[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


 
 PROTECTING THE ELECTRIC GRID: H.R. --------, THE GRID RELIABILITY AND 
                       INFRASTRUCTURE DEFENSE ACT 

=======================================================================

                                HEARING

                               BEFORE THE

                    SUBCOMMITTEE ON ENERGY AND POWER

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 31, 2011

                               __________

                           Serial No. 112-52



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

72-383 PDF                       WASHINGTON : 2012 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chair                         DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York
ROBERT E. LATTA, Ohio                JIM MATHESON, Utah
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            JOHN BARROW, Georgia
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin 
BRETT GUTHRIE, Kentucky              Islands
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                               __________

                    Subcommittee on Energy and Power

                         ED WHITFIELD, Kentucky
                                 Chairman
JOHN SULLIVAN, Oklahoma              BOBBY L. RUSH, Illinois
  Vice Chairman                        Ranking Member
JOHN SHIMKUS, Illinois               JAY INSLEE, Washington
GREG WALDEN, Oregon                  JIM MATHESON, Utah
LEE TERRY, Nebraska                  JOHN D. DINGELL, Michigan
MICHAEL C. BURGESS, Texas            EDWARD J. MARKEY, Massachusetts
BRIAN P. BILBRAY, California         ELIOT L. ENGEL, New York
STEVE SCALISE, Louisiana             GENE GREEN, Texas
CATHY McMORRIS RODGERS, Washington   LOIS CAPPS, California
PETE OLSON, Texas                    MICHAEL F. DOYLE, Pennsylvania
DAVID B. McKINLEY, West Virginia     CHARLES A. GONZALEZ, Texas
CORY GARDNER, Colorado               HENRY A. WAXMAN, California (ex 
MIKE POMPEO, Kansas                      officio)
H. MORGAN GRIFFITH, Virginia
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Ed Whitfield, a Representative in Congress from the 
  Commonwealth of Kentucky, opening statement....................     1
    Prepared statement...........................................     3
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................    29
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................    30
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, prepared statement...................................   152

                               Witnesses

Hon. Trent Franks, a Representative in Congress from the State of 
  Arizona........................................................    31
    Prepared statement...........................................    34
Hon. James R. Langevin, a Representative in Congress from the 
  State of Rhode Island..........................................    44
    Prepared statement...........................................    46
Patricia A. Hoffman, Assistant Secretary, Office of Electricity 
  Delivery and Energy Reliability, Department of Energy..........    52
    Prepared statement...........................................    54
    Additional comments (for Mr. McKinley).......................    90
    Additional comments (for Mr. Olson)..........................   100
Paul N. Stockton, Assistant Secretary of Defense for Homeland 
  Defense and Americas' Security Affairs, Department of Defense..    60
    Prepared statement...........................................    62
Joseph H. McClelland, Director, Office of Electric Reliability, 
  Federal Energy Regulatory Commission...........................    72
    Prepared statement...........................................    74
    Additional comments..........................................    96
Gerry Cauley, President and CEO, North American Electric 
  Reliability Corporation........................................   103
    Prepared statement...........................................   106
Franklin D. Kramer, former Assistant Secretary of Defense for 
  International Security Affairs, Department of Defense..........   121
    Prepared statement...........................................   123
Barry R. Lawson, Associate Director, Power Delivery and 
  Reliability, National Rural Electric Cooperative Association...   132
    Prepared statement...........................................   134

                           Submitted Material

Discussion Draft of H.R. --------, To amend the Federal Power Act 
  to protect the bulk-power system and electric infrastructure 
  critical to the defense of the United States against 
  cybersecurity and other threats and vulnerabilities............     7


 PROTECTING THE ELECTRIC GRID: H.R. --------, THE GRID RELIABILITY AND 
                       INFRASTRUCTURE DEFENSE ACT

                              ----------                              


                         TUESDAY, MAY 31, 2011

                  House of Representatives,
                  Subcommittee on Energy and Power,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:07 p.m., in 
room 2123 of the Rayburn House Office Building, Hon. Ed 
Whitfield (chairman of the subcommittee) presiding.
    Members present: Representatives Whitfield, Terry, Burgess, 
Scalise, McMorris Rodgers, Olson, McKinley, Pompeo, Rush, 
Markey and Waxman (ex officio).
    Staff present: Maryam Brown, Chief Counsel, Energy and 
Power; Allison Busbee, Legislative Clerk; Patrick Currier, 
Counsel, Energy and Power; Greg Dotson, Democratic Energy and 
Environment Staff Director; and Caitlin Haberman, Democratic 
Policy Analyst.

  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY

    Mr. Whitfield. I call this hearing to order. The hearing is 
entitled ``Protecting the Electric Grid: the Grid Reliability 
and Infrastructure Defense Act.''
    Today's hearing focuses on protecting the Nation's electric 
grid from physical and cybersecurity threats and 
vulnerabilities. A secure grid is of utmost importance to our 
national security, of course, and our national economic 
interests.
    Cybersecurity threats and vulnerabilities to the electric 
grid have increased in recent years and were the subject of 
several hearings in the 110th and 111th Congresses. There is 
evidence that bad actors have conducted cyber probes of U.S. 
grid systems, and that cyber attacks have been conducted 
against critical electric infrastructure in other countries.
    This past February, a cyber attack dubbed Night Dragon, 
which is believed to have emanated from China, targeted the 
critical infrastructure of energy and petrochemical companies 
in the United States. The Night Dragon attack was not overly 
sophisticated, but was nevertheless successful in breaching the 
computer systems of key assets. This example is one of several, 
and is the tip of the iceberg, and illustrates that we must be 
more vigilant in securing the Nation's critical energy 
infrastructure, including the electric grid.
    Beyond potential cyber attacks, the bulk power system 
remains exposed to physical vulnerabilities and threats, 
including direct terrorist attacks, weapons that can create an 
electromagnetic pulse, and geomagnetic storms. Federal and 
State agencies and industry stakeholders have sought to address 
many of these concerns. In particular, through an extensive 
stakeholder process, the North American Electric Reliability 
Corporation, pursuant to its authority under section 215 of the 
Federal Power Act, has worked over the last several years to 
develop and implement reliability standards and to address grid 
security vulnerabilities in a timely manner.
    To address these shortcomings, the Committee recently 
released a discussion draft entitled the ``Grid Reliability and 
Infrastructure Defense Act'' or the GRID Act. The bill is 
identical to bipartisan legislation developed by this committee 
last Congress by Chairman Upton and Mr. Markey. The GRID Act 
provides the Federal Energy Regulatory Commission with 
emergency authority to respond to imminent physical and cyber 
threats to the bulk power system and electric infrastructure 
that serves facilities vital to our national defense. This 
emergency authority can be triggered only upon a directive from 
the President. The discussion draft also provides FERC with 
authority to identify and remedy weaknesses that leave the grid 
vulnerable to cyber attacks and electromagnetic pulse events. 
Notably, the legislation also directs FERC to develop 
regulations to facilitate the sharing of information, as 
appropriate, between governmental agencies, NERC, and owners 
and operators of the bulk power system. Doing so will improve 
communication among affected stakeholders, which will result, 
we hope, in a more secure grid.
    Although the discussion draft is identical to last year's 
bill, we expect that input from today's witnesses and insight 
provided by those witnesses will help us improve the bill to 
reflect current conditions and any changed circumstances. I 
know, for example, that Congressman Franks has introduced 
legislation that is, I believe, more narrowly focused than this 
broader approach, and we look forward to his testimony to 
explain his views on this area because he has spent a great 
deal of time on it, as has Congressman Langevin.
    So I want to thank the witnesses in advance for being with 
us today. I will introduce them a little bit later.
    [The prepared statement of Mr. Whitfield follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    [H.R. -------- follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. At this time I would like to yield for the 
purpose of an opening statement to Mr. Rush, the ranking 
member.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. I want to thank you, Mr. Chairman, thank you to 
all the distinguished guests for being here today.
    Mr. Chairman, today we are holding a hearing on the Grid 
Reliability and Infrastructure Defense Act, or the GRID Act for 
short. This bipartisan piece of legislation is identical to the 
bill that was favorably reported out of the E&C Committee 
unanimously last year and then went on to pass the House by a 
voice vote before getting stalled in the Senate.
    Mr. Chairman, this bill represents the type of legislation 
that advances the security interests of all Americans and shows 
what can be accomplished when we choose to work together in a 
bipartisan manner. So I appreciate you conducting this hearing 
today, Mr. Chairman, and I hope and expect that we will move 
this bill with the same type of cooperation and collaboration 
that we experienced last session as this legislation moves 
through the committee.
    Mr. Chairman, the U.S. electric grid consists of 
interconnected transmission lines and local distribution 
systems that deliver electricity to our homes, schools, our 
offices, generation facilities and related communications 
systems. The intricate design of the grid makes all of our 
components highly interdependent so that problems in one 
location can lead to a domino effect of reliability concerns in 
other areas.
    In today's highly digitized world, the operational controls 
over the transmission grid at generators are increasingly 
managed by computer systems such as the supervisory control and 
data acquisition, or SCADA systems, which are linked to the 
Internet or other communication systems as well as to each 
other. This reliance on automation and two-way communication 
amplifies the grid's vulnerability to remote cyber attacks. 
Additionally, the increased use of advanced metering systems 
and other smart grid capabilities leaves our electric grid even 
more open to attack.
    Mr. Chairman, this bill will amend the Federal Power Act to 
add a new section, section 2015(a), which will give the Federal 
Energy Regulatory Commission, FERC, new authority to protect 
the electric grid from cyber attack as well as from other 
threats including those posed from geomagnetic storms created 
by solar activity.
    Additionally, this bill will provide FERC with the 
authority to issue emergency orders to protect against a grid 
security threat whether by malicious act, a geomagnetic storm, 
or by targeted physical attacks if the President notifies the 
commission that such a threat exists.
    Mr. Chairman, we are all aware of the constant potential 
threats that our Nation faces whether by countries such as 
China and Russia, who have already conducted cyber probes of 
the U.S. grid systems, or by terrorist organizations looking 
for ways to weaken our capabilities. Cyber attacks can cause 
untold harm to our Nation's grid, and they can be done from 
faraway locations at very, very low cost and with little 
ability to trace the source of these threats. So it is 
imperative that we provide those agencies that are responsible 
for protecting us, protecting our Nation's grid, protecting all 
Americans with all the tools, all the authority and all the 
resources that they need to keep us safe.
    So Mr. Chairman, I applaud you for holding this very 
important hearing today. I look forward to hearing from our 
witnesses and our experts on this critical issue, and with 
that, I yield back all the time that I have, which is 1 second.
    Mr. Whitfield. Thank you for being so generous once again, 
Mr. Rush.
    At this time I recognize the ranking member of the full 
committee, Mr. Waxman, for the purposes of an opening 
statement.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Mr. Chairman.
    Today, the subcommittee examines the Grid Reliability and 
Infrastructure Defense Act. This legislation is as bipartisan 
as they come. This legislation was born out of a bipartisan 
realization that our electric grid simply isn't adequately 
protected from a range of potential threats. And the current 
process for addressing vulnerabilities in the electric grid is 
not sufficient.
    In an emergency situation where the grid faces an imminent 
threat, the Federal Energy Regulatory Commission currently 
lacks authority to require the necessary protective measures. 
There are also an ever-growing number of grid security 
vulnerabilities. These are weaknesses in the grid that could be 
exploited by criminals, terrorists or other countries to damage 
our electric grid. These same weaknesses even make the grid 
vulnerable to naturally occurring geomagnetic storms.
    During the last Congress, Chairman Upton, Representatives 
Ed Markey and Joe Barton and I developed the GRID Act on a 
bipartisan basis. The majority and minority staffs had 
extensive discussions with interested stakeholders and 
agencies. We worked with many members to answer their 
questions, address their concerns, and consider their 
constructive suggestions. This cooperative process produced 
strong bipartisan legislation.
    On April 15, 2010, the committee favorably reported the 
bill by a unanimous vote of 47 to zero. And on June 9, 2010, 
the GRID Act passed the House by voice vote on the suspension 
calendar. Unfortunately, the GRID Act did not become law in the 
last Congress.
    I commend the chairman for taking up the GRID Act for 
consideration in this Congress. This bipartisan legislation 
will provide the FERC with the authorities it needs to address 
imminent threats to the electric grid with temporary emergency 
orders. It also directs the Commission to address longer-term 
grid vulnerabilities with standards written or approved by the 
Commission.
    In addition, the bill includes provisions that focus 
specifically on the portions of the grid that serve facilities 
critical to the defense of the United States. And the bill is 
budget neutral.
    These are important national security and grid reliability 
issues. In the last Congress, we heard from the Defense 
Department and from former Defense Secretaries, National 
Security Advisors, and CIA Directors. They all told us that the 
changes made by this bill are critical to our national 
security.
    I look forward to hearing from today's witnesses. Although 
we are likely to hear some in industry argue against providing 
FERC authority to address these serious threats, we worked 
across the aisle in the last Congress to develop workable 
legislation. I hope today marks the beginning of a similar 
process in this Congress.
    The GRID Act is simply too important to allow special 
interests to weaken its effectiveness. The Committee needs to 
act to protect the Nation's electric grid from cyber attacks, 
direct physical attacks, electromagnetic pulses and solar 
storms.
    Thank you, Mr. Chairman.
    Mr. Whitfield. Thank you.
    OK. Today we have three panels of witnesses, and on the 
first panel, we have two Members of Congress, the Honorable 
Trent Franks of Arizona and Mr. Jim Langevin of Rhode Island. 
We appreciate both of you being here very much, and Mr. Franks, 
I will recognize you for a 5-minute opening statement.

