incidents related to critical 
        cyber assets.
         CIP-009-1--Cyber Security--Recovery Plans for Critical 
        Cyber Assets:
        Requires the establishment of recovery plans for critical cyber 
        assets using established business continuity and disaster 
        recovery techniques and practices.
    The cyber security standards proposed by NERC provide firm 
requirements that can be implemented by all participants in the 
electricity sector regardless of size, staffing levels, or levels of 
sophistication. Some members of the electricity sector already meet or 
exceed the proposed standards. However, the standards may be a 
significant burden on some entities that have not heretofore been 
required to implement cyber security programs. Throughout the 
development process, the drafting team attempted to push the bar beyond 
the generally accepted industry best practices, and to ensure that 
every component part has at least the minimum protection necessary to 
protect the reliability of the bulk power system as a whole. The 
resulting standards represent a balanced set of outcomes in a diverse 
industry. These standards are rigorous, but compliance can be achieved 
by all ``owners, operators and users'' of the bulk power system.
    The proposed cyber security standards fulfill relevant portions of 
Recommendations 32 and 32.A of the United States/Canada Power System 
Outage Task Force report. These recommendations state, in part, that 
NERC should finalize and implement the CIP-002-1 to CIP-009-1 
standards, that NERC standards related to physical and cyber security 
should be made mandatory and enforceable, and that NERC should take 
actions to better communicate and enforce these standards. To help the 
industry understand and implement these standards, NERC held a series 
of ten industry workshops on the standards for bulk power system 
owners, operators, and users that were conducted across North America.
    NERC also believes that these cyber security standards are a 
landmark for the implementation of mandatory cyber security in a non-
business environment. These standards represent, for the first time, a 
set of mandatory security requirements for an entire industry. Other 
statutory and regulatory attempts have not been as proscriptive or as 
specific as these standards.
    These proposed standards are different from traditional information 
technology security standards. The CIP Reliability Standards apply 
information technology security principles, which are commonly accepted 
in the business environment, to bulk power system control systems which 
were not designed with these security principles in mind. As such, the 
security principles must be carefully applied to ensure that there are 
no unintended consequences that undermine bulk power system 
reliability. These standards must prescribe what is required of real-
time critical bulk power system operating systems. This differs from 
what can be prescribed for secured business systems.
    Promulgating standards for the bulk power system that draw too 
closely on the standards appropriate for secured business systems could 
result in a less reliable bulk power system, either because of 
decreased operations or decreased security. Two examples of this are 
(1) the use of password-protected screen savers on computers, and (2) 
automatic lockout of accounts following invalid passwords. Both of 
these are accepted business system security practices, but they lead 
directly to reduced ability to reliably operate a real-time control 
system, and thus to a less reliable bulk power system. In the case of a 
password-protected screensaver, the business justification is to reduce 
the release of confidential information or misuse of the computing 
resources; in a control system, it results in a lack of visibility of 
key real-time operating parameters that must be constantly observed to 
ensure reliable operations. In the case of password lockout, business 
systems use the lockout as a preventative measure to ensure that 
information and computer resources cannot be used following an 
concerted attack; in a control system the need to rapidly be able to 
get access to a system under all circumstances may result in mis-typed 
passwords, which could lead to the complete inability to monitor or 
take corrective actions to maintain reliable operations. In both cases, 
control systems implement alternate mitigating controls, including 
increased physical security and additional personnel that the business 
systems cannot assume, to ensure that the systems are not misused.
    The proposed cyber security standards will increase the reliability 
of the bulk power system by improving the resiliency of the control 
system cyber assets and improving their ability to withstand cyber-
based attacks. Cyber security requirements will be applied to functions 
and companies where they have never before been applied. NERC has 
applied cyber security standards to control centers through prior 
standards; however, the Standards currently before the Commission are 
the first to require cyber security in either a substation or 
generating plant environment.

            3. Interaction Between NERC and NIST Processes.

    The FERC NOPR addresses the relationship between the CIP 
Reliability Standards and other existing standards for cyber security, 
both governmental standards and industrial standards. See NOPR, PP 87--
88. Specifically, the Commission received a recommendation that Federal 
Information Processing Standards (``FIPS'') 199, FIPS 200, and NIST 
Special Publication 800-53 Revision 1, Recommended Security Controls 
for Federal Information Systems (``SP 800-53'') be used as the basis 
for cyber security requirements applicable to the electric power 
sector. The National Institute of Standards and Technology recommended 
that FERC consider a transition to cyber security standards identical 
to, consistent with or based on SP 800-53 and related guidelines.
        The Commission declined to propose such a transition in the 
        NOPR:
        The Commission declines to propose at this time that NERC 
        incorporate any provisions of the NIST standards into the CIP 
        Reliability Standards. However, the Commission expects NERC to 
        monitor the development and implementation of the NIST 
        standards to determine if they contain provisions that will 
        better protect the Bulk-Power System. Several federal entities, 
        such as the Tennessee Valley Authority and Western Area Power 
        Administration, are subject to both the NIST standards and the 
        Reliability Standards, and therefore are likely to have unique 
        insights into the NIST standards. The Commission expects the 
        ERO to seek and consider comments from those federal entities 
        on the effectiveness of the NIST standards and on any 
        implementation issues. Any provisions that will better protect 
        the Bulk-Power System should be addressed in the ERO's 
        Reliability Standards development process. The Commission may 
        revisit this issue in future proceedings as part of an 
        evaluation of existing Reliability Standards or the need for 
        new Reliability Standards, or as part of assessing NERC's 
        performance of its responsibilities as the ERO.

NOPR, P 88 (footnote omitted).
    NERC agrees fully with the Commission's determination. During the 
development of the CIP Reliability Standards discussed above, 
participants in the standards development process acknowledged that 
NIST's existing FISMA guidance is not appropriate for control systems. 
NIST has continued its work in this area, and has developed guidance, 
which is still in the draft stage, on applicable actions to be 
performed in support of FISMA compliance to control systems. To date, 
NIST has released two public draft versions of its revised guidance (in 
July 2005 and June 2007). As of this date, however, the guidance has 
not been approved by NIST, nor issued in final form. Given the 
importance of the cybersecurity standards and the critical need to have 
standards in place and enforceable as soon as possible, it would not 
have been appropriate to delay the NERC standards development process 
in order to await the final outcome of the NIST process.
    Additionally, as described above, NERC's procedures for the 
development of reliability standards are governed by the Federal Power 
Act. In certifying NERC as the ERO, FERC approved NERC's ANSI-approved 
standards development process as consistent with the statutory 
requirements. This ANSI-approved process is essentially the same as 
that used by other standards organizations, including the IEEE, ISA, 
and ANSI itself. In contrast, the NIST process is not an ANSI-
accredited process, and does not include a stakeholder ballot. As all 
of the Reliability Standards developed by NERC and submitted to FERC 
for approval must be developed through the FERC-approved ANSI process, 
NERC cannot simply adopt a NIST guideline as a Reliability Standard. 
While the NIST proposals can be (and have been) considered in the ERO 
standards development process, the resulting standard cannot be the 
NIST document or guideline.

 C. While Interdependency Is A Significant Issue, The CIP Reliability 
 Standards Can Only Address Critical Assets In The Electricity Sector.

    Another issue addressed in the NOPR, and in the FERC staff 
assessment proposed CIP-002-1 regarding the identification of critical 
assets, concerned the ``interdependency'' with other infrastructures. 
The staff assessment asked for comments on whether CIP-002-1 should 
address this matter, and whether there should be coordination and 
collaboration in the future with other industries and government 
agencies. In the NOPR, FERC concluded that:
        While broader interdependency issues cannot be ignored, the 
        Commission intends to revisit this matter through future 
        proceedings and with other agencies. This work will help to 
        inform the electric sector and this Commission about the need 
        for future Reliability Standards, especially when the 
        interdependent infrastructures affect generating capabilities, 
        such as through fuel transportation.

NOPR, P 118.
    NERC concurs that the interdependency issue raised in the NOPR is 
an important one; however, the issue is too broad to be restricted to a 
single agency or industry sector. We believe that it is best raised 
through direct cooperation with other critical infrastructure sectors 
through existing cross-sector initiatives such as the Partnership for 
Critical Infrastructure Security (``PCIS'') and the Information Sharing 
and Analysis Center Council (``ISAC Council''), with the lead federal 
government agency being the U.S. Department of Homeland Security. Once 
specific issues directly relating to the reliability of the bulk-power 
system are identified through these organizations, standards creation 
activities can be initiated through the ERO to address them.

                            III. CONCLUSION

    The approval by FERC of the proposed CIP Reliability Standards will 
represent an important milestone in the transition to the system of 
mandatory and enforceable reliability standards envisioned by Congress 
in the Energy Policy Act of 2005, that will ensure grid reliability by 
improving the resiliency of the control system cyber assets and 
improving their ability to withstand cyber-based attacks.
    Going forward, standards development requires progressive and 
continuous improvement. NERC's rules, and a condition of accreditation 
by the American National Standards Institute, require that each 
standard be reviewed at least every five years. NERC anticipates 
completing the review and upgrade of all standards over a three-year 
period, beginning with the highest priority standards in 2007. NERC's 
standards development procedure provides a systematic approach to 
improving to the standards and documenting the basis for those 
improvements, and should serve as the mechanism for achieving those 
improvements.
    These CIP Reliability Standards already represent a significant 
improvement of cyber security for the electricity industry. Since our 
process requires that standards be continuously improved, the standards 
will be reviewed, modified and improved by necessity of the process. 
This will result in an ever-increasing improvement to the level of 
cyber security throughout the electricity industry. However, the 
process must start somewhere with a set of standards. Based on NERC's 
development process, and the demonstrated broad base of support, the 
standards currently before the Commission represent the most 
appropriate starting point for today's environment.



    Mr. Langevin. The Chair now recognizes Mr. Weiss to 
summarize your statement in 5 minutes.

   STATEMENT OF JOSEPH M. WEISS, MANAGING DIRECTOR, APPLIED 
                       CONTROL SOLUTIONS

    Mr. Weiss. Good afternoon, Mr. Chairman, Ranking Member 
McCaul and members of the committee. I would like to thank the 
committee for your commitment to a comprehensive examination of 
the cybersecurity of control systems utilized in our Nation's 
electric grid. I also want to thank you for the opportunity to 
be here today to discuss this very important topic.
    As you mentioned, I am a nuclear engineer that has been 
involved in control systems for over 35 years and control 
systems cybersecurity specifically for over 7 years. I have 
been part of the NERC cybersecurity standards process since its 
inception. I have been working with government organizations, 
end users, equipment suppliers, domestic and international 
standards organizations and others. I am also a utility 
stockholder and ratepayer, both of which can be affected by 
what we are discussing today.
    The issue at hand is the protection of the interdependent 
critical infrastructures of electric power, water, oil, gas, et 
cetera. Control systems form the backbone of these 
infrastructures, and the threat of a cyber attack is the 
central issue. There are only a handful of control systems 
suppliers, and they supply industrial applications worldwide.
    The control systems architectures and default passwords are 
common to each other. Consequently, if one industry is 
vulnerable, they all could be. I am aware of more than 90, 9-0, 
cases where control systems have been impacted by either 
intentional or unintentional incidents. These incidents have 
occurred in electric power transmission and distribution 
systems, power generation including fossil, hydro, gas turbine 
and nuclear, water, oil, gas, chemicals, paper and 
agribusiness. The damage from the cyber incidents has ranged 
from trivial to significant environmental releases to 
significant equipment damage to even deaths.
    When the NERC cybersecurity standards process originated, 
it was meant to address utility control systems with the only 
exclusion being mainstream business applications. Over time, 
the scope significantly narrowed. The approach has resulted in 
the following shortcomings: the ambiguousness and exclusions of 
the NERC CIP process, and this includes telecom, electric 
distribution, market systems, serial communications, nuclear 
plants; and even the fact of not requiring actual appropriate 
control systems policies would not meet a cybersecurity 
assessment of the human resources computer system, yet we are 
using this as a basis for our most important critical cyber 
assets. The banking industry is concerned about the security of 
a single open access point on a laptop. On the other hand, the 
electric industry is determined by using the NERC substandards 
that an entire section of the United States has no critical 
generation assets. How can this be considering NERC's input on 
the aurora vulnerability?
    In my written testimony, I have provided four actual 
control system cyber events the NERC substandards would not 
have addressed, including one that was identified in an 
electric sector ISAC advisory in 2003. This is not aurora. As 
can be seen, this lack of any real security being addressed by 
NERC is alarming at best and negligent at worst.
    There is a better approach that, in fact, is already 
mandatory for all Federal agencies, which includes TVA, BPA, 
and the Bureau of Reclamation among others. This approaches the 
NIST framework, which has been expanded to specifically address 
control systems. We have conducted a line-by-line review 
between the NERC CIPs and NIST 800-53; the results were that 
NIST 800-53 is more comprehensive.
    Why should Federal power agencies be held to a higher 
standard? But, more so, why should they be placed at risk where 
non-Federal agencies connect with them using a less 
comprehensive approach? This doesn't make any sense.
    My recommendation is, Congress should empower FERC with the 
authority and responsibility for development of control systems 
cybersecurity requirements and compliance criteria similar to 
the role of the Nuclear Regulatory Commission. In so doing, 
Congress should also provide FERC with the authority to 
separate ERO functions so that NERC is responsible for 
traditional electric system reliability standards, and have a 
separate organization, very possibly ISA, be responsible for 
the cybersecurity aspects of critical infrastructure 
protection.
    Finally, Congress should take action so that the ERO 
function is funded by the government, not by industry as is now 
the case, to better ensure that conflicts of interest do not 
interfere with doing what is right and necessary and not just 
what is convenient.
    Thank you for allowing me to provide my thoughts and 
concerns, and I would be happy to answer any questions.
    [The statement of Mr. Weiss follows:]

                 Prepared Statement of Joseph M. Weiss

    Good afternoon Mr. Chairman and Members of the Committee. I would 
like to thank the Committee for your invitation to discuss the need for 
appropriate cyber security of the control systems utilized in our 
nation's critical infrastructure, in particular, the electric 
infrastructure.
    I am a nuclear engineer who has spent more than thirty years 
working in the commercial power industry designing, developing, 
implementing, and analyzing industrial instrumentation and control 
systems. I have performed cyber security vulnerability assessments of 
power plants, substations, electric utility control centers, and water 
systems. I am a member of many groups working to improve the 
reliability and availability of critical infrastructures and their 
control systems, including the North American Electric Reliability 
Council's (NERC) Control Systems Security Working Group (CSSWG), the 
Instrumentation Systems and Automation Society (ISA) S99 Manufacturing 
and Control Systems Security Committee, the National Institute of 
Standards and Technology (NIST) Process Control Security Requirements 
Forum (PCSRF), Institute for Electrical and Electronic Engineers (IEEE) 
Power Engineering Society Substations Committee, International 
ElectroTechnical Commission (IEC) Technical Committee 57 Working Group 
15, and Council on Large Electric Systems (CIGRE) Joint Working Group 
D2.22. As a control system cyber security expert, citizen, stockholder, 
and ratepayer, I am very concerned about the electric industry's 
approach to securing the electric grid. I would like to state for the 
record that the views expressed in this testimony are mine. I am not 
representing any of the groups in which I am involved.
    Until 2000, my focus strictly was to design and develop control 
systems that were efficient, flexible, cost-effective, and remotely 
accessible, without concern for cyber security. At about that time, the 
idea of interconnecting control systems with other networked computing 
systems started to gain a foothold as a means to help lower costs and 
improve efficiency, by making available operations-related data for 
management ``decision support.'' Systems of all kinds that were not 
interconnected with others and thereby could not share information 
(``islands of automation'') became viewed as an outmoded philosophy. 
But at the same time, there was no corresponding appreciation for the 
cyber security risks created. To a considerable extent, a lack of 
appreciation for the potential security pitfalls of highly 
interconnected systems is still prevalent today, as can be witnessed in 
a recent article in the September 2007 issue of Power Magazine.\1\ As 
such, the need for organizations to obtain information from operational 
control system networks to enable ancillary business objectives has 
often unknowingly led to increased cyber vulnerability of control 
system assets themselves.
---------------------------------------------------------------------------
    \1\ Makansi, Jason, ``Integrated Software Platform Eludes Many 
Owner/Operators'', Power Magazine, September 2007.
---------------------------------------------------------------------------
    Generally cyber security has been the purview of the Information 
Technology (IT) department, while electric control system departments 
have focused on grid and plant operations efficiency and reliability--
not cyber security. This has led to the current situation where some 
parts of the organization are now sensitized to security while others 
are not as yet aware of the need. Industry has made progress in 
identifying control system cyber security as an issue while not 
appreciating the full gravity of the matter. In other ways, 
particularly concerning the proposed NERC Critical Infrastructure 
Protection (CIP) cyber security standards,\2\ I believe we have fallen 
short of the mark. The timing of this hearing is fortuitous as more 
than 70 organizations have recently submitted commentary responses to 
the Federal Energy Regulatory Commission's (FERC) Notice of Proposed 
Rulemaking (NOPR) RM06-22.\3\ These submittals provide a detailed view 
into the electric power industry's intended approach to securing the 
cyber assets used to operate the grid.
---------------------------------------------------------------------------
    \2\ NERC Cyber Security Standards, http://www.nerc.com/filez/
StandardsStandards/Cyber-Security-Permanent.html
    \3\ Federal Energy Regulatory Commission Docket RM06-22, http://
www.ferc.gov/docs-filing/elibrary.asp

How Mainstream IT and Control System Cyber Security are Different
    Control systems include distributed control systems (DCS), 
programmable logic controllers (PLC), supervisory control and data 
acquisition (SCADA) systems, and related networked-computing systems. 
Control systems are designed and operated differently than mainstream 
IT business systems. Traditionally, the emphasis in securing business 
IT systems is to employ the best practices associated with the well-
established ``Confidentiality, Integrity, Availability'' (CIA) triad 
model--in that order of importance. Typically extra emphasis is placed 
on rigorous human end user access control and data encryption to 
satisfy the important function of confidentiality. In control systems, 
however, confidentiality has less urgency than system availability and 
data integrity, because in actual control system operation, the typical 
``users'' are other computer-based devises (e.g. PLCs and field 
devices), not humans. This distinction, and the fact that most extant 
control systems are outfitted with older microprocessors with little 
compute power, lies at the heart of the issue of securing control 
systems in a manner appropriate to current need.
    Unfortunately, today very few people possess thorough understanding 
of control system cyber security. This understanding requires prior 
detailed knowledge of the control system application, how it is 
designed and operated, as well as how it communicates and is 
interconnected with other systems and ancillary computing assets, 
before appreciation of cyber vulnerabilities of the system as a whole 
can begin. Figure 1 generally characterizes the relationship of the 
different types of specialty technical skills needed for control system 
cyber security expertise, and also reflects the relative quantities of 
each at work in industry today. Most people now becoming involved with 
control system cyber security typically come from a mainstream IT 
background and not that of control systems. This has, in some cases, 
inadvertently resulted in making control systems less reliable without 
providing increased security, such as the example of the uninformed use 
of mainstream IT port scanners on older generation PLC networks. 


FiGure 1--Relationship and Relative Availability of Control System 
Cyber Security Expertise
    It is often mistakenly assumed that a cyber security incident is 
always a premeditated targeted attack. However, NIST defines a Cyber 
Incident \4\ as: ``An occurrence that actually or potentially 
jeopardizes the confidentiality, integrity, or availability (CIA) of an 
information system or the information the system processes, stores, or 
transmits or that constitutes a violation or imminent threat of 
violation of security policies, security procedures, or acceptable use 
policies. Incidents may be intentional or unintentional.'' 
Unintentional compromises of CIA are significantly more prevalent and 
can have severe consequences. In fact, statistics collected over 
roughly the past 20 years in mainstream IT have consistently shown that 
about two-thirds of all cyber security incidents originate from within 
an organization, and that the cause of most of those are unintentional 
human error. This phenomenon must also be addressed by cyber security 
standards if they are to be effective.
---------------------------------------------------------------------------
    \4\ National Institute of Standards and Technology Federal 
Information Processing Standards Publication 200, Minimum Security 
Requirements for Federal Information and Information Systems, March 
2006. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-
march.pdf
---------------------------------------------------------------------------
    Use of mainstream operating system environments such as Windows and 
UNIX for running control system applications leave them just as 
vulnerable as these operating systems are when used anywhere else, and 
application of mainstream IT security technical solutions and/or 
methods can be applied to help secure our more modern control system 
host computers and operator consoles (i.e., PCs). At the same time, 
however, application of mainstream IT security technologies and methods 
can also adversely affect the operation of control systems, such as 
causing components on networks of older generation PLCs to freeze-up 
upon use of port scanning tools, as noted. Furthermore, DOE's Idaho 
National Laboratory (INL) has conducted demonstrations of how a hacker 
can manipulate widely used ``middleware'' software running on very 
current mainstream computer systems without a great deal of difficulty, 
e.g., using vulnerabilities in OPC code (``OLE for Process Control''). 
In this sobering demonstration the system appears to be functioning 
properly even though it is not; while displaying incorrect information 
to, or withholding correct information from, system operator consoles.

