b"<html>\n<title> - PROTECTING THE ELECTRIC GRID: H.R. 2165, THE ``BULK POWER SYSTEM PROTECTION ACT OF 2009,'' AND H.R. 2195</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n   PROTECTING THE ELECTRIC GRID: H.R. 2165, THE ``BULK POWER SYSTEM \n                PROTECTION ACT OF 2009,'' AND H.R. 2195\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                 SUBCOMMITTEE ON ENERGY AND ENVIRONMENT\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 27, 2009\n\n                               __________\n\n                           Serial No. 111-77\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n74-848                    WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                 HENRY A. WAXMAN, California, Chairman\nJOHN D. DINGELL, Michigan            JOE BARTON, Texas\n  Chairman Emeritus                    Ranking Member\nEDWARD J. MARKEY, Massachusetts      RALPH M. 
HALL, Texas\nRICK BOUCHER, Virginia               FRED UPTON, Michigan\nFRANK PALLONE, Jr., New Jersey       CLIFF STEARNS, Florida\nBART GORDON, Tennessee               NATHAN DEAL, Georgia\nBOBBY L. RUSH, Illinois              ED WHITFIELD, Kentucky\nANNA G. ESHOO, California            JOHN SHIMKUS, Illinois\nBART STUPAK, Michigan                JOHN B. SHADEGG, Arizona\nELIOT L. ENGEL, New York             ROY BLUNT, Missouri\nGENE GREEN, Texas                    STEVE BUYER, Indiana\nDIANA DeGETTE, Colorado              GEORGE RADANOVICH, California\n  Vice Chairman                      JOSEPH R. PITTS, Pennsylvania\nLOIS CAPPS, California               MARY BONO MACK, California\nMICHAEL F. DOYLE, Pennsylvania       GREG WALDEN, Oregon\nJANE HARMAN, California              LEE TERRY, Nebraska\nTOM ALLEN, Maine                     MIKE ROGERS, Michigan\nJANICE D. SCHAKOWSKY, Illinois       SUE WILKINS MYRICK, North Carolina\nCHARLES A. GONZALEZ, Texas           JOHN SULLIVAN, Oklahoma\nJAY INSLEE, Washington               TIM MURPHY, Pennsylvania\nTAMMY BALDWIN, Wisconsin             MICHAEL C. BURGESS, Texas\nMIKE ROSS, Arkansas                  MARSHA BLACKBURN, Tennessee\nANTHONY D. WEINER, New York          PHIL GINGREY, Georgia\nJIM MATHESON, Utah                   STEVE SCALISE, Louisiana\nG.K. BUTTERFIELD, North Carolina\nCHARLIE MELANCON, Louisiana\nJOHN BARROW, Georgia\nBARON P. HILL, Indiana\nDORIS O. MATSUI, California\nDONNA M. CHRISTENSEN, Virgin \n    Islands\nKATHY CASTOR, Florida\nJOHN P. SARBANES, Maryland\nCHRISTOPHER S. MURPHY, Connecticut\nZACHARY T. SPACE, Ohio\nJERRY McNERNEY, California\nBETTY SUTTON, Ohio\nBRUCE L. BRALEY, Iowa\nPETER WELCH, Vermont\n                 Subcommittee on Energy and Environment\n\n               EDWARD J. MARKEY, Massachusetts, Chairman\nMICHAEL F. DOYLE, Pennsylvania       DENNIS HASTERT, Illinois\nG.K. BUTTERFIELD, North Carolina          Ranking Member\nCHARLIE MELANCON, Louisiana          RALPH M. 
HALL, Texas\nBARON P. HILL, Indiana               FRED UPTON, Michigan\nDORIS O. MATSUI, California          ED WHITFIELD, Kentucky\nJERRY McNERNEY, California           JOHN SHIMKUS, Illinois\nPETER WELCH, Vermont                 JOHN B. SHADEGG, Arizona\nJOHN D. DINGELL, Michigan            STEVE BUYER, Indiana\nRICK BOUCHER, Virginia               GREG WALDEN, Oregon\nFRANK PALLONE, New Jersey            SUE WILKINS MYRICK, North Carolina\nELIOT L. ENGEL, New York             JOHN SULLIVAN, Oklahoma\nGENE GREEN, Texas                    MICHAEL C. BURGESS, Texas\nLOIS CAPPS, California\nJANE HARMAN, California\nCHARLES A. GONZALEZ, Texas\nTAMMY BALDWIN, Wisconsin\nMIKE ROSS, Arkansas\nJIM MATHESON, Utah\nJOHN BARROW, Georgia\n\n\n\n\n\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Edward J. Markey, a Representative in Congress from the \n  Commonwealth of Massachusetts, opening statement...............     1\nHon. Fred Upton, a Representative in Congress from the State of \n  Michigan, opening statement....................................    32\nHon. John D. Dingell, a Representative in Congress from the State \n  of Michigan, opening statement.................................    33\nHon. John Shimkus, a Representative in Congress from the State of \n  Illinois, prepared statement...................................    34\nHon. Doris O. Matsui, a Representative in Congress from the State \n  of California, opening statement...............................    35\nHon. Cliff Stearns, a Representative in Congress from the State \n  of Florida, opening statement..................................    35\nHon. Jerry McNerney, a Representative in Congress from the State \n  of California, opening statement...............................    36\nHon. 
Tammy Baldwin, a Representative in Congress from the State \n  of Wisconsin, opening statement................................    37\nHon. John Barrow, a Representative in Congress from the State of \n  Georgia, opening statement.....................................    37\nHon. Gene Green, a Representative in Congress from the State of \n  Texas, prepared statement......................................    52\nHon. Michael C. Burgess, a Representative in Congress from the \n  State of Texas, prepared statement.............................    54\n\n                               Witnesses\n\nHon. Bennie G. Thompson, a Representative in Congress from the \n  State of Mississippi, and Chairman, Committee on Homeland \n  Security\n    Prepared statement...........................................    38\nHon. James R. Langevin, a Representative in Congress from the \n  State of Rhode Island, and Chairman, Subcommittee on Strategic \n  Forces, House Armed Services Committee\n    Prepared statement...........................................    58\nJoseph McClelland, Director, Office of Electric Reliability, \n  Federal Energy Regulatory Commission...........................    63\n    Prepared statement...........................................    66\nPatricia Hoffman, Principal Deputy Assistant Secretary, Office of \n  Electricity, U.S. Department of Energy.........................    78\n    Prepared statement...........................................    81\n    Answers to submitted questions...............................   166\nGarry A. Brown, Chairman, New York Public Service Commission.....    88\n    Prepared statement...........................................    91\nDavid N. Cook, Vice President and General Counsel, North American \n  Electric Reliability Corporation...............................   110\n    Prepared statement...........................................   112\n    Answers to submitted questions...............................   
169\nJohn DiStasio, General Manager and CEO, Sacramento Municipal \n  Utility District...............................................   126\n    Prepared statement...........................................   128\n\n                           Submitted Material\n\nH.R. 2165........................................................     3\nH.R. 2195........................................................    19\nLetter of November 10, 2009, from Mr. DiStasio to Subcommittee...   160\n\n \n   PROTECTING THE ELECTRIC GRID: H.R. 2165, THE ``BULK POWER SYSTEM \n                PROTECTION ACT OF 2009,'' AND H.R. 2195\n\n                              ----------                              \n\n\n                       TUESDAY, OCTOBER 27, 2009\n\n                  House of Representatives,\n            Subcommittee on Energy and Environment,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:37 a.m., in \nRoom 2322, Rayburn House Office Building, Hon. Edward J. Markey \n[chairman of the subcommittee] presiding.\n    Present: Representatives Markey, Inslee, Butterfield, \nMatsui, McNerney, Dingell, Baldwin, Matheson, Barrow, Upton, \nStearns, Shimkus, Blunt, Pitts, Walden, Sullivan, Burgess, \nScalise, and Barton (ex officio).\n    Staff Present: Bruce Wolpe, Senior Advisor; John Jimison, \nSenior Counsel; Jeff Baran, Counsel; Caitlin Haberman, Special \nAssistant; Lindsay Vidal, Special Assistant; Earley Green, \nChief Clerk; Mitchell Smiley, Special Assistant; Matt \nEisenberg, Staff Assistant; Andrea Spring, Minority \nProfessional Staff; Peter Spencer, Minority Professional Staff; \nAaron Cutler, Minority Counsel; Amanda Mertens Campbell, \nMinority Counsel; and Garrett Golding, Minority Legislative \nAnalyst.\n\nOPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN \n        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS\n\n    Mr. 
Markey. Good morning. Welcome to the Subcommittee on \nEnergy and Environment and to this very important hearing.\n    The National Academy of Engineering has called the North \nAmerican electric grid the ``supreme engineering achievement of \nthe 20th century.'' The grid is one of our greatest strengths, \nbut, if not properly protected, it could become one of our \ngreatest weaknesses.\n    More than any other technology, the grid is the long pole \nin the tent of America's economy and national security. All of \nour Nation's critical systems--financial services, health care, \ntelecommunications, transportation, water, defense, law \nenforcement, and so on--depend on the grid.\n    Remarkably, 99 percent of the electric energy used to power \nour military facilities, including critical strategic command \nassets, come from the commercially operated grid. Our \ndependence on the grid will only deepen as we move toward \ngreater reliance on automation and information technology.\n    It has become increasingly clear in the last 2 years that \nthe grid is vulnerable to cyber attacks and to other threats \nfrom terrorists, criminals, and hostile states. Over 2 years \nago, the Department of Homeland Security revealed the so-called \n``Aurora vulnerability'' through which hackers could use \ncommunications networks to physically destroy electric \ngenerators, transformers, and other critical assets.\n    We know that the cyber system controlling the grid and \nother critical infrastructure are continuously probed by \noutside parties. Just last week, the U.S.-China Commission \nreported on China's deep involvement in cyber espionage. In \naddition, new risks are coming to light, such as grid control \nsystems vulnerability, to portable weapons that use high-\npowered radio frequency, or microwaves to destroy electronic \nequipment. 
Some of these vulnerabilities could worsen if we \ndon't implement smart grid technologies in a smart way.\n    This past Thursday, I was joined by a number of other \nmembers of this subcommittee at a classified briefing on grid \nsecurity. I assure you, the vulnerabilities of the grid are \nevery bit as urgent as the weaknesses in transportation \nsecurity that were so tragically revealed by the events of \nSeptember 11th. A coordinated attack on the grid could \nliterally shut down the U.S. economy, putting lives at risk and \ncosting tens of billions of dollars. Moreover, unlike a storm \nknocking out power lines that can be replaced in a matter of \ndays, an attack on the grid could result in damage requiring \nmonths or years to fix.\n    There is broad agreement that to meet these challenges we \nneed new Federal authorities and mandates. The status quo for \nFederal regulation in this area, which relies exclusively on \nindustry development or consensus reliability standards through \nthe North American Electric Reliability Corporation, is \ninadequate.\n    That said, tough questions remain as to precisely what \nshape any new authorities and mandates should take. This \nmorning we will consider two bills that address these issues: \none sponsored by Mr. Barrow, which Chairman Waxman and I have \ncosponsored; and a second sponsored by Homeland Security \nCommittee Chairman Bennie Thompson.\n    [The information follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    \n    Mr. Markey. I commend Mr. Barrow and Chairman Thompson for \ntheir leadership on this critical issue.\n    I think it is fair to say that the Barrow bill, of which I \nam a cosponsor, would establish the minimum new authority that \nall parties, including the utility industry and State \nregulators, agree is necessary. However, many parties argue \npersuasively that we must go further in order to adequately \naddress the threats before us. 
I have kept an open mind on \nthese issues, and I urge the other members of this subcommittee \nto do likewise.\n    I am committed to working closely with Mr. Upton and Mr. \nBarton, along with Mr. Barrow and Chairman Waxman and all the \nother members of the committee, to move strong grid security \nlegislation as soon as possible. This hearing represents an \nimportant first step in that direction.\n    I thank the witnesses for joining us. I look forward to \nyour testimony.\n    And now I turn and recognize the ranking member of the \ncommittee, Mr. Upton.\n\n   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Mr. Upton. Well, thank you, Mr. Chairman. And I do want to \nthank you for holding this very important hearing. We \nappreciate our witnesses joining us this morning, as well.\n    The House Homeland Security Committee has examined this \nissue, focusing on the vulnerability in electric generator \ncontrol systems which could allow remote access, enabling a bad \nactor to remotely destroy a generator. We have also begun to \nlook at these issues here, including classified hearings with \nthe Department of Defense and Homeland Security, FERC, and \nothers just last week.\n    Today, we will seek additional answers, with a focus on the \nmost productive way to ensure the security of our energy \ninfrastructure. I know we can work together on bipartisan \nlegislation to address this very, very serious issue.\n    It is my hope that legislation to protect our critical \ninfrastructure will also include Alaska, Hawaii, and our \nterritories. Currently, NERC does not cover those areas, and \nour critical national security assets, particularly in Alaska \nand Hawaii, are too important to ignore.\n    Domestic infrastructure should be protected for \ncybersecurity generally, in addition to physical and \nelectromagnetic threats. 
Additionally, I don't think it is \nenough to just cover the bulk power system; we also must \ninclude the distribution system. It has become clear that the \ndistribution system outages and vulnerabilities can lead to \nproblems with the bulk power system, and critical defense \nfacilities are connected at the distribution level.\n    There is no question that this legislation should be \ncomprehensive. We should seek to fill as many security gaps as \npossible. The threats that we face are too serious and abundant \nto only address a small portion of our vulnerability. The \nstakes could not be higher.\n    And, as we know, security is not free. There will be a cost \nto protecting our critical energy and national defense \ninfrastructure. Our legislation should provide a mechanism by \nwhich all generators, regardless of whether or not they are \nrate-regulated by a State PUC, are capable of covering the cost \nof investments that they are required to make in the name of \nprotecting the national security of the U.S.\n    The security of our Nation's energy infrastructure from \nattack is one of the most important issues that our committee \nwill address. It is not an issue that we can take lightly or \ncover in just one hearing.\n    Energy has certainly been one of the leading issues debated \nin Congress this year, rightfully so. Energy literally powers \nour economy. Even small price spikes and supply disruptions can \nwreak havoc on the economy. It is imperative that the security \nof our Nation's energy infrastructure gets the attention it \ndeserves.\n    I yield back.\n    Mr. Markey. The gentleman's time has expired.\n    The Chair recognizes the gentleman from Michigan, chairman \nemeritus of our committee, Mr. Dingell.\n\nOPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Mr. Dingell. Mr. Chairman, thank you. I commend you for \nholding this hearing today. 
