b"<html>\n<title> - SECURING THE MODERN ELECTRIC GRID FROM PHYSICAL AND CYBER ATTACKS</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n   SECURING THE MODERN ELECTRIC GRID FROM PHYSICAL AND CYBER ATTACKS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                        SUBCOMMITTEE ON EMERGING\n                        THREATS, CYBERSECURITY,\n                       AND SCIENCE AND TECHNOLOGY\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 21, 2009\n\n                               __________\n\n                           Serial No. 111-30\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n                               __________\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n53-425 PDF                WASHINGTON : 2009\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nLoretta Sanchez, California          Peter T. 
King, New York\nJane Harman, California              Lamar Smith, Texas\nPeter A. DeFazio, Oregon             Mark E. Souder, Indiana\nEleanor Holmes Norton, District of   Daniel E. Lungren, California\n    Columbia                         Mike Rogers, Alabama\nZoe Lofgren, California              Michael T. McCaul, Texas\nSheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania\nHenry Cuellar, Texas                 Gus M. Bilirakis, Florida\nChristopher P. Carney, Pennsylvania  Paul C. Broun, Georgia\nYvette D. Clarke, New York           Candice S. Miller, Michigan\nLaura Richardson, California         Pete Olson, Texas\nAnn Kirkpatrick, Arizona             Anh ``Joseph'' Cao, Louisiana\nBen Ray Lujan, New Mexico            Steve Austria, Ohio\nBill Pascrell, Jr., New Jersey\nEmanuel Cleaver, Missouri\nAl Green, Texas\nJames A. Himes, Connecticut\nMary Jo Kilroy, Ohio\nEric J.J. Massa, New York\nDina Titus, Nevada\nVacancy\n                    I. Lanier Avant, Staff Director\n                     Rosaline Cohen, Chief Counsel\n                     Michael Twinchek, Chief Clerk\n                Robert O'Connor, Minority Staff Director\n                                 ------                                \n\n   SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND \n                               TECHNOLOGY\n\n                 Yvette D. Clarke, New York, Chairwoman\nLoretta Sanchez, California          Daniel E. Lungren, California\nLaura Richardson, California         Paul C. Broun, Georgia\nBen Ray Lujan, New Mexico            Steve Austria, Ohio\nMary Jo Kilroy, Ohio                 Peter T. King, New York (Ex \nBennie G. Thompson, Mississippi (Ex      Officio)\n    Officio)\n                      Jacob Olcott, Staff Director\n       Dr. 
Chris Beck, Senior Advisor for Science and Technology\n                         Daniel Wilkins, Clerk\n               Coley O'Brien, Minority Subcommittee Lead\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Chairwoman, Subcommittee on Emerging \n  Threats, Cybersecurity, and Science and Technology\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Ranking Member, Subcommittee \n  on Emerging Threats, Cybersecurity, and Science and Technology\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security\n\n                               WITNESSES\n                                Panel I\n\nDr. William R. Graham, Chairman, Commission to Assess the Threat \n  to the United States From Electromagnetic Pulse:\n  Oral Statement\n  Prepared Statement\nMr. Mark Fabro, President and Chief Security Scientist, Lofty \n  Perch:\n  Oral Statement\n  Prepared Statement\nMr. Michael J. Assante, Chief Security Officer, North American \n  Electric Reliability Corporation:\n  Oral Statement\n  Prepared Statement\nMr. Steven T. Naumann, Vice President, Wholesale Markets, Exelon \n  Corporation; Representing Edison Electric Institute and \n  Electric Power Supply Association:\n  Oral Statement\n  Prepared Statement\n\n                                Panel II\n\nMr. Joseph H. McClelland, Director of Reliability, Federal Energy \n  Regulatory Commission:\n  Oral Statement\n  Prepared Statement\nMs. Patricia A. Hoffman, Acting Assistant Secretary, Office of \n  Electricity Delivery and Energy Reliability, Department of \n  Energy:\n  Oral Statement\n  Prepared Statement\nMr. Sean P. McGurk, Director, Control Systems Security Program, \n  National Cybersecurity Division, Office of Cybersecurity and \n  Communications, National Protection and Programs Directorate, \n  Department of Homeland Security:\n  Oral Statement\n  Prepared Statement\nMs. Cita M. Furlani, Director, Information Technology Laboratory, \n  National Institute of Standards and Technology:\n  Oral Statement\n  Prepared Statement\n\n                               Appendix I\n\nSubmitted for the Record by Chairwoman Yvette D. Clarke:\n  Letter From Michael J. Assante, Chief Security Officer, North \n    American Electric Reliability Corporation\n  Statement of the National Association of Regulatory Utility \n    Commissioners\n  Statement of William Radasky and John Kappenman\n  Statement of Emprimus LLC\n  Statement of the EMP Commission\n  Statement of Applied Control Solutions, LLC\n  Statement of Advanced Fusion Systems, LLC\n  Statement of the Canadian Electricity Association\n  Statement of Industrial Defender, Inc.\n  Statement of Southern California Edison\n\n                              Appendix II\n\nQuestions Submitted by Chairwoman Yvette D. Clarke\n\n \n   SECURING THE MODERN ELECTRIC GRID FROM PHYSICAL AND CYBER ATTACKS\n\n                              ----------                              \n\n\n                         Tuesday, July 21, 2009\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n      Subcommittee on Emerging Threats, Cybersecurity, and \n                                    Science and Technology,\n                                                    Washington, DC.\n    The committee met, pursuant to call, at 2:13 p.m., in Room \n311, Cannon House Office Building, Hon. Yvette D. Clarke \n[Chairwoman of the subcommittee] presiding.\n    Present: Representatives Clarke, Thompson, Richardson, \nLujan, Lungren, and Austria.\n    Also present: Representatives Harman, Lofgren, Langevin, \nJackson Lee, Pascrell, and Bartlett.\n    Ms. Clarke [presiding]. The subcommittee will come to \norder.\n    The subcommittee is meeting today to receive testimony on \nsecuring the modern electric grid from physical and cyber \nattacks. 
We have been joined here today by many of my \ndistinguished colleagues, who don't sit on this subcommittee, \nbut who are an integral part of the deliberations that we do, \nand I would like to acknowledge them and ask that they be given \nunanimous consent to sit and participate in our hearing today.\n    Hearing no objection, so ordered.\n    I want to recognize some of our colleagues from other \ncommittees who are participating in today's hearing, including \nMr. Bartlett. We would not have a robust road map for \naddressing the EMP threat if it were not for his vision and \nleadership and I thank him for that.\n    I also have my colleagues who serve on the full committee, \nZoe Lofgren, of California, Congresswoman Jackson Lee of Texas, \nand Mr. Bill Pascrell of New Jersey. I thank you for attending \nthis very important hearing.\n    We expect to be joined by many other Members, and I would \nlike to just acknowledge them in absentia for right now; Mr. \nLangevin, who is my predecessor as Chair of this committee. I \nwould like to congratulate him on his new Chairmanship and \nthank him for his leadership on the electric grid security \nissue.\n    I would also be expecting a colleague on the Subcommittee \nfor Intelligence to the Homeland Security Committee, Ms. \nHarman, and thank her for her attendance today.\n    Unfortunately, a number of my colleagues and our friends \nfrom the Energy and Commerce Committee are unable to attend and \nparticipate in today's session due to their work on the health \ncare legislation. We have reached out to Mr. Waxman, Mr. \nMarkey, and Mr. Barrow to ask them to act with urgency on the \nsubject matter we will discuss today.\n    Our national health care delivery system, just like all of \nour critical infrastructure systems, requires a secure and \nreliable electric system. 
That is what this committee has been \ninvestigating for years, and what we will discuss today.\n    The electric grid is fundamental to our lives and our \ncountry's existence. Without electricity, medicines expire, \nbanks shut down, food goes bad, sewage and water plants don't \nfunction. Chaos ensues and our security is compromised.\n    We simply cannot afford to lose broad sections of our grid \nfor days, weeks, or months.\n    It is our very reliance on this infrastructure that makes \nit an obvious target for attack. We know that many of our \nadversaries, from terrorist groups to nation-states, have and \ncontinue to develop capabilities that would allow them to \nattack and destroy our grid, at a time of their choosing.\n    There are two significant threats that will be discussed at \ntoday's hearing. One is the threat of a cyber attack.\n    Many nation-states, like Russia, China, North Korea, and \nIran, have offensive cyber attack capabilities, while terrorist \ngroups like Hezbollah and al Qaeda continue to work to develop \ncapabilities to attack and destroy critical infrastructure, \nlike the electric grid, through cyber means.\n    If you believe intelligence sources, our grid is already \ncompromised. An April 2009 article in the Wall Street Journal \ncited intelligence forces who claim that ``the grid has already \nbeen penetrated by cyber intruders from Russia and China, who \nare positioned to activate malicious code that could destroy \nportions of the grid at their command.''\n    The other significant threat to the grid is the threat of a \nphysical event; that could come in the form of a natural or \nman-made electromagnetic pulse, known as EMP. The potentially \ndevastating effects of an EMP to the grid are well documented.\n    During the Cold War, the U.S. Government simulated the \neffects of EMP on our infrastructure because of the threat of \nnuclear weapons, which emit an EMP after detonation. 
Though we \nmay no longer fear a nuclear attack from Soviet Russia, rogue \nadversaries including North Korea, and Iran, possess and test \nhigh-altitude missiles that could potentially cause a \ncatastrophic pulse across the grid.\n    These are but two of the significant emerging threats we \nface in the 21st Century. Our adversaries openly discuss using \nthese capabilities against the United States.\n    According to its cyber warfare doctrine, China's military \nstrategy is designed to achieve global electronic dominance by \n2050, to include the capability to disrupt financial markets, \nmilitary and civilian communications capabilities, and the \nelectric grid prior to the initiation of a traditional military \noperation.\n    Cyber and physical attacks against the grid could both be \ncatastrophic and incredibly destructive events. They are not \ninevitable.\n    Protections can, and must, be in place ahead of time to \nmitigate the impact of these attacks. My colleague on the \nHomeland Security Committee, and I, have spent nearly 3 years \nidentifying and reviewing the security protections that are in \nplace to mitigate the effects of any intentional or \nunintentional attack on the electric system.\n    Our goal is to determine whether appropriate protections \nare in place that would mitigate catastrophic incidents on the \ngrid. Our review has required extensive discussions and \nassessment with the private sector, which owns, operates and \nsecures the grid.\n    The private sector develops its own security standards, the \nprivate sector also oversees compliance with these standards. \nIn short, the private sector has the responsibility for \nsecuring the grid from electromagnetic events and cyber \nattacks.\n    In the course of our review, we have questioned hundreds of \nexperts, and reviewed thousands of pages of research and \nanalysis. Many have submitted statements for the record today. \nThey have all reached one conclusion. 
The electric industry has \nfailed to appropriately protect against the threats we face, in \nthe 21st century.\n    In the past, this committee has been deeply critical of the \nstandards that the industry has written. They are, in the words \nof GAO and NIST and other independent analysts, inadequate for \nprotecting critical national infrastructure.\n    The committee has suggested that the industry adopt NIST \nstandards for control systems, if it hopes to achieve greater \nsecurity. My understanding is that the industry has not \nembraced this suggestion.\n    The committee has also been critical of the industry's \neffort to timely mitigate the Aurora vulnerability. What should \nhave been an urgent action issue has taken some utilities years \nto fix. Many have not even hardened their assets at all.\n    This is especially troubling given the catastrophic damage \nthat could be caused by an Aurora-style attack. Today, there is \na new problem.\n    Many in the industry are apparently trying to avoid \ncompliance with their own inadequate standards. I am deeply \nconcerned about this irresponsible behavior.\n    A letter dated April 7, 2009, which is attached for the \nrecord, sent to the industry by the NERC chief security \nofficer, Mike Assante, suggests that industry is choosing not \nto identify critical assets in order to avoid securing them.*\n---------------------------------------------------------------------------\n    * The information referred to is included in Appendix I.\n---------------------------------------------------------------------------\n    According to Mr. Assante, only 29 percent of generation \nowners and generation operators reported identifying at least \none critical asset. Sixty-three percent of transmission owners \nidentified at least one critical asset.\n    This effort seems to epitomize the head-in-the-sand \nmentality that seems to permeate broad sections of the electric \nindustry. 
The committee will be following up with NERC to learn \nwhich utilities have not appropriately identified assets, and \nseek to make this information public.\n    It is amazing that many within the industry would rather \ngamble with our national and economic security, than implement \nprecautionary security measures. What is even more amazing is \nthat utilities have chosen to take this posture, even though \nthey can be reimbursed for these security expenditures in their \nrate cases.\n    I am at a loss as to why the industry isn't apparently \nsecuring its assets. But clearly, the time has come for change.\n    I am pleased to join Chairman Thompson and Ranking Member \nKing and my other colleagues in co-sponsoring H.R. 2195. Given \nthe industry's lackluster approach toward securing its own \nassets, I believe this measure will provide the Federal Energy \nRegulatory Commission with the appropriate authorities to \nensure that our grid is secure and resilient against the \nthreats we face in the 21st Century.\n    This subcommittee will continue to perform rigorous \noversight until we are satisfied that progress is being made.\n    I now recognize my colleague, the gentleman from \nCalifornia, Ranking Member, Mr. Lungren, for his opening \nstatement.\n    Mr. Lungren. Thank you very much, Madame Chairwoman, I \ncommend you for holding this hearing on the security of our \nNation's electric grid.\n    As you know, I share your concern about the continuing \nvulnerability of our electric grid, which many consider the \nmost critical piece of our Nation's infrastructure.\n    As everyone knows, without electricity our banking, \ncommerce, transportation, health and medical services would be \nunavailable or severely limited. Indeed, our economy and the \npublic welfare have become severely dependent on electricity. 
\nConsequently, securing this grid is a critical national \neconomic priority that Congress must, and I am sure we will, \naddress with urgency.\n    In recent decades, the push towards making our society more \nreliant on electric power has also made us more vulnerable. \nBecause of expanding digital and computerized connections, our \nelectric grid is now, more than ever, vulnerable to cyber and \nphysical attacks. These attacks could disable wide segments of \nthe grid for weeks, months, possibly years.\n    The effective functioning of the electric grid is highly \ndependent on today's control systems, which are computer-based, \nand used to monitor and control sensitive processes and \nphysical functions.\n    You know, once largely proprietary, closed systems, control \nsystems are now increasingly connected to open networks such as \ncorporate intranets and the internet. The expansion of control \nsystems, including supervisory control and data acquisition, \nSCADA systems, and the ability to monitor them via the \ninternet, has increased the vulnerability of our Nation's \ncritical infrastructure to cyber attack.\n    As was mentioned, U.S. adversaries, whether they are \nnation-states or rogue nations, can strike crippling blows to \nour Nation's infrastructure from remote locations around the \nworld.\n    I think these nation-states that have the offensive cyber \nattack capabilities understand that it is far cheaper, and \noftentimes unattributable, to attack and destroy U.S. critical \ninfrastructure through cyberspace rather than risk any type of \nconventional warfare.\n    The other significant threat to our grid, is as mentioned \nby the Chair, that of EMP. 
My colleague from Maryland, who has \ndone as much work on this as anybody as I know in the House, \nand it is a concept that, unfortunately, I am afraid most \nMembers are not fully aware of.\n    It is because of rogue nations, and their ability now to \ncommand certain missile delivery systems, it seems to me that \nthis is a far more urgent matter than it was just a number of \nyears ago.\n    While we understood the importance of this vulnerability \nduring the Cold War, I am not sure we have visited this subject \nwith the intensity and the urgency that is necessary. So I do \nappreciate what we are doing in this hearing.\n    Because of these increased cyber and EMP threats to our \nelectric grid and the Federal Energy Regulatory Commission's \nlack of authority to address them in an expeditious manner, I \njoin Chairwoman Clarke and the Chair of the full committee and \nthe Ranking Member of the full committee in co-sponsoring H.R. \n2195.\n    I believe our legislation will provide FERC with emergency \nauthority to create mandatory physical and cybersecurity \nstandards to protect the electric power system.\n    I would just like to say, we are all in this together, \nwhether we are in the private sector or the public sector. We \nhave got a lot of catching up to do.\n    I would hope that we would try and strive for solutions. \nNot necessarily be overly critical of all the participants in \nthis. It is just my reflection that we have, in some ways, come \nto this late, both as a Congress, as an Executive branch, as \nthe private sector as well. We need to work together as quickly \nas we can to protect this system.\n    It is a lifeline to so much of our economic life, and \nactually, life period, in this country. The vulnerabilities \nhave to be recognized up front. We can't be embarrassed about \nthem. We have to work with one another to try and solve this \nvery urgent problem.\n    That is why I am very pleased that we have this hearing \ntoday. 
I think we have a good line-up of witnesses that can \ngive us various perspectives and help us move in the direction \nthat I hope we can move in on a bipartisan basis with some \nurgency.\n    So, I thank the Chairwoman.\n    Ms. Clarke. I thank you.\n    I now recognize prime sponsor of H.R. 2195, Chairman of the \nfull committee, the gentleman from Mississippi, Mr. Thompson.\n    Mr. Thompson. Thank you very much, Chairwoman Clarke. Thank \nyou for holding this critical hearing today.\n    Like you, I am determined to prevent any attack on the \nUnited States homeland. A multitude of failures contributed to \nour inability to prevent the attacks on New York City, and \nWashington, DC on September 11.\n    Mindful of our previous mistakes, let's review the set of \nfacts before us in today's testimony.\n    We have significant vulnerabilities in the grid's \nelectrical infrastructure. The infrastructure is only getting \nmore vulnerable with Smart Grid technology. There is a massive \ncomputer espionage campaign being launched against the United \nStates by our adversaries.\n    Intelligence suggests that countries seek, or have \ndeveloped, weapons capable of destroying our grid. A \ncongressional commission says that our grid, and the critical \ninfrastructure that relies on the grid, is not adequately \nprotected.\n    Our military installations are vulnerable because they rely \non an insecure electric grid. The private sector is in charge \nof writing its own security standards, but experts have judged \nthe standards to be ineffective in securing the infrastructure. \nMany utilities are avoiding compliance with these standards.\n    I ask my colleagues here today, and those who could not \njoin us, what more do we need to hear from, before we act? We \nare more motivated, than we need to. The warning signs are \nflashing red.\n    Now is the time to act to secure the electric grid, not \nafter a major incident has occurred. 
This committee has a \nbipartisan, bicameral legislative solution to secure the \nelectric grid. Our bill is comprehensive in its scope, because \nthe grid is only as strong as its weakest link.\n    We believe that all elements of the grid, from generation \nto transmission, to distribution, to metering infrastructure, \nshould be included. Our bill covers physical attacks like \nelectromagnetic pulse, as well as cyber attacks. The Critical \nElectric Infrastructure Protection Act will do four things to \nimprove our defensive posture.\n    No. 1, it requires FERC to establish interim measures \ndeemed necessary to protect against physical and cyber threats \nto critical electronic electric infrastructure. This will \nimprove existing mandatory standards.\n    No. 2, it provides FERC with the authorities necessary to \nissue emergency orders to owners and operators of electric grid \nafter receiving a finding from DHS about a credible or imminent \ncyber attack.\n    No. 3, it requires DHS to perform on-going cybersecurity, \nvulnerability and threat assessment, to critical electric \ninfrastructure and provide mitigation recommendations to \neliminate those vulnerabilities and threats.\n    No. 4, it also requires DHS to conduct an investigation to \ndetermine if the security of Federally-owned, critical, \nelectric infrastructure has been compromised by outsiders. I am \nproud of this bill. I know my colleagues are proud also. We \nhave support of both Republican and Democratic co-sponsors.\n    Madame Chairwoman, I look forward to the testimony of our \ntwo panel witnesses today, and I yield back.\n    Ms. Clarke. Thank you. I now recognize Mr. Bartlett, who is \nwidely acknowledged here on the Hill as one who has been a \nvisionary and a leader in providing a robust roadmap for \naddressing the threat of EMP, and I would like to acknowledge \nhim and have him make his comments at this time.\n    Mr. Bartlett. 
Thank you very much for inviting me to sit \nwith you today. I am very pleased that there is now increasing \nrecognition of the vulnerability of our grid and our country, \nto EMP. I have been concerned about this a number of years. Dr. \nGraham is here, who has chaired the commission that my \nlegislation set up in 2001, and this is probably one of the \nlongest-serving commissions on the Hill. I hope that it will be \nserving for a while yet, because the job is not done.\n    If an EMP attack were vigorous enough, and you know, this \nis kind of tough, because it is said that if it is too good to \nbe true, it is probably not true, and in this case, if it is \ntoo bad to be true, it is probably not true. But in this case, \nI am sorry to say, it could be true.\n    If the EMP lay down were vigorous enough, you could find \nyourself in a world that, essentially the only person you could \ntalk to is the person next to you, unless you were a ham \noperator with a vacuum tube set, which is a million times less \nsusceptible. The only way you could go anywhere, is to walk, \nunless you were the proud owner of an Edsel or similar vintage \nautomobile with coil and distributor.\n    Of course, if you do not have electricity, you do not have \nanything in our world. Our very vulnerability invites attack, \nand it doesn't have to be a nation-state. Anybody who can get a \ntramp steamer, buy a SCUD launcher for $100,000, with a crude \nnuclear weapon, could do an EMP lay down. Not country-wide, but \ncertainly over New England. By the way, if you missed your \ntarget by 100 miles, it is as good as a bull's-eye.\n    So this would obviously be the most asymmetric attack that \ncould be launched against us. My wife says I shouldn't talk \nabout this, because I am giving these people ideas, you know. \nBut it is in all of their literature. It is in all of their war \ngames. 
Not one out of 50 Americans may know about EMP, but I \nwill assure you that 100 percent of our potential enemies know \nall about EMP.\n    So thank you very much for your vision in holding this \nhearing, and thank you for inviting me to be with you.\n    Ms. Clarke. Other Members of the subcommittee are reminded \nthat under committee rules, opening statements may be submitted \nfor the record.\n    I welcome our first panel of witnesses today. We are joined \nby a distinguished panel of private sector witnesses. Dr. \nWilliam Graham is the chairman of the Commission to Assess the \nThreat to the United States from Electromagnetic Pulse, also \nknown as the EMP Commission.\n    Mr. Fabro is the president and chief security scientist of \nLofty Perch. Mr. Michael Assante, is the chief security officer \nof the North American Electric Reliability Corporation, also \nknown as NERC, and Mr. Steve Naumann, is the vice president of \nwholesale markets at Exelon Corporation. Mr. Naumann is \nproviding testimony on behalf of the Electric Industry \nAssociation, Edison Electric Institute, and the Electric Power \nSuppliers Association.\n    Just to give you an idea of the importance of this topic, \nwe received a number of statements for the record. I have made \nthese statements available to the Members ahead of time, but \nask unanimous consent that the following statements be included \ninto the record. The National Association of Regulatory Utility \nCommissioners; Dr. Bill Radasky, President of Metatech, and \nJohn Kappenman, Metatech consultant. George Anderson and Gail \nNordling of Emprimus. Mike Frankel, executive director of the \nEMP Commission, Joe Weiss, Applied Control Solutions, and \nCurtis Birnbach, president of Advanced Fusion Systems.\n    Hearing no objections, it is so ordered.\n    In the interest of time, I will ask that each of you \nprovide a brief biography of your work without objection. 
The \nwitnesses' full statement will be inserted in the record. I now \nask you to introduce yourselves, and summarize your testimony \nfor 5 minutes, beginning with Dr. Graham.\n\nSTATEMENT OF WILLIAM R. GRAHAM, CHAIRMAN, COMMISSION TO ASSESS \n   THE THREAT TO THE UNITED STATES FROM ELECTROMAGNETIC PULSE\n\n    Mr. Graham. Thank you, Madame Chairwoman, distinguished \nMembers of the committee, for the opportunity to testify today \non the matter of the nuclear magnetic pulse threat to the \nUnited States, to our forces, our allies and our friends \nworldwide.\n    By way of background, I am an electrical engineer and a \nphysicist, who first served as a junior officer in the Air \nForce in 1962, and encountered the EMP problem as a great \nsurprise to all of us, as a result of the high altitude test \nseries that the United States conducted over the Pacific, \nprimarily Johnston Island, at that time.\n    I continued to work on the problem throughout my career, \nnow some 45 years, including as, among other things, the \ndirector of the Office of Science and Technology Policy in the \nExecutive Office of the President and the science advisor to \nPresident Reagan during his second term.\n    Several potential adversaries have or can acquire the \ncapability to attack the United States with high-altitude \nnuclear weapon-generated electromagnetic pulse. In fact, a \ndetermined adversary can achieve an EMP attack capability \nwithout having a high level of technical sophistication. EMP is \none of a small number of threats that can hold our society at \nrisk of catastrophic consequences.\n    EMP will cover a wide geographic region within line-of-\nsight of a nuclear weapon explosion. It has the capability to \nproduce significant damage to critical infrastructures, and \nthus the very fabric of U.S. society, as well as the ability of \nthe United States and western nations to project influence and \nmilitary power. 
The common element that can produce such an \nimpact from EMP is primarily electronics, so pervasive in all \naspects of our society and military, coupled with critical \ninfrastructures.\n    An example of this, and the increase in potential \nvulnerability, can be seen in the Smart Grid, where \nconsiderable interest and effort is being made in adding \nelectronics to our electric distribution grid for efficiency, \neffectiveness, and safety. But it can undermine that grid if it \nis not designed properly. This EMP impact is asymmetric in \nrelation to our potential adversaries who are not so dependent \non modern electronics.\n    The current vulnerability of our critical infrastructure \ncan both invite and reward attack, if not corrected. Correction \nis feasible and well within the Nation's means and resources to \naccomplish. In fact, with proper design of protection for both \nphysical and cyber attacks, which should be integrated in our \nelectrical distribution and other critical infrastructure \nsystems, I believe we can actually work to a net economic \nbenefit, because of the improved reliability and performance \nthat we will achieve with these critical infrastructures.\n    However, there is an implicit invitation in the fact that \nthe United States is vulnerable in this area, to adversaries. \nWe know that geomagnetic storms will occur and they will damage \nelectric power distribution systems. The question is not if, \nbut when?\n    Concerning EMP, the logic of the position is upside-down, \nin often-made statements about it being improbable. 
By ignoring \nlarge-scale catastrophic EMP vulnerabilities, we invite such \nattacks on our infrastructure by adversaries who seek to attack \nus where we are weak, not where we are strong, and to take \nadvantage of that vulnerability.\n    We have prepared two unclassified reports, one on critical \nnational infrastructures, and an executive oversight report by \nthe commission, and I submit those to you as well, Madame \nChairwoman.\n    I would like to say then, while much of our discussion is \ncontained in those, in conclusion I would say that I would like \nto go on the record as supporting H.R. 2195, the bill to amend \nthe Federal Power Act, to provide additional authority to \nadequately protect the electrical infrastructure against cyber \nattack, and for other purposes.\n    At the same time, I would like to strongly recommend that \nvery large-scale electromagnetic threats to the critical \ninfrastructure, both EMP and naturally occurring, be addressed \nexplicitly in the bill, in a manner comparable to and parallel \nwith the cyber threats now contained in the bill. Thank you \nvery much.\n    [The statement of Mr. Graham follows:]\n                Prepared Statement of William R. Graham\n                             July 21, 2009\n    Mr. Chairman, Members of the committee, thank you for the \nopportunity to testify today on the matter of the Nuclear \nElectromagnetic Pulse (EMP) threat to the United States, its forces, \nits allies, and its friends worldwide.\n                                abstract\n    Several potential adversaries have or can acquire the capability to \nattack the United States with a high-altitude nuclear weapon-generated \nelectromagnetic pulse (EMP). A determined adversary can achieve an EMP \nattack capability without having a high level of sophistication.\n    EMP is one of a small number of threats that can hold our society \nat risk of catastrophic consequences. 
EMP will cover the wide \ngeographic region within line of sight to the nuclear weapon. It has \nthe capability to produce significant damage to critical \ninfrastructures and thus to the very fabric of U.S. society, as well as \nto the ability of the United States and Western nations to project \ninfluence and military power.\n    The common element that can produce such an impact from EMP is \nprimarily electronics, so pervasive in all aspects of our society and \nmilitary, coupled through critical infrastructures. Our vulnerability \nis increasing daily as our use of and dependence on electronics \ncontinues to grow. The impact of EMP is asymmetric in relation to \npotential protagonists who are not as dependent on modern electronics.\n    The current vulnerability of our critical infrastructures can both \ninvite and reward attack if not corrected. Correction is feasible and \nwell within the Nation's means and resources to accomplish.\n                               background\n    I am an electrical engineer and physicist who has served as a \njunior officer in the Air Force, as Director of the Office of Science \nand Technology Policy in the Executive Office of the President, and in \nthe aerospace industry, together for over 45 years. I have also served \non several Government advisory boards, including as Chairman of the \nPresident's General Advisory Committee, and a member of the Defense \nScience Board, the Department of State's International Security \nAdvisory Board, The National Academies Board on Army Science and \nTechnology, and from 2001 to 2009 as Chairman of the statutorily \nestablished Commission to Assess the Threat to the United States from \nElectromagnetic Pulse (EMP) Attack. 
While now retired, I have worked on \nproblems related to EMP during much of my career, beginning with my \nservice in the Air Force at the Air Force Weapons Laboratory in 1962.\n    The commission requested and received information from a number of \nFederal agencies and National Laboratories. We received information \nfrom the North American Electric Reliability Corporation, the \nPresident's National Security Telecommunications Advisory Committee, \nthe National Communications System (since absorbed by the Department of \nHomeland Security), the Federal Reserve Board, and the Department of \nHomeland Security.\n                              introduction\n    A high-altitude electromagnetic pulse results from the detonation \nof a nuclear warhead at altitudes of about 40 to 400 kilometers above \nthe Earth's surface. The immediate effects of EMP are disruption of, \nand damage to, electronic systems and electrical infrastructure. EMP is \nnot reported in the scientific literature to have direct effects on \npeople.\n    EMP and its effects were observed during the U.S. and Soviet \natmospheric test programs in 1962. During the U.S. STARFISH nuclear \ntest at an altitude of about 400 kilometers above Johnston Island, \nsome electrical systems in the Hawaiian Islands, 1,400 kilometers \ndistant, were affected, causing the failure of street lighting systems, \ntripping of circuit breakers, triggering burglar alarms, and damage to \na telecommunications relay facility.\n    In their testing that year, the Soviets executed a series of \nnuclear detonations in which they exploded 300 kiloton weapons at \napproximately 300, 150, and 60 kilometers above their test site in \nSouth Central Asia. They report that on each shot they observed damage \nto overhead and underground buried cables at distances of 600 \nkilometers. 
They also observed surge arrestor burnout, spark-gap \nbreakdown, blown fuses, and power supply breakdowns.\n    The physical and social fabric of the United States is sustained by \na system of systems; a complex dynamic network of interlocking and \ninterdependent infrastructures (``critical national infrastructures'') \nwhose harmonious functioning enables the myriad services, transactions, \nand information flows that make possible the orderly conduct of civil \nsociety in this country while also supporting our economic strength and \nnational security. The vulnerability of these infrastructures to \nthreats--deliberate, accidental, and acts of nature--is the focus of \nsignificant concern in the current era, a concern heightened by the \nevents of 9/11, major hurricanes, recent wide-area power grid failures, \nand large-scale cyber attacks to date directed at other countries.\n    In November 2008, the commission released an unclassified \nassessment of the effects of a high altitude electromagnetic pulse \n(EMP) attack on our critical national infrastructures and provides \nrecommendations for their mitigation. The assessment entitled Critical \nNational Infrastructures was informed by analytic and test activities \nexecuted under commission sponsorship, as discussed in the report. An \nearlier executive report: Report of the Commission to Assess the Threat \nto the United States from Electromagnetic Pulse (EMP)--Volume 1: \nExecutive Report (2004), provided an earlier unclassified overview of \nthe subject. The commission also prepared and submitted to the Congress \nand the administration several classified reports addressing military, \nnuclear weapon, and intelligence aspects of the subject.\n    The electromagnetic pulse generated by a high altitude nuclear \nexplosion is one of a small number of threats that can hold our society \nat risk of catastrophic consequences. 
The increasingly pervasive use of \nelectronics of all forms represents the greatest source of \nvulnerability to attack by EMP. Electronics are used to control, \ncommunicate, compute, store, manage, and implement nearly every aspect \nof United States (U.S.) civilian systems. When a nuclear explosion \noccurs at high altitude, the electromagnetic fields it produces will \ncover the geographic region within the line of sight of the \ndetonation.\\1\\ This intense electromagnetic phenomenon, when coupled \ninto sensitive electronics through any connected wires or other \nelectrical conductors, has the capability to produce widespread and \nlong lasting disruption and damage to the critical infrastructures that \nunderpin the fabric of U.S. society. Because of the ubiquitous \ndependence of U.S. society on the electrical power system, its \nvulnerability to an EMP attack, together with power grids' increasing \ndependence on electronics for efficiency, control, and safety, as \nreflected for example in increasing national interest in ``Smart Grid'' \ndesign and implementation, creates the possibility of long-term, \ncatastrophic consequences.\n---------------------------------------------------------------------------\n    \\1\\ For example, a nuclear explosion at an altitude of 100 \nkilometers would expose 4 million square kilometers, about 1.5 million \nsquare miles, of Earth surface beneath the burst to a range of EMP \nfield intensities.\n---------------------------------------------------------------------------\n                        the implicit invitation\n    Some in Government have taken the position that EMP attack and \ngeomagnetic storm disruption are low-probability events. Of course, we \nknow that geomagnetic storms will occur, and large ones can seriously \ndamage very long-lead components of the electrical system--it is only a \nquestion of when, not if. Concerning EMP, the logic of their position \nis upside-down. 
By ignoring large-scale, catastrophic EMP \nvulnerability, we invite such attack on our infrastructure by \nadversaries looking to attack us where we are weak, not where we are \nstrong. Our adversaries know how to take advantage of this \nvulnerability, and when coupled with increasing nuclear weapon and \nballistic missile proliferation, it is a serious concern. A single EMP \nattack may effectively instantaneously degrade or shut down a large \npart of the electric power grid in the geographic area of EMP exposure. \nThere is also a possibility of functional collapse of grids beyond the \nexposed area, as electrical effects propagate from one region to \nanother, as has happened in power grid failures over the last 40 years.\n    The time required for full recovery of electrical power service \nwould depend on both the disruption and damage to the electrical power \ninfrastructure and to other national infrastructures. Larger affected \nareas and stronger EMP field strengths would prolong the time to \nrecover. Adding to the recovery time, some critical electrical power \ninfrastructure components, such as large high-voltage transformers, are \nno longer manufactured in the United States, and even in routine \ncircumstances their acquisition requires up to a year of lead time.\n    Damage to or loss of these components could leave significant parts \nof the electrical infrastructure out of service for periods measured in \nmonths to a year or more. 
There is a point in time at which the \nshortage or exhaustion of sustaining backup systems, including \nemergency power supplies, batteries, standby fuel supplies, \ncommunications, and manpower resources that can be mobilized, \ncoordinated, and dispatched, together would lead to a continuing \ndegradation of critical infrastructures for a prolonged period of time.\n    Electrical power is necessary to support other critical \ninfrastructures, including supply and distribution of fuel, \ncommunications, transport, financial transactions, water, food, \nemergency services, Government services, and all other infrastructures \nsupporting the national welfare, economy, and security. Should \nsignificant parts of the electrical power infrastructure be lost for \nany substantial period of time, the commission believes that the \nconsequences are likely to be catastrophic, and many people may \nultimately die for lack of the basic elements necessary to sustain life \nin dense urban and suburban communities. In fact, the commission is \ndeeply concerned that such impacts are likely in the event of an EMP \nattack unless practical steps are taken to provide protection for \ncritical elements of the electric system and for rapid restoration of \nelectric power, particularly to essential services.\n                            a plan of action\n    It is the consensus of the EMP Commission that the Nation need not \nbe vulnerable to the catastrophic consequences of an EMP attack. As \ndetailed in the commission reports provided to the Congress, the \nNation's vulnerability to EMP that gives rise to potentially large-\nscale, long-term consequences can be reasonably and readily reduced \nbelow the level of a potentially catastrophic national problem by \ncoordinated and focused effort between the private and public sectors \nof our country. 
The cost for such improved security in the next 3 to 5 \nyears is modest by any standard--and extremely so in relation to both \nthe war on terror and the value of the national infrastructures \nthreatened. In fact, electromagnetic protection of the critical \nnational infrastructures may over time provide a net saving of money \nthrough the more reliable and robust operation of the systems involved.\n    The appropriate response to the EMP threat is a balance of \nprevention, protection, planning, and preparations for recovery. Such \nactions are both feasible and well within the Nation's means and \nresources to accomplish. A number of these actions also reduce \nvulnerabilities to other serious threats to our infrastructures, thus \ngiving multiple benefits.\n    It is not feasible to reduce the consequences of an EMP attack to \nan acceptable level of risk by any single measure. However, in the view \nof the EMP Commission, it is possible to achieve an acceptable level of \nrisk and reduced invitation to an EMP attack with a strategy that \nintegrates several significant measures:\n  - Pursuing intelligence, interdiction, and deterrence to \n        discourage EMP attack against the United States and its \n        interests;\n  - Protecting critical components of the infrastructure, with \n        particular emphasis on those that, if damaged, would require \n        long periods of time to repair or replace;\n  - Maintaining the capability to monitor and evaluate the \n        condition of critical infrastructures;\n  - Recognizing an EMP attack and understanding how its effects \n        differ from other forms of infrastructure disruption and \n        damage;\n  - Planning to carry out a systematic recovery of critical \n        infrastructures;\n  - Training, evaluating, ``Red Teaming,'' and periodically \n        reporting to the Congress;\n  - Defining the Federal Government's responsibility and \n        
authority to act;\n  - Recognizing the opportunities for shared benefits;\n  - Conducting research to better understand infrastructure \n        system effects and developing cost-effective solutions to \n        manage these effects.\n    Finally, I would like to state for the record that I support H.R. \n2195, a bill to amend the Federal Power Act to provide additional \nauthorities to adequately protect the critical electric infrastructure \nagainst cyber attack, and for other purposes. At the same time, I \nstrongly recommend that electromagnetic threats to the critical \nelectric infrastructure, both from nuclear EMP attack and from \nnaturally occurring, large-scale geomagnetic storms, be addressed in \nthe bill in a manner explicitly comparable to and in parallel with \ncyber threats as now contained in the bill. It is important to do this \nbecause an integrated approach to protecting critical electrical \ninfrastructure will be much less expensive and more effective and \nexpedient than any fragmented approach to the problem, and unlike the \nDepartment of Defense, the Department of Homeland Security, from its \nestablishment forward, has shown neither an understanding nor a \nwillingness to consider the problem of electromagnetic threats to our \ncountry.\n\n    Mr. Thompson [presiding]. Thank you very much, Dr. Graham. \nChairwoman Clarke had to go and cast votes in a mark-up. She \nwill return shortly.\n    Mr. Fabro, 5 minutes.\n\n     STATEMENT OF MARK FABRO, PRESIDENT AND CHIEF SECURITY \n                     SCIENTIST, LOFTY PERCH\n\n    Mr. Fabro. Thank you to the committee for the opportunity \nto testify today. My name is Mark Fabro and I am the president \nand chief security scientist of Lofty Perch, a company focused \non providing control systems, cybersecurity services and \nresearch. 
I am a member of the UTC Smart Network Security \nCommittee; the chairman of the Canadian Industrial Cyber \nSecurity Council; and co-chair of ISA-99, Working Group 10.\n    I am here today to provide insight as to what measures can \nbe taken to help protect the modern electric grid from cyber \nattack. There is no doubt as to whether or not our electric \ninfrastructure will continue to converge with internet-based \nsystems, and as it matures, it will inherit cyber \nvulnerabilities.\n    We know there is a problem. We know the cause of the \nproblem. We know what works to correct it. We just need a plan \nto implement. Our challenge is to ensure that, as we go \nforward, we have done our due diligence, improving solutions as \nsecure and reliable, and that we protect what might be the most \nvital of all critical infrastructures.\n    But it is important to note, the findings regarding \ncybersecurity risk are not ubiquitous across all the entities \nsupporting the bulk power system. Moreover, they are not unique \nto single countries, entities or operators, and they most \ncertainly are not indicative of an overall generally poor \nsecurity posture.\n    We continue to witness excellent examples of effective \ncybersecurity activities from many entities and observe \nprogress that does not align with the popular opinion that the \nbulk power system is ripe for total cyber compromise.\n    The complexity of the problem in trying to measure how \nsecure or resilient the grid is from cyber attack, cannot be \noverstated. Often, and erroneously, the cybersecurity problem \nis framed under the assumption that there is simply a single, \nuniform grid, and that a mitigation strategy, be it technical \nor policy-based, should be applicable in all areas.\n    Nothing could be further from the truth. 
Clearly, the \nstrategy for securing the modern grid requires significant \nutilization of information security technology, security \nresearch, information-sharing capabilities, and the integration \nof these in a manner that meets the challenges associated with \ncurrent and future power delivery requirements.\n    To that end, it becomes important to understand that many \nof the cybersecurity vulnerabilities in the bulk power system \nthat were once only theorized, have indeed been proven. \nSometimes the risk is connected to the core technology, \nvulnerabilities in hardware, and software and various \nprotocols, can manifest in a multitude of attack vectors, even \nones that could involve the compromise of large aggregated \nsystems that could impact millions of consumers simultaneously.\n    But as researchers and subject matter experts, our ability \nto communicate findings in a broad and effective manner is \noften impeded by the absence of an effective information \nsharing system. Thankfully, there is good work being done today \nthat can be leveraged for a secure grid tomorrow.\n    We have seen the NERC standards in action, reducing some \ncybersecurity risk profiles by orders of magnitude.\n    We have seen the creation of non-invasive security \nassessment tools that create usable guidance for securing \nenergy management systems. We have seen extensive energy sector \nroad maps that have provided for the creation of technologies \nthat can be used for security of electricity domain.\n    As proven time and time again, there are public-private \npartnerships already in place contributing to the mitigation of \nsecurity threats to the bulk power system. 
Rather than develop \nnew plans that are tied to more aggressive standards and \nenforcement, we need to ramp up the efforts in place now and \nsupport the continuation of what has been proven to work.\n    I feel that there are three areas that should be focused on \nto meet the emerging security challenges; research, improved \nstandards, and procurement language.\n    First, research, the research effort regarding the \ncybersecurity of the bulk power system needs to be expanded and \nnurtured. A sanctioned activity that promotes the independent \nassessment of power system technologies without the risk of \nlegal retaliation or negative attribution is necessary.\n    In essence, cybersecurity's researchers must be protected. \nThis research must also include information sharing and cyber \nincident response functions so that we can better prepare for, \ndetect, and respond to incidents unique to bulk power system \narchitectures.\n    Second, refining standards, the continued development of \ncybersecurity standards for grid elements is required. This \neffort should leverage standards that are already in place and \naccepted by the national and international community of \nstakeholders.\n    These standards should be updated to be more flexible so \nthat they can accommodate shared threat and vulnerability \ninformation, but not so flexible to allow for erroneous \nreporting regarding critical assets and cyber assets. The \nstandards should also incorporate instruction regarding how to \nimplement emergency orders related to specific and imminent \ncyber attacks.\n    Third, for procurement guidance, this public-private \nactivity should leverage the existing body of work done for \nindustrial control systems and enhance it with sections \ntailored to the electric sector. 
Simple refinement of existing \nprocurement guidelines can have a tremendous influence in bulk \npower system cybersecurity and it can be done immediately.\n    To the committee, Madame Chairwoman, Ranking Member, I \nthank you for this opportunity to testify here today and I \ncommend you on your attention to this very important matter. I \nwill be more than happy to answer any questions you may have at \nthis time.\n    [The statement of Mr. Fabro follows:]\n                    Prepared Statement of Mark Fabro\n                             July 21, 2009\n    Madame Chairwoman and Ranking Member, thank you for the opportunity \nto testify today before the Homeland Security Subcommittee on \n``Securing the Modern Electric Grid from Physical and Cyber Attacks.''\n    My name is Mark Fabro and I am the president and chief security \nscientist of Lofty Perch, a company focused on providing cybersecurity \nservices to critical infrastructure organizations such as those in the \nenergy, water, transportation, and oil and gas sectors. I am a member \nof the Utilities Telecom Council Smart Networks Security Committee, the \nchairman of the Canadian Industrial Cyber Security Council, and co-\nchair of ISA SP99 Working Group 10: Governance and Metrics for \nIndustrial Automation and Control Systems Security. For the last \nseveral years I've been a subject matter expert supporting the \nindustrial control systems cybersecurity research effort at the \nDepartment of Energy's Idaho National Laboratory, as well as the \nefforts spearheaded by the Department of Homeland Security and the \nControl Systems Security Program. I have authored several key \nRecommended Practices for securing industrial control systems, and have \nparticipated in the development of specific guidance as it pertains to \nsecuring information technology in critical infrastructure systems. 
My \nprofessional experience has provided me the privilege of performing \nextensive cybersecurity research as it applies to the electric sector, \nand I have been involved in a multitude of assessments specifically \nperformed to determine the cybersecurity of critical elements of the \nbulk power system.\n    I want to be clear in stating that my testimony today is based on \nmy opinions and mine alone. This testimony was generated using my \nexperiences in working with sector-specific organizations as well as \nmany utilities, researchers, and other international government \nentities facing the same challenges regarding cybersecurity and the \nelectric utility industry. My comments are based on my experience in \nworking with stakeholders, asset owners, vendors, and from detailed \ncybersecurity assessment work specific to the electricity sector. I \nalso want to state that I have reviewed and assessed material from \nother industry and subject matter experts who specialize in the field \nof cybersecurity for electric grid systems, and have vetted my concerns \nwith them to ensure the committee is empowered with actionable \nintelligence.\n                    background and problem statement\n    As we look inwards to the Nation's vital information systems, such \nas those responsible for maintaining our most essential \ninfrastructures, we continue to see, as Madame Chairwoman said in her \nMarch 10, 2009 opening remarks, ``too many vulnerabilities existing on \ntoo many critical networks which are exposed to too many skilled \nattackers who can inflict too many damages to our systems.'' The \nstatement is chillingly accurate and has specific applicability to the \nNorth American power grid. There is no doubt as to whether or not our \nelectric infrastructure will continue to converge with internet-based \nsystems, and as it matures it will inherit cybersecurity \nvulnerabilities. 
As an example we are well on our way to seeing Smart \nGrid happen; it has already been proven to be successful in many cities \nand funding has been allocated to make it a proven reality. Our \nchallenge is to ensure that as we go forward we have done our due \ndiligence in proving these solutions as secure and reliable, and that \nwe protect what may be the most vital of all critical infrastructures.\n    In the last several years the rate at which critical infrastructure \nentities have embraced modern information technology to enhance their \nbusiness operations has been staggering. This activity is of course a \nnatural progression, as a considerable portion of the Nation's critical \ninfrastructure systems have been found to be significantly aged, have \nbeen built with a single purpose in mind, and deployed assuming \nisolation by both physical and technological means. In an ever-changing \nenvironment that demands businesses operate better, faster, and more \nefficiently these characteristics clearly showcase a need for \nmodernization. With the President directing the National Security \nCouncil to undertake a 60-day review of the U.S. approach to \ncybersecurity it is important to recognize that the issues related to \nthe national critical infrastructure are being investigated, and \nmeasures to protect vital systems are going to be done not unilaterally \nbut with the cooperation of allies. Recently proposed bills have \nspecific intent on augmenting current responsibilities as they pertain \nto protecting the bulk power system from cyber attack, as well as \nrefine security and intelligence practices to specifically address \ncyber threats and vulnerabilities to the power grid. 
Congressional \nhearings have done an excellent job at highlighting the cybersecurity \nissues associated with the industrial control systems running our \ninfrastructure, and the release of Smart Grid stimulus funds being \nconditional on cybersecurity plans showcases that the issues regarding \ncybersecurity are penetrating relevant communities of concern.\n    But the findings and risks regarding cybersecurity are not \nubiquitous across all entities supporting the bulk power system. \nMoreover, they are not unique to a single country, they are not unique \nto a single type of entity, and they most certainly are not indicative \nof an overall ``generally poor'' security posture. We continue to \nwitness excellent examples of effective cybersecurity activities from \nmany entities, both large and small, and continue to see progress that \ndoes not align with the popular opinion that the bulk power system is \nripe for total cyber compromise.\n    Unfortunately, regardless of how driven we are to address and \nmitigate the larger cybersecurity problem, there is almost an \nunavoidable introduction of cybersecurity vulnerabilities into grid-\nrelated elements. This problem is of course exacerbated by the cultural \nimpediments that often drive reticence and the uncooperativeness of \ninfrastructure asset owners to address cybersecurity. Issues with \ninterdependency and cross-sector reliance mean that a single weak link \nin the cybersecurity chain is a very influential one, and an attack on \neven the smallest participant can have national impact. As \ninteroperability is the cornerstone of the bulk power system, we need \nto ensure our current solutions and path forward are paved with the \nuseable safeguards we implement today. 
Indeed, robust situational \nawareness and a cohesive response plan are necessary components within \nany cyber risk reduction plan, but we must not forget that a majority \nof the North American critical infrastructure is not owned or operated \nby Government. As such, an understanding of the real cybersecurity \nissues within the electric sector community, including those related to \nculture, multi-national interdependency and legacy operations is a \nfundamental requirement in protecting the power grid.\n    Extensive research has been done regarding the risk associated with \nmigrating critical infrastructure systems over to modern IT \narchitectures, with some specific material focused on industrial \ncontrol systems. Numerous organizations, within both the public and \nprivate sector, have for years recognized this problem and have \nestablished several watershed efforts to meet the ever-changing \nchallenges associated with this very important issue. However, \nresulting efforts have been disparate in nature, and only manage to \naccommodate the needs of certain communities of interest and not the \nNation as a whole. As the protection of the North American bulk power \nsystem is not only a national issue it is a multi-national issue, we \nneed to ensure our efforts become unified and provide consideration for \nthe diversified stakeholders dealing with this problem.\n                            knowing the risk\n    Of all the 18 critical sectors recognized by DHS, the security and \nreliability of the bulk power system could be considered the most \ncritical. Studies have repeatedly shown that the ability for the other \n17 to function properly depend on its availability. The realization \nthat the grid is vulnerable to cyber attack is not new, as more than 12 \nyears ago the National Security Telecommunications Advisory Committee's \nInformation Assurance Task Force cited numerous electronic security \nincidents and threats to the grid. 
In their Electric Power Risk \nAssessment, the IATF referenced the possibility of electronic attack, \ncited technical hackers (including terrorists) as a threat, and \ncautioned on the pervasiveness of open source information that can \nfacilitate the creation of target folders. At that time a majority of \nutility members agreed ``that an electronic attack capable of causing \nregional or widespread disruption lasting in excess of 24 hours is \ntechnically feasible.''\\1\\ Today, we appear to be in the same position, \nand most would agree with the findings as if the report came out last \nweek.\n---------------------------------------------------------------------------\n    \\1\\ National Security Telecommunications Advisory Committee \nInformation Assurance Task Force ``Electric Power Risk Assessment'', \nMarch 1997, www.solarstorms.org/ElectricAssessment.html.\n---------------------------------------------------------------------------\n    The complexity of the problem in trying to measure how ``secure'' \nor ``resilient'' the grid is from cyber attack cannot be overstated. \nOften, and erroneously, the cybersecurity problem is framed under the \nassumption that there is simply a single uniform ``grid'' and that a \nmitigation strategy, be it technical or policy-based, should be \napplicable to all areas. Nothing could be further from the truth. The \nprocesses and technology required to support the reliability and \nfunctionality of the bulk power system, across all entities and \ninterconnects, is incredibly diverse. An immeasurable number of \ndifferent vendor technologies, protocols, operating systems, \ncommunications media, and operating procedures simply cannot facilitate \nfor a security ``silver bullet'' in either the policy or technology \nspace. 
With the power infrastructure comprised of legacy systems that \ncannot provide for useable event data, and newer systems unable to be \ntuned to account for cybersecurity, it becomes very difficult to \ndiscern between inherent system irregularities and incidents generated \nby malicious cyber attack. Compounding the problem is the fact that \nmodern cybersecurity technologies are not always adaptable to control \nsystem environments, as the need for perpetual system availability \noften precludes even the simplest countermeasure.\n    Clearly, the strategy for securing the modern grid requires \nsignificant utilization of energy technology, information security \ntechnology, research, and the integration of these in a manner that \nmeets the challenges associated with current and future power delivery \nrequirements. As the bulk power system does and will continue to depend \non diverse information technology solutions, many of which possess \ninherent cybersecurity vulnerabilities, we must be diligent in \nunderstanding the cyber risk associated with critical cyber assets. The \npast several years have brought about a significant increase in \nattention to the issue of cybersecurity and industrial control systems \nas well as the development of enforceable cybersecurity standards for \nthe electric sector entities. Indeed, the work both nationally and \ninternationally has been substantial. It is no question that we as a \nsociety are committed to protecting the power grid. But it has become \nvery clear that the security safeguards we have created are often not \ncommensurate with the levels of protection required for a system with \nsuch high value. The economics associated with the energy business has \nin many ways threatened the potential of well-intended cybersecurity \nguidance, and perhaps may have contributed towards many of the recent \nincidents that precipitated this hearing and affiliated bills. 
We now \nknow that we have a situation that, if left unattended, could have \ncatastrophic results.\n                        specific security issues\n    As a concerned community, we need to ensure that the issues \nregarding cybersecurity in the bulk power system are presented and \nstudied in the appropriate light and not necessarily in the same \ncontext as cybersecurity for general IT systems. Accurately \nunderstanding the threats and vulnerabilities associated with the bulk \npower system will only serve to ensure that future State architectures \nwill have the necessary countermeasures and mitigations properly \nembedded. To that end, it becomes important to understand that many of \nthe cybersecurity issues in the bulk power system (including Smart \nGrid) that were once only theorized have indeed been proven. We have \nbeen able to see the impact of hostile mobile code on nuclear facilities, \nwitness hackers tunnel into distribution systems, create attacks that \ncan take over a large metering infrastructure, and watch researchers \ncreate useable exploit code that is specific to a vendor's industrial \ncontrol system product. Although we see threats and malicious activity, \nwe still lack reports of any cyber attacks that have directly impacted \nthe bulk power system. Presenting these issues is not intended to \ninstill fear or panic, nor is it intended to question the surety of our \ncurrent and future grid plans as advantageous. Rather, they are \npresented to support the problem statement with facts that can be used \nto structure coordinated and effective mitigation activities. With \nproposals in place to possibly adjust the current landscape of \nauthority as it pertains to the cyber protection of the bulk power \nsystem, familiarization with some of the more core problems is \nrequired. 
It is intended that such a discussion can facilitate for a \nbetter understanding of key issues, thus empowering the committee to \nmake informed choices going forward.\n    Many elements that make up the bulk power system are not secure \nfrom cyber events, whether they are of malicious intent or not. On a \nregular basis we see cyber incidents impact some aspect of our energy \ninfrastructure, and as connectivity increases, along with hacker \ninterest, we will continue to hear more. Sometimes the risk is \nconnected to the core technology. The bulk power system can be \ndisrupted by using attacks that neither NERC nor FERC can regulate, \nsuch as those that exploit vulnerabilities inherent in vendor \ntechnologies. Vendors that use a single security safeguard across their \nentire solution makes the attacker's work considerably easier, as the \ncompromise of a single device can often mean a compromise of many \ndevices in the command-and-control architecture. This is particularly \napplicable to Smart Metering, and to date various research teams have \nshown vulnerabilities that could be exploited across a metering \ninfrastructure rendering the network inoperable (or under the control \nof an attacker). In some instances vulnerabilities exist within devices \nthat have capability for remote disconnect, suggesting attacks could \ndisable a metering infrastructure, impact utility load forecasting, and \nperhaps impact control. Remote disconnect capability can be deployed to \nthe residential level as well, and compromised meters could lie dormant \nuntil a later date and be used to attack other devices or grid \nelements. One must consider what would happen in the event of an \naggregated attack, where an attacker was able to compromise 5 million \nmeters in a city-wide deployment, and suddenly render those 5 million \nend-points off-line--what is the impact to the bulk power system when \nthe load from 5 million residences suddenly vanishes? 
I do not know \nwhat that would look like in terms of grid coordination efforts but I \nknow it would definitely be non-trivial and require some expensive \ninvestigation. Consumer trust in Smart Grid would surely be impacted.\n    New vulnerabilities in the embedded systems responsible for the \navailability and integrity of electricity operations continue to be \ndiscovered. An emerging security issue relates to how some critical \nfield technology can be compromised by exploiting methods used for \nupgrading device firmware, such as those for substation and field \noperations. These attacks can render the device inoperable, make \nthe data collection/submission capabilities useless, or cause \nundesirable impact to control capabilities. Such an attack would \nsignificantly impact a utility's ability to provide market data, impact \nload forecasting, impact ability to accurately control load shedding \noperations, and possibly be used to force improper and unexpected load \nshedding.\n    By creating and deploying control system solutions that utilize \ncommercial radio technologies with tunable antennas, the compromise of \nnetworked grid equipment with embedded vulnerable radios could lead to \nthe creation of an unauthorized broadcast network, causing interference \non almost any radio frequency. This could impact radio communications \nused by transmission operations, as well as integrated water and gas \nsystems, transportation functions, and municipal emergency services. In \naddition to impacting electric grid control, the result could be \nmillions of rogue radio transmitters broadcasting multi-frequency noise \nacross the radio spectrum of a major urban metropolis, with the \npotential to jam vital infrastructure communications. 
This issue is in \nthe same category as those vulnerabilities recently discovered that, if \nexploited, can lead to a persistent denial of service in some utility \noperations.\n    The suite of protocols that allow our bulk power system to work is \nan extensive one, but many of the more common ones have for many years \nbeen compromised and well understood by hackers and engineers alike. \nWith common industrial control protocols now using modern IT protocols \nas the basis for communication, hacker tools and methods are easily \nused against critical infrastructure systems. Attacks that compromise \navailability, integrity, and confidentiality can easily be launched \nagainst infrastructure systems, and we cite examples such as the worm \nattack on the Davis-Besse nuclear plant and the hacker attack on the \nCalifornia ISO. Considering the fact that many major protocols were \nopenly published (to meet interoperability needs), the practice of \nreverse engineering both proprietary and open protocols has also \nincreased the overall risk to our grid operations. Many of the meshed \nnetworks designed to heal themselves and ensure system communications \nhave been found to be vulnerable to attacks traditionally only known to \nthe IT world. This vastly extends the scope of plausible attacks \nuseable by adversaries, and could lead to the compromise of grid \nintegrity, energy operations, load control, and critical energy \ninfrastructure information.\n    Finally, there is risk associated with the deployment of secure \nsolutions in an insecure manner, a concern shared by many operators \nwithin the bulk power system. The problem is cultural, and is a \nresidual effect from many decades of using control environments \nisolated from internet-based networks. 
Moving to new modern \ninterconnectivity, supported by the economics associated with energy \nmarkets and customer satisfaction, assessments have shown that energy \nmanagement and even maintenance networks can be quite insecure from a \ncyber perspective. Field engineers using unknowingly compromised \nservice computers, wrought with insecure instant messaging and social \nnetworking applications have authoritative access to vital grid \nelements. These issues, along with requirements for corporate \noperations to have on-demand access to energy management systems, \ncreate new conduits for attackers. The weaknesses that exist in some \npower system deployments can also impact the entire information path \nfrom the SCADA systems to the consumer. In some cases, this has \nactually manifested in attackers compromising utility customer service \nweb portals, and hacking back into the command function of the utility \nto cause loss-of-control situations in the energy management system.\n    We have seen numerous vulnerabilities in our own research \nenvironment, in the assessment environment, and even in emerging Smart \nGrid elements such as Advanced Metering Infrastructure, or AMI. In some \ncases, the results and findings are discouraging. Assessments and \nincident response repeatedly provide alarming information, such as \nproof of qualified threats looking to use cyber means to impact \nelectric grid operations. As a researcher and subject matter expert, my \nability to communicate findings in a broad and effective manner is \noften impeded by the absence of an information sharing system.\n                         positive perspectives\n    There is very good work being done today that needs to be leveraged \nfor a secure grid tomorrow. We have seen the NERC standards in action \nthat, when implemented, have reduced an entity's risk profile by orders \nof magnitude. 