Inadequacy of NERC CIP Standards as Effective Regulation
    Prior to NERC becoming the Electric Reliability Organization (ERO), 
NERC was an industry sponsored, industry-led, and industry-funded 
organization, and they still are today. Contrary to popular belief, 
NERC as ERO is still funded by the industry, thereby creating potential 
for conflict of interest. It was a secret to no one involved that the 
objective in drafting the Critical Infrastructure Protection (CIP) 
Standards was for the industry, through NERC, to put something in place 
to its liking before the Federal Government did so in its behalf. Thus, 
the CIP Standards were developed by a trade association.
    Because NERC employs an American National Standards Institute 
(ANSI)-approved standards development process, it is required to follow 
certain rules including balloting of its standards to obtain approval 
from constituent industry member organizations. Consequently, as the 
CIP Standards went through the balloting process, they became less 
inclusive, more ambiguous, and created more exemptions to 
applicability. It should also be noted that prior to industry 
acceptance of the final version, the CIP Standards went though three 
rounds of drafting and subsequent industry comment of approximately 
1000 pages each (with some redundancy), and the NERC Drafting Team 
could accept or reject recommendations unilaterally as they deemed 
appropriate, with but modest explanation as to rationale. NERC and many 
utility representatives recognized the limitations of this effort, but 
felt anything more rigorous in terms of requirements would not be 
acceptable to enough utility organizations to pass ballot.
    As the NERC CIP Standards moved to their final revision, the focus 
was shifted entirely to bulk power grid reliability in and of itself, 
rather than on societal welfare and safety from a homeland security or 
economic perspective. The reliable operation of a small substation that 
supports a major oil or gas pipeline in a remote locale is not salient 
to grid stability, but failure of same could very well have profound 
adverse consequences for the health of the US economy. Likewise, under 
the CIP Standards, the importance of continuity of electric power to 
municipal water works, manufacturing plants, refineries, hospitals, and 
military installations, etc., is not a factor requiring consideration 
in determining the importance (or ``Criticality'') of the electric 
system assets which serve them.
    Perhaps the biggest issue with the CIP Standards as a set is CIP-
002, which establishes the scope of applicability for all of the other 
CIP Standards: identification of ``Critical Assets.'' These are 
individual pieces of electric system equipment such as electric 
generating units, substation transformers and digital protective 
relays, and though not explicitly stated, presumably though not 
explicitly the control system hosts, related servers, and operator 
consoles as well. Per CIP-002, deciding exactly which electric system 
assets are critical to reliable operation of the bulk electric system 
is left up to each individual organization to determine for itself, 
using a ``risk based assessment methodology'' of its own choosing or 
design. It is only the network-computing control systems components 
used to operate these specific Critical Assets--thereby deemed 
``Critical Cyber Assets''--that must be protected under the CIP 
Standards. For all other non-Critical electric and control system 
assets, the CIP Standards simply do not apply and may be ignored. As 
CIP-002 is currently written, allowing an organization to choose its 
own methodology permits the documented results from the flip of the 
coin as a perfectly valid and compliant approach to self-determination 
of Critical Assets. FERC has expressed consternation with this 
``flexibility'' in its Notice of Public Rulemaking (NOPR) comments, and 
in its Final Rule will in all likelihood remand this Standard back to 
the NERC Standards process for re-conception. Unfortunately, the NERC 
standards development process takes a great deal of time, and our 
enemies are not constrained to only take advantage of our 
vulnerabilities after our schedule for securing them has run its 
course. The industry has been in the process of developing cyber 
security standards for over four years, and yet the matter remains 
unconcluded.
    As noted, the CIP Standards apply only to those electric system 
components self-identified by asset owners themselves to be critical to 
their ability to maintain reliability for that part of the bulk 
electric grid falling under the aegis of each. The process does not 
embrace intra-region, inter-region, or a national viewpoint of the grid 
as a system, but rather only parochial considerations, each in 
isolation to the others. Additionally, there is no requirement to take 
into consideration the potential for multiple contingency threat 
scenarios that can involve more than one sphere of interest, such as 
interdependency of critical natural gas pumping stations and the 
greater electric power system. What's more, because utilities are 
interconnected, they often share equipment where the utilities conjoin 
(e.g., ``dual ported Remote Terminal Units-RTUs''), to say nothing 
about network-to-network data router interconnections. Accordingly, 
because utilities will apply the CIP Standards in a non-uniform 
fashion, one utility's less rigorous application of the CIP 
requirements will make it a ``weak link'' relative to its neighbor 
utility, to the detriment of the cyber security of both organizations 
and any others to which there are further data network 
interconnections. Also note that all major electric sector control 
systems in North America communicate over the common ``NERCnet'', 
further exacerbating the situation. Worse yet, these days most control 
networks are also interconnected with their corporate IT networks, 
which themselves are connected to the Internet. A chain is only as 
strong as its weakest link.
    Technically, the CIP Standards were conceived primarily from the 
frame of reference of protecting control center host systems and 
operator consoles, rather than field and plant floor controls equipment 
(``Other Facilities'') at work in substations, switchyards, and power 
plants. The data systems in use within control centers generally 
utilize current computing and networking technology, requiring 
protective measures akin to those used in mainstream business and 
Internet computing. Conversely, most field PCS (e.g., substation 
equipment) and power plant DCS controller equipment still in use today 
employ technology that generally is obsolete and has little in the way 
of built-in cyber defenses, with little potential for upgrade or 
augmentation. But since the CIP Standards are intended to apply for 
both data center and intelligent field assets, they had to be written 
in a way that would be relevant for advanced current and future 
computing technologies, while at the same time accommodating what is 
essentially `ancient' field and plant controls equipment. The result is 
milquetoast one-size fits all standards that are not rigorous enough 
for current and future cyber security challenges on the one hand, and 
by and large are overkill for the older field and plant cyber assets 
still in use. What's more, major gaps in CIP Standards' effectiveness 
are created by a number of explicit exclusions from applicability--in 
essence, loopholes.
    Ironically, some of the most important contributors to grid 
reliability, nuclear power plants, are excluded from the scope of 
consideration as to criticality. While the Nuclear Regulatory 
Commission (NRC) has robust physical security standards for nuclear 
plants, the interconnection of nuclear power plant cyber control assets 
with those used to manage the bulk electric grid currently is not 
addressed in either NERC or NRC Standards. Also, while physical 
security requirements are specified by NRC for nuclear power plants, a 
little appreciated subtlety is that the CIP Standards specify physical 
security requirements for Critical Cyber Assets only. There is no 
existing NERC standard governing physical security of the Critical 
Assets themselves, or any other grid assets for that matter.
    Since electric distribution systems have been excluded from CIP 
Standards' scope, so too are the controls used to operate them. This is 
true even though distribution assets are in operation within many 
transmission substations. Regardless of this, while many distribution 
systems employ no control system at all, the ones that do are 
electronically interconnected with transmission control systems, 
thereby creating a direct pathway into the networked-controls 
infrastructure of the greater bulk electric grid. Independent System 
Operator (ISO) and Regional Transmission Operator (RTO) energy 
management systems (EMS) are intrinsically data networks, 
interconnected one with another via NERCnet. Also via NERCnet, each is 
also interconnected with ``downstream'' control systems operated by 
more localized distribution operators, including cooperatives and 
municipal utilities. With control systems of all ownership becoming 
increasingly interconnected to one another, while also being 
interconnected with general-purpose corporate data networks and the 
Internet, control system exposure to cyber threats is greatly 
increased. Accordingly, the frame of reference concerning standards for 
control system cyber security supporting grid reliability purposes must 
be expanded to account for at least those operational control systems 
that need to be directly interconnected. This means expanding the scope 
of the standards to include smaller control area systems which 
routinely exchange data--and potentially viruses, worms, or other 
possibly compromised data--with ISO/RTO systems directly. Smaller 
control area systems can be attractive points of entry and through-
navigation paths employed in common hacker ``island hopping'' 
technique. By analogy, at least some of the 9/11 terrorists entered the 
air transit system through feeder airports on that fateful day.
    Another exception to applicability of the CIP Standards are control 
systems' data communication infrastructure per se. Currently, the 
electric industry has a huge investment in serial communications that 
will not be replaced and/or upgraded to routable communications such as 
Internet Protocol (IP) for many years. These serial communication 
systems have been demonstrated by the National Laboratories to be cyber 
vulnerable, e.g., through induction coil passive wiretapping or war 
dialing, and there have been instances where serial communications have 
been compromised. However, legacy protocol serial communications are 
excluded from the CIP Standards' scope simply because they employ non-
routable protocols.
    A further dubious exclusion from the scope of CIP Standards' 
applicability involves the Open Access Same-Time Information System 
(OASIS). These distributed market trading systems are excluded from CIP 
scope, even though they are routinely connected to energy management 
systems (EMS) and/or SCADA reliability systems on one side, and the 
Internet on the other. There is no existing regulation currently 
governing the cyber security of market systems, which many large 
systems operators will tell, at least privately, are paramount to their 
ability to dispatch their reliability responsibilities. In fact, aside 
from OASIS systems becoming entirely unavailable, an operations manager 
for a large transmission organization recently offered in confidence 
that ``the thing that scares [him] most in terms of maintaining 
reliability is spoofed [OASIS] schedules and tags'' through cyber 
means.
    Finally, while some electric industry organizations are using 
ambiguities within the CIP Standards to minimize the number of Critical 
Cyber Assets to which the Standards must be applied, without realizing 
it they may be greatly increasing their liability in other ways. At the 
ISA Expo2007 in Houston,\5\ a panel session was held on October 2, 
2007, covering NERC CIP implementation. The NERC representative in 
attendance explicitly stated that a utility would be CIP-compliant 
merely by establishing cyber security policies of some kind, even if 
they are poorly conceived or effectively inadequate to need. During the 
CIP Standards drafting process a less vocal but substantial number of 
electric industry representatives complained about the absence of 
``adequacy metrics'' pertaining to the Standards' requirements in 
general across the board, which was not remedied prior to their 
balloted approval by the industry. This demonstrates how conception of 
the CIP Standards has missed the mark of thoughtfully effecting genuine 
cyber security, but rather has resulted in the framing of a compliance 
exercise in essence amounting to adherence to a checklist. This at once 
elevates the need for technically competent auditors who can review the 
checklists and ask the right questions, while at the same time there 
are very few auditors who have requisite experience in the context of 
control systems. What's more, during a panel session at the ISA 
Expo2005 in Chicago, one utility industry representative presented the 
following slide: ``In the Electric Sector, the Business Case for CIP & 
Reliability initiatives in today's landscape must be based on the 
surety that your company will be financially impacted if it is found to 
be noncompliant.'' \6\ That is, if the amount of the fine would be less 
than the cost to become secure, the utility would pay the fine.
---------------------------------------------------------------------------
    \5\ Panel Session on NERC Compliance, ISAExpo2007, Houston, TX, 
October 2, 2007.
    \6\ Thomas Flowers, ``The Business Case for Being Auditably 
Compliant'', ISAExpo2005, Chicago, IL, October 25, 2005.

Case Histories Which Reveal NERC CIP Standards' Inadequacies
    Contacts throughout industry have shared with me the details and 
adverse affects of more than 90 confirmed control system cyber security 
incidents to date. This information has been shared with me by 
individuals from the affected organizations, and from government 
sources such as the Nuclear Regulatory Commission (NRC), the DOE 
National Laboratories, the National Transportation Safety Board (NTSB), 
and the National Institute of Standards and Technology (NIST). Note use 
of the term ``incident'', not ``attack'', as most of these events have 
been unintentional. The incidents are international in scope (North 
America, Europe, and Asia) and span several industrial infrastructures 
including electric power, water, oil/gas, chemical, and manufacturing. 
With respect to the electric power industry, cyber incidents have 
occurred in transmission, distribution, and generation including 
fossil, hydro, and nuclear power plants. Impacts, whether intentional 
or unintentional, range from trivial to significant environmental 
discharges, serious equipment damage, and even death. Figure 2 shows 
the result of a Bellingham, WA, pipe rupture,\7\ which an investigation 
concluded was not caused by an intentional act. Figure 3 is a picture 
from the Idaho National Laboratory (INL) demonstration of the ability 
to intentionally destroy an electric generator by simulating a cyber 
attack.\8\
---------------------------------------------------------------------------
    \7\ ``Pipeline Accident Report Pipeline Rupture and Subsequent Fire 
in Bellingham, Washington June 10, 1999'', National Transmission Safety 
Board Report NTSB/PAR-02/02 PB2002-916502.
    \8\ http://news.yahoo.com/s/ap/20070927/ap_on_go_ca_st_pe/
hacking_the_grid_13
[GRAPHIC] [TIFF OMITTED] T1078.002

Figure 2 Bellingham, WA Gasoline      Figure 3 INL Cyber Demonstration
  Pipeline Rupture

    The deficiencies in the NERC CIP can be demonstrated by the 
exercise of applying them to historical cyber events. In each 
historical case discussed below, adherence to CIP Standards' 
requirements would have failed to address the underlying causes. I have 
chosen events that are all publicly documented by government (US and 
Australian) reports. I have also included references to the Final 
Report of the 2003 Northeast Blackout.\9\ The reason for including this 
reference example is because there were several cyber issues associated 
with the Northeast Blackout including co-temporal release of the 
Blaster worm and the First Energy SCADA system alarm problem. These 
issues resulted in 13 (of the 46) recommendations contained in the 
Northeast Blackout Report being cyber-related. The Northeast Outage 
Final Report was issued approximately two years before the NERC CIP 
Standards were approved. Not including the Blackout Report's 
recommendations is inexcusable.
---------------------------------------------------------------------------
    \9\ Final Report of the August 14, 2003 Blackout in the United 
States and Canada: Causes and Recommendations, April 2004, https://
reports.energy.gov/BlackoutFinal-Web.pdf

Case (1) June 20, 2003 ``SQL Slammer Worm Lessons Learned. . .''.\10\
---------------------------------------------------------------------------
    \10\ SQL Slammer Worm Lessons Learned for Consideration by the 
Electric Sector, June 20, 2003, nerc.com.
---------------------------------------------------------------------------
    The control network at issued employed a frame relay data network 
service that interfaces with both the utility's host control system on 
one side of the network, and field components on the other. This 
network service, vended by a large telecommunications carrier, 
supported many diverse business organizations simultaneously. As is 
common, this network service utilized a high speed Asynchronous 
Transfer Mode (ATM) core network backbone at the center of the frame 
relay network. With the release and rapid spread of the Slammer worm 
across businesses of all kinds serviced by the frame network, the core 
ATM infrastructure became choked by the worm's multiplying replication 
and propagation. This resulted in blockage of SCADA traffic between the 
utility controls host and remote controls equipment in field 
substations. Note that NERCnet is a shared frame relay network.
    Issues: The telecom network was in essence shut down by Slammer 
worm traffic. The Final Report on the Northeast Blackout recommends the 
development of a capability to detect wireless and remote wire line 
intrusion and surveillance, and this report was issued prior to the 
adoption of the NERC CIP Standards. NERC should have heeded this 
recommendation, but inexplicably, the CIP Standards exclude 
availability requirements for telecom networking, which is intrinsic to 
control system operations. As will be discussed later, the NIST SP800-
53 standard does not allow a scope exclusion concerning 
telecommunications network availability--the CIP Standards do.

    Case (2) Tempe, Arizona Area Outage of June 29, 2007. \11\
---------------------------------------------------------------------------
    \11\ ``Computer Problem Causes Brief Outage to as Many as 100,000 
SRP Customers in Arizona'', Energy Assurance Daily, Friday June 29, 
2007, http://www.oe.netl.doe.gov/docs/eads/ead062907.pdf
---------------------------------------------------------------------------
    The outage lasted 46 minutes and affected 98,700 customers, 
representing 399 Megawatts (MW) of load. It was caused by the 
unexplained activation of the distribution load shedding program in the 
energy management system (EMS) at the Salt River Project (SRP), the 
utility affected. A total of 141 distribution circuit breakers were 
opened by the EMS unexpectedly.
    Issues: Most of the automation used in electric transmission and 
distribution systems is used to manage the distribution function. 
Distribution systems can be directly connected to transmission systems, 
and distribution system failures can be precursors to cascading outages 
resulting from runaway load shedding. However, the NERC CIP excludes 
distribution automation from scope, because they are not deemed to be 
part of the bulk electric system per se (i.e., the grid). NIST SP800-53 
does not allow exclusion from scope of distribution automation assets.

Case (3) Australian Wireless Network Hack \12\
---------------------------------------------------------------------------
    \12\ Supreme Court of Queensland r v Boden, Vitek 2002, CA Number 
324 of 2001 DC Number 340 of 2001, http://www.courts.qld.gov.au/
qjudgment/QCA%202002/QCA02-164.pdf.
---------------------------------------------------------------------------
    A disgruntled former consultant to an Australian firm that used 
radio-controlled SCADA sewage processing equipment packed his car with 
stolen radio equipment and attached it to a computer. He drove around 
the area on at least 46 occasions from February 28 to April 23, 2000, 
issuing radio commands to open discharge valves, resulting in sewage 
spills. This attack became the first widely known example of someone 
maliciously breaking into a control system.
    Issues: Aware of this event, the task force that issued The Final 
Report of the Northeast Blackout recommended the development of 
capabilities to detect wireless and remote wire line intrusion and 
surveillance. The Blackout Report and the Australian sewage attack 
report were issued prior to the issuance of the NERC CIPs. 
Inexplicably, the NERC CIP Standards exclude non-routable protocols and 
do not explicitly address wireless communications. NIST SP800-53 does 
not have these scope exclusions concerning non-routable protocols, and 
addresses wireless communications explicitly.

Case (4) Nuclear Power Plant Cyber Incident \13\
---------------------------------------------------------------------------
    \13\ NRC Information Notice: 2007-15: Effects of Ethernet-Based, 
Non Safety Related Controls on the Safe and Continued Operation of 
Nuclear Power Stations, April 17, 2007.
---------------------------------------------------------------------------
    On August 19, 2006, operators at Browns Ferry nuclear generating 
facility, had to manually scram (shut down) Unit 3 following a loss of 
both primary and secondary reactor water recirculation pumps. Plant 
procedures specified that the manual scram was required following the 
loss of recirculation flow. The NRC issued an Information Notice (IN) 
to alert licensees about recent operating experience related to the 
effects of potential interactions and unanticipated failures of 
Ethernet connected non-safety equipment on the safety and performance 
systems in use at nuclear power stations.
    Issues: Nuclear plants represent approximately 20% of US electric 
power generation. Widespread shutdown of nuclear facilities would have 
significant adverse impact on the reliability of the bulk electric 
grid. The NRC is responsible for the safety of nuclear plants, that is, 
safe shutdown. NRC does not however ``regulate'' the continued 
operation of nuclear plants in relation to grid reliability, as 
witnessed in the NRC Information Notice. The NERC CIP Standards exclude 
nuclear power facilities from scope, while NIST SP800-53 does not allow 
such exclusions for nuclear plants.