The reliability of this Nation's \nelectricity grid in the face of its vulnerabilities to \ncybersecurity attacks is a matter of the utmost interest and \nconcern.\n    Mr. Chairman, I would note that the White House has \nindicated that there will be a significant effort on the part \nof the administration to address the renewal of the grid. \nTherefore, this hearing comes at a very important time because, \nin addition to addressing the questions of efficiency of the \ngrid, we can also see to it that questions relative to the \nsafety and security of the grid are also addressed.\n    If there were a successful remote cyber attack on a plant's \nutility control systems, we could face something more serious \nthan a brief brownout or blackout. The Idaho National \nLaboratory has shown how a hacker can remotely turn a large \ngenerator into a smoldering scrap pile in just a few moments. \nKnown as the ``Aurora vulnerability,'' this type of attack \ncould destroy generating equipment and impair the generation \nand delivery of electricity across the entire area of North \nAmerica for weeks or months, its consequences cascading on \nconsumers, on our economy, on our health care system, and on \nour national defense assets, amongst other things.\n    These concerns are not just theoretical. It has been \nreported that China, Russia, and other nations have conducted \ncyber probes of the U.S. grid systems. Moreover, cyber attacks \nhave actually been conducted against critical infrastructure in \nother countries.\n    In response to the Department of Homeland Security's \nworrying about Aurora vulnerability, the North American \nElectric Reliability Corporation, NERC, issued an advisory in \nJune 2007 which outlined immediate and longer-term mitigation \nmeasures for utilities. 
An FERC audit of 30 utilities found \nthat, 2 years later, progress had been made but that very \nsignificant issues still remain.\n    As the Electricity Reliability Organization designated \nunder Section 215 of the Energy Policy Act of 2005, NERC has \ndeveloped reliability standards for critical infrastructure \nprotection. However, there are significant gaps, given the \nnature of a national security threat. We need to extend Federal \nauthority to take emergency actions as necessary to protect the \ngrid. I look forward to building a bipartisan consensus on \nlegislation which will ensure that the Federal Government has \nall the necessary powers to intervene when there are \nemergencies that threaten the Nation's electricity supply.\n    I also welcome our panel of witnesses. It is my hope that \nthey can inform us on whether emergency power should extend \nbeyond the bulk power system to utility systems in Alaska, \nHawaii, Guam, and in other American possessions or areas.\n    These powers should also be able to reach critical \ndistribution systems in places like the District of Columbia or \nNew York City. We want to be sure that the legislation \naddresses threats to the electrical system and that the Federal \nGovernment is not improperly hobbled by legal and \njurisdictional boundaries in the case of emergencies.\n    Thank you, Mr. Chairman.\n    Mr. Markey. Great. The gentleman's time has expired.\n    The Chair recognizes the gentleman from Illinois, Mr. \nShimkus.\n\n  OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF ILLINOIS\n\n    Mr. Shimkus. Thank you, Mr. Chairman.\n    I, too, concur that this is a very important meeting, and I \nappreciate you all coming to help us sort through this.\n    You know, I had recently retired, about a year ago, from \nthe Army Reserves. I served 3 years actively in West Germany. 
\nAnd, throughout my years here, I have always followed up on \ncomments about the electromagnetic pulse concern, whether from \nnatural occurrences or ships or a nuclear burst.\n    And we have always talked about smart metering is like the \nHoly Grail of energy efficiency. I think some people would \nargue that we set ourselves more at risk on some of this if it \nis an intentional electromagnetic burst in the atmosphere \nbecause of the ability to fry out this smart metering in all \nthese solid-state applications, and the recovery time would be \nmuch greater than if we kept it simple.\n    So that will be my focus to debate, to hear, to try to \nfigure out what is good and how far should we go, but, again, \nbeing careful that we don't try to automate so much that we \nactually decrease our ability to have a quick recovery, whether \nthere be an intentional electromagnetic pulse burst or \nsomething that will naturally occur that will cause us great \nharm.\n    It was interesting, I heard a story out of St. Louis. I \nlive close to St. Louis, Missouri. The nuclear power plant in \nMissouri is still on dial-up for its communications, just dial-\nup communications. And one of the things that they mentioned \nwas, well, they don't really want to be on broadband because \nthey don't want cybersecurity issues, they don't want some \nother types of concerns.\n    So it will be interesting to follow--again, this is all \njust basically over-the-radio broadcast news, so I look forward \nto following that up.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Markey. Great. The gentleman's time has expired.\n    The Chair recognizes the gentlelady from California, Ms. \nMatsui.\n\nOPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Matsui. Thank you, Mr. Chairman, and thank you for \ncalling this hearing. 
I am very pleased to be here today and \nwould just take a couple minutes so we can continue on to the \ndistinguished witnesses.\n    I would like to thank today's panelists for joining us to \ndiscuss the security of our electric grid, with regard to the \ntwo pending pieces of legislation. In particular, I would like \nto welcome my friend and constituent, John DiStasio, general \nmanager and CEO of Sacramento Municipal Utility District, \notherwise known as SMUD, to today's hearing.\n    John has served SMUD most admirably for nearly 30 years. He \noriginally joined the utility as a buyer for the district's \npurchasing department. He was promoted to the utility's top \npost last year, after serving as the assistant general manager \nsince 2000 and being awarded a number of customer service \nhonors.\n    I look forward to hearing his views on ways in which we can \nlegislatively address cybersecurity issues in relation to \nprotecting our electric infrastructure.\n    Additionally, I look forward to hearing all of your expert \nopinions. The expertise you share here will be useful \nthroughout the committee process and in considering these \nmeasures.\n    As we are aware, the world has become critically reliant on \ndigital communications, making military targets, civilian \ninfrastructure, particularly our electric grid, vulnerable to \ncyber attack. The electric grid is a significant part of our \ncountry's infrastructure. Failure to take preventative steps to \nensure its protection significantly endangers our economy.\n    It is critical that we examine the existing regulatory \nauthorities that respond to threats aimed at our power system. \nAnd we need to continually examine the expanding risk of cyber \nattacks and the implications for traditional methods of \ndeterrence. This committee is well-positioned to examine this \nissue and has already suggested one manner in which to address \nit. 
Together, we can ensure that we have the tools and \nresources necessary to effectively defend our electric \ninfrastructure.\n    I look forward to hearing from the panelists on the bills \nbefore us today and working with the committee and stakeholders \non these important matters. Once again, I thank you, Mr. \nChairman, for highlighting this important topic. And I yield \nback the balance of my time.\n    Mr. Markey. The gentlelady's time has expired.\n    The Chair recognizes the gentleman from Florida, Mr. \nStearns.\n\n OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF FLORIDA\n\n    Mr. Stearns. Good morning. And thank you, Mr. Chairman, and \nthank the ranking member, Mr. Upton, for calling this really \nimportant hearing, which basically is addressing the \nvulnerability of the Nation's electrical grid to cyber attacks \nand the steps that are needed to be taken to protect this \ncritical infrastructure.\n    It has become apparent, I think, to all that our electric \ngrid is vulnerable to cyber attacks by terrorists and by other \nnations. Our Nation's infrastructure systems are heavily, \nobviously, reliant on computer-based systems that are used to \nmonitor and control sensitive processes and physical functions. 
\nThese systems were once mostly closed proprietary operations \nbut are increasingly connecting to open networks, like \ncorporate intranets and the Internet.\n    The transition towards widely used technologies and open \nconnectivity exposes the control system to the ever-present \ncyber risks that exist in the information technology world in \naddition to control-system-specific tasks.\n    Driving such concerns are reports that malicious attacks \nare rising on specialized computer control systems that open \nand shut valves on natural gas pipelines, throw circuit \nbreakers on power lines, and make telecommunications and \ndefense networks, nuclear power plants, and hydro dams do their \njobs.\n    To address these vulnerabilities, the Institute for Human \nand Machine Cognition, which is part of the Florida Institute \nof Technology and partnership thereof--Mr. Chairman, it is \nlocated in my hometown of Ocala, Florida--is creating new \nprocesses for better defending supervisory control and data \nacquisition systems, SCADA, from attack. Such systems, known as \nSCADA, monitor and report on the functions of closed \ncomputerized networks that provide real-time data in the \noperation of these central facilities.\n    For example, SCADA networks could track something as simple \nas a climate control system in an office building or monitor \nthe key workings of something as complex and expansive as a \nnuclear power plant. SCADA networks are also widely used to \ncontrol the flow of oil and natural gas through pipelines, \ndams, and many non-energy-related processes such as water and \nsewer lines, telecommunication systems, and mass transit \nsystems.\n    So, Mr. Chairman, I think this is a very good hearing, and \nI look forward to our witnesses.\n    Mr. Markey. Great. The gentleman's time has expired.\n    The Chair recognizes the gentleman from California, Mr. \nMcNerney.\n\n OPENING STATEMENT OF HON. 
JERRY MCNERNEY, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. McNerney. Well, I want to thank you, Mr. Chairman, for \ncalling this meeting on the critical issue that is in front of \nus and also a very fascinating issue.\n    I want to thank the witnesses. I have looked at your \nresumes, and I am very pleased with the caliber of information \nyou are going to bring in front of us.\n    Mr. DiStasio, from my area in California, I appreciate your \ncoming out here today.\n    It amazes me that we have a network, a physical network, of \nelectrical system that serves our country that is vulnerable to \ncyber attack that can bring down large portions of our country. \nSo the question is, what do we do about it? And we need to \nworry both about how to prevent attacks, how to make ourselves \nless vulnerable, and also how to plan for contingencies if \nattacks are successfully carried out, both cyber and physical \nattacks.\n    So these are big issues. The issue is complicated, but we \nlook forward to getting some concrete ideas from you.\n    I want to thank Mr. Barrow for your leadership on this; \nBennie Thompson, who is not here, for his leadership. This is \nwhat we need, this kind of forward-looking leadership.\n    So thank you all for coming, and I look forward to your \ntestimony.\n    Mr. Markey. The gentleman's time has expired.\n    The gentlelady from Wisconsin, Ms. Baldwin, is recognized.\n\n OPENING STATEMENT OF HON. TAMMY BALDWIN, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF WISCONSIN\n\n    Ms. Baldwin. Thank you, Mr. Chairman, for holding this \nimportant hearing on protecting the Nation's electric grid from \ncyber attacks and other threats.\n    The threat of someone with ill intent attacking and \naccessing the control systems of electric generators or other \nequipment presents a substantial concern that must be \naddressed. 
These cyber or other forms of attacks, perpetrated \nwith the intent to disrupt services in the short term or wreak \nlong-term havoc by damaging equipment, could have a significant \nimpact not only on our national security but also our economic \nsecurity. In fact, according to one estimate, if a third of the \ncountry lost power for 3 months, the economic price tag would \nbe $700 billion.\n    The Idaho National Laboratory test, known as Aurora, which \nhas been cited a couple of times already, demonstrated how an \nattacker could break into a control system and disrupt the \ngrid. This test highlighted the seriousness of a potential \nthreat to our infrastructure and the urgency with which \nCongress and our Nation's agencies must act to mitigate any \nconsequences.\n    As we consider the two bills before us, we must remember \nthat we have a responsibility to remain vigilant, to make sure \nthat our agencies have the proper tools to protect against \ncyber attacks, and to ensure that industry is fully prepared to \nwork in concert with government to prevent any disruptions.\n    I look forward to hearing from our witnesses today about \nhow we can best address these reliability and security issues.\n    Thank you, Mr. Chairman. I yield back the balance of my \ntime.\n    Mr. Markey. The gentlelady's time has expired.\n    The gentleman from Georgia, the sponsor of this \nlegislation, who I would like to congratulate for his excellent \nefforts in this area, is recognized for 2 minutes.\n\n  OPENING STATEMENT OF HON. JOHN BARROW, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF GEORGIA\n\n    Mr. Barrow. Well, thank you, Mr. Chairman. And thank you \nfor moving this legislation forward and for the opportunity to \nwork together on this issue of critical importance to our \nhomeland security.\n    I am a sponsor of H.R. 
2165, the ``Bulk Power System \nProtection Act of 2009,'' one of the subjects of today's \nhearing, because I am convinced that the threats to our \ncritical energy infrastructure are every bit as real and every \nbit as dangerous as any threat we can imagine. I am pleased \nthat this Congress and this committee have given this a high \npriority and will push forward to pass meaningful legislation.\n    I obviously think that my bill is on the right track, but I \nam open to new angles, incorporating new ideas into the mix. I \nencourage my colleagues to cosponsor H.R. 2165, and let's use \nit as a foundation for working together on these solutions.\n    The key to sustainable security is that government and \nindustry identify and address evolving threats against our \ncountry together. As our society becomes more and more reliant \non technological advances, we actually become more and more \nvulnerable to debilitating attacks. This hearing is an \nimportant first step toward closing security gaps which \nthreaten us. The time to act is now; the American people expect \nit, and our national security demands it.\n    I thank the witnesses for being here today, and I thank the \nchairman for the time. And I yield back the balance of my time.\n    Mr. Markey. I thank the gentleman for his work.\n    All time for opening statements has been completed.\n    Chairman Bennie Thompson, chairman of the Homeland Security \nCommittee and lead sponsor of H.R. 2195, one of the bills that \nwe are considering today, has submitted a written statement for \nthe record. I would like unanimous consent that that statement \nbe entered into the record.\n    Without objection, so ordered.\n    [The prepared statement of Mr. Thompson follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. And all members can introduce their statements \nfor that purpose.\n    [The prepared statements of Messrs. 