We have seen the creation of non-invasive assessment \ntools and techniques that create useable guidance for securing energy \nsystems. We have seen extensive sector-specific cybersecurity roadmaps \nthat have provided forums for the creation of technologies that can be \nused in the energy domain. As an example, we have the knowledge and \ntechnological capability to shape an early detection and warning system \nthat could be tuned for the bulk power system elements, as we have seen \nsmall-scale solutions deployed with great success. We have proven case \nstudies that can be used to build effective ``deter'' and ``detect'' \ncapabilities, ones that can perhaps add completeness to a unified \n``respond'' function. And, as is proven time and time again, the \npublic/private partnerships are in place to ensure cooperative \ncapabilities in mitigating security threats to the bulk power system in \nNorth America.\n    Even though we had warnings in the mid-1990's, in the last 12 \nmonths we have gone from simply knowing about the security concerns of \nthe bulk power system to a widespread understanding that \nvulnerabilities have and continue to be exploited by adversaries. The \nproblem has manifested to the point that DHS, DOE, and members of the \ndefense and intelligence community have taken an interest. We are \ntrying to categorize the threat and use our traditional analysis \nmethods to fit our data into the boxes we are comfortable with. \nHowever, we need to ensure the tactical strategy for defending our bulk \npower system does not require a development runway so long it precludes \nus from defending against the threat today. To ensure we are successful \nin creating security mandates and mobilizing any response capability we \nneed to leverage what is working presently. 
We do not have the luxury \nof time; we need to leverage and support existing efforts and public/\nprivate programs that are already established and move forward as \nopposed to sideways.\n    Many experts suggest that the realization of a secure bulk power \nsystem is ``blue sky'' wishful thinking. But to say that ``Secure Power \nGrid'' is an oxymoron is a dangerous and erroneous statement. The \nelectric power industry regularly protects the bulk power system using \nadvanced coordination and seamless response activities. Present-day \ncapabilities, research initiatives, and subject matter expertise \ncontinues to facilitate for effective and self-sustaining solutions to \nensure security in electric sector deployments. With appropriate \ndirection, support, and funding the community of interest is more than \ncapable to address these issues and provide for secure solutions. Much \nwork has been done across the stakeholder community, and we need not \nstart from zero. The required direction to mitigate the security \nvulnerabilities that could have an adverse effect on the bulk power \nsystem is well within our reach. Rather than develop new plans that are \ntied to more aggressive standards and enforcement we need to ramp-up \nthe efforts in place now, and support the continuation of what has been \nproven to work. New activities that will attempt to create a secure \nenergy infrastructure through hyper-rigorous compliance mandates is not \nthe right approach. In the past we have seen how the process for \ninstantiating new mandates can bring progress to a grinding halt, and \nany new changes could actually reduce the security posture of the \nelectric system while entities struggle to align with new directives. 
\nThe stakeholder community may be very unreceptive to new instruction \nand mandates, especially if it could make their historical progress \nobsolete.\n                     suggestions for a path forward\n    While many programs exist that can support a better understanding \nof how to address these issues, certain activities must be undertaken \nto ensure success in protecting key assets. I feel that there are three \nprimary areas that must be focused on to meet the current and emerging \nchallenges associated with protecting the bulk power system from cyber \nattack.\nFirst: SUPPORTED RESEARCH\n    The research function regarding the cybersecurity of the bulk power \nsystem needs to be expanded and nurtured. As in the traditional IT \ndomain, having well-funded and approved research is vital in making \nsure the user community is safe from malicious cyber attack. A \nsupported and sanctioned activity that promotes the assessment of \nvendor technology without the risk of legal retaliation or negative \nattribution is necessary. In essence, the cybersecurity researchers \nfocusing on critical infrastructure must be protected and, whenever \npossible, empowered by having their efforts embraced by vendors and \nasset owners alike. This would of course contribute to the existing \nwork being done through public sector initiatives. Working to remove \nthe hurdles that prohibit cybersecurity testing for electric system \nsolutions will dissolve a shroud of secrecy that provides for the ever-\nfailing ``security through obscurity''. Believing threat actors do not \nknow how a system works is no grounds to assume it is secure. With a \nwide range of on-line auctions that can be used to purchase systems \nthat are identical to what we would call critical assets, we need to \nenroll our best minds, including private researchers, to stay ahead of \nthe threat. 
This research will provide additional value to those \nvendors that have long understood the impact of cybersecurity on \ncritical infrastructure, as well as assist those that are new to the \ndomain and need support in understanding the impact insecure solutions \ncan have. This would provide specific value to the Smart Meter arena. A \ncoordinated research effort between vendors, researchers, and utility \noperators would help precipitate mitigations that would maximize our \nown security postures and allow for easy integration into electric \nsystem solutions. Failure to do so simply provides the adversary with \nan advantage, and hinders our ability to proactively protect our \nassets. This research must also include the updating of information \nsharing and cyber incident response functions so that we can prepare, \ndetect, and respond to cyber incidents unique to our bulk power system \narchitectures. This action can be put in place today by leveraging \nexisting public/private programs, with assurances that the research \nactivities to date can be used to help protect the solutions being \nmanufactured for delivery in the very near term.\n    The committee is encouraged to support the existing frameworks that \ncan promote cybersecurity research for electric grid elements, and have \nit defined in such a way that both researchers and vendors are driven \nby appropriate incentives to promote the discovery and mitigation of \ncyber vulnerabilities. Specific technological security testing, perhaps \nunder Cooperative Research and Development Agreement initiatives, could \naugment the analysis and processing of cybersecurity incidents that \nimpact the bulk power system. When permitted, the inclusion of results \nfrom Federal research, such as that done by DOE, will provide \nsignificant value to the library of useful findings. 
As the issues of \ncybersecurity and the power grid are not unique to the United States, \nefforts to maximize the sharing of threat information among allies can \nonly help to precipitate better understanding. The committee is also \nencouraged to facilitate these cooperative efforts by appointing a non-\nregulatory lead organization within the Federal Government to \ncoordinate current research efforts, manage relationships and, when \nfeasible, ensure existing public/private efforts can implement actions \ndefined by research findings.\nSecond: REFINED STANDARDS\n    The continued development of cybersecurity standards is required to \nbe the baseline for driving definitive specifications to protect grid \nelements, and to date we have working standards that are in effect \nacross the sector. With such a broad scope of critical component \nfunctions, standards that define interoperability safeguards must also \nbe provided. Standards must continue to be developed and improved with \nfull support and contribution from the stakeholder community both \nnationally and internationally. Most importantly, these standards \nshould be flexible to accommodate for refinement based on threat \ninformation, but not so flexible that it facilitates erroneous \nreporting regarding critical assets and cyber assets. The reliability \nand security of the bulk power system is the responsibility of the \nUnited States, Canada, and Mexico and as such these standards must be \nenforceable by an integrated and overarching entity that can support \nemergency orders swiftly and with authority. The standards should also \nhave applicability to the vendor community, allowing vendors to be \nempowered with guidance as it relates to building secure energy \nmanagement technology solutions from the start. This must be provided \nso that vendors can insert cybersecurity into their Systems Development \nLife Cycle, and ensure security is built in to the solutions \nproactively. 
As many experts agree that the fear of regulation or audit \ngreatly exceeds the fear of security breach, we must be careful of \ncreating standards that move organizations in a direction opposite to a \nsecure path, as we have witnessed instances where adherence to strict \nregulations actually decreases the cybersecurity posture of an entity.\n    These cybersecurity standards developed must take into \nconsideration current and future states regarding threat intelligence, \ncyber incident reporting, control systems cybersecurity, and legal \nframeworks for information sharing. As such, an effective capability on \nsharing cybersecurity vulnerability and threat data as it relates to \nthe critical electric infrastructure is required. This capability \nshould support a Federal entity responsible for providing accurate and \ntimely data on specific and imminent cyber threat. With that, sanitized \ninformation products can then be used to improve standards and \nproactive defensive activities. Of vital importance is that these \nimproved standards must facilitate for better information sharing \nwithin the stakeholder community.\n    These standards must support a divergence from a culture based \nsimply on compliance and towards one founded on the measurement of \nadherence to research-based best practices. The improved standards, \nusing the stakeholders as leadership and critics, would also help \nmaintain the tremendous success seen in private sector voluntary \nactions.\nThird: PROCUREMENT GUIDANCE\n    To support utilities and asset owners acquiring and deploying \nsecure electric system solutions, specific procurement guidance \nlanguage should be developed. Such language will be a valuable \nfacilitator that will drive vendors and asset owners to work together. \nThis cooperative activity will help shape bulk power system technology \ncybersecurity requirements that can help make informed choices leading \nto better procurement. 
This public/private activity should leverage the \nexisting body of work done for industrial control systems and enhance \nit with sections tailored to the electric sector.\n    Leveraging the existing procurement language developed to assist in \nthe evaluation, development, and purchase of secure industrial control \nsystems, the guidance to assist in selecting secure grid architecture \nelements, such as AMI, substation, and transmission elements, can be \ncreated using efforts by vendors, security researchers, and results \nfrom Government-led initiatives. It has been verified that vendors find \nsuch a language very useful to ensure future business, as it will guide \nthem to develop secure solutions consumers clearly want and need. As \nproven in the control systems domain, inherent security becomes a \nmarket differentiator for the community as a whole, and that can lead \nto a better and more secure infrastructure. In this case, moderate re-\nengineering of existing procurement guidelines can have a tremendous \ndownstream influence in bulk power system cybersecurity, and it can be \ndone immediately. Recent advances in Smart Grid and Smart Metering \ncybersecurity, such as that done by AMI-SEC Task Force, UtiliSec, and \nNIST, could be easily incorporated.\n    Madame Chairwoman, Ranking Member, and the entire committee I thank \nyou for this opportunity to testify here today. I would be happy to \nanswer any questions you may have at this time.\n\n    Mr. Thompson. Thank you very much. The Chair now recognizes \nMr. Assante for 5 minutes.\n\nSTATEMENT OF MICHAEL J. ASSANTE, CHIEF SECURITY OFFICER, NORTH \n           AMERICAN ELECTRIC RELIABILITY CORPORATION\n\n    Mr. Assante. Thank you. Madame Chairwoman, Chairman of the \nfull committee, Ranking Member, Mr. 
Lungren, Members of the \nsubcommittee, my name is Michael Assante, I am the chief \nsecurity officer of the North American Electric Reliability \nCorporation.\n    As a designated electric reliability organization in the \nUnited States, and much of Canada, our responsibility and we \nare dedicated to doing so, is to ensure reliability of the bulk \npower system. This is a very sobering responsibility, \nespecially in light of the comments today.\n    The last time our organization testified before this \nsubcommittee, we committed to improving our response to \ncybersecurity. I am here confidently to report that we have \ndone so, but we realize there is much more work to be done.\n    Cyberspace is proving paramount, both as a national and an \neconomic security issue. The compromise of our national through \nthis invisible battleground has cost billions of dollars from \nour economy in terms of theft of both intellectual property and \nthe destruction of information systems.\n    Even though NERC is not aware of any cyber attacks that \nhave directly affected the reliability of power systems in \nNorth America, we have no illusions of immunity, as we are well \naware of both Government systems and business systems that have \nbeen successfully attacked at home and power systems that have \nbeen disrupted abroad.\n    The United States and Canada must be ready to act in the \nevent of a specific and imminent cyber threat. 
We believe there \nis an important gap in authority when it comes to these \nemergency situations in the United States, and additionally, \nemergency authority should be put into place and put into place \nsoon.\n    NERC and the electric sector have been working to answer \nPresident Obama's broad call to action, stemming from a 60-day \ncyber study completed in May 2009 and we are preparing for \nCanada's forthcoming national strategy and action plan for \ncritical infrastructure and a national cyber strategy.\n    Some of these efforts include on-going revisions to NERC \ncybersecurity standards with the goal of building a stronger \nfoundation. Phase 1 of these revisions was submitted to FERC \nfor approval in May. Work on additional Phase 2 revisions \ncontinues and we are about to complete a thorough evaluation of \nhow we can incorporate portions of this framework into the NERC \nstandards.\n    I personally believe another important element of the \nrevisions will be to consider how best to construct broad \nrequirements for training and awareness programs, in incident \nresponse and reporting, to apply to all entities of the bulk \npower system.\n    We have also instituted and improved our voluntary alert \nmechanism, whereby NERC is able to reach nearly 5,000 \nprofessionals in control rooms, power plants, and engineering \ncenters across North America within hours of being informed of \na vulnerability, or a threat. NERC has issued nine such alerts \nover 2009.\n    Efforts also include expanded work on further assessments \nand deeper analysis of risk. 
NERC's cyber risk preparedness \nassessment, conducted in close coordination with the industry, \nis designed to evaluate the preparedness in dealing with \nchallenging cyber threats.\n    While the pilot group will be small, the goal of this \nassessment is to develop a toolkit for entities so that they \nmay assess their ability across the industry.\n    NERC is also partnering with the Department of Energy in a \nvery important effort to breathe new life into the previous \nwork to address high-impact, low-frequency risks, such as \nspace weather, electromagnetic pulse, and pandemics. Many of \nthese are focused on cybersecurity risks, but physical risks in \nthe security of the power system are a very real concern.\n    Our understanding, system redundancies, coupled with \nexisting authorities far exceed what is in place to address a \nvery structured and well resourced cyber adversary.\n    The threat is like no other, and to demonstrate my point, I \nwill compare it to the rash of German U-boat attacks in the \ncoastal waters surrounding the United States that began in May \n1942 and lasted for almost a year.\n    The submarine threat was a mysterious one, much like the \never-present but more deeply mass cyber attacks of today. The \nthreat is playing out beneath the cyber seas, but unlike \nsubmarine warfare it has not stopped at our shoreline, \nattackers are able to strike without being in harm's way.\n    Cyber weapons are often not flagged and their true origins \nare unknown and therefore unattributable, and most importantly, \nthey have been largely successful in evading the instruments \navailable to prevent and deter it.\n    This is the risk to the power grid, that is the \ninterconnective system of wires, power plants, and digital \ncontrols is still evolving, is still not yet fully understood. 
\nThe potential for an intelligent attacker to exploit a common \nvulnerability across the system and impact many assets at once \nand from a distance is one of the most concerning aspects of \nthis challenge.\n    This is not unique to the electric sector, but addressing \nit will require better intelligence, and new thinking, on top \nof sound operating and planning analysis. Complicating this \nissue, much of the information about security-related threats \nremain classified in Government communities, with restricted \nopportunity to share information with affected asset owners.\n    From a regulatory perspective, NERC believes the scope of \nSection 215 of the Federal Power Act, under which NERC both \ndevelops and enforces mandatory standards, appropriately places \nthe focus on ensuring the security and reliability of the bulk \npower system.\n    With that said, the increasing adoption of Smart Grid \ntechnology, such as advanced metering systems in the \ndistribution grid, has come with the need to build in more \nsecurity and flexibility to mitigate the emerging risk of \nexploring this new connectedness.\n    While a single device in the distribution system will not \nbe considered material to the bulk power system reliability \naggregate, these assets may become material. There capricious \nmagnitude of the priority of the issue at hand, and supports \nenacting legislation to address this. Moving forward, NERC is \ncommitted to complementing any Federal authority to address \ncybersecurity challenges, regardless of the form it takes. \nThank you.\n    [The statement of Mr. Assante follows:]\n                Prepared Statement of Michael J. Assante\n                             July 21, 2009\n                              introduction\n    My name is Michael Assante and I am the chief security officer for \nthe North American Electric Reliability Corporation (``NERC''). 
As the \ndesignated Electric Reliability Organization (``ERO'') in the United \nStates and much of Canada, NERC is dedicated to ensuring the \nreliability of the bulk power system in North America. As part of our \nmission, NERC evaluates, assesses, and works with industry to address \nrisks to the bulk power system through study, information sharing, and, \nwhere appropriate, mandatory standards. Cyber- and physical security \nare two such risks.\n    The last time our organization testified before the subcommittee, \nwe committed to improving our response to cybersecurity. I am able to \nconfidently report that we have done so. We certainly have more work to \ndo, but NERC and the industry have made encouraging progress on this \nissue since May 2008. My testimony today will provide an update on our \nactivities, and will also provide some important perspectives for your \nconsideration as you continue your vital work on this subject.\n    Notably, NERC firmly believes that additional, Federal authority is \nneeded to address specific and imminent cybersecurity threats to the \nbulk power system.\n                     risks to the bulk power system\n    Cyber- and physical security are two of many reliability risks \nfaced by bulk power system planners and operators.\n    Unlike other concerns, such as extreme weather, security-related \nthreats can be driven by malicious actors who intentionally manipulate \nor disrupt normal operations as part of a premeditated design to cause \ndamage. Cyber-related threats pose a special set of concerns in that \nthey can arise virtually anytime, anywhere and change and emerge \nwithout warning.\n    While the industry deals with some physical security events, like \ncopper theft, on a regular basis, other technical threats or hazards, \nsuch as electromagnetic pulse and space weather, are a concern and will \nrequire careful consideration to develop appropriate and effective \nmitigations. 
Cyber threats to control systems are still evolving and \nare not yet fully understood. The potential for an intelligent attacker \nto exploit a common vulnerability that impacts many assets at once, and \nfrom a distance, is one of the most concerning aspects of this \nchallenge. This is not unique to the electric sector, but addressing it \nwill require asset owners to apply additional, new thinking on top of \nsound operating and planning analysis when considering appropriate \nprotections against these threats.\n    Complicating this issue, much of the information about security-\nrelated threats remains classified in the defense and intelligence \ncommunities, with restricted opportunity to share information with \naffected private-sector asset owners. The electric grid is placed at \nsignificant risk as a result of limited information-sharing. NERC is \nnot aware, however, of any cyber attacks that have directly affected \nthe reliability of the power system in North America to date.\n    NERC is presently working to expand the body of analysis of \nphysical and cybersecurity risks on an industry-wide basis. These \nefforts include analysis and consideration of specific risks and \nvulnerabilities as they are identified by a group of security experts \nfrom industry, security researchers, and technology vendors, dubbed \n``Network HYDRA''. This networked group of professionals provides \nimportant insight, feedback, and a communications vehicle to raise \nawareness of important security concerns.\n    Non-traditional risks are also the subject of a working group NERC \nhas recently established in partnership with the Department of Energy \nto analyze ``high-impact, low-probability'' risks--or, more accurately, \nthose risks whose likelihood of occurrence is uncertain relative to \nother threats, but that could significantly impact the system were they \nto occur. 
Officially launched on July 2, this working group will \nexamine the potential impacts of these events on the bulk power system, \nfocusing on influenza pandemic, space weather, terrorist attacks, and \nelectromagnetic pulse events. The group will host an invitation-only \nworkshop in the coming months to discuss their assessment and develop \nconclusions and recommendations to industry based on their work. These \nrecommendations will be used to drive needed technology research, \ndevelopment, and investment and also to evaluate NERC's current \nstandards and initiatives, potentially driving the creation of new \nstandards to address these issues.\n    In addition to these on-going efforts, NERC is conducting a Cyber \nRisk Preparedness Assessment. This industry-led, voluntary assessment \nwill focus on detection, response, and mitigation capabilities for \ncyber incidents. Coordinated by NERC, the assessment will look beyond \nNERC's current cybersecurity standards for practices, procedures, and \ntechnologies that contribute to cyber preparedness across the industry. \nGeneralized, aggregated results from the assessment will be used to \ninform standards development activities, alert the industry to \npotential areas of concern, and identify areas where research and \ndevelopment investment is needed. 
For security reasons, specific \nresults of the assessment will remain confidential, a key condition of \nparticipation in the program.\n    Through these and other, more specific assessments, NERC seeks to \nbroaden the understanding of cyber risk concerns facing the \ninterconnected bulk power system and guide industry-wide efforts to \ndevelop prudent approaches to address the most material risks--in both \nthe short-term, through appropriate alerts, and longer-term, through \nappropriate standards.\n                        scope of nerc authority\n    The scope of NERC's authority as the ERO is limited to the ``bulk \npower system,'' as defined below in Section 215(a)(1) of the Federal \nPower Act:\n\n``(A) Facilities and control systems necessary for operating an \ninterconnected electric energy transmission network (or any portion \nthereof); and\n``(B) electric energy from generation facilities needed to maintain \ntransmission system reliability.\n``The term does not include facilities used in the local distribution \nof electric energy.''\n\n    This authority places appropriate focus on the reliability of the \nbulk power system, as outages and disturbances on the bulk system have \nthe potential for far greater impact than those on distribution \nsystems. Elements of the power grid outside this authorization include \ntelecommunications infrastructure and ``local distribution,'' which \ntypically includes the infrastructure within urban areas and that \nserves many military installations.\n    The increasing adoption of ``Smart Grid'' and advanced metering \nsystems on distribution systems has brought renewed focus to the \nappropriate definition of a bulk power system component. 
As grid \noperators rely on demand-response, rooftop solar panels, and other \ndistribution-level assets in capacity planning and operation, the \nreliability of the bulk power system may become increasingly dependent \non the operation of assets connected at the distribution level. While a \nsingle device would not be considered material to bulk power system \nreliability, in aggregate, these assets may become critical to the bulk \npower system.\n    As a result, NERC is working with the National Institute of \nStandards and Technology (``NIST''), the Department of Energy (``DOE'') \nand the Federal Energy Regulatory Commission (``FERC'') as security and \ninteroperability standards are developed for ``Smart Grid'' \ntechnologies. Additional efforts at NERC include high-level assessment \nby several working groups. NERC's technical committees are presently \nconsidering the formation of a ``Smart Grid Task Force'' to further \nevaluate these issues.\n           nerc mandatory reliability standards & compliance\n    Developing mandatory standards that apply to the more than 1,800 \ndiverse entities that own and operate the North American bulk power \nsystem is a complex undertaking. Standards must apply equally to \ncompanies with thousands of employees and to those with only 20. \nAdditionally, the standards must not do harm. They must take into \naccount unique component configurations and operational procedures that \ndiffer widely across the grid. Given our extensive experience in \nstandards development, NERC firmly believes the level of expertise \nneeded to create standards that achieve security objectives and ensure \nreliability can best be found within the industry itself.\n    NERC develops all its Reliability Standards through an ANSI-\naccredited process, which we believe provides the appropriate framework \nfor ensuring that subject matter expertise is used to create and vet \nthe standards. 
Though use of an ANSI-accredited process is not \nspecifically required, the Federal Power Act does specify that the \nstandards development process must ``provide for reasonable notice and \nopportunity for public comment, due process, openness, and balance of \ninterests in developing reliability standards . . . .'' (Sec. \n215(c)(2)(D)).\n    In certifying NERC as the ERO, FERC found that NERC's ANSI-\naccredited standards setting process meets these requirements. The \nstandards development process is set forth in NERC's Rules of \nProcedure, which FERC has approved.\n    The ANSI-accredited standards development process has yielded \nimportant results as NERC has revised its Critical Infrastructure \nProtection (``CIP'') Reliability Standards over the past year. NERC's \nBoard of Trustees approved revisions to eight of the nine currently-\napproved CIP Reliability Standards on May 6, 2009, after the standards \npassed industry balloting with an 88 percent approval rating. The high \napproval rating indicates the industry's strong support for these \ndevelopment efforts, which has been vital to their success.\n    These revised standards were filed with FERC for regulatory \napproval in the United States on May 22 and are already mandatory and \nenforceable in parts of Canada.\n    NERC's Critical Infrastructure Protection standards fill a specific \nrole in the protection of the bulk power system. The standards are \ncomprised of roughly 40 specific requirements designed to lay a solid \nfoundation of sound security practices that, if properly implemented, \nwill develop capabilities needed to defend critical infrastructure from \ncybersecurity threats. The standards are not, however, designed to \naddress specific, imminent threats or vulnerabilities.\n    Work on additional, phase-two CIP standards revisions continues, \nwith initial industry validation on track for the fourth quarter of \n2009. 
Modifications underway as part of the phase-two revisions include \nconsidering the extent to which elements of the Recommended Security \nControls for Federal Information Systems under development by NIST can \nbe incorporated into the CIP Reliability Standards. Also under \nconsideration are broader foundational requirements for training and \npreparedness, specifically with applicability to entities who do not \nown or operate Critical Assets.\n    Additional modifications underway in this phase-two development \nwork were the subject of a letter I sent to industry stakeholders on \nApril 7, 2009. The letter addressed the identification of Critical \nAssets and associated Critical Cyber Assets that support the reliable \noperation of the bulk power system, as required by NERC Reliability \nStandard CIP-002-1. The letter was based on initial data collections \nNERC has used to evaluate the implementation of the standard across the \nindustry prior to the start of formal audits, which began for some \nentities on July 1, 2009. The appropriate prioritization of assets for \nprotection is a critical component of a successful security strategy, \nthough its implementation poses a significant challenge to industry \ngiven the complex nature of the system and the changing nature of cyber \nthreats.\n    In my April 7 letter, I called on users, owners, and operators of \nthe bulk power system to take a fresh look at current risk-based \nassessment models to ensure they appropriately account for new \nconsiderations specific to cybersecurity, such as the need to consider \nmisuse of a cyber asset, not simply the loss of such an asset. The \nletter is part of the iterative process between NERC and industry \nstakeholders as we work together to improve reliability. 
In this case, \nNERC gathered information about the status of implementation of the \ncritical infrastructure protection standards and fed that information \nand its own insights back to the industry as part of a cycle of \ncontinuous improvement.\n    This effort demonstrates that NERC is working to address a critical \nelement of the cybersecurity challenge: The educational learning curve \nand resulting compliance-related challenges that must be addressed to \nimprove the cybersecurity of the bulk power system. Ensuring that each \nof the more than 1,800 entities that own and operate components of the \nbulk power system understands cybersecurity and the efforts needed to \nadequately protect the security of the bulk power system has been a \npriority for NERC.\n    The standards development and improvement process is producing \nresults; however, NERC recognizes this process is not well-suited to \naddressing more imminent threats. As a result, NERC has been working \nwith its stakeholders over the past year to develop and vet an \nalternate process for standards development to address imminent needs. \nThis process is nearing completion and is expected to be submitted to \nFERC for approval before the end of the year.\n                      addressing imminent threats\n    At NERC, we are working in a number of areas to help provide or \nassist in the provision of the kinds of information that will help the \nindustry better secure critical assets from advanced, well-resourced \nthreats and other known cyber activity on an on-going basis. Strong and \nproactive participation by industry volunteers thus far has been \nencouraging.\n    In these efforts, NERC collaborates with DOE and the U.S. \nDepartment of Homeland Security (``DHS'') on critical infrastructure \nand security matters on an almost daily basis. 
Additionally, NERC \nserves as the Electricity Sector Information Sharing and Analysis \nCenter (``ES-ISAC''), which is responsible for promptly analyzing and \ndisseminating threat indications, analyses, and warnings to assist the \nelectricity industry.\n    NERC has in place a formal mechanism for issuing alerts to the \nindustry about important matters that come either from NERC's own \nefforts, identified vulnerabilities or attacks, or from Government \nagencies with specific information about possible threats. Alerts \nissued through this mechanism are not mandatory and cannot require an \nentity to perform tasks recommended or advised in the alert. NERC has \nsignificantly improved this system over the past year and continues \nimprovements through the development of a secure alerting portal, due \nto be complete this fall.\n    NERC is now able to provide timely, critical reliability \ninformation to nearly 5,000 security and grid operations professionals \nwithin minutes, and has demonstrated success by conducting training and \nusing the system to send alerts, record acknowledgements and receive \nresponses within several days. NERC has issued nine such alerts in \n2009, with its most recent ``recommendation'' receiving a 94 percent \nresponse rate. The industry has been very supportive as we have worked \nto improve this process.\n    NERC's recent work to alert the industry of the Conficker worm, \nincluding lessons learned on mitigation, involved the issuance of one \nrecommendation, two advisories, and an awareness bulletin over the span \nof 6 months. These efforts significantly contributed to overall \npreparedness and awareness of the underlying vulnerability and cyber \nthreat.\n    We acknowledge and believe, however, that there are circumstances \nwhere NERC's efforts will not be adequate to identify or address \nspecific imminent threats. 
Threats like those suggested by the April 8 \nWall Street Journal article discussing the existence of ``cyber spies'' \nin the electric grid, for example, have been challenging for the \nindustry to fully evaluate and address. Without more specific \ninformation being appropriately made available to asset owners, they \nare unable to determine whether these concerns exist on their systems \nor develop appropriate mitigation strategies. A mechanism therefore is \nneeded to validate the existence of such threats and ensure information \nis appropriately conveyed to and understood by asset owners and \noperators in order to mitigate or avert cyber vulnerabilities.\n    NERC and the electric industry have been working closely in \nconfidence to evaluate threats such as those described in the article. \nSpecific information about these efforts is bound by confidentiality \nagreements.\n                   emergency federal authority needed\n    Preparedness and awareness efforts like the assessments, alerts, \nand standards discussed above are necessary, but not sufficient, to \nprotect the system against specific and imminent threats. NERC firmly \nbelieves that additional emergency authority is needed at the Federal \nlevel to address these threats, and NERC supports legislation that \nwould give an agency or department of the Federal Government necessary \nauthority to take action in the face of specific and imminent cyber \nthreats.\n    For the reasons discussed above (that reliability standards must do \nno harm, take unique component configurations into account, and apply \nequally to all bulk power system entities--including those in Canada--\nregardless of size or structure), NERC firmly believes the level of \nexpertise needed to create standards that achieve security objectives \nand ensure reliability can best be found within the industry itself. 
\nNERC believes an industry-based standards development process utilizing \ncross-border subject matter expertise will yield the best results for \nlong-term reliability standards.\n                               conclusion\n    NERC, the electric industry, and the governments of North America \nshare a mutual goal of ensuring threats to the reliability of the bulk \npower system, especially cybersecurity threats, are clearly understood \nand effectively mitigated. NERC has taken a number of actions to \nprotect the bulk power system against cybersecurity threats and NERC \nwill continue its work with Governmental authorities and industry \nstakeholders to do so. We believe these efforts have improved and will \ncontinue to improve the reliability and security of the bulk power \nsystem. We maintain, however, that these efforts cannot be a substitute \nfor additional emergency authority at the Federal level to address \nspecific and imminent cybersecurity threats.\n    NERC appreciates the magnitude and priority of this issue, and \nsupports enactment of legislation to address this gap in authority as \nquickly as possible. Moving forward, NERC is committed to complementing \nFederal authority to address cybersecurity challenges, regardless of \nthe form it may take. We commend this subcommittee for its action to \ndate and look forward to supporting your efforts however possible.\n\n    Mr. Thompson. Thank you very much. Mr. Naumann, for 5 \nminutes.\n\n   STATEMENT OF STEVEN T. NAUMANN, VICE PRESIDENT, WHOLESALE \n   MARKETS, EXELON CORPORATION; REPRESENTING EDISON ELECTRIC \n        INSTITUTE AND ELECTRIC POWER SUPPLY ASSOCIATION\n\n    Mr. Naumann. Thank you. Chairwoman Clarke and Members of \nthe subcommittee. My name is Steve Naumann, and I am vice \npresident of wholesale market development for Exelon \nCorporation. 
Our utility companies serve 5.4 million customers \nin Chicago and Philadelphia.\n    I also serve as Chairman of the NERC Member Representatives \nCommittee. As was noted, I am appearing on behalf of the Edison \nElectric Institute and the Electric Power Supply Organization. \nWe appreciate the opportunity to testify about cybersecurity in \na critical infrastructure on behalf of these organizations.\n    I would like to discuss three issues relating to securing \ncritical electric infrastructure. First, the success of public-\nprivate partnerships in recognizing and addressing cyber \nthreats and vulnerabilities; second, the need to avoid \nunintended consequences when implementing cybersecurity \nremedies; and third, policy proposals being considered by \nCongress and the administration.\n    The owners, operators, and users of the bulk power system \ntake cybersecurity very seriously. To this end, as \ncybersecurity threats continue to evolve and our adversaries \nbecome more sophisticated, the public sector welcomes even more \ncooperation with, and information from, Government partners.\n    Both the Federal Government and electric utilities have \ndistinct realms of responsibility and expertise in protecting \nthe bulk power system from cyber attack.\n    Ideally, to ensure the cybersecurity of the Nation's \nelectric grid and utilize the vast expertise of both public and \nprivate sectors, we need to clearly define these \ncomplementary roles and responsibilities while facilitating \ncooperation and information sharing between Government agencies \nand utilities.\n    Giving you an example of how Exelon operates, we address \nrisks through a defense-in-depth strategy while balancing the \nconsiderations for consequences. 
This includes preventive \nmonitoring and detective measures to ensure the security of our \nsystems.\n    We regularly perform penetration tests to inform us of \nwhether our preventative strategies are working so we can \nenhance our protection as technologies and capabilities evolve. \nThese tests allow us to practice and enhance our monitoring \ncapabilities while yielding lessons learned that are unique to \nour system.\n    But as was mentioned before, no two utility systems have \nidentical network, hardware, or logistical strengths. No \nsingle entity will know the system's strengths or weaknesses \nlike we do.\n    Going on to Smart Grid, one of the issues that was raised \nwas the increased possible vulnerability of adding these \ndevices to the distribution system. We believe it is very \nimportant to work with the manufacturers and the vendors to \nensure that security is built into the devices and is \nupgradeable from the devices.\n    We would encourage the development of the security \ncertification program, a good housekeeping seal of approval if \nyou will, through which Smart Grid components and systems could \nundergo independent testing and receive that certification that \nsecurity tests have been passed.\n    This would help the utilities differentiate among vendors \nto select those providing appropriate cybersecurity. 
The \ncareful consultation with the electric utility industry helps \nensure that Government intervention in protecting the grid from \na cyber attack doesn't have unintended or harmful consequences.\n    As mentioned, the electricity grid is a complex system; \ncertain measures that might prevent a particular \ncyber attack could themselves have adverse impacts to safe \nand reliable utility operation and service to customers.\n    For this reason, any new legislation that would give \nadditional cybersecurity authority to a Federal agency should \nbe limited to true national emergency situations where there is \na significant national security or public welfare concern and \nshould provide to the extent possible consultation with \nindustry experts.\n    Congress should focus, then, on what additional authority is \nneeded in order to promote clarity and focus in response to \nimminent cybersecurity threats.\n    The Section 215 mandatory reliability framework reflects \nyears of work in broad consensus reached by industry and other \nstakeholders and is a good starting point to go by. EPSA and \nEEI and their member companies remain fully committed to work \nwith the Government and the industry partners to increase \nsecurity.\n    I appreciate the opportunity to appear today and would be \nhappy to answer any questions. Thank you very much.\n    [The statement of Mr. Naumann follows:]\n                Prepared Statement of Steven T. Naumann\n                             July 21, 2009\n    Mr. Chairman and Members of the subcommittee: My name is Steve \nNaumann, and I am vice president for Wholesale Market Development for \nExelon Corporation. I also serve as chairman of the member \nrepresentatives committee of the North American Electric Reliability \nCorporation (NERC). 
I appreciate your invitation to appear today and \nthe opportunity to testify about protecting the electric grid from \ncybersecurity threats.\n    Exelon is a holding company headquartered in Chicago. Our retail \nutilities, ComEd in Chicago and PECO in Philadelphia, serve 5.4 million \ncustomers, or about 12 million people--more than any other electric \nutility company. Our generation subsidiary, Exelon Generation, owns or \ncontrols approximately 30,000 MW of generating facilities, including \nfossil, hydro, nuclear, and renewable facilities. Our nuclear fleet \nconsists of 17 reactors; it is the largest in the Nation and the third \nlargest in the world.\n    I am appearing today on behalf of the Edison Electric Institute \n(EEI) and the Electric Power Supply Association (EPSA). Exelon is a \nmember of both. EEI is the trade association of U.S. shareholder-owned \nelectric companies and has international affiliate and industry \nassociate members world-wide. EEI's U.S. members serve 95% of the \nultimate customers in the shareholder-owned segment of the industry and \nrepresent about 70% of the U.S. electric power industry. EPSA is the \nnational trade association representing competitive power suppliers, \nincluding generators and marketers. EPSA members own 40 percent of the \ninstalled generating capacity in the United States, providing reliable \nand competitively priced electricity from environmentally responsible \nfacilities.\n    My testimony focuses on the nature of cybersecurity threats to the \nbulk power electric system and the efforts of electric utilities to \nrespond to those threats. 
At the subcommittee's request, I also will \nshare suggestions and observations regarding the relationship between \nGovernment and the private sector in our efforts to secure the electric \ngrid from cyber attacks.\n    I want to assure the subcommittee that as owners, operators, and \nusers of the bulk power system, electric utilities take cybersecurity \nvery seriously. We are actively engaged in addressing cybersecurity \nthreats as they arise and in employing specific strategies that make \nevery reasonable effort to protect our cyber infrastructure and \nmitigate the risks of cyber threats. As the industry relies \nincreasingly on electronic and computerized devices and connections, \nand the nature of cyber threats continually evolves and becomes more \ncomplex, cybersecurity will remain a constant challenge for the \nindustry. But we believe we are up to the task, building on our \nindustry's historical and deep-rooted commitment to maintaining system \nreliability.\n   industry standards, emergency authority, and legislative proposals\n    The industry believes it is appropriate for Congress to consider \nlegislation providing the Federal Energy Regulatory Commission (FERC) \nnew emergency authority to address imminent cybersecurity threats. I \nwant to emphasize, however, that current law already provides the means \nto address many cybersecurity issues in the electric industry. Section \n215 of the Federal Power Act (FPA), which was enacted by Congress as \npart of the Energy Policy Act of 2005, provides for mandatory and \nenforceable electric reliability rules, specifically including rules to \naddress cybersecurity with FERC oversight.\n    The basic construct of the relationship between FERC and NERC, \nwhich FERC certified as the Electric Reliability Organization (ERO) \nunder FPA Section 215, in developing and enforcing reliability rules is \nsound. 
In summary, NERC, using a well-defined stakeholder process that \nleverages the vast technical expertise of the owners, users, and \noperators of the North American electric grid (including those in \nCanada with whom we are interconnected) develops reliability standards, \nwhich are then submitted to FERC for review and approval. Once approved \nby FERC, these standards are legally binding and enforceable in the \nUnited States. NERC also submits these standards to regulatory \nauthorities in Canada.\n    I suggest the question on which the subcommittee should focus is, \n``What additional authority should be provided to FERC in order to \npromote clarity and focus in response to imminent cybersecurity threat \nsituations?'' Legislation in this area should complement, not supplant, \nthe mandatory reliability regime already established under FPA Section \n215, and any new FERC authority should be appropriately narrow and \nfocused only on unique problems that cannot be addressed under Section \n215. The FPA Section 215 mandatory reliability framework reflects years \nof work and broad consensus reached by industry and other stakeholders \nin order to ensure a robust, reliable grid. It should not be undermined \nso early in its implementation.\n    Any cybersecurity legislation should promote consultation with \nindustry stakeholders and owner-operators of the bulk power system on \nremediation measures. Consultation is critical to improving \ncybersecurity.\n    Obviously, the scope of the damages that could result from a \ncybersecurity threat depends on the details of any particular incident. \nA carefully planned cyber attack could potentially have serious \nconsequences. In considering the scope of damages that any particular \ncybersecurity threat might inflict, utilities must also consider the \npotential consequences caused by any measures taken to prevent against \ncyber attack. 
Certain measures that might prevent a particular type of \ncyber attack could themselves have adverse impacts to safe and reliable \nutility operations and service to electricity customers. Examples might \ninclude slower responses during emergency operations, longer times for \nrestoration of outages and disruption of business operations dependent \non internet access. That is why each situation requires careful \nconsultation with utilities to ensure that a measure aimed at \nprotecting the grid from a malicious cyber attack does not instead \ncause other unintended and harmful consequences.\n    Furthermore, every utility operates different equipment in \ndifferent environments, making it difficult to offer generalizations \nabout the impacts to the bulk power system or costs and time required \nto mitigate any particular threat or vulnerability. This complexity \nunderscores the importance of consultation with owners, users, and \noperators to ensure that any mitigation that may be required \nappropriately considers these factors to ensure an efficient and \neffective outcome.\n    For the foregoing reasons, any new legislation giving FERC \nadditional statutory authority should be limited to true emergency \nsituations involving imminent cybersecurity threats where there is a \nsignificant declared national security or public welfare concern. In \nsuch an emergency, it is imperative that the Government provide \nappropriate entities clear direction about actions to be taken, and \nassurance that those actions will not have significant adverse \nconsequences to utility operations or assets, while at the same time \navoiding any possible confusion caused by potential conflicts or \noverlap with existing regulatory requirements.\n    Because of its extraordinary nature and potentially broad impacts \non the electric system, any additional Federal emergency authority in \nthis area should be used judiciously. 
Legislation granting such \nauthority should be narrowly crafted and limited to address \ncircumstances where the President or his senior intelligence advisors \ndetermine there is an imminent threat to national security or public \nwelfare.\n      public-private partnerships: collaboration and communication\n    The following comments address the specific issues raised by the \nsubcommittee's invitation to testify regarding how Government and the \nprivate sector share information before, during, and after \ncybersecurity attacks.\n    Both the Federal Government and electric utilities have distinct \nrealms of responsibility and expertise in protecting the bulk power \nsystem from cyber attack. The optimal approach to utilizing the \nconsiderable knowledge of both Government intelligence specialists and \nelectric utilities in ensuring the cybersecurity of the Nation's \nelectric grid is to promote a regime that clearly defines these \ncomplementary roles and responsibilities and provides for on-going \nconsultation and sharing of information between Government agencies and \nutilities.\n    Information about cybersecurity vulnerabilities and attempts to \nexploit those vulnerabilities is shared with electric industry owners, \nusers, and operators through a number of channels every day. Federal \nagencies that communicate this information to the private sector, such \nas the United States Computer Emergency Readiness Team (US-CERT), as \nwell as cybersecurity hardware and software vendors, classify \nvulnerabilities in terms of the generalized risk to systems. 
Factors \nsuch as the seriousness of consequences of a successful attack, the \nsophistication required to conduct the attack, and how widely used the \npotentially affected assets are within an industry are used to rank \nvulnerabilities as ``high'', ``medium'', or ``low'' risk.\n    Fundamentally, however, the private sector can sometimes be \ndisadvantaged in assessing the degree and urgency of possible or \nperceived cyber threats because of inherent limitations on its access \nto intelligence information. The Government is entrusted with national \nsecurity responsibilities and has access to volumes of intelligence to \nwhich electric utilities are not privy. On the other hand, electric \nutilities are experienced and knowledgeable about how to provide \nreliable electric service at a reasonable cost to their customers, and \nwe understand how our complex systems are designed and operate. Owners, \nusers, and operators of the bulk power system are in a unique position \nto understand the consequences of a potential malicious act as well as \nproposed actions to prevent such exploitation. Greater cooperation, \ncoordination, and intelligence sharing between Government and the \nprivate sector should be encouraged, consistent with the public-private \npartnership model endorsed by the President's 60-day cybersecurity \nreview.\n    Exelon, for example, is addressing the risks we know about through \na ``defense-in-depth'' strategy while appropriately balancing \nconsiderations of potential consequences. This defense-in-depth \nstrategy includes preventive monitoring and detective measures to \nensure the security of our systems. We perform penetration tests where \na contractor attempts to find and exploit vulnerabilities. The results \nof these regular penetration tests inform us about whether our \npreventive strategies are working so that we can enhance our protection \nas technologies and capabilities evolve. 
These penetration tests, which \nallow us to practice and enhance our monitoring capabilities, also \nyield lessons learned that are unique to our system. Because no two \nutility companies have identical network, hardware or logistical \nconfigurations, no single entity will know our system's strengths or \nweaknesses quite like we do.\n    NERC, which functions as the Electric Sector Information Sharing \nand Analysis Center (ISAC), disseminates alerts to provide information \nto the electric industry. With the input of its members, NERC has \nrevised its procedures significantly over the past 2 years to improve \nthe ability to quickly and securely provide this critical information \nto industry. This should ensure that when new vulnerabilities are \nuncovered, users, owners, and operators will receive the needed \ninformation in a timely manner to take corrective action. Thus, we \nbelieve that the ISAC is providing timely and relevant analysis and \nalerts to the industry. Many of us have been frustrated with NERC's \nhistorically slow information-sharing process. I am pleased to note \nthey have improved and we are getting information in a much more timely \nmanner, though like anything else, there is always room for more \nimprovement.\n                               smart grid\n    As grid technologies continue to evolve and become ``Smarter,'' \nthey inevitably will include greater use of digital controls. Congress \nrecognized the potential cybersecurity vulnerabilities, as well as \nbenefits, that could result from greater digitization of the grid when \nit directed DOE to study these issues in Section 1309 of the Energy \nIndependence and Security Act of 2007. 
Manufacturers of critical grid \nequipment and systems must fulfill their security responsibilities by \nadopting good security practices in their organizations, building \nsecurity into their products, and establishing effective programs so \nthat, as new vulnerabilities are discovered, they can inform customers \nand provide technical assistance with mitigation. As new Smart Grid \ntechnologies are developed, it is imperative for the industry to work \nclosely with vendors and manufacturers to ensure they understand that \ncybersecurity is essential so that protections are incorporated into \ndevices as much as possible.\n    It is equally critical that cybersecurity solutions be incorporated \ninto the architecture being developed for Smart Grid solutions, so that \nthe great benefits new Smart Grid technologies will provide are \nimplemented in a secure fashion. With Smart Grid solutions in the early \nstages of development, opportunities exist to ensure this vision is \nfulfilled. EEI supports the process currently underway at the National \nInstitute of Standards and Technology (NIST) to develop a framework of \nstandards that will become the foundation of a secure, interoperable \nSmart Grid. It is imperative that NIST proceed boldly and expeditiously \nto establish standards applicable to all.\n    EEI is encouraging the development of a security certification \nprogram, through which Smart Grid components and systems could undergo \nindependent testing and receive a certification that security tests had \nbeen passed. Such a program would help utilities differentiate among \ndifferent vendor solutions to select those providing appropriate \ncybersecurity.\n    Finally, I would like to provide the subcommittee information on \nadvanced metering implementation by Exelon's operating utilities. ComEd \nwill be installing Advanced Metering Infrastructure under an Illinois \nCommerce Commission approved pilot program. 
PECO is installing Smart \nMeters in accordance with Pennsylvania law that requires distribution \ncompanies to deploy Smart Meters for all customers over 15 years. \nCybersecurity has been a cornerstone of Exelon's Smart Grid/Advanced \nMeter Strategy from its inception in early 2008. Exelon understands and \nrecognizes the potential risks associated with the deployment of such \ntechnologies throughout its service territories and treats \ncybersecurity with the utmost importance. To ensure security of these \ninstallations, Exelon is following internally developed security \nrequirements and documenting them in requests for proposals to vendors \nfor the supply of Smart Grid/Advanced Meter solutions. This includes \nthe requirement to enumerate vendor security capabilities that ensure \nconfidentiality, integrity, and availability. Exelon maintains a \nvulnerability management program which requires a documented \npenetration test to demonstrate that controls are implemented as \ndesigned. Third-party vendor audits are also performed to ensure vendor \ndesign & manufacturing controls are adequate. From an industry \ncommunity and vendor perspective, Exelon is an active participant in \nthe NIST Smart Grid Roadmap and Security Strategy development \ninitiative and actively participates in other industry groups. ComEd \nand PECO will seek recovery of 100% of their costs of metering \ninfrastructure in rate cases--as they do for all other infrastructure--\nexcept to the extent ComEd and PECO receive stimulus funding for \nadvanced meters. ComEd and PECO both plan to apply to DOE for Smart Grid \nInvestment Grant (SGIG) funds to support their overall Smart Grid \ndeployment efforts. Greater security is one of the benefits of the \nSmart Grid that DOE has articulated. Pursuant to this, SGIG \napplications are required to detail the cybersecurity implications of \nany project seeking funding. 
Cybersecurity has been a key consideration \nin the development of ComEd and PECO's Smart Grid plans and will be \nfurther detailed in their respective grant applications.\n                               conclusion\n    While many cybersecurity issues are already being addressed under \ncurrent law, we believe it is appropriate to provide FERC with explicit \nstatutory authority to address cybersecurity in a situation deemed \nsufficiently serious to require a Presidential declaration of \nemergency. In such a situation, the legislation should clarify the \nrespective roles, responsibilities, and procedures of the Federal \nGovernment and the industry, including those for handling confidential \ninformation, to facilitate an expeditious response.\n    Any new authority should be complementary to existing authorities \nunder Section 215 of the Federal Power Act, which rely on industry \nexpertise as the foundation for developing reliability standards. Any \nnew authority should also be narrowly tailored to deal with real \nemergencies; overly broad authority would undermine the collaborative \nframework that is needed to further enhance security.\n    Promoting clearly defined roles and responsibilities, as well as \non-going consultation and sharing of information between Government and \nthe private sector, is the best approach to improving cybersecurity. \nEach cybersecurity situation requires careful, collaborative assessment \nand consultation regarding the potential consequences of complex \nthreats, as well as mitigation and preventive measures, with owners, \nusers, and operators of the bulk power system.\n    Exelon and other electric utilities remain fully committed to \nworking with the Government and industry partners to increase \ncybersecurity.\n    I appreciate the opportunity to appear today and would be happy to \nanswer any questions.\n\n    Mr. Thompson. Thank you very much, and I thank all the \nwitnesses for their testimony. 
I will remind each Member that \nhe or she will have 5 minutes to question the panel. I will now \nrecognize myself for the first set of questions.\n    Each of you have talked about this attack in one capacity \nor another. Starting with Dr. Graham and going to his left, can \nthe panel tell this committee in their professional opinion if \nthe electric industry has appropriate protections, today, to \nprotect against a cyber or an EMP attack?\n    Mr. Graham. Mr. Chairman, the electric industry today does \nnot have adequate protection in place, or as far as I can tell, \nany protection in place for the power distribution and the \npower generation systems of this country.\n    Given that the power grids are in a state of \ntransformation, I believe this is a particularly appropriate \ntime to build that protection in and it will help not only with \nEMP but with such problems as grid collapse, as we saw on \nAugust 13, 2003 and earlier times as well.\n    So it could be very effective. It is very timely and I \nbelieve, very needed.\n    Mr. Thompson. Mr. Fabro.\n    I have to admit, also, I love the name of your company too.\n    Mr. Fabro. Thank you, sir. Thank you, sir. The question \nthat you are asking is one that is quite difficult, because you \nare trying to encapsulate a very, very large problem with one \nsingle question.\n    Is the bulk power system of the electric grid completely \nimmune and protected from cyber attack? No, but there are \nsignificant pockets, significant pockets, and significant \npockets of progress that have shown that the overall \ncybersecurity risk profile of the bulk power system in North \nAmerica, not just within the United States, within North \nAmerica, because it is a multi-national issue, has improved \nsubstantially. Substantially. 
It is very easy to go and look at \nthe things that are notably bad; reports from the press or \nother issues that we hear in various news outlets.\n    But overall, from someone who experiences on a day-to-day \nbasis, who lives and works in the trenches of this, I actually \nsee standards and work and cooperative engagements and what is \nbeing done by public-private partnerships in action and they \nwork.\n    I cannot comment on EMP. I will just leave that, of course, \nto Dr. Graham.\n    Mr. Thompson. Thank you. Mr. Assante.\n    Mr. Assante. I have been very encouraged by the progress in \nindustry to secure vital systems to protect the bulk power \nsystem. It is a very complex problem in order to wrestle. I \nwill tell you this: I have been working for years and looking \nat the underlying technology, the vulnerabilities that exist in \nthe unique operating environments in which the technology \nexists.\n    We do believe that there are vulnerabilities in the system. \nWe know that we are not immune from these attacks. We are \ncommitted to this call to action. My letter, made on April 7, \nwas a, I think, very important in that it brought out the \ndialogue that was necessary to talk about how to prioritize \nassets for protection.\n    There are some important issues to consider when you look \nat how one can manipulate technology in such a way to cause an \nimpact. The misuse of technology is a very important thing to \nconsider. The ability to exploit technology horizontally is \nimportant.\n    Industry, I believe, is up for that challenge. I don't \nthink there is an easy answer, and it won't happen very \nquickly, or enhancing the standards. We are putting in place \nall the mechanisms necessary to be able to communicate about \nthreats and warnings, so that we can take quicker action. 
We \nare dedicated to public and private partnerships to learn more \ninformation.\n    Very briefly on EMP, I again, believe that the \nelectromagnetic pulse, is a high-impact concern is something \nthat we are concerned in the electric power system. We are \npartnering with the Department of Energy. We have consumed the \nEMP Commission's report. We supported it, not only staff, but \nalso industry experts, in the deliberation. We intend to look \nat these risks alongside of other risks to evaluate them and \nprioritize them and to take a look at what mechanisms we have \nto further mitigate the system for these types of threats.\n    Mr. Thompson. Mr. Naumann.\n    Mr. Naumann. Thank you.\n    My belief is that in general, the North American grid is \nwell-protected against cyber attacks; at least those threats \nthat we know about.\n    The biggest problem, we believe, we face is the lack of \ninformation because of the security nature of that information \nand it is hard to devise mitigation against something you don't \nknow.\n    That is something that is on-going. We are trying to work \nwith the Federal agencies. But that, to us, is the No. 1 thing \nthat we need to work on.\n    As far as EMP attack, as Mr. Assante has said, and as Dr. \nGraham said, that this is a low-probability, high-impact event. \nIt is something that the industry will pay attention to, wants \nto work with the Federal Government to devise mitigation and \nresponses. But what we need to know is what is the design \nthreat that needs to be dealt with? What are the mitigations \nfrom that that we need to work out? What are the consequences \nof that mitigation? What is the priority of this particular \nthreat compared to the other low-probability, high-impact \nthreats that have been mentioned?\n    Thank you.\n    Mr. Thompson. My time has expired. I recognize the \ngentleman from California, Mr. Lungren.\n    Mr. Lungren. Thank you very much, Mr. Chairman. 
Again, I \nwould like to congratulate the panel, not only on their verbal \ntestimony, but their written testimony. It is very helpful. We \ncould spend hours here and we have got two really serious \nsubjects. One, the EMP and one cybersecurity, and I think it is \ngood that we have them here together, but also there is a \nproblem because we can't go in depth as to where we want to go \non this.\n    First of all, Mr. Naumann, you talked about the problem \nwith the industry not knowing the threat because of the \nsecurity nature of the information from the Federal Government. \nAre we beginning to attack that problem? How would you suggest \nthat we try and resolve that problem?\n    Mr. Naumann. I believe we need to have a more formal \ncollaborative, where a certain set of industry people are given \nsufficient clearance. This is something that NERC is working \non, where the Federal Government can give us high-level \nsecurity information. Those experts can then, working with the \nFederal Government, devise the mitigation and then essentially \ncensor the information, but send out the mitigation to the \nindustry, so that we could implement that.\n    Mr. Lungren. Mr. Assante.\n    Mr. Assante. We have been working hard, I think, and it is \na critical impasse. I think it gets back to the Aurora \nvulnerability. What is needed to devise the best mitigation \nstrategies is accurate information in order to support the \ndevelopment of those strategies. 
We have been working very hard \nwith the Department of Energy, the Department of Homeland \nSecurity, and even through the intelligence community, to be \nable to share information.\n    To be able to validate information as we see it in the \nprinted and public press, of the Wall Street Journal, to be \nable to understand the success and tactics that adversaries \nhave been able to use to compromise systems, whether they be \nGovernment or private sector and being able to appropriately \nadjust our defense postures. Importantly, going past \ninformation sharing, we are working on the elements to share \nthe information.\n    So within our industry, we can get that information to \npeople who need to take action. We are also working on \ndeveloping the ability to respond to and to contain and to \nminimize the consequences of a successful attack. We are not \ngoing to put all our effort into simply prevention. That has \nfailed us as a Nation. Prevention is important, but it is not \nthe only part of it and we are dedicated to working with \nentities to be able to put more focus on it.\n    Mr. Lungren. Let me ask you this, when we usually do a risk \nanalysis, we talk about threat vulnerability and consequence. \nYou obviously know the consequence, your companies would know \nthe consequence of a problem; a disastrous or consequential \ninterruption.\n    Are you saying what you need more from the Federal \nGovernment is information with respect to the threat only? Or \nalso that the Federal Government has an ability to tell you \nwhat the vulnerabilities are above and beyond what you know \nyour vulnerabilities to be?\n    Mr. Assante. They are, actually, it is on both accounts. As \nfar as it relates to threats, when the Federal Government can \nobserve and analyze successful attacks. It is important for us \nto understand how those attacks looked and how we would respond \nto those attacks. 
But importantly, as you address \nvulnerabilities, control systems are very complex, the \nimplementation of that technology is complex and the ability of \nany one asset owner utility to understand the inner workings of \nthat technology to all the underlying weaknesses that might be \nthere, it is very difficult for the asset owner to do that.\n    Mr. Lungren. So who would you look to for that? The Federal \nGovernment? Both?\n    Mr. Assante. It is the Government. The Department of Energy \nand the Department of Homeland Security have two very \nsuccessful programs that have been testing control system \ntechnology. The discovery of vulnerability is very helpful for \nus to be able to enhance the security of those systems.\n    Mr. Lungren. Does that need to be somewhat made more \nrobust? Or is there a problem with getting security ratings for \nyour people? I mean, where is the problem there?\n    Mr. Assante. Well, some of the problem has to do with the \npartnership that is required in this global supply chain of \nworking with these vendors that supply the technology. A lot of \ntimes, they are willing to look at the technology, but under \ncontract agreements, so that the information wouldn't be made \npublic. That information then goes to the vendor to address. It \nis, in many cases, shared with the utilities. But that progress \nhas been limited by the scope of those programs. We do believe \nthey provide a lot of value.\n    We have been heavily participating----\n    Mr. Lungren. Well, if you need any additional legislative \numbrella for that, let us know.\n    Dr. Graham, can you tell me, are there any other countries \nhardening their critical infrastructure to defend against EMP?\n    Mr. Graham. Yes. In fact, we have helped some of our allies \nin that direction. We know that at least the Soviet Union, now \nRussia, has also worked on that. 
We know that China is \nextremely interested in EMP, has a large number of people \nthere, engineers, scientists, working on it. There is enough \ntraffic among these communities that deal with high-tech and \nnuclear subjects, outside the United States, that are among our \nadversaries that it is widely spread.\n    Mr. Lungren. Just one real short question. That is, are any \ncountries ahead of us in terms of our efforts to either \nrecognize our problem or react to it by hardening our critical \ninfrastructure?\n    Mr. Graham. They are all ahead of us in one way, which is \nthey are less dependent upon computer-controlled information, \ndominant systems, than we are, and therefore less vulnerable.\n    In terms of number of people working on the subject, I \nthink China is far ahead of us. In terms of the implementation \nin civilian systems, most of the European countries are ahead \nof us.\n    Mr. Thompson. Thank you very much. The Chair now recognizes \nthe gentlelady from California for 5 minutes. Ms. Lofgren.\n    Ms. Lofgren. Thank you, Mr. Chairman, and thanks for this \nhearing. I think the fact that we are here today speaks of our \nbipartisan intention to pay attention to this. Our new \nChairwoman, Ms. Clarke, is joined, of course, by the Chairman \nof the full committee. Mr. Lungren has had a full interest in \nthis for some time.\n    I notice Mr. Langevin, who chaired the subcommittee with \njurisdiction over cyber was earlier here. A long time ago, I \nwas the Ranking Member on the Cyber Security Subcommittee, when \nit was chaired by Mr. Thornberry. So it is many years of \nfrustration over this situation that has brought us here today \nand I am happy to be an original co-sponsor of this bill.\n    I think back to the last Congress, at a hearing that we \nhad, and we all knew, because we had been briefed in a \nclassified setting, about some things that needed to be done to \nmake the Nation secure and it was not happening. 