Early Repercussions from Establishment of the CIP Standards
    As noted above, each organization in the electric industry with 
responsibility for maintaining the reliability of the bulk electric 
system is free to adopt a risk based assessment methodology of its own 
choosing or design to determine which cyber controls apparatus must be 
protected. Discussion across the industry has born witness to an 
interesting phenomenon which has yet to be formally documented 
anywhere. It so happens that many of the largest electric utilities 
have determined in their risk assessments that they have no--zero--
critical generation assets. In fact, within one of the largest regions 
in the US, the southeast, virtually none of the large operators have 
identified any of their generation assets--nuclear included--as being 
critical to reliability of the bulk electric system. The reason for 
this is offered forthrightly, that their systems have been designed to 
withstand ``N-1 contingencies,'' meaning that they can withstand the 
loss of any single unit without adverse impact on reliability. What is 
not being considered is the potential for simultaneous multiple 
contingencies. With the greater controls infrastructure being as cyber-
interconnected as observed earlier, it is by no means beyond the realm 
of possibility of just such an occurrence taking place. Without 
digression into potential permutations, while Slammer and Blaster worms 
were propagated via email, and email is generally not used in 
operational control systems, an analogous threat vector could be 
sculpted for widespread attack on the greater assemblage of control 
systems used to operate the grid. What if a Trojan Horse planted in 
numerous generation control systems should awaken at the appointed hour 
and simultaneously trip a whole collection of plants in a region 
offline at once? The effect would look very much like the Northeast 
Blackout. Very possible scenarios such as this are being discounted out 
of hand by people in positions of authority who really do not 
understand cyber security.
    Second, we are also witnessing an unfortunate and unexpected 
phenomenon concerning the CIP Standards that leaves us at cross 
purposes with other needed electric system management improvements. 
Many of the more recent utility controls automation upgrades have been 
motivated by the goal of improving electric system reliability, but at 
the same time to also aid reduction in operation and maintenance costs. 
Many of these new systems enhancements are predicated upon the use of 
modern digital networking technologies (e.g., employing routable 
protocols such as IP), and in so doing these assets explicitly fall 
within scope of NERC CIP Standards' compliance. Consequently, because 
of concerns about potentially being ``caught by the CIP Standards'' in 
a state of noncompliance thereby resulting in potentially large fines, 
a number of utilities have started to disconnect, or have ceased 
implementation of, these modern networked-systems improvements--
motivated explicitly by the goal of CIP Standards compliance-
requirements avoidance. This tactic results in leaving certain existing 
cyber vulnerabilities unaddressed through exploitation of loopholes in 
the CIP Standards, as now written. At the same time, new ``time and 
distance compression'' operating efficiencies that can be garnered 
through use of modern networked remote control and telemetry are 
thereby lost by this step backward. The potential for improved 
operational efficiency could at least temporarily contain if not indeed 
reduce gross operating costs, which in turn holds the line on electric 
rates experienced by society. So, it appears that the industry is at 
cross-purposes in its response to the need to both secure and modernize 
the existing control systems infrastructure. This ironic industry 
response to the CIP Standards serves neither purpose in any discernable 
positive way.

An Alternative to the NERC CIP Standards
    The NIST ``Security Risk Management Framework'' (hereafter referred 
to as ``Framework'') has been developed by the Department of Commerce, 
and its use is mandatory for all federal agencies under the Federal 
Information Security Management Act (FISMA).\14\ It is devoid of 
conflict of interest and has been broadly and publicly vetted. There is 
nothing `onerous' about the NIST Framework, as it applies specifically 
for systems that do not have national security significance, and 
recently it has been augmented to address the unique needs of 
industrial control systems. In a study performed by MITRE Corporation 
for NIST, a line-by-line comparison of controls and countermeasures 
within NIST SP800-53 \15\ and the NERC CIP Standards \16\ was 
undertaken. The results indicated the NERC CIP Standards were less 
rigorous than even the low-baseline security controls established in 
the NIST Framework. In the final analysis, if U.S. Fish and Wildlife 
must comply with the low-baseline NIST Framework, from the perspective 
of societal wellbeing and economic stability, in good conscience is it 
prudent to require less from the operators of the electric grid.
---------------------------------------------------------------------------
    \14\ The Federal Information Security Management Act of 2002 
(``FISMA'', 44 U.S.C. Sec. 3541, et seq.)
    \15\ National Institute of Standards and Technology Special 
Publication 800-53, Revision 1, Recommended Security Controls for 
Federal Information Systems, December 2006.
    \16\ MITRE Technical Report (MTR070050): Addressing Industrial 
Control Systems in NIST Special Publication 800-53; http://
csrc.nist.gov/groups/SMA/fisma/ics/documents/papers/ICS-in-SP800-
53_final_21Mar07.pdf
---------------------------------------------------------------------------
    A recurrent theme in the FERC NOPR is the need for greater 
granularity and detailed specificity in the CIP Standards. Part of the 
problem is the manner in which the CIP Standards are written--broadly 
brushed and highly generalized; so it's easy to understand FERC's 
desire for more specificity. This desire is at least in part motivated 
by the need to conduct compliance audits. The high-level abstraction of 
the NERC CIP Standards requirements language can leave the auditor 
struggling with shades of grey in interpretation (especially those 
auditors that come from a mainstream IT background exclusively), to say 
nothing as to grey-area impact in appeals to findings of non-
compliance. In contrast, NIST SP800-53 is far more granular and 
provides clear requirements that have much less room for 
misunderstanding. Furthermore, the companion NIST SP800-53A \17\ 
provides guidelines for determining the effectiveness of cyber security 
controls; that is, the extent to which the controls are implemented 
correctly, operating as intended, and producing the desired outcome 
with respect to meeting the security needs of the organization. 
Additionally, NIST has also produced a detailed guidance document for 
industrial control system (ICS) security, NIST SP800-82,\18\ which 
provides instruction on securing ICSs while at the same time satisfying 
their unique performance, reliability, and safety requirements.
---------------------------------------------------------------------------
    \17\ National Institute of Standards and Technology Special 
Publication 800-53A, Guide for Assessing the Security Controls in 
Federal Information Systems (Third Public Draft), June 2007.
    \18\ National Institute of Standards and Technology Special 
Publication 800-82 (2nd draft), Guide to Industrial Control Systems 
(ICS) Security, http://csrc.nist.gov/publications/drafts/800-82/2nd-
Draft-SP800-82-clean.pdf
---------------------------------------------------------------------------
    One of the major problems in control system cyber security is the 
culture clash between an organizations' mainstream IT department and 
that responsible for the operating critical infrastructure and related 
control systems. The NIST Framework, specifically NIST SP 800-53 
extended for Industrial Control Systems (ICS), is the only document of 
which I am aware of that addresses both IT and control systems security 
in the same document. Consequently, it is my belief that this is a key 
tool that can help bridge the organizational divide between mainstream 
IT and control system operations functions; which in and of itself can 
help to untangle many of the existing control system cyber security 
issues.
    Adoption of the NIST Framework for the electric sector will 
eliminate the requirement for redundant effort faced by a number of 
quasi-federal organizations such as the Tennessee Valley Authority 
(TVA) and the Bonneville Power Authority (BPA), who are now required to 
prepare different sets of documentation and endure dual audits for both 
FISMA and NERC CIP Standards compliance. Is this duplication a good use 
of ratepayer dollars?
    The electric sector is arguably the most interdependent of all the 
critical infrastructures, and it's also the first of the private 
industrial sectors (health and financial excluded) to move toward 
establishment of cyber security standards. Without digression, it would 
appear wise for all of our industrial sectors to adopt a consistent set 
of methodologies for cyber security of distributed and process 
industrial control systems. The vulnerability demonstration shown by 
CNN (reference 5) provides a clear justification. The advisory notice 
about the demonstrated vulnerability was issued to the electric 
industry, including dams, and was also released to the chemical and 
water industries as they use similar systems and networks and thereby 
similar cyber vulnerabilities. Additionally, having consistent 
requirements across industries can minimize the potential for having to 
modify control systems to meet individual sector security requirements.
    One way to move towards cross-sector convergence in cyber security 
ways and means is for all stakeholders to use the same terminology and 
to eliminate duplicative or overlapping sets of security standards' 
requirements. NIST offers a set of high-quality publications addressing 
most of the relevant managerial, administrative, operational, 
procedural, and technical considerations. Each of these publications, 
such as SP 800-53, have been put through a significant public vetting 
process by all sectors, including, to the extent possible, by 
authorities in the national security domain. NIST offers its documents 
to all organizations interested in using them as a basis for developing 
common Standards within the ICS community.

Summary Opinion
    NERC is now FERC's Electric Reliability Organization (ERO) and as 
such should no longer be acting as an industry-representative 
organization. However, much evidence reveals NERC still exhibiting 
vestiges of its role as an industry advocate, at least in so far as 
concerns its attempts to minimize the urgency of the matter of cyber 
security. Rather than be attentive to and supportive of the FERC NOPR 
and move to assure its implementation, NERC has chosen to issue 
rebuttal comments.\19\ What's more, the dubious act of NERC submitting 
a rebuttal to FERC is exacerbated by the poor technical quality of its 
comments. NERC has not had previous experience with control system 
cyber security, and I do not believe that NERC as constituted is 
capable of providing adequate oversight of cyber security of the grid.
---------------------------------------------------------------------------
    \19\ NERC Comments on the FERC NOPR dated October 5, 2007, Comments 
on the North American Electric Reliability Corporation on the Notice of 
Proposed Rulemaking for Mandatory Reliability Standards for Critical 
Infrastructure Protection, nerc.com
---------------------------------------------------------------------------
    For the reasons stated above, the existing NERC CIP Standards are 
not adequate for cyber-securing the electric grid. There are other 
approaches that can provide a higher level of security without 
incurring significant incremental cost. My principal recommendation is 
that the NIST Framework's requirements should be incorporated into 
standards for industry that are currently being developed by the ISA99 
Standards Development Committee, Security for Industrial Automation and 
Control Systems.\20\ As is NERC, ISA is an accredited member 
organization of the American National Standards Institute, and the 
ISA99 committee brings together security experts from across industry, 
government, and academia. DHS has already provided valuable support by 
allowing experts from NIST and the National Laboratories to contribute 
in this ISA99 initiative, and it is vital that this support continue. I 
recommend further that the NIST Framework requirements form the basis 
of compliance audits to be conducted by a new and related entity, the 
ISA Security Compliance Institute. Any resulting fines or other 
findings should be addressed by NERC. A single set of Standards for 
industrial automation and control systems is more cost effective than a 
patchwork of standards conceived independently by each industrial 
sector. This would provide the leading practitioners on control systems 
cyber security to bring their expertise to bear and provide comparable 
levels of protection across the interdependent critical 
infrastructures.
---------------------------------------------------------------------------
    \20\ ISA99, Security for Industrial Automation and Control Systems

Recommendation to Congress
    Congress should empower FERC with the authority and responsibility 
for development of control system cyber security requirements and 
compliance criteria similar to role of NRC in these matters. In so 
doing, Congress should also provide FERC with the authority to separate 
ERO functions so that NERC is responsible for traditional electric 
system reliability Standards, and have a separate organization be 
responsible for the cyber security aspects of critical infrastructure 
protection. Finally, Congress should take action so that the ERO 
function is funded by the government, not by industry as is now the 
case, to better ensure that conflicts of interest do not interfere with 
doing what is right and necessary, and not just what is convenient.