Green and Burgess \nfollow:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. I would also like to add that Chairwoman Yvette \nClarke of the relevant committee on the Homeland Security \nCommittee and Jim Langevin, who was the Chair last year, would \nalso like to have permission to have space reserved in the \nrecord for their statements, as well. And I want to \ncongratulate them on their excellent work on this issue.\n    [The prepared statement of Mr. Langevin follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    \n    Mr. Markey. I note that the gentleman from Pennsylvania, \nMr. Pitts, has arrived; Mr. Scalise has arrived.\n    Would you like to be recognized, Mr. Scalise?\n    Mr. Scalise. No, thank you.\n    Mr. Markey. Then we will turn----\n    Mr. Pitts. I will submit it for the record, Mr. Chairman.\n    Mr. Markey. Then the gentleman from Pennsylvania's \nstatement will be included in the record at the appropriate \npoint.\n    [The prepared statement of Mr. Pitts was unavailable at the \ntime of printing.]\n    Mr. Markey. So we will turn to our first witness, Mr. \nJoseph McClelland, director of the Office of Electric \nReliability at the Federal Energy Regulatory Commission. Mr. \nMcClelland has led FERC's efforts to approve and enforce \nmandatory reliability standards for the electric grid.\n    We thank you for joining us today. Please begin.\n\n STATEMENTS OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC \n  RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION; THE HON. \nPATRICIA HOFFMAN, PRINCIPAL DEPUTY ASSISTANT SECRETARY, OFFICE \n OF ELECTRICITY, U.S. DEPARTMENT OF ENERGY; THE HON. GARRY A. \n BROWN, CHAIRMAN, NEW YORK PUBLIC SERVICE COMMISSION; DAVID N. \n   COOK, VICE PRESIDENT AND GENERAL COUNSEL, NORTH AMERICAN \n   ELECTRIC RELIABILITY CORPORATION; JOHN DISTASIO, GENERAL \n     MANAGER AND CEO, SACRAMENTO MUNICIPAL UTILITY DISTRICT\n\n                 STATEMENT OF JOSEPH MCCLELLAND\n\n    Mr. McClelland. 
Mr. Chairman and members of the \nsubcommittee, thank you for the privilege to appear before you \ntoday to discuss the security of the power grid.\n    My name is Joe McClelland, and I am the director of Office \nof Reliability for the Federal Energy Regulatory Commission. I \nam here today as a commission staff witness, and my remarks do \nnot necessarily represent the views of the Commission or any \nindividual commissioner.\n    In the ``Energy Policy Act of 2005,'' or EPACT of 2005, \nCongress entrusted the Commission with a major new \nresponsibility: to oversee mandatory, enforceable reliability \nand cybersecurity standards for the Nation's bulk power system. \nThis authority is new Section 215 of the ``Federal Power Act.''\n    Under the new authority, FERC cannot author or modify \ncybersecurity standards but must select an industry self-\nregulatory organization, termed the Electric Reliability \nOrganization, or ERO, to perform this task. The ERO develops \nand proposes cybersecurity standards or modifications for the \nCommission's review, which it can then either approve or \nremand. If the Commission approves a proposed cybersecurity \nstandard, it applies to the users, owners, and operators of the \nbulk power system and becomes mandatory in the United States. \nIf the Commission remands a proposed standard, it is sent back \nto the ERO for further consideration and work.\n    The Commission selected the North American Electric \nReliability Corporation, or NERC, as the ERO. 
It is important \nto note that FERC's jurisdiction and reliability authority is \nlimited to the, quote, ``bulk power system,'' end quote, as \ndefined in the ``Federal Power Act,'' which excludes Alaska and \nHawaii, transmission facilities, and certain large cities such \nas New York City, and distribution systems.\n    Pursuant to this duty, in January of 2008 FERC approved \neight cybersecurity standards, known as the ``Critical \nInfrastructure Protection Standards,'' or CIP standards, \nproposed by NERC while concurrently directing modifications to \nall of them. Although the existing CIP standards are approved, \nfull implementation of these standards by all entities will not \nbe mandatory until 2010.\n    The first of several batches of modifications responding to \nthe Commission's directives was approved in September of 2009, \nalthough the Commission directed further modifications to the \nrevised standards. It is not yet clear how long it will take \nfor the CIP standards to be modified to eliminate some of the \nsignificant gaps in protection within them.\n    On a related note, as smart grid technology is added to the \nbulk power system, greater cybersecurity protections will be \nrequired, given that this technology provides more access \npoints to attackers and can increase the grid's cyber \nvulnerabilities. The CIP standards will apply to some but not \nall smart grid applications.\n    Physical attacks against the power grid can cause equal or \ngreater destruction than cyber attacks. One example of a \nphysical threat is an electromagnetic pulse, or EMP, event. In \n2001, Congress established a commission to assess the threat \nfrom EMP. And, in 2004 and again in 2008, the EMP Commission \nissued its reports.\n    Among the findings of the reports were that a single EMP \nattack could seriously degrade or shut down a large part of the \nelectric power grid. 
Depending upon the attacks, significant \nparts of the electric infrastructure could be, quote, ``out of \nservice for periods measured in months to a year or more,'' end \nquote.\n    In addition to man-made attacks, EMP events are also \nnaturally generated, caused by solar flares and storms \ndisrupting the Earth's magnetic field. Such events can be \npowerful and can also cause significant and prolonged \ndisruptions to the power grid.\n    Regardless of whether an EMP event is manmade or occurs \nnaturally, it can cause equal or even greater destruction than \na cyber attack, and the Federal Government should have no less \nability to protect against it.\n    In September of this year, FERC initiated a research \nproject with the Oak Ridge National Laboratory to study the \nevents of an EMP event on the United States and to identify \nmitigation measures to protect against it. DOE and DHS have \njoined in this study, and we expect to complete it within 6 \nmonths.\n    The standards development system utilized under the \n``Federal Power Act'' develops mandatory reliability standards \nusing an open and inclusive process based on consensus. \nAlthough it can be an effective mechanism with dealing with the \nroutine requirements of the power grid, it is too slow, too \nindependent, and too open to address threats to the power grid \nthat endanger national security. FERC's current legal authority \nis insufficient to assure direct, timely, and mandatory action \nto protect the grid, particularly where certain information \nshould not be publicly disclosed.\n    Any new legislation should address several key concerns. \nFirst, FERC should be permitted to take direct action before a \ncyber or physical national security incident has occurred. \nSecond, FERC should be allowed to maintain the appropriate \nconfidentiality of security-sensitive information. 
Third, the \nlimitations on the term, quote, ``bulk power system,'' end \nquote, should be considered, as FERC cannot act to protect \nattacks involving Alaska and Hawaii, as well as some \ntransmission and all local distribution facilities in large-\npopulation areas. Finally, if Congress finds it appropriate, \nCongress should provide a mechanism allowing entities to \nrecover costs that the utilities incur to mitigate \nvulnerabilities and threats.\n    Thank you for attention today, and I look forward to any \nquestions that you may have.\n    [The prepared statement of Mr. McClelland follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. Great. Thank you, Mr. McClelland, very much.\n    And I will say to each one of you that you only have 5 \nminutes for your opening statement. And after I introduce you, \nyou don't have to read that part of your statement again. You \ncan get right to the meat of it, OK, because I will have done \nit.\n    Our next witness is Ms. Patricia Hoffman, principal deputy \nassistant secretary of the Office of Electricity at the U.S. \nDepartment of Energy. In this capacity, Ms. Hoffman provides \nleadership on a national level to modernize the electric grid \nand enhance the security and reliability of the energy \ninfrastructure.\n    Thank you for joining us today. Whenever you are ready, \nplease begin.\n\n             STATEMENT OF THE HON. PATRICIA HOFFMAN\n\n    Ms. Hoffman. Thank you, Chairman Markey and members of the \nsubcommittee, for this opportunity to testify before you today \non H.R. 2195 and 2165.\n    The energy sector's threat analysis encompasses natural \nevents, criminal acts, and insider threats, as well as foreign \nand domestic terrorism. 
Because of the diversity of assets in \nthe systems in the energy sector, a multitude of methodologies \nhave been used to assess risks, vulnerabilities, and \nconsequences.\n    Also, improving the resiliency of the Nation's electric \npower grid for the purpose of national security will come at a \ncost. As Congress considers legislation, we recognize there are \nlimited resources. Therefore, we must prioritize our \nactivities, continually assessing risk, the impact to the \nelectric sector, and financial impacts.\n    Incident response and information sharing still remain \nforemost our concern. While the United States has had a good \ndeal of experience with physical disruptions to the grid, such \nas the 2003 Northeast blackout and the hurricanes of 2005 and \n2008, it does not have experience-based lessons learned from a \ncyber incident. While coordination and communication has \nimproved between public and private organizations over the past \nseveral years, much more is needed to prevent and respond to an \nattack that could hamper the U.S. electric power grid.\n    The 2010 Energy and Water Appropriations Conference Report \ndirects the Department of Energy to develop an independent \nnational energy-sector cybersecurity organization to institute \nresearch; development and deployment priorities, including \npolicies and protocols to ensure the effective deployment of \ntested and validated technology and software controls to \nprotect the bulk power system; and the integration of smart \ntechnologies to enhance the security of the electric grid.\n    Congress assigned the National Institute of Standards and \nTechnology, NIST, with the responsibility to coordinate the \ndevelopment of a framework and a roadmap for interoperability \nstandards, including cybersecurity. The Department has been \nworking closely with NIST and other agencies through this Smart \nGrid Task Force and the private sector. 
I am pleased to say \nsignificant progress has been made. NIST issued Release 1.0 of \nthe ``NIST Framework and Roadmap for Smart Grid \nInteroperability Standards,'' as well as Draft NIST Interagency \nReport 7628, ``Smart Grid Cybersecurity Strategy and \nRequirements.''\n    The Department recognizes the inherent weaknesses \nassociated with driving system effectiveness and risk from a \nsingle worst-case scenario. A single worst-case scenario is \npossible but rarely exists and often exceeds the known and \nprojected adversary capabilities. At the same time, focusing on \nthe worst-case scenario may result in overlooking protection \nsystem elements needed to counter more probable, significant, \nand credible threats. Consequently, the Department is looking \nat a more balanced methodology to effectively detect and deter \nthreats.\n    The Department reviewed the various bills and conducted \nanalysis to evaluate the effectiveness. We also have reviewed \nthe existing cybersecurity standards and the relative \neffectiveness in addressing high-consequence risks in a rapidly \nchanging threat environment.\n    The Department provides the committee the following \ntechnical comments.\n    The Federal Energy Regulatory Commission could be \nauthorized to issue an emergency security directive to owners \nand operators of the bulk power system covering a specific \nperiod of time if the Secretary of Energy has determined that a \npower grid emergency exists.\n    A power grid emergency could be defined as a situation that \nposes a high risk to the bulk power system that must be \naddressed within 60 days without public disclosure. 
\nDetermination of a power grid emergency in general would \nrequire the expertise of the Secretary of Energy, in \nconsultation with the Secretary of Homeland Security, the \nOffice of Attorney General, and the Director of National \nIntelligence.\n    In making a determination, the Secretary could consider: a \nknown cyber vulnerability exists that may affect the bulk power \nsystem; a threat actor is determined to have known or suspected \nintent, requisite resources, and capabilities to carry out the \nthreat with a high likelihood; if exploited, the vulnerability \nwould result in significant consequences, including damage to \nassets, infrastructure, loss of life, and psychological damage; \nthe situation presents an imminent risk to the bulk power \nsystem.\n    Any directive should have performance objectives and \nmetrics for mitigating the identified threat vulnerability and/\nor potential consequence. The directive may alternately be in \nthe form of an alert that notifies owners or operators of a \npotentially serious cyber situation. Specific methods for \ncompliance could be left to the discretion of the provider of \nthe bulk electric power, provided the security performance \nobjectives are met.\n    Any directives should notify private-sector operators of \nthe bulk power system of the nature of the risk, consistent \nwith the proper handling of classified and restricted \ninformation, and direct operators to investigate, take \nappropriate and corrective action, and file report findings \nback to FERC within a specified time period; and, if required, \ndirect owners and operators of the bulk power system through \nNERC to develop mitigations to test and validate such \nmitigations. The Department of Energy could provide technical \nsupport.\n    With this, I will conclude my testimony. I thank you for \nthe opportunity for being here, and I look forward to any \nquestions you have.\n    [The prepared statement of Ms. 
Hoffman follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. Thank you, Ms. Hoffman, very much.\n    Our next witness is Mr. Garry Brown. He is the chairman of \nthe New York State Public Service Commission. Mr. Brown is \ntestifying on behalf of the National Association of Regulatory \nUtility Commissioners that will henceforth in this committee be \nreferred to as NARUC, which will completely confuse anyone \nwatching on C-SPAN.\n    So this is your last notice, viewers. It is the National \nAssociation of Regulatory Utility Commissioners. So, all 50 \nStates have them. They each decide, kind of, what the \nelectricity and telephone rates are in your State.\n    Mr. Brown is going to speak for all of them in America. He \nhas 30 years of experience in mastering the arcane language of \nregulatory law.\n    And you have 5 minutes, Mr. Brown.\n\n                  STATEMENT OF GARRY A. BROWN\n\n    Mr. Brown. Good morning, Chairman Markey.\n    As you said, I am the Chair of Electricity Committee at \nNARUC.\n    State regulators take the reliability and security of the \nbulk power system very seriously. However, as technology \nchanged, new risks and vulnerabilities have emerged. The \ntransition to a smarter, digital, more efficient grid carries \nwith it potential concerns.\n    Do you want me to talk through it?\n    Mr. Markey. You can continue through.\n    Mr. Brown. Thank you.\n    As Congress considers legislation in this area, it should \nseek to build on existing----\n    Mr. Markey. When the bells ring, it tells us with two bells \nthat there is a roll call--this won't come off of your time--\nthree bells, that we have a quorum.\n    When it goes out to six bells and then it goes six bells \nand then six bells and six bells, you should start running very \nfast. But that hasn't occurred in my 33 years here. But I just \nwant to notify you that, if it just keeps going through and \nringing, that that is not a good thing. 