 STATEMENTS OF HON. TRENT FRANKS, A REPRESENTATIVE IN CONGRESS 
   FROM THE STATE OF ARIZONA; AND HON. JAMES R. LANGEVIN, A 
   REPRESENTATIVE IN CONGRESS FROM THE STATE OF RHODE ISLAND

                   STATEMENT OF TRENT FRANKS

    Mr. Franks. Well, thank you, Mr. Chairman, and good 
afternoon to you, sir, and to Ranking Members Rush and Waxman 
and the rest of the fellow members here on the committee.
    I believe the subject of today's hearing is one of profound 
implication and importance to western civilization, and 
consequently, I hope the members will feel inclined to read my 
written testimony. I just thank you again for allowing me to 
testify here today.
    Mr. Chairman, in our technological advancement, we have now 
captured the electron and transported its utility into nearly 
every business, home and industrial endeavor throughout the 
civilized world. In so doing, we have advanced our standard of 
living and productivity beyond dreams but we have also grown 
profoundly dependent upon electricity and its many 
accoutrements. In keeping with one of humanity's most reliable 
hallmarks, we now find among our greatest strengths an 
unsettling vulnerability to EMP, or electromagnetic pulse.
    The effects of geomagnetic storms and electromagnetic 
pulses on electric infrastructure are well documented with 
nearly every space, weather and EMP expert recognizing the 
dramatic disruptions and cataclysmic collapses these pulses can 
bring to electric grids.
    In 2008, the EMP Commission testified before the Armed 
Services Committee, of which I am a member, that the U.S. 
society and economy are so critically dependent upon the 
availability of electricity that a significant collapse of the 
grid precipitated by a major natural or manmade EMP event could 
result in catastrophic civilian casualties. This conclusion is 
echoed by separate reports recently compiled by the DO, DHS, 
DOE and the National Academy of Sciences along with various 
other government agencies and independent researchers. All of 
them, Mr. Chairman, came to very similar conclusions. The 
sobering reality is that this vulnerability if left unaddressed 
could have grave societal-altering consequences.
    Like many of you, I believe Federal regulations should be 
very limited. However, our first national priority is national 
security, and to protect our national security, we must protect 
our major transformers from cascading destruction. To that end, 
I have introduced the SHIELD Act, which differs primarily from 
your discussion draft in three critical areas. Unlike the GRID 
Act, which I commend this committee deeply for passing last 
year, the SHIELD Act authorizes to promulgate standards 
necessary to protect our electric infrastructure against both 
natural and manmade electromagnetic pulse events if the 
standards developed by the ERO are inadequate to protect 
national security. The SHIELD Act additionally requires 
automated hardware-based solutions rather than procedural and 
operational safety measures alone, and the SHIELD Act does not 
contain cybersecurity provisions, leaving the conflicting 
approaches to that extremely important issue among the Members 
of the Senate in particular to be debated in a separate bill.
    Automated hardware, Mr. Chairman, is particularly important 
when one considers the shortcomings of procedural and 
operational safety measures alone in response to an EMP event. 
According to solar weather experts, there is only 20 to 30 
minutes warning from the time we predict a solar storm that may 
affect us until the time it actually does. This is simply not 
enough time to implement procedures that will adequately 
protect the grid. Furthermore, these predictions are only 
accurate one out of three times. This places a crushing dilemma 
on industry, who must decide whether or not to heed the warning 
with the knowledge that a wrong decision either way could 
result in the loss of thousands or even millions of lives and 
massive legal ramifications beyond expression.
    Mr. Chairman and members, we are now 65 years into the 
nuclear age, and the ominous intersection of jihadist terrorism 
and nuclear proliferation has been inexorably and relentlessly 
hurtling toward America and the free world for decades. But 
when we add the dimension of asymmetric electromagnetic pulses 
to the equation, we face a menace that may represent the 
gravest short-term threat to the peace and security of the 
human family in the world today. Certainly, there are those who 
believe that the likelihood of terrorists or rogue states 
obtaining nuclear weapons and using them in an EMP attack is 
remote and it may be a reasonable conclusion for the moment, 
but in the recent events of the Arab spring, which our 
intelligence apparatus did not foresee, it shows us that 
regimes can change very quickly. If terrorists or rogue states 
do acquire nuclear weapons, hardening our electric grid would 
immediately become a desperate national priority. However, that 
process will take several years, and a regime change only takes 
a few weeks, a missile launch only takes a few minutes. The 
fact that we are now 100 percent vulnerable means that we 
should start securing our electric infrastructure now. Indeed, 
by reducing our vulnerability, we may reduce the likelihood 
that terrorists or rogue states would attempt such an attack in 
the first place.
    Thankfully, Mr. Chairman and members, there is a moment in 
the life of nearly every problem when it is big enough to be 
seen by responsible, reasonable people and still small enough 
to be solved. You and I live in that moment when there still 
may be time for the free world to address and mitigate the 
vulnerability that naturally occurring or weaponized EMP 
represents to the mechanisms of our civilization. Your actions 
today to protect America may gain you no fame or fanfare in the 
annals of history. However, it may happen that in your 
lifetime, a natural or manmade event so big has an effect so 
small that none but a few will recognize the disaster that was 
averted. And for the sake of our children and future 
generations, I pray it happens exactly that way.
    Thank you, and God bless you all.
    [The prepared statement of Mr. Franks follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you, Mr. Franks.
    Mr. Langevin, you are recognized for a 5-minute opening 
statement.

                 STATEMENT OF JAMES R. LANGEVIN

    Mr. Langevin. I would like to thank you, Chairman 
Whitfield, and Ranking Member Rush and Ranking Member Waxman 
for allowing me to testify on what I believe to be one of the 
most critical national security issues facing our country 
today: securing our electric grid from cyber vulnerabilities, 
an issue to which I have devoted several years of my time and 
effort, and I wanted to be here with my colleague, Mr. Franks.
    As both a member of the House Armed Services Committee as 
well as the House Permanent Select Committee on Intelligence, I 
sit at a very interesting nexus which gives me broad 
transparency into the national security challenges that face 
our Nation today, and I previously testified on this issue in 
2009 after a bill that I drafted with then-Homeland Security 
Chairman Bennie Thompson, which was adapted into then-Chairman 
Markey's GRID Act, and I of course want to thank the committee 
for including me in this discussion again here today.
    We know that there are a number of actors who seek to do 
harm to our networks from foreign nation-states, domestic 
criminals and hackers, to disgruntled employees, and as the 
threat and capability both grow, so does the risk to our 
critical infrastructure. Now, this threat is not new. In the 
110th Congress as chairman of the Homeland Security 
Subcommittee with jurisdiction over cybersecurity, I conducted 
a detailed examination of cyber threats to our critical 
infrastructure, and I want to reiterate what I made clear in my 
previous testimony before this subcommittee. I believe we 
remain vulnerable to a cyber attack against the electric grid 
that could cause severe damage to our critical infrastructure, 
our economy, our security and even American lives.
    Now, the vast majority of our critical assets are in 
private hands, and because fixing vulnerabilities can be 
costly, security can find itself in conflict with other 
priorities like profit, competition and accountability to 
shareholders. Sadly, the American people are the ones placed at 
risk when the owners of our critical infrastructure fail to 
prepare for the worst-case scenarios.
    I was pleased by the early attention paid to the issue of 
cybersecurity by the Obama administration, and despite some 
delays in the process, I would like to commend the 
administration for taking some very serious steps in the right 
direction. Under the leadership of Cyber Coordinator Howard 
Schmidt and his staff, the White House has released legislative 
guidance that envisions more government involvement in setting 
standards and best practices for cyber protection across all 
sectors of our critical infrastructure. This mirrors 
philosophically the framework of legislation I introduced 
earlier this year.
    Now, DHS is also taking important steps to become more 
involved in securing our critical infrastructure. The 
establishment of the Industrial Controls Systems Computer 
Emergency Response Team, or ICS-CERT, under Sean McGurk, 
formalized a group of experts and fly-away teams that could 
respond to cyber incidents across all sectors of our utilities.
    However, a company must still request help from the 
government before it can be deployed, and the simple act of 
having to ask often forces decision makers and industry to 
steer clear of seeking help for these complex problems. I am 
pleased to see industry players increasingly stepping up to the 
plate to combat these threats but I fear they cannot move fast 
and far enough under the current system. As Michael Assante, 
the president of the National Board of Information Security 
Examiners and former chief security officer at the North 
American Electric Reliability Corporation, or NERC, testified 
last year, and I quote, ``We are not only susceptible but we 
are not very well prepared.''
    Now, I supported the GRID Act as it moved through the House 
last year because it seems to address some of the unique 
political and regulatory challenges in our power industry 
today. Currently, we live under a system that does not 
prioritize security but actively penalizes open reporting and 
cooperation. The legislation that is before us today aims to 
correct this by allowing Federal regulators greater authority 
to protect Americans during times of imminent crisis. It also 
provides for the issuance of orders to identify and mitigate 
vulnerabilities to protect the bulk power system from cyber 
attacks. While this measure is a significant step forward, I 
would also encourage the committee to consider provisions in my 
legislation and in Senate and administration proposals that 
expand this model to other sectors of critical infrastructure 
and enhance the ongoing efforts of DHS to quickly respond to a 
major crisis.
    I would also note my concern that by specifying only the 
bulk power system, this legislation excludes critical 
distribution systems that would leave major cities like New 
York and Washington unprotected by the broader provisions of 
this bill.
    I will conclude by cautioning again that inaction on this 
issue will make our Nation increasingly vulnerable to cyber 
attacks from both outside and within. We know the threat 
exists, and we have an opportunity to address it before any 
further damage is caused. It is the responsibility of Congress 
and the administration to take the appropriate steps that will 
protect this Nation.
    Once again, I would like to thank you, Chairman Whitfield 
and Ranking Member Rush as well as Ranking Member Waxman, for 
their attention to this very important issue and for the 
opportunity to testify here today. I certainly look forward to 
working with the Energy and Commerce Committee and to 
supporting your efforts to raise awareness about securing our 
critical infrastructure and protecting our citizens from cyber 
attack.
    Thank you, and I yield back.
    [The prepared statement of Mr. Langevin follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you, Mr. Langevin. We appreciate the 
testimony of both of you.
    As you know, this is an important issue with great 
consequences for the country, and last year, of course, the 
GRID Act did pass the House of Representatives but was unable 
to get through the Senate, and we are quite familiar with that. 
We pass a lot of things here that don't get through the Senate, 
but our objective is to get something through the House and the 
Senate and signed by the President. And I know, Mr. Franks, 
that a large number of members of the Armed Services Committee, 
and you serve on that as well, Mr. Langevin, are cosponsoring 
your bill, and I am assuming, Mr. Langevin that your bill and 
Senator Rockefeller's bill basically reflects the 
administration's proposal. Is that correct?
    Mr. Langevin. Well, I wouldn't go so far as to say that, 
but they both move in a similar direction.
    Mr. Whitfield. What I would like from both of you to just 
give advice to this committee on what you think we need to do 
to maximize our opportunity to get this passed in the Senate. 
Mr. Franks?
    Mr. Franks. Well, Mr. Chairman, as it happened last year, I 
went over and personally lobbied the Senate as hard as I could 
on the GRID Act, even though as I have laid out today, I 
believe that there are some critically important things that 
needed to be added to or changed. I met with Senator Murkowski 
and others there in the chamber, and the big challenge was that 
they had differing strategies on what should be done about 
cybersecurity.
    Now, let me make it so desperately clear here. I believe 
that cybersecurity is a critically important issue, and I think 
I would find myself largely in Mr. Langevin's camp on that 
issue, but the problem is, the personalities there have 
different strategies on how to address it, and I am trying to 
protocol here, Mr. Chairman. They couldn't get together on 
that, and that is why we felt like the issue should be 
separated, not because that one is more important than the 
other per se but because I just think it is going to be 
especially difficult. That is complicated this year, as you 
know. The White House just a few weeks ago, probably what you 
were talking about with Mr. Langevin, released a legislative 
proposal for nationwide cross-sector cybersecurity efforts, and 
the Senate is working to produce a goal to meet those needs, 
and my concern is that if we tie them together, we may weaken 
both of them, because there is very little disagreement on the 
EMP aspects of it. The Senators were very supportive of being 
able to protect the grid itself, just had some very seriously 
differing approaches to the cybersecurity element of it.
    Mr. Whitfield. OK. Mr. Langevin, do you have a comment?
    Mr. Langevin. Well, Mr. Chairman, I would just say that 
last year we were a bit frustrated by the Senate still 
contemplating which path forward they were going to take. I was 
fortunate to get an amendment included in the House Armed 
Services defense authorization bill last year that would have 
established a White House Office on Cybersecurity with a 
director's position that would have been Senate confirmed, and 
it would have included updates to the FISMA law. That did not 
get through the conference committee last year because the 
Senate was still struggling to determine which direction they 
were going to take, whether it was going to be Rockefeller-
Snowe or Collins-Lieberman. I believe that the Senate is moving 
in the direction of resolving those issues, and I am hopeful 
that now that the White House has come out with its guidance on 
their views on cybersecurity going forward that that will clear 
some of the hurdles in the Senate and they will be able to come 
together and reach an agreement which hopefully will allow the 
GRID Act, will allow these issues to clear the hurdles that 
remain ahead.
    So I would say it is perseverance. We are going to have to 
continue to keep the pressure on the Senate but hopefully, and 
I would say that I am in close contact with Senator Sheldon 
Whitehouse, who is also from Rhode Island and who is also one 
of the leaders in the Senate on cybersecurity. He believes that 
we will see quite positive progress on the issue of 
cybersecurity in the Senate, so I am hopeful that we will see a 
lot of these issues addressed and we will be able to get them 
through conference.
    Mr. Whitfield. Well, thank you all very much, and we do 
look forward to continuing to work with you because both of you 
have been leaders in this area and we hope that we can continue 
to call on you for your input.
    At this time I will recognize the gentleman from Illinois.
    Mr. Rush. Thank you, Mr. Chairman. I am going to be brief.
    Mr. Langevin, you have expressed some level of restraint 
regarding this bill in that you think that it could be 
strengthened in certain areas, and I am curious, I know that we 
want to send the best bill that we can to the Senate. Again, we 
can persevere, as you have indicated, but how do you think that 
we can strengthen this bill?
    Mr. Langevin. Well, a couple of things, Congressman Rush. I 
would like to see the approach that we are taking here, 
addressing the challenges to the bulk power system broadened to 
include other areas of critical infrastructure, because some of 
them would be in the jurisdiction of the full Energy and 
Commerce Committee. Others may be in the area of the Financial 
Services Committee. But I think that the approach that you are 
taking here is a positive one with respect to the electric 
grid.
    In addition to that, I would like to see this bill address 
distribution systems, not just transmission but distribution 
systems. As I said, it is my understanding that because 
distribution is not dealt with in the bill that areas like 
Washington, D.C., and New York would be left out of the intent 
and hopefully the coverage that this legislation would provide, 
protection provided to our electric grid. So I would encourage 
the committee to look further at that issue.
    Mr. Rush. Congressman Franks, do you have any suggestions 
along the same lines?
    Mr. Franks. Well, I think that Congressman Langevin has it 
absolutely right, that I know we have pictures of New York and 
Washington but we still want to keep them around for a while, 
and I think that it is wise to extend that to the transmission 
lines.
    Again, my primary purpose here is to try to focus as 
narrowly as I can on maintaining the base electric grid, 
because if that goes down, our cybersecurity issues are no 
longer an issue because we don't have computer systems, we 
don't have the electricity to run them, and it might behoove 
the committee to consider a possibility of sending the GRID Act 
over as it is and in a separate version just addressing the EMP 
issue in case there is the issue where the Senate can't come 
together on exactly how they want to do the cybersecurity, but 
I emphasize one last time that the cybersecurity issue is 
absolutely critical. I visited the Palo Verde nuclear power 
plant in Arizona just outside my district. It is the largest 
one in the Nation. And we had a hacker that was strokes away 
from being able to go in and begin to monkey with the reactor 
itself.
    Mr. Rush. Mr. Chairman, my general assembly and my State 
legislature, they just yesterday passed a bill out and sent it 
to the governor addressing some of these same matters, and I am 
interested in the other cities that you named but I am also 
interested in the third city, the city by the lake, Chicago, 
and what the threats are to Chicago also.
    So with that, Mr. Chairman, I yield back the balance of my 
time.
    Mr. Whitfield. Thank you, Mr. Rush.
    Generally speaking, when we have Members of the House or 
the Senate testifying, the chairman and ranking member are the 
only ones that ask questions. However, I would ask our friends 
on this side of the aisle if they have any questions. Mr. 
Terry?
    Mr. Terry. I don't, but I have worked with Trent on his 
bill and I just wanted to thank both of you for your good work. 
This is an extremely important issue, and as the ranking member 
and the chairman both said, we need to get this to the point 
where the Senate can pass it and we get it to the President's 
desk, so thank you for your efforts. I yield back.
    Mr. Whitfield. Well, thank you, Mr. Terry, and once again, 
thank you all so much for your concern and your leadership on 
this issue, and we will continue to work with you as we move 
forward, and unless you all want to stay and hear the other 
panel, we will let you go on in your other activities. So thank 
you.
    Mr. Langevin. Thank you.
    Mr. Franks. Thank you, Mr. Chairman.
    Mr. Whitfield. At this time I would like to call up our 
second panel, which includes the Honorable Patricia Hoffman, 
who is the Assistant Secretary, Office of Electricity Delivery 
and Energy Reliability at the Department of Energy. We have the 
Honorable Paul Stockton, Assistant Secretary of Defense for 
Homeland Security and America's Security Affairs at the U.S. 
Department of Defense, and we have Mr. Joseph McClelland, who 
is the director of the Office of Electric Reliability at FERC.
    So welcome to the hearing, and thank you all for taking 
time to be with us and to give us your expertise and thoughts 
on this issue. So at this time, Ms. Hoffman, I will recognize 
you for a 5-minute opening statement, and I would just point 
out there is a little device on the top of the table that has a 
red, green and yellow light, and when it turns red, we would 
like for you to maybe think about coming to an end, but we 
won't hold strictly to that.
    Ms. Hoffman, you are recognized for 5 minutes.