When we turned \nto FERC, they were unable to make it happen. We asked them if \nthey wanted the authority to require the steps to keep the \nNation secure? They basically saw--so they couldn't do it, and \nthey didn't want to do it, which I thought was a pretty weird \nanswer, in all honesty.\n    Because the comments made today about the need for \ncollaboration, we agree with. The comments made about the role \nof the ISACs, we agree with. The need, and if there are \nsuggestions, and that is my question, to add some additional \nsteps so that the private sector has consultation, that will \njust enhance the matter.\n    But when all is said and done, the infrastructure that is \nowned, primarily, by the private sector is relied on by the \nentire country. If a SCADA system has a vulnerability that we \nknow about, and steps are not taken to secure it, and the whole \ngrid goes down, the Government has the right to be interested \nin that matter and right to, really, to require that steps be \ntaken to protect the Nation.\n    So I am interested in specific comments that any of the \nwitnesses may have about how you believe that collaboration \nmight be enhanced in this bill. I don't think it precludes \nanything actually. I don't think there is a need to enhance it \nbecause it doesn't preclude the things that you have discussed. \nBut if you have specific suggestions on how to involve the \nprivate sector, I would be interested in hearing them.\n    Before I turn to you, I didn't want to neglect Mr. \nBartlett, who of course has been known for some time on the \nlog, focusing on cyber, that is the issue he has focused in on \nfor some time; that also needs attention.\n    So anybody who has a suggestion on private sector \ncollaboration, I am all ears.\n    Mr. Graham.\n    Mr. Graham. 
I believe in the line of collaboration, one of \nthe first things that needs to be done is the Department of \nHomeland Security needs to be informed and take an interest in \nthe subject of EMP and I presume cyber attack.\n    To give you an example, trying to--we have been, as a \ncommission, unsuccessful in engaging Department of Homeland \nSecurity in this area. Today, I went to the Homeland Security \nwebsite, I put in EMP, it took me to FEMA and there it told me \nthat EMP was a form of radioactive fallout and it said ``only \nthose who rely on electronically-driven life support systems \nare at risk.''\n    Ms. Lofgren. Could I--very good. So you at DHS, pay more \nattention, our new Secretary, I think, will be paying \nattention. Mr. Fabro.\n    Mr. Fabro. I think that the questions, the statement that \nyou have made is exceptionally accurate. That we have all the \npieces in place, from what I see, from what my experience \nindicates, is that the element of robustness, as it relates to \nwhat is coming upwards from independent research, what is \nactually being discovered and found within the operational \nenvironment of the private sector itself isn't coming upwards.\n    There is no sharing mechanism for that information to come \nupwards to either, validate, substantiate, disprove, or have \nsome other impact on what is being done by the Federal research \ncommunity. Make no mistake, the work that is being done with \nDHS and DOE, absolutely valuable, absolutely valuable. The \ncapabilities for FERC----\n    Ms. Lofgren. So, the research world needs to be brought in.\n    Mr. Fabro. It needs to be brought in. Has been spoken about \nearlier, the complexities involved with the fact that there is \nso much vendor-specific issues related to securing this, the \nvendors are often exceptionally reticent to accept the \nindependent research, because it may impact a variety of \ndifferent things from----\n    Ms. Lofgren. Right.\n    Mr. Fabro [continuing]. 
From a business perspective.\n    Ms. Lofgren. I don't know if I have time, Mr. Chairman, to \nget a few quick comments from the other two witnesses, under a \nminute total?\n    Mr. Thompson. You have a minute.\n    Mr. Fabro. I do believe our interests are well aligned \nhere, in terms of what to protect. One of the obligations that \nwe have is that we enhance our security incident reporting.\n    As incidents occur within the private sector, it is very \nimportant they quickly be shared. The incidents be absolutely \nanalyzed. And information, lessons learned, be shared back, so \nothers could protect themselves.\n    It is something we feel very strongly about. I think we \ndemonstrated that recently.\n    We also believe in terms of research, that better cyber \nawareness tools, of what actually is occurring across the \ninternet and large networks, is very important. This is an area \nthat the Government can contribute greatly.\n    Ms. Lofgren. Couldn't ES-ISAC be used to that effect?\n    Mr. Fabro. We absolutely believe the ES-ISACs can affect, \nand they probably need some analytical support in the ability \nto----\n    Ms. Lofgren. Mr. Naumann, you have 15 seconds.\n    Mr. Naumann. That much. Thank you. Very briefly, just to \nadd on. We think the most important thing is clear and concise \ncommunication. So that if there is a threat out there, that \nthreat gets down to the users, owners and operators, who \nunderstand our system and equipment, so that we can take \nappropriate mitigation.\n    If we don't know about the threat, it is very hard to \nmitigate against it.\n    Ms. Lofgren. So, this bill will certainly let you know \nabout that threat.\n    Mr. Naumann. Yes, but if there is an emergency, to the \nextent there is time, it is very important that rather than \nissuing a directive, there be as much consultation as is \npossible under the circumstances, else our concern about \nunintended consequences of those directives.\n    Ms. Lofgren. 
Thank you, Mr. Chairman, I appreciate the \nextra minute.\n    Mr. Thompson. Thank you very much. The Chair recognizes the \ngentleman from Maryland, Mr. Bartlett, for 5 minutes.\n    Mr. Bartlett. Thank you very much. I want to thank you \nagain for inviting me to be here.\n    EMP attack may be a low probability, it is certainly a \nhigh-impact event. But when you have such a potential like your \nhouse burning, you buy an insurance policy. You do something \nthat will make you whole in the event that that happens.\n    I would submit that in our country, we have done \nessentially, nothing, that would make us whole, if this were to \nhappen.\n    Dr. Graham, it is my understanding that electromagnetic \npulse is an unavoidable accompaniment of any and every nuclear \ndetonation. That if it occurs at ground level, that the area of \nthe fireball and the EMP area, are not all that much different, \nthat we have had little attention to EMP when it is a ground \nlevel attack.\n    But if it is at altitude, and if it is extra atmospheric, \nit is line of sight. A detonation 300 miles high above \nNebraska, Iowa, would cover our whole country? Is that \nessentially correct?\n    Mr. Graham. Yes, with a footnote that even for a surface, \nor near-surface nuclear burst, if there are things like power \nlines or conductors going into the fireball, that fireball acts \nlike a tremendous battery. And will drive electrical signals \nmiles and miles beyond its perimeter, but along the line.\n    Mr. Bartlett. It is my understanding that in your work on \nthe commission that you interrogated two Russian generals, who \ntold you that the Soviets had developed, and they have enhanced \nEMP weapons that would produce 200 kilovolts per meter. That is \ncorrect?\n    Mr. Graham. Yes, that is correct.\n    Mr. Bartlett. That would be 100 kilovolts per meter at the \nmargins of our country?\n    Mr. Graham. 
It depends--it is somewhat north, south \ndependent effect, but in some directions, yes.\n    Mr. Bartlett. It is my understanding that the most we have \never built and tested to is sometimes 30 and sometimes 50 \nkilovolts per meter. Is that correct?\n    Mr. Graham. Yes, that is correct. The upper figure was used \nearlier, and now the lower.\n    Mr. Bartlett. If in fact we could be exposed to 100 or 200 \nkilovolts per meter, protecting to 50 kilovolts per meter is \nlittle better than doing nothing, is--or 30, it is now 30. Is \nthat correct?\n    Mr. Graham. Well, it is unknown as to how good the \nprotection would be above that, because, it would be an \nuntested regime. In general, the test, the protection could \nfail at the higher levels.\n    Mr. Bartlett. What proportion, what part of our electronic \nworld would you expect to be affected by 200 kilovolts per \nmeter?\n    Mr. Graham. Essentially, everything that wasn't in a \nconductive package, everything from PCs on up through power \ngrids.\n    Mr. Bartlett. It would have to be in a Faraday cage and \ngrounded if it were to survive. Is that correct?\n    Mr. Graham. Yes, individual components that are wrapped up \nin protective packages might survive it. But anything that is \nfunctional, or connected to other systems, would not.\n    Mr. Bartlett. In a former life, I was a scientist. I am \nalways amazed at scientists and their ability to understate. I \nam now kind of a recovering scientist.\n    But Dr. Graham is a scientist, and he says that ``EMP is \none of a small number of threats that can hold our society at \nrisk of catastrophic consequences.''\n    In other words, ``that could end life as we know it.'' Is \nthat correct?\n    Mr. Graham. Certainly as we know it in the United States. 
I \ndon't think North Korea would find it a shock if they had an \nEMP event, because, they have so little infrastructure to begin \nwith.\n    But, our country has many times the population it had say \nin 1900. Yet, our facilities could be driven back to the pre-\n1900 level by an EMP attack. The country could just not support \nthat population.\n    Mr. Bartlett. This has been described as a high-level EMP, \nrobust EMP lay down, as a giant time machine that would move us \nback a century in technology. That is roughly correct?\n    Mr. Graham. Yes, maybe a little more than a century affect.\n    Mr. Bartlett. So, this is such a horrendous consequence. \nWhy are we not paying more attention to it?\n    One of the great experts in this area, Lowell Wood, says \n``it is just too hard. They don't want to deal with it.'' Is \nthat the problem?\n    Mr. Graham. That is probably a better question for a social \nscientist to answer. But, I have heard it characterized as a \nlow-probability, high-impact affect. The commission would not \nassign a probability to it.\n    However, we do know that all of our adversaries across \ntheir whole reach have all the capability necessary to execute \nthis kind of attack. They know our vulnerability to it.\n    So, it seems to me that we cannot assign it a low \nprobability of occurring. It won't happen every day. But, it \nwould take us by surprise if it happened today.\n    Mr. Bartlett. Thank you very much, Mr. Chairman.\n    Mr. Thompson. Thank you very much. For a recovering \nscientist, you do all right.\n    Ms. Jackson Lee for 5 minutes.\n    Ms. Jackson Lee. I want to thank the Chairwoman and the \nRanking Member for holding this committee. Thank you, Chairman.\n    Dr. Graham, I assume, and I am making the statement that \nyou feel comfortable with your statement, and as chairperson of \nthe commission to assess the threat to the United States from \nEMP. 
The research of that commission gives you comfort to make \nthe statements you are making today. Is that correct?\n    Mr. Graham. Yes, that is correct. Three other members of \nthe commission are here as well.\n    Ms. Jackson Lee. Let me thank them for their work. Let me \njust read the opening of your comments: ``EMP is one of a small \nnumber of threats that we can hold our society at risk from \ncatastrophic consequences.''\n    Then you make mention of the fact that several potential \nadversaries have, or can acquire, the capability to attack the \nUnited States with a high-altitude, nuclear weapon-generated \nelectromagnetic pulse, EMP. A determined adversary can achieve \nan EMP attack capability without a high level of \nsophistication.\n    Would you make these comments right at the front of your \nstatement without substance and being able to substantiate it?\n    Mr. Graham. Well, I would make those statements. We have \nsubstantiated them.\n    Ms. Jackson Lee. Yes, and you would not make them without \nthem being substantiated. Is that correct?\n    Mr. Graham. Absolutely not.\n    Ms. Jackson Lee. Why did you make those statements, Dr. \nGraham?\n    Mr. Graham. We have issued several classified reports as \nwell, that go into these in much more detail, which are \navailable to the Congress. We have explored the subject with \nthe intelligence community, and with the Department of Energy, \nand its nuclear weapon design laboratories, at great length. We \nbase our conclusions on that.\n    Ms. Jackson Lee. Let me ask the three gentlemen, I think to \nyour right, if I am correct. A simple hurricane that most \npeople don't know anything about called, ``Hurricane Ike,'' \nwhich obviously is a natural disaster, had a catastrophic \nimpact, or an exponential impact. 
Because in fact, after the \nstorm was over, the community that it impacted, was without \nelectricity for some 6 weeks-plus.\n    It is probably the most costliest hurricane in that Gulf \nregion, short of Hurricane Katrina, and possibly Rita. But more \nimportantly, the suffering was enormous.\n    Can you explain to me the basis of the self-regulation of \nyour industry, Mr. Naumann? Why you wouldn't want more intense \nregulation? Because a potential attack, or impact of EMP, as \nDr. Graham has said, ``would be enormously catastrophic.'' In \nfact, whole communities could be wiped out.\n    Mr. Naumann.\n    Mr. Naumann. Thank you, I don't believe it is an issue of \nregulation. I believe it is an issue of getting together, \nsetting the priorities, determining what the threat is and \nthen----\n    Ms. Jackson Lee. You don't think that you could do it \nbetter with a Government partnership? Having more stringent \nregulations as it relates to EMP?\n    Mr. Naumann. I don't believe the regulation itself would \nmake the difference. The partnership would.\n    Ms. Jackson Lee. So, you agree with Dr. Graham that we have \nthe potential of a catastrophic impact with the EMP?\n    Mr. Naumann. I don't have access to the classified \ninformation Dr. Graham does.\n    Ms. Jackson Lee. But I just asked Dr. Graham, whether he \ncould substantiate it. So, based on his being able to \nsubstantiate, would you agree that it could have a catastrophic \nimpact?\n    Mr. Naumann. I absolutely agree.\n    Ms. Jackson Lee. I thank you.\n    Mr. Assante.\n    I think you are NERC, N-E-R-C, and I think that is the \ngroup that self-regulates and allows electric companies to go \nout during a hurricane, and have no criteria for getting back \non.\n    What is your description of self-regulation? Do you feel \nthere needs to be more regulation and partnership between the \nGovernment and its industry to protect it against EMP, as Dr. \nGraham has mentioned?\n    Mr. Assante. 
Certainly, EMP as a threat is disturbing in \nthat, different from Ike, it destroys components of the power \nsystem that will be difficult to restore from----\n    Ms. Jackson Lee. Ike, is only an example, I mean it holds \nelectricity.\n    Mr. Assante. I absolutely understand. I do believe that, \nand we had the meeting with the commission, and we have met \nwith experts that has provided testimony----\n    Ms. Jackson Lee. So would you support more Government \nregulation and partnership?\n    Mr. Assante. I would suggest partnership is really \nimportant to understand the problem----\n    Ms. Jackson Lee. Regulation you would look at?\n    Mr. Assante. I do believe Section 215, is an appropriate \nvehicle to----\n    Ms. Jackson Lee. Is or is not?\n    Mr. Assante. I think it could be and it is an appropriate--\n--\n    Ms. Jackson Lee. Let me go to--thank you very much.\n    The few minutes that I have, Mr. Fabro.\n    You heard my comments and Dr. Graham's comments. We have a \nreal problem.\n    Do you believe that we need to have a greater enhancement \nof Government partnership? I call it regulation to ensure \nagainst this disaster?\n    Mr. Fabro. Absolutely, if the findings from Dr. Graham and \nhis commission are accurate, as a scientist myself, I firmly \nagree that these issues are very important.\n    I think that the partnership, with involvement from the \nFederal Government is critical, to fully understand the issues. \nI think that the findings from that must be incorporated into \nfuture State standards.\n    From a regulation perspective, I don't know if it has to be \na regulatory function, but I certainly do agree involvement \nfrom the Federal Government is required for a full picture.\n    Ms. Jackson Lee. I thank you. I think without regulation, \nwe don't get enforcement and implementation.\n    I thank you, and I yield back to the Chairman.\n    Mr. Thompson. 
Thank you very much.\n    Now, your 5 minutes, the gentleman from New Jersey.\n    Mr. Pascrell. Thank you, Mr. Chairman.\n    Mr. Chairman, this legislation did not come out of the \nblue. It didn't materialize itself.\n    I want to associate myself with the comments of Mr. \nBartlett. We should all be very seriously concerned. I guess \nthat is why we are here.\n    But I remember last May, when NERC's CEO, Rick Sergel, sat \nin that seat over there. He admitted to this committee that we, \nthe committee, had been lied to by the electric industry. Maybe \nyou will remember that.\n    For those Members who were not here last year, NERC told us \nin October 2007, that three-quarters of the industry had \nmitigated a vulnerability known as Aurora. NERC claimed that \nthey sent the survey out to industry, and they had received, \nobviously, responses back.\n    We finally got the truth out, and found out that the survey \nhadn't been sent. NERC had no hard numbers. NERC just made them \nup to get us off their back. We found that out last year.\n    So we learned then to be suspicious. After the hearing, and \nto his credit, Mr. Sergel, brought in Mr. Assante to restore \nthe credibility of NERC. The committee--and I believe he has \nchosen a very, fine person for this position.\n    I would like to ask Mr. Naumann a question.\n    You are here representing the Edison Electric Institute and \nthe Electric Power Supply Association, Mr. Naumann, is that \ncorrect?\n    Mr. Naumann. Yes, Congressman.\n    Mr. Pascrell. A question about September 11, your 2008 \nmeeting of the NERC Critical Infrastructure Protection \nCommittee. At the committee meeting, the NERC Infrastructure \nProtection Committee received a briefing on the report of the \ncommission to assess the threat to the United States from the \nEMP. This is the report. Have you seen that report, Mr. \nNaumann?\n    Mr. Naumann. I have skimmed--scanned the report on-line, \nyes.\n    Mr. Pascrell. 
Then you know, basically, what is in here \nthen, right?\n    Mr. Naumann. I do.\n    Mr. Pascrell. This report was written by the congressional \ncommission that Dr. Graham chairs. The commission has been \nreviewing our electric grid security against an intentional, or \nunintentional, event for years. The commission found, Mr. \nChairman, and Mr. Ranking Member, ``a single EMP attack may \nseriously degrade or shut down a large part of the electric \npower grid in the geographic area of the EMP exposure, \neffectively instantaneously.''\n    The commission came up with a number of steps that the \nprivate sector can take to help significantly reduce the threat \nof EMP. They were good recommendations. I do not believe they \nwere prohibitively costly.\n    Now, here are the minutes of the meeting. Have you seen \nthis, Mr. Naumann?\n    Mr. Naumann. No, sir.\n    Mr. Pascrell. You never saw the minutes of the meeting?\n    Mr. Naumann. I am not a member of that committee.\n    Mr. Pascrell. I know you are not. But I asked you if you \nsaw the meeting--the minutes. Did you see the minutes, Dr. \nGraham?\n    Mr. Graham. No.\n    Mr. Pascrell. Okay.\n    I currently have in my hands, the minutes from the meeting. \nI ask for unanimous consent to introduce these minutes into the \nrecord, Mr. Chairman.\n    Mr. Thompson. Without objection.*\n---------------------------------------------------------------------------\n    * The information referred to has been retained in committee files.\n---------------------------------------------------------------------------\n    Mr. Pascrell. You would think that an issue as serious as \nan electromagnetic pulse, which has catastrophic consequences, \nis not terribly expensive to fix, would have spurred the \nelectric industry into action. You would think that an at-risk \nindustry would want to fix its vulnerabilities. 
You would think \nthat after not fixing the Aurora vulnerability for years, the \nindustry would want to show some proactive security efforts, \nsend a message that at least they are moving in the right \ndirection.\n    But this is not what happened, Mr. Chairman, on September \n11 of last year. According to the minutes, ``there are no \nactions expected by the Critical Infrastructure Protection \nCommittee or NERC to this rep.''\n    No actions. Nothing. The industry, which is, as Chairwoman \nClarke stated, ``responsible for operating security grid plans \nare doing nothing to secure its infrastructure or to mitigate \nthis threat.''\n    Now, Mr. Naumann, why aren't your colleagues doing more to \nsecure your infrastructure against an intentional or \nunintentional EMP event or cyber attack? Mr. Naumann.\n    Mr. Naumann. Congressman, as I said, we want to work with \nNERC and the industry in identifying what needs to be done, \nwhat the design threat is. I just heard from Congressman \nBartlett, for example, whether the threat is 200 volts per \nmeter or 50 volts per meter----\n    Mr. Pascrell. Mr. Naumann, Mr. Naumann, excuse me. Why \naren't you doing anything right now to secure the \ninfrastructure?\n    Mr. Naumann. In order to----\n    Mr. Pascrell. You are telling me something, everybody knows \nin this room. We listen.\n    Mr. Naumann. I----\n    Mr. Pascrell. Well, then please answer my question?\n    Mr. Naumann. In order to secure the infrastructure, we \nfirst have to determine what threat to protect against and then \ndesign mitigation. As I understand it, through NERC, Mr. \nAssante is taking this up as one of the action items. But it \nhas to be done in a thoughtful manner.\n    Mr. Pascrell. So the industry--these are the minutes. I \nmean, I didn't make it up.\n    Mr. Naumann. I was testifying----\n    Mr. Pascrell. I yield back.\n    Mr. Thompson. Thank you very much. I appreciate your--we \nhave Ms. Richardson and Mr. 
Lujan and we have four votes to \ntake after that. Ms. Richardson.\n    Ms. Richardson. Mr. Chairman, I will be very brief so I can \ngive my colleague an opportunity to speak before our break.\n    Is Mr. Sean McGurk present, from the Department? Okay. I \nwould like to recommend during the break, Dr. Graham, since you \nhave said ``you have had an unsuccessful engagement of speaking \nwith the Department,'' he is right here, I think, in the third \nrow. For the record, Mr. Chairman, I would like to recommend \nthat maybe we submit the testimony to the new Secretary and \nurge her and her appropriate Department to review the \ninformation and give them an opportunity to come forward.\n    Mr. Thompson. I would be happy to do it.\n    Ms. Richardson. My last point, and I do want to be brief, \nas I said, for my colleague. Having reviewed the bill that we \nhave on the table, I would just like to work with the Chairman, \npossibly in a Manager's Amendment, as I listen to the testimony \ntoday, one of the things that I think we could add is in Mr. \nFabro's testimony, in the very back, he gives three points that \nwe could focus on. One is ``research,'' which has been much \ndiscussed, much discussed today.\n    Second, ``redefining standards,'' which there is the \nability to do some of that in the bill. But what we don't talk \nabout is he talked about ``procurement guidance.'' Specifically \nfrom his testimony, he says ``in the case moderate \nreengineering of existing procurement guidelines can have \ntremendous downstream influence, in both power systems, \ncybersecurity and it can be done immediately.''\n    So I will work with my staff and in conjunction with some \nof the folks that have been here today to see if there is any \nway that we can help to strengthen it even further.\n    With that, I yield back the balance of my time.\n    Mr. Thompson. Thank you very much.\n    The gentleman from New Mexico for 5 minutes.\n    Mr. Lujan. Thank you very much, Mr. 
Chairman and thanks to \nmy colleague, Ms. Richardson, for being so kind with her time.\n    Mr. Assante, did I hear you correctly that when there was a \nreference to cybersecurity that prevents--did you say something \nalong the lines ``prevention is not necessarily the answer?''\n    Mr. Assante. I don't think we should put our full faith in \npreventing attacks. It is very important that we also address \ninvestments in being able to categorize, observe them, and \nrespond to them, and minimize their consequences in the system. \nSo we would like to take a comprehensive approach to cyber \nattacks, not just installing more cybersecurity solutions that \nhave failed in the past. Some of the advanced threats are \ncapable of getting around those solutions. We want to make sure \nthat we have got the full capabilities to be able to handle \nthis important challenge.\n    Mr. Lujan. Do any of the bulk power systems have a \nresponsibility to report to NERC, or the body, if there is a \ncyber attack?\n    Mr. Assante. They do. Under the CIP standards today, they \nhave to report security incidents affecting critical cyber \nassets to NERC. NERC will take that information, analyze it and \npass it on for warnings for other organizations.\n    Mr. Lujan. To date, have there been any reports to NERC?\n    Mr. Assante. Yes. We have received reports of security \nincidents to the bulk power system.\n    Mr. Lujan. So is the grid safe today?\n    Mr. Assante. I would tell you that it is--I believe that \nthe grid is not immune from attack. We have seen the attacks \noccur. What we can do is try to respond to those attacks, \nenhance our security and ability to respond to them. It is \ndefinitely a concern. It is why we are asking for, immense \nauthorities from the Federal Government to very specific and \nimminent cyber threats.\n    Mr. Lujan. So, Mr. 
Naumann, with that being said, I stand \ncorrected, but I thought I heard you say earlier that you feel \nthat the grid is safe today?\n    Mr. Naumann. I believe I said ``it is relatively secure \nfrom the threats that we know of.''\n    But it----\n    Mr. Lujan. Okay.\n    Mr. Naumann [continuing]. May not be secure from the \nthreats we don't know of, which is why we support the emergency \nlegislation.\n    Mr. Lujan. Mr. Assante, with that being said, I think that \nwe heard from Ms. Richardson and others the importance of \nmaking sure that we are able to provide the information \nnecessary so that you can prepare for any cyber attacks that do \nexist. But there was a Wall Street Journal article in April of \nthis year that highlighted threats that we do know, that \noccurred, that I don't know if they have been addressed or not, \nbut in your testimony you state ``that there has been progress \nmade through NERC with the bulk power systems.''\n    Mr. Assante. Yes.\n    Mr. Lujan. Can you just highlight those quickly?\n    Mr. Assante. Sure. I absolutely can. Most importantly, our \nability to communicate effectively with the 1,800-plus entities \nthat comprise the bulk power system is an important capability \nthat we work very hard to achieve.\n    The second piece is that we have been working in great \npartnership with the Department of Homeland Security and the \nDepartment of Energy to be able to analyze advanced threats. So \nwhen we become aware of them, and I will give you a quick \nexample, we have seen suspicious activity against power system \nnetworks. They have reported that to me at the ES-ISAC. I \nshared that information with our Government partners and then \nprovided excellent analysis of what it looked like, what it \nwas, and we went back and we were able to notify and warn other \nentities of the suspicious activity.\n    So those are the types of progress that I think is very \nimportant. 
I think it--we are working full force in the \ncollaborative side. But if a cyber threat was imminent and \nspecific, we believe the necessity to have emergency \nauthorities to deal with that and deal with it in a mandatory \nway are appropriate.\n    Mr. Lujan. Yes. With that being said, Mr. Naumann, there \nwas a reference made earlier that there is not a set of \nstandards in place for utilities across the country today, that \neveryone has their own platforms that they operate on and it \nwould be difficult to institute a fix that would reach \neveryone. With that being said, is there a need to go to \nstandard platforms, as utilities are making investments into \nthe future? Understanding that this is a threat that does exist \ntoday?\n    Mr. Naumann. I think there is a need to go to standard \nprotocols. For example, on the Smart Grid, dealing with Smart \nGrid, FERC has just issued a final rule that said ``any Smart \nGrid devices that are attached to the system should follow \nprotocols that are being developed under the auspices of \nthis.'' So it is the protocols as to how they communicate and \nhow they interact with the system, that it is very important; \nthat they be common; and that they be secure.\n    Mr. Lujan. The last question I have, Mr. Chairman, is that \nas we go forward and we understand the direction where Smart \nGrid will take us and how broadband applications are going to \nbe critical to achieving the efficiencies that we need with \ndistribution and transmission.\n    Understanding that NERC's sole responsibility is with bulk \npower systems and does not include distributed generation or \nsettlement, industrial utilities or applications, even within \nsome of our rural cooperatives: Who is overseeing that aspect \nand is there anybody--are there any, I guess, large umbrella \nsupport systems other than State regulatory bodies that are \nworking directly with them? Are those actually reported?\n    Mr. Lujan. Mr. 
Chairman, we can get back to that one later, \nif need be.\n    Mr. Thompson. The gentleman can answer.\n    Mr. Naumann. To answer very quickly, it is important that \nunder U.S. legislation, that as it relates to Smart Grid in \nparticular, that NIST, and the Department of Energy, in working \nwith FERC, and NERC is then engaged in this activity, do \naddress system standards, so that they can build security into \nthis technology before it gets deployed in great numbers. But \nmost of the jurisdiction and regulation of the system has been \ndone at the local level and the State level. However, in a lot \nof cases, that can be very appropriate, based on local issues.\n    But NERC is concerned about the bulk power system and in \nthe future, as devices in aggregate might cause a material \nissue to reliability, we would actively engage in those \nefforts.\n    Mr. Lujan. Mr. Chairman, just want to suggest quickly \nthere, we may want to work with NARUC, the National Association \nof Regulatory Utility Commissions, to truly get an inventory of \nhow many utilities, investor-run utilities across the country, \nhave been working with their State partners. Having come to \nCongress as a former regulator, from the utility commission, in \nNew Mexico, I can tell you that there is a concern that I have \nthere and to make sure that we are working with our colleagues \nacross the country that this information is truly being \ncompiled.\n    Mr. Thompson. Mr. Lujan, as you can see, once this \nlegislation is brought up for mark-up, you will see some \nadditions to it.\n    Let me thank our first panel of witnesses for excellent \ntestimony and answers to the questions. We have four votes, \nplus 111th Congress photograph that will probably take about 35 \nor 40 minutes. But we release the first panel. Thank you for \nyour testimony. The committee will recess and reconvene at the \nend of the votes.\n    [Recess.]\n    Ms. Clarke. [Presiding.] 
I welcome the second panel of \nwitnesses. We are joined by Joe McClelland, the director of \nreliability at the Federal Energy Regulatory Commission, also \nknown as FERC. Our second witness is Patricia Hoffman, acting \nassistant secretary at the Office of Electricity Delivery and \nEnergy Reliability, Department of Energy.\n    Our third witness is Sean McGurk, director of the Control \nSystems Security Program at the Department of Homeland \nSecurity. Welcome. Finally, Cita Furlani, is the director of \nthe Information Technology Laboratory, National Institute of \nStandards and Technology at NIST.\n    I want to welcome you all here. Without objection, the \nwitnesses' full statements will be entered into the record. \nHearing no objection, so ordered.\n    I now ask each of the witnesses to introduce yourself and \nsummarize your statement for 5 minutes, beginning with Mr. \nMcClelland.\n\n  STATEMENT OF JOSEPH H. MCCLELLAND, DIRECTOR OF RELIABILITY, \n              FEDERAL ENERGY REGULATORY COMMISSION\n\n    Mr. McClelland. Chairwoman Clarke, thank you. Member \nLungren, and distinguished guests. Thank you for the privilege \nto appear before you today to discuss the security of the \nelectric grid.\n    My name is Joe McClelland, and I am the director of Office \nof Electric Reliability at the Federal Energy Regulatory \nCommission. I am here today as a commission staff witness and \nmy remarks do not necessarily represent the views of the \ncommission or any individual commissioner.\n    In the Energy Policy Act of 2005, Congress entrusted the \ncommission with a major new responsibility, to oversee \nmandatory enforceable reliability standards for the Nation's \nfull power system. This authority is in new Section 215 of the \nFederal Power Act.\n    Under the new authority, FERC cannot author or modify \nreliability standards. It must select an electric reliability \norganization, or ERO, to perform this task. 
The ERO develops \nand proposes reliability standards or modifications for the \ncommission's review, which it can either then remand or approve \nthem.\n    If the commission approves the proposed reliability \nstandards, it applies to the users, owners, and operators of \nthe bulk power system, and becomes mandatory in the United \nStates. If the commission remands a proposed standard, it is \nsent back to the ERO for further consideration.\n    The commission selected the North American Electric \nReliability Corporation or NERC as its ERO. It is important to \nnote that NERC's jurisdiction and reliability authority is \nlimited to the, ``bulk power system,'' as defined in the \nFederal Power Act, which excludes Alaska and Hawaii, \ntransmission facilities in certain large cities, such as New \nYork, and distribution systems.\n    In addition to the reliability authority, FERC is also \ncharged with the oversight of cybersecurity of the bulk power \nsystem. As is the case with non-security issues, FERC's \nauthority in Section 215 over cybersecurity is to exercise the \nreliability standards developed by the ERO and approved by \nFERC.\n    Pursuant to this duty, FERC approved eight cybersecurity \nstandards known as the Critical Infrastructure Protection, or \nCIP standards, proposed by NERC, while concurrently directing \nmodifications to them in January 2008. Although the existing \nCIP standards are approved, full implementation of these \nstandards by all entities will not be mandatory until 2010.\n    The first of several batches of modification responding to \nthe commission's directives was received from the ERO in May \n2009, and they are now under review.\n    On a related note, as Smart Grid technology is added to the \nbulk power system greater cybersecurity protections will be \nrequired. Given that this technology provides more access \npoints to attackers, and increases the grid's cyber \nvulnerability. 
The CIP standards will apply to some, but not \nall Smart Grid applications.\n    Physical attacks against the power grid can cause equal or \neven greater destruction than cyber attacks. One example of a \nphysical threat is an electromagnetic pulse or EMP event. In \n2001, Congress established a commission to assess the threat \nfrom EMP. In 2004, and again in 2008, the EMP Commission issued \nits reports.\n    Among the findings in the reports were that a single EMP \nattack could seriously degrade or shut down a large part of the \nelectric power grid. Depending upon the attack, significant \nparts of the electric infrastructure could be, ``out of service \nfor periods measured in months to a year or more.''\n    In addition to man-made attacks, EMP events are also \nnaturally generated, caused by solar flares and storms \ndisrupting the earth's magnetic field. Such events can be \npowerful and can also cause significant and prolonged \ndisruptions to the power grid.\n    The standards development system utilized under FTA215, \ninvolved mandatory reliability standards using an open and \ninclusive process based on consensus. Although it can be an \neffective mechanism when dealing with the routine requirements \nof the power grid, it is inadequate when addressing threats to \nthe power grid that endanger national security.\n    Despite its active role in approving reliability standards, \nFERC's current legal authority is insufficient to assure \ndirect, timely, and mandatory action to protect the grid, \nparticularly where certain information should not be publicly \ndisclosed.\n    Any new legislation should address several key concerns. 
\nFirst, FERC should be permitted to take direct action before a \ncyber- or physical national security incident has occurred.\n    Second, FERC should be allowed to maintain appropriate \nconfidentiality of security-sensitive information.\n    Third, the limitations of the term ``bulk power system'' \nshould be considered, as FERC cannot act to protect against \nattacks involving Alaska and Hawaii as well as some \ntransmission, and all local distribution, facilities in \npopulation areas.\n    Finally, entities should be permitted to recover costs they \nincur to mitigate vulnerabilities and threats. Thank you for \nyour attention today and I am available to address any \nquestions that you may have.\n    [The statement of Mr. McClelland follows:]\n               Prepared Statement of Joseph H. McClelland\n                             July 21, 2009\n    Mr. Chairman and Members of the subcommittee: Thank you for this \nopportunity to appear before you to discuss the security of the \nelectric grid. My name is Joseph McClelland. I am the director of the \nOffice of Electric Reliability (OER) of the Federal Energy Regulatory \nCommission (FERC or commission). The commission's role with respect to \nreliability is to help protect and improve the reliability of the \nNation's bulk power system through effective regulatory oversight as \nestablished in the Energy Policy Act of 2005. I am here today as a \ncommission staff witness and my remarks do not necessarily represent \nthe views of the commission or any individual commissioner.\n    My testimony summarizes the commission's oversight of the \nreliability of the electric grid under section 215 of the Federal Power \nAct, and some of the limitations in Federal authority to protect the \ngrid against physical and cybersecurity threats. The commission \ncurrently does not have sufficient authority to require effective \nprotection of the grid against cyber or physical attacks. 
If adequate \nprotection is to be provided, legislation is needed and my testimony \ndiscusses the key elements that should be included in any new \nlegislation in this area.\n                               background\n    In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted \nthe commission with a major new responsibility to oversee mandatory, \nenforceable reliability standards for the Nation's bulk power system \n(excluding Alaska and Hawaii). This authority is in section 215 of the \nFederal Power Act. Section 215 requires the commission to select an \nElectric Reliability Organization (ERO) that is responsible for \nproposing, for commission review and approval, reliability standards or \nmodifications to existing reliability standards to help protect and \nimprove the reliability of the Nation's bulk power system. The \ncommission has certified the North American Electric Reliability \nCorporation (NERC) as the ERO. The reliability standards apply to the \nusers, owners, and operators of the bulk power system and become \nmandatory in the United States only after commission approval. The ERO \nalso is authorized to impose, after notice and opportunity for a \nhearing, penalties for violations of the reliability standards, subject \nto commission review and approval. The ERO may delegate certain \nresponsibilities to ``Regional Entities,'' subject to commission \napproval.\n    The commission may approve proposed reliability standards or \nmodifications to previously approved standards if it finds them ``just, \nreasonable, not unduly discriminatory or preferential, and in the \npublic interest.'' The commission itself does not have authority to \nmodify proposed standards. Rather, if the commission disapproves a \nproposed standard or modification, section 215 requires the commission \nto remand it to the ERO for further consideration. 
The commission, upon \nits own motion or upon complaint, may direct the ERO to submit a \nproposed standard or modification on a specific matter but it does not \nhave the authority to modify or author a standard and must depend upon \nthe ERO to do so.\nLimitations of Section 215 and the Term ``Bulk Power System''\n    Currently, the commission's jurisdiction and reliability authority \nis limited to the ``bulk power system,'' as defined in the FPA, and \ntherefore excludes Alaska and Hawaii, including any Federal \ninstallations located therein. The current interpretation of ``bulk \npower system'' also excludes some transmission and all local \ndistribution facilities, including virtually all of the grid facilities \nin certain large cities such as New York, thus precluding commission \naction to mitigate cyber- or other national security threats to \nreliability that involve such facilities and major population areas.\nCritical Infrastructure Protection Reliability Standards\n    An important part of the commission's current responsibility to \noversee the development of reliability standards for the bulk power \nsystem involves cybersecurity. In August 2006, NERC submitted eight \nproposed cybersecurity standards, known as the Critical Infrastructure \nProtection (CIP) standards, to the commission for approval under \nsection 215. Critical infrastructure, as defined by NERC for purposes \nof the CIP standards, includes facilities, systems, and equipment \nwhich, if destroyed, degraded, or otherwise rendered unavailable, would \naffect the reliability or operability of the ``Bulk Electric System.'' \nNERC proposed an implementation plan under which certain requirements \nwould be ``auditably compliant'' beginning by mid-2009, and full \ncompliance would be mandatory in 2010. 
Pursuant to NERC's \nimplementation plan for the CIP standards, the term ``auditably \ncompliant'' means ``the entity meets the full intent of the requirement \nand can demonstrate compliance to an auditor, including 12-calendar-\nmonths of auditable `data,' `documents,' `documentation,' `logs,' and \n`records.' '' At the end of July 2009, responsible entities will \nprovide responses to NERC's self-certification survey. Those responses \nwill include information on their progress towards compliance with the \nCIP standards.\n    On January 18, 2008, the commission issued a Final Rule approving \nthe CIP reliability standards while concurrently directing NERC to \ndevelop significant modifications addressing specific concerns. The \ncommission set a deadline of July 1, 2009 for NERC to resolve certain \nissues in the CIP reliability standards, including deletion of the \n``reasonable business judgment'' and ``acceptance of risk'' language in \neach of the standards. NERC concluded that this deadline would create a \nvery compressed schedule for its stakeholder process. Therefore, it \ndivided all of the changes directed by the commission into phases, \nbased on their complexity. NERC opted to resolve the simplest changes \nin the first phase, while putting off more complex changes for later \nversions.\n    NERC filed the first phase of the modifications to the CIP \nReliability Standards (Version 2) on May 22, 2009 and the filing is \ncurrently under review by commission staff. The filing includes removal \nfrom the standards of the terms ``reasonable business judgment'' and \n``acceptance of risk,'' which the commission found problematic, the \naddition of a requirement for a ``single senior manager'' responsible \nfor CIP compliance, and certain other administrative and clarifying \nchanges. The remaining phases of the CIP reliability standard revisions \nto respond to the commission's directives are still under development \nby NERC. 
Currently, there are no set time frames for the remaining \nphases.\nIdentification of Critical Assets\n    As currently written, the CIP reliability standards allow utilities \nsignificant discretion to determine which of their facilities are \n``critical assets and the associated critical cyber assets,'' and \ntherefore are subject to the protection requirements of the standards. \nIn the Final Rule, the commission directed NERC to revise the standards \nto require independent oversight of a utility's decisions by industry \nentities with a ``wide-area view,'' such as reliability coordinators or \nthe Regional Entities, subject to the review of the commission. This \nrevision to the standards, like all revisions, is subject to approval \nby the affected stakeholders in the standards development process and \nhas not yet been developed or presented to the commission. We expect \nthis revision to be part of the remaining phases of CIP reliability \nstandard revisions, as discussed above.\n    When the commission approved the CIP reliability standards in \nJanuary 2008, it also required entities under those standards to self-\ncertify their compliance progress every 6 months. In December 2008, \nNERC conducted a self-certification study, asking each entity to report \nlimited information on its critical assets and the associated critical \ncyber assets identified in compliance with reliability standard CIP-\n002-1. As the commission stated in the Final Rule, the identification \nof critical assets is the cornerstone of the CIP standards. If that \nidentification is not done well, the CIP standards will be ineffective \nat protecting the bulk power system. The results of NERC's self-\ncertification request showed that 31% of responsible entities \nresponding to the survey, and only 29% of generation owners and \noperators, identified at least one critical asset, while about 63% of \ntransmission owners identified at least one critical asset. 
NERC \nexpressed its concern with these results in a letter to industry \nstakeholders dated April 7, 2009. In addition, NERC is working on a \nguidance document that will help industry to identify their critical \nassets. That document is still under development, and should be \ncompleted in approximately 6 months. Another self-certification by \nindustry is due to NERC at the end of July, and includes additional \nquestions designed to obtain a better understanding of the results from \nindustry's critical asset identification process. Those results will \nhelp gauge how widely the CIP reliability standards have been applied.\n    The results of the NERC survey demonstrate that it is not clear, \neven today, what percentage of critical assets and their associated \ncritical cyber assets has been identified and therefore made subject to \nthe protection requirements of the CIP standards. It is clear, however, \nthat this issue is serious and represents a significant gap in \ncybersecurity protection.\n                            the nerc process\n    As an initial matter, it is important to recognize how mandatory \nreliability standards are established. Under section 215, reliability \nstandards must be developed by the ERO through an open, inclusive, and \npublic process. The commission can direct NERC to develop a reliability \nstandard to address a particular reliability matter, including \ncybersecurity threats or vulnerabilities. However, the NERC process \ntypically requires years to develop standards for the commission's \nreview. In fact, the existing CIP standards took approximately 3 years \nto develop.\n    NERC's procedures for developing standards allow extensive \nopportunity for industry comment, are open, and are generally based on \nthe procedures of the American National Standards Institute. The NERC \nprocess is intended to develop consensus on both the need for, and the \nsubstance of, the proposed standard. 
Although inclusive, the process is \nrelatively slow, open, and unpredictable in its responsiveness to the \ncommission's directives.\n    Key steps in the NERC process include: Nomination of a proposed \nstandard using a Standard Authorization Request (SAR); public posting \nof the SAR for comment; review of the comments by industry volunteers; \ndrafting or redrafting of the standard by a team of industry \nvolunteers; public posting of the draft standard; field testing of the \ndraft standard, if appropriate; formal balloting of the draft standard, \nwith approval requiring a quorum of votes by 75 percent of the ballot \npool and affirmative votes by two-thirds of the weighted industry \nsector votes; re-balloting, if negative votes are supported by specific \ncomments; approval by NERC's board of trustees; and an appeals \nmechanism to resolve any complaints about the standards process. This \nprocess requires public disclosure regarding the reason for the \nproposed standard, the manner in which the standard will address the \nissues, and any subsequent comments and resulting modifications in the \nstandards as the affected stakeholders review the material and provide \ncomments. NERC-approved standards are then submitted to the commission \nfor its review.\n    Generally, the procedures used by NERC are appropriate for \ndeveloping and approving reliability standards. The process allows \nextensive opportunities for industry and public comment. The public \nnature of the reliability standards development process can be a \nstrength of the process. However, it can be an impediment when measures \nor actions need to be taken to address threats to national security \nquickly, effectively and in a manner that protects against the \ndisclosure of security-sensitive information. 
The current procedures \nused under section 215 for the development and approval of reliability \nstandards do not provide an effective and timely means of addressing \nurgent cyber- or other national security risks to the bulk power \nsystem, particularly in emergency situations. Certain circumstances, \nsuch as those involving national security, may require immediate \naction, while the reliability standard procedures take too long to \nimplement efficient and timely corrective steps.\n    FERC rules governing review and establishment of reliability \nstandards allow the agency to direct the ERO to develop and propose \nreliability standards under an expedited schedule. For example, FERC \ncould order the ERO to submit a reliability standard to address a \nreliability vulnerability within 60 days. Also, NERC's rules of \nprocedure include a provision for approval of ``urgent action'' \nstandards that can be completed within 60 days and which may be further \nexpedited by a written finding by the NERC board of trustees that an \nextraordinary and immediate threat exists to bulk power system \nreliability or national security. However, it is not clear NERC could \nmeet this schedule in practice. Moreover, faced with a national \nsecurity threat to reliability, there may be a need to act decisively \nin hours or days, rather than weeks, months, or years. That would not \nbe feasible even under the urgent action process. In the meantime, the \nbulk power system would be left vulnerable to a known national security \nthreat. Moreover, existing procedures, including the urgent action \nprocedure, would widely publicize both the vulnerability and the \nproposed solutions, thus increasing the risk of hostile actions before \nthe appropriate solutions are implemented.\n    In addition, a reliability standard submitted to the commission by \nNERC may not be sufficient to address the identified vulnerability or \nthreat. 
Since FERC may not modify a proposed reliability standard under \nsection 215 and must either approve or remand it, FERC would have the \nchoice of approving an inadequate standard and directing changes, which \nreinitiates a process that can take years, or rejecting the standard \naltogether. Under either approach, the bulk power system would remain \nvulnerable for a prolonged period.\n    Finally, the open and inclusive process required for standards \ndevelopment is not consistent with the need to protect security-\nsensitive information. For instance, a Standard Authorization Request \nwould normally detail the need for the standard as well as the proposed \nmitigation to address the issue, and the NERC-approved version of the \nstandard would be filed with the commission for review. This public \ninformation could help potential adversaries in planning attacks.\nNERC's ``Aurora'' Advisory\n    Currently, the alternative to a mandatory reliability standard is \nfor NERC to issue an advisory encouraging utilities and others to take \nvoluntary action to guard against cyber or other vulnerabilities. That \napproach allows for quicker action, but compliance with an advisory is \nnot mandatory, and may produce inconsistent and potentially ineffective \nresponses. Also, an alert can be general in nature and lack \nspecificity. For example, the issuance of an advisory in 2007 by NERC, \nregarding an identified cybersecurity vulnerability referred to as \n``Aurora,'' caused uncertainty about the specific strategies needed to \nmitigate the identified vulnerabilities and the assets to which they \napply. 
Reliance on voluntary measures to assure national security is \nfundamentally inconsistent with the conclusion Congress reached during \nenactment of EPAct 2005, that voluntary standards cannot assure \nreliability of the bulk power system.\n                               smart grid\n    The need for vigilance may increase as new technologies are added \nto the bulk power system. For example, Smart Grid technology promises \nsignificant benefits in the use of electricity. These include the \nability to better manage not only energy sources but also energy \nconsumption. However, a smarter grid would permit two-way communication \nbetween the electric system and a large number of devices located \noutside of controlled utility environments, which will introduce many \npotential access points.\n    Smart Grid applications will automate many decisions on the supply \nand use of electricity to increase efficiencies and ultimately to allow \ncost savings. Without adequate physical and cyber protections, however, \nthis level of automation may allow adversaries to gain unauthorized \naccess to the rest of the company's data and control systems and cause \nsignificant harm. Security features must be an integral consideration \nwhen developing Smart Grid technology. The challenge will be to focus \nnot only on general approaches but, importantly, on the details of \nspecific technologies and the risks they may present.\n    Regarding data, there are multiple ways in which Smart Grid \ntechnologies may introduce new cyber vulnerabilities into the system. \nFor example an attacker could gain access to a remote or intermediate \nSmart Grid device and change data values monitored or received from \ndown-stream devices, and pass the incorrect data up-stream to cause \noperators or automatic programs to take incorrect actions. 
As was \nmentioned previously, the potential exists for off-grid equipment to \nadversely affect the bulk power system through corrupted \ncommunications.\n    In regard to control systems, an attacker that gains access to the \ncommunication channels could order metering devices to disconnect \ncustomers, order previously shed load to come back on-line prematurely, \nor order dispersed generation sources to turn off during periods when \nload is approaching generation capacity, causing instability and \noutages on the bulk power system. One of the potential capabilities of \nthe Smart Grid is the ability to remotely disconnect service using \nadvanced metering infrastructure (AMI). If insufficient security \nmeasures are implemented in a company's AMI application, an adversary \nmay be able to access the AMI system and could conceivably disconnect \nevery customer with an AMI device. If such an attack is widespread \nenough, the resultant disconnection of load on the distribution system \ncould result in impacts to the bulk power system. If an adversary \nfollows this disconnection event with a subsequent and targeted cyber \nattack against remote meters, the restoration of service could be \ngreatly delayed.\n    The CIP standards will apply to some, but not all, Smart Grid \napplications. The standards require users, owners, and operators of the \nbulk power system to protect cyber assets, including hardware, \nsoftware, and data, which would affect the reliability or operability \nof the bulk power system. These assets are identified using a risk-\nbased assessment methodology that identifies electric assets that are \ncritical to the reliable operation of the bulk power system. 
If a Smart \nGrid device were to control a critical part of the bulk power system, \nit would be considered a critical cyber asset subject to the protection \nrequirements of the CIP standards.\n    Many of the Smart Grid applications will be deployed at the \ndistribution and end-user level so they may incorrectly be viewed as \nnot affecting the bulk power system. For example, some applications may \nbe targeted at improving market efficiency in ways that may not have a \nreliability impact on the bulk power system, such that the protection \nrequirements of the CIP standards, as they are currently written, may \nnot apply. However, as discussed above, these applications either \nindividually or in the aggregate could affect the bulk power system.\n    The commission and its staff currently are coordinating with a \nnumber of Governmental and private sector organizations on \ncybersecurity issues surrounding Smart Grid technology, including the \nDOE Smart Grid Task Force, the NIST Domain Expert Working Groups, the \nGridwise Architecture Council, and the FERC-NARUC Smart Grid \nCollaborative. The commission has issued a policy statement that would \nstrongly encourage interoperability of Smart Grid technologies, \nrecognizing that cybersecurity is essential to the operation of the \nSmart Grid. The Policy Statement stated that the commission will \nrequire a demonstration of sufficient cybersecurity protections in the \nproposed Smart Grid standards to be considered in rulemaking \nproceedings under the Energy Independence and Security Act of 2007 \n(EISA), including, where appropriate, a proposed Smart Grid standard \napplicable to local distribution-related components of Smart Grid. 
The \ncommission also encouraged NERC to work with NIST in the development of \nthe standards.\n    While the commission is doing what it can under its jurisdiction, \nEISA does not make any standards mandatory and does not give the \ncommission authority to make or enforce any such standards. Under \ncurrent law, the commission's authority, if any, to make Smart Grid \nstandards mandatory must derive from the FPA.\n           physical security and other threats to reliability\n    The commission's current reliability authority does not extend to \nphysical threats to the grid, but physical threats can cause equal or \ngreater destruction than cyber attacks and the Federal Government \nshould have no less ability to act to protect against such potential \ndamage. One example of a physical threat is an electromagnetic pulse \n(EMP) event. In 2001, Congress established a commission to assess the \nthreat from EMP, with particular attention to be paid to the nature and \nmagnitude of high-altitude EMP threats to the United States; \nvulnerabilities of U.S. military and civilian infrastructure to such \nattack; capabilities to recover from an attack; and the feasibility and \ncost of protecting military and civilian infrastructure, including \nenergy infrastructure. In 2004, the commission issued a report \ndescribing the nature of EMP attacks, vulnerabilities to EMP attacks, \nand strategies to respond to an attack.\\1\\ A second report was produced \nin 2008 that further investigated vulnerabilities of the Nation's \ninfrastructure to EMP.\n---------------------------------------------------------------------------\n    \\1\\ Graham, Dr. William R. 
et al, Report of the Commission to \nAssess the Threat to the United States from Electromagnetic Pulse (EMP) \nAttack (2004).\n---------------------------------------------------------------------------\n    An EMP may also be a naturally-occurring event caused by solar \nflares and storms disrupting the Earth's magnetic field. In 1859, a \nmajor solar storm occurred, causing auroral displays and significant \nshifts of the Earth's magnetic fields. As a result, telegraphs were \nrendered useless and several telegraph stations burned down. The \nimpacts of that storm were muted because very little electronic \ntechnology existed at the time. Were the storm to happen today, \naccording to an article in Scientific American, it could ``severely \ndamage satellites, disable radio communications, and cause continent-\nwide electrical black-outs that would require weeks or longer to \nrecover from.''\\2\\ Although storms of this magnitude occur rarely, \nstorms and flares of lesser intensity occur more frequently. Storms of \nabout half the intensity of the 1859 storm occur every 50 years or so \naccording to the authors of the Scientific American article, and the \nlast such storm occurred in November 1960, leading to world-wide \ngeomagnetic disturbances and radio outages.\n---------------------------------------------------------------------------\n    \\2\\ Odenwald, Sten F. and Green, James L., Bracing the Satellite \nInfrastructure for a Solar Superstorm, Scientific American Magazine \n(Jul. 28, 2008).\n---------------------------------------------------------------------------\n    Further, the power grid is particularly vulnerable to solar storms, \nas transformers are electrically grounded to the Earth and susceptible \nto damage from geomagnetically induced power spikes. 
The collapse of \nnumerous transformers across the country could result in reduced grid \nfunctionality or even prolonged power outages.\n    FERC staff has no data on how well the bulk power system is \nprotected against an EMP event, and the existing reliability standards \ndo not address EMP vulnerabilities. Further, the commission currently \ndoes not have any specific authority to order owners and operators of \nthe transmission grid, generation facilities and other electric \nfacilities to protect their facilities from EMP-related events, other \nthan the general authority to order NERC to develop a reliability \nstandard addressing EMP. Protecting the electric generation, \ntransmission, and distribution systems from severe damage due to an EMP \nwould involve vulnerability assessments at every level of electric \ninfrastructure. In addition, as the reports point out, the reliable \noperation of the electric grid requires other infrastructure systems, \nsuch as communications, natural gas pipelines and transportation, which \nwould also be affected by such an attack or event.\n                        the need for legislation\n    In my view, section 215 of the Federal Power Act provides an \nadequate statutory foundation for the ERO to develop most reliability \nstandards for the bulk power system. However, the nature of a national \nsecurity threat by entities intent on attacking the United States \nthrough vulnerabilities in its electric grid stands in stark contrast \nto other major reliability vulnerabilities that have caused regional \nblackouts and reliability failures in the past, such as vegetation \nmanagement and protective relay maintenance practices. Widespread \ndisruption of electric service can quickly undermine the U.S. \nGovernment, its military, and the economy, as well as endanger the \nhealth and safety of millions of citizens. 
Given the national security \ndimension to this threat, there may be a need to act quickly to protect \nthe grid, to act in a manner where action is mandatory rather than \nvoluntary, and to protect certain information from public disclosure.\n    The commission's current legal authority is inadequate for such \naction. This is true of both cyber and non-cyber physical threats to \nthe bulk power system that pose national security concerns. This lack \nof authority results in the electric grid being vulnerable to attacks, \nboth physical and cyber.\n    Any new legislation should address several key concerns. First, to \nprevent a significant risk of disruption to the grid, legislation \nshould allow the commission to take action before a cyber or physical \nnational security incident has occurred. In order to protect the grid, \nit is vital that the commission be authorized to act before an attack \nto address vulnerabilities and threats. Second, any legislation should \nallow the commission to maintain appropriate confidentiality of \nsensitive information submitted, developed or issued under this \nauthority. Third, it is important that Congress be aware that if \nadditional reliability authority is limited to the bulk power system, \nas that term is currently defined in the FPA, it would exclude \nprotection against attacks involving Alaska and Hawaii, including any \nFederal installations located therein. The current interpretation of \nthe term bulk power system also excludes some transmission and all \nlocal distribution facilities, including virtually all of the \nfacilities in certain large cities such as New York, thus precluding \npossible commission action to mitigate cyber or other national security \nthreats to reliability that involve such facilities and major \npopulation areas. Finally, it is important that entities be permitted \nto recover costs they incur to mitigate vulnerabilities and threats. 
\nThe commission currently has authority to allow recovery by entities \nthat meet the FPA definition of ``public utility.'' If Congress \nbelieves it appropriate, it could include in legislation a directive \nthat the commission establish a cost recovery mechanism for the costs \nassociated with compliance with any FERC order issued pursuant to the \nemergency authority.\n    Finally, any legislation on national security threats to \nreliability should address not only cybersecurity threats but also \nintentional physical malicious acts (targeting, for example, critical \nsubstations and generating stations) and threats from an \nelectromagnetic pulse. FERC should be granted authority to address both \ncyber and physical threats and vulnerabilities, primarily because FERC \nis the one Federal agency with any statutory responsibility to oversee \nreliability of the grid. This additional authority would not displace \nother means of protecting the grid, such as action by Federal, State, \nand local law enforcement and the National Guard. If particular \ncircumstances cause both FERC and other Governmental authorities to \nrequire action by utilities, FERC would coordinate with other \nauthorities as appropriate. Additionally, any FERC authority to address \nthreats to the grid would be based on a determination by the President \nor a national security agency that national security is endangered.\n                               conclusion\n    The commission's current authority is not adequate to address cyber \nor other national security threats to the reliability of our \ntransmission and power system. These types of threats pose an \nincreasing risk to our Nation's electric grid, which undergirds our \nGovernment and economy and helps ensure the health and welfare of our \ncitizens. Congress should address this risk now. Thank you again for \nthe opportunity to testify today. I would be happy to answer any \nquestions you may have.\n\n    Ms. Clarke. 
Thank you very much, Mr. McClelland. Ms. \nHoffman.\n\n STATEMENT OF PATRICIA A. HOFFMAN, ACTING ASSISTANT SECRETARY, \n    OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, \n                      DEPARTMENT OF ENERGY\n\n    Ms. Hoffman. Thank you, Chairwoman Clarke, Members of the \nsubcommittee, for this opportunity to testify before you on \nelectric sector vulnerabilities and cybersecurity issues.\n    For more than a decade, the Department of Energy has been \nengaged with the private sector to secure the electric grid. \nThe Homeland Security Presidential Directive 7 designated the \nDepartment of Energy as the Energy Sector-specific agency and \nprovided authorization to collaborate with all Federal \nagencies, State and local governments, and the private sector \nto conduct vulnerability assessments of the energy sector, and \nto encourage risk management strategies.\n    Securing the critical infrastructure is a shared \nresponsibility and requires public-private partnerships. Asset \nowners bear the main responsibility for ensuring that key \nresources are secure and for making the appropriate \ninvestments, for reporting emergency information to the \nGovernment, and for implementing protective practices and \nprocedures.\n    With an economy that is in the process of recovering, it is \neven more critical that all energy sector stakeholders \nunderstand the available options, their associated costs, and \nthe roadmap or path to a more secure energy infrastructure.\n    As we deploy Smart Grid technology, load management \ntechnology, plug-in hybrid electric vehicles, distributed \ngeneration, micro grid, we may find that some measures may not \nbe necessary, while new ones may emerge. 
The energy sector's \nthreat analysis encompasses natural events, hurricanes, \ncriminal acts, insider threats, and both foreign and domestic \nterrorism.\n    Because of the diversity of assets in the systems in the \nenergy sector, a multitude of methodologies have been used to \nassess risks, vulnerabilities, and consequences. No single \nmethodology or tool has been used to assess risk in the energy \nsector assets, such as what the Nuclear Regulatory Commission \ndoes with design basis threats.\n    Lessons learned from DBD analysis in the nuclear industry \ncould be applied to the electric industry, especially for large \ngenerating stations, large substations and major control \ncenters.\n    To address the advancing capabilities of the global cyber \nthreat as well as implementation of Smart Grid, the Department \nof Energy has requested an increase in our 2010 research budget \nfor cybersecurity and energy delivery systems, from $12 million \nin 2009, to $50 million in 2010.\n    Activities proposed under this budget include, expanding \nour national SCADA test bed activities and cybersecurity \nassessments of control systems, utilizing existing control \nsystems simulators as hosts for cyber training, develop trusted \nanchors to build trustworthy networks from untrusted \ncomponents, and development of a cybersecurity Smart Grid test \nbed.\n    Currently, a laboratory industry and research effort to \nenhance the cybersecurity of the energy infrastructure has \nproduced results in four areas. We have identified \nvulnerabilities, cyber vulnerabilities in energy control \nsystems, and have worked with vendors to develop hardened \nsystems that mitigate the risk.\n    Develop more secure communication methods between energy \ncontrol systems in field devices. 
