b"<html>\n<title> - PROTECTING THE ELECTRIC GRID: H.R.</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n PROTECTING THE ELECTRIC GRID: H.R. --------, THE GRID RELIABILITY AND \n                       INFRASTRUCTURE DEFENSE ACT \n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                    SUBCOMMITTEE ON ENERGY AND POWER\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 31, 2011\n\n                               __________\n\n                           Serial No. 112-52\n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n72-383 PDF                       WASHINGTON : 2012 \n\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\n\nJOE BARTON, Texas                    HENRY A. WAXMAN, California\n  Chairman Emeritus                    Ranking Member\nCLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nJOSEPH R. 
PITTS, Pennsylvania        EDOLPHUS TOWNS, New York\nMARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  ANNA G. ESHOO, California\nMIKE ROGERS, Michigan                ELIOT L. ENGEL, New York\nSUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas\n  Vice Chair                         DIANA DeGETTE, Colorado\nJOHN SULLIVAN, Oklahoma              LOIS CAPPS, California\nTIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania\nMICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois\nMARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas\nBRIAN P. BILBRAY, California         JAY INSLEE, Washington\nCHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin\nPHIL GINGREY, Georgia                MIKE ROSS, Arkansas\nSTEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York\nROBERT E. LATTA, Ohio                JIM MATHESON, Utah\nCATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina\nGREGG HARPER, Mississippi            JOHN BARROW, Georgia\nLEONARD LANCE, New Jersey            DORIS O. MATSUI, California\nBILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin \nBRETT GUTHRIE, Kentucky              Islands\nPETE OLSON, Texas\nDAVID B. McKINLEY, West Virginia\nCORY GARDNER, Colorado\nMIKE POMPEO, Kansas\nADAM KINZINGER, Illinois\nH. MORGAN GRIFFITH, Virginia\n\n                                 ______\n\n                    Subcommittee on Energy and Power\n\n                         ED WHITFIELD, Kentucky\n                                 Chairman\nJOHN SULLIVAN, Oklahoma              BOBBY L. RUSH, Illinois\n  Vice Chairman                        Ranking Member\nJOHN SHIMKUS, Illinois               JAY INSLEE, Washington\nGREG WALDEN, Oregon                  JIM MATHESON, Utah\nLEE TERRY, Nebraska                  JOHN D. DINGELL, Michigan\nMICHAEL C. 
BURGESS, Texas            EDWARD J. MARKEY, Massachusetts\nBRIAN P. BILBRAY, California         ELIOT L. ENGEL, New York\nSTEVE SCALISE, Louisiana             GENE GREEN, Texas\nCATHY McMORRIS RODGERS, Washington   LOIS CAPPS, California\nPETE OLSON, Texas                    MICHAEL F. DOYLE, Pennsylvania\nDAVID B. McKINLEY, West Virginia     CHARLES A. GONZALEZ, Texas\nCORY GARDNER, Colorado               HENRY A. WAXMAN, California (ex \nMIKE POMPEO, Kansas                      officio)\nH. MORGAN GRIFFITH, Virginia\nJOE BARTON, Texas\nFRED UPTON, Michigan (ex officio)\n\n                                  (ii)\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Ed Whitfield, a Representative in Congress from the \n  Commonwealth of Kentucky, opening statement....................     1\n    Prepared statement...........................................     3\nHon. Bobby L. Rush, a Representative in Congress from the State \n  of Illinois, opening statement.................................    29\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, opening statement...............................    30\nHon. Fred Upton, a Representative in Congress from the State of \n  Michigan, prepared statement...................................   152\n\n                               Witnesses\n\nHon. Trent Franks, a Representative in Congress from the State of \n  Arizona........................................................    31\n    Prepared statement...........................................    34\nHon. James R. Langevin, a Representative in Congress from the \n  State of Rhode Island..........................................    44\n    Prepared statement...........................................    46\nPatricia A. 