STATEMENTS OF PATRICIA A. HOFFMAN, ASSISTANT SECRETARY, OFFICE 
 OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, DEPARTMENT OF 
 ENERGY; PAUL N. STOCKTON, ASSISTANT SECRETARY OF DEFENSE FOR 
HOMELAND DEFENSE AND AMERICAS' SECURITY AFFAIRS, DEPARTMENT OF 
DEFENSE; AND JOSEPH H. MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC 
       RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

                STATEMENT OF PATRICIA A. HOFFMAN

    Ms. Hoffman. Good afternoon, Mr. Chairman and members of 
the committee. I would like to extend my thanks to the chairman 
and the esteemed members of the committee for inviting me here 
today to discuss cybersecurity issues facing the electric 
industry, as well as potential legislation intended to 
strengthen protection of the bulk power system and the electric 
infrastructure.
    Ensuring a resilient electric grid is particularly 
important, since it is arguably the most complex and critical 
infrastructure that others depend upon to deliver essential 
services. The Department of Energy's Office of Electricity 
Delivery and Energy Reliability supports the administration's 
strategic, comprehensive approach to cybersecurity, and 
specifically with respect to the electric grid, we recognize 
that our focus should be on seven key areas. One is 
facilitating public-private partnerships to accelerate grid 
cybersecurity efforts; two, funding research and development of 
advanced technology to create secure and resilient electricity 
infrastructure; three, developing cybersecurity standards that 
provide a baseline to protect against known vulnerabilities; 
four, timely sharing of information; five, the development of 
risk management frameworks; six, facilitation of incident 
management and response capabilities; and seven, the 
development of a highly skilled and adaptive workforce.
    Cybersecurity for the electric grid must not only address 
threats and vulnerabilities of traditional information systems 
but also address the unique issues to electric control systems 
such as SCADA systems and other control devices.
    The Cyberspace Policy Review underscores the need to 
strengthen public-private partnerships in order to design a 
more secure technology and improve resilience of the critical 
government and industry systems and networks. As directed by 
HSPD-7, public-private partnerships must be established to 
effectively address national security concerns for critical 
infrastructure. However, private industry alone cannot be 
responsible for preventing, deterring, and mitigating effects 
of deliberate efforts to destroy or exploit critical 
infrastructure systems. Our Office has long recognized that 
neither the government nor the private sector nor individual 
citizens can meet cybersecurity challenges alone. We must work 
together.
    OE supports and funds activities to enhance cybersecurity 
in the energy sector. Nearly all of the cybersecurity 
activities involve public and private partnerships. Through 
partnerships and competitive solicitations with the DOE, 
Department of Energy National Laboratories, industry and 
academia, OE has sponsored research and development of several 
advanced cybersecurity technologies that are commercially 
available, and a couple of these examples include a secure 
serial communications for control system that has been 
commercialized by Schweitzer Engineering Laboratories; a software 
toolkit that provides auditing of SCADA security settings--this 
was commercialized by Digital Bond, which is a small business; 
vulnerability assessments of 38 different SCADA systems; and a 
common vulnerabilities report to help utilities and vendors 
mitigate vulnerabilities found in many SCADA systems.
    Supporting the development of cybersecurity standards--our 
office is collaborating with NIST and other agencies and 
organizations to develop a framework and roadmap for 
interoperability standards that include cybersecurity as a 
critical element. The NIST smart grid interoperability panel 
cybersecurity working group released the Cybersecurity 
Guidelines for the Smart Grid. OE also partnered with leading 
utilities to develop cybersecurity profiles to provide vendor-
neutral actionable guidance to utilities, vendors and 
government entities on building cybersecurity into the smart 
grid components at the development stage including safeguards 
and implementing safeguards when integrated into the grid.
    OE supports continued investment in developing and building 
a cybersecurity workforce within the energy sector. Some 
examples include working with State and local governments and 
agencies to put together technical briefs, education forums, 
workshops and exercises, just to name a few.
    The Department fully supports the administration's proposed 
comprehensive cybersecurity legislation focused on 
cybersecurity for the American people, our Nation's critical 
infrastructure and the Federal Government's own networks and 
computers. Specifically, the administration proposes the 
following legislative changes to enhance protection of critical 
infrastructure: voluntary government assistance to industry, 
voluntary sharing with industry and States and critical 
infrastructure security risk mitigation.
    In conclusion, I would like to thank the committee for its 
leadership in supporting the protection of the bulk power 
system and critical infrastructure against cyber threats. The 
OE looks forward to working with Congress to further the 
dialog, and I would be pleased to answer any questions that you 
may have.
    [The prepared statement of Ms. Hoffman follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you, Ms. Hoffman.
    Mr. Stockton, you are recognized for 5 minutes.

                 STATEMENT OF PAUL N. STOCKTON

    Mr. Stockton. Thank you, Mr. Chairman, Mr. Ranking Member 
and other distinguished members of the committee. I have a 
detailed statement which I will submit for the record, but I 
want to focus on a few key points that I make that I hope will 
be helpful to you as you exercise the leadership that we need 
coming from the House of Representatives and the Congress as a 
whole.
    First of all, the Department of Defense is not in the lead 
for energy security in the United States. For the Federal 
Government, that is my colleagues at the Department of Energy, 
Department of Homeland Security, Department of Defense in 
support of them but let me emphasize, the Department of Defense 
cannot execute its core missions in service of this Nation 
unless we have a secure flow of commercial electric power, and 
that is for a simple reason: the Department of Defense depends 
for its energy 99 percent on the commercial sector. We don't 
own the commercial sector. We never will. We have no regulatory 
authority over it, but we are utterly dependent on the flow of 
that commercial power.
    Let me talk a little bit about why that is the case. In the 
modern way of warfare, since 9/11, our forces deployed abroad 
fighting in Afghanistan and Iraq and operating elsewhere depend 
to an increasing extent on military facilities back here in the 
United States to conduct and support those operations. To 
generate, deploy and operate forces abroad, we depend on 
military facilities in the States represented here today, and 
if there is an interruption in the flow of commercial power to 
those facilities, for a short period they have backup power 
generation but for a longer disruption of the grid we would be 
facing a situation of potentially devastating effects on our 
conduct of defense operations abroad, and we could face serious 
challenges at home. I will talk about those consequences in a 
moment, but first I want to talk a little bit about the nature 
of the threat.
    First of all, the cyber threat is something we take very, 
very seriously. That is why I am so strongly in support of the 
administration's cybersecurity legislative proposal. But I want 
to emphasize that cyber is only one of the threat vectors that 
the Nation faces. Simple kinetic attacks intelligently 
conducted by the adversary could have significant disruptive 
effects on the flow of commercial power to Department of 
Defense facilities in the United States. We heard Congressman 
Franks speak eloquently about the risk of solar flares, again, 
something we take very, very seriously. But Mr. Chairman, 
looking at you and the ranking member, the States that you are 
from as well as other States represented here, I would like to 
turn for a moment to the New Madrid fault and the threat that 
earthquakes pose as sort of a representative way of looking at 
the nature of natural hazards. In the national-level exercise 
we just conducted 2 weeks ago that posited for its scenario a 
7.7 earthquake on the New Madrid fault, our friends at NERC 
estimated that there would be a multi-State long-term power 
outage, long term, weeks, potentially months, rolling blackouts 
in Chicago and in the East Coast, and what I would like you to 
think about is the downstream effects of such an event, both on 
critical Department of Defense operations in Fort Campbell, for 
example, everyplace else, all the facilities are represented 
here today, but also in the immediate area. Two things to think 
about. First of all, the way that the loss of electric power 
would magnify the scale of the catastrophe to which we would 
all be responding. Municipal water systems in Memphis and 
elsewhere, they depend on the flow of commercial power. When 
that power stops, drinking water gradually gets turned off, and 
in a situation like the New Madrid fault, gas lines are going 
to be broken, fires are going to be breaking out, where is the 
water pressure to fight those fires. Where is the gas to fuel 
the trucks that will be going to fight the fires or collect 
water elsewhere, because of course as you all know, gas pumps 
and diesel pumps, they run on electric power. We would very 
quickly be in a situation where we need to get emergency diesel 
power flowing to nuclear power plants, State emergency 
operations centers, everything else required to deal with the 
disaster, and this would be in a situation where roads and 
bridges are down and there is so much demand for backup diesel 
power compared to the amount of diesel fuel that is 
prepositioned at these facilities.
    These are examples of the kinds of ways in which a disaster 
would be magnified but I am looking at it from an additional 
perspective. The Department of Defense would be supporting the 
governors of your States through FEMA, of course, and there 
would be big demand on the Department of Defense to provide 
additional support at the same time that our response 
operations would be severely disrupted. With the loss of 
electric power, how are we going to receive the massive forces 
that would be coming in at the request of governors? How are we 
going to stage them, move them forward? These are challenges 
that we need to take on very, very seriously.
    Now, the Department of Defense is doing so, and what I 
wanted to do briefly is talk about some of the remediation 
efforts we are taking. First of all, we are working closely 
with the Department of Energy to partner together in the 
Federal Government so we can reach out to industry and find out 
how we can work together with industry to provide industry with 
what we would call a better design basis to ensure the 
resilience of the electric power grid against all of these 
hazards. I believe today's power grid has very strong 
resilience but it is not designed for the kinds of threats that 
we are talking about today, above all, cyber or carefully 
designed kinetic attacks. We need to work together with 
industry to find a way to enable them to build more resilience 
into the grid and then inside the Department of Defense family, 
we need to do a better job of securing the flow of electric 
power to our critical defense facilities in all of the States 
represented here today to make sure that single points of 
failure on the flow of electric power coming in, we take care 
of those problems and we remedy those in partnership with the 
utilities in the same neighborhoods as our military facilities.
    Mr. Chairman, I look forward to answering your questions.
    [The prepared statement of Mr. Stockton follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you, Mr. Stockton.
    Mr. McClelland, you are recognized for a 5-minute opening 
statement.