We have developed tools and \nmethods to help utilities assess their security posture, and we \nhave provided extensive cybersecurity training for energy \nowners and operators to help them prevent, detect, and mitigate \ncyber penetration.\n    The Department is working collaboratively with the private \nsector on several activities to ensure that cybersecurity is \nbaked into the Smart Grid. Over the past year, the Department \nhas been working collaboratively with the utilities \ncommunication architecture user group to develop security \nrequirements for advanced metering infrastructure, a key \napplication to the Smart Grid.\n    The Department is now working to leverage this effort in \ncooperation with the UCS user group to develop cybersecurity \nrequirements for the full suite of Smart Grid technologies. \nAdditionally, the Department is working on procurement \nstandards as a part of this effort.\n    The Office of Electricity Delivery and Energy Reliability \nreceived $4.5 billion in the American Recovery and Reinvestment \nAct, of which about $3.4 billion is for grants for Smart Grid \ndevelopment and $650 million is for Smart Grid demonstration.\n    Cybersecurity should be addressed in every phase of the \nprojects awarded under this funding, and includes design \nthrough on-going maintenance and support. The technical \napproach to cybersecurity should include in the proposals, a \nsummary of cybersecurity risks and how they will be mitigated \nat each stage of the life cycle, a summary of the cybersecurity \ncriteria utilized by vendor and device selection, a summary of \nthe relevant cybersecurity standards or best practices that \nwill be followed, a summary of how the projects support \nemerging cybersecurity standards.\n    In conclusion, the United States needs a comprehensive \nframework to ensure a coordinated response. 
The Government, in \npartnership with key stakeholders, should design an effective \nmechanism that integrates information from the Government and \nthe private sector, and serves as a basis for informed and \nprioritized vulnerability mitigation efforts and incident \nresponse decisions.\n    This concludes my statement, Chairwoman Clarke. Thank you \nfor the opportunity to speak. I look forward to answering any \nquestions you or your colleagues may have.\n    [The statement of Ms. Hoffman follows:]\n               Prepared Statement of Patricia A. Hoffman\n                             July 21, 2009\n    Thank you Chairwoman Clarke and Members of the subcommittee for this \nopportunity to testify before you on electric sector vulnerabilities \nand cybersecurity issues.\n    All of us here today share a common concern that vulnerabilities \nexist within the electric system and that the Department of Energy, in \npartnership with the rest of the Federal Government and industry, \nshould address the full spectrum of events, from high-impact, low-\nprobability (HILP) to high-impact, high-probability. This is \nparticularly true for Smart Grid systems, which by their very nature \ninvolve the use of information and communication technologies in areas \nand applications on the electric system where they have not been used \nbefore.\n    For more than a decade, the Department has been substantively \nengaged with the private sector to secure the electric grid. In \nDecember 2003, the Homeland Security Presidential Directive 7 (HSPD-7) \ndesignated the Department as the sector-specific agency (SSA) for the \nenergy sector and provided authorization to collaborate with all \nFederal agencies, State and local governments, and the private sector, \nto conduct vulnerability assessments of the sector, and to encourage \nrisk management strategies for critical energy infrastructure.\n    Securing critical infrastructure is a shared responsibility. 
Asset \nowners bear the main responsibility for ensuring that key resources are \nsecure, for making the appropriate investments, for reporting threat \ninformation to the Government, and for implementing protective \npractices and procedures. As the SSA, the Department works closely with \nthe private sector and State/Federal regulators to provide secure \nsharing of threat information and collaborates with industry to \nidentify and fund gaps in infrastructure research, development, and \ntesting efforts.\n    With an economy in the process of recovering, it is even more \ncritical that all energy sector stakeholders understand the available \noptions, their associated costs, and the roadmap or path to a more \nsecure energy infrastructure. As we deploy Smart Grid technologies, \nload management technologies, plug-in hybrid electric vehicles and \ndistributed generation/microgrids, we may find some measures may not \nbecome necessary, while new ones may emerge.\n    critical infrastructure protection and risk management framework\n    Since the energy sector is characterized by very diverse assets and \nsystems, prioritization of sector assets and systems is highly \ndependent upon changing threats and consequences. The significance of \nmany individual components in the network is highly variable, depending \non location, time of day, day of the week, and season of the year.\n    The energy sector's threat analysis encompasses natural events, \ncriminal acts, and insider threats, as well as foreign and domestic \nterrorism. Because of the diversity of assets and systems in the energy \nsector, a multitude of methodologies have been used to assess risks, \nvulnerabilities, and consequences. 
No single methodology or tool has \nbeen used to assess risks to energy sector assets, such as the Nuclear \nRegulatory Commission's design-basis threat (DBT) which is used to \ndesign safeguards and systems to protect against acts of radiological \nsabotage and to prevent the theft of special nuclear material. Lessons \nlearned from DBT analysis in the nuclear industry could be applied to \nthe electric industry especially for large generating stations, large \nsubstations, and major control centers.\n    The exploitation of unintentional vulnerabilities has become one of \nthe greatest concerns for potential disruption and high-consequence \nevents. Control systems networks provide great efficiency and are \nwidely used. However, they also present a security risk, if not \nadequately protected. Many of these networks were initially designed to \nmaximize functionality, with little attention paid to security. With \nconnections to the internet, internal local area and wide area \nnetworks, wireless network devices, and modems, some networks are \npotentially vulnerable to disruption of service, process redirection, \nor manipulation of operational data that could cause disruptions to the \nNation's critical infrastructure.\n    The Department is planning to work with the Federal Energy \nRegulatory Commission and the North American Reliability Corporation \n(NERC) to examine the effects of HILP events on the bulk power system. \nThe effort will focus on HILP events such as influenza pandemic, space \nweather, terrorist attacks, and electromagnetic pulses. 
The purpose of \nthis effort will be to develop a framework to look at causes and \nconsequences and provide a tool to summarize preparedness, response, \nrecovery, and mitigation measures.\n    DOE does not have a program that would allow for private or \npublicly-owned utilities to receive Federal grants for hardening their \nequipment against an intentional or unintentional electromagnetic \npulse.\n   cybersecurity--information sharing and early detection and warning\n    The Roadmap to Secure Control Systems in the Energy Sector (2006) \nidentified the need to improve information sharing between the \nGovernment and the private sector as a high priority. In their 2008 \nAnnual Report, the Energy Sector Control Systems Working Group (ESCSWG), \nwhich has worked in partnership with the Department to implement the \nRoadmap, stated that most information protection and sharing issues \nbetween the U.S. Government and industry still have not been resolved.\n    The Department of Homeland Security (DHS) receives the most \ncomplete intelligence related to critical infrastructure protection \nbecause of its cross-sector responsibilities. DHS's Homeland \nInfrastructure Threat and Risk Analysis Center (HITRAC) develops early \nintelligence warnings, which it shares with the Department. DHS alerts \nthe US-Computer Emergency Readiness Team (US-CERT) and the North \nAmerican Electric Reliability Corporation (NERC).\n    DOE does not have a separate alert system. DOE does, however, have \nmandatory reporting requirements for electric emergency incidents and \ndisturbances (including cyber incidents) in the United States. Form OE-\n417, ``Electric Emergency Incident and Disturbance Report,'' is used to \nalert DOE to electrical emergency incidents and disruptions within a 1-\nhour or 6-hour period depending on the type of emergency. This \ninformation allows the Department to quickly respond to energy \nemergencies that may impact the Nation's infrastructure. 
The \ninformation, collected from the electric power industry, helps DOE meet \nits overall national security and Federal Emergency Management Agency's \nNational Response Framework responsibilities. DOE uses the data from \nthis form to obtain situational awareness of energy emergencies of U.S. \nelectric supply systems. DOE's Energy Information Administration (EIA) \npublishes the electric power emergency incidents and disturbances in \nits monthly EIA reports. The data may also be used to develop \nlegislative recommendations, reports to Congress and as a basis for DOE \ninvestigations. When appropriate, information is shared with FERC.\n    Early intelligence warnings provide the industry and Government \nsome insight into a potential attack but may not allow for timely \ndefense against many of them. Besides early intelligence warnings, the \nDepartment recommends that the industry develop its own capabilities \nfor monitoring rogue, malicious behavior on their systems. The industry \nshould monitor communications on their systems just as they monitor \nsystem performance. Diligence in upgrading security software and \nprotocols is essential to minimizing the impact of these events.\n    One of the challenges in creating an effective information sharing \nsystem is how to share classified intelligence information with State \nagencies and utility operators not cleared to receive this information. \nThe DHS has been working to grant clearances to appropriate members of \nthe community. An additional difficulty is the means by which the \ninformation can be communicated. 
For example, a security chief at a \nRegional Transmission Organization (RTO) may have a clearance, but not \nhave any means of communication or storage to receive the classified \ninformation except through face-to-face communications.\n                            cyber standards\n    Improving the security of the electric sector will require \ncoordination and cooperation between regulatory agencies and industry. \nBecause the security of the electric grid does not rely solely on \nvoluntary private-sector measures, much work is being done to develop \nnecessary cybersecurity standards. The Federal Energy Regulatory \nCommission through the NERC Critical Infrastructure Protection (CIP) \nhas mandated standards CIP-002 through CIP-009 to provide a security \nframework for the identification and protection of critical cyber \nassets that support reliable operation. In addition, the International \nElectrotechnical Commission (IEC) Working Group 15 of Technical \nCommittee 57 is developing IEC 62351, focusing on power systems \ncontrol, data communications, and security. The Power Engineering \nSociety Substations workgroup is developing P1689, a trial use standard \nfor retrofitting cybersecurity of serial Supervisory Control and Data \nAcquisition (SCADA) links in intelligent electronic devices for remote \naccess. International Society of Automation security standard ISA99 \naddresses cybersecurity for control systems. The National Institute of \nStandards and Technology (NIST) is also developing specific \nrecommendations and guidance for securing Smart Grid and other \nindustrial control systems. It is clear that standards development is a \npriority, and this activity should be monitored closely for progress, \nimplementation, and gaps.\n                         doe cyber r&d program\n    Our efforts to enhance the cybersecurity of the energy \ninfrastructure have produced results in four areas. We have:\n    1. 
Identified cyber vulnerabilities in energy control systems and \n        worked with vendors to develop hardened systems that mitigate \n        the risks;\n    2. Developed more secure communications methods between energy \n        control systems and field devices;\n    3. Developed tools and methods to help utilities assess their \n        security posture; and\n    4. Provided extensive cybersecurity training for energy owners and \n        operators to help them prevent, detect, and mitigate cyber \n        penetration.\n    In 2003, the Department launched its National SCADA Test Bed \n(NSTB), a state-of-the-art national resource designed to aid Government \nand industry in securing their control systems against cyber attack \nthrough vulnerability assessments, mitigation research, security \ntraining, and focused R&D efforts. The Department has expanded the NSTB \nto include resources and capabilities from five national laboratories.\n    To date, researchers have assessed 90% of the current market \noffering of SCADA/Energy Management Systems (SCADA/EMS) in the electric \nsector, and 80% of the current market offering in the oil and gas \nsector. Twenty NSTB and on-site field assessments of common control \nsystems from vendors including ABB, Areva, GE, OSI, Siemens, Telvent, \nand others, have led vendors to develop 11 hardened control system \ndesigns. Vendors have released countless software patches to better \nsecure legacy systems, which are now being used by 82 system \napplications in the sector. 
Findings from NSTB vulnerability \nassessments have also been generalized by Idaho National Laboratory \ninto its Common Vulnerabilities Report, which includes mitigation \nstrategies asset owners across the sector can use to better secure \ntheir systems.\n    In 2005, the Department, in cooperation with the DHS and Natural \nResources Canada, worked directly with experts in the oil, gas, and \nelectricity industries to develop a detailed, prioritized plan for \ncybersecurity improvements over the next 10 years, including best \npractices, new technology, and risk assessment. The results of this \nwork were published in the 2006 Roadmap to Secure Control Systems in \nthe Energy Sector, which lays out a vision that in 10 years, controls \nsystems for critical applications will be designed, installed, \noperated, and maintained to survive an intentional cyber assault with \nno loss of critical function. Industry members defined goals, \nmilestones, and priorities to guide the industry toward this vision.\n    Let me highlight two such projects that the Department is cost-\nsharing with the private sector to support the Roadmap:\n  <bullet> The Bandolier project, led by Digital Bond, is developing \n        automated checklists of security configuration baselines, \n        which, when deployed, can enable the audit of actual \n        configuration settings against these baselines. Downloadable \n        checklists have been developed and are now available for \n        Siemens, Telvent, ABB, and SNC systems, and Digital Bond has \n        worked to make its product available immediately and at a low \n        cost to utilities by offering it as subscriber content on its \n        website.\n  <bullet> The Hallmark project, led by Schweitzer Engineering \n        Laboratories, is working to commercialize the Secure SCADA \n        Communications Protocol originally developed by Pacific \n        Northwest National Laboratory. 
The technology allows utilities \n        to secure data communications between remote devices and \n        control centers--a critical cyber access path. The technology \n        will be available in a hardware device by mid-year.\n    The Department is also supporting research in academia through a \nmulti-university R&D project entitled ``Trustworthy Critical \nInfrastructure for the Power Grid (TCIP).'' This project is led by the \nUniversity of Illinois and includes Dartmouth College, Cornell \nUniversity, Washington State University, and companies representing the \nspectrum of the electric power industry including utilities, vendors, \nregulatory bodies, control center operators, reliability coordinators, \nand market operators. TCIP is funded mainly by the National Science \nFoundation with supporting funds from the Department and the Department \nof Homeland Security, Science and Technology Directorate.\n    In addition to R&D and NSTB assessments, the Department supports \nextensive cybersecurity training to help asset owners learn security \nmethods they can implement immediately to better secure their \nutilities. So far, the Department has trained more than 1,800 \nindividuals in the energy sector and is also ramping up its new \nadvanced Red Team/Blue Team training through Idaho National Laboratory. \nThis week-long course invites asset owners to participate in a \nsimulated attack scenario on an actual control systems environment, \ngiving them hands-on attack and mitigation training.\n    In collaboration with the North American Electric Reliability \nCorporation (NERC), Critical Infrastructure Protection Committee \n(CIPC), the Department leveraged its expertise and experience in \ncybersecurity assessments to develop foundational, intermediate, and \nadvanced mitigations for the NERC ``Top 10'' vulnerabilities associated \nwith control systems commonly used in the electric sector. 
The list was \ndeveloped by NERC members including small, medium, and large entities \nacross North America. The list is comprised of the most prevalent, most \nexploited, or highest-consequence vulnerabilities that a typical \nutility might find in their facilities. Utilities are encouraged to use \nthis list to augment their risk management processes. Utilities also \nused the list as means to select vendors and purchase systems that had \nsecurity ``built-in.''\n    In addition to its R&D and partnership initiatives, the Department \nis working collaboratively with the private sector on several \nactivities to ensure that cybersecurity is ``baked in'' to the Smart \nGrid. Over the past year, the Department has been working \ncollaboratively with the Utilities Communications Architecture (UCA) \nUsers Group (including utilities, vendors, et al) to develop \ncybersecurity requirements for advanced metering infrastructure (AMI)--\na key application for the Smart Grid. The group produced a document \ntitled ``AMI System Security Specifications'' which will help utilities \nprocure secure AMI systems. The Department is now working to leverage \nthis effort in cooperation with the UCA User Group to develop \ncybersecurity requirements for the full suite of Smart Grid \ntechnologies.\n    The Department is also working with the ESCSWG to update the 2006 \nRoadmap. The update will incorporate new information and lessons \nlearned, update end-states and milestones, and establish priorities \nthat have come to the forefront since 2006, such as Smart Grid and \nwireless technologies. So far, the ESCSWG has identified gaps in the \n2006 Roadmap, reviewed the Roadmap vision and goal structure, assessed \nchanges in the control systems landscape, and collected ideas for \nimplementation. 
In September 2009, the ESCSWG will bring together a \nbroad section of asset owners and operators, researchers, technology \ndevelopers, security specialists, and equipment vendors to establish \nnew goals and prioritize control systems security needs in the energy \nsector. The ESCSWG plans to release the new roadmap in January 2010.\n american recovery and reinvestment act (arra)--title xiii, smart grid\n    A Smart Grid uses information and communications technologies to \nimprove the reliability, availability, and efficiency of the electric \nsystem. With Smart Grid, these technologies are being applied to \nelectric grid applications, including devices at the consumer level \nthrough the transmission level, to make our electric system more \nresponsive and more flexible.\n    Enhanced grid functionality enables multiple devices to interact \nwith one another via a communications network. These interactions make \nit easier and more cost-effective, in principle, for a variety of clean \nenergy alternatives to be integrated with electric system planning and \noperations, as well as for improvements in the speed and efficacy of \ngrid operations to boost electric reliability and the overall security \nand resiliency of the grid. The communications network, and the \npotential for it to enhance grid operational efficiency and bring new \nclean energy into the system, are key distinguishing features of the \nSmart Grid compared to the existing system.\n    The Office of Electricity Delivery and Energy Reliability received \n$4.5 billion in the ARRA, of which about $3.4 billion is for grants for \nSmart Grid development and $615 million is for Smart Grid \ndemonstrations. In order to gain the greatest return on investment, \nthis grant money will be disbursed in six areas: Equipment \nmanufacturing, customer systems, advanced metering infrastructure, \nelectric distribution systems, electric transmission systems, and \nintegrated and/or crosscutting systems. 
The Federal funds for this \nprogram have been divided into two categories:\n  <bullet> Smaller projects in which the Federal share would be in the \n        range of $300,000 to $20,000,000;\n  <bullet> Larger projects in which the Federal cost share would be in \n        the range of $20,000,000 to $200,000,000.\n    Approximately 40% of Smart Grid Investment Grant (SGIG) funding \nwill be allocated for smaller projects, while approximately 60% will be \nallocated for larger projects. DOE reserves the right to revise these \nallocations depending on the quantity and quality of the applications \nreceived.\n    DOE is working to reduce cybersecurity risks by including the \nfollowing language in the grant announcement:\n\n``Cybersecurity should be addressed in every phase of the engineering \nlifecycle of the project, including design and procurement, \ninstallation and commissioning, and the ability to provide on-going \nmaintenance and support. Cybersecurity solutions should be \ncomprehensive and capable of being extended or upgraded in response to \nchanges to the threat or technological environment. 
The technical \napproach to cybersecurity should include:\n  <bullet> ``A summary of the cybersecurity risks and how they will be \nmitigated at each stage of the lifecycle (focusing on vulnerabilities \nand impact).\n  <bullet> ``A summary of the cybersecurity criteria utilized for \nvendor and device selection.\n  <bullet> ``A summary of the relevant cybersecurity standards and/or \nbest practices that will be followed.\n  <bullet> ``A summary of how the project will support emerging Smart \nGrid cybersecurity standards.''\n\n    DOE intends to work with those selected for award, but may not make \nan award to an otherwise meritorious application if that applicant \ncannot provide reasonable assurance that their cybersecurity efforts \nwill provide protection against broad-based systemic failures in the \nelectric grid in the event of a cybersecurity breach.\n    The following technical merit review criteria will be used in the \nevaluation of applications and in the determination of the SGIG project \nawards. The relative importance of the four criteria is provided in \npercentages in parentheses:\n    1. Adequacy of the Technical Approach for Enabling Smart Grid \n        Functions (40%);\n    2. Adequacy of the Plan for Project Tasks, Schedule, Management, \n        Qualifications, and Risks (25%);\n    3. Adequacy of the Technical Approach for Addressing \n        Interoperability and Cyber Security (20%); and\n    4. 
Adequacy of the Plan for Data Collection and Analysis of Project \n        Costs and Benefits (15%).\n    DOE's programs do not include grants to private or publicly-owned \nutilities for hardening their equipment against an intentional or \nunintentional electromagnetic pulse.\n                               conclusion\n    The United States needs a comprehensive framework to ensure a \ncoordinated response by the Federal, State, local, and Tribal \ngovernments, the private sector, and international allies to \nsignificant incidents related to the Nation's electric power grid, \nparticularly cyber. Implementation of this framework will require \ndeveloping reporting thresholds, adaptable response and recovery plans, \nand the coordination, information sharing, and incident reporting \nmechanisms needed for those plans to succeed. The Government, working \nwith key stakeholders, should design an effective mechanism to achieve \na true common operating picture that integrates information from the \nGovernment and the private sector and serves as the basis for informed \nand prioritized vulnerability mitigation efforts and incident response \ndecisions.\n    The focus should be on addressing the full range of threats and \nvulnerabilities to critical infrastructure versus the bulk power system \nand requires public-private and international partnerships.\n    Priority should be placed on deploying sensors for complete and \ngreater depth in monitoring and diagnostics of physical and cyber \nevents.\n    The Federal Government and industry must develop a security \nbaseline and benchmark milestones for securing critical infrastructure.\n    As the capabilities of the threat continue to outpace our ability \nto develop and implement countermeasures, it is critical that control \nsystems for critical applications be designed, installed, operated, and \nmaintained to survive an intentional cyber assault with no loss of \ncritical functions.\n    This concludes my 
statement, Chairwoman Clarke. Thank you for the \nopportunity to speak. I look forward to answering any questions you and \nyour colleagues may have.\n\n    Ms. Clarke. Thank you very much, Ms. Hoffman.\n    Mr. McGurk.\n\nSTATEMENT OF SEAN P. MCGURK, DIRECTOR, CONTROL SYSTEMS SECURITY \n      PROGRAM, NATIONAL CYBERSECURITY DIVISION, OFFICE OF \n   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND \n     PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. McGurk. Thank you, Chairwoman Clarke, thank you, Member \nLungren, distinguished Members of the subcommittee. I am Sean \nMcGurk, the director of the Department of Homeland Security's \nControl Systems Security Program, and the director of the \nIndustrial Control Systems Cyber Emergency Response Team, or \nthe ICS-CERT.\n    I am pleased to appear before you here today, to discuss \nthe importance of securing control systems that operate our \ncritical infrastructure including the Smart Grid. Control \nsystem electric power to operate the physical processes which \nproduce the goods and services that we rely upon on a daily \nbasis. Therefore assessing risk and effectively securing \nindustrial control systems, is vital to maintaining our \nNation's strategic interests, public safety, and economic \nprosperity.\n    In 2003, the Department of Homeland Security was designated \nas the lead agency for cybersecurity. Since then, several \nHomeland Security Presidential directives have established \nnational policy and further outlined the Department's \nresponsibility to collaborate with public and private sector \nentities to evaluate emerging technologies.\n    In May 2004, DHS created the control system security \nprogram to further this mission and lead a cohesive effort \nfocused on reducing the risk to control systems that operate \nthe critical infrastructure. 
The CSSP recognizes that leading \nin these activities, such as understanding threats, \nvulnerabilities, and subsequent mitigation strategies, is \nessential to securing these systems.\n    To support our leadership role, CSSP funding for fiscal \nyear 2009, is $22 million. This was an increase from a previous \nyear's budget of $12 million that enabled us to expand and \nenhance our vulnerability discovery facility. This facility \nprovides advanced capabilities that will aid in identifying the \ninterdependencies of the critical infrastructures.\n    Additionally, the Federal workforce was increased from one \nposition to an authorization of nine Federal employees. For \nfiscal year 2010, the President's budget request included an \nincrease of $5.56 million for CSSP. Even with these \nenhancements, the requirements to evaluate new technologies and \nthe ability to assess risk across the 18 critical \ninfrastructures presents a challenge.\n    In order to understand the risk, it is important to \nunderstand the threats, including those actors and motivations, \nnot only to control systems, but to digital computing in \ngeneral. Common crackers or hackers comprise the most prevalent \ngroup of cyber attackers. They attempt to break in, in order to \nhack into computer systems to exploit flaws.\n    Often, motivation is data exfiltration for financial gain. \nOf greater concern are the hackers who install back doors such \nas trojans or root kits that enable them to remotely access the \nsystems or the devices. The knowledgeable insider is probably \nthe most dangerous threat to systems operation and security \nbecause this is someone who is trusted and has access to the \nnetworks and other important company information.\n    Cyber terrorists, or hacktivists, are those who seek to \ndisrupt internet activity in the name of personal, political, \nor social cause or shared ideology. 
These individuals \ncollaborate via cyberspace and work as an organized group \nagainst their target.\n    These challenges to security offer several opportunities \nfor malicious actors to attempt to penetrate our systems, using \nthe vulnerabilities and the advanced technologies that control \nour critical infrastructure. The CSSP evaluates risk, conducts \noperational risk management, and develops mitigation plans to \nmanage risk to an acceptable level.\n    These activities include control system sector analysis, \nscenario development and the development of various tools and \ntraining products. In 2006, CSSP conducted the analysis based \non the premise of using the electric grid to attack a facility. \nWe demonstrated how a perpetrator could use the electric grid \nsystem to produce significant physical damage to the equipment \nand the systems.\n    The Aurora analysis highlights the importance of assessing \nrisk, interdependencies, and the need to secure industrial \ncontrol systems in order to maintain our Nation's strategic \ninterests. While these efforts result in cybersecurity \nstrategies that help to increase the overall security of the \ngrid, they do not protect the grid from attack.\n    DHS works closely with responsible Federal agencies such as \nthe Department of Energy and the Federal Energy Regulatory \nCommission, as well as the private sector, with the North \nAmerican Electric Reliability Corporation, to provide \nmitigation measures that reduce the risk of cyber attack. The \nSecretary of Homeland Security takes these issues of securing \nour critical infrastructure very seriously.\n    Since 2004, this Department has conducted 148 assessments \nof electric sector facilities through the office of \ninfrastructure protection. 
To further our mission, we lead a \ncohesive effort between Government and industry and the program \ncreated the Industrial Control Systems CERT to analyze and \nrespond to private sector reports of control systems incidents.\n    We also engage with our Federal partners, such as the \nDepartment of Defense, the Department of Energy, and the \nintelligence community to address equities and mitigate the \nrisks as we move forward. We also work closely with industry \npartners, such as NERC, to provide detailed analysis of cyber \nevents in order to identify the risks and provide real-time, \nactionable information for asset owners.\n    Chairwoman Clarke, Ranking Member Lungren, and \ndistinguished Members, I have outlined the role of the \nDepartment's Control Systems Security Program, and the role it \nwill play in addressing the risk to technologies, including the \nSmart Grid. With your assistance, we will help the Department \nto continue to protect America.\n    Thank you again for this opportunity to testify, and I will \nbe happy to answer your questions.\n    [The statement of Mr. McGurk follows:]\n                  Prepared Statement of Sean P. McGurk\n                             July 21, 2009\n    Chairwoman Clarke, Ranking Member Lungren, and distinguished \nMembers, I am Sean McGurk, the Director of the Department of Homeland \nSecurity (DHS) Control Systems Security Program (CSSP) at the National \nProtection and Programs Directorate. I am pleased to appear before you \ntoday to discuss the importance of securing the control systems that \noperate our critical infrastructure.\n    A control system is a general term that encompasses several types \nof systems, including Supervisory Control and Data Acquisition (SCADA), \nprocess control, and other automated systems that are found in the \nindustrial sectors and critical infrastructure. 
These systems are used \nto operate physical processes that produce the goods and services that \nwe rely upon such as electricity, drinking water, and manufacturing. \nControl systems security in our electric power grid is particularly \nimportant because of the significant interdependencies inherent with \nthe use of energy in all other sectors. Additionally, we rely on the \nelectric grid to operate the Federal, State, and local, Tribal \ngovernments; therefore, assessing risk and effectively securing \nindustrial control systems are vital actions to maintaining our \nNation's strategic interests, public safety, and economic prosperity.\n    In 2003, the National Strategy to Secure Cyberspace designated DHS \nas the lead agency for cybersecurity. Since then, Homeland Security \nPresidential Directives (HSPD) 7 and 23 have established national \npolicies and further outlined the Department's responsibility to \ncollaborate with public and private sector entities to evaluate \nemerging technologies. Additionally, various Government Accountability \nOffice (GAO) reports (e.g., GAO report: Critical Infrastructure \nProtection: Challenges and Efforts to Secure Control Systems) have \nfurther shaped Federal activities to improve the security of critical \ninfrastructure and key resources (CIKR) by identifying the risks that \ncould impact the networks that operate our critical infrastructure. In \nMay 2004, DHS created the Control Systems Security Program (CSSP) to \nfurther this mission and lead a cohesive effort focused on reducing the \ncyber risks to the control systems that operate the CIKR.\n    To establish a framework to secure the CIKR, DHS issued the \nNational Infrastructure Protection Plan (NIPP). This plan identifies \nthe CSSP as responsible for leading activities to reduce the likelihood \nof success and severity of impact of cyber attacks against our Nation's \ncontrol systems. 
The CSSP recognizes that understanding the threats, \nvulnerabilities, and subsequent mitigation strategies is essential in \nsecuring industrial control systems.\n    The CSSP funding for fiscal year 2009 is $22 million, an increase \nfrom the previous year's budget of $12 million that enabled us to \nexpand and enhance the Advanced Vulnerability Discovery facility. This \nfacility provides advanced modeling and simulation capabilities that \nwill aid in identifying the interdependencies of the infrastructures. \nAdditionally, the Federal workforce increased from one position to an \nauthorization for nine Federal employees. For fiscal year 2010, the \nPresident's budget request included an increase of $5.56 million for \nthe CSSP. With these enhancements, DHS will be able to evaluate new \ntechnologies and begin assessing risk across additional CIKR sectors. \nCSSP continues to build a culture of reliability and security by \npartnering with Government agencies, industry, and the international \ncommunity to reduce the cyber risks to U.S.-based control systems and \nevaluate emerging technologies such as the Advanced Metering \nInfrastructure and the Smart Grid for the energy sector.\n    In order to understand the risks, it is important to understand the \nthreats, including actors and motivations, not only to control systems, \nbut to digital computing in general.\n  <bullet> Common hackers comprise the most prevalent group of cyber \n        attackers. They attempt to break-in or hack into computer \n        systems or exploit flaws in software to circumvent systems \n        security. Often the motivation is data exfiltration for \n        financial gain. 
Other hackers install backdoors such as Trojans \n        or other software such as rootkits that enable them to remotely \n        access the system or device at a later date to perform a \n        variety of nefarious actions.\n  <bullet> The insider is a dangerous threat to control systems because \n        the individual has internal knowledge to processes and \n        components. Insiders can defeat security measures put in place \n        even when entities follow best practices and procedures.\n  <bullet> Cyber-terrorists or hacktivists are those who seek to \n        disrupt internet activity in the name of a shared ideology or \n        personal, political, or social cause. These actors collaborate \n        via cyberspace and work as an organized group against their \n        targets to further their political or social agenda. Web \n        defacements, denial of service attacks, and redirects are the \n        most common acts carried out against a target or targets.\n    These security challenges offer opportunities for malicious actors \nto attempt to penetrate our critical infrastructure using the \nvulnerabilities in advanced technologies such as the Smart Grid.\n    The CSSP evaluates risk and serves as the focal point for \ncoordinating numerous resources to assist all critical infrastructure \nentities, including the members of the electric power grid. The CSSP \nconducts operational cyber risk management activities and leads \nstrategic initiatives to develop the mitigation plans to manage cyber \nrisk to an acceptable level. 
These activities include: Control systems \nsector analysis of vulnerabilities and interdependencies; scenario \ndevelopment; vendor product assessments; incident response activities; \nand the development of assessment tools, information products, and \ntraining.\n    In 2006, CSSP conducted an analysis based on the premise of using \nthe electric grid to attack a nuclear facility (originally this was the \n``PANDORA'' analysis that later became ``AURORA''). This analysis was \nperformed at the Control Systems Analysis Center (CSAC) operated by the \nDepartment of Energy's Idaho National Laboratory. The CSAC's analysis \ndemonstrated how a perpetrator could use the electric utility system to \nproduce significant nuclear plant apparatus and systems. It is \nimportant to note that this vulnerability was not related to a specific \nor imminent threat, and that the vulnerable control system and the \nequipment which could be damaged by an attack are often owned by two \ndifferent entities. The analysis highlights the importance of assessing \nrisk, interdependencies, and the need to secure industrial control \nsystems in order to maintain our Nation's strategic interests, public \nsafety, and economic prosperity.\n    While these efforts result in cybersecurity strategies that help to \nincrease the overall security of the electric grid, they do not protect \nthe grid from attacks. DHS works closely with the Department of Energy \nin providing mitigation measures that reduce the risk of cyber attacks, \nsuch as those exploiting the AURORA vulnerability. 
DHS works directly \nwith the sector specific agencies such as the Departments of Defense \nand Energy, The Federal Energy Regulatory Commission (FERC) and the \nNuclear Regulatory Commission (NRC), as well as with our private sector \npartners such as the North American Electric Reliability Corporation \n(NERC) to help them secure their infrastructure assets through \nvoluntary programs.\n    The Secretary of Homeland Security takes the issue of securing our \nNation's critical infrastructure very seriously and continues to \nemphasize an all-hazards approach to a safe and secure homeland. The \nCSSP focuses on a broad range of strategic cybersecurity initiatives \nrelated to securing the systems that operate the Nation's critical \ninfrastructure, regardless of the cause.\n    Since 2004 the Department has conducted 148 assessments of electric \nsector facilities through the Office of Infrastructure Protection. \nThese include cybersecurity assessments conducted by CSSP, which \nutilize several tools that we developed, such as the Control Systems \nCyber Security Self Assessment Tool (CS2SAT) and the Cyber Security \nVulnerability Analysis (CSVA). 
DHS and the other sector-specific \nagencies perform these vulnerability assessments as directed in HSPD 7, \nwhich states that in accordance with guidance provided by the Secretary \nof Homeland Security, sector-specific agencies shall:\n    (a) collaborate with all relevant Federal Departments and Agencies, \n        State and local governments, and the private sector, including \n        with key persons and entities in their infrastructure sector;\n    (b) conduct or facilitate vulnerability assessments of the sector; \n        and\n    (c) encourage risk management strategies to protect against and \n        mitigate the effects of attacks against critical infrastructure \n        and key resources.\n    In addition to performing vulnerability analyses and assessments, \nthe CSSP also created a series of recommended practices and \ninformational products to assist owner-operators in improving the \nsecurity of their control systems. These information resources are \npublicly available on-line at http://www.us-cert.gov/control_systems/ \nand also are promoted through the monthly meetings held by the Cross-\nSector Cyber Security Working Group, the Industrial Control Systems \nJoint Working Group's (ICSJWG) quarterly meetings, and other sector \nforums.\n    While products and tools allow asset owners and operators to \nunderstand the cyber risk to their control systems, it is essential \nthat all stakeholders have knowledge of the fundamental principles of \ncontrol systems security. To that end, we developed an advanced \ntraining center at the Idaho National Laboratory which includes \nfunctional models of critical infrastructure equipment. This center \nprovides award-winning, hands-on training that ranges from introductory \nweb-based courses to advanced, hands-on ``Red Team/Blue Team'' \nexercises and instructor-led classes. 
This effort has trained more than \n14,000 professionals through both classroom and web-based instruction.\n    To further our mission and lead a cohesive effort between \nGovernment and industry, the Program created two overarching \ninitiatives: the Industrial Control Systems Cyber Emergency Response \nTeam (ICS-CERT) and the ICSJWG.\n    The ICS-CERT, in coordination with the Department's United States \nComputer Emergency Readiness Team (US-CERT), responds to and analyzes \ncontrol systems-related incidents, conducts analyses of vulnerabilities \nand malicious software (malware), and disseminates cybersecurity \nguidance to all sectors through informational products and alerts. The \nICS-CERT provides a more efficient coordination of control system-\nrelated security incidents and information sharing with Federal, State, \nand local agencies and organizations, the intelligence community, and \nprivate sector constituents including vendors, owner-operators, and \ninternational and private sector computer emergency response teams \n(CERTs).\n    Recently, the ICS-CERT responded to an incident at a public water \nutility, conducting on-site analysis of an event and providing \nrecommendations to increase the security posture of the facility. \nAdditionally, we conducted detailed digital media analysis of the \nsystem hard drive in order to determine the root cause of the incident. \nI am available to provide details of the incident in a classified brief \nat a later date. The CSSP and ICS-CERT regularly identify \nvulnerabilities and work with the vendors, owners, and operators of \ncontrol systems to develop mitigation strategies tailored to their use \nand application in each of the critical sectors. We recognize there can \nbe a gap between identification of a vulnerability and development of a \nvendor patch or full solution. 
To address this, the CSSP developed a \nVulnerability Management Process operated by the ICS-CERT, in \nconjunction with trusted partners, to identify interim mitigation and \nconsequence management approaches. We also engage with our Federal \npartners, such as the Departments of Defense and Energy as well as the \nintelligence community, to address equities and mitigate risks as we \nmove from vulnerability identification, to risk assessment, to \nmitigation development and promulgation. These efforts help us evaluate \nnew and emerging technologies such as Smart Grid, and the cyber risks \nthat they introduce to control systems.\n    The ICSJWG follows a structured approach in accordance with the \nNIPP partnership framework and the Critical Infrastructure Partnership \nAdvisory Council to continue the successful efforts of the Process \nControl System Forum to accelerate the design, development, and \ndeployment of more secure industrial control systems. The ICSJWG is \ncomprised of industry representatives from both private sector and \nGovernment coordinating councils and provides a vehicle for \ncommunicating and partnering across all CIKR sectors among Federal, \nState, and local agencies, and private asset owner-operators of \nindustrial control systems. The ICSJWG and ICS-CERT collaborate with \none another to leverage partnerships for information sharing and \nawareness of current threats and vulnerabilities. CSSP is also \ncollaborating with the DHS Science & Technology Directorate (S&T) to \nensure that their planned research and development in this area is \nwell-informed and complements CSSP's related work with industry and \nowners/operators.\n    Implementation of the Smart Grid will include the deployment of \nmany new technologies, such as advanced sensors to improve situational \nawareness, advanced metering, automatic meter reading, and integration \nof distributed generation resources. 
These new technologies will \nrequire the addition of multiple communication mechanisms and \ninfrastructures that must be coordinated with the developing \ntechnologies and existing systems. Smart Grid deployment is likely to \nincrease the complexity of the existing power grid system. Increased \ncomplexity and expanded communication paths could lead to an increase \nin vulnerability to cyber attack unless there is a coordinated effort \nto enforce security standards for design, implementation, and \noperation. As the lead agency for cybersecurity and preparedness, DHS \nis evaluating the risks and developing guidance to increase the \nsecurity of control systems with the implementation of new \ntechnologies.\n    Chairwoman Clarke, Ranking Member Lungren, and distinguished \nMembers, I have outlined the role the Department's Control Systems \nSecurity Program will play in addressing the risks that Smart Grid \ntechnologies will introduce to control systems. With your assistance, \nwe will help the Department continue to protect America. Thank you \nagain for this opportunity to testify. I will be happy to answer your \nquestions.\n\n    Ms. Clarke. Thank you, Mr. McGurk.\n    Our next testimony comes from Ms. Cita Furlani.\n\nSTATEMENT OF CITA M. FURLANI, DIRECTOR, INFORMATION TECHNOLOGY \n   LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n    Ms. Furlani. Member Lungren, and Members of the \nsubcommittee. 
I am Cita Furlani, the director of the \nInformation Technology Laboratory, at the Department of \nCommerce's National Institute of Standards and Technology.\n    Thank you for the opportunity to appear before you today, \nto discuss NIST's role in ensuring the cybersecurity and \nreliability of the information and communication aspect of the \nSmart Grid.\n    As the Nation's measurement and standards institute, NIST \nhas earned a reputation as an impartial, technically \nknowledgeable third-party, with a long history of working \ncollaboratively with industry and with other Government \nagencies. These strengths allow NIST to make a unique \ncontribution to the establishment of the Smart Grid.\n    Recognizing the benefit of focusing this technical \nexpertise in industry-oriented mission, on what is one of the \nNation's most pressing issues, Congress, and the Energy \nIndependence and Security Act of 2007, called on NIST to take a \nleadership role in ensuring an interoperable, secure, and open \nenergy infrastructure, that will enable all electric resources, \nincluding demand-side resources, to contribute to an efficient, \nreliable electricity network.\n    NIST's three-phase approach is to build on the relationship \nwith DOE, FERC, DHS, and other Federal agencies to engage \nstakeholders to achieve consensus on Smart Grid standards.\n    By early fall, the process will deliver the Smart Grid \narchitecture framework, priorities for interoperability, and \ncybersecurity standards, and an initial set of standards to \nsupport implementation. 
In addition, plans to meet remaining \nstandards needs.\n    Second, to launch a formal public-private partnership to \nfacilitate development of additional standards to address \nremaining gaps and integrate new technologies.\n    Third, develop a plan for testing and certification to \nensure that Smart Grid equipment and systems conform to \nstandards for security and interoperability.\n    NIST views its role as accelerating the process by which \nthe standards development can occur. The actual standards \ndevelopment work is a process that takes place largely in the \nprivate sector, with standards development organizations, \nutilities, and other stakeholders.\n    NIST is reaching out to the private sector, and is using \nour expertise to identify where the barriers exist, where \nrelevant standards currently exist, where standards exist but \nare not interoperable, and where gaps exist that require \nstandards to be developed.\n    I would like to caution, however, that the process of \ncreating comprehensive and effective standards can be time-\nconsuming and difficult. To be effective, standards must be \ndeveloped with broad representation and buy-in from all key \nstakeholders.\n    It can take time to do this right. But, NIST is \nestablishing an agile framework that will meet the urgent \nnational need for specific Smart Grid standards. For the \nreliability of the electric power industry to be fully \nrealized, cybersecurity concerns must be addressed, in addition \nto assuring interoperability.\n    Congress recognizes, and is specifically calling out the \nissue of cybersecurity in the ESA legislation. This is a \ncritical issue due to the increasing potential of cyber attacks \nand incidents against this critical sector, as it becomes more \nand more interconnected.\n    The need to address potential vulnerabilities has been \nacknowledged across the Federal Government. 
This need has also \nbeen cited in the 60-day cyberspace policy review.\n    With the adoption and implementation of the Smart Grid, the \nIT and telecommunications sectors will be more directly \ninvolved. These sectors have existing cybersecurity standards \nto address vulnerabilities, conformity assessment programs to \nevaluate cybersecurity products, and assessment programs to \nidentify known vulnerabilities in systems.\n    Another issue for the Smart Grid, and the implementation of \ncybersecurity standards, is the concern that legacy equipment \nmight be difficult to modify to meet new standards. Smart Grid \ncybersecurity strategy must address the addition and continual \nupgrade of cybersecurity controls.\n    The cybersecurity strategy will require the development of \nan overall cybersecurity architecture to address potential \npoints of failure, conformity assessment procedures, and \ncertification criteria for personnel and processes.\n    To achieve secure interoperability, products and systems \nwill require conformity assessment that can be developed by \nNIST. Conformity assessment verifies that products adhere to \nthe specifications defined in the standards.\n    Once a standard has been published, conformity assessment \ncan accelerate product development by giving vendors well-\ndefined criteria to meet. Such testing should ensure that \ncybersecurity standards are affected and do not adversely \nimpact interoperability.\n    NIST is proud to have been given such an important role in \nSmart Grid cybersecurity through the ESA legislation. We \nbelieve with the continued cooperation and collective expertise \nof the industry in this effort, we will be able to establish \nthe cybersecurity standards to ensure the Smart Grid vision \nbecomes a reality.\n    Thank you for the opportunity to testify today. I would be \nhappy to answer any questions you may have.\n    [The statement of Ms. 
Furlani follows:]\n                 Prepared Statement of Cita M. Furlani\n                             July 21, 2009\n                              introduction\n    Madame Chairwoman Clarke, Ranking Member Lungren, and Members of \nthe subcommittee, I am Cita Furlani, the Director of the Information \nTechnology Laboratory at the Department of Commerce's National \nInstitute of Standards and Technology (NIST). Thank you for the \nopportunity to appear before you today to discuss NIST's role in \nensuring the cybersecurity and reliability of the information and \ncommunication aspects of the Smart Grid as well as its physical \nsecurity.\n    As the Nation's measurement and standards institute, NIST has \nearned a reputation as an impartial, technically knowledgeable third \nparty with a long history of working collaboratively with industry and \nother Government agencies. These strengths allow NIST to make a unique \ncontribution to the establishment of the Smart Grid.\n    Recognizing the benefit of focusing NIST's technical expertise and \nindustry-oriented mission on what is one of the Nation's most pressing \nissues, Congress, in the Energy Independence and Security Act of 2007 \n(EISA) called on NIST to take a leadership role in ensuring an \ninteroperable, secure, and open energy infrastructure that will enable \nall electric resources, including demand-side resources, to contribute \nto an efficient, reliable electricity network. Specifically, EISA gave \nNIST ``primary responsibility to coordinate development of a framework \nthat includes protocols and model standards for information management \nto achieve interoperability of Smart Grid devices and systems . . . ''. 
\nCybersecurity and associated standards are being addressed as part of \nthis Smart Grid Interoperability Framework that is under development.\n    NIST's three-phase approach is to:\n  <bullet> Build on the relationship with the Department of Energy \n        (DOE), Federal Energy Regulatory Commission (FERC), the \n        Department of Homeland Security (DHS), and other Federal \n        stakeholders to further engage utilities, equipment suppliers, \n        consumers, standards developers and other stakeholders to \n        achieve consensus on Smart Grid standards. By early fall, the \n        process will deliver:\n    <bullet> the Smart Grid architecture framework;\n    <bullet> priorities for interoperability and cybersecurity \n            standards, and an initial set of standards to support \n            implementation; and\n    <bullet> plans to meet remaining standards needs.\n  <bullet> Launch a formal public-private partnership to facilitate \n        development of additional standards to address remaining gaps \n        and integrate new technologies.\n  <bullet> Develop a plan for testing and certification to ensure that \n        Smart Grid equipment and systems conform to standards for \n        security and interoperability.\n    After issuing the initial set of priorities, standards, and action \nplans in early fall, NIST will initiate the partnership and complete a \ntesting-and-certification plan by the end of the year.\n    NIST views its role as accelerating the process by which the \nstandards development can occur. NIST plans to implement the above-\nmentioned public-private partnership to serve as a mechanism to \norganize stakeholders and drive priority-setting of the standards. The \nactual standards development work is a process that takes place largely \nin the private sector, with standards development organizations, \nutilities, and other stakeholders. 
The duration of those processes will \ndepend on the complexity of the specific problem. In some cases, it \nwill occur very quickly--months--and in other cases, if it's \ntechnically very challenging, it may take considerably longer. But in \nthe case of Smart Grid, NIST is moving as expeditiously as possible to \nget the framework set and move the standards development process along.\n    NIST is reaching out to the private sector and is using our \nexpertise to identify where the barriers exist, where relevant \nstandards currently exist, where standards exist but are not \ninteroperable, and where gaps exist that require standards to be \ndeveloped. With appropriations from the American Recovery and \nReinvestment Act (Pub. L. 111-05), NIST is significantly expanding the \npublic-private coordination so we can move more rapidly to make needed \nprogress in Smart Grid interoperability standards. We are working \nclosely at the interagency level to develop the detailed actions to \nsupport this expanded effort. This will allow us to define the \ninteroperability framework (system architecture); establish standards \ndevelopment priorities; support standards assessments; identify \nstandards and conformity testing gaps; and accelerate standards \ndevelopment and harmonization efforts to provide the secure and \nreliable interchange of information that is necessary to accomplish the \nSmart Grid mission.\n    NIST will use the EPRI report in drafting the NIST Smart Grid \nInteroperability Standards Framework. The NIST document will describe a \nhigh-level architecture, identify an initial set of key standards, and \nprovide a roadmap for developing new or revised standards needed to \nrealize the Smart Grid. The first release of the NIST-prepared \nframework is planned to be available in September. In a Federal \nRegister notice published on June 9, NIST released for public comment \nan Initial List of Smart Grid Interoperability Standards. 
This \npreliminary set of standards and specifications is identified for \ninclusion in the Smart Grid Interoperability Standards Framework, \nRelease 1.0, and additional standards and specifications are \nanticipated to be included based on analyses of workshop input and \npublic comments.\n    An initial step in this process is the release of a draft report, \nReport to NIST on the Smart Grid Interoperability Standards Roadmap, \nthat identifies issues and priorities for developing interoperability \nstandards for the Smart Grid. In a Federal Register notice published on \nJune 30, 2009, NIST formally announced the availability for public \ncomment of this nearly 300-page report, prepared under contract by the \nElectric Power Research Institute (EPRI).\n    I would like to caution, however, that the process of creating \ncomprehensive and effective standards can be time-consuming and \ndifficult. To be effective, standards must be developed with broad \nrepresentation and buy-in from all key stakeholders. It can take time \nto do this right, but NIST is establishing an agile framework that will \nmeet the urgent national need for specific Smart Grid standards. The \nproposed approach will provide that type of expert input through a \nvoluntary consensus standards development process, while maintaining \nthe aggressive schedule needed to develop the Smart Grid.\n                         understanding the risk\n    For the reliability of the electric power industry to be fully \nrealized, cybersecurity and physical security concerns must be \naddressed in addition to assuring interoperability. Congress recognized \nthis in specifically calling out the issue of cybersecurity in the EISA \nlegislation. This is a critical issue due to the increasing potential \nof cyber attacks and incidents against this critical sector as it \nbecomes more and more interconnected. 
Existing vulnerabilities might \nallow an attacker to penetrate a network, gain access to control \nsoftware, and alter load conditions to destabilize the grid in \nunpredictable ways.\n    Additional risks to the grid include:\n  <bullet> Increasing the complexity of the grid that could introduce \n        vulnerabilities and disruptions and increase exposure to \n        potential malicious attackers and unintentional errors;\n  <bullet> Linked networks can introduce common vulnerabilities;\n  <bullet> Increasing vulnerabilities to communication and software \n        disruptions that could result in denial of service or \n        compromise the integrity of software and systems;\n  <bullet> Increased number of entry points and paths for potential \n        adversaries to exploit;\n  <bullet> Potential for compromise of data confidentiality, including \n        the breach of customer privacy; and\n  <bullet> Increasing vulnerabilities to potential physical attacks or \n        disruptions, such as those due to Electromagnetic Pulse (EMP), \n        Electromagnetic Interference (EMI), and Geomagnetically-Induced \n        Currents (GICs).\n    The need to address potential vulnerabilities has been acknowledged \nacross the Federal Government including by NIST, DHS, DOE, and FERC. \nThis need has also been cited in the 60-Day Cyberspace Policy Review, \nwhich states that `` . . . as the United States deploys new Smart Grid \ntechnology, the Federal Government must ensure that security standards \nare developed and adopted to avoid creating unexpected opportunities \nfor adversaries to penetrate these systems or conduct large-scale \nattacks.'' With the adoption and implementation of the Smart Grid, the \nIT and telecommunication sectors will be more directly involved. 
These \nsectors have existing cybersecurity standards to address \nvulnerabilities, conformity assessment programs to evaluate \ncybersecurity products, and assessment programs to identify known \nvulnerabilities in systems. These vulnerabilities need to be assessed \nin the context of the Smart Grid.\n    Another issue for the Smart Grid and the implementation of \ncybersecurity standards is the concern that legacy equipment may be \ndifficult to modify to meet the new standards developed. The issue of \nlegacy equipment is not unique to the Smart Grid. There are many \nindustrial control systems and IT systems that do not employ the most \ncurrent suite of cybersecurity controls. In addition, the life cycle \nfor information technology, particularly for software is very short--as \nshort as 6 months for many applications--and the knowledge and skill \nlevel of adversaries to attack these systems continues to increase. To \naddress this issue, the Smart Grid cybersecurity strategy must address \nthe addition and continual upgrade of cybersecurity controls and \ncountermeasures to meet increasing threats. These new controls and \ncountermeasures may be allocated to stand-alone components within the \noverall Smart Grid architecture.\n    The overall cybersecurity strategy for the Smart Grid must examine \nboth domain-specific and common requirements when developing a \nmitigation strategy to ensure interoperability of solutions across \ndifferent parts of the infrastructure. 
The following is a preliminary \nlist of cybersecurity requirements applicable to the Smart Grid as a \nwhole:\n  <bullet> Identification and authentication to components of the grid \n        to system entities;\n  <bullet> Physical and logical access control to protect critical \n        information;\n  <bullet> Integrity to ensure that modification of data or commands is \n        detected;\n  <bullet> Confidentiality to protect sensitive information, including \n        Personally Identifiable Information (PII) and proprietary \n        information;\n  <bullet> Availability to ensure that intentional attacks, \n        unintentional events, and natural disasters do not disrupt the \n        entire Smart Grid or result in cascading effects;\n  <bullet> Techniques and technologies for isolating and repairing \n        compromised components of the Smart Grid;\n  <bullet> Auditing to monitor changes in the Smart Grid;\n  <bullet> Supply chain security to ensure that products and services \n        are not compromised at any point in the life cycle, a defense-\n        in-breadth strategy; and\n  <bullet> Availability to ensure that intentional attacks, whether \n        physical or cyber, unintentional events, and natural disasters \n        do not disrupt the entire Smart Grid or result in cascading \n        effects.\n    The cybersecurity strategy will require the development of an \noverall cybersecurity architecture to address potential single points \nof failure, conformity assessment procedures for Smart Grid devices and \nsystems, and certification criteria for personnel and processes.\n                 the cybersecurity standards landscape\n    In addition to understanding and assessing the risks related to the \nSmart Grid's information and communications networks, it is important \nto gauge the applicability of existing and new cybersecurity standards \nto the Smart Grid. 
Several standards activities are on-going including:\n  <bullet> The North American Electric Reliability Corporation (NERC) \n        Critical Infrastructure Protection (CIP) Cyber Security \n        Standards CIP-002 through CIP-009, which provide a \n        cybersecurity framework for the identification and protection \n        of Critical Cyber Assets to support reliable operation of the \n        Bulk Power System;\n  <bullet> The International Society for Automation (ISA) 99/\n        International Electrotechnical Commission (IEC) 62443 suite of \n        standards that address Security for Industrial Control Systems;\n  <bullet> The Advanced Metering Infrastructure Security task force \n        (AMI-SEC), formed to define common requirements and produce \n        standardized specifications for securing AMI system elements. \n        These requirements are for electric utilities, vendors, and \n        stakeholders; and\n  <bullet> NIST Special Publication (SP) 800-53, Recommended Security \n        Controls for Federal Information Systems. This SP provides \n        guidance for Federal agencies on cybersecurity controls with \n        one section of the SP specifically addressing industrial \n        control systems.\n    Although these standards are being developed by different standards \nbodies, there is significant interaction among the working groups. For \nexample, there are current efforts to harmonize the NERC CIP, ISA99/IEC \n62443, and NIST SP 800-53.\n    Standards are being assessed for applicability and interoperability \nacross the domains of the Smart Grid, rather than developing a single \nset of cybersecurity requirements applicable to all elements of the \nSmart Grid. That is, the cybersecurity requirements of different \ndomains, such as home-to-grid and transmission and distribution, may \nnot be the same. 
For example, there are significant cybersecurity \nrequirements to ensure the confidentiality of Personally Identifiable \nInformation (PII) in the home-to-grid domain that may not be required \nat the transmission and distribution domain.\n    To achieve secure interoperability, products and systems will \nrequire conformity assessment that can be developed by NIST. Conformity \nassessment verifies that products adhere to the specifications defined \nin the standards. Once a standard has been published, conformity \nassessment can accelerate product development by giving vendors well-\ndefined criteria to meet. Such testing should ensure that cybersecurity \nstandards are effective and do not adversely impact interoperability.\n                         community partnership\n    NIST is working with the International Society of Automation (ISA), \nthe International Electrotechnical Commission (IEC), and the North \nAmerican Electric Reliability Corporation (NERC) on current \ncybersecurity standards. NIST also works with other standards bodies, \nsuch as ISO, IEEE, and Internet Engineering Task Force (IETF) on \ncybersecurity standards. We will continue to coordinate with all these \nstandards bodies in the development/revision of cybersecurity standards \napplicable to the Smart Grid.\n    To help ensure that we are addressing the cybersecurity \nrequirements of the Smart Grid as part of the NIST Smart Grid \nInteroperability Framework, NIST has established a Cyber Security \nCoordination Task Group (CSCTG), including members from the Domain \nExpert Working Groups (DEWG) as well as cybersecurity and control \nsystems experts from academia and the IT and telecommunications \ncommunities. 
The DEWGs are groups of technical experts established by \nNIST and the GridWise Architecture Council (GWAC) for information \nsharing on Smart Grid standards and interoperability issues in \nidentified Smart Grid domains: Transmission and distribution, home-to-\ngrid, business-to-grid, and industry-to-grid.\n    The CSCTG will coordinate among the DEWGs so that cybersecurity is \naddressed consistently and comprehensively in the DEWG discussions and \nwork products. The focus of the CSCTG is to leverage the expertise of \nthe members to identify the overall threats, vulnerabilities and risks \nto the proposed Smart Grid. In addition to cybersecurity, some physical \nsecurity issues, including threat assessments related to \nelectromagnetic pulse (EMP), electromagnetic interference (EMI) and \ngeomagnetically induced currents (GIC), \nare also being considered within the CSCTG. This information will be \nused to identify the appropriate cybersecurity controls that will be \nallocated to various domains of the Smart Grid. The CSCTG is also \nconsidering a layered approach to cybersecurity to ensure that if one \nlevel is compromised, the next layer remains secure--a defense-in-depth \nstrategy. These cybersecurity controls will be assessed by CSCTG \nmembers for effectiveness, scalability, and impacts on cost and the \nreliability of the Smart Grid, and will be integrated into the Smart \nGrid architecture from initiation. Interest is significant, and over \n150 individuals have joined the CSCTG to date.\n    NIST will also coordinate closely with DOE, DHS, and FERC in the \ndevelopment of all Smart Grid cybersecurity products, and is also \nworking closely with DOE, FCC and others to examine potential Smart \nGrid electromagnetic interference issues.\n                               conclusion\n    NIST is proud to have been given such an important role in Smart \nGrid cybersecurity through the EISA legislation. 
We believe that with \nthe continued cooperation and collective expertise of the industry in \nthis effort, we will be able to establish the cybersecurity standards, \nwithin the interoperability and standards framework, to ensure that the \nSmart Grid vision becomes a reality.\n    Thank you for the opportunity to testify today on NIST's work on \nSmart Grid cybersecurity. I would be happy to answer any questions you \nmay have.\n\n    Ms. Clarke. I would like to thank you, as well.\n    Ranking Member Lungren, and Members of the subcommittee, \nlet me take a moment to request unanimous consent to insert \nadditional written reports in testimony from the Canadian \nElectricity Association, the Industrial Defender Incorporated, \nMr. Brian M. Ahern, and the Southern California Edison into the \nrecord.\n    Hearing no objections, so ordered.\n    I thank the witnesses for their testimony, and I will \nremind each Member that he or she will have 5 minutes to \nquestion the panel.\n    I will now recognize myself, for 5 minutes for questions.\n    Do any of you on the panel believe that the current FERC/\nNERC standard-setting process, where industry writes standards \nand self-selects what assets it wants to secure, makes sense in \nthe context of our national security?\n    We can start.\n    Mr. McClelland. No, the commission, the prior chairman and \nthis chairman, and certainly this staff member, has been on \nrecord to say that the standards development process is \nadequate for routine matters attached to this power grid, the \nreliability of the power grid.\n    But for matters it would attack the bulk power systems, the \npower grid if you will, it is inadequate to protect against \nnational security threats and vulnerabilities.\n    Ms. Clarke. Anyone else's perspective on this?\n    Ms. Hoffman.\n    Ms. Hoffman. 