    Mr. Langevin. Mr. Weiss, I want to thank you for your 
testimony. You had some very salient points in there, and I 
agree with your testimony.
    I want to again thank all the witnesses for their testimony 
here today. And I now recognize myself for the purpose of 
questions. Let's get right to it.
    Mr. Whiteley, as you are aware, we are very concerned about 
the aurora mitigation efforts ongoing in the electric sector. 
In a briefing with staff on Friday, DHS described a survey that 
NERC sent out in August 2007 to determine how many owners and 
operators were implementing the mitigation efforts.
    Can you describe the survey and tell us its findings?
    Mr. Whiteley. The survey was the follow-up to the guidance 
that was issued earlier in the spring, and we have determined 
that approximately, at this point, 75 percent of the 
transmission grid has either taken appropriate actions or is in 
the process of implementing those actions. And we continue to 
follow up with the remaining 25 percent of the grid that either 
has not reported or that hasn't started to take action to find 
out what the status is.
    So in terms of ongoing work, we continue to follow up; to 
eventually reach a 100 percent reporting is our goal.
    Mr. Langevin. Why don't you have 100 percent compliance at 
this point? What is the remaining 25 percent? Why are they 
dragging their feet?
    Mr. Whiteley. Well, I don't have--I don't have information 
on whether they are dragging their feet or whether we just have 
not received the report. We are in the process of following up 
with them at the present time to determine just exactly that.
    Mr. Langevin. On that 75 percent you say is in compliance, 
this is not just anecdotal. You are talking about, these are 
hard answers to the issue of having implemented all the 
mitigation strategies?
    Mr. Whiteley. This is a follow-up with most of the large 
utilities in the country and many of the intermediate-size 
utilities as well. And it is hard evidence or hard data that we 
have asked, and they have explained what has been done. So we 
have direct information.
    Mr. Langevin. Well, I don't have as high a degree of 
confidence, and I have to say I am a bit skeptical that the 
entire electric sector is well on its way to having mitigated 
the problem and implemented strategies.
    Mr. McClelland, would FERC determine an investigation to 
consider whether the level to which electric sector owners and 
operators have implemented these mitigation efforts?
    Mr. McClelland. Yes. Yes. We agree that in order to 
determine whether or not there have been sufficient mitigation 
measures employed, it would be very important--in fact, 
essential--to have information that would validate what those 
mitigation measures were and who has conducted those mitigation 
measures.
    Mr. Langevin. Thank you.
    Mr. McClelland and Mr. Whiteley, under today's regime that 
is, frankly, the option of the cyber standards, if a cyber 
exploit of the aurora vulnerability is imminent, how will the 
electric sector, ISAC or the Department of Homeland Security 
ensure the immediate implementation of mitigation efforts?
    And doesn't the fact that this is an advisory document 
hamper the mitigation?
    Mr. Whiteley. NERC has issued it as an advisory because it 
falls outside of our present authority in terms of standards 
that have already been approved. Had they been approved 
standards, then we would have additional mechanisms to follow 
up with the industry. And so to the extent we could, we have 
issued the advisory, explained it, and we are following up.
    Mr. McClelland. The Commission issued an order on September 
20 to clarify, that required action alerts, as issued by NERC 
in this circumstance, are not required because they are not 
based on an approved reliability standard, the standard that 
has been through the open and inclusive process required by 
EPAct and then approved--subsequently approved by the 
Commission. However, the Commission encourages--we applaud NERC 
and encourage these types of advisories to be put into place.
    We have also now directed that--following a required action 
alert, the Commission has directed that within 30 days of the 
compliance date on such an alert, the Commission will receive a 
report from the ERO that will detail who has complied, who has 
not complied with what the level of compliance is, so that the 
Commission can evaluate whether further action--and that would 
include action to call for a reliability standard--is 
warranted.
    Mr. Langevin. Thank you.
    Mr. Weiss, do you care to comment on any of the questions 
and, in particular, if, in fact, there was a need to move 
quickly as a result of actionable intelligence, some knowledge 
that there is a vulnerability that existed, A, does the current 
structure lend itself to closing loopholes quickly? And what is 
the best strategy or the best entity to make sure that if we 
have a situation that arises, that we can move quickly to close 
gaps, close vulnerabilities?
    Mr. Weiss. I would like to address one other point, and 
that is, aurora is obviously a very critical vulnerability. It 
is the not only one; there are several others out there, 
probably of equal significance. And one of the things that I am 
very concerned about is that people focus so much on aurora 
that they don't look at other things.
    I had a phone call from a friend from the oil/gas industry 
when they got that ISAC advisory. Their first question to me 
was, what about the other vulnerabilities? So the first thing I 
really want to get across is, we are not trying to address one 
and only one issue. What we are trying to address is the cyber 
vulnerability of the grid, and for that matter, the 
interconnections to the grid.
    The second point is that what I have found personally over 
time is that there is a tendency for private industry to be 
very reticent to provide information to the government. Several 
years ago we prepared a scoping study. We did this under a DOE 
contract. It was Carnegie Mellon and my previous employer. It 
was a scoping study for setting up a cert for control systems, 
and one of the most important aspects on that was that we felt 
that that initial entity, where the information goes in, should 
not be a government entity. It should be somewhere that it 
could be sanitized and then sent off further to actually have 
the work done.
    But the other point I want to get across, because I think 
this gets missed, is what I said to begin with. All of these 
industries use exactly the same equipment; that same, identical 
programmable logic controller that is used in a power plant or 
a substation is used in a steel mill, in a chemical plant, in a 
water plant, et cetera. So if they have problems or cyber 
issues, we need to know that.
    One of the things I see that is missing, you could call it 
an ISAC, call it what you will, but there should be something 
that is focused on the control systems because that is what we 
are looking at. That is what cuts across.
    Mr. Langevin. Thank you, Mr. Weiss.
    My time has expired. The Chair now recognizes the Ranking 
Member for 5 minutes.
    Mr. McCaul. I thank you, Mr. Chairman.
    You know, since 9/11 we have been very focused on physical 
threats. But in my view, not enough attention has been paid to 
virtual threats and cyber threats, and yet we have known about 
these threats out there.
    I think aurora kind of highlighted it and brought it even 
more so to our attention, not only to the panelists, but to 
Members of Congress when we had that briefing. We have a 
responsibility in a bipartisan way to do everything we can to 
protect the American people.
    First and foremost, when you look at 25 nations that have 
cyber warfare programs out there, it causes me great concern. 
And Mr. Weiss, you mentioned other vulnerabilities. My question 
was going to be--and I do want to ask a question about NIST, if 
I can, as well. But as I said to the prior panel, some credit 
deserves to be made to Idaho National Lab and DHS for actually 
proactively finding a vulnerability, then fixing it, then 
mitigating it.
    Mr. Weiss. Absolutely.
    Mr. McCaul. But there are other vulnerabilities.
    To the extent you can comment on those, Mr. Weiss, can you 
tell us what those are? And what do we need to be doing at the 
Federal level in the government to address those in the most 
practical way?
    Mr. Weiss. Again, following up on what you just said, the 
Idaho National Lab and, for that matter, the other national 
labs have been doing this type of research for several years. 
Aurora, because it actually showed damage to equipment, is the 
first one that, if you will, really made a splash. But they 
have shown that you could damage equipment, that you can open 
valves, that you can open and close breakers. They have been 
showing that for the past 3 or 4 years; it just hasn't gotten 
the attention it has needed.
    Part of the issue that we have is in the control systems 
world, we have designed our systems for performance, and we 
have never assumed anybody would intentionally want to do harm. 
And so when I talk to people, it is the people that, if you 
will, own these systems that are the most knowledgeable, and if 
they thought about it, could cause the greatest harm. They are 
the people we need at the table because they could come up 
with, if you will, the worst cases and the things we really 
need to address.
    Mr. McCaul. Of course, any country that has that capability 
also could use it against us.
    Mr. Weiss. Sure.
    Mr. McCaul. And has a mitigation strategy with respect to 
aurora helped protect us from some of these other 
vulnerabilities in these other areas?
    Mr. Weiss. It can because part of what aurora did was look 
at a remote access vulnerability. That covers more than just 
aurora. So in that sense, it has done, incrementally, good. 
There are other things out there, there are other 
vulnerabilities that are totally independent, if you will, of 
the aurora vulnerability.
    Mr. McCaul. That was sort of in my thoughts as well.
    We sent a letter, a bipartisan letter, basically stating 
that we believe that the reliability of the Nation's bulk power 
system, BPS, would be better protected by a cybersecurity 
standard that incorporates additional security measures of the 
National Institute of Standards and Technology under the 
special publication 800-53.
    Where are you three on this?
    Mr. Weiss. Well, I have to be a bit careful because I was 
part of the process. What I can tell you is what we did.
    We had a member from the NERC drafting team, myself, 
somebody from MITRE and several people from NIST where we went 
and we spent 2, 3 days going through, line by line, the 
comparison between the NERC CIPs and 800-53; and in addition to 
that, looking at 800-53 to make sure we are extended to cover 
control systems.
    What NIST then did is, it held several meetings with 
Federal agencies that were bound by Federal law to use that. So 
they also got feedback coming in from the end-users.
    I believe personally that the--like I say, I am biased--I 
believe, far and away, that is the best document that is out 
there. And it does one other thing I would like to make a point 
of.
    One of the biggest problems we have today is a conflict 
between the IT organization and the control systems 
organizations, that is, throughout any industry or any company. 
The NIST document is about the only one that can address it 
because it is the only document that essentially was IT to 
start with. So IT is there, and it has now been extended to 
cover control systems. So we have one document that both 
organizations can share or have to share.
    Mr. McCaul. And Mr. Whiteley?
    Mr. Whiteley. Well, certainly I would suggest that the CIP 
standards that we filed with the Commission are simply a 
starting point. And I think I have referenced that in my 
testimony. That it is a good starting point, and our intention 
is to make them better as time goes on.
    Certainly, the evidence that NIST standards may be more 
applicable today to control systems than they were when these 
were originally drafted and that there is additional guidance 
from the cybersecurity community, it would be very appropriate 
for us to put them back through our standards process and make 
appropriate revisions.
    And, in fact, I can tell you that in our normal cycle of 
revising our standards, the cybersecurity standards are already 
in our work plan within the next 3 years for their first round 
of revisions, and they haven't even been approved yet. So we 
know they will get better; they have to get better over time.
    Mr. McCaul. Mr. McClelland.
    Mr. McClelland. I should begin by explaining, or at least 
clarifying, the Commission's authority. The Commission can 
approve a proposed--the Commission can't author a reliability 
standard; it can only approve or remand a reliability standard. 
Simultaneous with the approval, the Commission can call for 
immediate modifications to the standard.
    The comments we received from Congress ask us to consider 
the NIST standards instead of the CIP standards the Commission 
had proposed in its Notice of Proposed Rulemaking. 
Understanding the Commission could not substitute the standards 
for the CIP standards, the Commission proposed to evaluate NERC 
on its performance by NERC's evaluation of the NIST standards.
    There are entities, such as TVA, that will be under both 
NIST and CIP standards. The best elements of the NIST standards 
can and should be incorporated into the CIP standards. If the 
ERO doesn't initiate that motion on its own, the Commission can 
and will initiate that motion.
    I should also say that the CIP standards in their current 
state, the Commission is concerned. There are exclusions for 
reasonable business judgment. There are also exclusions for 
technical feasibility. An example would be if a piece of 
equipment is not capable of accepting a multicharacter 
password, a longer password with multicharacters, one might be 
able to claim under the current CIP standards that it is not 
technically feasible and be excused from that requirement.
    So the Commission has expressed these concerns and is 
proposing to call for immediate modifications to the CIP 
standards. So on that basis, the CIP standards in their current 
form, the Commission feels needs improvement.
    Mr. McCaul. Okay. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Langevin. I thank the gentleman. And just as a follow 
up to Mr. McCaul's questions, a comment with respect to the 
vulnerability discovered in control systems, the aurora issue 
in particular.
    I just wanted to mention how important Mike Assanty and 
Barry Coonley, Idaho National Labs, were to this effort, very 
critical to this effort. Talk about two guys thinking outside 
the box and discovered this problem. They did a--as far as I am 
concerned, a great service to the Nation and should be 
applauded for their hard work. And I received their brief back 
in January, as did the Department of Homeland Security, and 
then we got the committee briefing to this as well. And again, 
it did a great service to the country on this issue.
    With that, the Chair now recognizes the gentlewoman from 
California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman.
    Mr. Weiss, I mentioned earlier, when you were in the 
audience, it is nice to see you in a room instead of on a plane 
like we usually do. And I am glad that you were able to come 
out and share your thoughts, which are very helpful.
    In the first panel, one of my colleagues asked how much 
more it would cost if the NIST standards were adopted instead 
of NERC. Do you have an opinion on what that cost would be, 
what the increment would be?
    Mr. Weiss. The issue--it is a two-part answer. If the NERC 
CIPs were to cover as comprehensive a scope as the NIST 
standard, there would be no incremental cost.
    The incremental cost is because, with the NERC's CIP 
standards, utilities can exclude----
    Ms. Lofgren. Right.
    Mr. Weiss. --all kinds of equipment.
    Ms. Lofgren. Well, let's assume--I mean, the defects have 
been outlined by GAO and yourself in terms of scope. So let's 
use that as the baseline.
    Mr. Weiss. Yeah. Then the answer, there should be really no 
difference, because what you are talking about is doing a 
cybersecurity assessment. And if you meet what would be a good, 
comprehensive cybersecurity assessment, it should be with 
either one. So there really shouldn't be any incremental cost.
    Ms. Lofgren. I have a question, and I guess it is for FERC 
because we have struggled now with this whole cybersecurity 
exposure issue for a considerable period of time; and I must 
say that despite sustained interest, I am not yet convinced 
that we have made the progress that we should have.
    And the question is, who is going to have the 
responsibility to insist? And especially--you know, it is one 
thing for the Federal Government, that is not necessarily in a 
lead position technologically, to come into the tech sector and 
say, you have got to do this, because we probably don't know 
what we are talking about.
    But it is quite a different thing to insist that at least 
industries that are not the tech industry use what is available 
and what is identified.
    And we heard earlier today that our assistant secretary 
doesn't have the authority really to insist; and you are saying 
you don't have the ability really to insist. I have a sense of 
urgency about this, and I don't feel that sense of urgency from 
the testimony.
    So the question is, you know, maybe one structure would 
be--and we are going to have--Mr. Garcia is going to get back 
to us. But when you have an assessment here such as we have now 
from NIST, and you know, I think they are widely acknowledged 
as a pretty reputable and efficient organization--you know, 
shouldn't we have the cybersecurity division have the ability 
to go to the regulator--for example, yourself in this case--and 
say, this has got to be done in this time frame for the 
national security?
    Mr. McClelland. The Commission does have the ability to 
compel the return of a reliability standard within a 
predetermined period of time. It can be within days, if such 
urgency exists.
    The difficulty when it involves national security issues, 
which I mentioned in the opening statement, is that the process 
is open and inclusive. It is participatory.
    So folks are convened. They vote for a standard. They 
return the standard.
    Ms. Lofgren. I understand.
    Mr. McClelland. The Commission then solicits comments. The 
Commission goes through Notice of a Proposed Rulemaking, 
considers the comments and then issues a final rule.
    The cybersecurity provisions, however, were part of the 
Energy Policy Act, and they are the Commission's 
responsibility. With that in mind, the Commission now is 
actively reviewing its options in light of its authority and in 
light of recent developments.
    Ms. Lofgren. Well, I guess you know I just feel some sense 
of frustration because, as Mr. Weiss has outlined--and we don't 
want to go into all the details here; I mean, some of these 
vulnerabilities have been well known for some time. And if you 
take a look at the interconnection and cascading catastrophe 
that we are open to--and we haven't done anything about it; we 
haven't done anything about it in 4 or 5 years. And I just 
can't understand why.
    And, you know, it is not something the Congress can enact 
because the vulnerabilities change as the technology does to 
some extent, although the stuff that we never fixed remains 
vulnerable.
    You know, it has really got to be done administratively, 
and yet here we are just as bare as we ever were. And I just 
feel--you know, how do we instill a sense of urgency here?
    Mr. McClelland. The aurora issue has heightened the sense 
of urgency. And, again, the Commission can compel a reliability 
standard. But it cannot compel action of users, owners and 
operators without a reliability--or it is not clear that the 
Commission can compel action of users, owners and operators 
without a reliability standard to base it on.
    The process itself is open and inclusive. So, there again, 
I understand your concern, and there is a tension between an 
open and inclusive process.
    Ms. Lofgren. Well, I wonder if--I know my time is up, Mr. 
Chairman--but if you could get back to us on any suggestions 
that you would make for something like this. Because you know, 
we are all for openness, we are all for a process, and there is 
a role for that. But I don't particularly think that the energy 
sector is necessarily, you know, the leading edge on 
cybersecurity.
    And we have a roadmap. And aurora was spectacular. I want 
to give credit to people who took action.
    But there are things that Mr. Weiss has said, incidents and 
things that haven't even been reported, that if you look at the 
implications could be as dire or worse. They are out there, and 
they have not been attended to, and I don't see any plan to 
attend to them.
    Mr. McClelland. We will be delighted to work with your 
staff on that information. Thank you.
    Ms. Lofgren. Thank you very much.
    Mr. Langevin. I thank the gentlelady.
    The Chair now recognizes the gentleman from Texas, Mr. 
Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I thank you and the 
ranking member for convening this meeting.
    I suppose I should say, in a sense, thank God for CNN, 
because CNN has made what was clear to some transpicuously 
clear to others. They brought great popularity to this issue. 
And I suppose at some point we have to ask ourselves, is there 
anything in that CNN report that we take issue with?
    Dr. Weiss, is there anything in that report that you take 
issue with?
    Mr. Weiss. No, there isn't. I thought it was well done.
    The other thing I thought was well done is, the real 
details of the vulnerability were really not made public to 
those that we don't want to know about them.
    Mr. Green. Yes, sir.
    Does anyone take issue with any aspect of the CNN report.
    Mr. Whiteley. I certainly don't take issue with the CNN 
report on its face.
    I just will point out that NERC has responsibly developed 
and filed with the Commission for approval CIP standards that 
will expand the cybersecurity protection of critical assets, as 
was exposed in the aurora videos.
    Mr. Green. And Mr. McClelland?
    Mr. McClelland. No, sir.
    Mr. Green. Mr. McClelland, am I pronouncing that correctly, 
sir?
    Mr. McClelland. It is McClelland.
    Mr. Green. All right. Mr. McClelland, you indicated that it 
may take you a while to determine whether you need additional 
authority, or ``new authority'' I think is a term that you 
used. Is this correct?
    Mr. McClelland. We are in the process of making those 
decisions now. We are evaluating our options under our 
authority in 215.
    Mr. Green. Yes, sir.
    Mr. McClelland. I don't know that I would say ``a while,'' 
Representative, but we are evaluating.
    Mr. Green. In Texas, we call this ``fixin' to do'' 
something. And about how long will you be fixing to do this?
    The CNN report causes my constituents to have a great 
degree of consternation. So about how long do you think it will 
take before you can announce whether you need new authority? 
And if indeed you do, what new authority do you need?
    Mr. McClelland. This is a difficult answer to provide, but 
I will put it forward.
    As a staff member of the Commission, I cannot reveal 
pending Commission actions. I can say matters are under 
consideration. I can say they are important to the Commission. 
And I can say we are working diligently on them. But I cannot 
say that the Commission will take action within some period of 
time.
    Mr. Green. Well, that is understandable.
    I must tell you, I am appreciative that you did not use the 
words, ``all deliberate speed``--for obvious reasons, 
hopefully.
    Let me go to the next question. You said that you need more 
engineers.
    Mr. McClelland. Yes, sir.
    Mr. Green. You did not say how many more. So how many?
    Mr. McClelland. The Commission has asked for an 
additional--a supplemental request in the 2008 budget for $9 
million. The $9 million would be allocated towards 55 full-time 
employees. The majority of those employees would be engineers 
and bulk power system experts.
    There are also auditors and some lawyers in the 
allocations.
    Mr. Green. This will give you the number that you will 
need? Or will this give you a number that will benefit you?
    Mr. McClelland. The Commission's authority changed 
substantially with EPAct 2005. For the first time, the 
Commission had direct authority over the reliability of the 
bulk power system.
    That said, we are discovering--or we are now verifying, we 
are documenting needs for personnel.
    Mr. Green. I have to ask you--let me just say this, 
sometimes when persons finish, I don't know whether they said 
``yes'' or ``no.''
    Mr. McClelland. I understand.
    Mr. Green. May I just ask you again? And you would kindly 
give me a ``yes'' or ``no''?
    Will this give you the number that you need? Or will this 
give you a number that will be of benefit to you?
    Mr. McClelland. It will be a number of benefit, subject to 
further review.
    Mr. Green. Well, we will be honored to know the number that 
you will need, because if there is a need, I think we want to 
make sure that the need is met. Because this is critical.
    Final question, Dr. Weiss--and may I call you Doctor?
    Mr. Weiss. It is actually Mister.
    Mr. Green. You look like a Doctor, so you are promoted 
today.
    Dr. Weiss has indicated that ERO should be funded by the 
government. Is that what you said, Dr. Weiss?
    Mr. Weiss. Yes. Yes.
    Mr. Green. All right.
    Let me ask you, friends, does anyone differ with Dr. Weiss 
on his basic premise that the ERO should be funded by the 
government?
    Mr. Whiteley. NERC's position is that the present funding 
mechanism, which is to take NERC's expenses and divide them 
equally amongst all users of electricity in the United States 
on a net-energy-for-load basis is reasonable and appropriate.
    Mr. McClelland. I agree that at this time the Commission 
couldn't support the proposition that the ERO should be funded 
by the government. So I agree that the current funding 
mechanism is acceptable.
    Mr. Green. If I may, Mr. Chairman--Dr. Weiss, you will have 
the last word from me, anyway.
    Give the rationale for having the government fund it, 
please.
    Mr. Weiss. For the simple fact that if the industry funds 
them, they are an industry-driven organization.
    My concern, when you look at this--I mean, just the fact 
that NERC sent detailed rebuttal comments to the FERC NOPR, my 
view is that the ERO should be like in the nuclear world where 
you have INPO, the Institute for Nuclear Power Operations, that 
it should be an organization looking out for the public good, 
not for the industry good. So if it were funded by the 
government, not by industry, it would not be beholden to have 
to come up with recommendations that meet industry needs.
    That is where I was coming from.
    Mr. Green. Thank you, Mr. Chairman. I owe you 1 minute and 
21 seconds.
    Mr. Langevin. I am calculating now. The Chair now 
recognizes the gentleman from New Jersey, Mr. Pascrell, for 5 
minutes.
    Mr. Pascrell. Mr. Chairman, if there is any history here, 
and you know history tells tales about the Federal Energy 
Regulatory Commission. I know, Mr. McClelland, you are not on 
board too long, but my relationship with FERC has not been a 
good one. I had to drag 10 Congressmen from both sides of the 
aisle down there to stop an impending move 4 years ago, 5 years 
ago, which was successful, plus we all joined together in this. 
And FERC could not define what its responsibilities were.
    If you remember at the end of the 90s and the early part of 
this century, FERC was trying to disassociate itself from any 
responsibility it had in the marketplace with energy problems. 
So this is not hyperbole here. I am not making this stuff up. 
There was quite a clash and conflict in the Congress' ability 
to have oversight of FERC, is something that we need to take a 
look at another time.
    So when I hear the answers to the questions and when I read 
carefully your testimony, there is a lot of if's in here, and I 
don't know when these things are going to be accomplished. And 
I agree with the gentlelady from California that I don't see or 
hear any sense of urgency.
    This is critical, I think you would agree. You have a great 
background, so I hope you will bring some sensibility to what I 
consider an organization that has been dysfunctional for many 
years. And I don't want to go into the people who were put on 
there, because you don't want to hear that now.
    Mr. Weiss, your testimony is quite interesting here. You 
know that NERC and FERC have been talking to each other, they 
have had a good relationship. We hope what will come out of 
that is pretty quickly some standards that we can agree on.
    And I am sure, Mr. Mcclelland, that you couldn't answer the 
question for the gentleman from Texas, but you are going to go 
back to your superiors, get an answer to that question and give 
it to the committee if it is at all possible. I mean for you to 
tell us that you can't tell this committee when you are going 
to come forth with action. We didn't even ask you what the 
action was. You know, I find that to be very interesting. Boy, 
if that isn't political jargon down in Washington, D.C., I 
don't know what is. That is unacceptable to this chairman.
    Mr. Weiss, I want to ask you this, as the NERC CIP 
standards, those infrastructure standards that we have talked 
about here today, you said as they moved to their final 
revision the focus was shifted entirely to bulk power grid 
reliability.
    Mr. Weiss. Yes.
    Mr. Pascrell. In and of itself.
    Mr. Weiss. Yes.
    Mr. Pascrell. Rather than on societal welfare. That is a 
powerful statement there. That is my words.
    Mr. Weiss. Yes.
    Mr. Pascrell. In safety from a Homeland Security or 
economic perspective, the reliable operation--I think this is 
an example you give of a small substation that supports a major 
oil or gas pipeline in a remote local is not salient to grid 
stability, but failure of same could very well have profound 
adverse consequences for the health of the United States 
economy. Would you explain that?
    Mr. Weiss. Yes.
    Mr. Pascrell. That a pretty potent statement you made.
    Mr. Weiss. In fact, that was one of the two examples I 
could bring. But the point is for the bulk power grid the loss 
of a particular power plant or a particular substation will 
have no impact, if you will, on that local power grid. But if 
that particular substation or that particular power plant is 
providing the power to a natural gas pumping station, I know of 
one, for example, that provides about 60 percent of the natural 
gas to the entire northeastern United States. But that plant is 
in a sense meaningless to the local grid.
    Mr. Pascrell. Right.
    Mr. Weiss. But if you lose that pumping station, you have 
lost all your natural gas.
    Mr. Pascrell. Right.
    Mr. Weiss. So what is happening is in version 3 of the NERC 
CIPs, version 4 was the one that was finally accepted. In 
version 3 it had, I believe, either three or four criterion. 
One was bulk electric, the other was economy, and there was 
also health and safety. All of those were explicitly in version 
3 of the NERC CIPs and then also removed as it went to version 
4.
    Mr. Pascrell. Why?
    Mr. Weiss. I can't explain that.
    Mr. Pascrell. Well, who removed this?
    Gentlemen? Mr. Whiteley, who removed them and why?
    Mr. Whiteley. My understanding is that the changes that are 
made through the standard drafting process are made by the 
standard drafting team, which is comprised of the industry 
experts in the area that is being developed into a standard. 
And it was their judgment to make the revisions, whatever they 
were in to from version 3 to version 4, and eventually now that 
standard, recognizing that the authority that NERC has is 
limited to the bulk power system and that is a very----
    Mr. Pascrell. Your power is limited and FERC's power is 
limited, and we are talking about societal welfare, we are 
talking about the health of our community, the safety of the 
community, and you take all of those out before the final 
report. That to me makes no sense and we can't find out who 
took it out.
    Can I ask one more question?
    Thank you. Why wasn't the blackout report included in the 
final report, as you point out, Mr. Weiss, when we were dealing 
with NERC and CIP standards? Why was that taken out, Mr. Weiss?
    Mr. Weiss. I don't know.
    Mr. Pascrell. That wasn't in there either. Give us some 
options why was it taken out? Come on, let's get to the meat 
and potatoes here. Why was it taken out? Who took it out? Give 
us some ideas of why.
    Mr. Weiss. I can only tell you I was not on the drafting 
team. The comments that I put out, that ISA put out, were not 
accepted. That is all I can say.
    Mr. Pascrell. Well, we know why they weren't accepted.
    Mr. Chairman, I think I have heard some interesting things 
this afternoon, and I think that this committee with your 
leadership and Michael's leadership and Mr. McCaul from Texas' 
leadership, I think we can get to the bottom of this. I am 
telling you, Mr. Chairman, nothing is going to get done if we 
leave it to chance. FERC is not a responsible public entity. It 
will not be until it is pushed by this Congress.
    Thank you, Mr. Chairman.
    Mr. Langevin. I thank the gentleman for his questions and 
his comments, and I can assure you and the other members of the 
committee that the ranking member and I will continue, we are 
very close to this, and this is not the last hearing of its 
kind on the issue of cyber security. Whether it is Aurora or 
other security vulnerabilities, this is one of many where I 
plan to exercise intense oversight. And I thank the gentleman 
for his passion. As usual, it is great to have you back on the 
committee.
    The Chair now recognizes Mr. Etheridge for 5.
    Mr. Etheridge. Thank you, Mr. Chairman, I am going to 
follow some of that same line for just a minute in a little 
different way.
    In 1996, power was out across a wide range of western 
States because, as I remember, a squirrel got burned out on a 
transformer at a very crucial time. And then in 1998 there were 
two power failures. An ice storm took out power in eastern 
Canada and the United States. New Zealand lost power, as I 
remember, for a couple of months due to a transmission line 
failure.
    2003, a blackout covered much of northeastern United 
States, and that was caused by failure of a transmission line, 
as I remember, in Cleveland. It sort of cascaded across a whole 
host of areas. And the interconnectivity of the nature of the 
grid means that a single point can have a significant impact.
    So let me ask my question this way. Some of the testimony 
of folks here is that the possibility of a coordinated attack 
on multiple control systems can be a devastating event. Can we 
all agree with that?
    Mr. McClelland. Yes.
    Mr. Whiteley. [Nonverbal response.]
    Mr. Weiss. [Nonverbal response.]
    Mr. Etheridge. Would a massive effort be required to have a 
large impact.
    Mr. Whiteley. Massive effort and large impact. It would be 
a significant effort to attack all of those cyber assets 
simultaneously. Is it hypothetically possible? I presume so.
    Mr. Etheridge. Well, I raise that question because if a 
squirrel can have that kind of impact, a squirrel is not very 
high tech. I mean I am not trying to be funny; I am being very 
deadly serious about this issue.
    Mr. Whiteley. And if I can respond on the blackouts or 
outages that you have talked about, in each of those cases 
there is a single failure that leads back to other failures of 
the system. And that is precisely why the standards that we put 
forward, and many of which are now actually mandatory and 
enforceable, address issues like vegetation management so that 
the trees don't grow into the lines. And when there are single 
points of failure that they don't cascade----
    Mr. Etheridge. Okay.
    Mr. Whiteley. So we are addressing them in our existing 
standards.
    Mr. Etheridge. Okay, I understand that. Well, how likely is 
it that a single cyber attack on a control system could take 
out a regional power system that then would have a major 
impact?
    Mr. Weiss. Let me try and answer it this way, a cyber event 
can be targeting multiple systems at one time. So part of what 
I am asking, I am not trying to be too much of an engineer, but 
the issue is you are talking about targeting multiple entities, 
and it is also a function of when you do it. If you do it 
during the summer when the system is at its highest stress, and 
systems are out, it won't take that many more systems to create 
a larger failure. When the system isn't stressed as much, it 
would take more.
    Just so you know, 4 years ago I gave a presentation at the 
Georgia Tech Protective Relay Conference. It was kind of a 
precursor to Aurora. It was essentially laying out a scenario 
that I ran by Sandia, Idaho, and PNNL as well as several other 
utilities, how simply using cyber alone you could bring the 
grid down for a significant time, strictly on the transmission 
and distribution side. Fairly simple. Can you do it? Yes.
    Mr. Etheridge. Well, that leads to the next question then, 
somewhat similar. You said you can, but I guess my question is 
are control systems within the distribution grid that 
vulnerable to attack? And if so, what effect might that attack 
have and how catastrophic could it potentially be? I think that 
is important for us to have some sense of in this committee.
    Mr. Whiteley. I will just add from NERC's standpoint 
distribution systems are outside of our purview. However, you 
are talking about very similar kinds of systems that utilities 
protect in a very similar kind of manner. And if they are 
protecting their transmission assets, they are also protecting 
their distribution assets.
    Mr. McClelland. I would like to add to that. I didn't 
understand the question to be distribution assets per se, but 
the wires associated with a bulk power system. Again to echo 
Mr. Weiss's comment, it would depend on the unit, how large is 
the generating unit that is being attacked or what is the 
combination of output from those generating units, what is the 
peak load on the system at the time, how sophisticated is the 
adversary.
    There is a level of sophistication in order to be able to 
pull off a coordinated cyber attack against critical facilities 
in a critical time. And then to also say, perhaps take Mr. 
Whitely's comment and put that forward and put a twist on it, 
the level of cyber protection that one exercises is critical. 
The harder it is to penetrate someone's assets, there are 
easier targets around the corner.
    So if the basic level of cyber protection is elevated, if 
the CIP standards are in place and the requirements are passed 
as mandatory and enforced or with real penalties behind those, 
one would expect the level of compliance to rise and make it 
more difficult but not impossible for a sophisticated adversary 
to carry out an attack against the bulk power system. So the 
threat is real.
    Mr. Weiss. Can I add one other point?
    Mr. Etheridge. Please.
    Mr. Weiss. It is the reason why I have been talking about 
distribution. Distribution is normally outside the purview, but 
there are two issues here. One is it is generally where money 
is being spent to upgrade the systems. And so they are going 
from the old, if you will, cyber dumb to very cyber alive 
systems.
    The second point is those distribution systems 
electronically talk to transmission. In the past when you dealt 
with reliability you generally dealt with each one 
individually. The point about cyber is they talk to each other. 
That is what is so different here, the silos don't work 
anymore. So that is why market systems all of a sudden become 
an issue. They talk to SCADA systems. It is why telecom is 
important. It is why small facilities are important. It is, if 
you will, what happened on 9/11. The hijackers that came into 
Boston that boarded the plane did not board it from Boston, 
they boarded it from a smaller airport. If you don't take care 
of the smaller, the bigger is going to be a vehicle.
    Mr. Etheridge. Thank you, Mr. Chairman. I appreciate your 
indulgence. I yield back.
    Mr. Langevin. I thank the gentleman and, in consultation 
with the ranking member, we are going to ask each one question 
before we conclude.
    And with respect to the distribution system, this is a 
timely question, can the panel answer this, under a future 
regime after the NERC standards are adopted, NERC will be able 
to regulate companies who don't comply with approved cyber 
standards, but as we pointed out in the committee's comments, 
NERC's definitions will exclude a lot of critical assets.
    The way I read the NERC definition, the assets at issue in 
the Aurora vulnerability would not be considered critical 
assets. In other words, you have major vulnerability out there, 
but NERC isn't going to able to regulate the mitigation efforts 
of the industry even after the standards are passed.
    Can the panel provide feedback on my interpretation?
    Mr. Whiteley. Perhaps I can start and maybe clarify my 
earlier comment, that it is certainly NERC's intention to reach 
through to any part of any system that has to do ultimately 
with reliability of the bulk power system. And if that means 
that something that is in an individual residence somehow is 
connected to the system that would threaten the bulk power 
system, then certainly we would use all of our authorities that 
we have to reach through and assure reliability and protection 
of those assets.
    So from the standpoint of distribution or not, yes, if 
indeed the case is there, what the situation is is the line is 
drawn between distribution and transmission and that is where 
essentially the system stops the issue that may come up from 
the distribution system. But if indeed there is a problem on 
the distribution system, it would be our intention to use 
whatever authority we have to reach those issues, those 
problems, because they affect the bulk power system and that is 
within our purview.
    Mr. Langevin. But even if you wanted to, is NERC going to 
have the ability to actually have some teeth in that regulation 
or is it some other entity that has to impose it?
    Mr. Whiteley. In our view, if it impacts the reliability of 
the bulk power system, then we can reach it.
    Mr. Langevin. Other members of the panel?
    Mr. McClelland. I agree to your point about critical 
assets. Again this was a major point in the Commission's notice 
for proposed rulemaking. The Commission thought and expresses 
and proposes therefore to direct NERC to develop a risk-based 
assessment to provide guidelines to industry to help 
standardize or at least put commonality in the definition of 
critical based assets.
    In addition, the Commission has proposed to direct NERC 
that all critical assets be submitted on a regional basis. In 
other words, the folks within a reliability coordinator's area 
or regional entities area would have to determine what the 
critical assets were, submit it to that entity, and then those 
lists would be subject to the Commission's review.
    So we share your concern concerning the determination of 
critical assets and propose to tighten the definition of 
critical assets significantly.
    Mr. Langevin. Thanks. Mr. Weiss, any final thought?
    Mr. Weiss. [Nonverbal response.]
    Mr. Langevin. Thank you. The Chair now yields to the 
ranking member.
    Mr. McCaul. Thank you, Mr. Chairman. A two-part question to 
the panel as a whole, the Information Sharing Analysis Centers, 
or ISACs, coordination with the private sector. I think it 
really pivots on the ability of the private sector wanting to 
share the information. Do you believe that under current law 
there are enough protections for private industry to do so? I 
mean recognizing that a company is not going to want to share 
the fact that they are vulnerable. They have a fiduciary duty 
to their shareholders that could obviously impact the company. 
Under current law, are there enough protections in place so 
that they will freely share that information?
    And then the second part of my question is with respect to 
the Department of Defense we have a cyber warfare program. It 
seems to me there is great expertise in the U.S. military in 
terms of how somebody else could penetrate us; in addition, how 
we would better work hopefully with the DOD to better protect 
our critical infrastructure. Is that currently happening? I 
know I am throwing out two questions at you, but if could you 
tackle those.
    Mr. Whiteley. Well, the answer to the first question is at 
least it has been our experience that we are not having, we, 
NERC, are not having trouble receiving information from users, 
owners and operators when we ask the questions of how they are 
complying with standards that are in place or gaining 
information on our assessments so that we do overall 
reliability, all the way through into the alerts that have been 
put out. So far the history has been that we have not run into 
a significant problem along those lines.
    On the second part, I am not directly aware whether or not 
we have engaged DOD in any kind of liaison or not. We can 
certainly get back to you on that and explain what level.
    Mr. McCaul. Mr. Weiss may have more expertise on that 
issue.
    Mr. Weiss. Let me try and answer both of the questions you 
asked. The first one I would actually modify a little bit, is 
there an incentive for industry to share that information? And 
one of the things that is happening is there has been very 
little, and that is why there has been very little of that 
information shared. Like I say, my database I have got, you 
know, 90 cases. There are not 90 cases, these are just control 
systems. None of these are IT. You don't have 90 cases in the 
ES, ISAC or any of the other ISACs. Part of it is there needs 
to be the expertise with the ISACs to deal with control systems 
and generally they are not there.
    Like I said, the other thing is the incentive, why would an 
entity want to provide that information, even if they had it, 
because the other point is that a lot of these events are not 
even identified or known to be cyber. It is one thing for the 
light to go out, it is another for someone to realize it was 
cyber for why it occurred. Let me start with that.
    The second thing, dealing with DOD, I have had a little bit 
of dealings, I have given a lecture at the naval post-grad 
school in Monterey. It was kind of interesting because they 
hadn't really been focusing on protecting cyber assets, they 
were looking at attacking the cyber assets. There is a big 
difference between protection and defense. What we need here is 
the defense.
    And the other point I want to make is our systems in the 
commercial world, be they electric, chemicals, you name it, are 
different than DOD. I came from that after having come from 
nuclear. If you have got cyber safety-related equipment, that 
is very much more expensive, very different than is used 
elsewhere. So part of this is how do we get DOD working with 
us, and we kind of have in the sense that right now there is an 
individual who used to be on the DOD side who is now on the 
regulatory side.
    Mr. McCaul. It seems to me you are relying a lot on Sandia 
and Idaho National Lab. We have a cyber warfare program that 
knows how to attack, and it seems to me they would know best, 
you know, in learning where to penetrate than equally where how 
we can defend. This is in my view.
    Mr. Weiss. The only reason, again, I don't mean to be 
technical about this, but the systems that are used in the 
commercial-industrial world are different than IT systems and 
they are different than DOD systems. What DOD is used to in 
terms of trying to mitigate what they would do we don't have. 
And honestly if we tried to put them in, it would probably hurt 
us very, very deeply in terms of how these systems can perform. 
So it is not as straightforward as most people would like it to 
be.
    Mr. McCaul. That is insightful. Mr. McClelland?
    Mr. McClelland. The current process is open and inclusive. 
In order to compel entities to abide by reliability standards 
they have to be developed in an open, inclusive process. There 
is a conflict with national security issues. So if there is an 
issue such as Aurora, there is a concern if the mitigation 
measures are disclosed too fully and the information is 
disclosed publicly would you have done more harm than good. If 
we received mitigation plans, we send an agency mitigation plan 
for specifics in order that they can audit or they can 
determine compliance with a standard, will that information 
then be subject to public disclosure? That is a real concern 
and it is the intention of the Federal Power Act. Section 215 
has worked very well for us to establish an ERO, to approve and 
critique reliability standards and check some or pen some in 
some cases and also to certify the regional entities to assist 
the ERO. When it comes to national security issues, this is an 
important subject. It is critical and it is under review, and 
we will move forward on this issue.
    Mr. McCaul. I thank you, Mr. Chairman.
    Mr. Langevin. I thank the gentleman. Does the gentleman 
from New Jersey have any final questions?
    Mr. Pascrell. Yes, sir.
    I want to thank the gentlemen for their patience this 
afternoon. I have a question that I hope you all would respond 
to. I want to talk about the 2003 northeast blackout. That 
blackout was a massive power outage that occurred through parts 
of the northeast and the midwestern United States and Ontario, 
Canada in August of 2003, August the 14th. It was the largest 
blackout in North American history. It affected 10 million 
people, 10 million people in the Province of Ontario, about 
one-third of the population of Canada, 40 million people in 
eight States, which is about one-seventh of the total 
population. This is pretty big. In the end the outage-related 
financial losses were estimated at a staggering $6 billion.
    My question to all the witnesses is this, really two 
questions. Have we learned all the lessons about our 
vulnerability from that blackout? And part B, do the proposed 
NERC regulations properly take into account those lessons?
    Why don't we start with Mr. Weiss and go to Mr. Whiteley 
and to Mr. McClelland?
    Mr. Weiss. The NERC or, excuse me, the northeast blackout 
report, 13 of the 46 recommendations in that report were cyber. 
At least a couple of them were explicitly excluded from the 
NERC CIPs.
    Mr. Pascrell. Right.
    Mr. Weiss. Wire line, et cetera. I cannot tell you why. I 
can tell you we certainly knew about it. I can also tell you 
the day of the northeast outage was also contemporary with it 
was the Blaster worm and that there was or were other 
facilities not in the northeast that had cyber events that day. 
You won't find that in the northeast blackout report because 
they weren't in the northeast.
    So the issue is have we learned? I don't believe so.
    Mr. Pascrell. Thank you. Mr. Whiteley?
    Mr. Whiteley. I will address both parts. First, I would 
respectfully disagree with Mr. Weiss' connotation that the 
northeast blackout report recommendations on cyber security 
were not included in the CIP standards. I would be happy to get 
back with you on our analysis of those CIP standards and the 
fact that they addressed every one of the blackout 
recommendations.
    As to the other standards that we have in place, each one 
of the standards, if followed on that day, would have resulted 
in nothing more than a single line outage in northeast Ohio and 
not a cascading outage. So I think the evidence is clear that 
our reliability standards, as they have been passed, once the 
industry follows them and we believe the industry is following 
them to the greatest extent, will result in a more reliable 
system than we had back in 2003, and yes, we have learned a lot 
from the 2003 blackout and we have taken a lot of action since 
that time.
    Mr. Pascrell. Thank you. Mr. McClelland.
    Mr. McClelland. If you mean by the question are we finished 
or is it impossible for another blackout like this to happen, 
will it not be prevented? The answer is no. The standards are 
based on a continuing improvement process. The Commission's 
responsibility is to review those standards and call for 
modifications or reject the standards where the standards are 
not adequate.
    As an example, NERC submitted 107 reliable standards to the 
Commission for approval. If things were perfect and everything 
was done we would have accepted 107 standards. The Commission 
approved 83 of those standards and called for major or 
significant modifications to 56 of the 83 standards we 
approved.
    In addition, prior to June 18th, 2007--the standards became 
mandatory and enforceable on June 18th, 2007. Prior to that 
time there was a period of self-reporting where entities would 
say, I am not in compliance with these standards, I have got 
some problems, some or most of those problems may be 
characterized as potentially having low impact to the bulk 
power system, but some would have a high impact to the bulk 
power system and be on a parallel with the incident that caused 
the 2003 blackout.
    The Commission is aware that over 4,000 self-reported 
violations have been reported to NERC, and the Commission is 
expecting mitigation plans to be submitted to correct those 
self-reported violations. The process is not done, blackouts 
can still occur. There has been substantial and significant 
progress by the industry to try to prevent another occurrence, 
but much work remains to be done.
    Mr. Pascrell. Thank you. Thank you, Mr. Chairman.
    Mr. Langevin. I thank the gentlemen. I want to thank the 
panel for their testimony and the answers you provided to the 
questions. I thought this was very productive. I thought your 
answers were very insightful. It has certainly given us a lot 
to think about. Clearly, there is much work to be done and we 
look forward to continued oversight in this area and continued 
efforts of working with you, but you have been very helpful and 
I do appreciate your testimony.
    Again, I thank the witnesses for the valuable testimony and 
the members for the questions. The members of the subcommittee 
may have additional questions for the witnesses, and we ask 
that you respond as expeditiously in writing to those 
questions.
    Hearing no further business, the subcommittee stands 
adjourned.
    [Whereupon, at 5:30 p.m., the subcommittee was adjourned.]