But, so far, our \nreliability counsel up here----\n    Mr. Shimkus. Mr. Chairman, it is worse when there is no \npower, so you hear no bells.\n    Mr. Markey. So this is maybe the key hearing. Otherwise, we \nwill be reliant upon the same system that my district relied \nupon in 1775, with Paul Revere riding through and knocking on \npeople's doors and saying, ``Get out your gun.''\n    So, anyway, you have 4 minutes and 29 seconds to go, Mr. \nBrown.\n    Mr. Brown. Thank you.\n    As Congress considers legislation in this area, it should \nseek to build on existing Federal-State coordination that \nresults in a framework where vulnerabilities to the system are \nidentified, prioritized, and resolved in a timely fashion. \nCongress needs to distinguish between imminent threats, which \nrequire immediate action, and vulnerabilities, which can be \nresolved more deliberately.\n    Our first vulnerability focuses on business process \nsystems--e-mail, office equipment, databases, et cetera--that \nare not unique to utilities but take on special significance \ngiven the utilities' economic importance.\n    A second vulnerability is more specific to utilities, and \nthat is utility control systems. Supervisory control and data \nacquisition, or SCADA, systems are already inextricably part of \nour utility operations and have served to improve the \nefficiency and reliability of our system operations in every \nsystem throughout the country.\n    Regulatory commissions have begun to probe the cyber-\npreparedness of utility companies in the realm of smart grid. \nIn concept, the smart grid has the potential to provide \nimprovements in situational awareness, prevention, management, \nand restoration. In spite of introducing new vulnerabilities, \nsmart grid fundamentally makes the electric system more secure. 
\nStill, this technology brings with it new vulnerabilities and \nnew points of access to create intentional disruption, which \nshould be taken extremely seriously.\n    In each of these areas, steps are being taken to manage \nrisk. The regulated companies we oversee have, through the \nNorth American Electric Reliability Corporation, developed good \ncybersecurity standards. The question of how far that standard \nextends is not yet clear. NERC's cybersecurity standards are \nextensive and thorough. Over the past 2 years, electric \nutilities across the country have requested significant \nadditional staffing and significant additional dollars for \nNERC's standard compliance activities in their transmission \nrate case filings at FERC.\n    The standards already in place are adequate for both \nphysical and cybersecurity. Overextending the applicability of \nthose standards to lower-voltage facilities raises the question \nhow much more we are willing to pay for what may be a marginal \nincrease in cybersecurity.\n    I would like to share three examples of commissions engaged \nto ensure companies are meeting their responsibilities.\n    Since 2005, the Pennsylvania Public Utility Commission has \nrequired all jurisdictional utilities to have a written \ncybersecurity plan to complement their emergency response, each \nof which are tested on an ongoing basis.\n    Another State taking action is Missouri. The commission \nrequires all of its utilities to have in place reliability \nplans and, in May 2009, queried its utilities about steps taken \nor planned regarding cybersecurity as it relates to company \noperations. 
The contacts made highlighted NERC order number \n706, which mandates that electric companies adhere to eight \nstandards relative to cybersecurity.\n    Since 2003, the New York Commission's Office of Utility \nSecurity has carried out a regular program of oversight of both \nphysical and cybersecurity practices and procedures of the \nregulated utility companies in the energy telecommunications \nand water sectors. Staff of this office is devoted full-time to \nsecurity audit responsibilities.\n    Generally, we utilize the existing NERC CIP standards as \nbenchmarks to form our own judgments about the quality of \ncybersecurity measures in place at the regulated utilities. \nStaff is adhering to a schedule that calls for visiting each \nregulated utility company four times a year to audit compliance \nwith some portion of CIP standards, with the goal of measuring \ncompliance with all of the standards at each of the companies \nover the course of the year.\n    We have the benefit in New York of a close and effective \npartnership with our State cybersecurity office. The New York \nOffice of Cybersecurity and Critical Infrastructure \nCoordination directs efforts to maintain cybersecurity \npractices within State government agencies. We have established \nan excellent record for being a prompt and reliable source of \ninformation. I have personally been in consultation with CCIC \nand NERC to consider cyber threats and risks to the smart grid.\n    I want to get to Federal legislation quickly. NARUC \nbelieves Congress should build upon existing Federal-State \ncoordination and result in an environment where vulnerabilities \nare identified, prioritized, and resolved in a timely fashion. 
\nCongress needs to distinguish between imminent threats, which \nrequire immediate action, and vulnerabilities, which can be \nresolved more deliberately.\n    First, a component of any legislation should be the ability \nfor Federal departments and agencies to have information \nidentifying priority vulnerabilities and imminent threats and \nhow this information is communicated to the various electricity \nproviders, State and Federal law enforcement, and State \nregulatory authorities.\n    In normal situations, the electric power industry can \nprotect the reliability and security of the bulk power system \nwithout governmental intelligence information. However, in the \nlimited circumstances----\n    Mr. Markey. If you can summarize, Mr. Brown, please.\n    Mr. Brown. Yes, I can.\n    In the limited circumstances when the industry does not \nneed governmental intelligence information on a particular \nthreat or vulnerability, it is critical that such information \nbe timely.\n    NARUC believes H.R. 2165 takes the best approach to the \nissues that confront cybersecurity in our Nation's electric \nsystem. And we thank Representative Barrow, Chairman Waxman, \nand Chairman Markey for introducing this legislation. There is \na need for Federal leadership on these complex cybersecurity \nissues.\n    This concludes my remarks, Mr. Chairman.\n    [The prepared statement of Mr. Brown follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. Thank you, Mr. Brown, very much.\n    Our next witness is Mr. David Cook. He is the vice \npresident and general counsel of the North American Electric \nReliability Council, or NERC. In this role, Mr. Cook helps to \nlead the development of mandatory and enforceable reliability \nstandards for the electric grid.\n    Prior to joining NERC in 1999, Mr. Cook worked for 10 years \nas deputy general counsel of the Federal Energy Regulatory \nCommission.\n    So, again, just for our audience, Mr. 
Cook is speaking for \nNERC, which is the private sector. Mr. Brown is speaking for \nNARUC, which are the State regulators. And the first two \nwitnesses speak for the Federal Government, and that would be \nthe Department of Energy, which I think everyone knows, and the \nFERC, Federal Energy Regulatory Commission.\n    We have FERC and NERC, and it does get confusing to people, \nOK, but it is Federal Government, State government, and now the \nprivate sector.\n    Mr. Cook, whenever you are ready, please begin.\n\n                   STATEMENT OF DAVID N. COOK\n\n    Mr. Cook. Thank you, Mr. Chairman and members of the \nsubcommittee.\n    NERC's overall mission is to ensure the reliability of the \nbulk power system in North America. Cybersecurity is an \nimportant component of that mission. The challenges the grid \nfaces from cybersecurity threats, however, are different from \nother reliability concerns.\n    Digital technology changes frequently, and novel potential \nthreats can arise very quickly, requiring rapid and often \nconfidential responses. Threats can arise virtually any time \nand anywhere across the vast array of communicating devices on \nthe grid. Moreover, cybersecurity threats are more likely to be \ndriven by intentional manipulation of devices rather than \nweather-related or operational events that regularly occur on \nthe system.\n    All of these characteristics set cybersecurity apart from \nother reliability concerns. For these reasons, NERC believes \nthat the U.S. Government needs additional emergency authority \nto address specific imminent cybersecurity threats.\n    As the international regulatory authority for the \nreliability of the bulk power system, NERC is responsible for \ndeveloping reliability standards applicable to all users, \nowners, and operators of the system. 
The standard-setting \nprocess brings together NERC and industry and security experts \nfrom the United States and Canada to develop standards that \nmust apply to the international grid.\n    Developing long-term standards that apply to more than \n1,800 diverse entities that own and operate the bulk power \nsystem is a complex undertaking. Standards must apply equally \nto companies with thousands of employees and those with only \n20. Additionally, the standards must do no harm.\n    NERC recognizes that, while the standards in place today \nprovide a sound starting point, they should be and are being \nimproved. NERC is also working in a number of areas to make \navailable the kinds of information that will help the industry \nbetter secure critical assets from advanced well-resourced \nthreats and other known cybersecurity activity on an ongoing \nbasis.\n    In its role as the electricity-sector information sharing \nand analysis center, NERC analyzes and disseminates threat \ninformation and warnings to the electricity industry in the \nform of voluntary advisories, recommendations to industry, and \nessential action notifications.\n    NERC's preparedness and awareness efforts are necessary but \nnot sufficient to protect the system against imminent specific \ncybersecurity threats. The principal gap that NERC sees in the \ncurrent law is that the Federal Government lacks sufficient \nauthority to address an imminent and specific cybersecurity \nthreat. Both H.R. 2165 and H.R. 2195 address that gap.\n    NERC believes the authority to act in such emergencies \nshould be assigned to a single Federal agency. The legislation \nshould also assure coordination between the Federal agency with \nthat authority and appropriate officials in Canada and Mexico. \nH.R. 2165 contains important provisions that require such \nconsultation, while H.R. 2195 contains no specific provisions \nin this area.\n    The jurisdiction provided by H.R. 
2195 would go beyond the \nscope of existing Section 215 to cover distribution system \nassets. 2165 would limit its scope to the existing Section 215.\n    While physical threats are also a concern, NERC believes \naddressing the present gap and authority to address specific \nimminent cybersecurity threats is the highest legislative \npriority at this time.\n    One of the greatest challenges the industry faces in \ndealing effectively with the threats we have been discussing is \nthe limited amount of concrete technical information coming \nfrom government agencies. Much of the information about threats \nis classified or otherwise subject to restrictions on \ndisclosure.\n    Without more specific information being appropriately made \navailable to asset owners, they are unable to determine whether \nparticular cybersecurity concerns exist on their systems or \ndevelop appropriate mitigation strategies. A mechanism, \ntherefore, is needed to validate the existence of such threats \nand ensure information is appropriately conveyed.\n    Over the past year, NERC has worked to facilitate this \ninformation sharing and stands ready to support further efforts \nin this area. Both H.R. 2165 and H.R. 2195 contain provisions \nto address this problem.\n    To conclude, NERC, the electric industry, and the \ngovernments of North America share a mutual goal of ensuring \nthat threats to the reliability of the bulk power system, \nespecially cybersecurity threats, are clearly understood and \neffectively mitigated. NERC fully supports legislative efforts \nto provide the Federal Government with emergency authority to \naddress imminent cybersecurity threats as quickly as possible.\n    Moving forward, NERC is committed to complementing Federal \nauthority to address cybersecurity challenges, regardless of \nthe form that legislation may take.\n    Thank you.\n    [The prepared statement of Mr. Cook follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. 
Markey. Thank you, Mr. Cook, very much.\n    And our final witness is Mr. John DiStasio. He is general \nmanager and CEO of the Sacramento Municipal Utility District, \nor SMUD; henceforth called ``SMUD'' for our hearing purposes.\n    So we will have SMUD, NERC, NARUC, DOE, and FERC. Good \nluck, C-SPAN viewers, in this hearing.\n    He will be discussing bulk power as it is differentiated \nfrom a distribution system and how we can coordinate.\n    So welcome, Mr. DiStasio. Whenever you are ready, please \nbegin.\n    Mr. Markey. And you can see why we should legislate in this \narea. You can see how it could escape a lot of attention from \nCongress, in terms of the security of the system.\n    Welcome, Mr. DiStasio. Whenever you are ready, please \nbegin.\n\n                   STATEMENT OF JOHN DISTASIO\n\n    Mr. DiStasio. Thank you, Chairman Markey, members of the \nsubcommittee. I appreciate the opportunity to explain how the \nelectric industry is addressing cybersecurity challenges and to \nsupport narrowly targeted legislation to enhance those efforts.\n    SMUD supplies electricity to California's capital region. \nWe serve a population of 1.4 million people. We operate 473 \nmiles of transmission lines but nearly 10,000 miles of \ndistribution lines. Our customers include the State of \nCalifornia, the county of Sacramento, companies such as Intel, \nand other customers critical to public welfare and our local \neconomy.\n    SMUD is a member of the American Public Power Association, \nAPPA, and the Large Public Power Council, LPPC. They are part \nof a larger coalition of electricity stakeholders that have \nbeen working together on cybersecurity issues for the last 2 \nyears.\n    The industry coalition includes investors, cooperatively \nand publicly owned utilities, utility generators, independent \ngenerators, Canadian utilities, large industrial consumers, and \nState PUCs. 
We often have very different views on policy issues \nfacing our industry, but on the issue of cybersecurity we have \nbeen working together to help develop NERC's reliability \nstandards for critical infrastructure protection and, more \nrecently, to identify areas where additional legislation may be \nneeded.\n    APPA, LPPC, NARUC, the Canadian Electric Association, the \nEdison Electric Institute, the Electricity Consumers Resource \nCouncil, the Electric Power Supply Association, the National \nRural Electric Cooperative Association, and the Transmission \nAccess Policy Study Group all support carefully crafted \nspecific legislation to deal with the discrete issue of \ncybersecurity.\n    We understand the seriousness of this issue, and we know we \nneed to deal with it. It is in the industry's best interest to \nprotect against cyber attacks. When the lights go out for \nwhatever reasons, we are the ones held responsible. If they do \ngo out, we want to bring them back on as quickly as possible \nand to minimize potential risk to health, safety, and property \nand to minimize any adverse impacts to the public.\n    At the same time, our industry is facing additional \nregulatory requirements in a number of areas, which all \ntranslate to increased costs for our consumers. Therefore, we \nmust use our dollars and workforce wisely to address \ncybersecurity threats and vulnerabilities that are most likely \nto occur and have the greatest potential impact.\n    We need close collaboration between government and industry \nparticipants, rather than finger-pointing. Therefore, any \ncybersecurity legislation Congress adopts should continue the \nstrong industry partnership with government agencies in the \nUnited States and Canada.\n    The interconnected North American electric power industry \nand NERC work closely with the Department of Homeland Security, \nDOE, FERC, and Canadian authorities. 