The standard-setting process is a process that \ndoes involve public and private partnerships in looking at \nbaseline requirements for the system. The standard process \ncannot be the only mechanism that is viewed as an opportunity to \nprovide input into emergency and emergency requirements.\n    Ms. Clarke. Mr. McGurk.\n    Mr. McGurk. Madame Chairwoman, I concur with my colleagues. \nThe challenge of coming up with operational or interoperability \nstandards is usually followed through one process. But to \nrespond to a threat, or respond to a vulnerability, requires \nemergency action, that may or may not be available given the \ncurrent construct.\n    So, some challenges present themselves. Getting that \ninformation into the hands of the operators, and the authority \nneeds to be there for the Government to direct that activity.\n    Ms. Clarke. Yes.\n    Ms. Furlani.\n    Ms. Furlani. I agree also, that when you start talking \nabout interconnected systems, wherever the different types of \nsystems touch is a vulnerable spot. There is not a--you really \nneed an overarching understanding of the network and the \narchitecture. You can't do it in isolated pieces.\n    Ms. Clarke. Thank you, all. Let me direct my next question \nto Mr. McClelland and Mr. McGurk.\n    Can you please explain what additional authority you feel \nare necessary for FERC? And whether you think the language in \nH.R. 2195 is in line with what you are asking for?\n    Mr. McClelland. 
The commission requested, actually the \nchairman arrived at the position and again, staff concurred, \nthat the commission needed additional authority in order to be \nable to direct action, measures to the industry to be able to \ncommunicate in a confidential manner.\n    Because the communications now, the information would have \nto have some assurance that the information would be protected \nthere, regards cybersecurity or physical threats of our power \nsystem.\n    The commission would have a mechanism to engage industries, \npropose and direct to engage, industry and get a directive \nestablished to mitigate either a physical or a cyber threat.\n    The process under 215, by law, is open. So, if a standard \nwere to be developed, it would have to be developed in an open \nforum. So, not only the vulnerability or the threat would have \nto be disclosed, within the proposed mitigation.\n    It is not necessarily timely, because it is a very \ninclusive process that gets everyone to participate. It is not \nnecessarily responsive, because the commission can't author a \nstandard. It can't direct a specific measure.\n    It can make a directive to a specific mitigation. But it \nhas no control over what might come back from industry.\n    So in that context, it is totally insufficient to assure \nthat a vulnerability or a threat, either physical or cyber, has \nbeen addressed.\n    Mr. McGurk. Yes, ma'am, from the standpoint of Department, \nwe look at all the pending legislation and we look at \nopportunities to identify the best method to move forward. Of \nkey concern, from our standpoint is, I go back to some of my \nprevious experience as an arms control inspector under the \nSTART Treaty and INF Treaty.\n    We were directed to trust, but verify. There lies the key. 
\nI can issue a directive, but unless I have the ability to \nfollow up and determine whether those actions were taken, I \nhave no firm understanding whether or not the threat has been, \nor the risk has been mitigated.\n    So subsequently, language that addresses that opportunity, \nfor whatever appropriate agency, will take those necessary \nsteps, feel is vital to continuing the mission.\n    Ms. Clarke. I am going to yield back the balance of my time \nand now recognize the Ranking Member of the subcommittee, the \ngentleman from California, Mr. Lungren, for his questions.\n    Mr. Lungren. Thank you very much, I would address this to \nall of you.\n    We talk about the Smart Grid. In some ways, it reminds me \nof some of the issues we had when we went to on-line banking. \nIt is only going to be utilized by people. People are only \ngoing to have confidence in it if they feel that it is secure.\n    Are we doing what we need to do to make sure, as we develop \nthe Smart Grid proposals at various levels, to build security \ninto it?\n    Ms. Hoffman. Within the funding opportunity announcement, \nthe Department of Energy did put very strict requirements for \nproposers to document and look at their cybersecurity aspect. \nThey will have to include that in the proposals. So, we feel \nvery comfortable with the language put in there that any \nproposers are going to have to address some of the elements \nthat I have mentioned in my testimony as part of their Smart \nGrid projects.\n    Mr. Lungren. Let me put it another way. For other kind of \nenterprises, we have insurers who assess risk, and make \ninsurance rates based on that risk. Obviously to mitigate those \nrates, you do certain things.\n    There are sometimes tax incentives. There are a whole host \nof things.\n    Is regulation the only and most effective way we can make \nsure that security is built into the Smart Grid? Or do we need \nto look at some of these other mechanisms as well?\n    Ms. 
Hoffman. If I may start, security is a service. It is a \nprocess that has to be included within the utility or within \nthe Smart Grid infrastructure.\n    So, it is a service that must be maintained, just like we \nhave service on our computers. So, it is a way to--it should be \ndeveloped within the electric industry, so that there are \ncompanies, such as the ones you have heard of in the first \npanel, to provide the service to the industry as well as to the \ncustomers.\n    Mr. Lungren. Is there something we need to do to make sure \nthat the rate structure allows for this?\n    Ms. Hoffman. Within the Smart Grid technologies, we are in \nwithin specific aspects of utility infrastructure. The rate \nstructures can be used to support that.\n    For national security events, which is a public good, there \nare probably maybe other mechanisms that could be investigated.\n    Mr. Lungren. Well, let me ask you this, Mr. McClelland.\n    This goes to the question of EMP. We have heard low-\nprobability, high-consequence. I would say the highest \nconsequence.\n    Mr. McClelland. Yes.\n    Mr. Lungren. Almost. How do we ensure? Or, how do we \nprovide incentives that the private sector and the--let's just \nconcentrate on the private sector. The private sector will take \nseriously these sorts of things.\n    What I mean by that is this: If you are going to go to your \nwhatever authority it is you have to go to for your rates, rate \napproval, and they say, ``well, to justify your rates, you have \nto show us that there is a reasonableness to what you are \ndoing, and what you want to charge for.''\n    They go in and they say, ``Well, low-probability, high-\nconsequence.'' Does a rate-making organization authority in a \nState, or even a regional area, understand that? Do we need the \nfocus of the Federal Government to actually have us take it \nseriously?\n    The reason I say that is, I just don't think we are taking \nthis seriously enough. 
When you hear the testimony of the \nconsequences, I mean, it makes ``Katrina'' look like a day in \nthe park.\n    Mr. McClelland. Yes.\n    Mr. Lungren. Yet, after Katrina, we said, ``Oh my god, we \nwill never let that happen again. We have got to be more \nfocused on it. We will put billions of dollars in to make sure \nthat kind of thing doesn't occur.''\n    Yet I don't sense that in terms of EMP. You seem to take \nEMP seriously.\n    Mr. McClelland. Yes.\n    Mr. Lungren. You seem to accept the argument that it could \nhave devastating consequence.\n    Mr. McClelland. Yes.\n    Mr. Lungren. But yet it does not appear to me that we, \neither in the Congress or the Executive branch, have taken it \nseriously enough to make it the kind of priority that I would \nhave. So I guess I would ask you, what do we need to do so that \nthe range of costs that we have seen, the EMP Commission said \nthat the range of costs to protect critical infrastructure \ncomponents would range--could be from $150 million to $9 \nbillion. That is a lot of change.\n    Do you believe Congress should provide cost recovery to \nutilities to cover these expenses through reimbursement by the \nrate payers? Is that reasonable? Is it something that Congress \nneeds to do in terms of subsidies? Tax incentives? I mean, what \ndo we need to do to make this happen?\n    Mr. McClelland. I would like to begin by--I will jump back \nfor a second to your prior question about Smart Grid. Last \nweek, the commission issued a policy statement under EISA. 
The \ncommission's responsibility after NIST develops the standards, \nto codify the standard, to put the standards into place, to set \nthe standards and in order that interoperability is \nestablished.\n    One of the key elements in the policy statement last week \nwas that the commission would provide rate recovery and would \neven consider stranded costs for an entity that began to \ninstall Smart Grid equipment, but then the equipment was \nobsolete. It turned out to be obsolete, if the entity built in \ncybersecurity, that was one of the four elements.\n    So there is a cost recovery mechanism. The same application \ncan and should be applied to EMP. It is unrealistic to think \nthat entities, that utilities, will move forward on EMP \nmitigation measures in the context of high-risk low-\nprobability.\n    If I just might say something about that, on the last panel \nthere were two different witnesses, and I won't say who they \nare, but it was very telling. One witness classified it as \nhigh-risk, low-probability. A second witness, however, said \nhigh-risk low-frequency. There is a very big difference.\n    Mr. Lungren. Yes.\n    Mr. McClelland. Probability is not an assessment and I \nthink you heard that very clearly, that without intelligence, \nwithout information, it is not an assessment that an entity or \na person is qualified to make. That should be left to the folks \nthat deal with intelligence.\n    So high-risk, low-frequency is a better way to classify it, \ncoupled with a rate recovery mechanism. On the very end, I mean \npartnership is great, and we all hope that partnership works. \nBut in the absence of a regulatory mechanism, to Mr. McGurk's \npoint about trust and verify, in the absence of some regulatory \nmechanism to force an entity to take action, some entities just \nsimply will not take action. 
Regulation is there for the \nentities that won't take action.\n    So I really believe, a personal perspective on this, and I \nwas in the electric utility industry for 20 years before I came \nto Government for the past 5, that we knew about EMP, we knew \nabout EMP mitigation measures. I saw a declassified report that \nshowed a very specific attack vector and we were asked to \nevaluate that. I was asked as a controls and relays engineer. \nWe did our job.\n    But the chance that industry would move forward, if it \nconsiders it to be a low probability of event, with everything \nelse that is happening, is really not realistic.\n    Mr. Lungren. Thank you.\n    Ms. Clarke. I now recognize Ms. Richardson, of California, \na Member of the subcommittee, for her questions at this time.\n    Ms. Richardson. Thank you, Madame Chairwoman.\n    Mr. McGurk, as you saw, I introduced you to one of the \nwitnesses, who seemed to have made some attempts to reach out \nto the Department, but had not been successful. How long have \nyou been in your position?\n    Mr. McGurk. [Inaudible.]\n    Ms. Richardson. Could you turn your microphone on?\n    Mr. McGurk. Pardon me, Congresswoman.\n    I joined the Department in January 2008. In September 2008, \nI participated in a brief, hosted by the Department of Defense, \nfor the cross-sector cybersecurity working group on the EMP \nprocess.\n    We also engaged with the doctors' group to evaluate the \nimpacts on the critical infrastructure and produced a report in \nNovember, recognizing the importance of not only the impacts on \nthe electric grid, but the other critical infrastructures \nacross our country.\n    So we have been engaging across the board. The doctor has \nmet with individuals from our infrastructure protection branch, \nso the comment about FEMA may have been miscommunications. But \nwe have been engaged and engaging with his organization, \nfocusing on EMP.\n    Ms. Richardson. 
How much of your time, would you say, is \nspent on the issue of what we are talking about today? \nCybersecurity within your jurisdiction?\n    Mr. McGurk. I have the luxury, if you will, to focus my \nentire time on control systems, cybersecurity. That is what my \nprogram was created to do. So in all of the Department of \nHomeland Security, my organization focused specifically on \ncybersecurity and physical security threats to industrial \ncontrol systems.\n    Ms. Richardson. Who do you report directly to?\n    Mr. McGurk. I report to the director of the national \ncybersecurity division.\n    Ms. Richardson. Which eventually, who reports to the \nSecretary?\n    Mr. McGurk. The under secretary for national preparedness \nand protection.\n    Ms. Richardson. Is how far away from you?\n    Mr. McGurk. Two steps removed. It is the director of the \nnational cybersecurity division reports to the assistant \nsecretary for cybersecurity and communications, who reports to \nthe under secretary for NPPD, who reports to the Secretary.\n    Ms. Richardson. So how often do you have an opportunity to \nreport to the under secretary or Secretary, if at all?\n    Mr. McGurk. I have briefed both the previous under \nsecretary and Secretary and I have had the opportunity to brief \nthe current deputy under secretary. I have not had an \nopportunity to brief the current Under Secretary Beers.\n    Ms. Richardson. Okay. Did you have an opportunity to read \nthe testimony of Dr. Graham and Mr. Fabro?\n    Mr. McGurk. No, I did not have an opportunity prior to this \nmeeting.\n    Ms. Richardson. Do you have a copy of their testimony?\n    Mr. McGurk. I do not.\n    Ms. Richardson. Okay. I will make sure that you personally \nget it. I would be curious for you to read both of their \ntestimonies. Towards the end of Mr. Fabro, he gives several \nspecific recommendations and Mr. Graham, on page 5, he gives \nvery specific recommendations. 
Would you be willing to read \nthose?\n    Mr. McGurk. Oh, absolutely, Congresswoman.\n    Ms. Richardson. Okay.\n    Mr. McGurk. Thank you.\n    Ms. Richardson. Based upon what you heard so far today, is \nthere anything that you would be in opposition to of what folks \nshared, things that we could do better?\n    Mr. McGurk. I do want to emphasize that the previous \npanel's comments on public-private partnership, I think that is \nthe key element. As was previously mentioned, regulation is \njust part of the equation. It is not the final solution. So \nthere has to be an understanding and a collaborative effort \nbetween the private sector and the Federal Government to ensure \nthat we address these issues.\n    We often focus on the critical asset owners. We miss the \nresponsibility and the opportunity of dealing with the vendor \ncommunity.\n    We actually have a subgroup in the industrial control joint \nworking group that focuses on the vendors and brings the \nvendors to the table so that we can incentivize the development \nof more secure products for the future. That was a key part in \ndeveloping our procurement standards, which we published in \nAugust of last year, identifying those steps necessary to \ndevelop and distribute and integrate more secure devices.\n    Ms. Richardson. So do you reach out to traditional \npartners, the same ones you have always had? Or what do you use \nto reach out to some others? Because unfortunately, the \ntestimony today was not consistent with what you have said.\n    Mr. McGurk. We are attempting to reach out. The industrial \ncontrol systems working group is following on the efforts that \nwere established by the process control systems forum. So we \nare maturing and growing that activity. Again, much of our \nfocus in the past was on primarily the energy sector, \nspecifically the electric sector. 
Unfortunately, we need to \nfocus on all 18 critical infrastructures.\n    So we have invested heavily in developing the partnerships \nwith water, chemical, transportation, critical manufacturing, \nacross the board, because when it really comes down to it, \nthese industrial control systems are pretty much the same \nacross all these industries.\n    The components that we use have the same vulnerabilities, \nwhether it is moving a robotic arm that builds the car or \ngenerating power.\n    Ms. Richardson. Okay. My last question, I have got 13 \nseconds, so if you could be brief in your reply.\n    Mr. McGurk. Yes.\n    Ms. Richardson. One of the things that stuck out to me was \nthe procurement process that we have, many private enterprises \nthat own many aspects of this whole area for us, and yet we are \nreally not putting the things in place to ensure that they are \ndoing the security aspect as well. Do you see improvements that \ncould be made?\n    Mr. McGurk. Absolutely. We can definitely improve that \nprocurement process.\n    Ms. Richardson. So could you provide those comments to this \ncommittee?\n    Mr. McGurk. I--yes, I can.\n    Ms. Richardson. Thank you very much. I yield back. Fifteen \nseconds.\n    Ms. Clarke. I now recognize the gentleman from Maryland, \nMr. Bartlett, for 5 minutes.\n    Mr. Bartlett. Thank you very much, and thank you again for \nconvening this hearing.\n    Mr. McClelland, I would like you to help me clear up a \ndefinition problem. On page 2 of your testimony, written \ntestimony, on page 2 of Mr. Assante's written testimony, there \nare definitions of bulk prices and they seem to be different. \nYou have a fairly restrictive one that exempts all local \ndistribution facilities, including virtually all of the grid \nfacilities in certain large cities.\n    The definition in Mr. 
Assante's written testimony says bulk \npower system is defined by, and he gives the section of the \nlaw, distributes and controls systems necessary for operating \nan interconnected electric energy transmission network or any \nportion thereof. Electric energy from generation facility \nneeded to maintain transmission system facilities.\n    So his would appear to include anything and everything and \nyours would appear to exclude large portions of the system. \nWhich one is correct?\n    Mr. McClelland. The NERC definition for bulk power system \nis defined as generally 100 kv and above. It is actually bulk \nelectric system.\n    When EPAct 2005 was passed, it used a new term. Bulk power \nsystem. The commission, as you are probably aware, the \ncommission issues a notice of proposal making, collects \ncomments, considers the comments and then issues a final rule.\n    This was a section or a definition that was heavily \ncommented on in the industry----\n    Mr. Bartlett. Could you help us in getting, for your two \nagencies, a consistent definition, so we know what we are \ndealing with? I would appreciate that. Thank you very much.\n    I want to make a brief comment about a comment that Dr. \nGraham made about a robust EMP attack bringing down the power \ngrid, and it might be out for several months or a year or more, \nand some might wonder how could that be? That is because if the \ngrid comes down, it is very likely to take out large \ntransformers. We don't make them. There are no spares. They are \nmade somewhere overseas. If you order one, they will deliver \none in a year or 18 months or so. That is how long it takes to \nmake them, which is why that observation--why that observation.\n    Mr. McClelland, don't you think this might have been a good \nplace to use the stimulus money, in hardening the grid? \nWouldn't it make a lot of pretty good jobs?\n    Mr. McClelland. It sounds like a good idea.\n    Mr. Bartlett. Thank you, sir. I agree. I agree. 
Okay.\n    Ms. Hoffman, you had mentioned that--does not have a \nprogram that would allow for private or publicly-owned \nfacilities to receive Federal grants. What do we need to do to \nfix it? Could you fix it administratively? Or does that need \nlegislation to fix that? Because we certainly ought to be \nhelpful, don't you think? How much--do we have to do something \nor can you do it?\n    Ms. Hoffman. Within the Department, we set our priorities \nand there is no priority at this--or there is no activity at \nthis time for that effort.\n    Mr. Bartlett. Well, I would hope after this hearing that \nthere would be. I would hope.\n    Mr. McGurk, this strikes me as a great idea, but the \nreality is that the more effective we are in producing a Smart \nGrid, the less secure we are from an EMP attack. Because that \njust increases our vulnerability. We really do need to do \nsomething about that.\n    You mentioned the state of units that are out there that \nare controlling all of this. Many of those components, nobody \nis around who made them. I have no idea where we get new ones.\n    Mr. McGurk. Yes.\n    Mr. Bartlett. They are saying that those are really, really \nold.\n    You mentioned national strategy to secure cyberspace. Sir, \nif there is, if Dr. Graham is correct, then there is a robust \nEMP lay down, there will be no cyberspace to secure. Do you \nthink he is wrong?\n    Mr. McGurk. Oh, absolutely not, sir.\n    Mr. Bartlett. Good. Well, then, I hope we are doing \nsomething more than we are now doing because I see us doing--if \nit is zero to 100, I see us doing something about 0.05 in terms \nof hardening our system.\n    Ms. Furlani, how is EMP incorporated among the factors for \ndeveloping Smart Grid standards? Are you doing that? Is this \nnew grid going to be hardened for EMP?\n    Ms. Furlani. It is one of the areas that we have in our \nlong list. 
We are certainly taking it under consideration with \nour partners in BOE and SBC to understand where the standards \nneeds might be.\n    Mr. Bartlett. Well, I hope that this gets higher priority \nthan it has had because as the testimony today indicated, we \nare enormously vulnerable here. Vulnerability encourages \nattack. It doesn't have to be a state actor, it could be a non-\nstate actor.\n    I had a guy from the Department of Defense tell me there \nwere no platforms out there from which these guys could launch \nthis. Any tramp steamer is an adequate platform. A scud \nlauncher goes up 180 miles apogee, that is plenty high enough \nto take out all of New England or all of California and other \nterritories. A crude nuclear weapon, if you miss the target by \n100 miles, it is just as good as a bull's eye. This is clearly, \nclearly, the most asymmetric weapon that any potential foe has.\n    Thank you very much. I yield back.\n    Ms. Clarke. Thank you, Mr. Bartlett. You certainly have \nraised some very key and critical points that we must be \nvigilant around. Ms. Hoffman, you may not--we are telling you \nthat this is really a priority. We want to ask you to please, \ntake this back to Secretary Chu.\n    I now recognize, the gentleman from New Mexico, Mr. Lujan \nfor 5 minutes.\n    Mr. Lujan. Thank you very much, Madame Chairwoman. My \nquestions go along the same questions that I asked the first \npanel. Around, my question is to if all G&T, generation and \ntransmission companies, all distribution networks, and best-run \nutilities, rural cooperatives are included in this broad \ndefinition of bulk power system, knowing that they are not.\n    With that being said, what are we doing to prepare to be \nable to address all those needs that fall outside of NERC's \nauthority? I would pose that to the panel.\n    Mr. McClelland. 
I guess I would like to start by asking a \nclarifying question.\n    Is the premise that bulk power system includes all the G&T \nand distribution facilities?\n    Mr. Lujan. Well, for the most part, most G&Ts do fall under \nbulk power systems, with the exception of, I would say, a few \nthat do fall out. But, the specific question is, for those that \nare not included under the definition of a bulk power system, \nG&Ts, IOUs, rural cooperatives, wherever they may be, including \ntheir distribution networks, what is occurring for the \ncoordination there?\n    Because, according to some of the testimony from the last \npanel, that has already seems to have fallen, to some extent, \nunder NERC. But, the remaining authority is presumed to fall \nupon Fed regulatory authorities or other entities, depending on \nthe make-up of the utility.\n    So, what are we doing to include them as we begin to deploy \nsome of the Smart Grid technologies that will be invested in?\n    Mr. McClelland. I guess, I would like to start with the \nbulk power system definition, is defined per region. So, the \ndefinition of bulk power system is very different in New \nEngland, for instance, than it is in the West that excludes \nmany more facilities.\n    Now having said that, even the CIP standard, the NERC CIP \nstandards for cybersecurity, it is this staff members' position \nand our Chairman's position, that Section 215 of the Federal \nPower Act, which is the reliability standard, is inadequate to \nprotect the grid from a national security threat.\n    It is fine for everyday reliability matters. But, if there \nis an emergency action that is necessary to protect the grid \nfrom either a physical or a cyber attack, it is inadequate. 
\nThat is why the commission has advocated, the Chairman has \nadvocated, that the commission receive additional authority if \nthe expectation is that the commission could protect it.\n    On the facilities that could fall outside of the bulk power \nsystem, the commission did issue a policy statement last week. \nIt did say that, one of the items necessary for rate recovery \nis its Smart Grid appliances and devices must demonstrate \nconformity to cybersecurity. They must be protected from a \ncybersecurity standpoint.\n    So, the commission has used its authority that is \nadvocating for additional authority to protect against national \nsecurity threats.\n    Mr. Lujan. With that, Ms. Hoffman, if you could address \nthat question as well? And go on to--based on the position that \nhas been put out by FERC, with the position that Smart Grid \ninvestments have to comply with cybersecurity technology. Can \ngrants also be applied for those reasons?\n    Or, can the funds be used in that way to make sure that \nthey are investing in necessary cybersecurity preparation, or \ntools, platforms, software, whatever the application may be, or \ntechnology may be included in so many investments they will be \nmaking?\n    Ms. Hoffman. Yes, Congressman, your first question, the \nDepartment of Energy's program does not distinguish between the \nbulk power system. So, we are indifferent. So, we look at \nprojects that will get the cybersecurity for the energy sector, \nlooks at the energy sector as a whole.\n    As well as the Smart Grid activity does not distinguish \nprojects between the bulk power system. We look at the bulk \nsystem as a whole, with respect to the Smart Grid. With respect \nto the Smart Grid, projects must look at cybersecurity aspects. \nSo, it will be baked in, or as part of their proposal.\n    Mr. Lujan. Mr. McGurk.\n    Anything that you would like to add in regard there?\n    Mr. McGurk. 
Congressman, I would just like to add that we \nare working with both the Department of Energy and also with \nthe private industry to identify those requirements, doing the \nend-to-end.\n    As Ms. Hoffman had identified, we also, in the Department, \nlook from the end-user, home delivery system back up without \nhaving a regard to any defined division between bulk power or \nthe distribution networks.\n    So, we work across the board along with the Department of \nEnergy to assist in identifying those cybersecurity \nvulnerabilities.\n    Mr. Lujan. Just a clarifying question, Ms. Hoffman. Does \nEMP also fall under what can be included with some of the \ndollars associated with the Smart Grid implementation? Do those \nsafety standards, can they be included in some of the \ninvestments that will be made?\n    Ms. Hoffman. Right now, the Department does not have any \nactivities for EMP hardening.\n    Mr. Lujan. Okay, thank you very much.\n    Then, Madame Chairwoman, just one question that I would \nlike to pose to Ms. Furlani, and maybe she could submit it into \nthe record in a written format?\n    But, just the same question I posed to the panel earlier as \nfar as the lack of standards that do exist for the platforms, \nfrom a cybersecurity perspective, or some of the data systems \nthat exist for energy companies. Should some standards be \nincluded there?\n    What is the Department looking at in order to be able to \nfacilitate or respond to some of those questions? Or how do \nthey evaluate them?\n    Thank you very much, Madame Chairwoman.\n    Ms. Clarke. Thank you, we will do that.\n    I now recognize the gentleman from Ohio, Mr. Austria, for \nquestions.\n    Mr. Austria. Thank you, Madame Chairwoman. Let me--I will \nkeep my remarks brief. I know we have votes going on right now.\n    But, I think we all agree here today in this panel, that \nthe electric grid remains highly vulnerable to the cyber and \nphysical attack. 
That it could possibly disable a wide portion \nof the grid for weeks, months, and even possibly years.\n    As we move into the 21st century, moving towards new \ntechnology, and we push towards making electric infrastructure, \nelectronic and digital, on the one hand, we are saving money, \nbillions of dollars possibly, and we are making it much more \nquicker, much more reliable, a much more reliable system.\n    But on the other hand, we are also creating cyber and \nphysical making vulnerable--the word just wouldn't come out, \nbecoming more vulnerable.\n    I am concerned that we don't have a comprehensive plan in \nplace with that protection in place right now. Today, most of \nthe critical electric infrastructure is owned and operated by \nthe private sector.\n    Regulators of the electric grid currently have limited \nauthority and require these electric utilities to secure their \nsystems against cyber and physical attacks. This hearing has \nbeen very informative and eye-opening.\n    Just to recap on a couple of things, I want to ask Mr. \nMcClelland first, and recap on what the Ranking Member started \nto go down this route, as far as--first of all, what should \nutilities do to better identify those critical cyber assets \nthat are out there?\n    Then, the question has come up multiple times, as far as \nincentives. Should there be--are statutory requirements \nnecessary to put those incentives in place to move to that \ndirection?\n    Mr. McClelland. I will start starting with the \nidentification of critical assets, which subsequent comes the \nidentification of critical cyber assets, which then puts the \nfacilities under the CIP standards.\n    NERC, itself, has begun the process to rectify this \nproblem. The amount of critical assets that were identified was \nlow. So, Mr. 
Assante, who is on the power panel, wrote a letter \nto industry saying, ``Hey, rather than assume that your one \nparticular facility in isolation on the whole power grid is not \ncritical, you need to start from the assumption that you have \nto justify that it isn't critical.''\n    In other words, you have to opt it out of the mix.\n    NERC is also preparing guidance documents to help entities \nreview in aggregate, what everyone else is doing, a guidance \ndocument to identify critical assets.\n    Finally, when the commission approves its CIP standards, \nthe commission identified this as a deficient area. So, it is \nnot going to work if the utilities that are under regulation \nget to identify what is a critical asset, a critical cyber \nasset and what isn't.\n    Therefore, the commission directed BER to rewrite the \nstandard, and bring the standards back to the commission. From \nthat point on, from the time the standards would be revised, \nthere will be a regional review process. Then those \ndeterminations will be subject to the commission's review.\n    Unfortunately, it is going to use the standards development \nprocess which can take years for it to get through, ballot \nthrough, and then come back to the commission. It may not be \nentirely responsive to the commission's directive.\n    That is the process under Federal Power Act----\n    Mr. Austria. I appreciate that. From a time constraint, let \nme have, Ms. Hoffman, your perspective on, since acting \nassistant secretary for the electricity delivery and energy \nreliability, DOE, as a specific sector agency for the energy \nsector, are you getting industry member cooperation for \ndeveloping risk management strategies? And implementing \nsecurity measures to protect their critical infrastructures?\n    Ms. Hoffman. My apologies. We are getting cooperation. We \nhave focused on the vendor communities. 
We have taken several \ndifferent approaches to looking at security improvements within \nthe sector, working with the vendors, and working with the \nelectric or energy companies directly, in assessing the \ntechnology for vulnerabilities, as well as improving the \ntechnology.\n    Mr. Austria. Madame Chairwoman, I am going to yield back my \ntime. Because I know we have votes going. We don't want to miss \nthe votes.\n    Ms. Clarke. I want to thank each of you for your valuable \ntestimony here today. I want to thank the Members for their \nquestions.\n    Mr. Bartlett, thank you for your wisdom on this matter. \nAlso, let the Members of the subcommittee know that if you have \nadditional questions for the witnesses, we will ask for you to, \nyou can submit them, and we will get it to you.\n    We ask that you will respond to us expeditiously in writing \nto those questions.\n    Hearing no further business, I want to thank you once again \nfor your testimony here today. I know that there is a lot of \ninquiry coming from the membership with regard to this matter, \na lot of interest and concern.\n    So, this is probably what we would call Part 1 of what will \nbe a number of other hearings around this matter during this \nsession. So, I want to thank you and just alert you to that.\n    This meeting is adjourned.\n    [Whereupon, at 5:42 p.m., the subcommittee was adjourned.]\n\n\n                           A P P E N D I X  I\n\n                              ----------                              \n\nLetter From Michael J. 
Assante, Chief Security Officer, North American \n                    Electric Reliability Corporation\n                                                     April 7, 2009.\nTO: Industry Stakeholders\nRE: Critical Cyber Asset Identification\n\n    Ladies and Gentlemen: In the interests of supporting NERC's mission \nto ensure the reliability of the bulk power system in North America, \nI'd like to take this opportunity to share my perspectives with you on \nthe results of NERC's recently completed self-certification compliance \nsurvey for NERC Reliability Standard CIP-002-1--Critical Cyber Asset \nIdentification for the period July 1-December 31, 2008 along with our \nplans for responding to the survey results. As you may already be \naware, compliance audits on this standard will begin July 1, 2009.\n    The survey results, on their surface, raise concern about the \nidentification of Critical Assets (CA) and the associated Critical \nCyber Assets (CCA) which could be used to manipulate them. In this \nsecond survey, only 31 percent of separate (i.e. non-affiliated) \nentities responding to the survey reported they had at least one CA and \n23 percent a CCA. These results are not altogether unexpected, because \nthe majority of smaller entities registered with NERC do not own or \noperate assets that would be deemed to have the highest priority for \ncyber protection. In that sense, these figures are indicative of \nprogress toward one of the goals of the existing CIP standards: To \nprioritize asset protection relative to each asset's importance to the \nreliability of the bulk electric system. 
On-going standards development \nwork on the CIP standards seeks to broaden the net of assets that would \nbe included under the mandatory standards framework in the future, but \nthis prioritization is an important first step to ensuring reliability.\n    Closer analysis of the data, however, suggests that certain \nqualifying assets may not have been identified as ``Critical.'' Of \nparticular concern are qualifying assets owned and operated by \nGeneration Owners and Generation Operators, only 29 percent of which \nreported identifying at least one CA, and Transmission Owners, fewer \nthan 63 percent of which identified at least one CA.\n    Standard CIP-002 ``requires the identification and documentation of \nthe Critical Cyber Assets associated with the Critical Assets that \nsupport the reliable operation of the Bulk Electric System.'' The \nstandard goes on to specify that these assets are to be ``identified \nthrough the application of a risk-based assessment.'' Although \nsignificant focus has been placed on the development of risk-based \nassessments, the ultimate outcome of those assessments must be a \ncomprehensive list of all assets critical to the reliability of the \nbulk electric system.\n    A quick reference to NERC's glossary of terms defines a CA as those \n``facilities, systems, and equipment which, if destroyed, degraded, or \notherwise rendered unavailable, would affect the reliability or \noperability of the Bulk Electric System.''\n    Most of us who have spent any amount of time in the industry \nunderstand that the bulk power system is designed and operated in such \na way to withstand the most severe single contingency, and in some \ncases multiple contingencies, without incurring significant loss of \ncustomer load or risking system instability. This engineering construct \nworks extremely well in the operation and planning of the system to \ndeal with expected and random unexpected events. 
It also works, \nalthough to a lesser extent, in a physical security world. In this \ntraditional paradigm, fewer assets may be considered ``critical'' to \nthe reliability of the bulk electric system.\n    But as we consider cybersecurity, a host of new considerations \narise. Rather than considering the unexpected failure of a digital \nprotection and control device within a substation, for example, system \nplanners and operators will need to consider the potential for the \nsimultaneous manipulation of all devices in the substation or, worse \nyet, across multiple substations. I have intentionally used the word \n``manipulate'' here, as it is very important to consider the misuse, \nnot just loss or denial, of a cyber asset and the resulting \nconsequences, to accurately identify CAs under this new \n``cybersecurity'' paradigm. A number of system disturbances, including \nthose referenced in NERC's March 30 advisory on protection system \nsingle points of failure, have resulted from similar, non-cyber-related \nevents in the past 5 years, clearly showing that this type of failure \ncan significantly ``affect the reliability (and) operability of the \nbulk electric system,'' sometimes over wide geographic areas.\n    Taking this one step further, we, as an industry, must also \nconsider the effect that the loss of that substation, or an attack \nresulting in the concurrent loss of multiple facilities, or its \nmalicious operation, could have on the generation connected to it.\n    One of the more significant elements of a cyber threat, \ncontributing to the uniqueness of cyber risk, is the cross-cutting and \nhorizontal nature of networked technology that provides the means for \nan intelligent cyber attacker to impact multiple assets at once, and \nfrom a distance. The majority of reliability risks that challenge the \nbulk power system today result in probabilistic failures that can be \nstudied and accounted for in planning and operating assumptions. 
For \ncybersecurity, we must recognize the potential for simultaneous loss of \nassets and common modal failure in scale in identifying what needs to \nbe protected. This is why protection planning requires additional, new \nthinking on top of sound operating and planning analysis.\n    ``Identification and documentation of the Critical Cyber Assets \nassociated with the Critical Assets that support the reliable operation \nof the Bulk Electric System'' necessitates a comprehensive review of \nthese considerations. The data submitted to us through the survey \nsuggests entities may not have taken such a comprehensive approach in \nall cases, and instead relied on an ``add-in'' approach, starting with \nan assumption that no assets are critical. A ``rule-out'' approach \n(assuming every asset is a CA until demonstrated otherwise) may be \nbetter suited to this identification process.\n    Accordingly, NERC is requesting that entities take a fresh, \ncomprehensive look at their risk-based methodology and their resulting \nlist of CAs with a broader perspective on the potential consequences to \nthe entire interconnected system of not only the loss of assets that \nthey own or control, but also the potential misuse of those assets by \nintelligent threat actors.\n    Although it is the responsibility of the Registered Entities to \nidentify and safeguard applicable CAs, NERC and the Regional Entities \nwill jointly review the significant number of Table 3 and 4 entities \n\\1\\ that reported having no CAs to determine the root cause(s) and \nsuggest appropriate corrective actions, if necessary. 
We will also \ncarry out more detailed analyses to determine whether it is possible \nthat 73 percent of Table 3 and 4 Registered Entities do not possess any \nassets that, ``if destroyed, degraded, or otherwise rendered \nunavailable, would affect the reliability or operability of the Bulk \nElectric System.''\n---------------------------------------------------------------------------\n    \\1\\ Table 3 and 4 entities refers to those entities identified in \nthe Implementation Plan for Cyber Security Standards CIP-002-1 through \nCIP-009-1.\n---------------------------------------------------------------------------\n    Additionally, NERC plans to host a series of educational webinars \nin the coming weeks to help Registered Entities understand CIP \nstandards requirements and what will be required of them to demonstrate \ncompliance with the standards once audits begin in July. NERC also \nplans to incorporate a set of informational sessions into this series, \ndesigned to allow the industry to share practices and ask questions of \neach other in an open, but facilitated, dialogue.\n    We expect to see a shift in the current self-certification survey \nresults as entities respond to the next iteration of the survey \ncovering the period of January 1-June 30, 2009 and when the Regional \nEntities begin to conduct audits in July.\n    I look forward to an on-going dialogue with you on these important \nissues. 
As always, please do not hesitate to contact me, or any of my \nstaff, with any questions or concerns.\n            Sincerely,\n                                           Michael Assante,\n                                            Chief Security Officer.\n                                 ______\n                                 \n      Statement of the National Association of Regulatory Utility \n                             Commissioners\n                             July 17, 2005\n    The National Association of Regulatory Utility Commissioners \n(NARUC) was requested to provide responses to a number of questions \npresented to NARUC staff by the subcommittee. The responses provided \nbelow are an attempt by the NARUC staff to provide factual responses to \nthe questions posed by the subcommittee and do not necessarily reflect \nthe official policy positions or views of NARUC and or its membership. \nWe respectfully request that these responses be placed into the record \nof these proceedings.\nWhat assets do State utility commissioners have jurisdiction over? How \n        does this differ from the jurisdiction of FERC? Is there any \n        cross-over?\n    The Federal Power Act gives FERC authority over the sale of \nelectricity in inter-State commerce (``bulk power'') and inter-State \ntransmission. The States retain jurisdiction over unbundled \ntransmission, generation, distribution, and retail rates.\n    There is some jurisdictional overlap. For example, the States and \nFERC have concurrent jurisdiction over reliability. Section 215 of the \nFederal Power Act provides FERC and NERC authority over reliability, \nbut simultaneously asserts that this section does not preempt State \nauthority ``to take action to ensure the safety, adequacy, or \nreliability of electric service within the State, as long as such \naction is not inconsistent with any reliability standard.'' FPA § \n215(i)(3). 
Similarly, transmission tariffs approved by FERC are folded \ninto retail rates.\nHow does cost recovery work?\n    Cost recovery is generally established through a rate proceeding \nwhereby a regulatory authority evaluates the costs that the utility \nrequests to recover through rates. These costs may be initiated by the \nutility, or the utility may seek recovery for investments made in \nresponse to a Government mandate for something like increased security. \nThrough a rate hearing, the regulatory authority evaluates the \nrequested cost recovery to ensure that the cost conforms to their \nstandards for approving the costs. These standards vary, including \nevaluations of whether the incurred cost was ``used and useful,'' \n``just and reasonable,'' or prudently incurred. After evaluating the \ncost to see if it is recoverable, the regulatory authority generally \nspecifies a mechanism by which the utility will recover the actual cost \nrecovery. Cost recovery mechanisms include base rate changes to \ntariffs, adjustment clauses, deferral accounts, line item changes, or \nclosed proceedings that allow for the confidential treatment of \nsecurity costs.\nWhat cost recovery mechanisms exist for utilities to recover costs for \n        physical and cybersecurity protections?\n    State regulators are committed to allowing cost recovery of \ncritical infrastructure costs that are prudently incurred. Generally \nthis cost recovery goes through the standard rate case. Regulators have \nfound that the existing inventory of cost recovery protocols and cost \nrecovery mechanisms is sufficient. In some cases, State legislatures \nhave stepped in to reaffirm that required security costs are eligible \nfor recovery, as long as the costs are reasonable and prudently \nincurred.\nDoes the current FERC/NERC standards-setting process for infrastructure \n        protection (i.e. NERC writes, FERC approves or remands) make \n        sense in a national security context? 
Does NARUC believe that \n        industry-written standards are appropriate to protect assets as \n        critical to national security as the electric system?\n    The NERC standards approval process meets the majority of grid \nchallenges. The NERC process engages industry in the development of \nstandards that FERC approves. This process results in mandatory \nstandards for the bulk power system that are clear, technically sound \nand enforceable, and that garner broad support within the industry. \nNERC is continually improving its standards; it is striving to draw \nfrom the state-of-the-art in cybersecurity, through consideration of \nthe National Institute of Standards and Technology (NIST) framework for \ncybersecurity, and to integrate that framework into NERC's existing \nCritical Infrastructure Protection standards. NERC has also implemented \npolicies that allow for the confidential and expedient development of \nstandards, including those related to cyber- and physical security.\nHave any States required utilities to meet physical or cybersecurity \n        standards that go beyond the NERC mandatory standards? If so, \n        please provide States and standards required.\n    We are unaware of such State standards, but would be happy to \ncontact our members and get back to you if we learn of any examples.\nWhat are the key aspects of any piece of legislation that seeks to \n        secure the electric grid from cyber and physical attack?\n    Cybersecurity legislation should not reinvent the wheel. It should \ncontinue to recognize and, if necessary, make more robust the FERC-NERC \nstandards-setting process. It should also recognize and respect the \npower system's existing State and the Federal jurisdictional \nboundaries.\n    The legislation should create a framework for improved information \nflow from the Federal Government to State regulators and industry of \nany known threat or vulnerability. 
This information flow would \nfacilitate increased security for the grid infrastructure. It is \ncritical that any information conveyed from the Federal Government to \nStates or industry about a specific threat be timely and actionable to \nbest enable a response. This information can enable a utility's expert \noperators and cybersecurity staff to make the needed adjustments to \nsystems and networks to ensure the reliability and security of the bulk \npower system.\n    In the case of actionable intelligence about an imminent threat to \nthe bulk power system, it may be necessary for Government authorities \nto issue an order, which could require certain actions to be taken by \nthe electric power industry. In these limited circumstances, when time \ndoes not allow for classified industry briefings and development of \nmitigation measures for a threat or vulnerability, FERC should be the \nGovernment agency that directs the electric power industry on the \nneeded emergency actions.\nDo the commissioners that comprise NARUC maintain any existing \n        authorities that would allow them to require owners and \n        operators of electric facilities to harden their equipment to \n        mitigate the effects of an electromagnetic pulse?\n    Commission-authorized reliability investments generally require \nthat the utilities protect against ``all hazards.'' Although \ncommissions generally do not prescribe against specific threats, ``all \nhazards'' standard of review mandates that utilities protect against, \nor create mitigation measures to limit detrimental reliability effects, \nfrom any anticipated threat, including an electromagnetic pulse.\nDo the commissioners that comprise NARUC maintain any existing \n        authorities that would allow them to require owners and \n        operators of electric facilities to harden their equipment to \n        mitigate the effects of a cyber attack?\n    Again, State regulatory authorities generally require 
utilities to \nprotect against all hazards. NERC sets the cybersecurity standards. The \ncommissions, including FERC within its authority over transmission, \napprove costs based on investments the utilities make to conform to \nthese standards.\nHow many Smart Grid projects have been funded by commissioners thus \n        far? In general terms, what are the security requirements for \n        these projects?\n    California and Texas have approved the rollout of advanced metering \ninfrastructure (AMI) with cost recovery. Texas requires that the \nelectric utility have an independent security audit of the advanced \nmeters and report the results of the security audit to the commission. \n(See Texas Substantive Rule § 25.130, http://www.puc.state.tx.us/rules/\nsubrules/electric/25.130/25.130.pdf). I believe that California is \nstill evaluating the rules for the AMI rollout.\n    There may be additional Smart Grid projects that have qualified for \ncost recovery of which we are not aware.\n    With the rollout of the Smart Grid investment grants and Smart Grid \ndemonstration projects under the American Reinvestment and Recovery Act \nof 2009, there will be a larger number of Smart Grid projects \ndeveloped. These funding opportunity announcements discuss and \nprioritize security, and will certainly be a factor for consideration \nin the selection of these projects. Smart Grid projects, like all \nprojects, must meet NERC's cybersecurity requirements. Additional \nsecurity requirements and standards are under development. For example, \nNIST is working to develop cybersecurity standards for the Smart Grid, \nwith a domain expert working group dedicated to the task. State \ncommission staffs participate in the NIST cybersecurity working group. 
\nState commissions may choose to adopt and mandate the standards NIST \ndevelops for Smart Grid deployment within its jurisdiction.\n    Further, NARUC Critical Infrastructure Committee continues to \nmonitor and educate its members on security threats and the evolution \nof the Smart Grid.\n                                 ______\n                                 \n            Statement of William Radasky and John Kappenman\n                              introduction\n    We wish to thank the House Homeland Security Subcommittee on \nEmerging Threats, Cybersecurity, and Science and Technology for \ninviting us to submit this written statement with regard to the \nprotection of the critical electric infrastructure of the United States \nagainst cyber and other physical threats.\n    While this statement will draw upon the experience and capabilities \nof Metatech Corporation, headquartered in California with its largest \noperation in New Mexico, the opinions expressed in this statement are \nthose of Dr. William Radasky, Ph.D., P.E., President of Metatech and \nMr. John Kappenman, P.E., Metatech Consultant.\n                    our capabilities and experience\n    Metatech Corporation was founded in 1984, and in its early years \nfocused its work completely on the understanding of the various forms \nof electromagnetic pulse (EMP) created by nuclear detonations (HEMP, \nSREMP, SGEMP, etc.). The purpose of understanding these intense \nelectromagnetic fields was to determine the appropriate protection for \nmilitary electronic systems so that these systems could still operate \nin the case of a nuclear burst. A burst at high-altitudes (defined as \nabove 30 km) can create a high-altitude electromagnetic pulse (HEMP) \nthat can illuminate the Earth within a line of sight. Two bursts at \nseveral hundred kilometers altitude could fully expose the entire \nUnited States. 
This type of EMP is considered one of the most severe \ndue to its wide area of coverage and its near simultaneous illumination \nof electronic equipment and systems.\n    With the end of the Cold War and the subsequent reduction of \nnuclear stockpiles in the world, the threat of a major nuclear war has \nbeen reduced. On the other hand, the possibility of one or two nuclear \nbursts at high-altitudes launched by a terrorist organization over the \nUnited States seems to have increased (as suggested by the EMP \nCommission). In the early 1990s, Dr. Radasky began his work with the \nInternational Electrotechnical Commission (IEC) to examine the threat \nof HEMP to civil society. He has chaired IEC SC 77C since 1991, and \nthis subcommittee has produced 20 voluntary standards and publications \ncovering both HEMP and more recently the threat of electromagnetic \nweapons to civil society (known as IEMI). This committee has drawn upon \nthe standard types of protection that are available within the \nelectromagnetic compatibility (EMC) community and extended them to \nthese more severe threats.\n    In the 1990s Dr. Radasky and Mr. Kappenman joined forces to examine \nthe threat of geomagnetic (solar) storms on high voltage power grids. \nMr. Kappenman had worked in this field for many years with the power \nindustry, studying the impacts of storms on power grids, and Dr. \nRadasky and his colleagues had worked on advanced forms of \nelectromagnetic numerical analysis stimulated by their earlier work on \nEMP. It was during this time that we discovered the very strong \nrelationship between the impacts of geomagnetic storms and the late-\ntime portion of the HEMP (known as E3) on the electric power grid. 
\nWhile the generation mechanisms of these disturbances are completely \ndifferent, the waveforms produced and their impacts on the power grid \nare very similar.\n    At the present time Metatech Corporation is the leading company \nworldwide providing new developments and understandings relating to \nspace weather (geomagnetic storms due to intense solar activity) and \nits impact on large power grids. Our company has in fact been involved \nin the vulnerability and risk assessment for the power grids in England \nand Wales, Norway, Sweden and portions of Japan. Metatech developed and \nprovided continuous space weather forecasting services for the company \nthat operates the electric power grid for England and Wales. Since May \n2002, Metatech has been providing similar vulnerability and risk \nassessments for the U.S. electric power grid to the Commission to \nAssess the Threat to the United States from Electromagnetic Pulse (EMP \nCommission). Metatech has carried out investigations for FEMA under \nExecutive Order 13407 to examine the potential impacts on the U.S. \nelectric power grid for severe geomagnetic storm events. In addition, \nMetatech work has been formative in the January 2009 Report by National \nAcademy of Sciences ``Severe Space Weather Events--Understanding \nSocietal and Economic Impacts Workshop Report''. The assessments \nperformed by Metatech indicate that severe geomagnetic storms pose a \nserious risk for long-term outages to major portions of the North \nAmerican grid. While a severe storm is a low frequency of occurrence \nevent, it has the potential for long-duration catastrophic impacts to \nthe power grid and the country. 
The impacts could persist for multiple \nyears with the potential of significant societal impacts; in addition \nthe economic costs could be measured in the several trillion dollars \nper year range and could pose the risk of the largest natural disaster \nthat could affect the United States.\n         what is hemp and how does it impact the power system?\n    As indicated earlier, HEMP is produced by a nuclear detonation \nabove 30 kilometers altitude. Intense electromagnetic fields are \nproduced in space by the high-energy radiation leaving the detonation, \nand these fields propagate downward to the Earth's surface. Because of \ndifferent types of interactions, there are actually three main pulses \ncreated, covering three time frames: Less than 1 microsecond, from one \nmicrosecond to 1 second, and beyond 1 second. These time regimes have \nbeen given the notations of E1, E2, and E3, respectively. As we will \ndiscuss in this statement, each of these ``pulses'' creates different \ntypes of problems in modern electric and electronic equipment and \nsystems; this is due to the ``coupling'' of the electromagnetic fields \nto the electric power lines themselves and to the control wiring in \nsubstations and power generation facilities.\n what are other similar em threats that can be dealt with at the same \n                                 time?\n    There are two other significant power system electromagnetic \nthreats of concern to power systems. One is a geomagnetic storm, which \nbegins with the ejection of charged particles from the Sun; these \nparticles travel to the Earth and create large current flows in the \nionosphere at levels of up to millions of amperes for a severe storm. \nThe frequency of occurrence of geomagnetic storms follows the solar \ncycle (~11 years), but it is expected that severe storms with the \npotential for catastrophic impacts to power grids in the United States \noccur once every ~30 years, based on historical evidence. 
As in the \ncase of the E3 HEMP, this electromagnetic disturbance couples well to \nlong transmission lines and creates geomagnetically induced currents \n(GICs) that can create power blackouts and damage to large \ntransformers.\n    Another electromagnetic threat of concern is that produced by \nelectromagnetic weapons used by criminals or terrorists producing \nintentional electromagnetic interference or IEMI. These weapons have \nbecome more powerful and easier to obtain in recent years due to \nadvances in solid-state electronics. These electromagnetic fields are \nvery similar to those produced by E1 HEMP and will impact the electric \npower system in a similar fashion. The main difference is that the area \naffected by IEMI is much less than for HEMP, although the attack is \nsilent and would not be understood in the same way as a cyber attack. \nIn addition an IEMI attack would not leave any trace to determine how \nthe attack occurred, since the electromagnetic fields would arrive \nsimultaneously at several locations in a system, creating multiple \nfailures of hardware and software.\n         what effects are expected on the power grid from hemp?\n    For the operation of the electric power grid, the HEMP E1 and E3 \npulses are the most important. 
Research performed for the EMP \nCommission clearly indicates the following concerns:\n    (1) Malfunctions and damage to solid-state relays in electric \n        substations (E1);\n    (2) Malfunctions and damage to computer controls in power \n        generation facilities, substations, and control centers (E1);\n    (3) Malfunctions and damage to power system communications (E1);\n    (4) Flashover and damage to distribution class insulators (E1);\n    (5) Voltage collapse of the power grid due to transformer \n        saturation (E3);\n    (6) Damage to HV and EHV transformers due to internal heating (E3).\n    It should be noted that these effects could result in widespread \nblackouts due to the large geographic footprint of these environments \nand the fact that they are simultaneous in nature. In particular a \nsingle high-altitude burst above the United States would create an E1 \npulse that would arrive at all locations within one power cycle. In \naddition, widespread damage, especially to HV and EHV transformers \ncould require years to recover due to worldwide production limits.\n                           costs of hardening\n    Given the potentially enormous implications of power system threats \ndue to space weather, it is important to develop effective means to \nprevent a catastrophic and crippling failure of the electric power \ngrid. Recent detailed examinations also conclude that the United States \nand other world electric power grid infrastructures are becoming more \nvulnerable to disruption from geomagnetic storms and E3 HEMP \nenvironment interactions for a wide variety of reasons. This trend line \nsuggests that even more severe impacts can occur in the future for \nreoccurrences of large geomagnetic storms. These trends of increasing \nvulnerability remain unchecked, as no design codes have been adopted to \nreduce geomagnetically induced current (GIC) flows in the power grid \nduring such a storm. 
Present operational procedures utilized by U.S. \npower grid operators largely stem from experiences in recent storms, \nincluding the March 1989 storm, while storms as much as ten times \nlarger than this storm are only recently understood to have occurred \nbefore with the certainty they will occur again. In retrospect, it is \nalso now clear that present U.S. power grid operational procedures are \nbased largely on this out-of-date storm experience, and these \nprocedures will not reduce GIC flows sufficiently; therefore these \ncurrent procedures are unlikely to be adequate to prevent widespread \nblackout or damage to key equipment for historically large disturbance \nevents in the future. The same trend line and theme of increasing \nvulnerability is also true with respect to the fast transient effects \nof the HEMP E1 and IEMI threat conditions.\n    Since both hardening and improved operational mitigation \ndevelopment are necessary, it may be helpful to define these terms more \nclearly. Hardening is a process of modifying the power grid in order to \nblock or reduce GIC in key transformer assets. Operational mitigation \nis the action of taking various operational actions for the purpose of \nposturing the power grid (or key assets) to minimize GIC exposure \n(e.g., removing spare transformers from service based upon an alert/\nforecast of a severe storm). This combination provides a layered and \ncomplementary approach, in that both act to improve the security of the \ngrid. It is also important that both actions are functionally \nindependent, in that failure to enact a timely or proper operational \nprocedure does not defeat the hardening measures, which reduce the GIC. 
\nInfrastructure hardening is clearly the more effective and reliable \napproach; operational mitigation is highly dependent on the quality of \nalert/forecast capability and the fact that the varying states of power \nsystem operation during a storm may limit the range of effectiveness \nand flexibility for taking meaningful actions.\nE1 HEMP standards and network upgrades\n    Presently in substations and other power grid facilities, relay and \ncontrol devices span many generations of designs from \nelectromechanically operated relays to multi-function microprocessor \nbased relays and control devices. The widespread applications of multi-\nfunction devices are being used to provide added capabilities to the \noperation of the power grid; however these devices introduce new \nvulnerabilities to the E1 HEMP environment. Existing standards have \ntaken into consideration the unique and harsh electromagnetic \nenvironment common in a high-voltage substation. As a result there are \na variety of standards for substation-based protective relays and relay \nsupport systems that have evolved over the years. While these \nevolutions provide protection against some of the threats posed by the \nE1 HEMP environment, some gaps and shortfalls in immunity test \nthreshold levels continue to exist that if filled would make these \ndevices more robust in their ability to withstand the E1 HEMP or IEMI \nthreats. While the current electromagnetic transient test levels of \nconcern are from sources not related to the E1 HEMP or IEMI \nenvironments, some of the similarities illustrate the significant \nopportunities that are possible for dual application.\n    Many activities are currently underway within the IEEE and \nInternational Electrotechnical Commission (IEC) to update and improve \nthe EMC immunity of electronic equipment used in factories, power \nsubstations and power-generating stations including nuclear power \nplants. 
The IEC has developed a set of electric fast transient (EFT) \ntests that are very similar to the waveforms coupled by E1 HEMP to \ncables. The EFT test pulse has a rise time of 5 ns and a pulse width of \n50 ns. The typical EMC test levels suggested are between 1 and 4 kV. As \nnoted in Metatech's work, E1 HEMP can under some circumstances produce \nmore than 10 kV, with a similar waveform. Of particular interest is the \nfact that some companies in the European power industry have suggested \nthat higher levels of immunity test standards be applied to power \nsystem control electronics. It is clear that if EM standards are \ndeveloped that have a dual application (normal usage and HEMP), then \nthe possibility of acceptance of these standards will be more positive. \nIn addition, recent work led by Metatech with Cigre is examining the \nadditional protection that would be required in substations to \neliminate the threat of IEMI. Protection against IEMI would provide \nprotection against E1 HEMP.\n    Given the on-going work and the fact that the United States has \nseveral HEMP and power system experts involved in the work of the IEC, \nthese new international standards could be analyzed for their \napplication to power system equipment in the United States to improve \nthe hardness of the overall power system to HEMP. In addition to the \nEMC work, there is also continuing work in the IEC to develop further \nHEMP standards for the civil infrastructure with heavy participation of \nseveral U.S. HEMP experts. This work should be directly supported \nthrough research funding to develop cost-effective ways to apply the \nnew IEC standards to improve the hardness of important civil systems.\n    As the EMP Commission Report has noted, there are several thousand \nmajor substations and other high-value components on the transmission \ngrid. 
With the development of standardized and hardened equipment, a \ncontinual program of replacement and upgrade with HEMP-hardened \ncomponents will substantially reduce the cost. The estimated cost for \nHEMP-hardened replacement units and HEMP protection schemes is in the \nrange of $250 million to $500 million. Approximately 5,000 generating \nplants of significance will need some form of added protection against \nHEMP, particularly for their control systems. As the EMP Commission \nnoted, these costs are in the range of $100 million to $250 million.\nPower grid hardening and mitigation for E3 HEMP and geomagnetic storms\n    Both the E3 portion of a HEMP environment and naturally occurring \ngeomagnetic storms can cause the flow of geomagnetically induced \ncurrents (GIC) through transformers in an exposed power grid. The GIC, \nif large enough, can disrupt the AC performance of the grid causing \ninitial blackouts and also creating the potential for permanent damage \nto large transformers, which can lead to restoration delays of the \npower grid. Hardening of the power system is optimally done through the \napplication of passive devices or circuit modifications that block or \nreduce the flow of GIC in a power grid. Because GIC accesses power \nsystems through the multiplicity of grounded neutral leads of wye-\nconnected transformers, the most effective point at which to place \nblocking or limiting devices is also in these neutral-to-ground leads. \nNeutral GIC blocking devices have been actively researched since the \nearly 1990s, and several hardware versions have been successfully \ndeployed for blocking stray DC or GIC flows into exposed transformers.\n    The analysis performed to date for the EMP Commission by Metatech \nindicates that the conceptual design of installing neutral resistors on \nthe transformer neutral-to-ground connections is the preferred option \nof protection. These resistors would be low resistance--on the order of \n5 ohms. 