                Appendix I:  Letter from David Whiteley

                     COMMITTEE ON HOMELAND SECURITY

                          House of Representatives,
           Subcommittee on Emerging Threats, Cybersecurity,
                                 and Science and Technology
                                  Washington, DC, December 12, 2007
Hon. James R. Langevin:
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, D.C. 20515
    Dear Mr . Chairman: In the questions for the record you 
submitted to NERC following the Subcommittee's October 17, 
hearing, you asked, ``What were the results of the August 2007 
NERC survey sent to owners and operators regarding the status 
of the sector's implementation of the Aurora mitigation 
efforts?'' I am writing to correct any misimpression that my 
November 20 response may have given regarding the timing of the 
written survey.
    My answer to your question did not make clear that the 
survey of owners and operators regarding the implementation of 
mitigation measures was sent in October 2007, not in august 
2007 as indicated in your question. The response provided a 
narrative discussion of the results of the October survey. As 
you requested, a copy of the survey itself, dated October 19, 
2007, was included with my response.
    I recognize that the way the response was written may 
inadvertently appear to confirm that the survey was sent in 
August. Enclosed is an amended copy of the response to Question 
No. 1 that clarifies the timing of the written survey. I would 
be grateful if this material could be substituted for my 
November 20 response to No. 1 in the written hearing record.
    I apologize for any inconvenience this may have caused.

        Sincerely.

                                 David A. Whiteley,
                                   Executive Vice President


            APPENDIX II:  Additional Questions and Responses

                              ----------                              


Questions from the Honorable James R. Langevin, Chairman, Subcommittee 
     on Emerging threats, Cybersecurity, and Science and Technology

                     Responses from Mr. Greg Garcia

    Question 1.: What percentage of electric sector owners and 
operators do you believe implemented the Aurora recommendations issued 
by NERC?
    Response: The Electric Sector Information Sharing and Analysis 
Center (ES-ISAC) distributed the advisory to 3,000 electric utilities. 
As part of individual corporate risk management and critical 
infrastructure protection planning efforts, Electric Sector owners and 
operators consider known vulnerabilities and identify and implement 
mitigation activities to address them. It is the responsibility of 
owners and operators to implement the recommendations issued by the 
North American Electric Reliability Corporation. The Department of 
Homeland Security (DHS) is working with the Electric Sector, the 
Department of Energy (DOE), and the Federal Energy Regulatory 
Commission (FERC) to raise awareness and promote implementation of the 
recommendations. DHS is also working with DOE and FERC to determine 
what actions the private sector has implemented.

    Question 2.: If a cyber exploit of the Aurora vulnerability is 
imminent, how will the Electric Sector ISAC or the Department of 
Homeland Security ensure the immediate implementation of mitigation 
efforts?
    Response: Under the National Infrastructure Protection Plan (NIPP) 
Partnership Framework, public--and private-sector security partners 
collaborate on national critical infrastructure protection. The 
Department of Homeland Security (DHS) currently has several mechanisms 
in place to communicate with vendors, owners, and operators to 
facilitate information sharing about exploits and vulnerabilities, as 
well as incident management and appropriate mitigation efforts. For 
example, the United States Computer Emergency Readiness Team National 
Cyber Alert System facilitates information sharing about 
vulnerabilities to a broad audience; the Control Systems Cyber Security 
Vendors' Forum meets monthly to discuss emerging issues affecting 
control systems security; and DHS works directly with the control 
systems stakeholder community to exchange information by leveraging the 
Protected Critical Infrastructure Information program, which safeguards 
sensitive information shared by industry with the government.
    In the case of the Aurora vulnerability, DHS worked with the 
private sector through the NIPP Framework to alert the control systems 
community. Federal agency partners worked with industry technical 
experts to assess the vulnerability and to develop sector-specific 
mitigation plans. The jointly developed mitigation guidance allowed 
owners and operators within the affected sectors to take deliberate and 
decisive actions to reduce significantly the risk associated with this 
vulnerability.

    Question 3.: How many program managers have been in charge of the 
Control Systems Security Program in the last 3 years? What was the FY 
2007 budget? Who is in charge of this program, and what grade is that 
person?
    Response: Four individuals have served as the National Cyber 
Security Division (NCSD) Control Systems Security Program Director 
since May 2004. The Program Director position, within Cybersecurity and 
Communications at NPPD, is currently vacant and posted at the GS-15 
level. In the interim, Cheri McGuire, GS-15, is serving as the Acting 
Control Systems Security Program Director.
    The FY07 budget for the NCSD Control Systems Security Program was 
$9.3 million.