New legislation should be \nbuilt on this strong foundation.\n    We support continued participation in NERC's industry based \nand FERC-approved standards development process. NERC and the \nindustry have committed significant resources to develop \nrevised and new security standards. We have committed some of \nour scarcest resources, our subject matter experts in \ncybersecurity and system operations, to help develop second-\ngeneration draft standards.\n    And it should be limited to the realm of cybersecurity. \nSome would prefer to include new legislation, other national \nsecurity threats as well as cyber threats. SMUD and the \nindustry coalition believe that other government entities, both \nState and Federal, have more direct responsibilities for \nnational security.\n    The electric utility industry addresses physical threats \nthrough communication with local, State, and Federal law \nenforcement agencies and through our own security measures. \nSMUD has established a strong and long-term partnership and \ncommunication with the FBI, Sacramento County Sheriff's \nDepartment, El Dorado County Sheriff's Department, and the \nSacramento Police Department.\n    SMUD and the industry coalition support H.R. 2165. 
This \nbill sets out a process for the Federal Government to interact \nwith the industry in a cybersecurity emergency but does not \ndisrupt the existing reliability regime set out in section 215.\n    Specifically, the bill provides narrowly targeted authority \nfor FERC to issue emergency orders in response to imminent \ncybersecurity threat to the bulk power system, specific \nauthority for FERC to issue orders that address the AURORA \nvulnerability, improved communication flows of timely and \nactionable information from government to industry, and \nenhanced responsibility for us to share critical energy \ninfrastructure information, enhanced authority for the electric \npower industry to protect and keep critical energy \ninfrastructure information confidential and nonpublic and be \nlimited to the bulk power system.\n    With that, I will conclude my remarks, as time is out. \nThank you.\n    [The prepared statement of Mr. DiStasio follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n    Mr. Markey. Thank you, Mr. DiStasio, very much.\n    Before I recognize myself, just so everyone understands \nwhere we are going here, so we keep these definitions somewhat \ncomprehensible for the audience, we are going to be talking \nabout the bulk power system in the United States. And the \nFederal Power Act defines that to encompass the large-scale \npower plants and transmission facilities, but the Bulk Power \nAct specifically excludes distribution systems. Those are the \nlocal systems of lines that bring power from the large \ntransmission facilities, that is, from the bulk power system \nout to our homes and out to our businesses. And it also \nspecifically excludes the parts of the grid outside the \ncontinental United States, Alaska, Hawaii, and Guam. So just so \nyou all understand what we are talking about here as we get \ninto bulk power and distribution systems.\n    So the Chair will recognize himself; and I would like, Mr. 
\nBrown, for you to look at that question of the exclusion of the \nbulk power system from the distribution systems. Because it is \nmy understanding that there is no clear dividing line dividing \nthe control systems that serve the bulk power system and those \nthat serve the distribution system. So how can we possibly \nlimit the Federal authority to the bulk power system only when \nit is so interconnected to the distribution system and the fact \nthat that does affect people's homes and businesses?\n    Mr. Brown. As State regulators, we are concerned with the \nwhole system from the top to the bottom, including the bulk \npower system and the distribution system. We have always had \nthis dual jurisdictional aspect to our system whereby the \nFederal Energy Regulatory Commission oversees the bulk power \nsystem, the State regulators oversee the local distribution \nsystem. For a hundred years, we have worked together--or since \nthe Federal Power Act, I guess, 70 years we have worked \ntogether in maintaining the reliability.\n    Mr. Markey. Here is my question. Since Washington, D.C. is \nnot under the bulk power system, since New York is not, since \nso much of our military is not, how can you separate them? \nShouldn't it be integrated as a single authority here to make \nsure that there is one system put in place?\n    Mr. Brown. The NERC standards apply to all elements of the \nsystem from top to bottom. I think when you are talking about \ncybersecurity, we would welcome Federal leadership in \nestablishing standards for cyber issues, but I think you need \nto separate----\n    Mr. Markey. The NERC standards only apply to the bulk power \nsystem. Would you want them extended over to distribution as \nwell?\n    Mr. Brown. I don't think they need to be.\n    Mr. Markey. But aren't they intricately entwined with the \nlocal distribution system?\n    Mr. Brown. 
There is certainly the connection between the \nbulk power system and the distribution system.\n    Mr. Markey. Right. Shouldn't we then integrate it to \nensure----\n    Mr. Brown. But that doesn't mean that having a centralized \nauthority is necessarily going to be more effective in terms of \nthe reliability of the local system.\n    I think you need to distinguish between the physical \nassets, which for a long time have been under the dual control, \nand the cybersecurity requirements. And, as I say, in \ncybersecurity requirements I don't think the States would have \nhuge problems with the Federal Government setting standards \nthat apply throughout the system from top to bottom.\n    Mr. Markey. Let me go to you, Mr. McClelland. What do you \nthink?\n    Mr. McClelland. Anytime that there is two-way communication \nbetween equipment there is a chance to compromise that \nequipment from a cybersecurity perspective. Deployment of two-\nway communication devices at the distribution level creates a \nhuge technical challenge to secure that equipment, secure those \nprotocols, and protect the assets up and down the line.\n    Mr. Markey. Ms. Hoffman.\n    Ms. Hoffman. When we are looking at performance measures, \nif emergency authority was provided as you look at the \nlegislation that was stated as 2195 and 2165, if it is framed \nas developing performance measures, these performance measures \ncould be implemented either at the State level or at the \nFederal level. So one could look at the performance measure, \nand the State utility commissions could consider that as part \nof their responsibility. So the leadership could be provided at \nthe Federal level under the form of a performance measure.\n    Mr. Markey. Yes. On an ongoing basis, you know, we just \nhave to take note of the fact that when we did have that \nblackout several years ago, a problem in Ohio affected Canada \nand New York City.\n    Mr. Upton. And Michigan, too.\n    Mr. Markey. 
I was trying to create the upper point, but you \nare right, I should have stopped in the continental United \nStates.\n    By the way, you mentioned Canada in terms of the \ncoordination. Did you include Mexico as well? Are you \ncoordinating with Mexico?\n    Mr. DiStasio. Mexico to a lesser extent.\n    Mr. Markey. But Mexico is in?\n    Mr. DiStasio. Yes.\n    Mr. Markey. And, Mr. Cook, it is my understanding that over \n2 years after the AURORA vulnerability was identified, NERC \nstill has not established standards that would address that \nvulnerability in an optimal way. Why is that? And how can we \npossibly argue that the NERC process is adequate, given this \ndelay?\n    Mr. Cook. The standards are moving in a direction to \naddress some of the vulnerabilities that the AURORA incident \ndisclosed, and we are in a constant process of upgrading those \nstandards. And that is in the process.\n    Mr. Markey. So what is your timeline on completion?\n    Mr. Cook. The Commission has directed us to give them a \ntimeline for completing the changes to the standards. They \nrecently issued an order, and we are to give them that timeline \nby the end of this year. We are in the process of developing \nthat timeline right now.\n    Mr. Markey. Are the standards that you are developing \nspecific to AURORA or optimized to deal with AURORA?\n    Mr. Cook. They don't focus solely on AURORA. They are \nlooking at a range of the threats that the system is dealing \nwith.\n    Mr. Markey. OK. I thank you.\n    The Chair's time has expired. The gentleman from Michigan \nis recognized for 5 minutes.\n    Mr. Upton. Thank you, Mr. Chairman.\n    Mr. McClelland, Mr. Brown said in his testimony that the \nCIP standards already in place are adequate for both physical \nand cybersecurity. Do you think that is accurate?\n    Mr. McClelland. No, the Commission directed an order 706. \nWhen we approved the eight standards, we directed modifications \nto every standard. 
Some are very substantive and significant. I \nmean, I could provide specific examples as to why they are not \nadequate, but they are not adequate yet. There are still \nsignificant gaps.\n    There is also a significant lag as far as compliance with \nthe standards. Only the most experienced and largest entities \nthat fall under bulk power system jurisdiction have to be \ncompliant with the standards today, and only 12 requirements of \nthe standards do they have to be compliant with. It is a \nphased-in implementation.\n    Mr. Upton. Ms. Hoffman, would you agree with that?\n    Ms. Hoffman. Yes.\n    Mr. Upton. Mr. McClelland, can you describe for us, the \nmembers here, as well as the audience, what an EMP attack would \nbe? What are the dynamics of that?\n    Mr. McClelland. There are two sources of electromagnetic \npulse. One source is naturally occurring. It is a solar \nmagnetic activity that disturbs the Earth's atmosphere, \nmagnetic fields, and ionosphere. It rolls them back, if you \nwill. During that rollback time, the Earth's magnetic fields \nare disturbed. It collapses back on itself; and that produces \nground currents, geomagnetically induced currents. Those \ncurrents travel through the earth; and everything that they hit \non the bulk power system they wreak havoc on, particularly \nlarge bulk power system transformers. They will destroy those \ntransformers within a matter of seconds if they haven't been \nmitigated against such an occurrence.\n    There is also----\n    Mr. Upton. No, go ahead.\n    Mr. McClelland. There is also manmade EMP, electromagnetic \npulse attacks. Those generate three separate times of energy \ndisbursement. One is termed an E1. It happens within a \nbillionth of a second. It is a very high, very strong radio \nfrequency type energy burst. The wires and the transmission \nwires and facilities act as antenna. 
They pick that burst up, \nand it destroys all control equipment.\n    Very shortly thereafter, there is an E2 effect, which is \nsimilar to lightning. Utilities are very well mitigated against \nlightning. However, after an E1 burst, it is really uncertain \nas to how much more devastation it would cause.\n    And then, finally, there is the E3 effect, which is the \nfirst effect I described that happens naturally, every so \noften.\n    Mr. Upton. And how difficult is it to build a manmade \ndevice that would emit these EMPs?\n    Mr. McClelland. It is not difficult. For a nation state, \nfor a sponsored terrorist organization, it is not difficult. \nAnd it is getting easier all the time.\n    Mr. Upton. And can you tell us about what the cost might \nbe?\n    Mr. McClelland. I don't have any information about cost. \nFor a small--if it is a radio frequency weapon, a small RFI \nplatform, those are less than a hundred thousand dollars \napiece. Those can be portable, and they can be directed--you \nhave to be pretty close to your target, but if you are close--\n--\n    Mr. Upton. Pretty close, within a quarter mile, a hundred \nyards?\n    Mr. McClelland. Within hundreds or thousands of feet, \ndepending upon the quality of the weapon itself. It is \ncertainly possible to put a small portable weapon in a vehicle-\nmounted platform and direct that at facilities.\n    Mr. Upton. And our bulk power distribution system, it would \nbe pretty vulnerable to that type of attack, is that right?\n    Mr. McClelland. The Commission doesn't have any information \nas far as what folks have done or haven't done regarding EMP \nmitigation. We suspect there hasn't been a lot of activity \nthere.\n    Mr. Upton. And, again, that is a physical attack, not a \ncyber attack.\n    Mr. McClelland. That is correct.\n    Mr. Upton. And, Mr. Brown, as you indicated, you believe \nthat H.R. 2165 is the best approach. H.R. 2165 looks at only \ncybersecurity. 
As I understand it, it does very little for \nphysical security. So if what your statement is on page 5, that \nCIP standards already in place are adequate for both physical \nand cybersecurity, how does that comport to an E1 or, \nobviously, E2 or E3 as it relates to the distribution of that \npower across not only New York but all 50 States?\n    And that is sort of the crux, as we look at the two \ndifferent bills before us, H.R. 2165, which you said is the \nbetter bill, does not have physical security. It does not \ninclude Alaska, Hawaii, Guam, New York, or as it gets to, as \nthe chairman said, the distribution.\n    I just don't know if you have had access to classified \nreports, as some of us were able to participate last week. Mr. \nMcClelland was part of that discussion that we had. But I just \nwant to know what evidence you have as you indicate that the \npresent standards are adequate.\n    Mr. Brown. Well, obviously, I don't have access. And that \nis one of the concerns that we have, is we don't necessarily \nhave access to some of the newer threats that are emerging. All \nwe can judge on is what we know and see.\n    There are a variety of threats to the electric system \nbesides EMP. You can take out an electric system in a variety \nof different ways, and that is why we have been trying to work \nwith NERC on the broad array of security requirements that are \nnecessary to protect the system. And that is why I pointed out \nthe difference between a threat and a vulnerability.\n    If there is an active threat out there, I think everybody \nneeds to know it; and I don't think any of the legislation at \nthis point kind of has a mechanism in place that if there is a \nthreat that there is a way of sharing that threat with all of \nthe State jurisdictional agencies, law enforcement agencies \nthat are going to need to address that threat. 