Even though small, they would substantially increase the \nresistance in the power line network; since they are located in the \nneutral to ground connection, they would not substantially decrease the \nefficiency of operation of the power grid. These devices would allow a \nsignificant reduction of the GIC currents induced (around 60% reduction \nin overall GIC levels are estimated from the studies). The advantage of \nthis design is that it will be relatively simple to develop with lower \nengineering trade-off risks and lower overall installed costs compared \nto other more exotic devices. In order to evaluate this option more \ncompletely, it will be necessary to carefully study the economic \naspects of this approach and to move forward with a funded R&D effort \nto fully engineer and test the prototypes.\n    The EMP Commission in their report estimated costs for switchable \nground resistors for high-value transformers to be in the \nrange of $150 million. Further studies are needed to determine the \nnumber and location of high-value transformers, but preliminary \nestimates are for some ~5,000 such transformers to be considered on the \n230 kV, 345 kV, 500 kV and 765 kV networks. These cost estimates are \nbased upon simple devices that are still at a conceptual stage of \ndevelopment. Metatech has been briefing various interested Government \nagencies and organizations on a comprehensive R&D program that would \nfinalize the design requirements for the protection system and would \ndevelop better estimates of costs; therefore total costs several times \nlarger than the previous EMP Commission estimate might be foreseeable.\n    With respect to the overall cost of hardening, it is also important \nto keep in mind the cost of outages, even when they are of short \nduration. A hardening program that expends even as much as ~$1 billion \nto protect the U.S. 
power grid against a severe geomagnetic storm, an \nevent that has occurred before and is certain to occur again, is still \nfar cheaper than the costs of a widespread blackout to the U.S. \neconomy. For example the DOE estimated that the August 2003 blackout \n(affecting ~60 million people in Midwestern and NE United States) cost \nabout $10 billion. If we instead only elect to black out or shut down \nthe power grid based on forecast alerts of this sort of event, it would \ncost more than 10 times the hardening cost just in terms of the \neconomic impact to the United States. When one factors in that \nforecasts will no doubt come with false alerts, then the costs of \nhardening are indeed quite prudent.\n                    operational mitigation training\n    The EMP Commission also recognized the importance of developing a \ncapability to monitor and evaluate the unique set of adverse effects on \ncritical systems and to speed their restoration. Operators and others \nin a position of authority must be trained to recognize that a HEMP \nattack, an IEMI attack or a severe geomagnetic storm is occurring or is \nabout to take place. This should be done in order ``to understand the \nwide range of effects it can produce, to analyze the status of their \ninfrastructure systems, to avoid further system degradation, to \ndispatch resources to begin effective system restoration, and to \nsustain the most critical functions while the system is being \nrepaired''.\n    The detailed power grid models that have been employed by Metatech \nfor the EMP Commission and FEMA studies provide an excellent starting \npoint to develop a comprehensive training program and operational \navoidance procedures for the U.S. 
power industry to counter the harmful \nimpacts from the E3 HEMP and severe geomagnetic storm environments.\n    As the EMP Commission and others have suggested, efforts to promote \ntraining centers that would have the mission of simulating, training, \nexercising, and testing both operational avoidance and recovery plans \nare important for the country. These training centers would allow the \ncomprehensive simulation of HEMP and other major system threats, such \nas geomagnetic storms or coordinated terrorist attacks, whether they \nare physical or electromagnetic in nature (IEMI). These training \ncenters would aid in the development of procedures for addressing the \nimpact of such attacks to identify weaknesses, to provide training for \npersonnel and to develop HEMP response procedures and coordination of \nall activities across appropriate agencies and industry.\n    Better and more appropriate procedures can be developed such as:\n  <bullet> Making decisions to remove certain high-value assets (such \n        as EHV transformers) from operation in the network to reduce \n        their exposure to damaging GIC levels.\n  <bullet> Making decisions to remove key generating plant transformers \n        from operation again to reduce their exposure to damaging GIC \n        levels.\n  <bullet> Making decisions to reduce or shed load (or to create \n        limited blackouts) in portions of the grid to reduce exposure \n        of high-value assets to damaging E1, E3, or severe geomagnetic \n        storm environments.\n  <bullet> Making decisions on additional staffing under alert \n        conditions to perform manual overrides, where possible, of \n        operational controls that could be compromised due to E1 \n        impacts.\n                           alert capabilities\n    In 1998, the National Grid Company, which operates the power grid \nfor all of England and Wales, awarded Metatech a contract to develop \nand operate the world's first geomagnetic 
storm forecasting service \nusing solar wind electrojet models. These operational electrojet models \nare driven by solar wind data from the ACE L1 satellite. This detailed \nelectrojet model provided a predictive forecast capability needed by \nthe electric power industry. Large and sudden storm onsets can erupt on \na planetary scale within a matter of minutes, meaning that power \nsystems that are concerned about the impact of these disturbances will \nnot have any meaningful lead-time available if they depend upon local \nreal-time monitoring alone. In the famous geomagnetic storm of March \n13-14, 1989, the Hydro Quebec power grid went from completely normal \noperating conditions to complete province-wide blackout in an elapsed \ntime of only 90 seconds. The electrojet predictive model will instead \nprovide these power system operators a nominal lead-time of \napproximately 45 minutes for most storm events, and a somewhat smaller \nlead-time for major events.\n    The advanced geomagnetic storm forecasting system was developed to \nprovide forecasts for the entire Northern Hemisphere, and detailed \nimpacts of these storm conditions were further assessed for the NGC \npower grid across England and Wales. This system updated the forecast \non a continuous 1-minute cadence and became operational in May 1999. \nThis system was deployed in the NGC System Control Room in Wokingham, \nEngland where it was continuously used as the primary space weather \ntool for the control of the entire national grid. In addition to these \nforecast capabilities, Metatech with NGC deployed 16 real-time remote \nmonitoring locations throughout England and Wales to monitor the storm \nenvironment and impacts on the power grid. Nearly 2,000 channels of \ndata are continuously collected in real-time from this sophisticated \nnetwork and made available for nowcast and system status displays in \nthe NGC System Control Room. 
This geomagnetic storm forecasting system, \nwhich is highly tailored to electric power grids, is the most-advanced \nin the world, even exceeding the capability of the NOAA-SEC.\n    In addition, Metatech has successfully modeled and validated \ndetailed power grid models throughout the world. A complete U.S. Power \ngrid model has been fully developed for the United States EHV Power \nGrid infrastructure and was employed in both the EMP Commission studies \nand also in FEMA investigations under Executive Order 13407.\n    While it is possible to install a geomagnetic storm forecasting \nsystem in the United States using the approach applied in the case of \nEngland and Wales, it should be noted that this system provided the \nforecast to a single location, where action could be taken for the \nentire grid. In the United States the situation is different, and both \nfor geomagnetic storms and a HEMP attack, it is necessary to develop a \nprocedure to send the geomagnetic forecast or information concerning a \nmissile launch at the United States to all power grid operators within \nminutes. In addition a coordinated response of the power grid operators \nneeds to be determined ahead of time for different scenarios. It is \nimportant that action be taken to allow this information to be sent to \nthose who require it.\n                   concerns about smart grid security\n    While the current situation with regard to the vulnerability of the \npower grid to HEMP and other high-level electromagnetic disturbances is \nserious, national discussions of future changes to the power grid could \nwell make things worse. 
In particular the concept of the ``Smart Grid'' \nis under active consideration, and while the precise details of such a \nplan are not clear, it is clear that a major objective is to collect \nmore data on the grid and to provide that data to the operators of the \ngrid.\n    The problem with many proposals for the Smart Grid is that there \nwill be a proliferation of millions of computers (Smart Meters), which \nwill be placed at homes and businesses to monitor the use of power in \nreal time. These data will allow the system operators to operate their \ngrids more efficiently and to eliminate the need for extra margins. \nThese distributed computers will be vulnerable to the threat of \nradiated and conducted high frequency threats (such as E1 HEMP and \nIEMI) and will be impacted by severe harmonics created during E3 HEMP \nand geomagnetic storms. It is clear that very high levels of \nelectromagnetic protection should be required for these meters, yet in \ndiscussions concerning Smart Meters today, security seems to be a \nsecond thought. We recommend that the physical and electromagnetic \nsecurity of Smart Grid components be raised to the highest level of \nconsideration.\n    Another area of concern is the plan to build a new super-grid to \nconnect wind power in the Midwest with the Eastern and Western grid \nwith the construction of a new 765 kV grid. It is important to \nrecognize that the higher voltage levels of this transmission network \n(relative to the 500 kV grid in most of the country) increase its \nvulnerability to E3 HEMP and geomagnetic storms, potentially increasing \nthe vulnerability of the grid by a factor of 2 or more over what exists \ntoday. 
Plans to build such a grid should definitely consider the \nprotection of the high voltage transformers.\n                           role of standards\n    As alluded to at several points in this statement, it is first \nimportant to make a decision that the power grid needs to be protected \nagainst HEMP and other similar electromagnetic threats such as \ngeomagnetic storms and IEMI. Once this is done then the means to \naccomplish the goal should be through standards. While standards often \ntake years to develop, in this case much of the HEMP and IEMI work has \nalready been done in the IEC for generic systems (e.g., computers). \nStandards can therefore be developed rapidly to improve the hardening \nof hardware currently in service and also for the development of new \nproducts. This approach will allow the fastest time to reach a hardened \nstate, while keeping the costs at a reasonable level.\n            conclusions regarding ferc regulatory authority\n    Given that the United States has a very diverse, mostly private \nownership of the power grid, it is difficult for industry to deal with \nthe threats of HEMP, geomagnetic storms and/or IEMI on their own and \ncertainly not in a piecemeal fashion. There is an argument that if a \npower company makes improvements to their portions of the grid and \nothers do not, then wide area geographic threats can still have a \ncatastrophic impact.\n    During the beginning of the power system work in the EMP \nCommission, NERC was invited to provide its recommendations regarding \nwhich power system electronics were the most important to the operation \nof the grid. A prioritized equipment list was provided and used by the \nEMP Commission to perform susceptibility tests. While this part of the \ncollaboration was successful, follow-up discussions with NERC were not \nas successful. 
It seemed that the working level people within NERC were \nnot willing to recommend protection standards against HEMP in spite of \noverwhelming evidence that this threat falls into the low-probability, \nhigh-consequence area. Indeed the potential consequences are so serious \nthat it should be viewed as a Systemic Risk, one that could threaten \nthe lives of many and alter the course of the history of this country, \nif ever allowed to unfold.\n    For this reason, we would recommend that FERC, which has already \nshown a strong interest in the protection of the power grid from HEMP, \nbe given the regulatory authority to deal with the threat of HEMP and \nother related electromagnetic threats.\n                                 ______\n                                 \n                       Statement of Emprimus LLC\n                             July 21, 2009\n    Chairwoman Clarke, Ranking Member Lungren, Chairman Thompson, \nRanking Member King, and Members of the subcommittee: Thank you for the \nopportunity to share with you our thoughts about the present \nvulnerability of the U.S. electric grid and other critical civilian \ninfrastructure to growing electromagnetic threats, and our \nrecommendations for steps towards remediation of these threats. \nEmprimus is deeply concerned about our national infrastructure \nelectrical, electronic, and cyber vulnerabilities in a number of areas, \nand has already been involved in several discussions with Congressional \nmembers and their staffs, and other agency personnel about these \nissues, as well as providing briefings to relevant industry and \ntechnical associations in recent months. 
Emprimus has a multi-\ndisciplined background which includes a private testing program to \nevaluate and understand the vulnerability of many types of civilian \nelectronic equipment to these growing threats, as well as new ways to \nremediate them.\n    We strongly support legislation to amend the Federal Power Act to \nprovide additional authorities to adequately protect the critical \nelectric infrastructure against cyber attack and the related \nintentional electromagnetic interference (IEMI) attacks, as well as \nhardening the electric grid against high altitude electromagnetic pulse \n(EMP) and severe geomagnetic storms. For conciseness in this record, we \nwill generically refer to all electromagnetic threats as ``EMP.'' As we \nwill show, all three of these threats are related in that they have \nsimilar effects and share common remediation solutions. It is important \nto note at the outset that EMP is also a cyber threat just as surely as \ninternet hackers are, since data states can be destructively altered.\n1. What are the severe electromagnetic threats to our electric system \n        and other critical infrastructure?\n    Every year, the modern infrastructure of the United States becomes \nincreasingly dependent on integrated circuit-based electronic control \nsystems, computers, servers and burgeoning masses of electronically \nstored data. The emerging threat and growing use of non-nuclear EMP/\nIEMI (Intentional Electromagnetic Interference, including Radio \nFrequency [RF] weapons) poses grave dangers to all of our civilian \ninfrastructure, including our national electric grid, civilian \nfacilities' data and data assets, and can damage computer systems, \ntheir electronic equipment and the data they contain, control and \nmonitoring systems, and support systems which would impede operations \nof most critical civilian infrastructure installations. 
Support systems \nat risk range from security systems to communication links to fire \nprotection to all HVAC systems.\n    For instance, recent research and testing shows how power \ndistribution can be shut down for a multi-State area by mobile non-\nnuclear EMP attacks. Major metropolitan areas in the United States have \na number of critical choke points. For example, some electrical \nsubstations in each area of the country connect a large amount of \nelectric generation to the bulk electric transmission system, and \nsimilar electrical substations are used to connect the transmission \nsystem to the metropolitan distribution system. A mobile non-nuclear \nattack perpetrated by terrorists or other parties in an innocent-\nlooking truck at the typically unguarded perimeter of a single \nsubstation would cause connection faults and trips, resulting in \ndropping generators off-line similar to recent blackouts in New York \nand Florida. A coordinated attack at several of these substations could \nlead to a cascading collapse condition, leading to prolonged large \nmulti-State power outage conditions. A multi-city coordinated attack \ncould have an even more serious national effect. With proper attention \nto shielding and filtering of substation electronics controls, \ncommunications equipment, and data centers as part of a mandated \nimprovement program, the impacts of these intentional EMP events can be \nminimized.\n    The military has shielded their facilities for decades against EMP. \nNow, high levels of EMP can be delivered locally by either hand-held \ndevices, or via more powerful vehicle-borne weapons, and create \ndisruption and damage similar to that caused by high-altitude EMP, but \non a local scale. The threat of a severe geomagnetic storm is always \nwith us, and will occur at some time in the future with near certainty. \n(A solar event similar to the 1859 storm would cause catastrophic \ndamage to our modern electricity-based infrastructure.) 
The recent \nQuebec grid collapse as a result of a serious solar storm has resulted \nin Canadian action to improve its grid.\n    The following chart shows how all three types of electromagnetic \nthreats to our infrastructure are related with regard to their damage \nand disruption effects.\n\n----------------------------------------------------------------------------------------------------------------\n                                                                     Damage to Grid          Damage to Other\n                                         Damage to  Electric      Electronic  Controls        Infrastructure\n                                          Grid Transformers             and Data           Electronics and Data\n----------------------------------------------------------------------------------------------------------------\nHigh-altitude Electromagnetic Pulse    Yes, National Scale....  Yes, Serious...........  Yes, Serious.\n (EMP).\nIntentional Electromagnetic            Local or Regional        Yes, Serious Local.....  Yes, Serious Local.\n Interference, or Non-nuclear EMP.      Effects.\nSevere Geo-magnetic Storms...........  Yes, Regional or         Sporadic...............  Sporadic.\n                                        National Scale.\n----------------------------------------------------------------------------------------------------------------\n\n    This chart shows how the impacts of these threats are related. 
\nFortunately, appropriately mandated national action can significantly \nreduce the impacts of all three threat classes.\n    The International Electrotechnical Commission (IEC) has defined \nnon-nuclear EMP/IEMI as the ``intentional malicious generation of \nelectromagnetic energy introducing noise or signals into electric and \nelectronic systems thus disrupting, confusing, or damaging these \nsystems for terrorist or criminal purposes.'' The insidious aspect of \nthis class of EMP for the energy sector and other key sectors of our \nnational infrastructure is that it attacks both cyber- and physical \nsecurity aspects of our electronics-based systems in manners that can \ncompletely circumvent firewalls, tier structures, layered networks, \npasswords, physical barriers, security procedures, etc. Unlike \ntraditional cyber threats to data security, non-nuclear EMP may be \nextremely covert and difficult to detect and trace with forensics, and \nwith the ability to impede digital forensics by corrupting the data. \nThere are remediation approaches to help diminish this threat class if \nappropriate steps are taken.\n2. What are the effects of an EMP event on the electric system?\n    Non-nuclear EMP attack.--As demonstrated in the example above of a \nrelatively modest attack by a small number of individuals on several \ncritical electric power substations, substantial damage and disruption \ncan be inflicted by the use of these uncontrolled and easy-to-deploy \nelectromagnetic weapons. The U.S. Navy has shown how plans for many of \nthese devices are available on the internet, has tested and \ndemonstrated the vulnerability of computer and SCADA systems, and has \ndemonstrated the fabrication and use of such a device built with a \ntotal parts cost of $500.00. These man-portable or vehicle-borne \nweapons are becoming a modern tool of those wishing to conduct highly \nasymmetrical warfare, including disgruntled employees, criminals, \nextremists, and terrorists. 
These devices can be deployed against \nelectric power substations and other electronics, and in fact against \nall 18 segments of the DHS sectors of critical civilian infrastructure \nwith similar results.\n    High-altitude EMP attack.--A high-altitude EMP event detonated \nseveral hundred miles above the center of the contiguous United States \nwould cause catastrophic damage to the present national electrical \ngrid, as was detailed by the recent Congressional EMP Commission: \n``Report of the Commission to Assess the Threat to the United States \nfrom Electromagnetic Pulse (EMP) Attack,'' April 2008. An EMP event of \nthis type has an initial fast burst lasting nanoseconds that will \ndamage or destroy most modern electronics within line of sight that are \nbased on integrated circuitry, and a slower burst lasting up to several \nminutes that will create very large voltages over hundreds and \nthousands of miles that will result in disastrous damage to the high-\nvoltage transformers and electronics that power our national electric \ndistribution system. As the EMP Commission states, ``The \nelectromagnetic pulse generated by a high altitude nuclear explosion is \none of a small number of threats that can hold our society at risk of \ncatastrophic consequences. The increasingly pervasive use of \nelectronics of all forms represents the greatest source of \nvulnerability to attack by EMP. Electronics are used to control, \ncommunicate, compute, store, manage, and implement nearly every aspect \nof United States (U.S.) civilian systems. When a nuclear explosion \noccurs at high altitude, the EMP signal it produces will cover the wide \ngeographic region within the line of sight of the detonation. This \nbroad-band, high-amplitude EMP, when coupled into sensitive \nelectronics, has the capability to produce widespread and long lasting \ndisruption and damage to the critical infrastructures that underpin the \nfabric of U.S. 
society.'' This is not a short duration problem: The \nhigh voltage grid transformers that will be destroyed have few spares, \nlittle commonality, and most are now manufactured offshore. Lead times \nfor small quantities of these transformers are years, but hundreds or \nthousands would be destroyed.\n    Severe geomagnetic storms.--The impact on electric power \ntransformers deployed at the ends of our long high-voltage transmission \nlines would be essentially the same as that from a high-altitude EMP \nevent described above. The geomagnetic induced currents (GIC) from \nthese events will also generate high, damaging voltage surges over any \nlong conductive paths (communications, telecom, data lines, etc.) \nleading to computer systems, data storage, and any other electronic \nequipment. An expert in GIC has indicated that uninterruptible power \nsupplies are especially vulnerable. An 1859-class event would shut down \nmost of our grid for years, if our critical transformers remain \nunprotected.\n3. What technological fixes are required to secure infrastructure from \n        an EMP event?\n    Electronic and data dependent infrastructure.--The 18 Department of \nHomeland Security sectors of Critical non-military Infrastructure all \nhave a vital dependence on digital data, electronic sensing, computing, \ncontrols, and data storage that can be corrupted and/or damaged by both \nhigh-altitude EMP and non-nuclear EMP. It is important to point out \nthat these threats are CYBER threats, since they can corrupt and \ndestroy data just as surely as the more publicized internet hacker \nattacks we are so familiar with these days. In fact, EMP is probably \nmore insidious, since these attacks leave no network footprints and \ndestroy evidence amenable to digital forensics, and they can cause \nphysical damage to the electronic equipment attacked. It is conceivable \nthat EMP could be used to cover up traditional cyber attacks. 
Critical \nequipment in the DHS Critical Infrastructure segments such as data \ncenters, supervisory control and data acquisition (SCADA) systems, \nprocess control equipment, etc. can be protected by appropriate \nelectromagnetic shielding, filtering, and security procedures, along \nwith enhanced threat detection. It is especially important that \nfacilities responsible for meeting regulatory data retention \nrequirements rapidly acquire this protection, especially trading \ninstitutions and banking data centers. The 2008 EMP Commission Final \nReport has much more detail on the effects of EMP on \ntelecommunications, banking, refineries and pipelines, and other \ninfrastructure, recommending that mandated fixes proceed promptly.\n    High-voltage transformers.--The national power grid high-voltage \ntransformers must be remediated to withstand the huge direct current \nvoltages they would be exposed to in a high altitude EMP event or \nsevere geomagnetic storm. The 2008 EMP Commission Final Report has a \nnumber of specific recommendations regarding transformer protection, \nimproving grid communications and control, safer islanding of grid \nsegments (permitting a damaged portion of the grid to be safely \nisolated), and other key remediations. Some of these critical fixes can \nbe started immediately and at relatively low cost, especially with \nregard to high-voltage transformer protection. These protections are \nneeded to protect against severe geomagnetic storms, as well as EMP, \nsince at least a severe storm will occur sooner or later.\n4. Why does the modernization of the American electric grid create new \n        vulnerabilities that may not have existed before?\n    There are several factors that are working to increase the \nvulnerability of our critical electric grid.\n            Interconnectivity\n    Heavy reliance on interconnectivity to meet peak load demands has \nincreased the probability of cascading failures in the event of an EMP \nevent. 
This is related to the existence of choke points or critical \nsubstations which present attractive asymmetrical targets.\n            Longer transmission lines\n    Increasing distances encourage use of very high voltage \ntransmission of power from generation source to point of use, and both \nthe high voltage and distance make the system more susceptible to the \nhigh-altitude EMP and geomagnetic storm threats.\n            Renewable power sources\n    As more long distance lines are added to deliver power from \nrenewable sources of wind and solar located in sparsely populated areas \nto distant high-population-density areas, the exposure of the grid to \nhigh-altitude EMP and geomagnetic storm damage will be significantly \nincreased. Intelligent planning now can mitigate this danger.\n            Smart Grid\n    The addition of ``Smart Grid'' electronic processing and \ncommunications between users and generation sources adds many \nadditional points of failure to the operation of the grid if it is \nattacked by an EMP event.\n            Electric utility operation\n    Electric utility data centers and control centers for grid \noperation, customer account management, and business management \nincluding regulatory data retention requirements are highly dependent \non the operation of electronic equipment, which is at serious risk of \ndata corruption and equipment damage from the fast EMP transients and \nfrom more localized EMP/IEMI attacks.\n            Critical substations\n    These substations transmit huge blocks of power from large \ngenerating plants which, if the controls are damaged, could disrupt \nlarge multi-State areas.\n\n    As reported by the EMP Commission, each of these vulnerabilities \ncan be greatly diminished by timely action, but the solutions need to \nbe initiated now.\n5. Why is the U.S. electric grid different from other nations?\n    The size and technology of the U.S. 
electric grid differentiates it \nfrom most other third-world nation grids. For example, differentiating \nfeatures include:\n  <bullet> Longer transmission lines due to lower population density \n        and large area;\n  <bullet> More critical substations;\n  <bullet> More prevalent conversion from coal to natural gas, in more \n        vulnerable automated and unmanned facilities;\n  <bullet> Many more high-voltage transformers susceptible to EMP \n        damage.\n    As described previously, each of these factors contributes to \nincreased EMP risk.\n    In contrast to most other developed countries that have one or two \nelectrical power entities, the United States has over 400 transmission-\nowning entities, greatly complicating coordinated remediation efforts. \nAlso, the R&D and electrical infrastructure capital improvement \nexpenditures have been in serious decline in recent years. These \nfactors complicate implementing a coordinated remediation of our \nNation's electrical power system against the three EMP threats. It will \nrequire additional Federal authority to mandate swift and coordinated \naction, along with appropriate Federal funding to initiate these \nappropriate steps.\n6. What is the cost of securing our electric and other critical \n        infrastructure from an electromagnetic event such as EMP, \n        severe geomagnetic storms, or non-nuclear EMP/IEMI?\n    On June 10, 2009, Emprimus gave a briefing on the subject at a \nmeeting sponsored by the National Defense University and the National \nDefense Industrial Association on Capitol Hill. 
The following estimates \nfor infrastructure protection were presented:\n\n REQUESTED CONGRESSIONAL ACTION AND FUNDING FOR CRITICAL INFRASTRUCTURE\n                               REMEDIATION\n------------------------------------------------------------------------\n                                                             Amount\n------------------------------------------------------------------------\nProtect High-Voltage Transformers and Critical            $1,000,000,000\n Substations.........................................\nPipelines, Water, and Waste Water....................      1,000,000,000\nUtilities' Data Centers and Control..................      2,000,000,000\nSmart Grid Remediation for Electromagnetic Threats...        500,000,000\n911 & State Emergency Ops (EOC) State Fed and County       2,000,000,000\n Data Centers........................................\nKey Financial Data Centers...........................      2,000,000,000\nInfrastructure Research..............................        500,000,000\nEMP Threat Detectors and Other External Threat               750,000,000\n Security............................................\n------------------------------------------------------------------------\n\n\n     MINIMAL CONGRESSIONAL ACTION AND FUNDING FOR THE MOST CRITICAL\n                    FACILITIES IN EACH INFRASTRUCTURE\n------------------------------------------------------------------------\n                                                             Amount\n------------------------------------------------------------------------\nMost Critical HV Transformers........................       $150,000,000\nPipelines, Water, and Wastewater.....................        100,000,000\nUtility Data Centers and Controls....................        150,000,000\nKey Smart Grid Remediation...........................        
100,000,000\n911 & State Emergency Ops (EOC) State Fed and County         200,000,000\n Data Centers........................................\nCritical Financial Data Centers......................        150,000,000\nKey Infrastructure Research..........................         75,000,000\nEMP Threat Detectors and Other External Threat                75,000,000\n Security............................................\n------------------------------------------------------------------------\n\n    The first column shows the levels required to reduce our \ninfrastructure risks to acceptable levels from the physical and cyber \nthreats imposed by the subject electromagnetic threats, and the second \ncolumn shows a minimal initial program to start actions on the most \ncritical infrastructure reinforcement needs. Although it partitions the \nproblem slightly differently, the Congressional EMP Commission Final \nReport of April, 2008, has similar numbers for the electric supply \nportion of the infrastructure hardening. The highest priority objective \nis to protect a subset of the most critical national infrastructure so \nthat minimal services can be restored after a severe event to allow \nrecovery to begin. The initial costs are obviously a function of the \nlevel of criticality definition, numbers of protected facilities, and \nlevels of protection.\n    The Final Report of the Congressional Commission on the Strategic \nPosture of the United States, May 2009, states that:\n\nFindings: ``The United States is highly vulnerable to attack with \nweapons designed to produce electromagnetic pulse effects.''\n\nRecommendations: ``EMP vulnerabilities should be reduced as the United \nStates modernizes its electric power grid.''\n\n    Mme. Chairwoman, it is our hope that this has been useful \ninformation for the subcommittee on the serious national issue of EMP. 
\nAgain, we strongly support legislation to amend the Federal Power Act \nto provide additional authorities to adequately protect the critical \nelectric infrastructure against cyber attack and the related non-\nnuclear EMP/IEMI attacks, as well as hardening the electric grid \nagainst high-altitude EMP and severe geomagnetic storms. We would look \nforward to answering any questions you may have, and we thank you, \nRanking Member Lungren, and the Members of the subcommittee for your \nsupport in addressing this electric power vulnerability and the broader \nissue of the vulnerability of our critical national infrastructure \nsectors to these electromagnetic Achilles heels.\n                                 ______\n                                 \n                    Statement of the EMP Commission\n                             July 21, 2009\n    My name is Mike Frankel and I served as the executive director of \nthe EMP Commission for the entire span of its activities, commencing \nwith its authorization in the Floyd Spence National Defense \nAuthorization Act of 2001 and culminating with the delivery of our \nfinal, classified, report to the Congressional oversight committees in \nFebruary of this year. Presently, I am chief science officer for L-3 \nCommunications/Applied Technologies Group. I am a physicist by training \nand avocation, and have spent many years developing technical expertise \nin nuclear weapon effects and managing WMD related programs for the \nDepartment of Defense in a career that spanned research work for the \nNavy, the Defense Nuclear Agency, the Defense Threat Reduction Agency, \nand the Office of the Secretary of Defense. The perspective of the EMP \nCommission is being more than adequately represented to this committee \ntoday by our very distinguished chairman, Dr. William Graham. 
I should \nlike to submit instead complementary background information that \naddresses in part a topic that was not emphasized in our final report, \nand that is the nexus between cyber threats and EMP.\n    This committee is to be commended for holding this hearing which \nspecifically includes the full spectrum of electronic threats to the \npower grid. While ``ordinary'' cyber and EMP are not usually thought of \nas coupled, this has been a mistake. The cyber threat is much in \neveryone's consciousness with an immediacy as current as yesterday's \nheadlines, in this case the alleged North Korean source of cyber \nattacks on networks in South Korea and the United States. This \ncommittee has previously rendered valuable service by highlighting the \ndangerous cyber vulnerabilities of the power grid exposed in the \n``Aurora'' test series conducted at the NNSA's Idaho National \nLaboratory. The EMP threat has been much less in the public \nconsciousness to date, although the range of potential damage from such \nan event may, as described in the public portion of the EMP \nCommission's report, exceed that realizable from most cyber attack \nscenarios. I should like to advance the somewhat new perspective that \nelectromagnetic pulse threats to our critical infrastructures, \nspecifically including the power grid, need to be thought of as but a--\nhitherto neglected--component of the cybersecurity threat. More broadly \nspeaking, there is a spectrum of electronics threats to the power grid, \nthat range from conventional notions of cyber to different forms of \nEMP--both nuclear and non-nuclear, and even natural disasters--an \nelectronic Katrina if you will.\n    The nature of a cyber threat is to reach out and touch something, \nelectronically, through its connected network. 
This may be thought to \noccur through delivery of intelligent messages which encode information \nand/or instructions that direct a system to some unwanted activity that \nmay prove very harmful to its owners' interests. A SCADA may be reached \nand instructed to open or close a valve controlling pressures in a \nnatural gas pipeline, with a disastrous pipeline explosion as a result. \nIndeed, this has already happened through SCADA malfunction, albeit not \ndeliberately intentioned. The Aurora test series exposed by this \ncommittee which destroyed an electrical generating system, at its base \ndemonstrated the disastrous effects of the mischievous at-a-distance \ncontrol of an electronic control system. EMP--both nuclear and non-\nnuclear--will also reach out and impress unwanted signals through the \nconnected network. But in the case of EMP, the signals do not contain \nspecific information or instructions. They are simply shot-gunned \nelectronic pulses, without encoded information, which nevertheless, at \nlow power levels, upon encountering vulnerable systems such as SCADAs, \nchange their bit settings in unpredictable ways guaranteeing they will \nnot operate as planned. Of course at higher power levels, as documented \nby the EMP Commission, they may cause actual physical damage to any \nencountered electronic system, up to the point of burning out and \nmelting critical circuit elements. Thus, at low levels of intensity, \nEMP may rightly be thought of as a ``stupid cyber'' threat.\n    These hearings are also particularly timely in light of the current \nintellectual energy being invested in the pursuit of energy \nindependence, in particular the development of ``Smart Grid'' \ntechnology as well as alternative energy sources such as wind and \nsolar. 
While Smart Grid is an evolving concept and its architecture \nstill a moving target, some outlines of its ultimate shape are emerging \nand it is clear that it will depend, to a much greater degree than \npresent, on the ability to fine tune the delivery of energy to where \nand when it will be needed. And this will necessitate the proliferation \nof more, and smarter, sensors and control systems than their already \nubiquitous presence, to exercise the real-time capabilities of the \nnewer and more agile grid architecture. With such a proliferation comes \nenhanced vulnerabilities, to both cyber and EMP threats. Similarly, \ncommercial introduction of new technologies, such as ultra-high-\nvoltage-->1,000 KV--transmission line systems as has been discussed in \nthe context of exploitation of wind power and its delivery from the \npoint of generation to where it's needed, entails critical new \nvulnerabilities as well. It is appropriate, that precisely now, at the \ncusp of such significant technological transformation, that proper \nattention be paid as well to new vulnerabilities which may be \nintroduced in the rush to innovate. The historical economic lesson from \nthe military systems development world is that designing protection \ninto a system from scratch is more effective and much cheaper than \nattempting retrofit solutions when problems are discovered later on.\n    Finally, I'd like to return to the theme of a spectrum of \nelectronic threats to the power grid which merit attention, of which \n``ordinary'' cyber is but one component. We've discussed another \ncomponent as well, electromagnetic pulses due to either nuclear or non-\nnuclear (RF) sources. But there are also electromagnetic pulses \nstemming from natural events which pose a grave danger and to which the \npresent power grid remains highly vulnerable--the ``electronic \nKatrina'' attending a very massive geomagnetic solar storm. 
Solar \nstorms--fluctuations induced in the earth's magnetic field due to \neruptions of charged solar matter from the surface of the sun \n(``coronal mass ejections'' in the astronomer's language) which are \nflung out in the direction of the earth, are rather common events. Most \nare of an intensity that present no danger to anything. Some however \nare significantly larger and, again on a fairly regular basis, may \ncouple electromagnetic pulse energy to long transmission lines. These \ninduced currents are thus a natural EMP and may overwhelm and \nphysically damage (melt) huge and hard to replace components of the \nelectrical grid. Just such a scenario played out in the huge solar \nstorm of 1989 which took down the Hydro Quebec company system, rendered \nits many millions of Canadian customers powerless, and irreparably \ndamaged one of their multi-million dollar extremely high-voltage \ntransformers (house-sized units no longer manufactured domestically and \nwhich may take up to a year to deliver following a purchase).\n    But those are ``ordinary'' events. The EMP Commission also examined \nthe results of a ``100-year storm'', a Katrina analog in the world of \n``space weather''. Such an extreme event is guaranteed to come, it is \nonly a question of when. Indeed such storms have already visited us \nduring the last 100 years but they occurred at a time previous to the \ndeployment of our modern electric power grid with its long transmission \nlines capable of absorbing the unwanted solar EMP energy. Since the \n``receiving antenna'' did not yet exist, except for the spectacularly \nunusual auroral displays--the aurora borealis was reportedly sighted \nnear the equator--no harm was done. Absent some preparations which have \nnot yet been taken, the next time will be very different with \nextraordinary permanent damage to hard to replace components and untold \nsuffering lasting for extended periods in its wake. 
So taking steps to \nprotect the system from cyber and EMP should proceed hand-in-hand with \nprotection against the full spectrum of such electronic threats. And \nsteps which are taken to protect against a singular threat should be \nconsidered from a perspective which seeks, as far as possible, \nsolutions that confer dual or multi-benefits against a spectrum of \nthreats. Understanding the need to approach EMP as one of a spectrum of \nelectronically related insults and as a component of the more \ngeneralized cybersecurity problem, and a serious consideration of the \nprospects for remedies that confer multiple protective benefits, is the \nproper path forward to protect our uniquely valuable power grid from \nall electronic threats. And the time for such planning is now.\n    Unfortunately, it is hard to detect signs of concern, or even \ninterest just yet on the part of those charged with reducing the \nvulnerability of the electric grid. Unlike the Department of Defense \nwhich considered the (classified) recommendations of the EMP Commission \nreport seriously and initiated certain (classified) remedial \nactivities, it is hard to detect any similar resonance to date on the part \nof our civilian agencies.\n    I wish to thank the committee for this opportunity to present my \nviews of this most important issue.\n                                 ______\n                                 \n              Statement of Applied Control Solutions, LLC\n    I appreciate the opportunity to provide the following statement for \nthe record. I have spent more than 35 years working in the commercial \npower industry designing, developing, implementing, and analyzing \nindustrial instrumentation and control systems. I hold two patents on \nindustrial control systems, and am a Fellow of the International \nSociety of Automation. 
I have performed cybersecurity vulnerability \nassessments of power plants, substations, electric utility control \ncenters, and water systems.\\1\\ I am a member of many groups working to \nimprove the reliability and availability of critical infrastructures \nand their control systems.\n---------------------------------------------------------------------------\n    \\1\\ Because much of my information is not in the public domain, I \nam not at liberty to identify specific utilities on the record.\n---------------------------------------------------------------------------\n    On October 17, 2007, I testified to this subcommittee on ``Control \nSystems Cyber Security--The Need for Appropriate Regulations to Assure \nthe Cyber Security of the Electric Grid''.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ http://homeland.house.gov/SiteDocuments/20071017164638-\n60716.pdf.\n---------------------------------------------------------------------------\n    On March 19, 2009, I testified to the Senate Committee on Commerce, \nScience, and Transportation on ``Control Systems Cyber Security--The \nCurrent Status of Cyber Security of Critical Infrastructures''.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ http://commerce.senate.gov/public/_files/WeissTestimony.pdf.\n---------------------------------------------------------------------------\n    I will provide an update on cybersecurity of the electric system \nincluding adequacy of the NERC CIPs and my views on Smart Grid \ncybersecurity. I will also provide my recommendations for DOE, DHS, and \nCongressional action to help secure the electric grid from cyber \nincidents.\n                               background\n    First of all, I believe it is any utility's obligation to maintain \na high level of electric service reliability. 
For the most part, the \nutility industry takes this responsibility very seriously and focuses \nvery strongly on electric system reliability. The grid has been \ndesigned to be resilient and accommodate failures (the N-1 criteria). \nThe equipment in place (older legacy and new equipment) has \ndemonstrated a high level of reliability. However, as the older \nequipment is replaced with new equipment such as for Smart Grid \napplications an interesting paradox occurs--as reliability increases \nfrom the installation of new equipment, the cyber vulnerability also \nincreases.\n    First, I believe a major point of discontinuity has been the \nunsuccessful equating of the terms Critical Infrastructure Protection \n(CIP) and cybersecurity.\n    CIP (or ``functional security'') is focused on the function of the \nelectric grid being maintained regardless of the status of the \ncomputers. Cybersecurity, on the other hand, focuses on protecting the \ncomputers independent of whether electric reliability is being \nmaintained. For the sake of semantics, I will use the term \n``cybersecurity'' but my intention is that the operation of the \ncomputers is focused on ``keeping the lights on,'' or what is becoming \nincreasingly referred to as ``functional security.''\n    Secondly, cyber events can be either intentional attacks or \nunintentional incidents.\n    NIST defines a cyber incident as ``An occurrence that actually or \npotentially jeopardizes the Confidentiality, Integrity, or Availability \n(CIA) of an information system or the information the system processes, \nstores, or transmits or that constitutes a violation or imminent threat \nof violation of security policies, security procedures, or acceptable \nuse policies. 
Incidents may be intentional or unintentional.''\\4\\\n---------------------------------------------------------------------------\n    \\4\\ FIPS PUB 200, Minimum Security Requirements for Federal \nInformation and Information Systems, March 2006.\n---------------------------------------------------------------------------\n    Cyber incidents are also more than just malware or botnet attacks. \nCyber incidents include all forms of impacts on electronic \ncommunications.\n    Man-made Electromagnetic Interference (EMI) has already impacted \nNorth American and European electric and water Supervisory Control and \nData Acquisition (SCADA) systems and ruptured a natural gas pipeline.\n    In industry control systems, the most probable cyber incident is \nunintentional. Moreover, in a stellar application of the ``law of \nunintended consequences,'' I believe that ``blindly'' following the \nNERC CIPs \\5\\ will result in more unintentional cyber incidents.\n---------------------------------------------------------------------------\n    \\5\\ http://www.nerc.com/page.php?cid=2|20.\n---------------------------------------------------------------------------\n    Unintentional cyber incidents have already killed people, caused \nsignificant outages, and large economic impacts. Additionally, if the \nincident can be caused unintentionally, the same type of incident, if \nintentional, could have even more damaging effect.\n                             recent history\n    What has been happening since I testified to this subcommittee in \nOctober 2007? 
It is not a pretty picture and the power industry clearly \nneeds Congress's help.\n    Knowledge Base.--Figure 1 characterizes the relationship of the \ndifferent types of special technical skills needed for control system \ncybersecurity expertise, and the relative quantities of each at work in \nthe industry today.\n    Most people now becoming involved with control system cybersecurity \ntypically come from a mainstream business Information Technology (IT) \nsecurity background and not a control system background. This trend is \ncertainly being accelerated by the Smart Grid initiatives, where the \napparent lines between IT and control systems are blurring. Many of the \nentities responsible for control system cybersecurity, industry, \nequipment suppliers, and Government personnel (e.g., DHS NCSD and S&T, \nDOE, EPA, etc.) do not entirely appreciate the difficulties created by \nthis trend.\n    This lack of appreciation has resulted in the repackaging of IT \nbusiness security techniques for control systems rather than addressing \nthe needs of field control system devices that often have no security \nor lack the capability to implement modern security mitigation \ntechnologies. This, in some cases, has resulted in making control \nsystems less reliable without providing increased security. An example \nof the uninformed use of mainstream IT technologies is utilizing port \nscanners on Programmable Logic Controller (PLC) networks. This has the \nunintended consequence of shutting them down. This specific type of \ncyber incident has occurred more than once in both the nuclear power \nand conventional power portions of the industry, with negative \nconsequences.\n    As can be seen in Figure 1, IT encompasses a large realm, but does \nnot include control system processes. Arguably, there are less than \nseveral hundred people world-wide that fit into the tiny dot called \ncontrol system cybersecurity. 
Of that very small number, an even \nsmaller fraction exists within the electric power community. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Control System Cyber Incidents.--Since I testified to this \nsubcommittee in October 2007, I have documented more than 30 control \nsystem cyber incidents, more than 20 of which were in the North \nAmerican electric power industry! These incidents affected nuclear and \nfossil plants, substations, and control centers. Impacts ranged from \nloss of displays, controller slowdowns and shutdowns, plant shutdowns, \nand a major regional power outage. Geographically, these incidents \noccurred in more than ten States and a Canadian province. None of the \nincidents were actually identified as ``cyber''.\n    Meeting the NERC CIPs would not have prevented many of these \nincidents. In fact, some could have actually been caused or exacerbated \nby following the NERC CIPs.\n    Equipment Suppliers.--It is important to understand that suppliers \nprovide equipment with the features their customers request. Given \nthat fact, the report card on our control system suppliers is a mixed \nbag. Responding to industry requests, the major Distributed Control \nSystem (DCS) and SCADA suppliers have been addressing security at the \nmaster station level. However, suppliers of field control and equipment \nmonitoring systems have not had those industry requests and thus are \ncontinuing to include dial-up or wireless modems, Bluetooth and Zigbee \nconnections, and/or direct Internet connections as part of their \nproduct offerings. This also applies to equipment used in the Smart \nGrid and nuclear plants.\n    Business IT-focused suppliers continue to supply equipment and \ntesting tools designed for IT applications not for legacy control \nsystems applications. 
This has resulted in control system equipment \nimpacts including shutdown or even hardware failures.\n    Consultants and System Integrators.--Most of the consultants and \nsystem integrators that are focusing on ``cybersecurity'' are really \nfocusing on compliance for NERC CIPs. Most are focusing on the SCADA or \nDCS master stations as they are IT-like systems that non-control system \npersonnel can understand. That leaves the legacy field equipment that \nhas essentially no security hardly even addressed as part of the NERC \nCIP process. The consultants and system integrators that are focused on \nequipment upgrades or new equipment installation generally do not \naddress security.\n    Utilities.--The original intention of the NERC CIPs (even before \nthey were called the CIPs) was to make the bulk electric grid secure. \nUnfortunately, the ``letter of the law'' of the NERC CIPs is not \nsecurity, but compliance. It is a critically important distinction to \nmake, and to understand. I know of only one utility that is trying to \nassure their systems are secure independent of compliance \nconsiderations. Almost all utilities are playing the game of compliance \nrather than securing their systems. This has resulted in industry's \nlukewarm attempt to meet NERC Advisories such as Aurora.\\6\\ This lack \nof will has directly led to the significant number of actual electric \nindustry cyber incidents many of which were not even addressed by the \nNERC CIPs!\n---------------------------------------------------------------------------\n    \\6\\ http://homeland.house.gov/SiteDocuments/20080521142118-\n53954.pdf.\n---------------------------------------------------------------------------\n    NERC.--The North American Electric Reliability Corporation (NERC) \nwas established in 1968 to ensure the reliability of the bulk power \nsystem in North America. NERC is a self-regulatory organization, \nsubject to oversight by FERC and governmental authorities in Canada. 
As \nof June 18, 2007, FERC granted NERC the legal authority to enforce \nreliability standards with all U.S. users, owners, and operators of the \nbulk power system, and made compliance with those standards mandatory \nand enforceable making NERC the Electric Reliability Organization \n(ERO). NERC's status as a self-regulatory organization means that it is \na non-Government organization which has statutory responsibility to \nregulate bulk power system users, owners, and operators through the \nadoption and enforcement of standards for fair, ethical, and efficient \npractices.\\7\\ Prior to becoming the ERO, NERC was an American National \nStandards Institute (ANSI)-accredited organization meaning it was a \nconsensus standards organization and was subject to the direction of \nits member utility organizations. The ANSI accreditation requires \nstandards need to go through a formal ballot process. This is a time-\nconsuming effort and tends to favor setting a ``very low bar.'' This \nconsensus process has resulted in cybersecurity standards that are very \nweak and ambiguous assets and even exclude some of the most important \nrecommendations from the Final Report of the Northeast Outage.\\8\\ In \nthe past, NERC has been a clear obstructionist to adequately securing \nthe electric grid. NERC has used the ANSI process to reject more \ncomprehensive requirements. 
That obstructionism included public \nresponses denigrating Project Aurora.\\9\\ The consensus approach is \nadequate for subjects like tree-trimming but is not appropriate for \ncritical infrastructure protection.\n---------------------------------------------------------------------------\n    \\7\\ http://www.nerc.com/page.php?cid=1.\n    \\8\\ https://reports.energy.gov/BlackoutFinal-Web.pdf.\n    \\9\\ http://www.cnn.com/2007/US/09/27/power.at.risk/index.html.\n---------------------------------------------------------------------------\n    I was part of the NIST/MITRE team that performed a line-by-line \ncomparison of the NERC CIPs to NIST Special Publication (SP) 800-53 \n\\10\\ which is mandatory for all Federal agencies including Federal \npower agencies.\\11\\ The report demonstrates that NIST SP800-53 is more \ncomprehensive than the NERC CIPs. However, NERC and many utilities are \nfighting the implementation of NIST SP800-53. Are the utilities trying \nto say that the computers at the Department of Housing and Urban \nDevelopment need a more comprehensive set of cybersecurity rules than \nevery non-Federal power plant, substation, and control center in the \nUnited States? Unless an asset is classified as ``critical'' in CIP-\n002, no further cybersecurity evaluation is necessary. A large segment \nof the utility industry is using the amorphous requirements in CIP-002 \nto exclude most of their control system assets from even being \nassessed. Michael Assante, Vice President and Chief Security Officer of \nNERC wrote a public open letter on April 7 \\12\\ in which he makes it \nvery clear that the industry is not doing an adequate job of even \nmeeting the weakened intent of the NERC CIPs. Specifically, Assante's \nletter states that only 29 percent of Generation Owners and Operators \nidentified at least one Critical Asset and fewer than 63 percent of the \ntransmission owners identified at least one Critical Asset. 
This means \nthat 71% of generation owners did not identify a single critical asset \nand 37% of transmission owners did not identify a single critical \nasset. I am personally aware of utilities that have identified ZERO \nCritical Assets even though they have automated their plants and \nsubstations and have control centers.\n---------------------------------------------------------------------------\n    \\10\\ http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-\nRev.%203.\n    \\11\\ Marshall Abrams, MITRE Technical Report, MTR70050, Addressing \nIndustrial Control Systems in NIST Special Publication 800-53, March \n2007.\n    \\12\\ Letter from Mike Assante to NERC Industry Stakeholders, \n``Critical Cyber Asset Identification'', April 7, 2009.\n---------------------------------------------------------------------------\n    Despite Assante's attempts to change NERC's approach on \ncybersecurity, NERC has continued its focus as a utility-directed \norganization. NERC's Board of Trustees approved revisions to the NERC \nCIPs on May 6, 2009 after passage by the electric industry with an 88 \npercent approval rating. However, the revisions did not address any of \nthe technical limitations such as exclusions of telecom, distribution, \nnon-routable protocols or strengthening CIP-002 to address Assante's \nApril 7 letter. 
A second example would be the June 30, 2009 Alert on \nthe Conficker Worm.\\13\\ The Alert states the ES-ISAC estimates the risk \nto bulk power system reliability from Conficker is LOW due to the \nlimited exploitation of this vulnerability and generally widespread \nawareness of the issue even though NERC acknowledges the potential \nconsequence is high and the awareness among control system users is \nvery low.\n---------------------------------------------------------------------------\n    \\13\\ http://www.nerc.com/page.php?cid=5%7C63.\n---------------------------------------------------------------------------\n    Smart Grid.--The intent of the Smart Grid is to embed intelligence \ninto the electric grid to allow two-way communications between devices \nand control centers for monitoring and control. The Smart Grid's use of \nthe Internet and Internet Protocols (IP) is blurring the line between \nbusiness IT and control systems resulting in more people without \nknowledge of the electric system being involved in securing these \nsystems.\n    This is a recipe for disaster--there has already been at least one \ncase of a denial of service attack (DDOS) to a distribution automation \nsystem.\n    From a Regulatory standpoint, the situation is convoluted because \nthe NERC CIPs explicitly exclude electric distribution which is the \nheart of the Smart Grid and yet the NIST Smart Grid security efforts \npoint to the NERC CIPs.\n    Unless Congress passes legislation to allow FERC to include \ndistribution or the individual public utility commissions mandate that \nthe NERC CIPs must be followed for their distribution systems, there \nare no regulations for securing the Smart Grid.\n    Education.--To the best of my knowledge, there are no technical, \ninterdisciplinary university curricula for control systems \ncybersecurity. 
There are universities starting to address this subject \nin an ad hoc manner such as the University of Illinois and Mississippi \nState University. Congress might well seek ways to encourage and fund \nmore such curricula as a significant way to improve cybersecurity in \nall control systems.\n    Certifications.--There are no personnel certifications for control \nsystem cybersecurity.\n    IT certifications such as the Certified Information Systems \nSecurity Professional (CISSP) and the Certified Information Security \nManager (CISM) do not address control systems. Professional engineering \nexaminations do not include security.\n    There needs to be a certification demonstrating knowledge of \ncontrol systems as well as security by organizations competent to \noversee this requirement. One organization could be the CSFE \\14\\ which \ncertifies Functional Safety experts. There are on-going efforts by \nindividual companies and organizations such as ISA to certify \nindustrial control systems for cybersecurity.\n---------------------------------------------------------------------------\n    \\14\\ www.csfe.org.\n---------------------------------------------------------------------------\n    Government R&D.--R&D has been focused on effectively ``repackaging \nIT''. Very little work has been devoted to legacy and even new field \nequipment, even though these devices have limited or no security, and \ncan cause the biggest impacts.\n    There has also been no attempt to analyze actual cyber incidents to \nlearn what policies and technologies should be developed to protect \nthem.\n    NIST.--NIST has effectively two disjointed programs on \ncybersecurity that impact the electric grid. The NIST Information \nTechnology (IT) Laboratory has been responsible for updating NIST \nSP800-53 and the daughter standard NIST SP800-82.\\15\\ There has been a \nsignificant amount of effort addressing industrial control systems and \napplicability to the electric industry. 
NIST is also acting as the \nstandards coordinator for the Smart Grid.\n---------------------------------------------------------------------------\n    \\15\\ http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-\n82-fpd.pdf.\n---------------------------------------------------------------------------\n    As a member of the Smart Grid Cyber Security Working Group and the \nIndustry-to-Grid Working Group, I see a dichotomy that troubles me. \nInstead of mandating NIST SP800-53 for the Smart Grid, it appears as if \nNIST doesn't want to be seen as pushing their own standards. Not only \nis NIST SP800-53 the best cybersecurity standard currently available, \nit is mandatory for all Federal power agencies. Why shouldn't NIST \nSP800-53 be mandated for all power utilities, not just Federal ones?\n                            recommendations\n    Traditional reliability threats such as tree trimming to prevent \npower line damage could be handled by private industry. However cyber \nis a new threat that requires a joint effort by the Government and \nprivate industry. I believe there are a number of roles for the Federal \nGovernment to play in defending against cyber incidents and/or physical \nattacks against electric facilities.\n    Articles such as the recent Wall Street Journal article on Chinese \nand Russian hackers imply that the electric industry is unaware of \ncomputer intrusions.\\16\\ This is probably true on several accounts. As \nmentioned, the electric industry is not doing an adequate job of even \nlooking. Additionally, there is a lack of adequate cyber forensics for \ncontrol systems. This leads to the fact that it is difficult to have an \nearly detection and warning capability for cyber threats for the \nelectric industry today. However, that same difficulty is also an \nopportunity for the Government and private industry to develop \nappropriate forensics. 
A non-technical challenge is the industry's \ncontinuing reticence to provide control system cyber incident data to \nthe Government and for law enforcement to share relevant information on \nactual attacks to the industry so they can protect themselves.\n---------------------------------------------------------------------------\n    \\16\\ http://online.wsj.com/article/SB123914805204099085.html.\n---------------------------------------------------------------------------\n            What can DHS and DOE do?\n    I cannot speak for the division in responsibilities between DHS and \nDOE, but I can point out what needs to be done:\n  <bullet> Provide intelligence on threats to those needing to know--\n        that does not mean only security-cleared individuals, but all \n        individuals working in the area;\n  <bullet> Make use of available technical talent--there is very \n        little, and the safety and security of our country depend on \n        these efforts;\n  <bullet> Analyze actual control system cyber incidents to develop \n        appropriate cyber technologies and policies--there are few \n        places to get the information as most of it has not been \n        provided to the Government--and what has is often classified \n        and unavailable;\n  <bullet> Establish benchmarks for how much security is enough, what \n        is an acceptable vulnerability assessment, what is an \n        acceptable risk assessment, audit metrics, trade-offs between \n        security and functionality, etc.;\n  <bullet> Support first-of-kind technology development, particularly \n        for legacy field devices;\n  <bullet> Support development of college technical as well as policy \n        curricula;\n  <bullet> Support the establishment of a CERT (Computer Emergency \n        Response Team) for control systems that is not under the \n        purview of the Government, because industry is still \n        uncomfortable about providing what they consider to 
be \n        confidential data to Government agencies like the FBI.\n            What can Congress do?\n    Currently FERC is constrained by the Energy Policy Act of 2005.\\17\\ \nIt cannot write standards and its scope is restricted to the bulk \nelectric system. There are several steps that Congress can take to help \nmaintain the reliability of the electric system from cyber threats:\n---------------------------------------------------------------------------\n    \\17\\ http://en.wikipedia.org/wiki/Energy_Policy_Act_of_2005.\n---------------------------------------------------------------------------\n    1. Provide cybersecurity legislation that gives FERC the scope to \n        write standards including mandating NIST SP800-53 for the bulk \n        electric grid and the Smart Grid.\n    2. For cybersecurity, increase FERC's scope to include electric \n        distribution. There are technical as well as administrative \n        reasons. Low voltage transmission and high voltage distribution \n        systems electronically communicate with each other; utilities \n        electronically communicate with each other; and the utilities \n        use common systems. We cannot afford to have a ``Tower of \n        Babel'' set of rules for each State and for the same equipment.\n    3. NERC is in a conflict-of-interest position because its \n        fundamental purpose has changed. If NERC can not do the job of \n        assuring cybersecurity of the electric grid, find an \n        organization with the will power and authority to do so.\n    4. HR 2195 \\18\\ would go a long way toward providing effective \n        legislation. I would add the following: Mandate the NIST FISMA \n        guidance documents, such as SP800-53 and require the \n        establishment of a program to develop expertise in electric \n        grid cybersecurity. 
The expertise gained from this program \n        should be shared with every electric grid owner and operator.\n---------------------------------------------------------------------------\n    \\18\\ http://www.opencongress.org/bill/111-h2195/text.\n---------------------------------------------------------------------------\n                                summary\n    It has been almost 10 years since I helped start the control system \ncybersecurity program at the Electric Power Research Institute (EPRI). \nTen years should have been sufficient time for the industry to make \nsignificant progress. Unfortunately, it has not happened. Actual \ncontrol system cyber incidents continue to occur--in fact, they appear \nto be getting more numerous. An unsecured electric grid is dangerous to \nthe safety and economic well-being of this country. Congress needs to \nstep in and provide regulation to give FERC the additional powers \nnecessary and mandate NIST SP800-53.\n                                 ______\n                                 \n               Statement of Advanced Fusion Systems, LLC\n                             July 19, 2009\n    My name is Curtis Birnbach and I am the president of Advanced \nFusion Systems. While the main thrust of my company is fusion energy \nresearch, one of our subsidiaries has developed technology to protect \nthe electric power grid from EMP attack. I wish to address the threat \nto our Nation posed by both electromagnetic pulse (EMP) and solar \nstorms. At the risk of sounding glib, I bring you good news and bad \nnews.\n    The bad news is that this threat is all too real. I have been \nworking on EMP-related technologies for many years. I have built \nelectrically-driven EMP generators and have extensively studied the \nphenomenology of intense ultra-short pulses. I would like to summarize \nthis work to help bring focus to the critical aspects of this problem. 
\nEMP from a nuclear detonation or solar storms poses a unique threat in \nthat it can instantly destroy our civilization. I do not make this \nstatement lightly. Our society is totally dependent on the continuous \nsupply of electricity. Should our electricity be suddenly withheld, our \nsociety would immediately collapse.\n    While I am sure that you have already been briefed on the general \naspects of this problem, I wish to focus on the two most critical \ncomponents we use to deliver: Transformers and generators. If they \ndon't function, we can't deliver electricity and life as we know it \nstops. The generators and transformers have two very important things \nin common: They are very expensive and they take years to replace. The \nworst-case victims of either an EMP attack or a solar storm are our \ngenerators and large substation transformers.\n    This brings me to the first of two points in my testimony: The \nUnited States does not have a domestic transformer manufacturing \ncapability for large substation-class transformers. These devices are \nmade exclusively on the Pacific Rim and in Europe. Large transformers \ntypically take 3 to 5 years to obtain and put into operation. The \nproduction capacity of existing overseas manufacturers is quite \nlimited. Should the sudden need for rapid delivery of a couple of \nhundred transformers occur, these manufacturers would be unable to \nsupply our requirement. Further, as they are not U.S. corporations, \nthey have no incentive to delay other existing customers to supply our \nneeds in the event of an emergency. Also, a solar-sourced EMP event may \nwell affect electric power equipment in many other countries \nexacerbating the supply situation.\n    The situation with generators has common elements. While we do have \nsome manufacturing capacity for large generators in the United States, \nit is limited and should a large number be suddenly needed, it would \ntake years to meet that need. 
If equipment manufacturers are also \nunable to function because of a lack of electricity we end up with a \nchicken-and-egg situation; we can't have one without the other.\n    There is no way that this country can exist for a couple of months, \nno less many years without electricity. To compound this situation, our \nutilities may not be insured against this type of loss. Even if they \nwere insured, the insurance companies would suffer potentially \ncrippling losses if utilities were destroyed over a wide area. Our \nfinancial system, our medical system, our communication systems, our \npublic safety systems--none could function without electricity. Most \ncompanies including utilities would simply cease to exist. There is a \nreal likelihood of civil unrest.\n    Stockpiling transformers will not work. According to Platts Energy \nReporting, there are over a quarter of a million large transformers, \nand close to 20,000 generators. The transformers are not standardized \nso the number that would have to be stockpiled is prohibitively large. \nFor every large transformer there are about a thousand smaller \ntransformers, of which only a small fraction are produced domestically. \nDARPA tried to run a program to build ``universal transformers'' that \ncould be stockpiled. This effort proved impractical as there is too \nmuch variation among transformers.\n    I did promise some good news. My company has developed a grid-level \nprotection system. This system can protect our country from these \nthreats. We have developed an EMP Protective System (EPS). Each EPS \nunit will protect a single phase which is one of three wires (phases) \nthat are typically used in high-power electrical devices. Generators \nhave three wires while transformers have 6 wires. Once an EPS is \ninstalled, it will detect the pulse of an EMP, safely conduct it to \nground, and immediately be ready for the next pulse. 
These switches \nwere originally designed to operate under conditions similar to those \nencountered in an EMP attack or solar storm. They are totally \nautonomous and react in a small fraction of a billionth of a second. \nThey contain a built-in detection system which is the only way you can \nget a protective device to work quickly enough to be of use.\n    We have looked at some representative sites for installation of \nthese protective devices. As an example, I would like to discuss \nprotection of the Niagara Hydroelectric Plant. This is one of the most \nimportant power stations in this country. While I will not go into \nspecific details for security reasons, based on what limited \ninformation is available to me, I have estimated that the entire \ncomplex could be protected for somewhere between $75 million and $100 \nmillion. The cost of this protection would also be expected to be \nincluded in the rate base for the utility so that ultimately the small \ncost of the protection is borne by consumers who will be receiving a \nmore secure supply of electricity. Compared to the $10 billion that \nthis station might be expected to cost to replace, this one-time cost \nof 1% is a small cost to protect the plant. This one-time cost of the \nequipment to protect the plant is all or partially offset by the \nreduced insurance premiums for a plant that has this protection in \nplace. Obviously, a detailed engineering study would be necessary to \nrefine this number, but it provides an order of magnitude of the cost \nof this protection.\n    I have also done estimates on transmission substations. Large \ntransformers cost around $1.5 million to protect. All incoming and \noutgoing lines in a substation must be protected, but in most cases, \nthis protection is also the same devices that are protecting the \ntransformers. A typical large substation has at least ten lines of 115 \nKV or more, and dozens of transformers. 