    How has your office developed a process to formalize and improve 
information sharing regarding control system vulnerabilities with 
critical infrastructure owners and operators?
    Response: The Department of Homeland Security (DHS) coordinates 
efforts among Federal, State, and local governments, as well as control 
systems owners, operators, and vendors, to improve control systems 
security within and across all critical infrastructure sectors by 
reducing cyber security vulnerabilities. DHS has developed a process to 
formalize the sharing of sensitive information related to control 
systems vulnerabilities. This process describes the information flow 
from vulnerability discovery to validation, public and private 
coordination, and outreach and awareness, and also identifies the 
deliverables and outcomes expected at each step in the process.
    The process includes existing entities across the public and 
private sectors, such as the Federal Control Systems Security Working 
Group, the Process Control Systems Forum, Sector Specific Agencies, 
Government Coordinating Councils and Sector Coordinating Councils, the 
United States Computer Emergency Readiness Team (US-CERT), and 
Information Sharing and Analysis Centers. It also builds on established 
DHS practices and procedures for the identification, validation, 
coordination, and communication of vulnerabilities across the critical 
infrastructure and key resources (CI-KR) spectrum.
    As part of this process, DHS uses three primary mechanisms to 
communicate vulnerability information about control systems to various 
stakeholders:
        1. US-CERT shares information about vulnerabilities via several 
        products. These products include Vulnerability Notes, which are 
        released on a regular basis, and the Quarterly Report on Cyber 
        Vulnerabilities of Potential Risk to Control Systems, which 
        includes more detailed analyses of cyber vulnerabilities that 
        may impact control systems.
        2. DHS partners with vendors, owners, and operators to perform 
        vulnerability assessments of selected systems to identify cyber 
        vulnerabilities based on emerging exploits and works with 
        industry to develop mitigation strategies. DHS also works with 
        control systems vendors, owners, and operators as they share 
        sensitive information through the Protected Critical 
        Infrastructure Information program so that private-sector 
        vulnerability data may be appropriately safeguarded.
        3. DHS facilitates information sharing among control systems 
        vendors through its sponsorship of the Control Systems Cyber 
        Security Vendors' Forum established in 2006. The Forum holds 
        monthly meetings at which control systems vendors share 
        information and discuss emerging issues affecting control 
        systems security. The Forum has served as a basis for building 
        a trusted information sharing community and comprises more than 
        90 percent of the vendors who manufacture and provide support 
        services to the CI-KR control systems market in the U.S.
    Are all government-owned assets compliant with NIST 800-53 as 
applied to control systems?
    Response: Under the Federal Information Security Management Act, 
all Federal agencies must meet minimum security requirements for 
information and information systems in accordance with National 
Institute of Standards and Technology (NIST) Special Publication 800-
53, Recommended Security Controls for Federal Information Systems, as 
amended. NIST 800-53 is currently undergoing revisions to include 
security guidelines specific to control systems. Federal agencies have 
up to one year from the date of final publication to fully comply. DHS 
is working closely with NIST on these revisions.

    Question 4.: According to the GAO, DHS has 13 different initiatives 
focused on securing control systems. The Department of Energy, the 
Federal Energy Regulatory Commission (FERC), and the National Institute 
of Standards and Technology (NIST) also have initiatives in this field. 
In 2004, the GAO recommended DHS create an overall strategy to 
coordinate various control systems activities across federal agencies 
and the private sector. Please provide a copy of this strategy.
    Response: To reduce cyber risks to control systems within and 
across all critical infrastructure sectors, the Department of Homeland 
Security (DHS) coordinates efforts among Federal, State, local, and 
tribal governments, as well as control system owners, operators, and 
vendors. Coordinating efforts to secure control systems is paramount to 
an effective protective posture for all critical infrastructure and key 
resources.
    DHS is working with its partners to baseline activities to serve as 
the foundation for developing a comprehensive strategy that will 
encompass the public and private sectors, set a vision to secure 
control systems, describe roles and responsibilities, and identify 
future requirements for resources and actions.
    The Department has developed a timeline to complete this action 
building on work that has already been completed. In the first quarter 
of Fiscal Year 2008, a draft of the Federal sector portion of the 
strategy will be released for review by government stakeholders. In 
cooperation with the Partnership for Critical Infrastructure Security, 
the private industry component will be integrated into the strategy, 
with a draft available for review in the third quarter of FY 2008. 
After the review and comment period is completed, a final comprehensive 
strategy will be released in the first quarter of FY 2009.

    Question 5.: How is the Science and Technology control systems 
program--Project LOGIIC--being used to help mitigate vulnerabilities in 
the control systems of the oil and gas sector?
    Response: LOGIIC is a collaborative forum for government and 
industry to focus on cyber security issues for the oil and gas 
industry. Infrastructure owner and operator needs determine projects, 
which are supported by both government and independent experts. 
Projects examine needs and solutions for correlating and analyzing 
abnormal events to provide indications and warnings of cyber security 
threats. LOGIIC enables informed response to threats by taking 
corrective action. LOGIIC's goal is to achieve the ability to correlate 
abnormal events from the process control network and its interfaces to 
the business network with alerts from sources on the business network 
(intrusion detection systems, firewalls, etc.).
    LOGIIC is helping to mitigate vulnerabilities by identifying and 
adapting new types of security sensors for process control networks, 
adapting a best-of-breed correlation engine to this environment, and 
integrating and demonstrating the technology suite in a test bed 
environment.

    Question 6.: Did the Multi-State Information Sharing and Analysis 
Center (MS-ISAC) receive any more un-obligated funds for FY 2008?
    Response: Yes, the Multi-State Information Sharing and Analysis 
Center (MS-ISAC) received funding using the available Fiscal Year 2007 
carryover funds in the amount of approximately $1.4 million.
    The MS-ISAC procurement was not awarded by the end of FY 2007 
(September 30, 2007). DHS initiated a replacement procurement action 
that used both the committed $974,849.72 of FY 2007 funds and an 
additional $465,976.03 of FY 2007 carryover funds that had not been 
obligated by the close of FY 2007. FY 2007 carryover funds for cyber 
security are available for obligation until September 30, 2008, as 
stipulated in the DHS Appropriations Act of 2007 (H.R. 5441).

     Questions from the Honorable Michael McCaul, Ranking Member, 
   Subcommittee on Emerging Threats, Cybersecurity, and Science and 
                               Technology

    Question 7.: I understand there is a hardware device that can be 
used in conjunction with other proposed mitigations that is currently 
being developed by engineers out at Idaho National Labs. I have been 
told that currently only one vendor is marketing a hardware fix despite 
there being multiple vendors that sell this sort of equipment. What in 
your opinion is preventing other vendors from moving forward with this 
mitigation device? Similarly has the department engaged in any 
discussion of the use of its authorities granted under the Defense 
Production Act to ensure that those government customers that need 
these devices are accommodated?
    Response: Battelle Energy Alliance (BEA), the contractor 
responsible for operating the Department of Energy (DOE) Idaho National 
Laboratory (INL) and owner of INL intellectual property, has filed an 
application with the US Patent and Trademark Office for a method to 
mitigate the Aurora vulnerability. Multiple vendors have expressed 
interest in licensing the technology from INL. The technology transfer 
process conforms to standards for all DOE National Laboratories.
    Regarding the Defense Production Act (DPA), the Department of 
Homeland Security has assessed the use of the DPA as a potential avenue 
for ensuring that certain technologies are developed and produced to 
meet national defense needs, including critical infrastructure 
protection needs; however, at this time the technology necessary to 
mitigate the threat related to control systems security is available to 
customers. A shortage in supply would drive further exploration of the 
use of the DPA.
    Installing a hardware device with technology licensed from the BEA-
pending patent can provide critical infrastructure and key resource 
asset owners and operators with endpoint security. The sector-specific 
mitigation plans, however, are based on industry best practices and 
contribute to comprehensive risk reduction from cyber security 
vulnerabilities to control systems.

    Question 8.: In Mr. Roxey's testimony he mentioned the need for 
technical experts to be engaged from the very start. Since the 
engineers at Idaho National Labs discovered this vulnerability have 
they been involved in developing the mitigations and briefing the 
private sector?
    Response: Yes. Technical experts, including experts from the 
National Laboratories, supported efforts undertaken by the Sector 
Coordinating Councils, Information Sharing and Analysis Centers, and 
the Sector Specific Agencies to develop mitigation plans and provided 
briefings to critical infrastructure and key resource owners and 
operators on the control systems vulnerability. The Department of 
Energy National Laboratories, including the Idaho National Laboratory, 
provide subject-matter expertise to the Department of Homeland Security 
to improve control systems security.

    Question 9.: What is the action plan to minimize overlapping 
efforts at DHS?
    Response: The Department of Homeland Security coordinates efforts 
among a variety of stakeholders from both the public and private 
sectors to secure control systems. To prioritize activities and 
minimize overlapping of efforts, the Department is working with its 
partners to baseline activities to serve as the foundation for 
developing a comprehensive strategy that will encompass the public and 
private sectors, set a vision to secure control systems, describe roles 
and responsibilities, and identify future requirements for resources 
and actions.

    Question 10.: What is being done to utilize private sector 
companies that have significant process control and SCADA cyber 
security experience to assist in the area of critical infrastructure 
cyber security protection?
    Response: Recognizing the expertise the private sector has to 
offer, the Department of Homeland Security (DHS) sponsors a number of 
groups to foster close collaboration and information sharing among the 
control systems stakeholder community. The Cross Sector Cyber Security 
Working Group (CSCSWG), which was established in May 2007 by DHS and 
the Partnership for Critical Infrastructure Security, brings together 
government and private-sector cyber security experts to address 
systemic cyber risk collaboratively across the critical infrastructure 
and key resource sectors. The CSCSWG facilitates the sharing of 
information across the sectors about cyber security issues, such as 
common vulnerabilities and protective measures, as well as the policy 
implications of cross-sector cyber dependencies and interdependencies. 
Public and private sector representatives from all 17 sectors 
participate in the CSCSWG.
    The Process Control Systems Forum (PCSF) is one of three standing 
groups under the CSCSWG that provide monthly updates on their work so 
that CSCSWG members can benefit from or engage in activities as 
appropriate. The PCSF was established to accelerate the design, 
development, and deployment of more secure control systems. It is the 
Department's primary vehicle for engaging with the private sector on 
control systems security and includes a variety of stakeholders 
including government, academia, owners and operators, systems 
integrators, and vendors. More than 200 people attended the PCSF's most 
recent annual meeting, at which the control systems stakeholder 
community gathered to discuss cyber security challenges and issues, 
deliver training resources, and provide technical subject matter 
expertise.
    PCSF's Control Systems Cyber Security Vendors' Forum facilitates 
communication in a trusted environment between industrial automation 
and equipment suppliers and control system service providers. The Forum 
consists of 50 members from 27 domestic and international companies 
comprising 90 percent of the market share providing service to all 17 
critical infrastructure sectors. Recent collaboration occurred earlier 
this year when members of the Vendors' Forum worked together to address 
the potential effects on control systems caused by the date change in 
the Daylight Saving Time (DST) standard. The change in DST impacted 
control systems in more than 19 countries. The control systems 
community recognized the importance of this issue and worked with the 
U.S. Computer Emergency Readiness Team (US-CERT) to develop a Technical 
Information Paper, ``Daylight Saving Time Changes for 2007.'' This 
guidance to industry on mitigation measures was downloaded from the US-
CERT website more than 500 times between April and July 2007.
    DHS is also working with the Multi-State Information Sharing and 
Analysis Center (MS-ISAC), the SANS Institute, the Department of Energy 
Idaho National Laboratory, and representatives from government and 
industry on the SCADA Procurement Project. The Procurement Project 
seeks to develop common procurement language that owners and regulators 
can incorporate into contracting mechanisms to ensure the control 
systems they are buying or maintaining have the best available 
security. The long-term goal is to raise the level of control systems 
security through the application of robust procurement requirements. 
The Procurement Project has received very positive feedback from users, 
and the document has averaged more than 450 downloads per month from 
the MS-ISAC website where it was posted in January 2007.
    DHS will continue to work closely with public--and private-sector 
security partners through the CSCSWG and PCSF to coordinate our 
activities and develop a National Strategy to Secure Control Systems.

    Question 11.: What is being done to coordinate a standard control 
system cyber security policy across each of the 17 Sector Specific 
Plans (SSP) defined by DHS?
    Response: Under the National Infrastructure Protection Plan Risk 
Management Framework, all sectors must address the physical, cyber, and 
human elements of infrastructure in their preparedness and protection 
efforts. Securing control systems is part of the sectors' efforts to 
secure their cyber infrastructure. In support of the cross-sector cyber 
responsibility, the National Cyber Security Division is working closely 
with the Office of Infrastructure Protection (IP), the Sector Specific 
Agencies (SSAs), and other security partners to develop guidance and 
approaches to reduce cyber risk and integrate cyber security into the 
critical infrastructure and key resource (CI-KR) sectors' protection 
and preparedness efforts.
    During the Sector-Specific Plan (SSP) development process, the 
Department of Homeland Security (DHS) provided cyber expertise to the 
sectors, including reviews of draft SSPs and participation in sector-
specific cyber security meetings. Specifically, as sectors were 
developing their SSPs, DHS developed and provided information to SSAs 
on resources for cyber security practices and protective programs that 
are applicable across all sectors, as well as some that are more 
focused on individual sectors, to help identify cyber security-related 
protective programs. For each protective program, a brief description 
with the specific activities they supported within the preparedness 
spectrum was provided. DHS also developed information on cyber research 
and development (R&D) requirements and priorities to help SSAs identify 
cyber-related R&D priorities. DHS provided a description of Federal 
organizations that support cyber R&D and several references to R&D 
documents that outline specific cyber security initiatives. DHS also 
offered to work directly with any sector that requested assistance and 
worked with responding sectors to develop and review cyber security 
content for the SSPs. These resources identified control systems cyber 
security where appropriate.
    DHS also developed a comprehensive SSP Cyber Guidance Checklist, 
which provided sectors with a framework for integrating cyber security 
throughout each section of their SSPs. The checklist complemented DHS' 
2006 CI-KR Protection SSP Guidance developed by OIP and was intended to 
provide a starting point for SSAs as they integrated cyber into their 
SSPs. The checklist included an outline and guidance for the 
development of cyber content for the SSPs. DHS shared the checklist in 
IP-sponsored technical assistance sessions with SSAs to provide 
expertise and answer questions regarding the inclusion of cyber 
security in the SSPs. DHS personnel also met individually with those 
SSA representatives who expressed an interest in determining approaches 
for incorporating cyber security into their SSPs and sector risk 
management efforts.
    DHS will continue to work with the SSAs as the 17 CI-KR SSPs are 
updated in the future and will provide additional guidance on cyber 
security-related goals, security partners, risk assessment approaches, 
protective programs, R&D priorities, and measures. These materials will 
continue to include control systems security and will help to ensure 
that sectors address control systems security in a consistent manner 
across the 17 CI-KR SSPs.

    Question 12.: Are there any plans to increase the reach of the 
cyber security language in DHS 6 CFR Part 27, Section 550 for the 
chemical industry? If so what is anticipated and if not, why not?
    Response: The Department of Homeland Security (DHS) does not intend 
to change any of the regulatory language contained in the Chemical 
Facility Anti-Terrorism Standard (6 CFR Part 27) regarding cyber 
security. Section 27.230(a)(8) makes cyber security a performance 
standard for high-risk chemical facilities. DHS is in the process of 
developing guidance to help high-risk chemical facilities identify and 
implement cyber security measures that may be appropriate given their 
unique circumstances and levels of risk. This guidance document, which 
is currently under development, will provide guidance on all of the 
risk-based performance standards established in 6 CFR Part 27. Some of 
the cyber security areas that will be addressed in the guidance 
document include cyber security policy, access control, personnel 
security, awareness and training, monitoring and incident response, 
disaster recovery and business continuity, system development and 
acquisition, configuration management, and audits.

    Question 13.: What is the DHS going to do in order to drive 
collaboration and cooperation between the public sector and private 
sector?
    Response: The National Infrastructure Protection Plan (NIPP) 
Partnership Framework supports the establishment and maintenance of 
Sector Coordinating Councils (SCCs) that enable private-sector owners 
and operators to interact on a wide range of sector-specific 
strategies, policies, activities, and issues. SCCs serve as principal 
sector policy coordination and planning entities. Sectors also rely on 
Information Sharing and Analysis Centers (ISACs), which provide 
operational and tactical capabilities for information sharing and, in 
some cases, support for incident response activities. The ISACs, as 
well as other information sharing mechanisms, provide a means for the 
government and private sector to exchange information. In addition to 
the SCCs, the NIPP Partnership Framework enables sectors to establish 
and maintain Government Coordinating Councils (GCCs) comprising 
representatives across various levels of government (i.e., Federal, 
State, local, or tribal) so sector-specific strategies, activities, 
policy, and communications can be coordinated. SCCs and GCCs meet 
jointly to discuss sector activities, shape priorities for the future, 
and collaboratively develop and review critical infrastructure 
protection planning documentation.
    The Cross Sector Cyber Security Working Group (CSCSWG) facilitates 
collaboration and coordination between government and private sector 
security partners with cyber security expertise from each of the 17 
critical infrastructure and key resource (CI-KR) sectors on cross-
cutting cyber issues. The CSCSWG, which held its inaugural meeting on 
May 30, 2007, meets monthly and includes more than 90 representatives 
from the SCCs and GCCs of the 17 CI-KR sectors.
    The Department of Homeland Security coordinates efforts among 
government and private-sector members of the control systems community 
to improve security within and across all critical infrastructure 
sectors by reducing cyber security vulnerabilities. This coordination 
includes enhancing public-private partnerships through the Process 
Control Systems Forum and the Partnership for Critical Infrastructure 
Security, as well as using a process to formalize the sharing of 
sensitive information related to control systems vulnerabilities.

   Questions from the Honorable Paul Broun, Jr., a Representative in 
                   Congress from the State of Georgia

    Question 14.: How is the Department facilitating long term 
mitigation efforts with vendors of control systems? What sort of 
contact does the Department have with the manufacturers of these 
devices?
    Response: Assessing technologies is one of the Department's core 
long-term efforts and assists in identifying vulnerabilities, 
developing mitigation strategies, and sharing information to reduce 
risk to the Nation's critical infrastructure and key resources. The 
Department performs vulnerability assessments of selected vendor 
systems to identify cyber vulnerabilities based on emerging 
exploitations. This effort is accomplished by leveraging the 
infrastructure and test beds of Department of Energy National 
Laboratories, vendor facilities, and other existing end user 
facilities.
    To date, the Department has completed eight control systems 
vulnerability assessments in cooperation with control systems vendors 
who provide the hardware, software, and training necessary to run the 
control system. Based largely on the results of these assessments, 
vendors have developed system patches, reconfigured system 
architectures, and built enhanced systems. The results of the vendor 
assessments have also helped inform other Federal control systems 
efforts, such as developing a self assessment tool for industry owners 
and operators to further reduce cyber risk associated with control 
systems. In addition, the Department has provided owners and operators 
with strategies for mitigating existing system security risks.
    The Department sponsors the Process Control Systems Forum (PCSF), a 
public-private partnership which leverages the experience, 
capabilities, and contributions of international stakeholders from 
government; academia; industry users, owner/operators, and systems 
integrators; and the vendor community through meetings and working 
groups to develop and adopt common architectures, protocols, and 
practices. The PCSF's Control Systems Cyber Security Vendors' Forum 
facilitates communication in a trusted environment between industrial 
automation and equipment suppliers and control system service 
providers. The Vendors' Forum comprises 50 active members from 27 
global manufacturers representing 90 percent of the control systems 
marketplace.

 Question from the Honorable James R. Langevin, Chairman, Subcommittee 
             on Emerging Threats, Cybersecurity and Science

                    Response from Joseph McClelland

    Question 1.: It is my understanding that many security managers in 
the industry were interested in submitting comments to the FERC 
rulemaking on critical infrastructure protection, but felt that they 
could not do so for fear of retribution by their own management. Is 
this a problem, and if so, what is FERC doing to allow for anonymous 
comments for future rulemakings?
    Response: In a rulemaking proceeding, the Commission's ex parte 
rules do not apply. Thus, a person wishing to remain anonymous could 
informally talk to Commission staff about his or her concerns without 
having to formally intervene and identify his or her name. Staff could 
pursue the concerns raised to the extent warranted. However, the 
Commission's Rules of Procedure require that a filing submitted to the 
Commission identify the name of the person making the filing. I believe 
that is appropriate as the public process of a rulemaking should 
include the willingness of formal commenters to identify their name in 
their comments.

    Questions from the Honorable Michael T. McCaul, Ranking Member, 
     Subcommittee on Emerging Threats, Cybersecurity , and Science

    Question 2.: Why does the Notice of Proposed Rulemaking posted by 
NERC ignore for now the major infrastructure dependencies on the bulk 
power system? Should not every responsible entity be held to the same 
standards for securing critical assets?
    Response: Section 215 of the Federal Power Act (FPA) authorizes the 
Commission to approve reliability standards that ``provide for the 
reliable operation of the bulk power system,'' which the statute 
defines as the facilities and control systems necessary for operation 
of an interconnected electric energy transmission network and the 
electric energy need to maintain transmission system reliability. The 
Commission's authority under FPA section 215 does not extend to other 
infrastructure such as natural gas pipelines, oil pipelines, or 
railways, although such infrastructure can have a significant impact on 
the bulk power system.