Hoffman, Assistant Secretary, Office of Electricity \n  Delivery and Energy Reliability, Department of Energy..........    52\n    Prepared statement...........................................    54\n    Additional comments (for Mr. McKinley).......................    90\n    Additional comments (for Mr. Olson)..........................   100\nPaul N. Stockton, Assistant Secretary of Defense for Homeland \n  Defense and Americas' Security Affairs, Department of Defense..    60\n    Prepared statement...........................................    62\nJoseph H. McClelland, Director, Office of Electric Reliability, \n  Federal Energy Regulatory Commission...........................    72\n    Prepared statement...........................................    74\n    Additional comments..........................................    96\nGerry Cauley, President and CEO, North American Electric \n  Reliability Corporation........................................   103\n    Prepared statement...........................................   106\nFranklin D. Kramer, former Assistant Secretary of Defense for \n  International Security Affairs, Department of Defense..........   121\n    Prepared statement...........................................   123\nBarry R. Lawson, Associate Director, Power Delivery and \n  Reliability, National Rural Electric Cooperative Association...   132\n    Prepared statement...........................................   134\n\n                           Submitted Material\n\nDiscussion Draft of H.R. --------, To amend the Federal Power Act \n  to protect the bulk-power system and electric infrastructure \n  critical to the defense of the United States against \n  cybersecurity and other threats and vulnerabilities............     7\n\n\n PROTECTING THE ELECTRIC GRID: H.R. 
--------, THE GRID RELIABILITY AND \n                       INFRASTRUCTURE DEFENSE ACT\n\n                              ----------                              \n\n\n                         TUESDAY, MAY 31, 2011\n\n                  House of Representatives,\n                  Subcommittee on Energy and Power,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:07 p.m., in \nroom 2123 of the Rayburn House Office Building, Hon. Ed \nWhitfield (chairman of the subcommittee) presiding.\n    Members present: Representatives Whitfield, Terry, Burgess, \nScalise, McMorris Rodgers, Olson, McKinley, Pompeo, Rush, \nMarkey and Waxman (ex officio).\n    Staff present: Maryam Brown, Chief Counsel, Energy and \nPower; Allison Busbee, Legislative Clerk; Patrick Currier, \nCounsel, Energy and Power; Greg Dotson, Democratic Energy and \nEnvironment Staff Director; and Caitlin Haberman, Democratic \nPolicy Analyst.\n\n  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN \n           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY\n\n    Mr. Whitfield. I call this hearing to order. The hearing is \nentitled ``Protecting the Electric Grid: the Grid Reliability \nand Infrastructure Defense Act.''\n    Today's hearing focuses on protecting the Nation's electric \ngrid from physical and cybersecurity threats and \nvulnerabilities. A secure grid is of utmost importance to our \nnational security, of course, and our national economic \ninterests.\n    Cybersecurity threats and vulnerabilities to the electric \ngrid have increased in recent years and were the subject of \nseveral hearings in the 110th and 111th Congresses. There is \nevidence that bad actors have conducted cyber probes of U.S. 
\ngrid systems, and that cyber attacks have been conducted \nagainst critical electric infrastructure in other countries.\n    This past February, a cyber attack dubbed Night Dragon, \nwhich is believed to have emanated from China, targeted the \ncritical infrastructure of energy and petrochemical companies \nin the United States. The Night Dragon attack was not overly \nsophisticated, but was nevertheless successful in breaching the \ncomputer systems of key assets. This example is one of several, \nand is the tip of the iceberg, and illustrates that we must be \nmore vigilant in securing the Nation's critical energy \ninfrastructure, including the electric grid.\n    Beyond potential cyber attacks, the bulk power system \nremains exposed to physical vulnerabilities and threats, \nincluding direct terrorist attacks, weapons that can create an \nelectromagnetic pulse, and geomagnetic storms. Federal and \nState agencies and industry stakeholders have sought to address \nmany of these concerns. In particular, through an extensive \nstakeholder process, the North American Electric Reliability \nCorporation, pursuant to its authority under section 215 of the \nFederal Power Act, has worked over the last several years to \ndevelop and implement reliability standards and to address grid \nsecurity vulnerabilities in a timely manner.\n    To address these shortcomings, the Committee recently \nreleased a discussion draft entitled the ``Grid Reliability and \nInfrastructure Defense Act'' or the GRID Act. The bill is \nidentical to bipartisan legislation developed by this committee \nlast Congress by Chairman Upton and Mr. Markey. The GRID Act \nprovides the Federal Energy Regulatory Commission with \nemergency authority to respond to imminent physical and cyber \nthreats to the bulk power system and electric infrastructure \nthat serves facilities vital to our national defense. This \nemergency authority can be triggered only upon a directive from \nthe President. 