               STATEMENT OF JOSEPH H. MCCLELLAND

    Mr. McClelland. Thank you. Mr. Chairman and members of the 
committee, thank you for the privilege to appear before you 
today to discuss the security of the power grid. My name is Joe 
McClelland and I am the Director of the Office of Electric 
Reliability at the Federal Energy Regulatory Commission. I am 
here today as a commission staff witness, and my remarks do not 
necessarily represent the views of the commission or any 
individual commissioner.
    In the Energy Policy Act of 2005, Congress entrusted the 
commission with a major new responsibility: to oversee 
mandatory, enforceable reliability and cybersecurity standards 
for the Nation's bulk power system. This authority is in 
section 215 of the Federal Power Act. It is important to note 
that FERC's authority under section 215 is limited to the 
``bulk power system,'' which excludes Alaska and Hawaii, 
transmission facilities in certain large cities such as New 
York, as well as local distribution systems. Under section 215, 
FERC cannot author or modify reliability or cybersecurity 
standards but must depend upon an electric reliability 
organization, or ERO, to perform this task. The commission 
selected the North American Electric Reliability Corporation, 
or NERC, as the ERO. The ERO develops and proposes 
cybersecurity standards or modifications for the commission's 
review, which can then either approve or remand. If the 
commission approves the proposed cybersecurity standard, it 
becomes mandatory in the United States, applying to the users, 
owners and operators of the bulk power system. If the 
commission remands a proposed standard, it is sent back to the 
ERO for further consideration.
    Pursuant to its responsibility to oversee the reliability 
and cybersecurity of the power grid, in January of 2008 FERC 
approved eight cybersecurity standards known as the critical 
infrastructure protection, or CIP standards, but also directed 
NERC to make significant modifications to them. Compliance with 
these eight CIP standards first became mandatory on July 1, 
2010. Although NERC has filed and the commission has approved 
some modification to the CIP standards, the majority of the 
commission's directed modifications to the CIP standards have 
not yet been addressed by NERC. It is not clear how long it 
will take for the CIP standards to be modified to eliminate 
some of the significant gaps in protection within them.
    On a related note, as smart grid technology is added to the 
bulk power system, greater cybersecurity protections will be 
required, given that this technology provides more access 
points thereby increasing the grid's vulnerabilities. The 
cybersecurity standards will apply to some but not most smart 
grid applications.
    Moreover, there are non-cyber threats that also pose 
national security concerns. Naturally occurring events or 
physical attacks against the power grid can cause equal or 
greater destruction than cyber attacks, and the Federal 
Government should have no less ability to protect against them. 
One example is electromagnetic pulse, or EMP. An EMP event 
could seriously degrade or shut down a large part of the power 
grid. In addition to manmade attacks, EMP events are also 
naturally generated, caused by solar flares disrupting the 
earth's magnetic field. Such events are inevitable, can be 
powerful, and can also cause significant and prolonged 
disruptions to the grid. In fact, FERC, DHS and DOE recently 
completed a joint EMP study through the Oak Ridge National 
Laboratory. The study evaluated both manmade and naturally 
occurring EMP events to determine their effects on the power 
system and to identify protective mitigation measures that 
could be installed. Included among its findings was that 
without effective mitigation, if the solar storm of 1921, which 
has been termed a one-in-100-year event, were to occur today, 
well over 300 extra high-voltage transformers could be damaged 
or destroyed, thereby interrupting power to 130 million people 
for a period of years. Although section 215 of the Federal 
Power Act can provide an adequate statutory foundation for the 
development of routine reliability standards for the bulk power 
system, a threat of cyber attacks or other intentional 
malicious acts against the electric grid is different. These 
are threats that can endanger national security that may be 
posed by criminal organizations, terrorist groups, foreign 
nations or others intent on attacking the United States through 
its electric grid. Widespread disruption of electric service 
can quickly undermine our government, our military, our economy 
as well as endanger the health and safety of millions of our 
citizens. Given the national security dimension to this threat, 
there may be a need to act quickly, to act in a manner where 
action is mandatory rather than voluntary and to protect 
certain information from public disclosure. Faced with a cyber 
or other national security threat to reliability, there may be 
a need to act decisively in hours or days rather than weeks, 
months or years. The commission's legal authority is inadequate 
for such action.
    New legislation should address several key concerns. First, 
FERC should be permitted to take action before a cyber or 
physical national security incident has occurred. Second, FERC 
should be allowed to maintain appropriate confidentiality of 
security-sensitive information. Third, the limitations of the 
term ``bulk power system'' should be understood as our current 
jurisdiction under 215 does not apply to Alaska and Hawaii as 
well as some transmission facilities and all local distribution 
facilities. Fourth, entities should be able to recover costs 
they incur to mitigate vulnerabilities and threats. And 
finally, any legislation on national security threats to 
reliability should cover not only cybersecurity threats but 
also natural events and intentional physical malicious acts 
including threats from an EMP. The GRID Act draft addresses 
many of these issues.
    Thank you for your attention today, and I look forward to 
any questions that you may have.
    [The prepared statement of Mr. McClelland follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Well, thank you all for your testimony.
    Many of you heard Congressman Franks and Mr. Langevin also 
talk about the need to expand. I noticed the White House in 
their cybersecurity proposal is exactly that, is focused only 
on cybersecurity, and that was a suggestion that Mr. Franks 
made that let us do cybersecurity in one bill and let us 
address the other issues in a separate bill. Do you all have 
any thoughts as far as strategy, that that is something the 
committee should attempt to do, or not? Ms. Hoffman.
    Ms. Hoffman. As was mentioned earlier, cybersecurity is a 
difficult and complex issue, and EMP and other issues are 
different in nature, although the impact to the country can be 
devastating, either one, so in order to tackle things one at a 
time, the administration is looking just comprehensively at the 
cyber legislation individually.
    Mr. Whitfield. OK. Mr. Stockton, do you have a comment?
    Mr. Stockton. Yes, sir. I think that the cyber legislation 
proposed by the administration is a critical step towards 
protection of infrastructure as a whole and would greatly benefit 
the energy sector as well. Clearly, there are threats that we 
have been discussing that wouldn't be encompassed by this 
legislation but it is a critical building block on which we 
need to make progress.
    Mr. Whitfield. Right. Mr. McClelland?
    Mr. McClelland. I don't see where the administration's bill 
would conflict with the GRID Act. The administration's bill 
provides a broad umbrella to partner with industry to bring the 
practices to a higher level. The commission's authority under 
215 doesn't have to conflict with that concept, and in fact, 
any further enhancement of the commission's authority or any 
regulatory authority may actually complement that concept.
    Mr. Whitfield. Well, you know, Mr. Langevin pointed out the 
need to expand from bulk systems to expand your section 215 
authority. Do all of you agree that that should be done? I am 
assuming you do, Mr. McClelland.
    Mr. McClelland. As I pointed out in my testimony, the 
commission, you know, our position or my position is that the 
distribution systems aren't covered and so we wish to point out 
that if the term ``bulk power system'' is followed, there would 
be significant pieces of the power grid that would not be 
protected if the GRID Act passes, either from a cybersecurity 
or physical perspective.
    Mr. Whitfield. Mr. Stockton, do you or Ms. Hoffman have any 
comments on that part?
    Ms. Hoffman. I think it is important to take a holistic 
look at cybersecurity. As you look at the administration's 
proposal, it wants to take a comprehensive approach so that 
would include entities that would be defined as critical 
whether they are in the bulk power system or at the 
distribution. The important thing to note is, we need everybody 
to understand how to advance cybersecurity procedures and 
postures, and I would say that includes State governments as 
well as any Federal action.
    Mr. Whitfield. How would you all describe the coordination 
between DOE, DOD and FERC today on these types of issues?
    Ms. Hoffman. The coordination between DOD and DOE primarily 
looks at defense facilities and the interface with the energy 
sector. We do provide some support work on studies and looking 
at the interdependency between the energy sector and the 
defense. We are looking at micro grids. We are looking at 
advanced technologies in support of the defense facilities. Our 
coordination with FERC provides tools and technologies to look 
at improved reliability for the electric sector. We do 
coordinate it with information sharing to the extent possible, 
looking at technologies that will actually improve the posture 
of the system. So the coordination with FERC is, they are a 
regulatory entity. The Department of Energy funds public-
private partnerships so in a sense, we are incentivizing 
changes within industry, and FERC looks at regulating aspects 
of industry.
    Mr. Whitfield. Does anybody else have any comment?
    Mr. McClelland. I would say there are formalized 
mechanisms, as Ms. Hoffman pointed out. There are formalized 
mechanisms such as the government coordinating council, where 
the Department of Energy sits as the energy sector lead. FERC 
participates in those formalized initiatives with the other 
agencies. In addition, we have excellent working relationships 
on an informal or an impromptu basis with the Department of 
Energy, the Department of Defense, Department of Homeland 
Security, CIA, NSA and NRC. So we reach out as necessary to 
either borrow expertise or provide expertise pursuant to power 
grid and individual needs on the grid.
    Mr. Whitfield. When we talk about cybersecurity attacks, in 
the United States I am not aware of any major attack, and 
internationally, what comes to my mind is the Stuxnet in Iran 
which basically shut down some of their nuclear power systems. 
Are you aware of any other major cybersecurity attacks that 
have had significant impact?
    Ms. Hoffman. I am not aware of any major significant 
attacks. Stuxnet was a very complex attack within the nuclear 
sector. The issue or the focus that we have is, there are 
incidents that may occur, and we need to be prepared to be able 
to respond to those incidents quickly and promptly, and so as 
we move forward, it is looking at, how do we have an incident 
management plan or an incident response plan to be able to 
address the event quickly, so looking at information exchange, 
diagnostics, and the ability to deter and prevent any further 
damage.
    Mr. Whitfield. OK. Mr. Rush, you are recognized for 5 
minutes.
    Mr. Rush. Thank you, Mr. Chairman.
    First of all, I want to thank the witnesses. In the last 
Congress, when we worked on this issue in a bipartisan manner, 
the administration provided the members of this committee with 
a classified briefing that helped us understand the 
vulnerabilities to our electric grid and actions needed to 
protect that same grid, and I just have to ask each of you, in 
light of the fact that we have some new members, a lot of new 
members on this subcommittee, will each of you agree to at a 
time determined by the chairman to return and brief the members 
of this committee again on the vulnerabilities of our 
cybersecurity area? Will each of you do that?
    Ms. Hoffman. Yes, sir.
    Mr. Stockton. Yes.
    Mr. McClelland. Yes.
    Mr. Rush. Well, let me just ask Ms. Hoffman, you seem to 
feel as though, the impression that I get is that you seem to 
feel as though OK, this is a step in the right direction but it 
is narrow, and what the administration is looking at is a much 
broader view. They are taking a more universal, a broader view 
of this particular issue. If you were to overlay the 
administration's efforts on this bill, this proposal and the 
GRID Act, what would we see and what would you see as being 
some of the most significant differences?
    Ms. Hoffman. The administration's proposed discussion draft 
focuses on several things. It looks at criminal aspects with 
respect to criminal charges and enforcement. It looks at 
voluntary information sharing. It looks at voluntary 
assistance. So it is building a public-private partnership to 
actually build capabilities in support to the industry sector, 
which is critically needed at this point in time. It also looks 
at the ability to develop plans, risk-based plans. Now, most of 
the critical infrastructure definition and the development of 
risk-based plans will of course be done through a rulemaking 
process through DHS, but the administration has taken a 
holistic approach of trying to get all the sectors up to a 
cybersecurity baseline performance.
    Now, in deference to the GRID Act, which is focusing on 
transformers, EMP, it is focusing on emergency and standard 
development, which is a slightly different approach from what 
the administration's position is but both those could be worked 
for complementary efforts.
    Mr. Rush. Do any of the other witnesses have any comments 
on this?
    Well, let me ask you this. It seems as though--I know my 
State, as I indicated earlier, yesterday the members of the 
general assembly passed smart grid regulations, and it seems as 
though some of the States are starting to move on their own, 
but the administration has a discussion draft or a pending 
bill, and I am not sure whether or not these States who are 
starting to take actions are basing any of their efforts on 
what the administration is ultimately looking at. So how much 
cooperation, how much sharing of information, how much 
enlightenment is the administration providing to these States 
so they won't have to come back and redo whatever legislation 
they might pass prior to the administration getting its bill 
passed, and what is the status of the administration's proposal 
right now? There are two points there. Ms. Hoffman? You might 
want to----
    Ms. Hoffman. The status is, it is a discussion draft and 