I am not sure a \nsingle standard somewhere established in legislation is going \nto be able to solve that problem or a new threat won't arise.\n    Mr. Upton. Our time has expired.\n    I just ask one quick question of Mr. McClelland; and that \nis, as they see threats that come in, it is too late if they \nare imminent. We have to be prepared. And I would presume that \nis why we need legislation very quick. Correct?\n    Mr. McClelland. Right. Right. That is correct.\n    Mr. Upton. I know my time has expired.\n    Mr. Markey. The gentleman's time has expired.\n    The Chair recognizes the gentleman from California, Mr. \nMcNerney.\n    Mr. McNerney. Thank you, Mr. Chairman.\n    Mr. McClelland, I want to thank you for hosting me when I \nvisited FERC and alerting me to the AURORA vulnerability at \nthat time.\n    You discussed in your written testimony the challenges \nposed by smart grid technology. In your opinion, are the local \nutilities aware of this vulnerability? And, if not, what can we \ndo to enhance that lack of preparation?\n    Mr. McClelland. We have an expression inside the Commission \nthat the utilities are out in the wild. What that means is that \nthey haven't really been brought in and briefed about the \nlevel, the sophisticated level of threat that could occur with \ncyber vulnerabilities, with two-way communications. I think \nthat is evidenced by some of the activity that happens at other \nFederal agencies, Department of Defense, and sophistication of \nthe levels of defense that they employ versus a utility that \nmay be not as sophisticated in that regard.\n    Mr. McNerney. Thank you.\n    Mr. DiStasio----\n    Mr. Markey. Mr. DiStasio, he is not talking about a utility \nin Silicon Valley. So you shouldn't take that personally, but--\n--\n    Mr. McNerney. You mentioned that utility sector experts are \nnot necessarily cybersecurity experts and lack high-level \nsecurity clearances. 
Is there a particular path forward to \nremedying that problem that you envision?\n    Mr. DiStasio. Well, because of the emerging technologies, I \nwill say this has really evolved over time as the electric grid \nhas become operated in a more digital way, more SCADA controls \nand so forth. There has been a greater integration of the \nphysical operators of the system and the technologists, and we \nactually both participate through the NERC process but within \nour own utilities. And we use what is called a layered defense \nin depth process where we look at people and technology and \noperations, controls that address both physical and cyber \nsegregation of our systems, protection of our systems, control \nof information, training, and access to the individuals. So \nthat is actually under way in most utilities across the Nation. \nI will say the diversity of our systems leads us not to be able \nto necessarily have a one-size-fits-all way to resolve that \nissue.\n    Mr. McNerney. Thank you.\n    You know, it seems to me that the real question here is how \nmuch additional authority is needed to approach this problem.\n    Thank you, Mr. Brown, for bringing up the distinction \nbetween immediate and imminent threat versus vulnerabilities. \nWhen you look at 2165 versus 2195, 2165 is a little bit more \nspecific and a little bit more limited range, whereas 95 is not \nas specific but has a broad range. I would ask anyone now on \nthe panel, is there a utility preference for those approaches? \nFor which one of those approaches would be preferable?\n    Mr. DiStasio. 
I would like to respond to that.\n    From the industry perspective, 2165, as I said in my \ntestimony, would be preferential, because I think it is very \nimportant to distinguish between vulnerabilities which need to \nbe dealt with on a continuous improvement basis over time on a \nproactive and a preventative measure versus immediate and \nimminent threats or emergency issues that we need confidential \ninformation to be able to respond to quickly. And so we think \nthat 2165 best addresses that differentiation.\n    Mr. McNerney. Any other responders on the panel to that \nquestion?\n    Mr. Brown. Just that, in 2005, the authorization for NERC, \nI think a lot of progress has been made along the way in trying \nto address the vulnerability question, trying to set standards \nfor the vulnerability question.\n    I think what makes the threat issue is where we believe the \nfocus might be best served for this legislation, is that there \nbe more--an ability, a process established by Congress that \nwill say, if there is an imminent threat, exactly what the \nprocess will be in terms of disseminating that information to \nState regulators, utilities on a confidential basis so that we \ncan all address this together. I think that is the most \nimportant part of the legislation. That kind of reinventing \nwhat has already been done in 2005 and trying to move it again \nmay be a step backward instead of a step forward.\n    Mr. McNerney. My final question, if I have a little bit of \ntime, Mr. Cook, I was involved in setting standards in my prior \nlife; and it is kind of an interesting process to get people to \nagree on these things. So how is that working out? I mean, are \nyour participants finding ways to agree on these things and \nthen the broader utility network buying into those agreements? \nIs that what is happening?\n    Mr. Cook. As a general matter, that is right.\n    Mr. Markey. The gentleman's time has expired. 
The witness \nwill please try to answer the question.\n    Mr. Cook. Thank you.\n    The industry has stepped up and is providing experts and is \nworking through the process. As I mentioned earlier, it is a \ncontinuous process of improving these standards, and we are \nmaking that progress.\n    Mr. Markey. Thank you.\n    The gentleman's time has expired.\n    The Chair recognizes the gentleman from Texas, the ranking \nmember of the full committee, Mr. Barton.\n    Mr. Barton. Thank you, Mr. Chairman.\n    I am sitting here thinking what a perk it is to have you \nchairing a hearing with FERC and NERC, while the terrorists are \nsmirking and lurking around. It is somewhat of a Herculean \neffort on your part. We appreciate it.\n    Mr. Markey. Excellent. I will try to respond before the end \nof your comments.\n    Mr. Barton. You are going to have to work to beat that. Of \ncourse, I had 10 or 15 minutes to think about it.\n    Mr. Markey. I think we should give the gentleman his full 5 \nminutes and note the incredible----\n    Mr. Barton. I am going to work on SMUD, too. We will see if \nwe can get something done that is not vulgar on that.\n    Anyway, I would ask Mr. McClelland and Mr. Cook--or Dr. \nCook--to comment on the relationship between the bulk power \nsystem and the distribution system and if you feel that the \nFederal Government should preempt the States in looking at this \nissue with regard to the distribution system.\n    Mr. McClelland. I can start.\n    The bulk power system is generally defined as 100,000 volts \nor above. The legislation EPAC 2005 required the Commission to \napprove standards--review and approved standards for the bulk \npower system. However, it is defined by the regions. 
And so a \nregion that chooses to redefine the bulk power system as, say, \n200,000 volts and above can exempt 60 or 70 percent of the \ntransmission facilities within that region by redefining the \nterm ``bulk power system.'' So I think it is important to make \nthe distinction that it is not just distribution that would be \nexcluded under bulk power system. It may also be what is \ntraditionally considered transmission facilities that serve \nmajor metropolitan areas that could be excluded by that \ndefinition.\n    Now, back to the term ``distribution facilities.'' It \ndoes--the legislation does exclude facilities used for the \ndistribution of local energy, which would be the facilities \nthat would capture, say, the meters on the homes, smart meters, \nand any cyber facilities where appliances within the homes that \ncommunicate to the meters that may communicate then back to the \ntransmission systems. And from an oversight perspective, from a \nreliability standards perspective, it is extremely difficult to \nregulate that communication without that ability, without that \njurisdiction.\n    Mr. Barton. Mr. Cook.\n    Mr. Cook. For us, it is a matter of priorities, that the \nconsequences are most profound at the bulk system level. And \nthat is where our focus has been, and that is where we believe \nthe focus needs to be.\n    Mr. Barton. Would the witness from the Department of Energy \nwant to comment on that?\n    Ms. Hoffman. Any leadership that FERC provides in \ndeveloping performance measures to protect the reliability of \nthe bulk power system could be applicable to the distribution \nsystem if the State PUC regulators decide to choose and follow \nthem.\n    Mr. Barton. Mr. Chairman, I am going to yield back. I \nthink, to be really serious, this is a very serious hearing, \nand I am glad you are doing it. 
I would hope, though, that we \ncould legislate at the Federal level without impinging too much \non the local or the State level for distribution systems. I \nwould be reluctant to be too bold in preempting the States. But \nI think this is an important issue, and I am very glad that you \nand Chairman Markey are addressing it in the way that you are \naddressing it.\n    And with that I yield back.\n    Mr. Markey. Thank you, Mr. Barton, as well. I thank you. \nYou have drawn our attention to this issue in another way that, \nfor better or worse, there is a quirk that NERC and FERC do not \nhave----\n    Mr. Barton. I almost used quirk.\n    Mr. Markey [continuing]. Do not have that jurisdiction; \nand, as a result, some jerk could hurt the system. And we have \nto close that regulatory black hole here.\n    Mr. Barton. Great minds think alike, Mr. Chairman.\n    Mr. Markey. I am not sure other people are viewing us that \nway. But I thank the gentleman.\n    The Chair recognizes the gentlelady from Wisconsin.\n    Ms. Baldwin. Thank you, Mr. Chairman.\n    One very specific question and hopefully followed by a \nbroad, open question.\n    In our briefing memo from committee staff, we have our \nattention pointed to physical vulnerabilities of the grid. And \nI am just going to read you an excerpt.\n    For example, large transformers, essential to the reliable \noperation of the grid, are manufactured outside of the United \nStates; and replacement may require up to 2 years. A limited \nnumber of spare large transformers are available within the \nUnited States; and industry has developed a program, the Spare \nTransformer Equipment Program, or STEP, another acronym, \nproviding for sharing of such assets in the event of a \nterrorist attack. Any policy recommendations of how we can--and \nI will ask you, Ms. Hoffman, recommendations for how we could \nbe more prepared in the event of an emergency?\n    Ms. Hoffman. 
You bring up a very, very important point, \nthat critical to the reliability of the bulk power system is \nthe recovery of that system. So an important aspect of that is \nthe focus on manufacturing and manufacturing capabilities in \nthe United States. So as we look at developing protection \nmechanisms, we must recognize that some parts of the grid will \ngo down. So another key aspect is how fast can we restore? And \nthat is directly to your point, which is very important.\n    Ms. Baldwin. What is our domestic manufacturing capacity \nand what are we doing to bolster it?\n    Ms. Hoffman. For large transformers, very limited. In fact, \nI think there is only one company that will be looking at large \ntransformers.\n    Ms. Baldwin. Thank you.\n    On a much broader question for all of you is the issue of \ncommunication and information exchange. And we have had \ntestimony from the State perspective, from the NERC perspective \nof the frustration being that much of this is classified and \ntightly held and needs to be communicated to actors with the \nability to prepare and plan; and yet we have sensitivities with \ngetting certain information out. We have been grappling with \nthis as a committee on previous legislation relating to \nchemical plant security, with water treatment plant security, \nnow in this arena.\n    I know it is a very broad question, but I would like to \nhear your perspectives on how we get the information that we \nare learning at the Department of Energy and FERC to the hands \nof the people who actually need to plan and help us prepare, \nwhile protecting that information carefully. And we haven't \neven talked about ISOs, but they are another level of all of \nthis.\n    And if you wouldn't mind, just starting with Mr. McClelland \nand going through the panel, that would be helpful.\n    Mr. McClelland. 
One of the problems we had with the AURORA \nadvisory, the advisory went out by NERC in June, and the \nCommission was asked to do follow-ups to determine how \neffective the mitigations were put into place. We couldn't \nprotect the information, or felt that we may not be able to \nprotect it from a FOIA request, and so we ended up asking for \nindustry volunteers and reviewed their plans one at a time \nwithout taking any information back to the Commission. This \ninformation transfer, the inability to protect the information, \nseverely impeded folks' ability, the entities' ability to \nimplement mitigation strategies.\n    Now, we saw a whole gamut. I don't want to say that was the \nonly reason. There were some folks that were very well \nmitigated. There was good old-fashioned American ingenuity that \nhad been deployed, but there were other entities that did \nnothing, and additional information didn't appear as if it \nwould have helped. So we have asked that any additional \nauthority that be conveyed provide the ability for the \nCommission to protect that information.\n    Ms. Baldwin. Briefly, Ms. Hoffman.\n    Ms. Hoffman. Briefly, point one, clearances. I think there \nhas to be a wider, greater distribution of appropriate levels \nof clearances across the electric sector. Two, we need to \nprotect the information from FOIA requests in accordance to--\nvery similar to maybe what DHS does with their Critical \nInformation Act.\n    Ms. Baldwin. Mr. Brown? Any comment on the communications \nissue?\n    Mr. Brown. We deal with confidential information at the \nState level all the time in terms of information regarding the \nbulk power system. I think we are well prepared and positioned, \nif we get the information, to protect it and use it.\n    The electric systems run on contingencies all the time. \nThat is how the electric system is run. 
It is always planning \nfor the worst thing that could happen; and that, if it happens, \nthe system will stay up because there is adequate backup. \nObviously, the more information available about threats, the \nbetter that contingency system can work.\n    Ms. Baldwin. Mr. Cook.\n    Mr. Cook. We have been successful in the last year in \narranging for cleared briefings for some CEOs to have access to \nsome more of that information. More of that needs to happen.\n    I agree with Ms. Hoffman that the clearances program needs \nto be accelerated, and there needs to be a way that this \ninformation can get out to folks without them having to make it \npublic. The State Open Records Acts sometimes get in the way of \nthat, because anything that some State agencies get has to be \nmade public then.\n    Ms. Baldwin. Mr. DiStasio.\n    Mr. DiStasio. I would agree with Mr. Cook. I think that is \nan important step for Congress to consider. Because, right now, \nwithout adequate clearance, the information we might get would \nbe limited and not applicable to a pending emergency or \nvulnerability that we are the ones responsible for addressing. \nSo we certainly support additional clearance levels to make \nsure that threats can be dealt with in a timely manner and \nconfidentially.\n    Mr. Markey. The gentlelady's time has expired.\n    The Chair recognizes the gentleman from Illinois.\n    Mr. Shimkus. Thank you, Mr. Chairman.\n    If you all would just, if you have got a piece of paper, \nscribble down solar storm, radio frequency, EMP, and then \ncyber. 