    Question 3.: As director of reliability do you support 
strengthening security and the SCADA control systems? With regard to 
the comments that FERC has received thus far on the CIP standards how 
do you see the regulations being promulgated?
    Response: Yes, I do support strengthening security and control 
systems. Historically, control systems have been built with a focus on 
operations, with little or no focus on security, as many 
infrastructures have not been viewed as targets in the past. At the 
same time, these control systems are migrating towards the standard IT 
platforms and internet communications, making them even more vulnerable 
to attack by increasing the connectivity to the outside world. Pursuant 
to its authority and responsibilities, the Commission is in the process 
of analyzing public comments and evaluating the Notice of Proposed 
Rulemaking (NOPR) in light of those comments. The comments of the House 
Subcommittee on Emerging Threats, Cybersecurity and Science and 
Technology are among those being considered. The NOPR proposed dozens 
of significant modifications to the CIP standards to make them stronger 
and more effective, thereby increasing security of SCADA control 
systems. They addressed, among other things, increased oversight of the 
implementation of the CIP standards, controls on the discretion 
exercised by responsible entities, and increased penalty levels for 
failure to comply with the CIP standards. I can assure you that the 
final rule will be based on a careful consideration of all comments 
submitted.

    Question 4: Please describe what authority FERC currently has in 
the area of cyber security. Do you think the Commission should have the 
authority to modify a NERC standard?
    Response: Pursuant to section 215(d) of the FPA, the Commission is 
authorized to approve a reliability standard developed by the North 
American Electric Reliability Corporation or NERC, the Commission-
certified electric reliability organization. Section 215 of the FPA 
defines ``reliability standard'' to include ``requirements for the 
operation of existing bulk-power system facilities, including 
cybersecurity protection. . .'' Thus, section 215 explicitly allows for 
the development of reliability standards that relate to cyber security. 
Pursuant to section 215(d)(3) of the FPA, the Commission has authority 
to order compliance with a reliability standard and may impose 
penalties for non-compliance.
    As you are aware, NERC submitted to the Commission eight proposed 
reliability standards, referred to as the ``CIP'' standards, which 
would require certain users, owners and operators of the nation's bulk 
power system to comply with specific requirements to safeguard critical 
cyber assets. In July 2007, the Commission issued a notice of proposed 
rulemaking that proposes to approve the proposed CIP standards. The 
NOPR also proposes to direct NERC to develop modifications to the 
proposed reliability standards to address specific concerns identified 
by the Commission. The Commission received public comment on the NOPR 
in October 2007 and intends to issue a final rule in a timely manner.
    If the Commission, in the final rule, approves the reliability 
standards as proposed in the NOPR, they will become mandatory and 
enforceable. The Commission would then have authority to order 
compliance with the CIP standards and impose penalties for non-
compliance with the cyber security requirements. It is important to 
understand that NERC has proposed an implementation plan that would 
require that entities begin compliance no earlier than mid-2009, with 
full compliance being achieved by the end of 2010. NERC represents that 
the long lead time is necessary to achieve compliance with many of the 
requirements of the proposed reliability standards; the NOPR proposed 
to approve NERC's implementation plan.
    You also ask whether the Commission should have the authority to 
modify a NERC reliability standard. Section 215(d) of the FPA provides 
that the electric reliability organization, NERC, will develop proposed 
reliability standards and submit the standards to the Commission. The 
Commission has the options of approving or remanding a reliability 
standard. The Commission, however, does not have authority to develop a 
reliability standard on its own. Likewise, while section 215(d)(5) of 
the FPA authorizes the Commission to order the electric reliability 
organization to submit to the Commission a new or modified reliability 
standard to address a specific matter, the Commission does not have 
authority to independently authorize or modify a standard. While this 
is a significant limitation of the use of the section 215 process, The 
Commission has not yet reached the conclusion that legislation is 
needed at this time.

    Question 5.: How will you oversee and ensure the security process 
goes forward? How will you work with the industry to ensure that 
security risks are addressed?
    Response Once Commission-approved CIP standards are in place, 
Commission staff will participate in the audit of entities to determine 
the security posture of the industry. Commission staff also will work 
with NERC to continue to improve the CIP standards, requiring 
modifications to existing standards and new standards as appropriate. 
In addition, we will monitor and evaluate the number and types of 
assets that are being protected as critical assets. We will closely 
follow the standard development efforts that NIST and ISA are leading. 
In addition, the Commission proposed in the NOPR to require NERC to 
seek and consider comments from federal entities, such as Tennessee 
Valley Authority, that are subject to both the NIST standards and CIP 
standards to assist NERC in determining which elements of the NIST 
standards may be more advantageous to protect the Bulk Power System so 
that NERC may consider including such provisions into the CIP 
standards.

    Question 6.: Does the Commission have enough resources to promote 
reliability and protection from cybersecurity threats?
    Response: Based on our workload projections, the Commission is 
seeking to add more engineers and personnel with bulk power system 
experience, including cyber security and control system expertise. 
Thus, in June 2007, Chairman Kelliher wrote to the Chairmen and Ranking 
Members of the House and Senate Appropriations Committees, seeking an 
additional $9 million for our reliability work in fiscal year 2008. 
This would provide for an additional 55 Full-Time Equivalents (FTEs) to 
support the Commission's reliability program. These FTEs would consist 
primarily of electrical engineers, power system experts, auditors and 
lawyers. The Commission's Chairman also asked for authorization to hire 
electrical engineers non-competitively up to the GS-15 level, and to 
hire six additional executive senior level (SL) staff in support of its 
reliability program. As you may know, the Commission is a self-
supporting agency and would recover the additional appropriations 
through fees and annual charges, as it does all of its costs, and will 
operate at no net cost to the taxpayer. I encourage you to support 
these requests by the Commission.

    Question 7.: NERC said there has been 100% compliance with its 
action alert on cybersecurity. Does the Commission agree?
    Response: The Commission has no information on whether there has 
been 100% compliance with NERC's action alert. To determine the level 
of compliance and the effectiveness of such compliance, the Commission 
intends to issue an order directing submission of certain cyber 
security information from each generator owner and operator and 
transmission owner and operator in the United States registered by 
NERC. As a first step toward that end, the Commission, in an October 
23, 2007 letter, informed the Office of Management and Budget (OMB) of 
the Commission's intended action, and requested OMB's emergency 
approval of the Commission's information collection request. This 
emergency approval, if granted, would expedite the OMB approval 
process, which in ordinary circumstances allows a sixty-day comment 
period on the proposed information collection before OMB approval. OMB 
has not acted on the Commission's request at this time.
    NERC, following the Subcommittee's October 17, 2007 hearing, issued 
a survey regarding mitigation efforts, with responses due on November 
2, 2007. Although we support NERC taking the actions it believes are 
necessary as ES-ISAC, we do not believe NERC's survey provides 
sufficient information for the Commission to determine whether further 
action is appropriate. For example, it does not provide information on 
what facilities are the subject of the mitigation plans, what steps to 
mitigate the cyber vulnerability are being taken, when those steps are 
planned to be taken, and, if certain actions are not being taken, why 
not. Nor is it clear that NERC has received a complete set of responses 
to its data request. Thus, it is important for the Commission to issue 
an order seeking information that would supplement NERC's action and 
provide more detailed information on which to assess the status of 
mitigation efforts.
    If the OMB authorizes the Commission to collect this information, 
the Commission intends to issue the order and direct the submission of 
this information to NERC. Following Commission review of the 
information, the Commission will determine whether further action is 
necessary or appropriate. For example, the Commission may consider 
adopting an order that requires, pursuant to section 215 of the FPA, 
the expedited development of a reliability standard to ensure that 
mitigation measures are promptly and effectively implemented. However, 
Commission review of this information may also indicate that no further 
action is necessary or appropriate.

    Question 8.: How will FERC ensure the implementation of higher 
standards for cyber security? Will you investigate the mitigation 
efforts performed by owners and operators of the Aurora issue?
    Response: Please see responses to questions 5 and 7.

   Questions from the Honorable Paul Broun, Jr., a Representative in 
                   Congress from the State of Georgia

    Question 9.: Please describe what authority FERC currently has in 
the area of cyber security. Do you think the Commission should have the 
authority to modify a NERC standard? How will you oversee and ensure 
the security process goes forward? How will you work with the industry 
to ensure that security risks are addressed? Does the Commission have 
enough resources to promote reliability and protection from 
cybersecurity threats?
    Response: Please see responses to questions 4, 5 and 7.

    Question 10.: Can you describe the role that FERC is taking while 
working with the Department of Energy and the Department of Homeland 
Security?
    Response: The Commission has been collaborating with both DHS and 
DOE as required by Homeland Security Presidential Directive/Hspd-7 
(Critical Infrastructure Identification, Prioritization, and 
Protection) that established DHS as the lead in protecting the critical 
infrastructure of the United States and DOE as the Sector Specific 
Agency for electric power. In this regard, Commission staff have 
supported and participated in DOE and DHS security initiatives. For 
example, we participated in the DOE-led effort that produced the 
Roadmap to Secure Control Systems in the Energy Sector. We also 
participate in the electric sector Government Coordinating Council co-
chaired by DOE and DHS personnel. We supported and participated in the 
efforts that developed the National Infrastructure Protection Plan and 
the Electric Sector Specific Plan. With DOE's cooperation, we have 
utilized the expertise found in the national laboratories to better 
understand control system cyber vulnerabilities. Commission staff 
participated in an interagency team, which included DHS and DOE, formed 
to address the Aurora vulnerability. Currently, we continue to 
cooperate with DOE and DHS and share information concerning threats. As 
the only agency with authority to approve mandatory reliability 
standards regarding the nation's electric grid, the Commission can 
direct the ERO to develop any needed standard in an expedited 
timeframe.

    Question from the Honorable Michael T. McCaul, Ranking Member, 
   Subcommittee on Emerging Threats, Cybersecurity, and Science and 
                               Technology

                        Responses from Joe Weiss

    Question 1.: What are the principal differences between the ISA 99 
standards and the NIST best practices found in Special Publication 800-
53?
    Response: Although the developmental processes were different for 
NIST 800-53 and the ISA 99 standards, the results are harmonious. There 
has been a significant amount of cross-pollination of people between 
the NIST and ISA standards which will provide for a seamless transition 
between the standards. Both ISA and NIST address multiple industries 
and have similar content in those areas where the development is 
essentially complete. It should be noted that neither ISA nor NIST 
include the exceptions and exclusions found in the NERC CIP cyber 
security standards. Specifically, NIST SP 800-53 security controls 
address the management, operational, and technical safeguards, 
countermeasures, and/or compensating measures prescribed for an 
information system to protect the confidentiality, integrity, and 
availability of the system and its information. ISA 99 Part 2 covers 
the management and operational requirements. NIST will be performing a 
mapping between ISA 99 Part 2 and the NIST SP 800-53 management and 
operational security controls. ISA 99 Part 4 will cover the technical 
requirements. NIST has provided SP 800-53 to the ISA 99 Part 4 Working 
Group for consideration in the development of the Part 4 standard. No 
significant differences are expected.

Question from the Honorable Paul C. Broun, a Representative in Congress 
                       from the State of Georgia

    Question 2.: What, in your opinion, is the most egregious element 
of the NERC CIP standards? If they had to change one particular element 
to be in line with your recommendations, what would it be?3
    The most egregious element of the NERC CIP standards is the scope, 
particularly the limitations and vagueness in NERC CIP-002. To be in 
line with my recommendations, there would need to be two changes. The 
first change would be to eliminate the exclusions of telecom, market 
functions, electric distribution, non-routable protocols, and nuclear 
power plants. The systems and protocols that have been excluded by the 
NERC CIP process have vulnerabilities that could affect the reliability 
of the electric grid. The second change would be to require all systems 
that are electronically connected (e.g., digital or analog connection 
of information or control systems) to be considered critical. These 
changes would result in the utilities addressing all systems throughout 
the enterprise that could be pathways into or out of the control system 
networks. These changes are consistent with what is required for 
securing business Information Technology applications and would make 
the NERC CIPs more consistent with the NIST framework.

Question from the Honorable Bennie G. Thompson, Committeee on Homeland 
                                Security

                    Response from David A. Whiteley

                       Amended December 12, 2007

    Question 1.: What were the results of the August 2007 NERC survey 
sent to owners and operators regarding the status of the sector's 
implementation of the Aurora mitigation efforts? Please provide the 
Committee with a copy of the survey and a narrative of the results.
    Response: Survey responses were received from 133 entities. The 
respondents included generating plant owners, generating plant 
operators, transmission owners, transmission operators, and load-
serving entities. The respondents ranged from very large, multistate 
investor-owned utilities to small municipal utilities. Responses were 
received from all eight reliability regions.
    The results of the survey indicate 94% of the mitigation measures 
recommended in the June 21 ES-ISAC advisory are completed or are in 
progress. This 94% consists of 60% completed and 34% in progress. The 
remaining 6% are not being performed for a variety of reasons (not 
applicable due to nature of equipment, being done by another entity, 
could compromise reliability rather than help reliability).
    The respondents indicated they are taking a prioritized approach to 
the mitigation measures in applying them to their facilities. All 
respondents with nuclear facilities indicated they have completed the 
mitigation measures associated with those facilities and are working on 
other, smaller facilities on a prioritized basis.
    A copy of survey is enclosed.\1\
---------------------------------------------------------------------------
    \1\ See to committee file.

    Question 2.: If a cyber exploit of the Aurora vulnerability is 
imminent, how will the Electric Sector ISAC ensure the immediate 
implementation of mitigation efforts?
    Response: The Electricity Sector (ES) ISAC would initiate the 
following notification steps:
         Obtain approval from the Electricity Sector 
        Coordinating Council to escalate the Cyber Threat Alert Level 
        to Red.
         Post the escalated level on the ES-ISAC Web site.
         Send e-mail notifications to the electric industry 
        through distribution lists designed for notification purposes. 
        The NERC regional entities, the reliability coordinators, and 
        all Independent System Operators (ISOs) and Regional 
        Transmission Organizations (RTOs) are included on the lists. 
        Also included on the lists are government agencies (NRC, DOE, 
        DHS, FERC, Public Safety Canada), other critical infrastructure 
        sector ISACs, and industry trade associations.
         The notification would recommend that the industry 
        promptly complete the immediate mitigation measures identified 
        in the ES-ISAC Advisory. In the case of the June 21, 2007 ES-
        ISAC Advisory, those mitigation measures included:
        1. Robust cyber access mechanisms
        2. Disable remote configuration change capability
        3. Disable automatic re-close function
        4. Add time delay to close function
        5. Disable remote close function
    Following notification to the industry, the ES-ISAC would follow-up 
to monitor progress in implementing the immediate measures. The 
progress would be tabulated and reported to appropriate government 
agencies.

    Question 3.: One of the NERC standards requires an entity to 
identify its ``critical assets'' and ``critical cyber assets,'' with 
the goal of ensuring that these assets are adequately protected from 
any potential cyber incident. Under the NERC definition, would the 
assets at issue in the Aurora vulnerability be considered ``critical 
assets''?
    Response: Critical assets determined using the methodology from 
NERC standard CIP-002-1 would include generation assets which are 
subject to the Aurora vulnerability. These typically will be large 
generators and ``blackstart'' generators (i.e., those generators used 
to restart the bulk power system following a large blackout). However, 
not all generators are essential to the reliable operation of the bulk 
electric system, and therefore would not be included on a list of 
critical assets.

    Question 4.: Are the NERC CIP standards consistent with the lessons 
learned document issued after the August 2003 blackout?
    Response: Yes. The NERC CIP Standards are consistent with the 
recommendations in the August 2003 blackout report.\1\ There were 13 
recommendations (R32 through R44) in the ``physical and cyber 
security'' section of the recommendations list in the blackout report. 
Of these, all of the recommendations that could properly be addressed 
through Reliability Standards are addressed by requirements of the CIP 
standards, as shown in the table below. Recommendation 36 is not a 
standards issue, and recommendations 37 and 39 will require research 
before standards can be written to fully address the recommendation.
---------------------------------------------------------------------------
    \1\ Final Report on the August 14, 2003 ``Blackout in the United 
States and Canada: Causes and Recommendations'', U.S.-Canada Power 
System Outage Task Force, April 5, 2004. The recommendations regarding 
physical and cyber security appear at pages 163-169 of the Report, 
which is available at: http://www.oe.energy.gov/DocumentsandMedia/
BlackoutFinal-Web.pdf.


------------------------------------------------------------------------
           Recommendation                   Relevant CIP Standard
------------------------------------------------------------------------
32--Implement NERC IT Standards                          CIP 002-009
------------------------------------------------------------------------
   33--IT Management Procedures                         CIP 003, 007
------------------------------------------------------------------------
                 34--Corporate Level IT Governance           CIP 003
------------------------------------------------------------------------
35--Manage IT System Monitoring               CIP 005, 007, 008, 009
------------------------------------------------------------------------
36--US-Canada Risk Management Study  Government Study recommendation
------------------------------------------------------------------------
37--IT Forensics and Diagnostics               CIP 004, 009 Research
                                                      recommendation
------------------------------------------------------------------------
38--Assess Risk and Vulnerability                  CIP 002, 005, 007
------------------------------------------------------------------------
39--Wireless and Remote Intrusion    CIP 005, Research recommendation
------------------------------------------------------------------------
             40--Control Access                              CIP 006
------------------------------------------------------------------------
41--Guidance for Background Checks                           CIP 004
------------------------------------------------------------------------
42--Confirm Role of NERC ES-ISAC                             CIP 008
------------------------------------------------------------------------
  43--Establish Clear Authority                              CIP 003
------------------------------------------------------------------------
44--Prevent Information Disclosure                           CIP 003
------------------------------------------------------------------------

    Not all the recommendations in the report address topics that are 
relevant to NERC standards development. Recommendation R36 deals with 
an intergovernmental action (initiation of a U.S.-Canada risk 
management study), not a performance standard requirement appropriate 
for incorporation into a Reliability Standard. Recommendation R41 is 
addressed in CIP 004, although there are significant legal and 
jurisdictional issues contained in its implementation that would need 
to be resolved outside the standards development process. The subject 
matter of that recommendation, moreover, is addressed by an existing 
NERC security guideline (scheduled for update in 2008). Recommendation 
R42 (confirmation of NERC ES-ISAC as the central point for sharing 
security information and analysis) is addressed in CIP 008. The 
recommendation also has been addressed outside NERC's standards process 
through the use of an incident reporting guideline. The guideline 
approach is better suited for this issue due to the frequent change in 
reporting procedures and protocols.

    Question 5.: Do you agree with your NERC colleague Stan Johnson, 
who stated that this test ``is not a realistic representation of how 
the power system would operate''?
    Response: Yes. The test completed at Idaho National Lab (INL) and 
depicted in the video was a 30-second edited version of over three 
minutes of actual test. The generator in the test was a stand-alone 
diesel generator rated at 3.5 MW. While it is true that generators like 
the one in the test are connected to the grid in North America, they 
are not the backbone of the system and represent a very small portion 
of the total generating resources available. The true backbone of the 
system is large generators rated at 300 to 1,100 MW. These large 
generating units have more sophisticated protection systems that would 
most likely isolate the generators from the attack long before the 
effects (black smoke, repetitive shaking, parts falling off) shown in 
the video. The test at INL was conducted with the power system in an 
optimal configuration for an attacker to be successful. In the real 
power system, the power flows in a highly complex network make a 
successful attack much more difficult. The power flows on the network 
vary from day to day depending on what equipment is in-service or out-
of-service. The direction and magnitude of the flows would have to be 
understood and taken advantage of by the attacker. While the test at 
INL helped demonstrate the feasibility of a cyber attack resulting in 
physical damage, a more comprehensive test would be very difficult, if 
not impossible to conduct.
    Question 6.: Can NERC effectively conduct oversight over electric 
sector owners and operators, considering that NERC operates under dues 
received by these same companies?
    Response: Yes. NERC does not operate under a system of dues, which 
suggests an element of voluntariness in the payments. Rather, Section 
215 of the Federal Power Act, the regulations of the Federal Energy 
Regulatory Commission, and NERC's bylaws and rules were specifically 
written to preclude undue influence by electricity sector stakeholders. 
Within the United States, NERC is funded through assessments to load 
serving entities that are approved annually by FERC. Once approved, 
those assessments constitute a legally binding obligation to pay that 
is enforceable, ultimately, through federal law. FERC also approves 
NERC's budget each year, which specifies how funds raised by assessment 
will be used for NERC's various responsibilities, including 
enforcement. While electric sector owners and operators, along with all 
other electricity sector stakeholders, have the opportunity to express 
their views about NERC's annual budget and assessment, electricity 
sector stakeholders do not have decisional authority over NERC's budget 
or assessments. NERC's annual budget and assessments are approved, in 
the first instance, by NERC's independent board of trustees, and 
thereafter by FERC.