When balanced against the cost \nof a large substation, which can cost a half billion dollars, the cost \nof protection is typically 10% of the total cost. In either case, the \ncost is a fraction of the replacement cost of substations or \ngenerators, or the lost revenues that the utilities would suffer over a \nperiod of several years as a result of the attack. The loss of revenue \nfar exceeds the replacement cost of the equipment. The economic and \nsocietal costs of being without electricity are of course far greater \nthan the losses of the utility.\n    While these numbers may seem large, remember that this is not a \nsingle-year expenditure. It will take several years to fully implement \nthis type of protection. Implementation of EPS protection is cheap \ninsurance in the face of such losses. These estimates do not include \nthe deaths, injuries, civil unrest and such that would be likely \nconsequences of these events, particularly once it became clear that \nthe disruption would last for extended periods of time.\n    My company is committed to help resolve this problem. By making \nthese protective devices available, we are offering a viable option to \nthe unthinkable scenarios I have described. We are funded through the \nprivate sector. We are only looking to have the Government support the \npurchase of these devices. There has been significant interest in this \ntechnology overseas.\n    In order to make grid protection available and affordable in a \nreasonable period of time, State and Federal legislation encouraging \nthe purchase of EPS technology for critical elements of the electric \ngrid is needed. Three legislative measures should be considered:\n    1. Tax credits for private utilities purchasing EPS equipment for \n        the purpose of grid protection;\n    2. Grants to utilities for installation of critical EPS equipment \n        at vital locations;\n    3. 
Providing Government-backed bonding authority to raise money to \n        provide EPS funding to rural electric systems and others who \n        need it;\n    4. FERC agreement to include these devices in the rate base.\n                                 ______\n                                 \n           Statement of the Canadian Electricity Association\n                             July 21, 2009\n    The Canadian Electricity Association (``CEA''), the national forum \nand voice of the evolving electricity business in Canada, is pleased to \nprovide the following statement regarding the appropriate actions that \nthe U.S. Congress should take to protect the electric grid from \ncybersecurity threats and vulnerabilities. CEA's members account for \nthe majority of Canada's installed generating capacity and high voltage \ntransmission. In this statement, CEA explains the importance of taking \ncybersecurity actions in the United States that are mindful of the \ninterconnected nature of the North American transmission grid and the \nimportance of avoiding actions that could undermine the reliability of \nthe transmission grid and impact cross-border trade. CEA further \nprovides suggestions for this subcommittee to consider before \ndeveloping legislation to address physical and cybersecurity in the \nelectricity sector. Specifically, CEA suggests that: (1) The North \nAmerican Electric Reliability Corporation remain the primary body for \naddressing cybersecurity matters on the North American transmission \ngrid; (2) any authority given to U.S. Governmental authorities to \naddress emergency situations be of a limited duration and be \ncoordinated with Canadian governmental authorities; (3) consultation \nand information sharing between the U.S. and Canadian governmental \nauthorities should be provided for in any legislation; and, (4) U.S. 
\nlegislation should be respectful of Canadian sovereignty and \njurisdiction.\n                               background\n    The electric transmission systems of U.S. and Canadian utilities \nare interconnected with one another at numerous points, forming a \nhighly integrated North American transmission grid, as can be seen in \nthe following map:\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Of the 211,152 circuit miles of transmission lines greater than 200 \nkilovolts in North America, 46,499 circuit miles, or 22 percent, are \nlocated in Canada. This integration allows for cross-border trading, \nwhich facilitates a higher level of reliability for consumers, \nefficiencies in fuel and resource management, and efficiencies in \nsystem operation. These benefits, and the activities of companies \ninvesting and participating in markets on both sides of the border, \nserve citizens of the United States and Canada extremely well.\n    To provide perspective on the importance of the U.S./Canadian \ntrading relationship, the chart below shows both exports from Canada to \nthe United States and imports into Canada from the United States \nbetween 1999 and 2008:\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Canada is a net exporter of electricity to the United States. The \nquantity of electricity exported from Canada to the United States has \ntypically been 6 to 10 percent of Canadian production. At the same \ntime, as the chart above demonstrates, electricity imports to Canada \nfrom the United States have also increased over time. The North \nAmerican market is borderless, and supply meets demand north to south \nor south to north as the market requires, to the advantage of consumers \nacross the continent. Such electricity trade enhances the reliability \nof each country's electricity supply and mitigates risk by providing \npower during times of emergency outages or periods of high electricity \ndemand. 
Canadian utilities are part of and therefore critical to the \nenergy security of the United States, and the reliability of the North \nAmerican transmission grid.\nany actions taken in the united states to address cybersecurity on the \n   bulk-power system must be coordinated with canadian governmental \n                              authorities\n    CEA recognizes the serious risks that cybersecurity threats and \nvulnerabilities present to the international grid. Nevertheless, CEA \nbelieves that any actions to address cybersecurity threats and \nvulnerabilities must be accomplished in a manner that recognizes the \nmutual inter-dependency of the interconnected Canada-U.S. transmission \nsystems, and must not unintentionally imperil or downgrade reliability \nand erect barriers to cross-border trade.\n    The President of the United States recently directed a 60-day, \ncomprehensive review to assess U.S. policies and structures for \ncybersecurity, and the result was the release of ``Cyberspace Policy \nReview'' on May 29, 2009. In the report, the White House concluded that \n``the United States needs a comprehensive framework to ensure \ncoordinated response and recovery by the government, the private \nsector, and our allies to a significant incident or threat.'' \nUnderstanding that the United States cannot act in a unilateral \nfashion, the report concluded:\n\n``The United States cannot succeed by acting in isolation, because \ncyberspace crosses geographic and jurisdictional boundaries. 
The United \nStates must work actively with countries around the world to make the \ndigital infrastructure a trusted, safe, and secure place that enables \nprosperity for all nations.''\n\n    CEA supports the concept of cross-border cooperation between Canada \nand the United States to prevent cybersecurity attacks.\n nerc is the appropriate standard-setting body for the north american \n                           transmission grid\n    CEA believes that the best venue to address cybersecurity matters \non the North American transmission grid is the North American Electric \nReliability Corporation (``NERC''). Through the reliability standard-\nsetting model included in section 215 of the Federal Power Act, the \nNERC reliability standard-setting process allows for a balance of \ninterests ensuring access to expertise from industry across the \ncontinent for the development of standards with continental application \nthat can be approved by authorities on both sides of the border--be it \nFERC in the United States, or any of the jurisdictional authorities in \nthe Canadian provinces. This model recognizes jurisdictional \nsovereignty through the existence of the remand provision in the U.S. \nlegislation, which is also incorporated into the processes for \nstandards approval in a number of Canadian provinces and which is \nincorporated into the existing NERC standard-setting procedures. This \ncomponent assures that no governmental authority has the ability to \nunilaterally modify standards which would apply to the whole system, \nand that any variances are accommodated through the collective process. 
\nAt the same time, it gives public authorities the confidence that the \nsystem has a Government backstop, providing Governmental authorities on \nboth sides of the border with the confidence that standards developed \nthrough that process reflect their concerns.\n    NERC also has the ability to effectively incorporate the \nexperiences and knowledge of the private sector in both the United \nStates and Canada, which is especially important in this very technical \nindustry. Any legislative directive must avoid placing the regulator in \nan operational role in terms of issuing detailed emergency procedures \nto address a present or imminent threat or vulnerability to electric \nsystem reliability. Such an approach would be consistent with the \nconclusions reached in ``Cyberspace Policy Review'' about the \nimportance of a public-private partnership to address network security \nissues. As the President explained when the report was issued, ``My \nadministration will not dictate security standards for private \ncompanies. On the contrary, we will collaborate with industry to find \ntechnology solutions that ensure our security and promote prosperity.''\n    Recognizing the need to better respond to cybersecurity challenges, \nNERC has recently established processes to allow for the expedited \ndevelopment of cybersecurity standards. NERC is developing approaches \nthat allow cybersecurity standards to be developed in a less public \nmanner and in a way that allows for quick action to respond to ever-\nchanging threats. Importantly, this process follows the NERC standard-\nsetting model, thereby allowing for the development of cybersecurity \nstandards that are respectful of Canadian jurisdictional sovereignty \nand allowing for the development of standards that can be approved by \nCanadian governmental authorities. 
In addition, CEA is encouraged that \nNERC has elevated the profile of its Critical Infrastructure Protection \nProgram, to increase its cybersecurity expertise and to better \ncoordinate with Governmental authorities. We believe such steps allow \nNERC to better respond to cybersecurity issues.\n                  considerations for u.s. legislation\n    CEA believes much of what needs to be done to address cybersecurity \nissues on the North American transmission grid can be accomplished \nthrough the NERC standards development process. Nevertheless, CEA \nrecognizes that U.S. legislation may be necessary to address certain \ngaps in NERC authority. CEA has attached to this statement as an \nappendix a paper prepared by the major electric utility trade \nassociations in Canada and the United States on the appropriate \napproach to take on cybersecurity. CEA also provides the following \ncomments should this subcommittee pursue a legislative strategy.\nAuthority to Take Action on an Emergency Basis\n    CEA recognizes situations can arise requiring emergency actions to \nbe taken immediately to protect the reliability of the bulk power \nsystem. To the extent that NERC does not have the information or \nauthority to respond to such an emergency situation, CEA agrees that \nGovernmental bodies should be able to respond expeditiously to ensure \nindustry acts to protect the grid. In terms of U.S. Governmental \nauthority to respond to imminent cybersecurity threats, CEA understands \nthe need for authority to address emergency situations, although we \nbelieve that such authority must be limited only to specific, credible, \nand imminent cybersecurity emergencies, be of a limited duration, and \nbe coordinated with Canadian governmental authorities.\nConsultation and Sharing of Information\n    In any cybersecurity legislation, CEA strongly supports the \ninclusion of a requirement that the appropriate U.S. 
Governmental \nagency consult with appropriate Canadian authorities before taking \nmeasures to address cybersecurity threats. Unlike the U.S. system, \ntransmission is regulated in Canada primarily by provincial \ngovernmental authorities. Moreover, reliability standards are \nauthorized and enforced by provincial governmental authorities. \nConsulting with the appropriate governmental authorities in the \nrelevant provinces will help to ensure that actions taken are \nrespectful of Canadian jurisdictional sovereignty and avoid unintended \nimpacts on reliability and cross-border trade. The absence of \nconsultation between and among governmental authorities could further \nresult in the elimination of, or reduction in, the sharing of critical \ncybersecurity information--not a good result at a time when the sharing \nof information is becoming more and more important.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ CEA also believes strongly that orders or measures to address \nknown or imminent cybersecurity threats must be accompanied by \nsufficient information sharing regarding the threat such that those \nimplementing the order or measure can do so effectively.\n---------------------------------------------------------------------------\n    Consultation and information sharing is absent, for example, in \nH.R. 2195, a bill introduced by Homeland Security Chairman Bennie \nThompson. The absence of a process for coordination between Canadian \nand U.S. Governmental officials prior to any actions taken by FERC to \naddress a cyber vulnerability or threat could undermine both \nreliability and security on the North American transmission grid. As \nnoted in ``Cyberspace Policy Review,'' such coordination among \nGovernmental officials is critical to effectively addressing \ncybersecurity issues.\nAny U.S. 
Legislation Should be Respectful of Canadian Sovereignty and \n        Jurisdiction\n    In addition to the need for coordination between Canadian and U.S. \nGovernmental officials, this subcommittee should also be mindful that \nU.S. legislation should avoid interfering with Canadian sovereignty and \njurisdiction, which could undermine both cybersecurity and reliability. \nFor example, in H.R. 2195, ``critical electric infrastructure'' is \ndefined so broadly as to include Canadian systems and assets, since \nthose systems and assets, if incapacitated or destroyed, could cause \nsignificant harm to the U.S. grid. Such a broad definition would, under \nthis language, bring Canadian utilities within the scope of FERC \nauthority under Section 224(e). Moreover, the Interim Measures \nauthority under Section 224B would allow FERC to supplement, replace, \nor modify existing cybersecurity reliability standards approved by \nNERC. Since existing cybersecurity standards are in effect in the \nmajority of Canadian provinces, the replacement of such standards in \nthe United States by FERC could result in inconsistent reliability \nstandards on the North American grid, thereby potentially undermining \nreliability and potentially making the system more vulnerable to a \ncyber attack. CEA therefore requests this subcommittee to consider the \nimpact that provisions in any proposed legislation could have on \nCanadian sovereignty and jurisdiction.\n              need for coordination among industry sectors\n    As a final matter, CEA is concerned with any legislative actions \ntaken by Congress that fail to take into account the scope of the \ncybersecurity problem. As noted in ``Cyberspace Policy Review,'' \ncybersecurity affects all sectors and must be addressed in a \ncomprehensive manner. 
CEA believes any cybersecurity bill would be \ngreatly improved by requiring that the necessary information sharing \nand collaboration take place between governmental agencies and all the \ncritical infrastructure sectors, not just electricity. A focus on just \nthe electricity sector addresses only one piece of a much larger \npuzzle, and could, in fact, miss important elements to effectively \naddressing cybersecurity in the bulk power sector. The President's \nreport recognizes that the cybersecurity issue ``transcends the \njurisdictional purview of individual departments and agencies because, \nalthough each agency has a unique contribution to make, no single \nagency has a broad enough perspective or authority to match the sweep \nof the problem.'' Given the complexity of the cybersecurity problem, \nand the need for coordination on an international basis, CEA asks this \nsubcommittee to exercise caution before developing legislation to \naddress cybersecurity in the electricity sector.\n    CEA appreciates this opportunity to provide this statement and \nwould be happy to answer any questions that may arise during the \nhearing.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\nThe North American Electric Power Industry's Top Priority is a Reliable \n                      and Secure Bulk Power System\n    The stakeholders of the electric power industry continue to work \nclosely and in partnership with governmental authorities at the \nFederal, State/provincial and local levels in both the United States \nand Canada in order to maintain and improve upon the high level of \nreliability consumers expect. Cybersecurity is an important element of \nbulk power system reliability that the electric power industry takes \nvery seriously.\n     electric power industry in strong partnership with government\n    The electric power industry works closely with various government \nagencies on bulk power system security. 
On an on-going basis, we \ncommunicate and collaborate in the United States with the Department of \nHomeland Security, the Department of Energy, and the Federal Energy \nRegulatory Commission (FERC), and in Canada with the various Federal \nand provincial authorities to gain needed information about potential \nthreats and vulnerabilities related to the bulk power system. The \nelectric power industry also works very closely with the North American \nElectric Reliability Corporation (NERC) to develop mandatory \nreliability standards, including cybersecurity standards. In addition, \nNERC has an ``alert and advisory'' procedure that provides the electric \npower industry with timely and actionable information to assure the \ncontinued reliability and security of the bulk power system.\n the electric power industry continuously monitors and acts quickly to \n           ensure bulk power system reliability and security\n    Every day, the electric power industry continuously monitors the \nbulk power system and mitigates the effects of transmission grid \nincidents--large and small. Consumers and government are rarely aware \nof these incidents because of the sector's advance planning and \ncoordination activities which reflect the quick and often seamless \nresponse the sector takes to address reliability and security events. \nThis response includes prevention and response/recovery strategies--\nboth are equally important. 
The industry's strong track record on \nreliability and security continues as we work diligently to adhere to \nmandatory NERC reliability standards, which are approved by FERC, \nincluding standards that address cybersecurity.\n   nerc flexible standards approval processes meet majority of grid \n                               challenges\n    NERC's industry-based and FERC-approved standards development \nprocess yields mandatory standards for the bulk power system that are \nclear, technically sound, and enforceable, yet garner broad support \nwithin the industry. NERC is striving to draw from the state-of-the-art \nin cybersecurity, through consideration of the National Institute of \nStandards and Technology (NIST) framework for cybersecurity, and to \nintegrate that framework into NERC's existing Critical Infrastructure \nProtection standards. NERC has also made important revisions to its \nstandards development process by putting in place policies that allow, \nwhen necessary, for the confidential and expedient development of \nstandards, including those related to cyber- and physical security.\n    emergency cyber situations require an expeditious and efficient \n                                approach\n    If the Federal Government has actionable intelligence about an \nimminent threat to the bulk power system, the electric power industry \nis ready, willing, and able to respond. We understand it may be \nnecessary for Government authorities to issue an order, which could \nrequire certain actions to be taken by the electric power industry. In \nthese limited circumstances, when time does not allow for classified \nindustry briefings and development of mitigation measures for a threat \nor vulnerability, FERC in the United States and the appropriate \ncorresponding authorities in Canada should be the Government agencies \nthat direct the electric power industry on the needed emergency \nactions. 
These actions should only remain in effect until the threat \nsubsides or upon FERC approval of related NERC reliability standards. \nIn the United States, Section 215 of the Federal Power Act (Energy \nPolicy Act of 2005) invested FERC with a significant role in bulk power \nsystem reliability, and it would be duplicative and inefficient to \nrecreate that responsibility at another agency. As FERC, NERC and the \nelectric power industry relationships move forward and mature in the \narea of reliability and security, any disruption of this would be \ncounterproductive.\n  improved electric power industry-government partnership with better \n                            information flow\n    In nearly all situations the electric power industry can protect \nthe reliability and security of the bulk power system without \nGovernment intelligence information. However, in the limited \ncircumstances when the industry does need Government intelligence \ninformation on a particular threat or vulnerability, it is critical \nthat such information is timely and actionable. After receiving this \ninformation, the electric power industry can then direct its expert \noperators and cybersecurity staff to make the needed adjustments to \nsystems and networks to ensure the reliability and security of the bulk \npower system. 
The electric power industry is fully committed to taking \nthe needed steps to maintain and improve bulk power system reliability \nand security, and stands ready to work with Congress, FERC, other \nGovernment agencies and NERC on these critical issues.\n    Supporting Associations and Contacts.--American Public Power \nAssociation, Joy Ditto; Canadian Electricity Association, Bonnie \nSuchman; Edison Electric Institute, Scott Aaronson; Electric Power \nSupply Association, Con Lass; Electricity Consumers Resource Council, \nJohn Anderson; Large Public Power Council, Jessica Matlock; National \nAssociation of Regulatory Utility Commissioners, Charles Gray; National \nRural Electric Cooperative Association, Laura M. Schepis; Transmission \nAccess Policy Study Group, Deborah Sliz.\n                                 ______\n                                 \n                 Statement of Industrial Defender, Inc.\n    Thank you for the opportunity to submit written testimony regarding \nefforts to secure the modern electric grid from physical and cyber \nattacks. I appreciate the subcommittee examining these important issues \nand am grateful for your willingness to consider my views.\n    I am the president and CEO of Industrial Defender, Inc., a provider \nof cyber risk protection with over 18 years of industrial control \nsystem and SCADA industry experience and more than 7 years of \nindustrial cybersecurity experience. Industrial Defender has completed \nmore than 100 process control/SCADA cybersecurity assessments, more \nthan 10,000 global technology deployments in securing critical \ninfrastructure systems, more than 3,000 mission-critical SCADA \ndeployments and provides managed security services for 170 process \ncontrol plants in 21 countries. My comments on the subcommittee's \nhearing topic follow.\n  protecting the u.s. 
electric power infrastructure from physical and \n                             cyber attacks\n    The Federal Government has a responsibility to protect our Nation's \nelectric power infrastructure from physical or cyber attacks to ensure \nthe social, economic, health, and safety of our citizens. There has \nbeen a significant increase in malicious cyber attack attempts on \ncritical infrastructure electric power entities from suspected \nterrorists and even adversarial nations and more action is needed to \nfortify our Nation's electric power cyber defenses in order to combat \nthe potentially dangerous threats. A recent coordinated cyber attack on \nthe United States and South Korea, which may have originated in North \nKorea, involved the malicious use of more than 100,000 computers. \nThough this particular attack was not targeted at U.S. electric power \ninterests, it does suggest that more needs to be done in order to \nimprove our Nation's cyber defenses.\n    The majority of electric power assets in the United States are \nowned and operated by private sector entities. Based upon private \nsector contracts executed by Industrial Defender over the past 7 years \nto assess and mitigate cyber risk specific to critical infrastructure \nindustries, including electric power, oil and gas, water, \ntransportation, and chemical sectors, we have found that industries \nwith cybersecurity regulatory mandates in place, including the Chemical \nand Electric Power sectors, are industries taking a leadership role in \nprotecting their digital infrastructure assets. Having regulations in \nplace, however, does not guarantee 100 percent compliance or \nprotection. There have been significant challenges within industries \nfor which mandatory compliance standards have been implemented. 
A \nrecent letter to electricity industry stakeholders from Michael \nAssante, the Chief Security Officer for the North American Electric \nReliability Corporation (NERC) dated April 7, 2009, raised concern over \nthe identification of Critical Assets and Critical Cyber Assets (NERC \nCIP-002), which are defined as those ``facilities, systems and \nequipment which, if destroyed, degraded, or otherwise rendered \nunavailable, would affect the reliability or operability of the Bulk \nElectric System.'' Results from a survey published for the July 1-\nDecember 31, 2008 period suggest that certain qualifying assets may not \nhave been identified as ``Critical''. Of particular concern were \nqualifying assets owned and operated by electric power generation \nowners and operators, of which only 29 percent reported identifying at \nleast one critical asset, and transmission owners, fewer than 63 \npercent of which identified at least one critical asset. This inaction \nby electricity asset owners and operators regarding mandatory \ncompliance requirements gives rise to great concern over the ability of \nany voluntary private sector compliance program to be effective. There \nis a risk that industries that do not have compliance mandates may be \nwilling to play the percentages that a critical infrastructure incident \nwill not happen at their company, rather than spend thousands or even \nmillions of dollars to mitigate any known risks and vulnerabilities.\n    Ensuring the reliability and security of the bulk electric system \nmust be a cooperative and shared responsibility between private sector \norganizations and the Federal Government. 
This should include the \nFederal Government overseeing a coordinated effort between public \nsector and private sector entities to enhance and enforce the NERC CIP \nstandards; drive cybersecurity awareness and education within the \npublic and private sector; require vendor commercial information \nsecurity credentials; provide crucial sharing of information regarding \ncyber incidents, vulnerabilities, and best practices; provide a \ncybersecurity implementation funding incentive; and, offer ``Safe \nHarbor Protection'' for private sector companies, ensuring the \nelevation of threat and vulnerability information to the Federal \nGovernment while at the same time increasing public awareness and \nprotection.\n                industry compliance with nerc standards\n    In addition to the North American Electric Reliability (NERC) \nsurvey, which raises concerns over the inaction of bulk electricity \nasset owners and operators, some bulk electricity providers may be \ntaking a ``defensible audit position'' in lieu of a well-designed cyber \nrisk mitigation strategy. It is our opinion that this behavior is the \nresult of non-descriptive and prescriptive requirements in the current \nNERC CIP standards that leave determination of a risk-mitigation \nstrategy solely to the discretion of industry. Additionally, it is \nimportant to note that up to the latest revision of the NERC CIP \nstandards, asset owners and operators were permitted to apply \n``reasonable business judgment'' in determining risk-mitigation \nstrategy for critical assets.\n    The current industry spread relative to interpretation and action \naround the current NERC CIP standards is extremely broad. Based upon \nexperience, significant action was taken by industry in assessing cyber \nrisk through contracting third parties to provide independent NERC CIP \ngap analysis, network design reviews, vulnerability assessments, \npenetration testing, and NERC CIP compliance training. 
Much of this \nwork was done in advance of the December 31, 2008 deadline; however, \nmany utilities remain very active in performing this work relative to \ntheir operational assets. What is more concerning, regarding NERC CIP \ncompliance, is the slow pace at which industry is adopting technology \nrequired to meet NERC CIP-005 and NERC CIP-007 compliance, \nspecifically, establishing Electronic Security Perimeter and System \nSecurity management for all Critical Cyber-Assets. It is evident, as \nrepresented in Mr. Assante's April 7, 2009 letter to Industry \nStakeholders, that the definition of a ``Critical Asset'', and \nassociated ``Critical Cyber-Asset'', has been viewed differently \nbetween the private sector and NERC. The private sector's \ninterpretation, and hence subsequent identification of critical assets, \nhas resulted in actions that seem contrary to the defined objectives of \nsecuring the Nation's critical infrastructure.\n    In one example, a major U.S. electric power provider considered \nimplementing intrusion detection monitoring technology to mitigate \ncybersecurity risks and vulnerabilities in order to secure its \nsubstations and meet the required NERC CIP compliance standards. \nCurrently, the NERC CIP compliance standards focus on ``routable \ncommunication protocols'' and exclude ``non-routable communication \nprotocols'' and ``communication links''. The electric power entity \neventually made a cost-conscious decision to convert all of its \nsubstations to a non-routable communication protocol SCADA network. 
As \na result, it did not move forward with the substation equipment \nupgrade, resulting in a move backwards instead of using technology to \nenhance cybersecurity, workplace efficiency, and productivity.\n    With over 150 investor-owned utilities, Government-owned and -\noperated utilities and a number of smaller municipal electric entities \nfalling under the jurisdiction of the NERC CIP standards, there should \nbe significant demand for monitoring technology to support NERC CIP \nrequirements. Unfortunately, the purchasing behavior of bulk \nelectricity providers does not match the number of monitoring sensors \nneeded to support the NERC CIP standards.\ngovernment efforts to secure control systems and the electric industry \n                    from physical and cyber attacks\n    Escalation of threats and exposure of incidences are essential \ncomponents of successfully thwarting cyber attacks against the Nation's \ncritical infrastructure. With 85 percent of the Nation's critical \ninfrastructure owned and operated by the private sector, the public and \nprivate sectors must work collaboratively, with trusted and open lines \nof communication, to ensure the timeliest communication of critical \ncybersecurity information. Relying solely on Federal Government \nintelligence agencies to identify the threat is a shortsighted \nstrategy. 
The private sector represents the most valuable source of \noperational intelligence, which must be harnessed in order to \neffectively communicate and drive action to reduce the consequences of \npending attacks.\n    Operational systems (SCADA/Process Control Systems) used to safely \nand reliably operate critical infrastructure in electric power, water, \nenergy, chemicals and transportation sectors lack the necessary \nsecurity technology to escalate cyber threats and expose cyber \nincidences in real-time so that appropriate action (communication, \nemergency orders/actions, etc) can be taken to minimize the impact on \nnational security, public safety, and economic interests.\n    Greater investments in ``Defense in Depth Sensor Technology,'' \nincluding electronic security perimeter, remote access and \nauthentication, network intrusion detection, host intrusion detection, \nand patch monitoring and management, will enable real-time aggregation \nof threats and incidences for real-time reporting. FERC Order 706 also \ncalls for ``defense-in-depth'' subject to technical feasibility \nconsiderations with NERC oversight.\n    Through the deployment of Defense in Depth Sensor Technology, the \nU.S. Department of Homeland Security (DHS) should assume the role of \n``Critical Infrastructure Threat Clearing House.'' The goal of the \nCritical Infrastructure Threat Clearing House is to establish lines of \ncommunication between asset owners and operators and DHS to warn the \npublic of potentially dangerous, malicious, and non-malicious \ncybersecurity incidents. It is recommended that DHS establish a ``cyber \nheat map,'' populated with intelligence by Defense in Depth Sensor \nTechnology, which would provide transparency into the current \ncybersecurity threats facing the Nation, as well as supply access to \ndetailed information on each specific threat occurrence. 
However, for \nthis to be effective, safe harbor protection should be afforded to the \nprivate sector reporting party (see below).\n        pending legislation and coverage of the electric sector\n    Cooperation between private sector organizations and the Federal \nGovernment will need to be achieved to enable increased cybersecurity \nprotection as well as flexibility to expand these infrastructure \nplatforms to support future needs. To this end, legislation pending \nbefore Congress could be strengthened to better achieve the separate \ngoals of the private and public sectors as well as increased public \nsafety. Important issues that are not currently part of the legislative \nproposals are outlined below.\n  <bullet> A distinct lack of threat visibility due to the slow \n        adoption of technology designed to both detect and protect \n        against cybersecurity threats.\n  <bullet> Inclusion of safe harbor protection for private sector \n        companies, ensuring the elevation of threats and \n        vulnerabilities to the Federal Government, resulting in \n        increased public awareness and protection.\n  <bullet> An absence of specific descriptive and prescriptive \n        recommendations for critical infrastructure systems and \n        requirements.\n  <bullet> Mechanisms to enable a more efficient and timely means of \n        issuing standards through granting FERC ``authorship'' \n        responsibility. 
Presently the NERC Standards processes are \n        largely created and approved by industry and hence are somewhat \n        self-policing.\n  <bullet> Require any full- or part-time contractor with privileged \n        access to critical infrastructure control related information \n        system to obtain commercial cybersecurity credentials.\n  <bullet> Provision to increase availability of funds for \n        cybersecurity related equipment and staffing.\n    Any final legislation promoting public and private sector \ncollaboration should include the following recommendations.\n  <bullet> More Descriptive Definition of Critical Cyber-Assets.--It is \n        essential that any final legislation specifically identify \n        which critical cyber assets need to be secured. As it relates \n        to SCADA/Process Control System security requirements, all \n        computer or microprocessor-based operational devices used to \n        monitor, control, or analyze the critical infrastructure where \n        accurate timing has been deemed necessary must be included to \n        ensure the integrity of the critical infrastructure. 
These \n        devices include, but are not limited to: Power Plant Automation \n        Systems; Substation Automation Systems; Programmable Logic \n        Controllers (PLC); Intelligent Electronic Devices (IED); \n        sequence of event recorders; digital fault recorders; \n        intelligent protective relay devices; Energy Management Systems \n        (EMS); Supervisory Control and Data Acquisition (SCADA) \n        Systems; Plant Control Systems; routers; firewalls; Intrusion \n        Detection Systems (IDS); remote access systems; physical \n        security access control systems; telephone and voice recording \n        systems; video surveillance systems; and, log collection and \n        analysis systems.\n  <bullet> Remove the Exclusion of ``Non-routable Protocols'' and \n        ``Communication Links''.--This exclusion is being used as a \n        work-around to avoid implementation costs. FERC Order 706 \n        includes comments from the ISA99 Industrial Automation and \n        Control Systems Security Team objecting to the exclusion of \n        communication links from CIP-002-1 and non-routable protocols \n        from critical cyber assets. The comments argue that both are \n        key elements of associated control systems, essential to proper \n        operation of the critical cyber assets, and have been shown to \n        be vulnerable--through testing and experience.\n  <bullet> Bolster Public/Private Clearing House.--It is increasingly \n        essential that private sector asset owners and operators work \n        collaboratively with the Government to warn the public of \n        potentially dangerous malicious and non-malicious cybersecurity \n        incidents. Through the deployment of Defense-in-Depth Sensor \n        Technology, the U.S. 
Department of Homeland Security (DHS) \n        should assume the role of ``Critical Infrastructure Threat \n        Clearing House.'' The goal of the Critical Infrastructure \n        Threat Clearing House is to establish lines of communication \n        between asset owners and operators and DHS to warn the public \n        of potentially dangerous, malicious, and non-malicious \n        cybersecurity incidents. It is recommended that DHS establish a \n        ``cyber heat map'' populated with intelligence by Defense in \n        Depth Sensor Technology, which would provide transparency into \n        the current cybersecurity threats the Nation faces, as well as \n        supply access to detailed information on each specific threat \n        occurrence. In order for this to be effective, safe harbor \n        protection should be afforded to the private sector reporting \n        party (see below).\n  <bullet> Include Recommendation of Descriptive and Prescriptive \n        Solutions.--Any final legislation should require the deployment \n        of Defense-in-Depth Sensor Technology throughout the entire \n        SCADA/Process Control System network environment. Defense-in-\n        Depth Sensor Technology includes electronic security perimeter, \n        remote access and authentication, network intrusion detection, \n        host intrusion detection, and patch monitoring and management. \n        Equipping critical infrastructure systems with the appropriate \n        security sensor technology enables real-time aggregation of \n        threats and incidences for real-time reporting to the \n        appropriate authorities.\n  <bullet> Provide ``Safe Harbor Protection''.--Presently there is no \n        ``Safe Harbor Protection'' afforded to the private sector for \n        open ``escalation of threats, exposure of incidences'' with the \n        Federal Government. 
Without these protections in place, private \n        sector companies will be less inclined to share the information \n        and risk potential negative public exposure. Legislation \n        pending before Congress attempts to address this issue by \n        providing protection to disclosed cybersecurity data; however, \n        the proposals do not provide a similar protection to the \n        disclosing entity. In order to ensure open communication from \n        the private sector, it is essential to provide privacy \n        protection for both the disclosing entity and the disclosed \n        cybersecurity data. As a means of bridging the communication \n        gap between public sector and private sector, safe harbor \n        protection should be provided to private sector companies \n        escalating threats and/or exposing incidences with the Federal \n        Government. This protection is not intended to provide a safe \n        harbor from accountability, but instead to provide protection \n        to share information with the appropriate authorities. The U.S. \n        Department of Defense's (DOD) Defense Industrial Base Cyber \n        Security and Information Assurance (CS/IA) pilot program \n        initiative, launched in early 2008, offers a potential model on \n        this issue. The DIB/CSIA has five major components: (1) A \n        binding bilateral DOD-DIB company framework agreement to \n        facilitate CS/IA cooperation; (2) threat and vulnerability \n        information sharing; (3) DIB network incident reporting; (4) \n        damage assessments; and (5) DOD acquisition and contract \n        changes. 
Some of these components might be relevant to \n        establishing a similar relationship between the Federal \n        Government and private sector critical infrastructure \n        companies.\n  <bullet> Grant FERC Authorship Responsibility.--Presently, the NERC \n        Critical Infrastructure Protection (CIP) standards [CIP-002--\n        CIP-009] provide electric utility private sector guidance on \n        the subject of cybersecurity. Pending legislation would provide \n        FERC with emergency authorities to issue actions/orders in the \n        event of a known cybersecurity threat to the electric utility \n        infrastructure. These actions/orders would remain in effect \n        over a defined period of time until they are incorporated into \n        a standard, and/or the threat is mitigated, or the order/action \n        expires.\n      The NERC CIP standards are self-policing in that they are created \n        and approved by industry. According to FERC Chairman Jon \n        Wellinghoff in his April 28, 2009 letter to U.S. Representative \n        Edward J. Markey, ``The commission is committed to exercising \n        all of the authority that Congress has given it to help protect \n        the power grid. However, Congress needs to be aware that the \n        commission's current authority is not sufficient to ensure the \n        cybersecurity of the grid. The existing process is based on \n        industry consensus and is, therefore, too slow, subject to \n        disclosure to potential attackers, and not responsive enough to \n        adequately address matters that affect national security.''\n      Granting FERC emergency authorities to act in the event of a \n        threat or incident is the reactive element of protecting our \n        Nation's critical infrastructure. 
Who is responsible for the \n        proactive element of mitigating our risks, escalating the \n        threats and exposing our incidences?\n      In addition to having emergency authorities, FERC should be \n        granted authorship responsibilities for future cybersecurity \n        standards to ensure the protection and integrity of the \n        Nation's electric utility infrastructure. FERC can continue to \n        leverage NERC for the creation of the standards; however, in \n        the interest of ensuring timely, descriptive, and prescriptive \n        cybersecurity standards, FERC must have the authority to author \n        and issue such standards. Industry input is important to drive \n        public sector-private sector collaboration; however, the \n        present self-policing standards leave the Nation's ability to \n        secure the electric utility infrastructure in a timely manner \n        vulnerable.\n  <bullet> Require a Commercial Cybersecurity Credential.--Any full- or \n        part-time contractor with privileged access to a critical \n        infrastructure control information system, regardless of job or \n        occupational series, would need to obtain a commercial \n        cybersecurity credential accredited by ANSI or an equivalent \n        authorized body. The credential would also require maintaining \n        certified status with a certain number of hours of continuing \n        professional education each year. 
This program would be phased \n        in and have a similar framework as DOD Directive 8570.1 \n        Information Assurance Training, Certification, and Workforce \n        Program.\n  <bullet> Cybersecurity Implementation Monetary Incentives.--This \n        could be similar in concept and scope to the renewable energy \n        incentives passed in the Emergency Economic Stabilization Act \n        of 2008 and/or the Smart Grid incentives of the American \n        Recovery and Reinvestment Act of 2009 (ARRA).\n   intrusion detection technology and identification of cyber attacks\n    Industrial networks, while sharing many of the same technologies as \nbusiness networks, differ enough from business networks to make many \nconventional threat management approaches ineffective. Industrial \nnetworks tend to be more static and predictable than business networks. \nSafety and effectiveness testing costs for industrial networks are very \nhigh, and the effects of technologies like anti-virus scanning and even \nsecurity patch management on these computers are unpredictable enough \nthat no such technologies can be used safely without incurring very \nhigh costs. Industrial networks tend to be tightly controlled--\ngenerally conventional office tools such as word processors, \npresentation tools, and email clients are not found on legacy \nindustrial networks. However, modern industrial networks leverage base \ninternet protocols like TCP and HTTP and layer on top of these base \nprotocols a large variety of control-system-custom protocols like \nModbus, DNP3, ICCP and IEC 61850, which are never seen on business \nnetworks.\n    The present lack of investment in equipping industrial network \nsystems with real-time security sensors to provide visibility into the \ncurrent cybersecurity threats, vulnerabilities and incidences plaguing \nthem has emerged as both a necessary and dangerous initiative in terms \nof cybersecurity protection. 
Based on historical risk and vulnerability \nassessment data captured from Industrial Defender professional services \nfield teams, most SCADA environments contain latent vulnerabilities, \nlikely with compiled exploits, and are not discovered, on average, \nuntil almost a year later (331 days).\n    As a result, it is necessary to carefully evaluate security \ntechnologies and techniques before deploying them on industrial \nnetworks and computers. Through the evaluation of many technologies \nover the last 5 years, Industrial Defender has found results that span \nthe entire spectrum from security technologies and procedures that \nactively impair the effectiveness of industrial networks and control \nsystems, through technologies that do not impair networks, but add no \nvalue either, to technologies and approaches that are, in fact, \neffective and worthwhile at securing industrial networks.\n    Network intrusion detection systems (NIDS) are an essential \ncomponent of a defense-in-depth strategy, and there are real benefits \nin the form of specialized expertise when an outsourced managed service \nprovider manages NIDS sensors. NIDS sensors developed for industrial \ncontrol systems need to be customized with knowledge of industrial \nnetwork protocols and systems. The sensors are routinely deployed \ninside the security perimeter of the industrial network, monitoring \ntraffic exchanged between the industrial computers and between those \ncomputers and the business network.\n    Conventional NIDS technologies are ``signature-based.'' That is, \nmuch like the well-known anti-virus (AV) products used on PC \nworkstations, signature-based NIDS use a large set of rules called \n``signatures'' to scan network traffic. Any traffic that matches the \nsignature triggers an alert and may trigger corrective action, as well. 
\nA key limitation of conventional signature-based NIDS is that like \nsignature-based AV, signature-based NIDS can only detect attacks that \nit has a signature for. As new vulnerabilities are found in common \ncomputer and network components, new signatures are written to identify \ncommunications patterns of attackers trying to take advantage of those \nvulnerabilities. If an attacker discovers a vulnerability or somehow \nmanages to create an attack vector for a vulnerability before a patch/\nfix or signature for the vulnerability is available, that attack is \ncalled a ``zero day'' attack. Signature-based NIDS are by definition \nunable to detect zero-day attacks, because those attacks occur before \nsignatures are available to detect the attacks.\n    Host intrusion detection systems (HIDS) monitor the operation of \ncomputer systems and alert when suspicious activity is detected. The \narchetypical example of HIDS is an anti-virus system. With NIDS, it is \ngenerally possible to monitor networks in a completely passive way, \nreceiving a copy of every message exchanged on a switch, for example, \nwithout impairing the communications on the switch in any way. This is \nimportant because of the prohibitive cost of re-testing an industrial \nsolution for safety and effectiveness if an after-the-fact security \nmonitoring solution changes the behavior of the network significantly.\n    Control system HIDS have the same imperative--first do no harm. \nAfter-market HIDS must not interfere with the operation of the control \nsystem and must not reduce confidence in the correctness of a control \nsystem to the point where a prohibitively expensive re-test is \nrequired. An industrial HIDS solution must be designed with exactly \nthis criterion in mind. 
Most enterprise class HIDS interfere with the \noperation of the host, either by accident or by design, or they insert \nthemselves so deeply into the operating system and kernel of the host \ncomputer, that they destroy all confidence in the continued correct and \nsafe operation of the control system.\n              government investment in control systems r&d\n    One area of focus should be a centralized clearing house for the \ncorrelation of alerts and traffic statistics. Such central oversight \nwould provide intelligence regarding widespread information gathering \nand other attacks. For the central correlation to work, cooperation of \nlarge, managed service providers and large, self-managed networks is \nneeded, in order to send the necessary standardized alerts, and traffic \nstatistics to the U.S. Government. If a central agency was the real-\ntime clearing house for conclusions about traffic patterns and the \ncorrelation of such conclusions, that agency would be able to correlate \nsuspicious activities across many industrial networks. Such \ncorrelation, especially correlation of traffic profiling results, might \nallow the central monitoring agency to identify widespread information-\ngathering activities targeted at critical infrastructure networks. Such \nactivity is a logical precursor to a widespread attack on \ninfrastructure. It would also allow a central clearing house to draw \nconclusions about widespread infections calling out to the internet for \ninstructions from time to time, which might be a sign of a coordinated \nattack on many sites.\n    Industrial Defender recommends that the Federal Government \ninvestigate establishing a program, correlation infrastructures and \ntechnologies, and the necessary data exchange standards to permit real-\ntime alerts and traffic statistics to be aggregated centrally. 
\nIndividually managed security service providers and large industrial \nsecurity/network control centers would be encouraged--or required--to \nparticipate in the program and provide the central authority with the \nstatistics and other information that the agency requires to calculate \nhigh level correlations. Such a program could provide government and \nintelligence agencies with important insights into the health of \nindustrial networks overall, and with insight into sudden changes or \nwidespread patterns indicative of preparations for a large-scale \nattack.\n    A second area of focus is to strongly encourage control system \nvendor partnerships with the U.S. Department of Energy's National \nSupervisory Control and Data Acquisition (SCADA) Test Bed programs at \nIdaho National Laboratory and Sandia National Laboratory. There needs \nto be a continued and raised emphasis on control system security \nproduct and technology assessments to identify vulnerabilities and \ncorresponding mitigation approaches when systems are being designed and \nbuilt.\n                                 ______\n                                 \n                Statement of Southern California Edison\na lifecycle framework for self-sustaining implementation of smart grid \n             interoperability and cyber security standards\n                              introduction\n    Advancing Smart Grid interoperability and security through \nstandards adoption fosters innovation and accelerates robust, secure, \nand reliable Smart Grid deployments. This is achieved by lowering the \nbarriers to entry for vendors; accelerating secure and interoperable \nproduct time to market; and ultimately lowering costs for consumers. \nWith all the potential benefits associated with broad standards \nadoption it seems reasonable to institute a standards lifecycle \nframework to ensure the deployment of a robust and interoperable Smart \nGrid. 
Unfortunately, realizing the benefits of standardization requires \nmore than just selection of a standard.\n    Several papers in circulation including papers developed by EnerNex \n\\1\\ and EPRI \\2\\ show that there are plenty of standards available. \nWith so many available standards, why has the pace of adoption been \nslow? The answer is that the selection of a standard is but one aspect \nof a greater product lifecycle. Full realization of the benefits will \nrequire a shared Government and industry focus on a common set of Smart \nGrid functions, and a standards lifecycle framework supporting those \nfunctions. The goal of this standards lifecycle framework is to align \npolicy, standards development, product development, and procurement \nactions to create a self-sustaining Smart Grid market. A successfully \noperating, self-sustaining Smart Grid product market is defined by \npublic policy supported by standards that are rapidly adopted by \nproduct vendors seeking certification, and driven by utility \nprocurement agents only buying products certified to those standards. \nThe effect in the marketplace is that product vendors are incented to \ncompete against each other to create products that are increasingly \ninteroperable and secure. Within this context, it is clear that any \napproach needs to be comprehensive and cohesive.\n---------------------------------------------------------------------------\n    \\1\\ Smart Grid Standards Assessment and Recommendations for \nAdoption and Development, draft v0.82, Enernex for California Energy \nCommission, February, 2009.\n    \\2\\ EPRI Technical Report: Integration of Advanced Automation and \nEnterprise Information Infrastructures: Harmonization of IEC 61850 and \nIEC 61970/61968 Models, EPRI, Palo Alto, CA 2006. 
Product ID 1013802.\n---------------------------------------------------------------------------\n    Beyond the creation of a standards lifecycle framework, it should \nalso be noted that the associated effects of validation, enforcement, \ncertification, and accreditation are missing or in need of additional \nsupport. Certification and enforcement are critical elements of the \nlifecycle. Certification defines test cases that clarify standards \ninterpretation in products by vendors. In this manner, any ambiguity in \nstandards interpretation is quickly identified and remedied in such a \nclosed-loop process. Without such a process, vendors will interpret \nstandards differently and interoperability will not be achieved.\n    This holistic approach to standards adoption allows for a more \ninclusive stakeholder representation. Achieving increasing levels of \ninteroperability and robustness will require a concerted effort by all \nstakeholders including regulators, Government agencies, utilities, \nvendors, commercial organizations, and standards development \norganizations. These interests can be represented through a look at the \napplicable development and adoption lifecycles and how these lifecycles \nintersect. Two of the most relevant lifecycles are the procurement \nlifecycle and the standards development lifecycle. These two lifecycles \nare significant in that they cover both the development of the products \nand standards and the adoption and enforcement of the standards.\n                    standards development lifecycle\n    The standards development lifecycle is the realization of an \noperational need through the articulation of the need, followed by the \ndevelopment of standards, certification processes, and implementation \nvalidation. The standards process is better served when the \norganizations needing to procure the products are involved in this \nneeds development. In the case of Smart Grid, these organizations are \nmostly utilities. 
Needs are typically represented through business \nobjectives, use cases, and requirements. These needs should be the \nbasis for both platform-agnostic and platform-specific standards \ndevelopment. The process for establishing and representing the needs \nthrough standards is well-established and actively practiced in the \nutility industry. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    As shown above in Figure 1, the standards development lifecycle \ndoes not end with the development of the standard; this is simply the \nstarting point. The standard needs to be implemented, validated and \nadopted. In most cases where standards are available but not widely \nused, the fault is not with the development of the standard but rather \nwith the enforcement of the standard. Fortunately, normal competitive \nmarket drivers can be used to enable this piece. Commercial \norganizations chartered to validate vendor implementations claiming to \nbe compliant with a given standard are needed. These organizations play \na critical role in the overall adoption of a standard. There are \nseveral commercial organizations currently providing certification \nservices including ZigBee, HomePlug, Wi-Fi, and WiMAX. While the \ncommunications space is well-served by these organizations, other \ndomains have no commercial equivalent. As an example for the electric \ngrid, there are no commercial security certification organizations. \nUtilities and other organizations have developed security-related needs \nstatements and there are many security standards. Again, because there \nis no certifying organization the lifecycle is broken and the standards \nadoption becomes ad-hoc. Closing the loop with a certification process \nis a key to accelerating mature standards. In doing so, \ninteroperability issues are discovered and regressed into the standards \nand the technologies. 
Without this closed-loop process, \ninteroperability is almost impossible to achieve on a broad system \nspanning multiple vendors.\n    Ultimately, adoption is achieved through the procuring \norganization. The utilities procure devices which extend and enhance \nthe capabilities of the electric grid. Using security as an example, \ndevices which are certified as more robust or more secure will be \nprocured over competing devices offering less robustness or security. \nIn this way, both the utilities and the vendors have the necessary \nincentives to foster a sustainable Smart Grid ecosystem.\n            procurement-driven standards lifecycle framework\n    The standards development process relies on the utility procurement \nlifecycle for enforcement. This lifecycle also provides other key touch \npoints with the standards development lifecycle beyond the final \nenforcement of a given standard. These touch points give visibility and \nprovide context for participation of various stakeholders. The utility \nprocurement lifecycle, at its core, is concerned with procuring \nproducts which meet a given set of criteria. These criteria include \nregulatory policy, operational needs, and business functionality as \nwell as any standards compliance requirements. Regulators and standards \norganizations support the utility procurement process at several points \nin the lifecycle.\n    Regulators at both the State and Federal level can provide four key \nroles in the lifecycle.\n    1. Define performance criteria in the context of meeting public \n        policy objectives. California's ``six criteria'' for advanced \n        metering is one example;\n    2. Provide oversight on utility expenditures and can enforce \n        interoperability and cybersecurity standards adoption;\n    3. Ensure utility participation in a centralized incident response \n        effort; and,\n    4. 
Refine performance criteria based on continuous improvement.\n    Continuing with the security example, the procurement lifecycle \nmerged with the standards development lifecycle to create a \nprocurement-driven, cybersecurity standards lifecycle framework, as \nshown in figure 2 below, provides for a more consistent and more secure \nelectric grid. In fact, enabling the entire lifecycle is the only way \nto increase security capability across the entire grid.\n    As part of this standards lifecycle framework, various industry \nstakeholders are able to define operational needs within the context of \nregulatory objectives. These needs are carried into standards \ndevelopment by utilities and vendors, evaluated for risk and used to \nseed various technology-agnostic and technology-specific standards \ndevelopment by standards development organizations (SDOs). The \nresulting standards can be recognized by Federal and State regulators \nas meeting policy objectives. While standards development is often \ndescribed as a long arduous process, today Smart Grid development can \nbenefit from the many existing standards available. The current \npotential to accelerate standards adoption is described in the ``Smart \nGrid Standards Adoption--Utility Industry Perspective'' \\3\\ white \npaper.\n---------------------------------------------------------------------------\n    \\3\\ Smart Grid Standards Adoption--Utility Industry Perspective \nv5.0, by Utility Smart Grid Executive Working Group and Open SmartGrid, \nMarch 23, 2009.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    As this lifecycle framework continues, products are developed by \nmanufacturers and software developers and evaluated for standards \ncompliance certification by independent commercial labs, which have \nbeen accredited by a Governmental agency such as NIST.\n    Devices/software are then procured by the utility for \nimplementation. 
During the course of utility operations, performance \ninformation is gathered, new threats are identified, and knowledge is \nshared. Any security risk that is realized is responded to by a central \nincident response team which coordinates the response to the security \nevent. Again, using the touch points across the standards lifecycle \nframework, the industry is able to transfer this security knowledge to \nthe appropriate organizations.\n                               conclusion\n    Lower product costs, operational costs, and improved resiliency are \nsignificant benefits associated with standards adoption. In order to \ntruly realize these benefits, the entire product lifecycle needs to be \nconsidered. There are two complementary views of this lifecycle: the \nfirst view is the standard lifecycle, and the second is the procurement \nlifecycle. Certification is a key component of the lifecycle and \nwithout certification the cycle is broken and the ability to achieve \nbroad interoperability is negated. These lifecycles should be unified \nby a comprehensive standards lifecycle framework described above. This \nmore holistic view also clearly identifies the roles for key \nstakeholders' participation. For the energy sector, enabling and \nenhancing this standards lifecycle framework should be the primary \ngoal.\n SCE Response to Questions for the DHS Subcommittee for Cybersecurity, \n        Emerging Threats, and Science and Technology on July 21\nHow much of the total cost of its metering infrastructure does SCE \n        expect to recoup from rate cases?\n    SCE's Smart Meter program is authorized for full rate recovery by \nthe California Public Utilities Commission.\nAre SCE's assets hardened against an intentional or unintentional \n        electromagnetic pulse? If so, how did SCE go about mitigating \n        this threat? How much did implementing protective measures \n        cost? 
Was SCE able to recoup these costs in a rate case?\n    SCE understands the disruption potential of electromagnetic pulse \n(EMP) and other threats that pose risks to system availability. These \nthreats are taken into account as part of our system design. The risk \nof the SCE assets being affected by EMP is a function of the \nprobability, size, and nature of an EMP threat. As such, SCE's risk-\nadaptive process accounts for this and other threats through our system \navailability, disaster recovery, and business continuity designs.\nPlease describe how SCE implemented mitigations to the Aurora \n        vulnerability.\n    In response to the Aurora Vulnerability, SCE first performed a \ndetailed assessment of the system to identify and mitigate the \nassociated vulnerabilities across our service territory in alignment \nwith NERC recommendations. Additionally, SCE refined planning, \nengineering, procurement, security, and compliance policies to support \nNERC CIP standards.\nWhat would industry like to see from Government in terms of an alert \n        and warning system about an impending cyber attack? Does this \n        early warning system exist today?\n    We believe the Government has an important role to play in the case \nof impending security events. This role should be played in the broader \ncontext of a well-defined structure as articulated in SCE's white paper \n``A Lifecycle Framework for Self-sustaining Implementation of Smart \nGrid Interoperability and Cyber Security Standards'' which is attached \nto this response. Early warning processes in use today include US-CERT, \nthe Electric Sector--ISAC (ES-ISAC) managed through NERC, as well as \nthe DHS Daily Open Source Infrastructure Report. 
All existing early \nwarning processes would benefit from participating in a broader self-\nsustaining framework that includes the mechanisms for all stakeholders \nincluding policymakers, vendors, utilities and incident response teams \nto take actions so the overall electric infrastructure becomes \nincreasingly secure.\nWhat is the current role of the Federal Government in defending \n        against nation-state-level cyber or physical attacks against \n        electric facilities? What should the role of the Federal \n        Government be?\n    We believe the role of the Federal Government should be to work \nwith industry to align collaborative efforts on policy, standards \ndevelopment, product development and procurement actions to create the \nself-sustaining Smart Grid market as outlined in the attached white \npaper ``A Lifecycle Framework for Self-sustaining Implementation of \nSmart Grid Interoperability and Cyber Security Standards''. A \nsuccessfully operating, self-sustaining market is defined by public \npolicy supported by standards that are rapidly adopted by product \nvendors seeking certification, and driven by utility procurements \nbuying products certified to those standards. The effect in the \nmarketplace is that product vendors are incented to compete against \neach other to create Smart Grid solutions that are increasingly \ninteroperable and secure.\nDoes SCE use the Energy ISAC today? Does SCE believe that the Energy \n        ISAC is effective in producing timely and relevant analysis and \n        warnings for the industry? If not, what measures can be \n        undertaken to improve this capability?\n    Yes, SCE utilizes the Electric Sector--ISAC (ES-ISAC), managed \nthrough NERC, for warnings applicable to the electric sector. 
The ES-\nISAC notifications are supplemented by US-CERT, as a source for our \nAnti-vulnerability Emergency Response Team, a 24x7 group of SCE subject \nmatter experts tasked with vulnerability and incident response.\n    We do believe the ES-ISAC represents an effective mechanism for \ntimely and relevant analysis and warnings for the industry. ES-ISAC \nparticipation in the broader industry lifecycle framework, as stated in \nthe attached white paper, would improve communication on security \nevents and known vulnerabilities across a broad set of industry \nstakeholders.\nWhat are the key aspects of any piece of legislation that seeks to \n        secure the electric grid from cyber and physical attack?\n    Legislation seeking to secure the electric grid should consider the \nability to facilitate the standards-driven process which motivates the \nmarket to produce and adopt increasingly secure and interoperable \nproducts.\nAre industry-written security standards appropriate to protect assets \n        as critical to national security as the electric system? If so, \n        why? If not, should a Federal entity write the standards?\n    Yes, SCE believes a public/private partnership is the most \neffective way to develop cybersecurity specifications and standards. 
An \nexample is the current effort between the industry, NIST and the \nDepartment of Energy, known as ASAP-SG, the goal of which is to \norganize and articulate Smart Grid cybersecurity standards by \nleveraging an existing set of standards, which will help provide the guidance \nnecessary for vendors to develop secure product; certification labs to \ncertify secure product; and utility companies the ability to \nconfidently procure and implement secure products.\n    SCE has published three papers on the topic of security and \nstandards; please see: http://www.sce.com/PowerandEnvironment/\nsmartgrid/.\n\n\n                          A P P E N D I X  I I\n\n                              ----------                              \n\nQuestions From Chairwoman Yvette D. Clarke of New York for Dr. William \n  R. Graham, Chairman, Commission to Assess the Threat to the United \n                   States From Electromagnetic Pulse\n    Question 1. The EMP commission report looked at several \ninfrastructure sectors, the first of which was electric power. Please \ntell us about the vulnerabilities you found there, and if you could \nprioritize their criticality. To the best of your knowledge, has the \nelectric industry attempted to address these vulnerabilities? Where are \nwe right now in protecting the electric grid and what more must be \ndone?\n    Answer. The vulnerabilities found in the electric power \ninfrastructure include:\n    a. High-voltage transformer damage due to low frequency (E3) High \n        Altitude EMP. These transformers are only produced outside the \n        United States, and at a very low rate. Lead time for delivery \n        under normal circumstances is months to years.\n    b. Damage to relays and other control electronics in high-voltage \n        substations due to high frequency (E1) EMP.\n    c. Distribution transmission line insulator damage due to E1 EMP.\n    d. Damage to power control center electronics due to E1 EMP.\n    e. 
Widespread blackout of power grids due to simultaneous failures \n        of controls, transformers, and the loss of load (due to \n        insulator damage).\n    As far as I have been able to determine, the electric industry has \nnot attempted to address these vulnerabilities. The Federal Energy \nRegulatory Commission (FERC) has been active in trying to understand \nEMP and other electromagnetic threats to the power grid, and they are \nencouraging the North American Electric Reliability Corporation (NERC) \nto take action with mandatory standards. FERC has asked the Department \nof Energy (DoE) to begin the development and demonstration of \nprotection technologies against EMP, geomagnetic storms, and \nIntentional Electromagnetic Interference (IEMI). NERC has also recently \nbeen briefed about EMP and geomagnetic storms by representatives of the \nEMP Commission.\n    While the level of discussion concerning the threat of EMP to the \npower grid is increasing, until NERC and the power industry take action \nin developing standards and implementing a schedule for protection, \nnothing will move forward. It is clear that a national leadership from \nthe National Security Council, the Department of Homeland Security, and \nthe DoE is required to move this protection issue forward. Such \nleadership has not been forthcoming.\n    Question 2. Would installing the protections necessary to protect \nthe electric grid from EMP be costly?\n    Answer. Protection for the vulnerabilities indicated above would \nnot be expensive in terms of the initial costs of the equipment, the \nreplacement costs, or certainly when compared with the cost to the \neconomy of the United States of an extended electrical blackout.\n    a. It is recommended that the work of the EMP Commission be studied \nby those in charge of ensuring the reliability of the U.S. power \nsystem, with an emphasis on relative vulnerabilities (e.g. 
765 kV \nnetwork) and in terms of applying protection first to new construction, \nwhere the cost will be at the low end for such protection. The U.S. \nexperience with military systems indicates that the cost of protecting \nnew systems from EMP is in the 1-2% range when carried out by \nknowledgeable and experienced engineers. Unfortunately, the number of \nsuch engineers has been declining since the end of the Cold War.\n    b. It is urgent that work begins on adapting international \nstandards on EMP protection to the U.S. power grid as soon as possible. \nIt appears that FERC is in the best position to ensure that NERC \ndevelops the proper protection standards and sets a schedule to \naccomplish the protection.\n    Question 3. The ``Smart Grid'' concept means putting more \ncomputerized systems, similar to Systems Control and Data Acquisition \n(``SCADA'') systems throughout the grid, down to the level of \nindividual users such as homes and buildings. Aren't these systems even \nmore sensitive and susceptible to damage by EMP than the other \ncomponents of the electrical grid? In your opinion, would the ``Smart \nGrid'' be even more likely to be taken down by EMP than our current \ngrid if the computer controls were not protected from EMP?\n    Answer. It is very clear that one of the primary objectives of the \n``Smart Grid'' is to reduce the peak power needs by controlling the \npower usage by the customer (primarily through time of day pricing or \nmandatory reductions in use of electricity at times of high usage of \nelectricity in various regions). 