The discussion draft also provides FERC with \nauthority to identify and remedy weaknesses that leave the grid \nvulnerable to cyber attacks and electromagnetic pulse events. \nNotably, the legislation also directs FERC to develop \nregulations to facilitate the sharing of information, as \nappropriate, between governmental agencies, NERC, and owners \nand operators of the bulk power system. Doing so will improve \ncommunication among affected stakeholders, which will result, \nwe hope, in a more secure grid.\n    Although the discussion draft is identical to last year's \nbill, we expect that input from today's witnesses and insight \nprovided by those witnesses will help us improve the bill to \nreflect current conditions and any changed circumstances. I \nknow, for example, that Congressman Franks has introduced \nlegislation that is, I believe, more narrowly focused than this \nbroader approach, and we look forward to his testimony to \nexplain his views on this area because he has spent a great \ndeal of time on it, as has Congressman Langevin.\n    So I want to thank the witnesses in advance for being with \nus today. I will introduce them a little bit later.\n    [The prepared statement of Mr. Whitfield follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    [H.R. -------- follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. At this time I would like to yield for the \npurpose of an opening statement to Mr. Rush, the ranking \nmember.\n\n OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF ILLINOIS\n\n    Mr. Rush. I want to thank you, Mr. Chairman, thank you to \nall the distinguished guests for being here today.\n    Mr. Chairman, today we are holding a hearing on the Grid \nReliability and Infrastructure Defense Act, or the GRID Act for \nshort. 
This bipartisan piece of legislation is identical to the \nbill that was favorably reported out of the E&C Committee \nunanimously last year and then went on to pass the House by a \nvoice vote before getting stalled in the Senate.\n    Mr. Chairman, this bill represents the type of legislation \nthat advances the security interests of all Americans and shows \nwhat can be accomplished when we choose to work together in a \nbipartisan manner. So I appreciate you conducting this hearing \ntoday, Mr. Chairman, and I hope and expect that we will move \nthis bill with the same type of cooperation and collaboration \nthat we experienced last session as this legislation moves \nthrough the committee.\n    Mr. Chairman, the U.S. electric grid consists of \ninterconnected transmission lines and local distribution \nsystems that deliver electricity to our homes, schools, our \noffices, generation facilities and related communications \nsystems. The intricate design of the grid makes all of our \ncomponents highly interdependent so that problems in one \nlocation can lead to a domino effect of reliability concerns in \nother areas.\n    In today's highly digitized world, the operational controls \nover the transmission grid at generators are increasingly \nmanaged by computer systems such as the supervisory control and \ndata acquisition, or SCADA systems, which are linked to the \nInternet or other communication systems as well as to each \nother. This reliance on automation and two-way communication \namplifies the grid's vulnerability to remote cyber attacks. \nAdditionally, the increased use of advanced metering systems \nand other smart grid capabilities leaves our electric grid even \nmore open to attack.\n    Mr. 