    Question 7.: In his testimony, Mr. Weiss recommends that NERC 
incorporate the NIST Framework into its CIP standards. My understanding 
is that the NIST Framework is still a work in progress that is still 
subject to further amendment, and that it is intended to serve as model 
guidelines for federal government agencies, not mandatory standards 
applicable to the private sector with enforcement and penalty 
provisions. If this is true, please comment on whether the NIST 
Framework is actually an appropriate model for electric industry CIP 
standards that are required under the Federal Power Act (as amended by 
the Energy Policy Act of 2005) to be mandatory and enforceable? Please 
also comment on other reasons why the NIST Framework may not be an 
appropriate model for the NERC standards, including the lack of a 
formal stakeholder process required by Sec. 215 of the Federal Power 
Act, enacted by Congress in 2005 to govern the development of the NERC 
CIP standards.
    Response: The NIST Framework \2\ consists of a number of documents, 
including Federal Information Processing Standards (FIPS) 199 and 200 
(standards) and NIST Special Publications (SP) 800-60, 800-53, 800-30, 
800-18, 800-53A, and 800-37 (guidance and recommendations). As with 
other NIST SP800 documents, NIST SP800-53, Recommended Security 
Controls for Federal Information Systems, is self-described as 
``guidance documents and recommendations'' \3\ to be used in support of 
federal agencies' compliance activities with the mandatory Federal 
Information Processing Standards (FIPS) that implement the Federal 
Information Security Management Act (FISMA) of 2002.
---------------------------------------------------------------------------
    \2\ See document references available from http://
www.csrc.nist.gov/groups/SMA/fisma/framework.html.
    \3\ NIST Special Publication 800-53 rev 1, page iv, available at 
http://www.csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-
final-clean-sz.pdf.
---------------------------------------------------------------------------
    The NIST guidance, as it exists in its approved format, was 
developed in support of FISMA for conventional IT security issues 
relating to conventional IT use of computers--the approved NIST 
guidance was not developed for industrial control systems. NIST is 
developing revised guidance for applicability to industrial control 
systems (ICS), but that has not been finalized. The revised guidance is 
in its `final' public draft, with comments on the draft due on December 
14, 2007. NIST plans on publishing the fully revised document within 
two weeks of the close of the comment period. As such, the revised ICS 
guidance does not yet formally exist, and therefore, could not today be 
included in any NERC CIP standards.
    One major issue with the application of the NIST standards and 
guidance to the private sector deals with the assessment of impact, 
based on a significantly broader scope than the specific focus of the 
NERC Standards on the reliable operation of the bulk power system. The 
NIST standards and guidance process requires that all computer-based 
processes be considered, even those that have no bearing on reliable 
operations (and which are outside the scope of Section 215 of the FPA), 
including administrative functions and market functions. While these 
may have bearing on the business processes of the effected entities, 
they cannot be made mandatory under the auspices of reliability 
standards within the scope of Section 215.
    Another issue with the application of the NIST standards and 
guidance is the level of technical detail included in the guidance, 
much of which does not directly relate to bulk power system 
reliability. The FIPS-199 concept of a ``high water mark'' for security 
classification requires, for example, that if any one component of a 
system requires a medium or high level of confidentiality, all 
components of that system must be implemented with a high 
confidentiality without regard to the resultant impact to operations, 
even if that result were detrimental to reliable operations. This will 
result in significantly more work required to achieve and maintain 
compliance with the standards, without any reliability-based benefit.
    While there is a formal approval process for NIST standards, which 
require the approval of the Secretary of Commerce, there does not 
appear to be any formal documented process for creating, revising or 
approving NIST guidance. Further, the NIST (FIPS) standards allow the 
inclusion by reference of other documents (e.g., SP800-53). These 
referenced documents do not have the same level of approval required as 
the formal text of the standards.
    In contrast, Section 215 of the FPA requires that ``reasonable 
notice and opportunity for public comment, due process, openness, and 
balance of interests in developing reliability standards'' be provided 
by the Electric Reliability Organization certified by FERC (i.e., NERC) 
in developing Reliability Standards. These requirements are 
incorporated in FERC's rules for certification of the ERO, and in the 
NERC rules of procedure as approved by FERC. The NERC process requires 
that ``[a]ll mandatory requirements of a reliability standard shall be 
within an element of the standard,'' \4\ thereby ensuring that all 
mandatory and enforceable standards follow the same rigorous review and 
approval process approved by FERC as consistent with the statutory 
requirements. The NERC process allows the development of guidance, but 
cannot make those documents binding as mandatory and enforceable 
standards.
---------------------------------------------------------------------------
    \4\ NERC Reliability Standards Development Procedure, Version 6.1, 
available at ftp://ftp.nerc.com/pub/sys/all_updl/oc/stp/
RSDP_V6_1_12Mar07.pdf.

    Question 8.: Concerns have been raised regarding the potential that 
one or more isolated cyber failures or attacks to electric distribution 
system assets could directly lead to more widespread failures or 
electric outages in the bulk power system. Please explain if the 
standard radial design of electric distribution systems makes such a 
scenario unlikely, and if it in fact enhances the ability of electric 
utilities to isolate the impact of such events.
    Response: The distribution system is primarily a point-to-point 
system, with lines emanating in a radial pattern, from the local 
substation to the consumer. When a distribution line is taken out of 
service by a falling tree in an ice storm, for example, electricity no 
longer flows on that spoke and the consumers' lights go out. However, 
the problem is limited and localized. That is the nature of the 
distribution system--it is local and affects a limited area.
    One or more isolated cyber attacks or failures on the distribution 
system will have a localized and limited effect. In addition, the 
isolation and protection requirements of the NERC CIP standards protect 
the bulk power system from intrusion reaching through the distribution 
system to bulk power system assets. For one or more isolated cyber 
failures or attacks to impact the bulk power system would require a 
very complex, coordinated, synchronized action. It would require a 
knowledgeable and determined attacker to exploit a vulnerability. While 
technically feasible, the likelihood is low of such a scenario 
successfully occurring.

    Question 9.: My understanding is that the current ISA security 
standards and technical reports that Mr. Weiss recommends for 
incorporation in the NERC CIP standards are intended to be used as 
guidance, not to establish expectations for auditable compliance, and 
there are no measures or levels of noncompliance currently associated 
with ISA99. Levels of noncompliance would need to be created and 
approved before the standards could be used as mandatory and 
enforceable. Do you think that such measures could be developed, if 
such measures are even possible, and how much time would it take to 
develop those measures?
    Response: Much like the status of the NIST guidance for industrial 
control systems, the ISA standards are still a work in progress. To 
date, only two ``technical reports'' which do not contain any 
requirements (i.e., they are ``informative'' and not ``normative'' in 
nature) have been approved. Because these approved documents do not 
contain any ``normative'' requirements, quantifiable measures cannot be 
developed for them. The ISA standards themselves are being developed in 
at least four parts (or volumes), and of the four publicly documented 
parts, one deals with establishing terminology, concepts and models, 
and two deal with the establishment and operations of a security 
program. Only the fourth part deals with ``Specific Security 
Requirements for Industrial Automation and Control Systems.''
    This fourth part has just been started, so it is impossible to 
determine how measures, levels of noncompliance, or violation risk 
factors (all of which are required elements of NERC standards, and are 
required for the compliance program activities) could be developed for 
any explicit requirements contained in that standard. It is unknown how 
long the process to develop those measures would require.

    Question 10.: Appendix F of the NIST 800-53 standards lists at 
least 25 instances where an exception to compliance for Industrial 
Control Systems (ICS) may be taken when ``the organization determines 
it is not feasible or advisable (e.g., adversely impacting performance, 
safety, reliability)''. FERC has indicated that exemptions under 
``technically feasible'' should be as limited as possible, yet it 
appears that incorporation of the NIST standards would allow for a very 
broad exemption under technical feasibility. Can you comment on this?
    Response: The NIST standards do not meet the Commission's 
expectations.

    Question 11.: What would be the result if the electric industry was 
forced to implement the NIST best practices for control systems based 
upon SP 800-53?
    Response: Any change now in cybersecurity requirements for the bulk 
power system would significantly retard progress toward more robust 
cybersecurity protections.
    A requirement to adopt NIST ``best practices'' now would result in 
a suspension of the current efforts to implement the proposed NERC 
cybersecurity standards pending a review of the NIST standards. The 
result of the review would require new implementation plans and 
additional time.
    The loss of industry compliance momentum and the delay in 
implementing mandatory bulk power system cybersecurity standards would 
be detrimental to the reliability of the bulk power system.

    Question 12.: Are owners and operators of distribution facilities 
included within the NERC membership? If so, regardless of the authority 
extended in the Energy Policy Act, doesn't it make sense that 
distribution facilities be included in reliability considerations?
    Response: Within the United States there are approximately 3,000 
entities that own or operate distribution facilities. Approximately 375 
of those entities are NERC members. NERC's authority to set and enforce 
reliability standards is not contingent on NERC membership, but extends 
to owners, operators and users of the bulk power system, whether or not 
they are a member of NERC. NERC can and does take account of the impact 
of distribution facilities on the reliability of the bulk power system. 
NERC can exercise jurisdiction over owners, operators, and users of the 
bulk power system.

    Question 13.: How does NERC ensure that its members are making 
efforts to mitigate the Aurora vulnerability that we know exists within 
control systems?
    Response: The Electricity Sector Information Sharing and Analysis 
Center (ES-ISAC) has been operated by NERC since it was formed in 2001. 
The ES-ISAC was created as a result of action by the U.S. Department of 
Energy in response to Presidential Decision Directive 63 issued in 
1998. The ES-ISAC is working with the electricity sector entities to 
mitigate the vulnerabilities in the system by providing information 
about the vulnerability, recommending mitigation measures, and 
following up to monitor successful completion.
    The ES-ISAC has worked closely with all segments and all levels in 
the industry to mitigate the vulnerabilities. Meetings have been held 
with representatives of all the major trade associations (EEI, APPA, 
NRECA), the CEOs of the largest companies, the Electricity Sector 
Coordinating Council, numerous operating level committees, and groups 
of technical experts.
    Because the steps needed to mitigate the Aurora vulnerability are 
not reflected in approved reliability standards, NERC has no authority 
to compel those actions. Not all subjects are the appropriate topic for 
standards. The standards development process is by design a public and 
transparent one, and matters such as the Aurora vulnerability do not 
lend themselves to that public process. However, NERC believes the 
industry is demonstrating excellent judgment and cooperation in 
completing the implementation of the mitigation measures.

    Question 14.: In your testimony you mention that NERC as the 
Electric Reliability Organization (ERO) was not given authority over 
facilities used for distribution of electric power. Who has authority 
to enforce regulations over such facilities?
    Response: NERC as the electric reliability organization only has 
enforcement authority over the bulk power system. The definition of 
``bulk power system'' in Section 215(a)(1) of the Federal Power Act 
expressly excludes facilities used for local distribution. Authority 
over facilities used for local distribution is generally reserved to 
the states, and the scope of that authority varies from state to state. 
State public utility commissions exercise such authority to the extent 
the utilities are within their jurisdiction. In a number of states, 
municipal utilities are not within the jurisdiction of state 
commissions.

    Question 15.: NERC has proposed its own set of cybersecurity 
standards--will these standards make a difference, i.e. will they make 
us safer than we are today without these standards? Will there be more 
to do after these standards are accepted by FERC in their current form?
    Response: The answer to both these questions is ``yes.'' These 
standards represent a first step in a process of continually increasing 
the cybersecurity of the electricity industry. While some companies 
already meet or exceed the requirements of these standards, the vast 
majority of the industry is working very hard right now to meet both 
the letter and intent of the standards as they are written (and 
expected to be approved by FERC). Essentially every company has had to 
do some work in order to meet either the technical requirements, or 
provide sufficient documentation to prove during an audit that they 
have met the requirements. Many companies are analyzing their systems, 
and implementing policy-based and technical controls to significantly 
increase the cyber security posture, especially at their substations 
and power plants.
    Since these standards represent a first step, there will be 
additional steps. Making the modifications proposed by FERC in the 
pending NOPR to approve the NERC Reliability Standards will be among 
the additional steps to be taken in this area. As the industry gains 
experience and confidence in implementing cybersecurity protections, 
and as the vendors of control systems begin to implement increased 
cybersecurity protections into their systems, the cybersecurity posture 
of the industry will increase, and additional standards can be written 
to ensure that all industry participants are continuing to ``raise the 
bar'' in their cybersecurity protections. NERC's rules, and a condition 
of accreditation by the American National Standards Institute, require 
that each standard be reviewed at least every five years. NERC 
anticipates completing the review and upgrade of all standards over a 
three-year period. The cybersecurity standards are scheduled for review 
in 2009 to asses them based on lessons learned to that point. NERC's 
standards development procedure provides a systematic approach to 
improving to the standards and documenting the basis for those 
improvements, and should serve as the mechanism for achieving those 
improvements.
    The future revisions to the NERC cyber security standards will take 
place after the NIST guidance on security to Industrial Control Systems 
has been finalized, and it is likely that some of the recommendations 
in that guidance will be included in revised Reliability Standards. 
These recommendations will be analyzed and included (or not) based on 
their impact on the reliable operation of the bulk power system.

    Question 16.: You mentioned in your testimony that the CIP 
standards were developed in a rigorous process. How does NERC plan on 
operating if and when it must develop security standards much quicker 
than the rigorous standard process allows? Are there any contingency 
plans in place for when immediate action is necessary?
    Response: NERC operates according to its Rules of Procedure that 
have been approved by the Federal Energy Regulatory Commission. Section 
300 of the Rules of Procedure discusses the reliability standards 
development processes. Rule 308 acknowledges that the current 
Reliability Standards Development Procedure (Version 6.1) includes a 
provision for approval of urgent action standards that can be completed 
within 60 days and emergency actions that may be further expedited. 
Further, Rule 309.3, Directives to Develop Standards Under 
Extraordinary Circumstances, stipulates the urgent approval action 
procedure may be utilized if necessary to meet a timetable for action 
required by governmental authorities or circumstances, respecting to 
the extent possible the provisions in the standards development process 
for reasonable notice and opportunity for public comment, due process, 
openness, and a balance of interests in developing reliability 
standards. After making a written finding that an extraordinary and 
immediate threat exists to bulk power system reliability or national 
security, the NERC independent Board of Trustees has discretion to 
substantially reduce the public notice and balloting periods, thus 
expediting the development timeframe.
    When standards are implemented using the urgent action or emergency 
process, one of the following three actions must occur:
        --If the urgent or emergency action standard is to be made 
        permanent without substantive changes, then the standard must 
        proceed through the regular standards development process 
        within one year of the urgent or emergency action approval.
        --If the urgent or emergency action standard is to be 
        substantively revised or replaced by a new standard, then a 
        request for the new or revised standard must be initiated as 
        soon as practical after the urgent or emergency action ballot, 
        and the standard must proceed through the regular standards 
        development process as soon as practical within two years of 
        the urgent or emergency action approval.
        --The urgent or emergency action standard may be withdrawn 
        through the regular standards development process within two 
        years.
    To address immediate threats, NERC can issue an ``Essential 
Action'' alert as proposed and currently pending before FERC in Rule 
808.10 of NERC's Rules of Procedure. An ``Essential Action'' alert 
identifies specific actions that NERC has determined are essential for 
certain segments of owners, operators, or users of the bulk power 
system to take to ensure the reliability of the bulk power system. Such 
alerts require NERC Board approval before issuance. These alerts are 
not mandatory, and NERC has no enforcement authority regarding these 
alerts, but NERC believes they can be a very useful tool in 
communicating to industry participants actions that are needed on an 
immediate basis to protect bulk system reliability.

                               Amendment

    Question 1. What were the results of the August 2007 NERC survey 
sent to owners and operators regarding the status of the sector's 
implementation of the Aurora mitigation efforts? Please provide the 
Committee with a copy of the survey and a narrative of the results.
    Response: The written follow-up survey was distributed on October 
19, 2007. Survey responses were received from 133 entities. The 
respondents included generating plant owners, generating plant 
operators, transmission owners, transmission operators, and load-
serving entities. the respondents ranged from very large, multistate 
investor-owned utilities to small municipal utilities. Responses were 
received from all eight reliability regions.
    The results of the survey indicate 94% of the mitigation measures 
recommended in the June 21 ES-ISAC advisory are completed or are in 
progress. This 94% consists of 60% completed and 34% in progress. The 
remaining 6% are not being performed for a variety of reasons (not 
applicable due to nature of equipment, being done by another entity, 
could compromise reliability rather than help reliability).
    The respondents indicated they are taking a prioritized approach to 
the mitigation measures in applying them to their facilities. All 
respondents with nuclear facilities indicated they have completed the 
mitigation measures associated with those facilities and are working on 
other, smaller facilities on a prioritized basis.
    Note: ES-ISAC, ELECTRICITY SECTOR, INFORMATION SHARING AND ANALYSIS 
CENTER, OPERATED BY NERC, ``ESISAC Advisory Follow-up Survey'', October 
19, 2007, see committee file.

   Questions from the Honorable Paul Broun, Jr., a Representative in 
                   Congress from the State of Georgia

                 Responses Submitted by Greg Wilshusen

Responses from David A. Powner
Director, Information Technology Management Issues

    Questions: In your review of the various programs in the federal 
government and the private sector to secure control systems, (1) do you 
identify any clear gaps in efforts? (2) As well are there any clearly 
duplicative programs working in parallel? (3) Are there initiatives 
that don't exist that should?
    Responses: (1) We have identified gaps in programs in the federal 
government and private sector to secure control systems. As we reported 
in September 2007,\1\ The National Strategy to Secure Cyberspace \2\ 
directs the Department of Homeland Security, in coordination with the 
Department of Energy and other agencies, to work in partnership with 
private industry in increasing awareness of the importance of efforts 
to secure control systems, developing standards, and improving policies 
with respect to control systems security. However, we reported that the 
federal government does not yet have an overall strategy for guiding 
and coordinating control systems security efforts across the multiple 
agencies and sectors. In addition, more can be done to coordinate 
related control system activities within and across sectors and across 
the government. For example, while the Department of Energy has led the 
development of an industry road map to secure control systems for the 
energy sector, we have not seen evidence that other sectors, such as 
transportation, have developed such road maps. Another gap we reported 
is that the Department of Homeland Security lacks a rapid, efficient 
process for disseminating sensitive information to private industry 
owners and operators of critical infrastructures.
---------------------------------------------------------------------------
    \1\ GAO, Critical Infrastructure Protection: Multiple Efforts to 
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, D.C.: Sept. 10, 2007)..
    \2\ The White House, The National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003).
---------------------------------------------------------------------------
    (2) We reported that overlapping and possibly duplicative control 
systems security activities may exist. For example, there are multiple 
efforts underway to develop standards for control systems security. 
These include industry specific standards, such as the North American 
Electric Reliability Corporation standards and the American Gas 
Association standards, as well as more general standards, such as the 
ISA (formerly the Instrumentation, Systems, and Automation Society) 
standards and, within the federal government, the National Institute of 
Standards and Technology standards. Each has different levels of 
specificity, and the opportunity exists to better coordinate and 
harmonize these standards.
    (3) With respect to your question on initiatives, actions could be 
taken to reduce or eliminate gaps and duplicative activities discussed 
above. For example, we previously recommended that the Department of 
Homeland Security develop a governmentwide strategy for securing 
control systems. As it moves forward with this effort, it should take 
the opportunity to identify and coordinate the activities described 
above and other control systems activities. In addition, industry 
experts spoke of the beneficial value of the activities of the national 
laboratories in working with control systems vendors and operators and 
the benefit of possibly expanding such activities.
-----
    In responding to these questions, we relied on previous audit work 
we preformed in developing our report on critical infrastructure 
control systems, as well as ongoing work examining security of control 
systems.

                                 