the administration is looking forward to working with Members 
of Congress to continue that discussion, to advance the 
components of that discussion draft. With respect to smart 
grid, there are security profiles and standards that are 
currently under development to provide security within the 
devices as they are being built, so we are working 
cybersecurity standards with the development of device as we 
deploy and implement smart grid technologies.
    One of the things that we are trying to do is provide 
improved system performance, which can aid and provide benefit 
for restoration time, outage management, so more preventive 
versus looking at the consequences if an event occurs.
    Mr. Rush. Gentlemen, my time is up.
    Mr. Whitfield. Thank you, Mr. Rush.
    At this time I recognize the gentleman from West Virginia, 
Mr. McKinley, for 5 minutes.
    Mr. McKinley. Thank you, Mr. Chairman.
    Ms. Hoffman, I wasn't here when this bill passed last year, 
but I am curious if you could walk me through it or maybe 
someone else on the panel perhaps. The way I am reading this, 
the GRID Act, is we start with subsection A of definitions and 
then we move into B, which is emergency response measures, and 
that refers very specifically to security threat, and under 
that subsection B, it has a subsection 6 which has cost 
recovery. So there is a vehicle, a mechanism to recover cost 
for threat. Then if we can skip C just for the moment that has 
to do with vulnerability, and then you go to D, which is called 
critical defense facilities. Under critical defense facilities, 
there is a subsection on page 15 about cost recovery. I am just 
curious, back on the one I skipped over, C, that is the section 
that refers to grid security vulnerabilities. Under 
vulnerabilities, there is no cost recovery by this particular 
piece of legislation. Was that intentional, that 
vulnerabilities would not be able to recover the costs, the 
utility companies and anyone else would not be able to recover 
their costs? I am sorry I singled you out but I don't care who 
answers the question.
    Mr. McClelland. I can take a shot at that. I believe you 
are correct. I believe that threats are singled out for cost 
recovery. I believe under the 100 most critical facilities for 
the DOD, the user is required to pay for any upgrades or any 
enhanced measures. I didn't see cost recovery for 
vulnerabilities either.
    Mr. McKinley. Does that make any sense to you, that there 
is someone that could have the expense, if you read down 
through all the issues that you have for if nothing else the 
large transformer availability. There would be no way to 
recover the cost to having that on board.
    Mr. McClelland. Right. Well, we have consistently said at 
the commission that we think that there must be three aspects 
if you would like to have someone move on one of these issues. 
One is, you have got to identify priorities, second, you have 
to identify mitigation, and third, you have to provide cost 
recovery.
    Mr. McKinley. So are you in agreement then we probably 
should have some cost recovery under vulnerabilities?
    Mr. McClelland. Personally, I would say yes.
    Mr. McKinley. Do the rest of you have any problem with cost 
recovery under vulnerabilities?
    Ms. Hoffman. We don't have any problem on cost recovery. 
Just recognize cost recovery, no matter what the actions are, 
is going to be recovered somewhere from the ratepayers, from 
the entities that are being protected. So eventually----
    Mr. McKinley. So if the others are very clear--I am not an 
attorney, I am an engineer. It just tells me when you leave 
something out, it looks like we have left it out deliberately.
    There was another line that I caught under, I think it 
might have been page 8, yes, page 8 on line 22. It talks about 
there under cost recovery, only those that were substantial 
costs. Could we get that clarified somehow? Can you all help us 
with some language that might be more appropriate to define 
what substantial costs would be?
    Mr. McClelland. Sorry. Were you looking for a comment 
there?
    Mr. McKinley. Given the time, no. I hope that we can get 
something back on that.
    The last is a little bit of concern, Ms. Hoffman, to your 
answer. So much of our defense is actually overseas, and we are 
going to be very reliant on the other countries' responses to 
threats and vulnerability. You said we would respond quickly. 
And you said you didn't know of any attack. Do we have any 
evidence of probing, inquiries, photography, suspicious work? 
Is there something going on? Because it is one thing to have an 
attack. The other is someone in preparation for it. Can you 
share any----
    Ms. Hoffman. I just don't have any information on that.
    With respect to overseas, my focus is on the domestic U.S. 
infrastructure so I----
    Mr. McKinley. What should we do then overseas if we know 
that is certainly a possibility with the terrorism that is 
going on? Do we just simply rely on the other countries to 
provide the same type of responses to threats and vulnerability 
and then we react after it has happened, or what role do you 
see us playing in trying to promulgate something now?
    Ms. Hoffman. With respect to international grid structures, 
you know, Europe has their own sort of response mechanisms for 
any sort of emergency that happens on their system. I have to 
admit that I don't have a great insight or detail on how we 
should respond for an overseas issue.
    Mr. McKinley. I know I am running over on time. Is there 
some way we could maybe work something like that into here, 
something you could provide to us later to how we might be able 
to integrate both the European and the American grid together, 
at least in terms of cybersecurity? Thank you very much.
    Mr. Whitfield. Did you want to respond, Ms. Hoffman?
    Ms. Hoffman. Yes, I am willing to have further dialog. 
Thank you.
    [The information follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. At this time I recognize the gentleman from 
Massachusetts, Mr. Markey, for 5 minutes.
    Mr. Markey. Thank you, Mr. Chairman, very much. Thank you 
for having this very important hearing, and thanks to Mr. 
Franks and everyone else who is here for their interest in this 
issue.
    Chairman Upton has continued his efforts on the bipartisan 
GRID Act, which I introduced with him in the last Congress. 
That legislation passed the House on suspension one year ago 
today, and Mr. Upton and I worked together in a bipartisan 
fashion to pass the bill a year ago, and I think this is a 
perfect example of bipartisanship because, remarkably, 99 
percent of the electric energy used to power our military 
facilities including critical strategic command assets comes 
from the commercially operated grid, and over the last several 
years, the grid's vulnerability to cyber threats has come into 
sharp focus. The Department of Homeland Security revealed the 
so-called aurora vulnerability through which hackers could use 
communications networks to physically destroy electric 
generators, transformers and other critical assets.
    Just over a week ago, Lockheed Martin suffered what it 
called a significant and tenacious cyber attack on its system, 
and in today's Wall Street Journal, a description of the 
Defense Department's cybersecurity plan has a military official 
quoted as saying that if a terrorist or other adversary shuts 
down our power grid, maybe we will put a missile down one of 
your smokestacks. Unlike the frequent outages experienced by 
Pepco's customers every time the Washington, D.C., area 
experiences a serious storm, a coordinated attack on the grid 
could literally shut down the U.S. economy, putting lives at 
risk and costing tens of billions of dollars. Damage from such 
an attack could take months or even years to recover from.
    Moreover, recovery from such an event may not just be a matter of 
rebuilding. Three nuclear reactors in Japan have suffered near-
complete core meltdowns after the earthquake caused a loss of 
electricity needed to cool them down. Unit 1's meltdown likely 
began just a few short hours after the earthquake, tsunami and 
blackout. The hot radioactive fuel is believed to have burned 
holes that are as much as 10 centimeters wide through the 
pressure vessels. It is expected to take months to stabilize 
the reactors and decades to clean up the damage that the 
meltdown caused. And Mr. Stockton mentioned that the power 
outage risk associated with earthquakes near the New Madrid 
fault line is notable because there are extra nuclear reactors 
located near it, and those several reactors could be 
vulnerable.
    So Mr. McClelland, let me ask you this. Here in the United 
States in the past 8 years, there have been at least 69 reports 
of emergency diesel generators failing at 48 nuclear reactors. 
Nineteen of these failures lasted for more than 2 weeks, and 
six lasted longer than a month, and there aren't any 
requirements that spent nuclear fuel pools have backup power at 
all when there is no fuel in the reactor core. Clearly, a 
blackout could cause a meltdown in this country too.
    Mr. McClelland, do you believe that the portions of the 
grid that supply electricity to our nuclear reactors, that is, 
electricity to the reactor, not from the reactor, are more 
secure than the rest of the grid?
    Mr. McClelland. The commission has been working with the 
Nuclear Regulatory Commission on this issue, and there are 
three sources of power. There is the offsite power, that you 
just asked about, the on-site diesel generators----
    Mr. Markey. So they are more secure? Are you saying they 
are more secure?
    Mr. McClelland. There are agreements in place between the 
Nuclear Regulatory Commission----
    Mr. Markey. No, but today, are they more secure than 
the rest of the system, or not?
    Mr. McClelland. In many cases, no.
    Mr. Markey. No. The answer is no. Thank you.
    Mr. McClelland, since the legislative hearing this 
committee held in October of 2009, have sufficient measures 
been put in place to secure the American electrical grid from 
cyber and physical attack?
    Mr. McClelland. There has been some progress on the NERC 
standards, some submission as far as----
    Mr. Markey. Have sufficient measures been put in place? 
``Sufficient'' is the key word at this point.
    Mr. McClelland. We have issued inquiries to the NERC.
    Mr. Markey. So are you saying there are sufficient----
    Mr. McClelland. There have been some filings made and we 
are checking the status of those filings to see whether or not 
they do indeed represent progress.
    Mr. Markey. Well, let me ask you this. Given that the 
number of cyber access points to the grid is increasing 
rapidly with the growth of smart grid applications, do you 
believe the threat facing the grid is greater or less than it 
was a year ago when the House overwhelmingly passed grid 
security legislation, given the fact that a smart grid actually 
winds up with no vulnerabilities, ironically.
    Mr. McClelland. Yes, the threats are greater.
    Mr. Markey. So you think there could be greater 
vulnerability?
    Mr. McClelland. Undoubtedly, yes.
    Mr. Markey. Do you believe that the way the grid security 
standards are currently set is even capable of leading to the 
rapid adoption of standards that are sufficient to respond to 
the threat that our grid faces?
    Mr. McClelland. The commission has said on numerous 
occasions that when it comes to national security, the 
standards development process is too slow, it is too open and 
it is too unpredictable.
    Mr. Markey. Mr. Stockton, do you agree with that?
    Mr. Stockton. He is better positioned to assess the 
adequacy of the regulatory environment.
    Mr. Markey. Ms. Hoffman?
    Ms. Hoffman. There is room for improvement.
    Mr. Markey. OK. Thank you, Mr. Chairman.
    Mr. Whitfield. Mr. Terry, you are recognized for 5 minutes.
    Mr. Terry. Thank you.
    Mr. McClelland, in the SHIELD Act versus the GRID Act, on 
FERC authority, do you feel that you need additional level of 
authority to respond to a national security threat? Can you be 
more specific in that? Then on the flip side of that additional 
authority is how we balance that with State regulatory 
entities.
    Mr. McClelland. The SHIELD Act provides the commission with 
a proviso that if it finds the NERC standard insufficient, it 
can author a measure to put into place to address a security 
vulnerability. The commission currently under the 215 process 
cannot author or modify reliability standards. We can't author 
or modify NERC alerts. We can provide input but we cannot 
author or modify. I feel it is important that the commission be 
given that direct authority to be able to order interim 
measures or measures to be put into place, to write those 
measures and to direct that they put into place to address 
vulnerabilities to the bulk power system or threats.
    Mr. Terry. And in regard to that, do you foresee any 
difficulties then working with State regulatory agencies on the 
same issues?
    Mr. McClelland. I think it is going to be very important 
that the commission coordinate not only with the State 
regulatory agencies but with the electric reliability 
organization and with the affected entities that the commission 
communicates with, so yes, I think it is very important.
    Mr. Terry. Ms. Hoffman, do you have any thoughts in regard 
to the additional jurisdictional request?
    Ms. Hoffman. I think it is absolutely important for the 
Federal FERC to coordinate with the State entities in looking 
at cybersecurity vulnerabilities, mitigation measures, 
solutions, because as we move forward, the more educated and 
consistent we are across the board as we take a comprehensive 
approach, the more it will benefit not only the electric sector 
but other sectors that may have the involvement with States or 
other entities.
    Mr. Terry. All right. Thank you.
    The other question I have in regard to the hardening of the 
grid, what type of hardware solutions exist out there? Would 
you have under the SHIELD or GRID Act the appropriate ability, 
authority to, for want of a better word, mandate the technology 
and is there any conclusions on what the costs would be 
nationally to adopt the hardware solutions? Mr. McClelland?
    Mr. McClelland. There are several different aspects of 
electromagnetic pulse. If we confine the discussion to the 
high-altitude electromagnetic pulse from a nuclear detonation, 
that is a good example because it includes all three 
components. E1 is a high-energy radiofrequency burst. E3 is a 
ground-induced current. The ground-induced currents attack bulk 
power system transformers. They find their way onto the bulk 
power system transformers and destroy those transformers very 
quickly. One tried-and-true method is series compensation, that 
is to say putting capacitors in the line. That stops the flow 
of ground-induced current, assuming there are no parallel paths 
to that line.
    Back to E1, it is more difficult. It is more challenging. I 
did receive some information recently from an Israeli scientist 
that shows promising technology for erecting a Faraday cage. A 
Faraday cage would block the E1 component, and it is simply 