And then my first question--there is two questions--I \nwould ask you to prioritize the threat as you see it in those \nfour categories, and then I would ask you to prioritize costs \nof recovery.\n    And kind of following up on my opening statement about \nwhere our focus should be, I think sometimes we don't really \nknow what is the biggest threat, what is the biggest cost \nrecovery.\n    And so if I could start with Mr. McClelland and just go \ndown the line, if you all could do that for me. And if you \ndon't want to, you don't have to, but I mean, if you could, \nthat would be helpful.\n    Mr. McClelland. That is a difficult question.\n    Mr. Markey. Who wants to be a millionaire? If you can rank \nthem one, two, three, four, and then we can fill it in.\n    Mr. McClelland. Tough to do. Cyber I had as one; solar \nstorms I have as two. And, in fact, solar storms could be one \nbecause they are inevitable. We are going to get another storm. \nWe are going to get another 1921 event, which has been called a \none-in-100-year storm. That is going to happen. And, if it \ndoes, it will be devastating consequences.\n    RF weapons and EMP would be the next two on the list.\n    Mr. Shimkus. Was radio frequency third or EMP third?\n    Mr. McClelland. I put RF weapons third only because they \nare so affordable and easier to tote, and EMP weapons fourth.\n    Mr. Shimkus. Thank you. And I will come back to the costs.\n    Ms. Hoffman. I did cyber as one, RF as two, solar storms as \nthree, and EMP as four.\n    Mr. Shimkus. Great.\n    Mr. Brown. I want to emphasize cyber as one. These people \nare much more of experts and able to judge the vulnerabilities. \nBut we are about to introduce--perhaps the President has \nalready announced--billions of dollars of new moneys to allow--\n--\n    Mr. Shimkus. Let me stop you there, because I do have that. \nIt is a Washington Post article today. 
President Obama plans to \nunveil Tuesday $3.4 billion in grants to smart meters, updated \ntransformers, and other devices. Is that where you are headed?\n    Mr. Brown. Yes, exactly. And the point is there is going to \nbe a whole new system of two-way communications introduced to \nthe electricity industry that really----\n    Mr. Shimkus. Does that make that more secure or less \nsecure?\n    Mr. Brown. It can be both. It should be more secure. More \nreal-time information about the system should be good. But it \nintroduces new vulnerabilities to the system, which if not \nprotected is bad.\n    Mr. Shimkus. All right. I have limited time. So you talked \nabout cyber, so cyber--what is your priority?\n    Mr. Brown. Cybersecurity would be, far and away, number \none. I was going to say two, three, and four I am not really \nthat capable of assessing.\n    Mr. Shimkus. OK. Great.\n    Mr. Cook.\n    Mr. Cook. I would put cyber at a very high number one, \nsolar after that. And as between RF and EMP, I am not sure.\n    Mr. Shimkus. Great.\n    Sir.\n    Mr. DiStasio. I would also put cyber number one. And, \nfrankly, I would like to consult with the industry. Because I \nput two, three, and four again----\n    Mr. Shimkus. OK. Let me go back to cost of recovery, if any \nof you could do that based upon these attacks.\n    Mr. McClelland. EMP and RF weapons I would put as number \none. And I would rate them the same because it is the same \nmitigation for either of those two. Cyber I would put as number \ntwo. That is highly dependent, though, on what the utility has \nor has not done. And solar I would put as number three as far \nas the least-cost alternative.\n    And I do want to add that in the original grouping I don't \nhave these--although I ranked them for you, I don't have them \nvery far apart.\n    Mr. Shimkus. Yes, thank you. 
And I am going to stop there \nbecause I am on limited time.\n    I want to highlight that on April 21st, 2009, a study by \nthe National Academy of Scientists found the U.S. could suffer \none to two trillion in damages as a result of EMP; and it would \ntake four to 10 years to fully recover. By contrast, Hurricane \nKatrina inflicted $150 billion to $300 billion in damage. So \nthis is my fear or concern.\n    I have a wind generating power plant that went down because \nof an Internet connection, and it went down for 10 or 15 days. \nBespeaks to the greening of America and the reliability of \nelectricity.\n    The other issue that I wanted to address, although we have \nkind of covered it, this also speaks of my opinion, everybody \nknows I am a supply guy here on this committee, more generation \nversus less. If we limit the ability for us to increase \ngeneration in America, we increase the ability to put ourselves \nat risk when any one, two, or three of these are targeted. So I \nwould be in support of a position that says let's build more \npower plants, not less.\n    And thank you, Mr. Chairman, and I will yield my remaining \ntime. Thank you, Mr. Chairman.\n    Mr. Markey. The gentleman's time has expired.\n    The Chair recognizes the gentleman from Georgia, the \nsponsor of the bill, Mr. Barrow.\n    Mr. Barrow. I thank the Chair.\n    The table has pretty much been set for the issues that we \nare going to be taking under deliberation in negotiations going \nforward on this. 
But one thing that hasn't been talked very \nmuch about, and it is an issue that is very much on the minds \nof the folks who are going to be tasked with following or \nimplementing any policies that we are going to be authorizing \nthe implementation of, and that is with the electrical \nindustry, the generators and the distributors.\n    So I want to talk just briefly, at least kind of set the \nstage for those discussions by asking if any of you all can \nidentify any issues of disparate treatment or disparate impact \nthat might result from the kinds of rules that we are all \ntalking about trying to create and authorize here? Can you \nforesee, looking down the road, that there might be any \ndisparate impacts in terms of some of the mandates that might \nbe forthcoming? Impacts that might be disparate in terms of \nwhether or not you are a big guy, a big for-profit utility \ncompany as opposed to a little guy, an EMC, whether any \nregional impacts that you can see as a result of the mandates \nthat we are contemplating here.\n    We all want to do the right thing, and I know the \ngenerators and distributors all want do the right thing. But I \nam sure that as there are staggering costs we are trying to \navoid, there are going to be some costs we are going to incur \nalong the way.\n    So the first thing I want to ask is, can anybody here on \nthe panel give us some idea as to the kinds of costs and \nespecially issues of equity and fairness, disparate impacts \nthat might result from any of the mandates we are talking about \ntoday?\n    Mr. Brown, I think you are sort of on the hot seat \nrepresenting the utility commissioners of the country. Why \ndon't you go first?\n    Mr. Brown. Sure.\n    I am not sure about disparate impacts, but I think you need \nto put this into a context. 
If there is a federally mandated \ncost that we have got to recover from our rate payers, it means \nperhaps we won't be able to do something else that we have been \ntrying to do.\n    Mr. Barrow. An opportunity cost, in other words.\n    Mr. Brown. Right now, at the State level, we are collecting \nmoney for renewable portfolio standards. Over 30 States have \nthat. Energy efficiency programs, infrastructure needs, new \ntransmission. So there is a lot of pressures already on \nelectricity rates.\n    Mr. Barrow. What kind of costs do you foresee? What kind of \nmagnitude?\n    Mr. Brown. Billions of dollars on a State level, tens of \nbillions of dollars on a national level. At the same time, \ncustomers that are over 60 days in arrears on their bills--in \nNew York over $600 million is in arrears. That is up 25 percent \nfrom a year ago. So just the rates that we have today, people \nare unable to be able to pay it.\n    So I guess my concern is the more mandates that we get \nrequiring expenditures is going to mean dollars that we are not \ngoing to be able to collect to do other things that we really \nwant to do maintaining the reliability, safety, and efficiency \nof the system.\n    Mr. Barrow. Mr. McClelland, Ms. Hoffman, do you all have \nany thoughts to suggest along these lines? What do you foresee?\n    Mr. McClelland. As far as disparate treatment, the \ngenerators that don't fall under tariffs before the Commission, \nany generators that have, say, cost-based contracts or \ncontractual arrangements would not necessarily qualify for \nsecurity upgrades for cybersecurity or for, say, EMP \nexpenditures. So that would have to be addressed.\n    There may be--and I won't speak to the particulars, but \nthere may be utilities or entities under cost freezes. They may \nbe under rate freezes within different States. 
And that \ntreatment or security upgrade would have to be considered by \nthe State commissions, especially if it was a security upgrade \nnecessary for distribution systems, say, smart metering \nupgrades.\n    And as far as whether or not we incur the costs, I think \nthe threat is here. The vulnerability is here, and the threat \nis here. This is a different world. There are entities that are \nintent--they believe that the bulk power system in the United \nStates, the electric grid, is a legitimate military target; and \nthey have set their sights on that system. And so whether or \nnot--the costs are just going to have to be incurred. We are \ngoing to have to address the issue.\n    Mr. Barrow. Any way you slice it, the costs of prevention \nare a whole lot smaller than the costs of inaction is what you \nare saying.\n    How about you, Mr. DiStasio.\n    Mr. DiStasio. I would just want to add, from the industry \nperspective, the actual NERC regime that was enacted in 2005, \nwe have already added significant compliance resources and \nindustry experts to that at a cost of a fair amount of money. \nAnd one of the reasons that we are actually supportive of the \napproach that you are taking to this is it does tend to \nappropriately focus this on emergency threats, which to me that \nrepresents a much smaller cost.\n    I think I mentioned the fact that we have 400 miles of \ntransmission but 10,000 of distribution, which is not uncommon \nfor many utility systems; and if you look at the expansion of \ntaking it down to lower probability assets in the distribution \nsystem, it adds significant costs without certainty that that \nis going to have the same disruptive effect as the bulk power \nsystem.\n    Mr. Barrow. Thank you.\n    My time has expired. I would like Ms. Hoffman to feel \nwelcome to respond, but my time has expired. Thank you, Mr. \nChairman.\n    Mr. Markey. The gentleman's time has expired, but real \nquick.\n    Ms. Hoffman. 
Real quick the only comment I would add is one \nsize reliability does not fit all. Defense Department, \nmanufacturing industries require higher level of reliability \nthan, say, residential customers or what they are more willing \nto accept. On-site generation, micro grids, UPS systems are \nalternatives to look at as we consider reliability.\n    Mr. Markey. Great. Are there others who wanted to say a \nword? No.\n    The gentleman's time has expired.\n    Mr. McClelland, do you want to say a word here?\n    Mr. McClelland. I had an opportunity.\n    Mr. Markey. OK. Good. Great.\n    The Chair recognizes the gentleman from Texas, Mr. Burgess.\n    Dr. Burgess. Thank you, Mr. Chairman.\n    And, Chairman Brown, I was particularly intrigued by your \ncomments, how much are we willing to pay for marginal increases \nin security? And obviously that is the fine balance that we \nhave here today. And I don't know if I have a--conceptually, if \nI have a good idea of the number of dollars that it would take \nto harden our grid against an electromagnetic pulse, either \nwhether it is generated by natural occurrences, by a solar \nflare, or a legitimate military target, as was outlined by Mr. \nMcClelland.\n    Can you give us some sense of the task ahead? If we were to \nhave a grid that was completely impervious to anything versus \nwhat is actually practical, what are the cost differentials \nthat we are talking about?\n    Mr. Brown. We have infrastructure needs at State regulatory \nlevels of billions of dollars just to maintain the existing \naging system. The idea that you could make it impervious I \nthink is tens of billions of dollars of investment. It is an \nentirely new and different way of doing the system.\n    Earlier, we talked about the bulk power----\n    Dr. Burgess. Can I stop you there?\n    Do we, in fact--does the technology exist to do that if \ndollars were not an issue? Do we have the technical know-how to \ndo that?\n    Mr. Brown. 
It is a matter of duplication. You can duplicate \na lot of the system over and over and over again so that \ntechnically--I will leave it to some of the experts whether it \nis completely impervious, but that is a lot of money.\n    And this is all a cost-benefit analysis. I think that is \nwhat regulators do all the time, is cost-benefit analysis. I \ncould gold-plate the electric system in New York and make sure \nthat we don't have as many outages, but the costs might be two \nto three times--the rate payers, they would find it \nunaffordable to pay the rates that are out there.\n    It is always a balance between reliability and cost, and \nyou can't just look at cost because you would have an \nunreliable system. But you can't just look at liability, \nbecause you will have a gold-plated, expensive system. Tough \nbalance.\n    Dr. Burgess. On balance, the legislation that is the \nsubject of this hearing, do you think we are threading that \nneedle appropriately with trying to balance those two ends?\n    Mr. Brown. One of the concerns I had about some of the \nlegislation was it is reaching down all the way into the \ndistribution system, which was the chairman's first question.\n    And I will note that, for example, the three major \nblackouts we have had in New York City, ranging from 1965 on, \nwere all bulk power system disruptions, problems that the bulk \npower level got to the local level. It wasn't problems with the \nlocal system.\n    So spending a lot of money on the local system and then \nperhaps sacrificing some things being done on the bulk power \nsystem may not be a cost-effective way of meeting the concern. \nThat is why we would like to see the focus on the bulk power \nsystem, and we think the work that began in 2005 with NERC is \nthe appropriate way to be moving towards that goal.\n    Dr. Burgess. And yet I mean there are technologies \navailable today that weren't available 5 or 10 years ago. 
And \nthose technologies do, as I think you pointed out in your \ntestimony, add increased vulnerabilities in different ways.\n    With this legislation, are we taking an appropriate over-\nthe-horizon look at what may be available to electricity \nconsumers in the future in providing them the protections? Or \nare we looking at a situation where we may have to be back here \nin 5 or 10 years, 15 years and revisiting this entire issue? Do \nwe have the appropriate eye on what is coming down the pike for \nthe future?\n    Ms. Hoffman. In order to prevent that, I think we need to \ndo a continual risk evaluation of what the new threats are and \nthe new concerns are, as well as what the new technology is so \nthat we can keep feeding and cycling through that loop so we \nstay ahead of the game.\n    Mr. Brown. And that is why I also emphasize cybersecurity. \nThat is the new element that is coming into the system. The \nsmart grid two-way communications, we really need to get that \nsecure. I think that is the most important focus at this point \nin time.\n    Dr. Burgess. I was just back home. There was an effort to \ngo to smart meters, and then they turned out to not be in \ncompliance with what we said they ought to have. And so you \nhave got a company down there now that is asking its rate \npayers to pick up the millions of dollars for meters that \naren't going to be able to be used. We do have to be careful \nhow we implement these things, because we can end up costing \npeople a lot of money for very little return.\n    And at the same time, as Mr. Shimkus points out, the far \nend of the scale is we may be asking for hundreds of billions \nof dollars of investment to protect us against trillions of \ndollars in loss and decades of recovery.\n    So thank you, Mr. Chairman. I will yield back.\n    Mr. Markey. Great. The gentleman's time has expired.\n    The Chair recognizes the gentleman from Utah, Mr. Matheson.\n    Mr. Matheson. Thank you, Mr. 