While this approach may be beneficial \nin the short run, the information from electronic meters at homes and \nbuildings will essentially be used to operate the grid, which, without proper \nleadership and systems engineering, will lead to much less margin for \nelectric power reliability.\n    Based on experiments performed by the EMP Commission, substation \nsafety relays have been found to be vulnerable to EMP, but at much \nhigher levels of threat than standard PC equipment (PCs are extremely \nvulnerable to EMP). The point is that Smart Meters (essentially PC \ntechnology) will require a strong, comprehensive effort for both \nElectromagnetic Interference (EMI) and EMP protection.\n    If these meters are not well-protected against EMP, as well as \nnormal EMI, geomagnetic storms, and IEMI (EM weapons), then EMP will \nlikely cause a more rapid failure of the new ``Smart'' Grid. The IEEE \nElectromagnetic Compatibility (EMC) Society met recently in Austin, \nTexas and registered alarm at the lack of basic EMC and EMP protection \nstandards being referenced by the National Institute of Standards and \nTechnology (NIST) and the Electric Power Research Institute (EPRI) in \ntheir review of existing important protection standards for the ``Smart \nGrid''. A letter from the Society is being prepared to indicate this \nconcern.\n    Question 4. New ``Green Generation'' such as wind power will also \nrequire the addition of thousands of miles of new high-voltage \ntransmission, because most of the wind farms will be located far from \npopulation centers. Aren't these very long high-voltage lines the most \nvulnerable to Geomagnetically Induced Currents (GIC), and if that is \nthe case, shouldn't we be building these transmission lines with EMP \nprotective technologies?\n    Answer. Some of the planning performed by industry has indicated a \npreference for 765 kV lines leading from the Midwest, where wind power \ncan easily be obtained, to Chicago. 
Studies performed for the EMP \nCommission clearly indicated that long high-voltage power transmission \nsystems (including their connected transformers) are highly vulnerable \nto geomagnetic storms. For example, 765 kV systems are more vulnerable \nto geomagnetic storms than the lower voltage systems found in most of \nthe United States. The reason for the use of higher voltages is to \nminimize power loss, but protection is needed for the transformers. \nClearly the protection of transformer neutrals, as discussed during the \nEMP Commission research, should be applied to all such new transmission \nsystems as they are built, thereby reducing the cost of installation \ncompared to the cost of retrofitting. Such geomagnetic storm protection \nwill also provide protection against E3 EMP.\nQuestions From Chairwoman Yvette D. Clarke of New York for Mr. Michael \n J. Assante, Vice President and Chief Security Officer, North American \n                    Electric Reliability Corporation\n    Question 1. Why did the Critical Infrastructure Protection \nCommittee decide against taking action on the EMP Commission findings \nduring the September 11, 2008 meeting?\n    Answer. The Critical Infrastructure Protection Committee (``CIPC'') \nis a NERC-sponsored, self-governed committee of volunteers representing \nusers, owners, and operators of the bulk power system and other \ninterested entities with a mission to advance the physical and \ncybersecurity of the critical electricity infrastructure of North \nAmerica. The CIPC does not constitute all of the activities related to \nCritical Infrastructure Protection undertaken by NERC, nor does it \ndefinitively represent NERC's full position on any matter. 
The CIPC \nadvises NERC's Board of Trustees and Electric Sector Steering Group, \nalong with NERC staff, on matters relating to Critical Infrastructure \nProtection.\n    NERC is not in a position to explain the conclusion stated in the \nminutes of CIPC's September 11, 2008 meeting regarding the EMP \nCommission report. The CIPC has worked with the EMP Commission in the \npast. A subgroup of CIPC, the High Altitude Electromagnetic Pulse Task \nForce, was formed during 2002 and 2003 specifically for the purpose of \nworking with the EMP Commission and providing industry insight and \nsupport for its efforts. That industry participation is referenced \nrepeatedly throughout the EMP Commission's April 2008 report. At CIPC's \ninvitation, Dr. Michael Frankel, Executive Director of the EMP \nCommission, made a presentation to the committee at its March 2009 \nmeeting about the work of the EMP Commission and the EMP Commission \nreport.\n    Question 2. It is our understanding from the April 2009 letter sent \nby Mike Assante that a large portion of the electrical industry has not \nidentified ``critical cyber assets,'' which is a requirement under the \nNERC standards. Please explain why this letter was sent and what the \nresponse to the letter has been.\n    Answer. The prioritization of critical assets for protection is the \nfoundation upon which NERC's Critical Infrastructure Protection \n(``CIP'') standards are built. In developing the standards, the \nindustry standards drafting team recognized that the protection of \nassets must occur in a staged approach, with appropriate focus being \ngiven to those elements of the system deemed ``critical'' to \nreliability. This approach was approved by the Federal Energy \nRegulatory Commission (``FERC'') in its conditional approval of NERC's \nReliability Standards CIP-002--CIP-009 in Order No. 
706 on January 18, \n2008.\n    ``Critical assets'' are defined in NERC's glossary of terms as \nthose ``facilities, systems, and equipment which, if destroyed, \ndegraded, or otherwise rendered unavailable, would affect the \nreliability or operability of the Bulk Electric System.''\\1\\\n---------------------------------------------------------------------------\n    \\1\\ NERC Glossary of Terms. Version dated April 20, 2009. http://\nwww.nerc.com/files/Glossary_2009April20.pdf.\n---------------------------------------------------------------------------\n    Reliability Standard CIP-002 ``requires the identification and \ndocumentation of the Critical Cyber Assets associated with the Critical \nAssets that support the reliable operation of the Bulk Electric \nSystem.''\\2\\\n---------------------------------------------------------------------------\n    \\2\\ NERC Reliability Standard CIP-002-1. http://www.nerc.com/files/\nCIP-002-1.pdf.\n---------------------------------------------------------------------------\n    Due to the nature of the system, not all Registered Entities own or \noperate critical assets. Many Registered Entities, for example, own or \noperate a single small generating station, which would not necessarily \nbe deemed ``critical'' under the definition above.\n    As part of the implementation plan for the CIP standards, NERC \nrequires Registered Entities to self-certify their progress in coming \ninto compliance with certain Reliability Standards. Responses received \nfrom the industry for the period of July-December 2008 raised a concern \nthat all respondents may not have applied a suitable approach in \nidentifying critical assets and their associated critical cyber assets. \nThe April 7, 2009 letter sent by NERC's Chief Security Officer Michael \nAssante sought to bring clarity to the discussion of appropriate \napproaches to critical asset identification. 
The letter encouraged \nRegistered Entities to take a fresh look at current risk-based \nassessment models to ensure they appropriately account for new \nconsiderations specific to cybersecurity, such as the need to consider \nmisuse of a cyber asset, not simply the loss of such an asset. Final \ndecisions regarding appropriate identification of critical assets and \ntheir associated critical cyber assets will be made through NERC's \ncompliance and enforcement efforts. Compliance audits on the CIP \nstandards have already begun.\n    The April 7 letter is part of the iterative process between NERC \nand industry stakeholders as we work together to improve reliability. \nIn this case, NERC gathered information about the status of \nimplementation of the Critical Infrastructure Protection standards and \nfed that information and its own insights back to the industry as part \nof a cycle of continuous improvement. NERC is working to address a \ncritical element of the cybersecurity challenge: The educational \nlearning curve and resulting compliance-related challenges that must be \naddressed to improve the cybersecurity of the bulk power system.\n    Question 3. Describe the expense and technical challenges in \ninstalling or implementing cyber and EMP protections for the grid?\n    Answer. The expense and technical challenges associated with \nimplementing cyber and EMP protections for the grid depend upon the \ntypes of protections required and the grid systems being addressed. \nThus, NERC cannot respond specifically, but we are able to provide a \ngeneral response.\n    The nature of the Bulk Power System creates unique complexity in \naddressing security risk. The interconnected system includes \napproximately 5,000 generating plants, 165,000 miles of transmission \nlines, 20,000 substations, and millions of digital controls. These \nassets are widely dispersed, primarily located outside, and are owned \nand operated by approximately 1,800 different entities. 
The variance in \nsize and organizational structure of these 1,800 entities presents \nadditional challenges. Entities range in size from thousands of \nemployees to 20 or fewer employees. The organizations range from large \ninvestor-owned utilities like Exelon and Pacific Gas & Electric to non-\nprofit electricity market operators like ISO New England; from small \nmunicipally owned utilities like the City of Orrville, OH to large \nGovernment agencies like the Tennessee Valley Authority and the U.S. \nArmy Corps of Engineers; and from independent owners of individual \ngenerating plants like JP Morgan Ventures to cooperatives of all sizes, \nfrom Great River Energy to Bluebonnet Electric Cooperative.\n    Systems are highly customized for specific environments, and, while \ncommon components are often used, unique configurations present \nchallenges in providing uniform, specific guidance on protections. \nActions that result in improved security on some systems could \npotentially result in degraded security on others. More effective \napproaches often involve a range of acceptable mitigation options.\n    The real-time operating environment also presents an important \ntechnical challenge, such that security controls that may be \nappropriate in other settings could present significant risks to the \nreliable operation of the system were they to be similarly applied to \nthe bulk power system.\n    NERC believes that the asset owners would be in the best position \nto provide specific information on the costs and technical challenges \nof various protections.\n    Question 4. Do plans or procedures exist for the electric industry \nin the case of a known cyber attack or an imminent EMP? If so, can you \noutline them for us?\n    Answer. NERC's Critical Infrastructure Protection standards require \nan annual exercise for response to cybersecurity events. 
Standard CIP-\n009 requires that recovery plans be put in place for Critical Cyber \nAssets and that these plans follow established business continuity and \ndisaster recovery techniques and practices.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ NERC Reliability Standard CIP-009. http://www.nerc.com/files/\nCIP-009-1.pdf.\n---------------------------------------------------------------------------\n    To my knowledge, no electric industry plans or procedures have been \ndeveloped specifically for an imminent EMP.\n    Initial planning for response to an imminent geomagnetic event was \ncompleted by many entities in response to the 1989 geomagnetic storm \nthat triggered a widespread blackout in Quebec. Response to an imminent \nEMP threat would require similar measures for certain components of an \nEMP, but those measures would not deal with all aspects of an EMP.\n    Over the past year, NERC has been working to improve industry-wide \nresponses to known or imminent threats of all kinds. NERC's alerts \nsystem allows it to reach nearly 5,000 industry professionals at \noperations centers, power plants, and other power system facilities \nacross North America. A next-generation alerts tool is currently \nnearing completion, which will enable recipients to view and submit \nsecure information to NERC. Contacts will be able to receive alert \ninformation via text message and e-mail.\n    Question 5. Does NERC have requirements for cyber and physical \nprotections for new ``Smart Grid'' assets?\n    Answer. NERC Reliability Standards apply to the Bulk Power System \nas defined in Section 215 of the Federal Power Act:\n    (A) facilities and control systems necessary for operating an \ninterconnected electric energy transmission network (or any portion \nthereof); and\n    (B) electric energy from generation facilities needed to maintain \ntransmission system reliability. 
The term does not include facilities \nused in the local distribution of electric energy.\n    Thus, ``Smart Grid'' assets that are necessary to the operation of \nthe Bulk Power System can be covered under NERC Reliability Standards, \nbut those located on facilities used in the local distribution of \nelectric energy are not, unless such assets materially impact the bulk \npower system.\n    NERC is coordinating with NIST as it develops interoperability and \nsystem security standards for ``Smart Grid'' systems at the \ndistribution level, as directed in FERC's July 2009 ``Smart Grid Policy \nStatement''.\n    Question 6. What efforts has NERC made to adopt NIST security \nstandards? How do the current NERC standards differ from NIST 800-53 \nstandards?\n    Answer. NERC currently has efforts underway to adapt the NIST \nframework for use in power system applications. The Cyber Security \nOrder 706 Drafting Team recently posted a concept paper entitled \nCategorizing Cyber Systems: An Approach Based on BES Reliability \nFunctions for industry comment, which outlines a proposed framework for \nrevising the existing Critical Infrastructure Protection Standards. \nComments on the concept paper are due from industry on September 4, \n2009.\n    Existing NERC standards primarily differ from the NIST framework in \nseveral ways:\n    (1) NERC standards do not presently assign a ``level of risk'' \n        (Low-Medium-High) to an asset being protected;\n    (2) NERC standards do not include a graduated approach to controls \n        to align with such a ``level of risk'' framework; and\n    (3) NERC standards apply to individual assets and do not \n        comprehensively consider the systems or networks of which they \n        are a part or the function for which they are employed.\n    Question 7. Is NERC required by law to follow an ANSI standards \ndevelopment process in writing CIP standards?\n    Answer. 
No, NERC is not required by law to have an ANSI-accredited \nstandards process. Section 215 of the Federal Power Act does require \nthat NERC's standards development process ``provide for reasonable \nnotice and opportunity for public comment, due process, openness, and \nbalance of interests in developing reliability standards . . . ''. \n(Sec. 215(c)(2)(D)). These factors are very similar to the central \ncharacteristics of an ANSI-accredited process, and in certifying NERC \nas the ERO, FERC found that NERC's ANSI-accredited standards \ndevelopment process meets the statutory requirements. NERC's standards \ndevelopment process is set forth in NERC's Rules of Procedure, which \nFERC has approved.\n    Question 8. Is it possible that foreign adversaries have penetrated \nthe electric grid and are in position to cause significant damage at a \ntime of their choosing? Are utilities capable of knowing this?\n    Answer. I am unable to discuss that question in an open forum. I \nwould be prepared to work with the appropriate Government agencies to \narrange a secure briefing for the subcommittee at its request.\n    As raised in my written testimony, the electric grid is placed at \nsignificant risk as a result of limited information-sharing between the \nFederal Government intelligence community and asset owners. In order to \nadequately protect their systems, asset owners need to know what to \nlook for. The origin and signature of potentially dangerous code \ncontinually change and are identified by the Federal Government \nintelligence community. This information often remains classified, \nleaving asset owners without access to this classified information \nunable to protect and respond to potential threats.\n    Question 9. What are the largest risks to the electric grid, and \nwhat is NERC doing to mitigate those risks? In assessing the risk to \nthese systems, how do you assess threat?\n    Answer. 
Some of the largest risks to the electric grid include \nfrequent, uncontrollable events such as severe weather and other \nnatural disasters. Other large risks are controllable events, such as \nthe causal factors of the August 14, 2003 blackout: Untrimmed trees, \nuntrained system operators, and malfunctioning equipment.\n    NERC's over 100 Reliability Standards focus on mitigating \ncontrollable risks, requiring that transmission owners maintain \nappropriate vegetation clearance around transmission lines, that all \nsystem operators are trained and certified, and that communications \nprotocols are in place to ensure system operators are able to respond \nto events effectively.\n    Cybersecurity is another significant risk to the system. One of the \nmost concerning aspects of this challenge is the cross-cutting and \nhorizontal nature of networked technology that provides the means for \nan intelligent cyber attacker to impact multiple assets at once, and \nfrom a distance. The majority of reliability risks that challenge the \nbulk power system today result in probabilistic failures that can be \nstudied and accounted for in planning and operating assumptions. \nCybersecurity is unique; system planners and operators must recognize \nthe potential for simultaneous loss of assets and common modal failure \nin scale in identifying what needs to be protected. This is why \nprotection planning requires additional, new thinking on top of sound \noperating and planning analysis. NERC believes asset owners and system \noperators are critical to the protection planning process and to \ndetermining the appropriate and necessary protections for their \noperating environments.\n    High Impact, Low Frequency (``HILF'') events, such as EMP events \nand pandemic illness, also present significant risk to the electric \nsystem. 
These events are the subject of an upcoming workshop to be \nconducted by NERC and the Department of Energy, presently targeted to \nbe held in mid-November 2009. (Please refer to NERC's response to \nQuestion 15 for further information on this effort.)\n    Relative threat can be defined as a function of the probability and \nseverity of a given event. HILF events are typically characterized by \nprobability that is uncertain relative to other threats. Though, to \nNERC's knowledge, the North American Bulk Power System has never \nexperienced a coordinated cyber attack that has affected reliability or \na high-altitude detonation of a nuclear weapon, past experience is not \na reliable indicator of future occurrence. NERC and the industry have \nno illusions of immunity to these threats.\n    Question 10. Has NERC done any analysis on the security of the \nelectric grid from cyber or physical (EMP) attack? If so, how secure \nand resilient does NERC believe the grid is today?\n    Answer. NERC has several efforts underway to assess security and \npreparedness, including its Cyber Risk Preparedness Assessment, Bulk \nPower System threat assessment program, and the HILF initiative. NERC \nalso supported and participated in the development of the EMP \nCommission report.\n    NERC believes that as Registered Entities are coming into \ncompliance with NERC's CIP standards, the system as a whole is becoming \nmore prepared to deal with the effects of a cyber attack to the bulk \npower system. Due to the ever-changing nature of this threat, however, \nthe Bulk Power System may never be fully secure from all potential \ncoordinated cybersecurity threats.\n    Certain of the measures and practices utilities put in place in \nresponse to the 1989 geomagnetic event in Quebec could provide some \nmeasure of protection against some, but clearly not all, manifestations \nof an EMP attack.\n    Question 11. 
What limitations does the term and definition of \n``bulk power system'' have on the security of the electric grid at \nlarge? Assuming we can protect the ``bulk power system'' from attack, \nwill that be adequate to protect the U.S. electric system?\n    Answer. The ``Bulk Power System'' is defined in Section 215(a)(1) \nof the Federal Power Act as:\n    (A) facilities and control systems necessary for operating an \n        interconnected electric energy transmission network (or any \n        portion thereof); and\n    (B) electric energy from generation facilities needed to maintain \n        transmission system reliability.\n    The term does not include facilities used in the local distribution \nof electric energy.\n    The authority granted by Section 215 to the Federal Energy \nRegulatory Commission and NERC as the ``Electric Reliability \nOrganization'' places appropriate focus on the reliability of the \n``Bulk Power System,'' as outages and disturbances on that system have \nthe potential for far greater impact than those on distribution \nsystems. However, the terms ``Bulk Power System'' and ``U.S. electric \nsystem'' are not synonymous. Protecting the former does not guarantee \nthat the latter will be entirely protected. Local distribution \nfacilities are generally outside NERC's jurisdiction, except (as noted \nabove) where local distribution facilities materially impact the Bulk \nPower System. The States of Alaska and Hawaii are also outside NERC's \njurisdiction.\n    Question 12. Can the electric grid be significantly disrupted \nthrough attacks on assets that are not addressed by NERC CIP standards?\n    Answer. Yes. Beyond the electric sector, debilitating attacks on \nother critical infrastructures, such as natural gas pipelines, \nrailways, and telecommunications, could significantly affect the Bulk \nPower System.\n    Question 13. 
What efforts have been initiated by NERC to require \nasset owners to secure this infrastructure from electromagnetic pulse \nevents? Please provide specific details.\n    Answer. NERC has recently partnered with the Department of Energy \non the ``High Impact, Low Frequency'' event workshop currently targeted \nto be held in mid-November. One of the goals of this workshop is to \nprovide guidance for the development of future requirements of this \nnature. Please refer to NERC's response to Question 15 for further \ninformation on this effort.\n    Question 14. Does an early detection and warning capability for \ncyber and physical threats exist for the electric industry today? If \nnot, why not?\n    Answer. Elements of an early detection capability exist, but \nmechanisms are needed to promote more information sharing between the \nFederal Government intelligence community and asset owners. When \nphysical or cybersecurity events affecting critical cyber assets occur \non the system, asset owners are required by NERC Reliability Standards \nto report this information to NERC. Asset owners are also encouraged, \nand many do, to report additional security events to NERC in its role \nas the ES-ISAC and submit an OE Form 417 to the Department of Energy \nregarding the event.\n    Mechanisms like NERC's alerts system and notifications from the \nUnited States Computer Emergency Response Team serve as effective \nwarning capabilities for distributing critical information to the \nelectric sector. Both mechanisms are capable of reaching wide audiences \nwithin the industry. Through its alerts system, NERC is able to require \nentities in receipt of the alert to acknowledge receipt and report to \nNERC on actions taken on recommendations included in the alert. NERC's \nlast recommendation (December 2008) was met with a 96% response rate.\n    Question 15. What is the High Impact/Low Probability Working Group? \nWhen and why was it started? 
How will findings from this group affect \nthe NERC CIP standards?\n    Answer. In partnership with the Department of Energy, NERC has \nrecently begun an effort to assess ``high impact, low frequency'' \nrisks--or, more accurately, those risks whose likelihood of occurrence \nis uncertain relative to other threats, but that could significantly \nimpact the system were they to occur. Officially launched on July 2, \nthe effort is a culmination of high-level discussions between \nleadership at NERC and the Department of Energy. NERC and DOE are \ncurrently recruiting members for the joint industry/Government working \ngroup, which will examine the potential impacts of these events on the \nbulk power system. The group will focus on influenza pandemic, space \nweather, terrorist attacks, and electromagnetic pulse events and host \nan invitation-only workshop in the coming months to discuss their \nassessment and develop conclusions and recommendations to industry \nbased on their work. These recommendations will be used to drive needed \ntechnology research, development, and investment and also to evaluate \nNERC's current standards and initiatives, potentially driving the \ncreation of new standards to address these issues.\n    The workshop is currently slotted for mid-November 2009.\n    Question 16. What responsibility and involvement does NERC have in \nSmart Grid development and deployment?\n    Answer. NERC has supported the development of certain ``Smart \nGrid'' resources on the transmission system through its support of the \nNorth American Synchro-Phasor Initiative (``NASPI''). Coordinated with \nindustry and the Department of Energy, this initiative is designed to \nimprove power system reliability and visibility through wide area \nmeasurement and control using ``phasor measurement units'' or ``PMUs''. 
\nThe NASPI community is working to advance the deployment and use of \nnetworked phasor measurement devices, phasor data-sharing, applications \ndevelopment and use, and research and analysis.\n    NERC also referenced the development of the ``Smart Grid'' and its \npotential effects on the reliability of the bulk power system in its \n2008 Long-Term Reliability Assessment, briefly mentioning cybersecurity \nas a primary concern when deploying ``Smart Grid'' infrastructure. \nNERC's technical committees are currently forming a ``Smart Grid Task \nForce'' to further review this issue.\n    As mentioned above, NERC is also coordinating with NIST through its \ndevelopment of Smart Grid interoperability and system security \nstandards.\n Questions From Chairwoman Yvette D. Clarke of New York for Mr. Steven \n  T. Naumann, on Behalf of Edison Electric Institute, Electric Power \n                           Supply Association\n    Question 1. Does the industry believe that physical or cyber events \nare serious issues to the functioning of the electric grid?\n    Answer. Yes. The industry takes all threats to the reliability of \nthe bulk power system seriously.\n    Question 2. Is it possible that foreign adversaries have penetrated \nthe electric grid and are in position to cause significant damage at a \ntime of their choosing? Are utilities capable of knowing this?\n    Answer. I do not know. Utilities continually monitor their systems \nfor intrusions. I do not know whether all utilities are capable of \ndetecting all intrusions.\n    Question 3. What are the largest risks to the electric grid, and \nwhat is EEI doing to mitigate those risks? In assessing the risk to \nthese systems, how do you assess threat?\n    Answer. Historically, the largest risks to the grid have been \ncreated by acts of nature including hurricanes, ice storms, wildfires, \nand flooding. 
The interconnected nature of the electric grid has led to \ntraditional coordination by the North American electric power companies \nin responding to those risks.\n    EEI member companies continually assess operational risks be they \nnatural or manmade and work to put appropriate risk mitigation measures \nin place.\n    Most organizations perform risk assessments that include the \nfollowing elements:\n  <bullet> Identifying threats that could harm and, thus, adversely \n        affect critical operations and assets. Threats include such \n        things as intruders, criminals, disgruntled employees, \n        terrorists, and natural disasters.\n  <bullet> Estimating the likelihood that such threats will materialize \n        based on historical information and judgment of knowledgeable \n        individuals.\n  <bullet> Identifying and ranking the value, sensitivity, and \n        criticality of the operations and assets that could be affected \n        should a threat materialize in order to determine which \n        operations and assets are the most important.\n  <bullet> Estimating, for the most critical and sensitive assets and \n        operations, the potential losses or damage that could occur if \n        a threat materializes, including recovery costs.\n  <bullet> Identifying cost-effective actions to mitigate or reduce the \n        risk. These actions can include implementing new organizational \n        policies and procedures as well as technical or physical \n        controls.\n    Companies throughout North America maintain strong programs to \nanticipate events such as hurricanes and winter storms, and to \nefficiently mitigate damage and restore service when such events \nhappen. Coordination with Federal, State, and local governments, \nincluding law enforcement and emergency management, is a critically \nimportant part of these planning processes. 
Through decades of \nexperience with these extremely challenging events, electric companies \nunderstand systemic risks, including especially the nature of the \nreliance of the electric industry on other key infrastructure \nindustries such as natural gas pipelines and telecommunications. In \nrecent years, the electric utility industry has added a strong emphasis \non physical and cybersecurity in response to potential terrorist \nattacks on critical infrastructure.\n    Question 4. What would industry like to see from Government in \nterms of an alert and warning system about an impending cyber attack? \nDoes this early warning system exist today?\n    Answer. The industry is strongly interested in receiving timely, \nactionable and specific threat information, and having the opportunity \nto engage in consultation with Federal agencies as to appropriate \nresponse/attack mitigation strategies. Some elements of warning systems \nexist today. However, timely delivery of specific threat/threat actor \ninformation has been a challenge, due to barriers posed by sharing of \nclassified information, as well as the time required by Government \nagency staff to obtain approval to release information to private \nindustry participants. The approval and communications challenges are \nmagnified when multiple Government agencies are involved. If the \nCongress wishes the electric sector to be in a position to respond to \nan impending cyber attack it simply must take steps to provide specific \nthreat/threat actor information to the sector--with appropriate \nmechanisms to protect against inappropriate distribution and release of \nclassified or other security-sensitive information.\n    Question 5. What is the current role of the Federal Government in \ndefending against nation-state-level cyber or physical attacks against \nelectric facilities? What should the role of the Federal Government be?\n    Answer. 
There are multiple Federal agencies involved in defending \nagainst cyber or physical attacks perpetrated by nation-states and \nother adversaries against electric facilities, including: The \nDepartment of Defense, the Department of Energy, the Department of \nHomeland Security, the Federal Bureau of Investigation, and the Office \nof the Director of National Intelligence, among others. While it would \nbe difficult to describe their mission profiles with precision, the \nindustry is very interested in receiving timely, actionable, and \nspecific threat information from these various entities.\n    Question 6. What are EEI and its industry representatives doing to \naddress the April 8, 2009 Wall Street Journal article discussing the \nexistence of ``cyberspies'' in the electric grid?\n    Answer. NERC has been charged by Congress with overseeing the \nreliability of the bulk power system and addressing issues \nsubstantively. In light of this, I suggest that NERC is the appropriate \nentity within our sector to address and answer this question in detail.\n    Question 7. Have each of the EEI member companies fully implemented \nthe mitigation measures for the Aurora vulnerability? How much did the \nsecurity upgrades cost and how long did it take to mitigate these \nvulnerabilities?\n    Answer. I do not have first-hand knowledge of the actions of other \ncompanies in response to Aurora, nor the costs to mitigate any \nvulnerabilities. I believe that Exelon has fully implemented the \nmitigation measures for the Aurora vulnerability. The costs incurred by \nthe Exelon Companies, Commonwealth Edison Company, Exelon Generation \nLLC and PECO Energy, in complying with the Aurora Advisory were \napproximately $1.2 million.\n    EEI does not have specific knowledge of how many companies have \nmitigated the Aurora vulnerability, or the costs incurred.\n    Question 8. 
EEI has a program called the Spare Transformer \nEquipment Program, or ``STEP'' program, which is supposed to increase \nthe electric industry's inventory of spare transformers in the event of \na transmission outage caused by a terrorist attack. How many extra \ntransformers have been acquired as a result of that program?\n    Answer. The purpose of the STEP program is to facilitate a \ncontract-based business program to support more efficient management of \nexisting inventories of transformers for dealing with a triggering \nevent, specifically a deliberate destruction of electrical transformers \nin connection with a terrorist event. The program is not intended to \nincrease stockpiles per se, but to set terms and conditions for the \nsharing of inventories among the owners of these kinds of equipment. \nThus, when a company orders a new transformer, it is difficult to \nspecifically determine whether that order has been triggered by \nordinary business needs, or, by the terms of the STEP contract. In \naddition, confidentiality provisions of the STEP agreement prohibit \ndisclosure of various kinds of information.\n    Question 9. What are EEI's concerns about granting FERC authority \nto set standards for security?\n    Answer. The legislative discussion to date has focused on how best \nto ensure that electric companies will take actions in response to \nimmediate cyber-related emergency threats. Whether conducted by FERC or \nNERC, EEI believes that a standards process is ill-suited for \naddressing this need. The present focus of the discussions is on the \nneed for FERC to address cybersecurity issues for the bulk power \nsystem, over which it has reliability jurisdiction. EEI believes that \nthis is the appropriate FERC role.\n    Legislation should define a single agency for issuing national \nemergency actions to the electric sector. 
For the kinds of broad cyber-\nrelated threats and vulnerabilities that might relate to needs for \nnational emergency actions, EEI believes that the primary authorities \nlocated within both DOE and DHS are the appropriate locations for \ndealing with these matters. For DOE, its role as lead agency for the \nElectricity Sector Coordinating Council (``ESCC'') under the National \nInfrastructure Protection Plan (``NIPP'') suggests a broad coordination \nand communication role. For DHS, its broad agency role and activities \nwith the electric industry to date suggests such a role.\n    For other threats and vulnerabilities that are not of an imminent \nnational emergency nature, the Self Regulatory Organization (``SRO'') \nmodel for setting standards throughout North America is strong and \nshould be sustained. The electric industry recognizes that the NERC \nCritical Infrastructure Protection Standards need improvement. \nDevelopment of the next version of Critical Infrastructure Protection \nStandards has just begun. In addition to addressing security-related \nconcerns at NERC through the standards development process, various \nNERC communications processes and technical committee reviews can be \nused to discuss and communicate security-related reliability issues.\n Questions From Chairwoman Yvette D. Clarke of New York for Mr. Joseph \n   H. McClelland, Director of Reliability, Federal Energy Regulatory \n                               Commission\n    Question 1. What is the current role of the Federal Government in \ndefending against nation-state or terrorist cyber or physical attacks \nagainst electric facilities? Should the security of the electric grid \nrely on voluntary private sector measures? What should the role of the \nFederal Government be?\n    Answer. The commission currently has a limited role in defending \nagainst nation-state or terrorist cyber or physical attacks against \nelectric facilities. 
Section 215 of the Federal Power Act (FPA) \nauthorizes the commission to approve and enforce mandatory reliability \nstandards for the bulk-power system, including cybersecurity standards. \nThe commission does not, however, have authority to author or modify \ncyber- or physical security standards, and it has no authority to order \nimmediate steps to mitigate a threat or vulnerability that is not \naddressed by current standards. The commission can only approve or \nremand reliability standards submitted to it by the North American \nElectric Reliability Corporation (NERC), the commission-certified \nElectric Reliability Organization (ERO). The commission can direct NERC \nto submit a reliability standard or a modification to a reliability \nstandard that addresses a specific matter, but it cannot control the \ncontent of the draft standard to ensure that it sufficiently addresses \nthe commission's directive. In the event that an inadequate standard is \nsubmitted, the commission can either approve the inadequate standard \nand direct modifications, or reject the standard and thereby have no \nstandard in-place until a replacement standard is drafted by NERC and \nfiled with the commission.\n    Cyber or physical attacks on the bulk-power system may constitute \nthreats to national security, military readiness, public safety, and \nour Nation's economic well-being. Because of the wide-spread effects \nand serious consequences that a successful cyber attack may bring, it \nis important that swift, consistent, and effective action is taken by \nentities to prevent such attacks. Such action cannot be assured through \na voluntary or decentralized process. The Federal Government should \nhave the ability to protect against such attacks by having emergency \nauthority to order mitigation measures when necessary.\n    Question 2. Does an early detection and warning capability for \ncyber and physical threats exist for the electric industry today? 
Is \nthis an appropriate role for the Federal Government? What are the \ntechnical and political challenges in creating such a system?\n    Answer. Currently, there is no true early detection and warning \ncapability for cyber and physical threats. Although the electric \nindustry voluntarily created the Electric Sector--Information Sharing \nand Analysis Center (ES-ISAC) to share information on certain physical \nand cybersecurity events (such as surveillance issues, break-ins, \nthefts, viruses, computer worms, etc.), the scope and amount of shared \ninformation is limited.\n    An early detection and warning system by itself, however, is not \nsufficient. Considering the potential impact that a successful cyber or \nphysical attack on the power grid could have on the safety, economy, \nand military readiness of the United States, the Federal Government \nshould have the ability to order specific measures to protect against \nsuch attacks, in addition to warning entities of imminent threats.\n    In addition to challenges related to the secure and coordinated \ncommunication of sensitive information, including protecting such \ninformation from public disclosure, the challenges to implementing any \nnew Federal authority would include: The ability to protect critical \ninformation about physical and cybersecurity threats and \nvulnerabilities and the mitigation measures employed to address them, \nthe ability to provide cost recovery for utilities that comply with a \ndirective to perform mitigations, and determining which power grid \nfacilities in the United States should be subject to the commission's \njurisdiction. Turning to technical challenges, it will be important to \nwork with other agencies that can quickly identify critical system \nvulnerabilities and threats in order to rapidly develop effective \nsolutions, thereby equipping the affected members of the electric \nindustry to implement timely and effective mitigation measures.\n    Question 3. 
Who within FERC is charged with protection of the \nelectric grid from electromagnetic pulse? Who within FERC is charged \nwith protection of the electric grid from cyber attack?\n    Answer. As previously mentioned, section 215 of the FPA creates a \nlimited role for the commission with respect to overseeing the cyber- \nand physical security of the bulk power system. The commission can only \napprove or reject reliability standards as they are developed and \nproposed by the ERO. Although the commission can direct the ERO to \ndevelop or modify a reliability standard to address a specific matter, \nit cannot author or modify the standards.\n    My office, the Office of Electric Reliability, has primary \nresponsibility for monitoring the ERO's development of reliability \nstandards and modifications to reliability standards. The Office of \nEnforcement has primary responsibility for overseeing the enforcement \nof existing standards, including the eight cybersecurity standards \napproved by the commission in Order No. 706. Currently, there are no \nstandards to protect against electromagnetic pulse, and therefore there \nis no group or person at the commission charged with protecting the \nelectric grid from electromagnetic pulse.\n    Question 4. What are the current shortcomings in FERC authority to \nregulate physical and cybersecurity practices throughout the electric \ngrid?\n    Answer. The commission's primary authority in this area is section 215 of \nthe FPA. Under the current statutory framework, however, the commission \ncannot author or modify reliability standards, and it has no authority \nto order emergency mitigation measures. 
The commission can direct NERC, \nas the ERO, to develop reliability standards or modifications to \nreliability standards that address specific matters, but this requires \naction through NERC's standard development process.\n    The commission's current authority is not sufficient to protect the \nelectric grid from cyber- or physical security vulnerabilities and \nthreats that endanger national security. The NERC standard development \nprocess is an open and inclusive stakeholder ballot process that \ntypically takes time and can produce results that inadequately respond \nto the commission's directives. Although NERC has an expedited process, \nthat expedited process has never been used, and even the expedited \nprocess is not likely to allow a timely, adequate response to an \nimminent threat. If the commission has to rely on the NERC process, and \nthat process results in a standard that does not adequately address the \nthreat, the commission has no authority to modify the standard and \nwould be limited to remanding it back for additional ``expedited'' \nprocesses, leaving the grid vulnerable in the meantime.\n    Question 5. What limitations does the term and definition of ``bulk \npower system'' have on the security of the electric grid at large? \nAssuming we can protect the ``bulk power system'' from attack, will \nthat be adequate to protect the U.S. electric system? Are all cities \nprotected? Are facilities in Alaska and Hawaii protected? Are all \ngeneration, transmission, and distribution systems protected?\n    Answer. Currently, the commission defines the term ``bulk power \nsystem,'' based on an industry-developed definition, as ``the \nelectrical generation resources, transmission lines, interconnections \nwith neighboring systems, and associated equipment, generally operated \nat voltages of 100 kV or higher.'' However, the definition is subject \nto the interpretation of the regions and therefore can vary \nconsiderably from place to place. 
This results in inconsistent \ndesignations of what constitutes the ``bulk power system'' and \ntherefore what facilities are regulated by the reliability standards. \nFor instance, this definition excludes some major metropolitan areas \nsuch as New York City.\n    Additionally, section 215 of the FPA precludes the application of \nreliability standards to Alaska and Hawaii and to ``facilities used in \nthe local distribution of energy.'' Consequently, the commission cannot \nuse its limited authority to protect Alaska, Hawaii, and distribution \nsystems from physical and cyber threats.\n    Question 6. Can the electric grid be significantly disrupted \nthrough attacks on assets that are not regulated by FERC (i.e. assets \nthat do not belong to ``bulk power system'')?\n    Answer. Yes. For example, a city or region with a large number of \nSmart Meters without appropriate cybersecurity protections that allow \nfor remote disconnect is vulnerable to an attack that could cause \nsignificant disruption. If an attacker commanded all the meters to \ndisconnect, the entire load would be dropped rapidly, which could cause \nlarge amounts of generation to be dropped, thereby potentially creating \ncascading outages through the transmission system. In addition, attacks \ncould cause more permanent damage to the meters, to the point that they \nwould need to be manually replaced and reprogrammed before they could \nbe used again. Such repair could take several weeks, delaying power \nrestoration to affected areas.\n    Question 7. Why should FERC be given authority to protect systems \nand assets from physical attack? What kinds of dangers are posed by \nphysical threats like over-voltages and/or overcurrents?\n    Answer. The commission should be granted authority to protect \nsystems from physical attacks because it is the agency charged with \noverseeing the reliability of the grid, and physical attacks can cause \nequal or greater destruction than cyber attacks. 
Direct physical \nattacks on electric facilities, either through malicious physical \nassault or natural occurrences can have devastating consequences. A set \nof well-coordinated direct physical attacks on the grid could \njeopardize national security and military readiness and threaten the \nNation's social and economic stability. Any crisis created by a \nphysical attack could be compounded by an inability to immediately \nreplace damaged equipment. Lead time for purchase and delivery of the \nmost critical equipment (such as large power transformers) can be up to \n2 years because of limited production and the fact that no domestic \nmanufacturer currently provides these devices. The bulk power system is \ndesigned to withstand the loss of some critical equipment, but not at \nthe magnitude that could fail because of a physical attack. The \ncommission does not need, however, to displace local or other Federal \nauthorities that have oversight of physical security.\n    One example of a physical threat is an electromagnetic pulse (EMP) \nevent. In 2001, Congress established a commission to assess the threat \nfrom EMP, with particular focus on the nature and magnitude of high-\naltitude EMP threats to the United States, the vulnerability of U.S. \nmilitary and civilian infrastructure to an attack, the capability to \nrecover from an attack, and the feasibility and cost of protecting \nmilitary and civilian infrastructure, including energy infrastructure, \nfrom an attack. In 2004, the commission issued a report describing the \nnature of EMP attacks, vulnerabilities to EMP attacks, and strategies \nto respond to an attack. The commission issued a second report in 2008.\n    An EMP may also be a naturally occurring event caused by solar \nflares and storms disrupting the Earth's magnetic field. In 1859, a \nmajor solar storm occurred, causing auroral displays and significant \nshifts of the Earth's magnetic fields. 
As a result, telegraphs were \nrendered useless and several telegraph stations burned down. The \nimpacts of that storm were muted because very little electronic \ntechnology existed at the time. Were the storm to happen today, \naccording to an article in Scientific American, it could ``severely \ndamage satellites, disable radio communications, and cause continent-\nwide electrical black-outs that would require weeks or longer to \nrecover from.''\n    Commission staff has no data on how well the bulk power system is \nprotected against an EMP event, and the existing reliability standards \ndo not address EMP vulnerabilities. Protecting the electric generation, \ntransmission, and distribution systems from severe damage due to an EMP \nwould involve vulnerability assessments at every level of electric \ninfrastructure. In addition, as the 2004 and 2008 commission reports \npoint out, the reliable operation of the electric grid requires other \ninfrastructure systems, such as communications, natural gas pipelines, \nand transportation, which would also be affected by an EMP attack or \nevent.\n    Question 8. Does FERC maintain any existing authorities that would \nallow it to require owners and operators of electric facilities to \nharden their equipment to mitigate the effects of an electromagnetic \npulse?\n    Answer. Section 215 explicitly addresses reliability and \ncybersecurity but is not explicit about its applicability to EMP. \nMoreover, the process under section 215 typically takes years to return \na standard and there is no assurance that the standard will be \nresponsive to the commission's directive or adequately address the \nthreat. As has been described earlier, the commission does not have any \ndirect authority to require owners and operators of electric facilities \nto harden their equipment to mitigate the effects of an EMP attack.\n    Question 9. 
Does FERC maintain any existing authorities that would \nallow it to require owners and operators of electric facilities to \nharden their equipment to mitigate the effects of a cyber attack?\n    Answer. Although the commission could direct NERC to develop \nadditional reliability standards to address the threat of a cyber \nattack, the process typically takes years to return a standard and \nthere is no assurance that the standard will be responsive to the \ncommission's directive or adequately address the threat. As has been \ndescribed earlier, the commission does not have any direct authority to \nrequire owners and operators of electric facilities to harden their \nequipment to mitigate the effects of a cyber attack.\n    In January 2008, the commission exercised its authority to approve \ncybersecurity standards and approved eight cybersecurity standards in \nOrder No. 706. However, upon approval, the commission found that the \nstandards required significant modifications in order to effectively \nprotect the bulk power system and therefore directed NERC, as the ERO, \nto make changes to the approved standards. Although the drafting of \nsome of those modifications is currently under way through NERC's \nstandards development process, it is expected to take years before all \nof the modifications are filed with the commission for review. \nCurrently, the eight cybersecurity standards are in various stages of \nimplementation and are not yet in full effect. For instance, the \nstandards do not require that many utilities be ``auditably compliant'' \nuntil mid-2010.\n    There is reason for concern about the thoroughness and consistency \nwith which the electric industry is applying the cybersecurity \nstandards. In April 2009, NERC's Chief Information Officer sent a \nletter to industry (attached) discussing the results of an industry-\nwide survey of critical assets. 
According to NERC's findings, only 31 \npercent of entities identified at least one critical asset, and only 23 \npercent identified at least one Critical Cyber Asset. The letter also \nstated that only 29 percent of generation owners or operators reported \nat least one Critical Asset. The Chief Information Officer questioned \nthese results and stated that NERC ``will also carry out more detailed \nanalyses to determine whether it is possible that 73 [percent] of Table \n3 and 4 Registered Entities do not possess any assets that, `if \ndestroyed, degraded, or otherwise rendered unavailable, would affect \nthe reliability or operability of the Bulk Electric System.' '' The \ncurrently approved reliability standards allow the regulated entities \nto self-determine the equipment that is subject to the cybersecurity \nstandards. If the equipment is not identified, no cyber protection is \nrequired under the standard.\n    Question 10. What are the key aspects of any piece of legislation \nthat seeks to secure the electric grid from cyber and physical attack? \nWhich of the four bills currently being considered in Congress best \naddresses these requirements?\n    Answer. Any legislation that seeks to secure the electric grid from \ncyber and physical attack should grant the commission authority, \nfollowing a determination by the President or a national security \nagency of a vulnerability or threat that endangers national security, \nto order such emergency mitigation measures or actions necessary to \nprotect the Nation's critical electric infrastructure. This authority \nshould encompass both physical and cybersecurity, as vulnerabilities \nand threats to the grid exist in both areas.\n    Additionally, the commission must have the ability to protect \nsecurity-sensitive information from public disclosure. 
The potential \nfor publication of sensitive information regarding cyber and physical \nthreats to the security of the Nation's critical electric \ninfrastructure weakens the commission's ability to respond to cyber \nthreats and endangers compliance by private entities concerned about \nthe sensitivity of information they provide to the commission.\n    Finally, Congress should consider applying any new legislation to \nelectric infrastructure that is critical to the safety and security of \nthe United States, regardless of whether the electric facilities are \nexcluded from section 215 or included by that section. Currently under \nsection 215, the commission has no jurisdiction over any electric \ninfrastructure in Alaska and Hawaii, and lacks jurisdiction over some \ntransmission, generation, and all distribution facilities in the rest \nof the United States.\n    Currently, H.R. 2195 and S. 946 address many, but not all, of these \nissues adequately.\n    Question 11. H.R. 2195 would provide FERC with authority to rewrite \nexisting NERC standards if deemed inadequate. How do you envision \nexercising this authority?\n    Answer. H.R. 2195 proposes, inter alia, to direct the commission to \nestablish, in consultation with the Secretary of Homeland Security, \ninterim measures that would supplement, replace, or modify \ncybersecurity standards that the commission, in consultation with the \nSecretary of Homeland Security and other national security agencies, \ndetermines are inadequate to address known cyber vulnerabilities or \nthreats.\n    I envision that the commission would use this authority only when \nthe President or an outside intelligence agency has found that the \nsecurity of the Nation is endangered by either a cyber or physical \nthreat or vulnerability to the Nation's power supply. 
In these limited \ncases, the commission would be able to quickly develop cybersecurity \ninterim measures that adequately address known vulnerabilities and \nthreats, enact modifications that the commission previously directed \nthe ERO to make, and address security issues that the ERO has not yet \nreached. The ERO would have the opportunity to develop and propose \nstandards through its standards development process to replace the \ninterim measures.\n    Question 12. Does the current FERC/NERC standards-setting process \n(i.e. NERC writes, FERC approves or remands) make sense in a national \nsecurity context? Does FERC believe that industry-written standards are \nappropriate to protect assets as critical to national security as the \nelectric system?\n    Answer. No. The FPA section 215 process is not adequate to protect \nagainst cyber- or physical security vulnerabilities and threats that \nendanger national security. The current standards process is too slow, \nopen, and unpredictable to effectively address threats and \nvulnerabilities that endanger national security. In addition, the \njurisdiction conveyed by section 215 to the commission omits major \nsections of the Nation's critical electric infrastructure including all \nfacilities in Alaska and Hawaii, all distribution facilities, and some \ntransmission and generation including facilities that serve \nmetropolitan areas such as New York City.\n    Question 13. How much does compliance with current NERC mandatory \nstandards cost the average utility? How much do you anticipate the \ncosts would rise if FERC were given authority to write ``stronger'' \nstandards? How does industry recoup the costs of mandatory standards \ntoday? Would they be able to recoup costs in the future, and if so, \nhow?\n    Answer. 
I do not have specific information regarding the cost to \nindividual utilities of compliance with NERC standards, and in the \nabsence of this information, I am unable to predict the additional cost \nof compliance, if any, with ``stronger'' standards.\n    Typically, the costs of compliance with mandatory standards by \nentities that qualify as ``public utilities'' under the FPA are \nrecovered either through filings submitted to the commission pursuant \nto section 205 of the FPA or filings made to State utility commissions. \nIn a Statement of Policy issued September 14, 2001, the commission \nprovided assurances to regulated entities that the commission ``will \napprove applications to recover prudently incurred costs necessary to \nfurther safeguard the reliability and security of our energy supply \ninfrastructure in response to the heightened state of alert.'' The \ncommission further stated that ``[c]ompanies may propose a separate \nrate recovery mechanism, such as a surcharge to currently existing \nrates or some other cost recovery method.'' The commission reiterated \nthis policy in an April 19, 2004 Statement of Policy on matters related \nto bulk power system reliability.\n    If Congress believes it appropriate, it could include in \nlegislation a directive to the commission to establish a cost recovery \nmechanism for the costs associated with compliance with any commission \norder issued pursuant to emergency authority.\n    Question 14. Should a regulator like FERC provide resources \n(funding) to utilities to implement physical and cyber protections?\n    Answer. Any Federal Government funding of such efforts would be \nmore appropriately assigned to the Department of Homeland Security or \nthe Department of Energy. However, a simpler approach could be to allow \nthe commission to grant cost recovery to the affected entities for any \nmitigation measures that it orders.\n    Question 15. 
Are procedures in place today that would allow FERC to \nissue immediate orders upon receipt of information that a physical or \ncyber attack is imminent? What are those procedures, and are they \nregularly exercised? (For instance, what could be done to protect the \ngrid from an imminent geomagnetic event given 15 minutes of warning?) \nCould the effects of such an incident actually be mitigated in time?\n    Answer. No, there are currently no procedures or authorities in \nplace that would allow the commission to issue orders that address \nimminent cyber or physical attacks. The commission does not have \nauthority to immediately and directly order actions to thwart imminent \nphysical or cyber attacks. As I have mentioned, under the framework \nestablished by section 215 of the FPA, the commission approves and \nenforces mandatory standards that are developed and proposed by a self-\nregulatory organization and submitted to the commission. This process \nis too slow, open, and unpredictable to address imminent threats to the \npower grid that imperil national security.\n    If such authority did exist, however, it is possible that the \ncommission could issue an effective order with only 15 minutes warning \nif an emergency plan that has already been prepared and practiced is in \nplace. For example, according to the EMP Commission, an effective \nmeasure to protect large transformers from an EMP event is a resistor \nconnected in the neutral of the transformer. If such a resistor had \nbeen installed ahead of time, it is conceivable that it could be \nswitched on within 15 minutes if the utility had enabled remote \noperation and provided adequate training and practice drills. For a \ncyber threat, an effective order might be to direct the immediate \ndisconnect of the remote capabilities of targeted facilities if an \nadequate plan had been developed along with training and practice \ndrills.\n    Question 16. 
What involvement does FERC have in Smart Grid \ndevelopment and deployment?\n    Answer. On July 16, 2009, the commission issued a final Smart Grid \nPolicy Statement. This policy statement sets priorities to guide the \nelectric industry in the development of Smart Grid standards for \nachieving interoperability and functionality of Smart Grid systems and \ndevices. It also sets out commission policy for the recovery of costs \nby utilities that act early to adopt Smart Grid technologies. The new \npolicy adopts as a commission priority the early development by \nindustry of Smart Grid standards that: (1) Ensure the cybersecurity of \nthe grid; (2) provide two-way communications among regional market \noperators, utilities, service providers and consumers; (3) ensure that \npower system operators have equipment that allows them to operate \nreliably by monitoring their own systems as well as neighboring systems \nthat affect them; and (4) coordinate the integration into the power \nsystem of emerging technologies such as demand response resources, \nelectricity storage facilities, and electric transportation systems. \nAdditionally, commission staff routinely participates in various \nNational Institute of Standards and Technology efforts concerning Smart \nGrid standards, as well as coordinates with the Department of Energy on \nits Smart Grid efforts.\n    Question 17. Does FERC believe that the Energy ISAC is effective in \nproducing timely and relevant analysis and warnings for the industry? \nIf not, what measures can be undertaken to improve this capability?\n    Answer. The ES-ISAC is effective when transmitting system status \ninformation and information regarding operational issues that can \naffect other areas or utilities. While this provides some threat \ninformation on technical issues (such as viruses and computer worms) \nand certain physical threats (such as surveillance issues and copper \ntheft threats), it is very limited. 
However, this system was not \ndesigned and is not operated in order to address vulnerabilities and \nthreats that endanger national security. As an example, although ES-\nISAC acts as a forum to share information regarding security-related \nevents that are occurring across the bulk-power system, this forum \ncannot preemptively identify the vulnerabilities and threats and does \nnot develop effective mitigations to address the issues it reports.\n    Question 18. Do you believe that the Spare Transformer Program has \nbeen successful, and that there are enough spare transformers that \ncould be put in place to ensure operation of the grid in the event of a \nlarge-scale cyber or EMP event?\n    Answer. As the commission stated when it issued a declaratory order \nabout the program, the Spare Transformer Program initiated by the \nEdison Electric Institute is a good first step. The program is limited, \nhowever, because it does not cover all voltage classes or step-up \ntransformers from generating stations, and many utilities do not \nparticipate. For these and other reasons, the program does not have \nadequate spares to ensure continued operation of the power grid after a \ntargeted cyber or large-scale EMP event.\nQuestions From Chairwoman Yvette D. Clarke of New York for Ms. Patricia \nA. Hoffman, Acting Assistant Secretary, Office of Electricity Delivery \n              and Energy Reliability, Department of Energy\n    Question 1. What is the current role of the Federal Government in \ndefending against nation-state or terrorist cyber or physical attacks \nagainst electric facilities? Should the security of the electric grid \nrely on voluntary private sector measures? What should the role of the \nFederal Government be?\n    Answer. Response was not received at the time of publication.\n    Question 2. Does an early detection and warning capability for \ncyber and physical threats exist for the electric industry today? 
Is \nthis an appropriate role for the Federal Government? What are the \ntechnical and political challenges in creating such a system?\n    Answer. Response was not received at the time of publication.\n    Question 3. Who within DOE is charged with protection of the \nelectric grid from electromagnetic pulse? Who within DOE is charged \nwith protection of the electric grid from cyber attack?\n    Answer. Response was not received at the time of publication.\n    Question 4. What limitations does the term and definition of ``bulk \npower system'' have on the security of the electric grid at large? \nAssuming we can protect the ``bulk power system'' from attack, will \nthat be adequate to protect the U.S. electric system? Are all cities \nprotected? Are facilities in Alaska and Hawaii protected? Are all \ngeneration, transmission, and distribution systems protected?\n    Answer. Response was not received at the time of publication.\n    Question 5. Can the electric grid be significantly disrupted \nthrough attacks on assets that are not regulated by FERC (i.e. assets \nthat do not belong to ``bulk power system'')?\n    Answer. Response was not received at the time of publication.\n    Question 6. Does DOE maintain any existing authorities that would \nallow it to require owners and operators of electric facilities to \nharden their equipment to mitigate the effects of an electromagnetic \npulse?\n    Answer. Response was not received at the time of publication.\n    Question 7. Does DOE maintain any existing authorities that would \nallow it to require owners and operators of electric facilities to \nharden their equipment to mitigate the effects of a cyber attack?\n    Answer. Response was not received at the time of publication.\n    Question 8. Does the current FERC/NERC standards-setting process \n(i.e. NERC writes, FERC approves or remands) make sense in a national \nsecurity context? 
Does DOE believe that industry-written standards are \nappropriate to protect assets as critical to national security as the \nelectric system?\n    Answer. Response was not received at the time of publication.\n    Question 9. The Office of Electricity Delivery and Energy \nReliability received $4.5 billion in the American Recovery and \nReinvestment Act, of which $3.5 billion is for grants for Smart Grid \ndevelopment. How do you intend on disbursing this grant money? In \nreviewing applications for monies, how will DOE determine if \nappropriate physical and cyber protections are in place? Will you award \ngrants to applicants for the purpose of protecting their systems \nagainst physical and cyber attacks?\n    Answer. Response was not received at the time of publication.\n    Question 10. Does DOE have a program that would allow for private \nor publicly-owned utilities to receive Federal grant monies for \nhardening their equipment against an intentional or unintentional \nelectromagnetic pulse? If not, why not? Should such a program be \ncreated, and, if so, what would appropriate parameters look like?\n    Answer. Response was not received at the time of publication.\n    Question 11. Does DOE have a program that would allow for private \nor publicly-owned utilities to receive Federal grant monies for \nhardening their equipment against an intentional cyber attack? If not, \nwhy not? Should such a program be created, and, if so, what would \nappropriate parameters look like?\n    Answer. Response was not received at the time of publication.\n    Question 12. When will DOE update its control systems roadmap?\n    Answer. Response was not received at the time of publication.\n    Question 13. Has DOE done any analysis on the security of the \nelectric grid from cyber or physical attack? If so, how secure and \nresilient does DOE believe the grid is today?\n    Answer. Response was not received at the time of publication.\n    Question 14. 
Does DOE currently have any authority to perform cyber \nor physical vulnerability assessments on private or publicly-owned \nelectric grid assets?\n    Answer. Response was not received at the time of publication.\n    Question 15. Are procedures in place today that would allow DOE to \nissue immediate orders upon receipt of information that a physical or \ncyber attack is imminent? What are those procedures, and are they \nregularly exercised? (For instance, what could be done to protect the \ngrid from an imminent geomagnetic event given 15 minutes of warning?) \nCould the effects of such an incident actually be mitigated in time?\n    Answer. Response was not received at the time of publication.\n    Question 16. Does DOE believe that the Energy ISAC is effective in \nproducing timely and relevant analysis and warnings for the industry? \nIf not, what measures can be undertaken to improve this capability?\n    Answer. Response was not received at the time of publication.\n  Questions From Chairwoman Yvette D. Clarke of New York for Sean P. \n     McGurk, Director, Control Systems Security Program, National \n  Cybersecurity Division, Office of Cybersecurity and Communications, \n National Protection and Programs Directorate, Department of Homeland \n                                Security\n    Question 1. What is the role of DHS in securing the electric grid, \nand how do you carry out that mission? What programs and policies \nexist? How are you resourced?\n    Answer. Response was not received at the time of publication.\n    Question 2. What are the largest threats to the electric grid, and \nwhat is DHS doing to mitigate those threats?\n    Answer. Response was not received at the time of publication.\n    Question 3. What authorities does DHS have to address cyber and \nphysical threats to the electric grid?\n    Answer. Response was not received at the time of publication.\n    Question 4. 
Who within DHS is charged with protection of the \nelectric grid from electromagnetic pulse? Who within DHS is charged \nwith protection of the electric grid from cyber attack?\n    Answer. Response was not received at the time of publication.\n    Question 5. Out of the critical infrastructure and key resource \nsectors, what is the criticality of the electric grid?\n    Answer. Response was not received at the time of publication.\n    Question 6. Has DHS done any analysis on the security of the \nelectric grid from cyber or physical attack? If so, how secure and \nresilient does DHS believe the grid is today?\n    Answer. Response was not received at the time of publication.\n    Question 7. Does DHS currently have any authority to perform cyber \nor physical vulnerability assessments on private or publicly-owned \nelectric grid assets?\n    Answer. Response was not received at the time of publication.\n    Question 8. What is the current role of the Federal Government in \ndefending against nation-state or terrorist cyber or physical attacks \nagainst electric facilities? Should the security of the electric grid \nrely on voluntary private sector measures? What should the role of the \nFederal Government be?\n    Answer. Response was not received at the time of publication.\n    Question 9. Does an early detection and warning capability for \ncyber and physical threats exist for the electric industry today? Is \nthis an appropriate role for the Federal Government? What are the \ntechnical and political challenges in creating such a system?\n    Answer. Response was not received at the time of publication.\n    Question 10. Does DHS believe there are shortcomings in FERC \nauthority to regulate physical and cybersecurity practices throughout \nthe electric grid?\n    Answer. Response was not received at the time of publication.\n    Question 11. 
What recommendations has DHS ever made to DOE or FERC \nregarding electric grid protections, and have those recommendations \nbeen followed?\n    Answer. Response was not received at the time of publication.\n    Question 12. Does DHS have a program that would allow for private \nor publicly-owned utilities to receive Federal grant monies for \nhardening their equipment against an intentional or unintentional \nelectromagnetic pulse? If not, why not? Should such a program be \ncreated, and, if so, what would appropriate parameters look like?\n    Answer. Response was not received at the time of publication.\n    Question 13. Does DHS have a program that would allow for private \nor publicly-owned utilities to receive Federal grant monies for \nhardening their equipment against an intentional cyber attack? If not, \nwhy not? Should such a program be created, and, if so, what would \nappropriate parameters look like?\n    Answer. Response was not received at the time of publication.\n    Question 14. Does the current FERC/NERC standards-setting process \n(i.e. NERC writes, FERC approves or remands) make sense in a national \nsecurity context? Does DHS believe that industry-written security \nstandards are appropriate to protect assets as critical to national \nsecurity as the electric system?\n    Answer. Response was not received at the time of publication.\n    Question 15. Does DHS support the grant of authority under HR 2195, \nwhich would provide DHS with authority to assess cyber vulnerabilities \nor threats to critical infrastructure, including critical electric \ninfrastructure and advanced metering infrastructure, on an on-going \nbasis and produce reports, including recommendations, on a periodic \nbasis?\n    Answer. Response was not received at the time of publication.\n    Question 16. Are procedures in place today that would allow DHS to \nissue immediate orders or advisories upon receipt of information that a \nphysical or cyber attack is imminent? 
What are those procedures, and \nare they regularly exercised? (For instance, what could be done to \nprotect the grid from an imminent geomagnetic event given 15 minutes of \nwarning?) Could the effects of such an incident actually be mitigated \nin time?\n    Answer. Response was not received at the time of publication.\n\n                                 <all>\n</pre></body></html>\n"