spray-on, metallic spray-on coating that looks very promising 
in this area. So there is development that has been undertaken. 
There are others in the world that have deployed effective 
mitigations against electromagnetic pulse. We have not done so 
in this country.
    Mr. Terry. At what cost?
    Mr. McClelland. I can get back to you with those numbers. I 
do have those numbers but not at my fingertips. And I will just 
say this right up front. I think E1 is more challenging but I 
do have numbers also for E1 that I can get back to you.
    [The information follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Terry. Mr. Stockton or Ms. Hoffman? Ms. Hoffman first.
    Ms. Hoffman. I would just add to that, Joe adequately 
talked about some of the hardening-type activities that could 
be done. The other thing to keep in mind is the current state 
of health of the transformers. You can do some hardening, but 
if the current health of the transformer is not where it should 
be, there will be vulnerability, so also assessing the current 
health of the transformer will also impact to what level of 
deterrence or capability they have to withstand an EMP or 
geomagnetic solar flare. Some of the things that we need to ask 
is, how much do we want to harden against? Are we talking about 
a 200-amp thing or what is currently tested up to as an 80 amp? 
The other thing, do we have enough manufacturing capability of 
transformers in the United States? As we look at it, hardening 
is only one solution and there are several sets of solutions 
that we must keep in mind.
    Mr. Stockton. Let me follow up. Building resilience into 
the system so we can provide for a rapid return of 
functionality, that is another alternative to hardening. We 
need to be able to ensure that we can from a Department of 
Defense perspective get back to conducting our core missions no 
matter what. Sometimes hardening will be the best, most cost-
effective approach. Other times, quick restoration of enough 
power to do the bare minimum to operate those core functions, 
that makes better sense from a cost-effective perspective.
    Mr. Whitfield. Ms. McMorris-Rodgers is recognized for 5 
minutes.
    Mrs. McMorris-Rodgers. Thank you, Mr. Chairman, and thanks 
to all the witnesses for being here today. I appreciate your 
testimony. And we have certainly heard about the 
vulnerabilities and it suggests that there does need to be 
better coordination between the private sector and the 
government.
    Commissioner McClelland and the rest of the panel, what are 
the standard operating procedures for an agency that has 
regulatory or other authority over a critical sector of our 
economy when a credible threat is received? For example, how 
does FERC communicate? Does it direct NERC to issue standards? 
How are those standards communicated to users of the system and 
what is the protocol for NERC?
    Mr. McClelland. If I might start with a correction, it is 
Mr. McClelland. I am not a commissioner.
    Mrs. McMorris-Rodgers. Oh, yes, that is right.
    Mr. McClelland. Thank you. I will answer your question by 
saying it depends on the issue. If it is an urgent matter that 
affects just a few entities, it may be very appropriate--and 
the commission has done this--to bring in members of the 
affected utility who have security clearances, brief them in 
detail on the perceived vulnerability or threat and work out a 
tabletop solution as to how they might increase their 
preparedness for some interim period of time. It wouldn't be 
appropriate, necessarily appropriate to try to develop a 
standard around a very sophisticated targeted threat that 
exploits a vulnerability with a handful of entities.
    If it is a larger issue, the commission engages in a 
rulemaking procedure and so the commission would order NERC 
either upon a filing or upon its own motion to address a 
specific issue, a security issue. NERC would then receive the 
order, engage industry through industry volunteers and a 
standards development process. That process routinely takes 
years. At the end of that time period, NERC would submit a 
standard and the commission would be in the position to either 
approve the standard, at which time it would become mandatory, 
enforceable, or to remand the standard for further work at 
which time NERC would take it back, consider the commission's 
comments and continue to pick up that issue and work on a 
standard.
    Ms. Hoffman. If I may add to that?
    Mrs. McMorris-Rodgers. Please.
    Ms. Hoffman. With respect to a cyber event, generally we 
follow the national cybersecurity response framework, but cyber 
events will generally be coordinated through US CERT. They will 
go through some analysis and forensics. They will bring in the 
Energy Sector Coordinating Council as well as the Government 
Coordinating Council. They will do risk and consequence 
analysis to determine how is that going to impact the sector, 
share it with the industry, the information that is available, 
and then be able to actually move forward with the industry's 
help on mitigation measures. So it is really key to having that 
information sharing and that quick response capability that is 
very important.
    Mr. McClelland. May I add just one thing to that?
    Mrs. McMorris-Rodgers. Please.
    Mr. McClelland. The only action that is mandatory is a 
standard. Until such time as the ERO or NERC develops a 
standard, submits it to the commission and it is approved, 
nothing is mandatory. So there are some other interim actions. 
NERC could issue an alert, for instance. It could be an 
advisory or a recommendation or an essential action. None of 
those would be mandatory but they do show levels of increasing 
urgency. NERC can convey the information to the industry, ask 
for a follow-up response and they communicate to the industry 
the importance of those levels. But outside of a standard, 
nothing is mandatory.
    Mrs. McMorris-Rodgers. Do you believe that the current 
system is effective, and how could it be enhanced?
    Mr. McClelland. I think that the current system can be 
effective for routine reliability matters, tree trimming for 
instance, but when it comes to national security issues, these 
are fast-moving, very sophisticated, sometimes highly targeted 
situations and we have come to the conclusion that no, the 
standards development process is not adequate to address these 
types of issues. Although it can raise the bar to narrow the 
universe of attackers, it is not adequate in the case where 
national security is jeopardized to use the standards 
development process.
    Ms. Hoffman. If I may add, there is room for improvement. 
From the perspective, we need to do a better job with respect 
to information sharing. That goes back to what is in the 
administration's comprehensive bill as well as this is looking 
at protection of information. That information sharing is a key 
critical component to getting to an effective response and 
mitigation measures whether it is done by the industry by 
themselves or it is actually looked at from a different action 
point of view.
    Mrs. McMorris-Rodgers. Thank you, everyone.
    Mr. Whitfield. Thank you.
    Mr. Olson, you are recognized for 5 minutes.
    Mr. Olson. Thank you, Mr. Chairman, and I would like to 
welcome the witnesses and thank you all for coming and giving 
us your expertise and your time.
    I have got a couple of questions for you, Mr. McClelland, 
and you, Ms. Hoffman. Specifically, if the FERC and the DOE had 
to order a generating unit to operate for reliability purposes 
or in an emergency situation and doing so would result in that 
unit exceeding an environmental permit limit, would FERC or DOE 
indemnify the unit operator from any and all agency action or 
private citizen lawsuit liability?
    Ms. Hoffman. I will get back to you for further 
clarification, but it is my understanding, we do not have 
jurisdiction over another agency's fines, penalties, 
regulations.
    [The information follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Olson. Mr. McClelland?
    Mr. McClelland. The commission has acted in conjunction 
with DOE on one other occasion, to my memory. It was the first 
time that section 207 in the Federal Power Act had been 
invoked. DOD invoked section 202. In that particular case, 
there were generating units serving the Washington, D.C., 
region and transmission upgrades that needed to be performed. 
In that case, however, both DOE and FERC did not need to 
conflict or clash with the environmental regulations. So I know 
of no case where that has already occurred but I can certainly 
posit that back to our general counsel and we can answer that 
question for you.
    Mr. Olson. Thank you for that. I just want to know, you 
know, what could happen? What is the realm of possibility to a 
company that obeys orders from you but in doing so exceeds 
some environmental limitations from some other agency? I mean, 
this is a serious problem. If you tell them to do this because 
there are reliability issues or emergency situations, by gosh, 
they are going to do that and that is the right thing to do, 
but certainly we don't want to have any exposure to them for 
doing with one arm what the government is telling them to do 
and the other arm says no, you guys exceeded some permitting 
process, we are going to punish you for doing that. I mean, 
again, I greatly appreciate your answers to those questions 
because I have had some operators back home in Texas ask me 
these exact questions because we have many, many natural 
disasters--hurricanes, tornadoes, you know, freezes, all of the 
above--that impacted sometimes our reliability of our grid, and 
I know there are differences between some of our systems in 
Texas but again, we do have some people out there who are very 
concerned about this, and I would appreciate an answer to those 
questions.
    That is all I have. I yield back my time, sir. Thank you.
    Mr. Whitfield. Thank you, Mr. Olson.
    Thank you all very much for taking the time to come and 
testify. We appreciate your input and look--yes?
    Mr. Rush. Mr. Chairman, if I might, this is something that 
is kind of gnawing at me. I tried to get to this issue in my 
line of questioning. Is there an administration bill and has 
that bill been filed in the Senate? I know it is not in the 
House.
    Mr. Whitfield. Well, they may be able to answer you. It was 
my understanding, and I may be wrong, that Mr. Rockefeller had 
introduced a bill similar to the administration's request, but 
maybe they can answer it.
    Mr. Rush. Is that the bill, Ms. Hoffman?
    Ms. Hoffman. I don't have explicit knowledge. All I have 
right now is the discussion draft, so I am just not aware.
    Mr. Whitfield. Do you know, Mr. Stockton?
    Mr. Stockton. The same discussion draft.
    Mr. Whitfield. Do you know, McClelland?
    Mr. McClelland. Sorry, it is the same.
    Mr. Whitfield. So the White House doesn't talk to you any 
more than it talks to us, right? We will find out.
    Mr. Markey?
    Mr. Markey. Can I just be recognized for 2 additional 
minutes to ask--I just have another question or two.
    Mr. Whitfield. Without objection, I will give you 2 
additional minutes.
    Mr. Markey. I thank the chairman very much.
    This is a very serious threat to our country. We know that 
al Qaeda and others target us and we know that there are many, 
many PhDs inside of al Qaeda, whether we like it or not. That 
is what we found in Boston when Mohammad Atta and those other 
nine were up there in my district plotting on hijacking those 
two planes in my district. They were well-educated people, very 
smart. They tried to find the aperture, and they found out in 
the aviation system. They are very technically sophisticated 
people. That is the one thing we did learn about al Qaeda, and 
that is why I have such a passion for this issue.
    Back in 2006, the North American Electric Reliability 
Corporation proposed some grid security standards that seemed 
to be fairly limited. One of them even allows utilities to 
decide for themselves which of their assets are critical and 
thus subject to the standards in the first place. Only 29 
percent of power-generating owners self-reported that they 
owned a single critical asset. Isn't that right, Mr. 
McClelland?
    Mr. McClelland. Yes.
    Mr. Markey. So 70 percent of the electric utility felt they 
have no critical assets and----
    Mr. McClelland. Critical----
    Mr. Markey. Excuse me?
    Mr. McClelland. Sorry. I was going to say the distinction 
is critical cyber assets. Those are the assets that fall under 
the standards.
    Mr. Markey. And I just think that that is a mentality here 
that we have to be realistic about. You know, we have moved to 
a new era. We are potentially under assault in this sector in 
the same way that you mentioned, Mr. Chairman, the attack on 
the Iranian nuclear facility. That was just a very smart way of 
some very smart people figuring how to disable a nuclear power 
plant in Iran from a distance, and thank goodness whoever those 
people are that they were able to do it, disable it and still 
not cause a nuclear disruption, but there may be others that 
are not so benign in what their objectives are and the harm 
that they can do.
    So I just think that this isn't something where you self-
identify yourself as potentially being a problem. I think we 
have to decide that there is a problem and that al Qaeda is out 
there. Do you agree with that, Mr. McClelland?
    Mr. McClelland. Yes, and I would just add one distinction, 
that NERC has submitted a standard to the commission where 
critical assets, now, there are several designations for 
critical assets. Assets that serve nuclear facilities, for 
instance, are now deemed critical assets. The commission, 
however, has requested additional information because critical 
assets are not the assets that are covered by the standard. It 
is critical cyber assets. So the commission has asked, one of 
the lines of questions is, tell us how that translates to 
critical cyber assets because those indeed are still self-
determinations.
    Mr. Markey. Is NERC's guidance advisory or mandatory?
    Mr. McClelland. The standard that NERC has proposed to the 
commission would be mandatory, and that would be the 
designation, bright-line designations of critical assets which 
can help guide an entity to self-determine critical cyber 
assets, which fall under the standard.
    Mr. Markey. Thank you. Thank you, Mr. Chairman.
    Mr. Whitfield. Thank you all. Thank you once again for 
testifying. We look forward to working with you.
    At this time I would like to call up the third panel of 
witnesses. That would be Mr. Gerry Cauley, President and CEO of 
North American Electric Reliability Corporation, Mr. Franklin 
Kramer, former Assistant Secretary of Defense for International 
Security Affairs at the U.S. Department of Defense, and Mr. 
Barry Lawson, Associate Director, Power Delivery and 
Reliability at the National Rural Electric Cooperative 
Association.
    Welcome to the hearing. We look forward to your testimony. 
At this time, Mr. Cauley, I will recognize you for 5 minutes 
for the purposes of your opening statement.