Chairman.\n    I have heard some different opinions about whether or not \nutilities receive specific actionable intelligence from the \nFederal Government regarding imminent cyber threats. And so I \nwas wondering--I would ask all the witnesses or anyone to \nrespond--what your thoughts are about this and do you think \nutilities should receive more clearances or more information?\n    Mr. DiStasio. I could address that from the industry \nperspective. To date, we have not received any notifications or \nspecific actionable intelligence relative to imminent threats. \nWe did have the information that has been discussed regarding \nAURORA. There were 30 utilities, as was mentioned, that worked \non a voluntary basis to try to understand and mitigate that.\n    I do believe we do need additional clearance. Because while \nthere are many reports out there that there are significant \nthreats and while there have been briefings that suggest that \nthese things are real and imminent, the utility industry to \ndate has not been notified with any specificity in order to \nbest mitigate those or prevent them. We do work through the \nNERC standards on a prospective basis, but we do think that \nadditional confidential clearance and additional ability to get \nadditional Federal authority to provide specific and actionable \ninformation would be very helpful.\n    Mr. Matheson. OK. Thanks. Yes.\n    Mr. McClelland. I guess I want to be very clear right up \nfront, the NERC standards are wholly inadequate to address \nthreats to national security through the power grid. The NERC \nstandards, on average, take 4 years to develop. Modifications, \nmany different iterations. They are done in an open and \ninclusive forum. 
So not only is the reason for the standard \npublished but also all the proposed mitigation strategies, and \nbad guys have access to the Web sites and can look at those \nproposed mitigations.\n    So the NERC standard--the existing standards that are in \nplace, the Commission has identified substantial security gaps \nin those standards, directed modifications, and are awaiting \nthe NERC process to finish the modifications.\n    As far as information to utilities, yes, I agree utilities \ndo need more specific information to be conveyed. But it is not \njust the information. In the AURORA advisory which was issued \nin June, there were very specific mitigations that were \nrequested. An advisory is voluntary. There is no ability for \nany Federal agency to direct utilities to take action to \nprotect their systems in the event of a threat or a \nvulnerability. So the advisory was voluntary, and we saw \ncompliance that wasn't great. We didn't see great compliance \neven with entities that understood the issue. However, everyone \ncould have benefited by additional information.\n    Mr. Cook. Just to answer your question, the feedback we are \ngetting is that more specific actionable intelligence \ninformation is what is needed. That is the feedback we got on \nAURORA. There were limits on what could be said. So it is a \ncombination of clearances to the industry and figuring out ways \nof having--arranging a classification of information such that \nit can get out. Both of those are important.\n    Mr. Matheson. OK. I appreciate that.\n    Mr. McClelland, I was going to ask you if the new Federal \nauthority that issues cyber emergency orders is too broad. That \ncould also cause some other unintended consequences. Do you \nhave thoughts about where we get the sweet spot on this?\n    Mr. McClelland. Yes, that is very difficult. The authority \nhas been called extraordinary. It is extraordinary authority. \nAnd the Commission is not an intelligence agency. 
Some may say \nwe don't even have intelligence. But we don't collect \nintelligence. So we would depend on other agencies such as DOE, \nDHS, DOD, CIA to bring vulnerabilities and threats that would \nendanger national security, use our authority then to order \nmitigation. It is very specific mitigations that may be \ntargeted at very specific utilities for a limited period of \ntime. That is much more targeted and specific than, say, a \nstandards action might be.\n    Mr. Matheson. OK. And can I ask you, do you have thoughts \nabout steps the Federal Government could take to--you heard \nquestions about costs from other members. Do you have thoughts \nabout how the Federal Government could work with utilities to \nhelp mitigate the cost impact relative to the risks that we are \ntrying to address?\n    Mr. McClelland. Yes. We had the benefit of reviewing with \nthe utilities. We asked for 30 volunteers and did get 30 \nvolunteers on the AURORA mitigation. We had the benefit of \nspending a day with each of those utilities, and there were \nsome very good ideas that came from the utilities back to the \nCommission. So it would be an iterative process.\n    The Commission would have to move quickly. If it was a \nvulnerability or threat that endangered national security, we \nwould issue that. There would be a hearing process or a back-\nand-forth process where alternative practices could be proposed \nby the utilities to accomplish the same purpose but \nnevertheless not delay the mitigation being put into place to \nprotect the economy, its citizens, and the military of the \nUnited States.\n    Mr. Matheson. Thank you. I yield back, Mr. Chairman.\n    Mr. Markey. The gentleman's time has expired.\n    The Chair recognizes the gentleman from Oregon, Mr. Walden.\n    Mr. Walden. Thank you, Mr. Chairman.\n    So I want to see if I have this right. 
Basically, folks in \nthe power industry don't get the information of the specificity \nof the threat that they are supposed to figure out how to deal \nwith. Right? I mean, isn't that what you are saying?\n    Mr. DiStasio. What I said was, to date, there has not been \nany specific actionable information provided. Not to say there \naren't vulnerabilities, but there has not been an individual \nthreat that has been communicated beyond this AURORA test.\n    Mr. Walden. And yet we know there are, Mr. McClelland, to \nthe extent you are able to talk about this, that there are \nfairly specific threats. Well, we all know every computer it \nseems like is being attacked by somebody at some point. And so \nhow do we bridge this? It would seem to me with so much on the \nline that there must be a way that we can communicate the \ninformation you need to understand how serious this is and to \ncope with it. I understand you understand how serious it is. \nHow do we bridge that?\n    Mr. DiStasio. I want to be very clear on one point. The \nutility industry has been dealing with vulnerabilities maybe \nthat originated from reliability and now much more security and \ncyber-based for many, many years and will continue to do that. \nSo we are not awaiting information to do that. However, if \nthere is a gap, it is around this issue that there is a lot of \ndiscussion around pending threats that seem to be more imminent \nthat have not been communicated; and we just need to understand \nwhat those are so we can best mitigate them on the ground \nwithin our systems for the consumers.\n    Mr. Walden. 
And is the issue here that you want to know the \nvery timely, specific threat, as in X organization is going to \ndo Y to your system, or is it--is there anything you are not \ndoing now to protect your system that that kind of information \nwould help you protect?\n    It would seem to me it is pretty clear where the threat--\nnot where it comes from from a specific individual or \norganization necessarily, but there are only so many ways to \nget into your system and do damage. And I guess that is the \nquestion. You would think you would know what those ways are \nand be set up to mitigate, right?\n    Mr. DiStasio. And we do believe that we are in a position \nto best mitigate. I mentioned before that we use this layered \napproach----\n    Mr. Walden. Right.\n    Mr. DiStasio [continuing]. To deal with these. But to the \nextent there was something that is yet not known to the \nindustry that needs to be communicated, we would benefit by \nhaving specific and actionable information on that.\n    Mr. Walden. So let me go to our government witnesses here. \nWithout getting into specific things we can't talk about here, \nare the actions they are talking about they are doing, the sort \nof physical actions to deal with management of their systems \nand prevent against those threats, do they have as much \nknowledge as they need to know, need to have to deal with it \nwithout knowing specific time, place, type of attack?\n    Mr. McClelland. The distinction between classified and \nunclassified is who is the actor and what specific systems are \nbeing targeted.\n    The vectors back as far as the AURORA advisory, for \ninstance, there was sufficient information and detail within \nthat advisory for folks to be able to perform mitigation \nactions. And that advisory was not developed by the Commission. 
\nIt was developed by DHS, DOE, and NERC and then issued to \nindustry.\n    I think part of the question here is, is there a central \nagency that is responsible to get the information to the \nindustry and then can hold industry accountable? Right now, all \nthat we have is we have a coordination and a great partnership \nwith DOE, DHS, and industry. But the advisories, the \ninformation that is conveyed is voluntary in nature.\n    Mr. Walden. And is it also your sense that those \nadvisories, that information, those recommendations are not \nbeing acted upon to the extent they need to be acted upon? In \nother words, the systems aren't being upgraded or modified to \ndeal with the threat, and they should be fully aware of what \nthat threat is absent the classified piece of who it is and \nspecific targets?\n    Mr. McClelland. Right. Congress asked the Commission to \nverify, for instance, the compliance with the AURORA advisory. \nAnd, on that basis, I would answer the question that, no, \ncompliance is not sufficient. The Commission reached the \nconclusion that only if it can be compelled would we be able to \nassure that compliance has been executed for that.\n    Mr. Walden. Mr. Brown, let me give you the last 14 seconds.\n    Mr. Brown. The more information the better. I will use New \nYork State as an example. The single largest contingency we \nplan for is a 1,200 megawatt nuclear power plant going down, \nbecause that is our single largest worst thing that could \nhappen. And at all times they maintain what is called spinning \nreserves, so if that plant goes down, everything is cool. Then \nthey figure out the next biggest contingency and start planning \nfor that.\n    The more information the more you can do those \ncontingencies and be prepared for what happens to your system. \nWithout the information, without a specific threat, they are \ngoing to be operating as if the situation was normal. 
And that \nis where I think you become most vulnerable at that point, when \nyou are not prepared for two or three things happening at once, \nwhich if you knew that there was a threat of that you could \nplan your system around it.\n    So that is why the control area is even more important than \nthe utilities when it comes to this. The utilities maintain \ntheir little footprint. But especially in the Northwest and in \nthe Northeast, there are larger control areas that are looking \nat the system as a whole; and the larger a system you are \nlooking at, the more contingencies you can use to address any \nproblems that develop.\n    Mr. Walden. OK. My time has expired. Thank you very much \nfor your testimony.\n    Mr. DiStasio. Mr. Chairman.\n    Mr. Markey. Mr. DiStasio, yes.\n    Mr. DiStasio. I would like to make one follow-up.\n    The industry does not agree that the information was \nspecific and actionable, and what we would like to do is submit \nsomething for the record for the committee's benefit.\n    Mr. Markey. OK. That would be very helpful, as this hearing \nhas been.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Markey. We are going to focus very keenly in on all of \nthe issues that have been identified here today. It is not lost \non the committee that in a recent survey by the NERC of the \ngeneration owners in America that only one-third of them could \nidentify a single critical asset to which the NERC cyber \nstandards would apply. And so that, in and of itself, says \nsomething about this issue, that only one-third of all \ngenerators in America felt that they had any critical assets at \nall that should have protection.\n    So there is a big gap here. We have to find a way of \nclosing it. 
And I think today you have really helped us to \nshape kind of the challenge for the committee: bulk power \nsystem versus the distribution system, cyber threats versus \nphysical threats, emergency authority versus standards being \nset. So we have to walk through each of these issues, \nilluminated by the testimony that you have provided for us here \ntoday.\n    We thank all of you very much for your testimony. We want \nto stay very close to all of the stakeholders in this \ndiscussion so that we can ensure that we make the right \ndecision in terms of the legislation, and we want to invite all \nthe members of the committee as well to work with us so that we \nput together the best possible legislation.\n    The gentleman from Texas.\n    Dr. Burgess. Mr. Chairman, I wonder if I might just ask one \nadditional question while we are all gathered here.\n    Mr. Markey. The gentleman interrupted the chairman's \nconcluding statement in order to make that unanimous consent \nrequest. So, without objection, the gentleman will be \nrecognized to ask one question of the panel.\n    Dr. Burgess. And I apologize, because I thought it was a \nsoliloquy. I didn't realize it was the concluding statement.\n    On the issue of the----\n    Mr. Markey. When Chairmen Tauzin and Barton used to utter \nthem, it was almost as if it was coming down from Mount Sinai \nas the 10 Commandments; and so I understand the different \nperspectives actually orient members differently when they hear \nthe person with the gavel speaking.\n    Dr. Burgess. It was just a general knowledge question on \nthe issue of the solar interference.\n    Mr. McClelland, I guess this is for you. A couple of years \nago, when I was working with the pilots union and flight \nattendant unions on trying to mitigate their exposure to in-\nflight radiation, I got the impression there was a predictive \nability to these. Are we able to predict with any accuracy the \nsudden burst of solar activity?\n    Mr. 
McClelland. That is an excellent question, and it \nspeaks to--I have had the same question sort of posed a \ndifferent way: If the Commission did have emergency authority \nto be able to order mitigations against, say, solar magnetic \nactivity, how could it exercise that when the warning would be \nso little?\n    There is a satellite deployed, it is the ACE satellite, \nthat gives us about 15 to 30 minutes of warning for solar \nactivity. And, in fact, some of the most massive solar storms \nin history have been with little or no sunspot activity. So \nsunspot activity is not a good predictor of the magnitude of \nsolar storm that might occur. Fifteen or thirty minutes would \nbe wholly inadequate unless the Commission had ordered \nmitigation plans be put into place first.\n    For instance, the EMP Commission said that a good way to \nmitigate against E3, this effect, would be to put a resistor in \nseries with the transformer, maybe even a capacitor. Those \ncould be put into place with 15 to 30 minutes. As long as the \nentities were practiced, they could be given that notice. And \nthe thought would be that they will get more and more time, and \nthey could switch those in to mitigate.\n    Dr. Burgess. Thank you, Mr. Chairman.\n    Mr. Markey. The gentleman's time has expired.\n    We thank all the witnesses again. The big solar \nannouncement today, of course, is that the President is down at \nFlorida Power & Light making this big announcement about solar \ntechnology in Florida and its interrelationship with the smart \ngrid. So, obviously, that focuses us on solar, on smart grid, \non making sure we build this out correctly. Because obviously \nin this new distributed energy world that solar presents we \nneed to continue to think through. 
But my congratulations to \nFlorida Power & Light for that big breakthrough today with the \nPresident.\n    And, with that, this hearing is adjourned.\n    [Whereupon, at 11:37 a.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n</pre></body></html>\n"