 STATEMENTS OF GERRY CAULEY, PRESIDENT AND CEO, NORTH AMERICAN 
 ELECTRIC RELIABILITY CORPORATION; FRANKLIN D. KRAMER, FORMER 
   ASSISTANT SECRETARY OF DEFENSE FOR INTERNATIONAL SECURITY 
    AFFAIRS; AND BARRY R. LAWSON, ASSOCIATE DIRECTOR, POWER 
 DELIVERY AND RELIABILITY, NATIONAL RURAL ELECTRIC COOPERATIVE 
                          ASSOCIATION

                   STATEMENT OF GERRY CAULEY

    Mr. Cauley. Thank you, and good afternoon, Chairman 
Whitfield and Ranking Member Rush and members of the 
subcommittee and fellow panelists.
    As CEO of the organization charged with ensuring 
reliability and security of the North American grid, I wake up 
every day concerned about emerging risks caused by the 
intentional actions of our adversaries who would want to harm 
our Nation and our citizens.
    The security of the North American bulk power system is an 
utmost priority for NERC. The mainstay of NERC's critical 
infrastructure program is a set of nine cybersecurity standards 
that we actively monitor and enforce. We have recently made 
significant strides in improving our cyber standards.
    When I came on board at NERC in 2010, I recognized the 
importance of establishing bright-line criteria, as we just 
heard from the previous testimony, to identify critical assets 
to be protected. A new standard was developed in 6 months and 
filed with the commission in February of this year and is 
pending their approval. Our standards process works for what it 
was intended to do: to establish sustained baseline 
requirements for the reliability and resilience of the bulk 
power system.
    However, there is no single approach, not even compliance 
with mandatory standards, that will protect the grid against 
all potential threats from physical and cyber attacks. The 
threat environment is constantly changing and our defenses must 
keep pace. Achieving a high degree of resilience requires 
continuously adaptive measures beyond those outlined in our 
standards, measures we are actively pursuing today.
    The most important of these activities is the operation of 
our electricity sector information sharing and analysis center. 
In this role, NERC works closely with Federal partners to 
promptly disseminate threat indications to electricity sector 
participants. NERC staff has the necessary security clearances 
to work with the Department of Homeland Security, DOE and 
Federal intelligence agencies to generate unclassified 
recommendations and actions for industry.
    Using this process, NERC has issued 14 security-related 
alerts since January 2010 covering such items as Aurora, 
Stuxnet, Night Dragon and others. The NERC alert system is 
working well. Coupled with our CIP standards and the option of 
using a new expedited and confidential process for developing 
standards, NERC has a strong foundation of tools we need to 
protect the cybersecurity of the bulk power system.
    As outlined in my written testimony, NERC is leading a 
number of other initiatives to ensure the resilience of the 
bulk power system including joint efforts with DOD, DHS and 
Department of Energy. We are preparing an industry-wide grid 
exercise in November 2011. Jointly with DOE labs, we are 
initiating a program to monitor grid cybersecurity of the grid 
networks and another program to improve the training and 
qualification of industry cyber experts.
    With regard to the proposed draft legislation, first and 
foremost, NERC has consistently supported legislation to 
address cyber emergencies and to improve information sharing 
between government and the private sector. NERC has 
consistently supported comprehensive legislation authorizing a 
government entity to address cyber emergencies. Which agency is 
a policy decision for Congress. NERC stands ready to assist and 
respond to designated grid security threats.
    Measures to improve information sharing between the 
government and private sector of critical infrastructure are 
needed. NERC commends the provisions of the discussion draft 
directing the commission to facilitate sharing of protected 
information. While the focus on providing adequate security 
clearances is key, this alone is not enough. It is most 
important to develop methods for declassifying sensitive 
information to make it available to industry decision makers. 
New authority to address grid security vulnerabilities, 
however, is unnecessary. FERC already has the authority under 
the Federal Power Act, section 215(d)(5), to direct NERC to 
prepare a standard to address a specific vulnerability. If 
Congress decides to allow vulnerabilities to be addressed 
through a FERC rule or order, at a minimum, the ERO should be 
given the opportunity to address the identified vulnerability 
before FERC acts with FERC given a backstop authority if the 
ERO fails to address the vulnerability within a prescribed 
period. While we appreciate the language in the current draft 
which calls for FERC to request and consider our 
recommendations if time allows, we believe more is needed.
    Other provisions of the discussion draft are not needed. 
NERC has issued information to ensure the industry understands 
and is mitigating the Aurora vulnerability. The provisions on 
geomagnetic storms and spare transformers also are not needed 
as FERC already has the authority to order us to address these 
topics today. NERC is actively working on the GMD issue 
including a recent workshop and an alert providing industry 
with operational and planning actions to prepare for the 
effects of a severe geomagnetic disturbance.
    In addition, a NERC task force is focused on mitigating 
risks associated with long lead time transformers and 
developing a secure database for sharing information on spare 
equipment.
    Finally, the ERO should be given authority under FERC 
oversight to address grid security vulnerabilities by 
enforceable means other than standards. Congress has provided 
us with many tools to address security. As noted previously, we 
have three levels of alerts. We have strong industry 
participation and response to these alerts. A provision to 
authorize NERC, subject to FERC oversight, to promulgate legally 
enforceable directives would enhance the security of the power 
grid. I believe legislation addressing 
the security of our Nation's electricity infrastructure could 
be beneficial but the framework should focus on enabling 
information sharing between government and industry and problem 
solving between the private and government sectors.
    Thank you for the opportunity to speak today, and I look 
forward to your questioning.
    [The prepared statement of Mr. Cauley follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you, Mr. Cauley.
    Mr. Kramer, you are recognized for 5 minutes for an opening 
statement.

                STATEMENT OF FRANKLIN D. KRAMER

    Mr. Kramer. Thank you, Mr. Chairman and Mr. Ranking Member, 
Mr. Terry. I appreciate the opportunity to testify.
    I think the proposed legislation, the GRID Act that you 
have the discussion draft, is excellent but I would like to 
suggest five things that would actually make it better, at 
least from my perspective.
    The first is I think that we need mandatory Federal 
standards. We need to turn the system around and have the 
Federal agency, be it FERC or, as in the administration's 
discussion draft, DHS have the authority to issue standards.
    Secondly, I think that we need to focus much more on the 
issue of resilience, how will we deal with the problem of how 
the grid will operate in the face of attack.
    Third, I think that all elements of the Federal Government 
and including especially the DOD have to be given clear 
authority to help protect and/or respond to an attack on the 
grid because it is only the DOD that has the capabilities that 
are necessary.
    Fourth, I think we have to think about the issue of scale 
and resources and particularly the issue of cost and make sure 
that the industry can recover its costs.
    And lastly, I think there needs to be a much more extensive 
research and development program to deal with the advanced 
threats. We need advanced capabilities.
    The reason I say that, Mr. Chairman, all these points, is 
what you have already said. The threat is increasing. We have 
seen, for example, last year an attack on Google. We have seen 
more recently an attack on a company called RSA, very advanced 
cyber companies, and as you mentioned, we have seen the Stuxnet 
attack. Those control systems that were attacked in Stuxnet are 
precisely the kind of control systems that control the electric 
grid. The vulnerability is very, very substantial, and has been 
pointed out by others already in this hearing, right now with 
the smart grid increasingly coming into play, the distribution 
system as well as the generation system, the transmission 
system are sources of vulnerability, so I think we really need 
to focus on the entirety of the problem and recognize how much 
the threat has been increasing over time.
    The reason I say that we need mandatory standards is that 
frankly the current system is just too slow. It doesn't work 
quickly. It hasn't satisfied the problem. In fact, if you look 
at NERC's own, I think it was called high-impact, low-
frequency study last year, it said very clearly that the grid 
is at risk against an advertent adversary. If we think about 
other areas--clean air, clean water, automobile safety 
standards--the Federal Government issues the standards. It 
certainly allows industry to comment, but I think that is the 
way we ought to do it.
    In addition, I think that the current act, the discussion 
draft, has what is called authority for the FERC if there was a 
so-called imminent threat. But I think that imminent is too 
late often. What we really need is if we see a significant 
threat where one needs to be able to take prompt action before 
we get to that microsecond before the attack occurs. The 
Federal Government ought to have that authority so it can issue 
interim standards but earlier than the imminent-threat 
standard.
    On the resilience point, I think we all know--and again, if 
you look at the Google attack or Stuxnet or the like, is that 
cyber offense beats cyber defense. In fact, the Deputy 
Secretary of Defense has said that publicly and plenty of 
others have. In the DOD area, the DOD doesn't just rely on 
passive defense, it also does what is called active defense, 
and if DOD needs to do active defense to protect its network's 
critical infrastructure, and again, we have heard and I have 
said myself and others said today the DOD relies 99.9 percent 
on commercial electricity. Well, that means that commercial 
electricity ought to have the same kind of protection, that 
active defense. I don't think that the industry should do it, I 
think the DOD under the right kind of standards, legislative 
standards, regulations, guidance from the President, ought to 
work with the sector-specific agency and also with the industry 
to be able to provide that.
    We also need to have capabilities that we haven't heard 
talked about today. We need what I call gold standard 
integrity: integrity of data, integrity of software, integrity 
of hardware. We need capabilities like segmentation and 
isolation so that the key elements of the grid can be protected 
by being separated from other elements of the grid.
    We want to look also finally at the issue of scale and 
resources. It is a very large enterprise. We are going to have 
to have the private sector work to get it out there. It seems 
to me that if the industry is going to incur cost, and this is 
a highly regulated industry, that it ought to be able to 
recover those costs. That could be done directly or indirectly 
with the Federal Government. It could be in the rate base. But 
it should be allowed in some way, shape or form.
    And finally, as I said, I think we need to have a 
comprehensive R&D program so that when we have advanced 
threats, we can have advanced capabilities to meet them.
    And with that, Mr. Chairman, I appreciate the opportunity 
to testify and I look forward to your questions.
    [The prepared statement of Mr. Kramer follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thank you.
    Mr. Lawson, you are recognized for 5 minutes.

                  STATEMENT OF BARRY R. LAWSON

    Mr. Lawson. Chairman Whitfield, Ranking Member Rush and 
members of the subcommittee, thank you for the opportunity to 
testify today on cybersecurity and the GRID Act. My name is 
Barry Lawson, and I am the Associate Director of Power Delivery 
and Reliability at the National Rural Electric Cooperative 
Association, which represents over 900 member-owned not-for-
profit cooperatives providing electricity to 42 million 
consumers in 47 States.
    Over the last decade, I have been involved in a variety of 
critical infrastructure protection and cybersecurity 
initiatives with industry, NERC, DHS and DOE. Based on these 
experiences, I know the electric power industry takes these 
issues very seriously. Additionally, to my knowledge, there has 
not been a documented case of a successful attempt to damage 
the North American bulk power system through cyber means.
    While my testimony today is offered on behalf of electric 
cooperatives, I want to also recognize the longstanding 
partnership among all sectors of the electric power industry 
when it comes to reliability and cybersecurity. NRECA is part 
of a coalition which includes major trade associations 
representing the full scope of the electric power industry as 
well as state regulators, large industrial consumers and 
Canadian utilities. It is rare that we all agree on public 
policy issues but we unanimously support the NERC process and 
narrow new authority for the Federal Government in the event of 
severe, imminent cyber threats.
    Under section 215 of the Federal Power Act, NERC works 
closely with electric power industry experts and others to 
draft mandatory and enforceable reliability and cybersecurity 
standards that apply across the North American grid. The 
standards process can be lengthy when addressing highly 
technical issues but it can also be shortened when needed using 
NERC's expedited standards procedures as approved by FERC. NERC 
also has a FERC-approved process for developing standards in a 
confidential manner when national security requires it.
    NERC rules and procedures also give NERC authority to 
distribute alerts on topics that are important for industry to 
address. FERC reviews these alerts before they are released. 
There are three levels of alerts, and the top two levels have 
mandatory reporting requirements that typically require 
recipients to inform NERC what they did in response to the 
alert. The alert process has quickly and effectively provided 
industry critical information on many issues including Stuxnet, 
Night Dragon and geomagnetic disturbances. NERC is required to 
provide reports to FERC on the top two levels of alerts, 
explaining the level of action industry has taken. To date, 
these reports have shown that industry takes these alerts very 
seriously.
    The industry recognizes the threat environment is 
complicated and that imminent, severe threats are possible. In 
some cases, even NERC procedures and standards cannot assure 
that industry gets timely, actionable information to mitigate a 
threat against the bulk power system. When the Federal 
Government at the highest levels determines that emergency 
action is necessary, it should be able to issue orders to our 
industry that directly address the severe and imminent cyber 
threat and set out the mitigation actions needed to protect the 
bulk power system. Those orders should sunset when the threat 
has subsided or is mitigated, for example, by development of a 
related NERC standard.
    Our primary concern is that the draft GRID Act creates new 
authority for FERC concerning vulnerabilities that largely 
duplicates existing FERC authority and ongoing NERC activities 
under section 215 and could substantially undermine the 
existing reliability standards regime. It should be understood 
that vulnerabilities alone do not adversely impact the 
reliability of the grid. That being said, our industry has 
every incentive ranging from financial considerations to the 
fundamental obligation to serve our customers with reliable and 
affordable power to protect the grid when vulnerabilities 
emerge.
    The draft GRID Act authorizes FERC if it determines there 
is a grid security vulnerability that existing NERC standards 
do not address to issue a rule or order requiring industry to 
implement measures to protect against the vulnerability. The 
new authority the draft seeks to give FERC is very concerning 
to our industry. First, we question whether FERC has the 
intelligence-handling expertise to exercise such broad new 
authority. Second, this new authority regarding vulnerabilities 
would fundamentally alter section 215 by providing FERC an 
unnecessary role in addressing vulnerabilities that NERC and 
industry are managing very well through standards and alerts.
    To help industry to protect the grid from vulnerabilities 
and threats, we need timely, actionable intelligence from 
government. More industry trusted experts need higher levels of 
security clearances so we can plan effective responses to 
threats and vulnerabilities. The draft seeks to make 
improvement in these areas, and we appreciate the 
subcommittee's support.
    In conclusion, we urge the subcommittee to focus on the 
immediate, narrow issues at hand, the need for very quick 
emergency orders if the bulk power system faces an imminent 
cyber attack and the need for the electric power industry to 
receive timely, actionable information.
    Thank you for the opportunity to testify today and I look 
forward to your questions.
    [The prepared statement of Mr. Lawson follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Whitfield. Thanks, Mr. Lawson.
    Mr. Kramer, you would agree then that in the interest of 
national defense that additional Federal authority is 
necessary?
    Mr. Kramer. Yes, sir, I think it is absolutely required.
    Mr. Whitfield. OK. And Mr. Cauley, you mentioned in your 
testimony, I believe, that you didn't think it was necessary 
for NERC to develop standards to ensure the availability of 
large transformers, and I am certainly not an expert in that 
area but it is my understanding that the availability of large 
transformers is one of the key issues out there and I was just 
curious if you would elaborate on your position on that.
    Mr. Cauley. Thank you, Mr. Chairman. I do take the issue of 
spare equipment and transformers very seriously from physical 
attack, cyber or GMD, and it is a major issue. So I think we 
don't have enough information yet to know what the standards 
should be in terms of how much equipment and where it would be 
located and how we would transport it, so if I said something 
opposing future standards on spare equipment, I may have 
misspoken and I will have to go look in my written testimony. 
But it is a key issue, and we are dealing with it today with 
some industry experts on a task force that are looking at 
likely scenarios, what would the need be, how would we move the 
equipment, so we are trying to find a technical solution to the 
problem before we tackle the issue of whether there should be a 
standard or not.
    Mr. Whitfield. So are these transformers manufactured in 
the United States today?
    Mr. Cauley. The vast majority of them have been 
manufactured overseas and continue to be. There is some recent 
activity to bring some onshore but the vast majority are 
manufactured overseas.
    Mr. Whitfield. Now, Mr. Lawson, I am sure you heard the 
testimony today that in addition to the bulk electric system, 
that distribution should be included in this, and of course, 
rural electric co-ops are quite involved in distribution, so 
would you disagree with that, or what would be your position?
    Mr. Lawson. Well, we believe that the legislation before us 
should focus on the bulk power system. Distribution is handled 
at the local level, whether that be State or local municipality 
level or with the local board of a cooperative, and we don't 
think it needs to be extended to the Federal level.
    Mr. Whitfield. But how do we address the potential problem 
in some of these large metropolitan areas that was mentioned?
    Mr. Lawson. With regard to the distribution facilities in 
the large metropolitan areas?
    Mr. Whitfield. Yes.
    Mr. Lawson. I think there is one definition in the NERC 
glossary that is being worked on today, and that is the 
definition of bulk electric system. That definition is looking 
at how and what should be included under bulk electric system, 
and one of the issues that the commission has directed the 
industry through NERC to review is how those facilities in 
large metropolitan areas are covered, and I think the direction 
that that drafting team is going in that I am a member of is 
covering more facilities in those metropolitan areas than are 
currently covered under the existing NERC BES, bulk electric 
system, definition.
    So I think things are changing and a draft of that 
definition was recently out for public comment, and it is now 
moving on to the second draft phase, so I think there will be 
changes in that area.
    Mr. Whitfield. So Mr. Cauley, do you or Mr. Kramer have any 
comments on that particular issue?
    Mr. Cauley. Just a couple, Mr. Chairman. The industry has a 
very long history of the issue of local service and 
distribution being dealt with with the ratepayers in the local 
jurisdiction and obviously the States and other local 
jurisdictions, so I think any effort to encroach on that 
through Federal legislation I think should just be taken 
carefully in consultation with the States.
    On the issue of the military bases, which was part of the 
earlier testimony, I think there is an opportunity to have 
enhanced discussions between the utility company and the 
military bases to say do they have what they need, do they need 
more backup generators, do they need more lines coming in to 
the base, so I think there is opportunity for those discussions 
to take place. I will end there. Thanks.
    Mr. Whitfield. Mr. Kramer?
    Mr. Kramer. I would disagree with both of these gentlemen. 
First of all, I think we have the smart grid becoming ever 
increasingly a greater part of the electric power system, and 
the smart grid means that from the consumer side, from the 
distribution side, you are going to have increasing vectors 
that allow for cybersecurity attacks, and those could be 
national security attacks, so I think that we need to have an 
overall Federal standard that protects against that, and NIST 
is working on that. I don't actually think they have done 
enough but at least they have done something. But I think we 
need to put that into play, so I would very strongly encourage 
the committee to expand its jurisdiction.
    With respect to the military bases and the like, I think 
Mr. Stockton was pretty clear, they don't have enough, and it 
is not just the bases themselves. If you think about the 
military, for example, the entire critical infrastructure, 
transportation infrastructure, the telecommunications 
infrastructure, all of these depend upon electricity. So even 
if the bases themselves had electricity, the DOD simply 
couldn't operate without transportation, without 
telecommunications and the like, and I think we really need to 
have something done about that.
    Mr. Whitfield. Mr. Lawson?
    Mr. Lawson. Just to add to that, on the military bases, the 
best way to effect change and improvements is at the local 
level between the military installation, commander and the 
leadership of the utility supplying that military installation. 
Those relationships exist today. They are typically very good 
relationships, and if there are additional levels of 
reliability, security that are needed, it is very important for 
the military installation leadership to let the utility know 
and they can work jointly towards providing that.
    With regard to the smart grid, the industry is not 
implementing smart grid facilities carelessly. They are doing 
it carefully and keeping security very much in mind in many 
different ways. We are also working very closely and as much as 
we can with the vendor community to try to explain to them what 
levels of security we need and what levels of security already 
exist in their equipment today, so it is something that we are 
focused on and not doing carelessly.
    Mr. Whitfield. Thank you all. My time is expired.
    Mr. Rush, you are recognized for 5 minutes.
    Mr. Rush. Thank you, Mr. Chairman. This has been quite 
interesting.
    Mr. Cauley, I would like to ask you about imminent threats 
to the grid and also long-term vulnerabilities as well. Let us 
say our intelligence agencies learn of an imminent threat to 
the grid from terrorists. How would you characterize NERC's 
authority to step in and address that threat on a real-time 
basis?
    Mr. Cauley. We have the ability to acquire that information 
through working with various intelligence agencies, which we do 
continuously to get the information digested into what it means 
in terms of impact on the industry and issue various levels of 
alerts, and we have done that. We issued one back just in April 
which we turned around within a day. So depending on the 
urgency, we can turn them out in hours or days. I think as I 
pointed out in my testimony, we have different levels. Some are 
just informational, some are recommendations, and there are 
essential actions which we have also been able to put out. The 
essential actions are mandatory under our rules but they are 
not enforceable from a legal sense in terms of any sort of 
penalties and sanctions, and that was why I was suggesting in 
my testimony that that would be one opportunity to improve the 
toolkit that we have to get timely, actionable information out 
to industry.
    Mr. Rush. And would this apply if there were imminent and 
severe threat also?
    Mr. Cauley. This would apply really to any known threat or 
vulnerability where there was a high degree of urgency like we 
needed to get information out either within hours or days or 
weeks, and I think that is a much preferred approach. Everyone 
keeps referring to our standards. Well, our standards were not 
meant to solve a problem in 3 days or 3 weeks. They are meant 
to be long-enduring, around for years and years. The alert 
system is meant to solve these urgent actions that you are 
describing here.
    Mr. Rush. Does FERC have sufficient authority at this 
point?
    Mr. Cauley. I believe in the area of vulnerabilities in 
terms of, for example, whether it is Aurora or spare 
transformers, I believe under section 215 that Congress 
intentionally provided FERC authority to direct the ERO to 
produce a standard that would solve a problem. So under my 
reading of the plain language of section 215, the FERC has the 
ability to direct us to----
    Mr. Rush. Mr. Kramer, do you agree with that?
    Mr. Kramer. I totally disagree, and I will give you an 
example. This committee has heard about Stuxnet, obviously, and 
Stuxnet is not a classified problem. Symantec, among many other 
organizations, has issued a very detailed set of reports on 
this. It is a threat. It is a very, very, very severe threat 
that we have to think about, and the vulnerability exists 
throughout the electric grid system because it is the same kind 
of control mechanisms that Stuxnet attacked that are the type 
that are involved in the electric grid, and it is sitting out 
there, so to speak, as a blueprint for anyone to use--now, I 
couldn't use it, but any capable cyber adversary. So I think 
that that would be an example of what I would call a severe 
threat. It is not imminent but I think that something needs to 
be done about that right now, and I think it needs to be done 
promptly, and from my perspective, and I said, as we do in 
other kinds of legislation, I would rather have the opportunity 
for the industry to comment but for the Federal Government, be 
it the FERC or the DHS, but some Federal agency to determine 
what standards are necessary, what actions need to be taken 
promptly and to cause those to be taken under a mandatory 
system.
    Mr. Rush. Mr. Lawson, would you give us your opinion on 
this?
    Mr. Lawson. First of all, as I said in my statement, the 
industry strongly supports the alert process. I am not aware of 
another tool out there today that can get information out to 
approximately 2,000 utilities within hours or a day or two with 
specific information about how a threat or a vulnerability or 
anything that specifically relates to the electric utility 
industry. So I think the alert process is a very critical one 
and one that we need to keep utilizing.
    Also, under the alert process, there are three levels. The 
base level is advisory, the middle level is recommended action, 
and the most serious level is essential action. And I can tell 
you that the industry reacts very strongly to these alerts 
because we know that they are communicating very important 
information to the industry and that under the top two levels 
of alerts, you will be required to provide NERC with an update 
on what you have done with regard to that alert, and those 
reporting requirements are mandatory, and then they are 
summarized and provided to FERC. So the industry takes these 
very seriously and the top-level alert, essential action, has 
not yet been utilized. So only the advisory and the recommended 
action have been utilized, and both of those levels have been 
taken very seriously by the industry, and I am sure essential 
action would be taken exactly the same.
    Mr. Rush. Mr. Chairman, I just want to ask one other 
question.
    So let me just ask you this. All three of you can respond 
or anyone can respond. What I am hearing here is that in the 
event of an imminent, severe, catastrophic cyber attack on the 
electrical grid system here in this country where there could 
be vast harm done to the American people, are you saying, am I 
correct in understanding that you are saying that the Federal 
Government--or let me ask the question this way: Who are the 
American people going to hold responsible for their protection 
to solve the problem and to protect them? Are they going to 
hold the Federal agencies or the industry responsible, in your 
opinion?
    Mr. Cauley. Congressman Rush, I mean, first of all, to 
distinguish some time horizons, first of all, if there is an 
imminent emergency like planes flying on 9/11 that are going to 
cause disaster, NERC and I think the industry supports some 
government agency having strong, immediate authority under 
those kind of circumstances--the Nation is in trouble, somebody 
has to be in charge--I think we support that. And I think the 
other issues I think where we get a little bit of difference of 
opinion but it is not as bad as it sounds, actually, is on 
dealing with the things we have a longer time to think about 
and respond to, and all we are saying is that we think that the 
FERC has for longer-term issues like spare equipment--we are 
not going to solve spare transformers tomorrow, it is going to 
take probably years to resolve that--is that we have the 
authorities we have now, and I think we could strengthen the 
gap in the middle between dire emergency right now and things 
that might take months to solve. In the interim, we have our 
alert system and all we need is a little more authority to make 
those mandatory in some cases. When I testify here today, I am 
not here testifying against authority for FERC. We work with 
FERC today as a partner in developing our standards. They 
review them and approve them, and I view going forward that we 
would continue to work with FERC, that anything that we can do 
to help the industry know what they have to do and whether it 
is mandatory or not, that we would do that in partnership with 
FERC.
    Mr. Whitfield. Mr. Terry, you are recognized.
    Mr. Terry. Thank you.
    To follow up on that, have you, Mr. Cauley, read the GRID 
Act or the proposal, the draft? So as it is written now, my 
assumption is, you don't support it? Is that accurate, you 
wouldn't support it as written?
    Mr. Cauley. I applaud the committee for taking initiative----
    Mr. Terry. I have short time. Yes or no?
    Mr. Cauley. I support parts of it, not the entire----
    Mr. Terry. The jurisdictional part, you have a problem 
with?
    Mr. Cauley. With the vulnerabilities being unnecessary, 
that is correct.
    Mr. Terry. Mr. Lawson, same question.
    Mr. Lawson. We support narrow authority for the Federal 
Government with regard to imminent cyber threats.
    Mr. Terry. So that is a no? OK. I appreciate that. I think 
we have more work to do than I anticipated before this hearing.
    Mr. Kramer, I want to spend the rest of the time with you. 
Do you keep track or is there reporting of hacking attempts to 
your office or any office that you know of?
    Mr. Kramer. Just so we are clear, I am a former Assistant 
Secretary so I am testifying in my individual capacity here.
    Mr. Terry. All right.
    Mr. Kramer. So I read the--there are plenty of reports on 
hacking that are in the open press and there are plenty of 
reports on hacking that are maintained by a lot of entities, 
and I think----
    Mr. Terry. Electrical generation?
    Mr. Kramer. Including electrical, and the Night Dragon 
point was made to this committee as an example.
    Mr. Terry. I participated in a demonstration at our local 
generator that was able to track hacking attempts within the 
last 24 hours, and I think there were six or seven. Most of them 
they have been able to track back to a certain university in 
China, but we won't go into that for this hearing. Now, they were 
mostly--how do I say this--for fun. It was their practice of 
seeing how they can enter into the system, and not for 
nefarious purpose, although we don't know that when they are 
trying to do it, when they are trying to hack the system, and 
that is what concerns me and this committee is what we can do 
to strengthen our system against those hacks.
    And by the way, just two questions to you, Mr. Kramer, in 
my 2 minutes left. Generally, what should electrical generation 
companies be doing to best ensure that their systems can't be 
hacked into? And then on the electrical generation itself, 
there have been some side discussions on electrical generation, 
whether the more critical defense bases or buildings should go 
off grid, totally reliant and with the small module nuclear 
reactors may allow them to do that. You have a minute and a 
half to comment on both those questions.
    Mr. Kramer. I will make three points, sir. First of all, 
with respect to the issue of serious attack, one of the things 
that a serious attack would have to do would be reconnaissance. 
You won't just attack without substantial reconnaissance, so 
the reconnaissance or the activities that you are talking about 
are quite consequential and would be part of any serious attack 
and so dealing with those early on is just as important as 
dealing with the set of issues, you know, so to speak, when the 
attack occurs.
    Second, with respect to what the industry ought to do, 
there are a number of standards set forth, both the NERC 
itself, FERC, DOE and others have written out which I think one 
is called, well, 20 critical activities that were put out by 
one of the cybersecurity groups. Those are what you might call 
very good hygiene, and one of the critical things that I think 
needs to be done is that there has to be a greater amount of 
protection provided to the control system portion of the grid 
than to what is called the corporate portion of the grid, and I 
also think that there need to be what I would call advanced 
capabilities developed so that you can isolate the control 
portion of the grid from the corporate capabilities and from 
vendors and others who have to send things in. I think there 
will need to be, as I mentioned, integrity capabilities that do 
exist now at the bench level, so to speak, at the demonstration 
level but are not out there throughout the grid, and I think 
that the critical parts of the industry, Mr. Markey mentioned 
that--I don't have his exact figures but roughly 29 percent, if 
I remember right, of the grid was considered critical by the 
industry. I think it is a much larger amount than that, so I 
think you have to have more significant.
    With respect to the bases again, I want to make the point 
that even if the bases themselves have electricity and there 
are actions going on, I can't tell you what the acronym stands 
for anymore but it is called SPIDERS. It is a demonstration 
program, and this is non-classified--you can look it up on 
Google--to make the bases more self-sufficient, and the DOE has 
a so-called SPIDERS program at three or four different bases. 
But even if the bases themselves have electricity, the DOE 
relies on telecommunications capabilities of the country, it 
relies on the transportation capabilities of the country, it 
relies on water, it relies on gas pumps and the like, and all 
those rely on electricity. So there is no possibility 
whatsoever that you could have an effective defense unless you 
have electricity available beyond the bases. In addition, that 
happens to also be true overseas, which is a different topic 
that the chairman raised, but it goes beyond the question.
    Mr. Whitfield. Mr. Rush, do you have anything else you want 
to touch on?
    Well, that concludes today's hearing. We appreciate your 
being here, and I am sure we are going to continue to be in 
touch with you as we move forward on this legislation, and we 
will keep the record open for 10 days for additional materials, 
and thank you all very much, and that concludes today's 
hearing.
    [Whereupon, at 4:25 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 