Chairman, this bill will amend the Federal Power Act to \nadd a new section, section 2015(a), which will give the Federal \nEnergy Regulatory Commission, FERC, new authority to protect \nthe electric grid from cyber attack as well as from other \nthreats including those posed from geomagnetic storms created \nby solar activity.\n    Additionally, this bill will provide FERC with the \nauthority to issue emergency orders to protect against a grid \nsecurity threat whether by malicious act, a geomagnetic storm, \nor by targeted physical attacks if the President notifies the \ncommission that such a threat exists.\n    Mr. Chairman, we are all aware of the constant potential \nthreats that our Nation faces whether by countries such as \nChina and Russia, who have already conducted cyber probes of \nthe U.S. grid systems, or by terrorist organizations looking \nfor ways to weaken our capabilities. Cyber attacks can cause \nuntold harm to our Nation's grid, and they can be done from \nfaraway locations at very, very low cost and with little \nability to trace the source of these threats. So it is \nimperative that we provide those agencies that are responsible \nfor protecting us, protecting our Nation's grid, protecting all \nAmericans with all the tools, all the authority and all the \nresources that they need to keep us safe.\n    So Mr. Chairman, I applaud you for holding this very \nimportant hearing today. I look forward to hearing from our \nwitnesses and our experts on this critical issue, and with \nthat, I yield back all the time that I have, which is 1 second.\n    Mr. Whitfield. Thank you for being so generous once again, \nMr. Rush.\n    At this time I recognize the ranking member of the full \ncommittee, Mr. Waxman, for the purposes of an opening \nstatement.\n\nOPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Waxman. Thank you, Mr. 
Chairman.\n    Today, the subcommittee examines the Grid Reliability and \nInfrastructure Defense Act. This legislation is as bipartisan \nas they come. This legislation was born out of a bipartisan \nrealization that our electric grid simply isn't adequately \nprotected from a range of potential threats. And the current \nprocess for addressing vulnerabilities in the electric grid is \nnot sufficient.\n    In an emergency situation where the grid faces an imminent \nthreat, the Federal Energy Regulatory Commission currently \nlacks authority to require the necessary protective measures. \nThere are also an ever-growing number of grid security \nvulnerabilities. These are weaknesses in the grid that could be \nexploited by criminals, terrorists or other countries to damage \nour electric grid. These same weaknesses even make the grid \nvulnerable to naturally occurring geomagnetic storms.\n    During the last Congress, Chairman Upton, Representatives \nEd Markey and Joe Barton and I developed the GRID Act on a \nbipartisan basis. The majority and minority staffs had \nextensive discussions with interested stakeholders and \nagencies. We worked with many members to answer their \nquestions, address their concerns, and consider their \nconstructive suggestions. This cooperative process produced \nstrong bipartisan legislation.\n    On April 15, 2010, the committee favorably reported the \nbill by a unanimous vote of 47 to zero. And on June 9, 2010, \nthe GRID Act passed the House by voice vote on the suspension \ncalendar. Unfortunately, the GRID Act did not become law in the \nlast Congress.\n    I commend the chairman for taking up the GRID Act for \nconsideration in this Congress. This bipartisan legislation \nwill provide the FERC with the authorities it needs to address \nimminent threats to the electric grid with temporary emergency \norders. 
It also directs the Commission to address longer-term \ngrid vulnerabilities with standards written or approved by the \nCommission.\n    In addition, the bill includes provisions that focus \nspecifically on the portions of the grid that serve facilities \ncritical to the defense of the United States. And the bill is \nbudget neutral.\n    These are important national security and grid reliability \nissues. In the last Congress, we heard from the Defense \nDepartment and from former Defense Secretaries, National \nSecurity Advisors, and CIA Directors. They all told us that the \nchanges made by this bill are critical to our national \nsecurity.\n    I look forward to hearing from today's witnesses. Although \nwe are likely to hear some in industry argue against providing \nFERC authority to address these serious threats, we worked \nacross the aisle in the last Congress to develop workable \nlegislation. I hope today marks the beginning of a similar \nprocess in this Congress.\n    The GRID Act is simply too important to allow special \ninterests to weaken its effectiveness. The Committee needs to \nact to protect the Nation's electric grid from cyber attacks, \ndirect physical attacks, electromagnetic pulses and solar \nstorms.\n    Thank you, Mr. Chairman.\n    Mr. Whitfield. Thank you.\n    OK. Today we have three panels of witnesses, and on the \nfirst panel, we have two Members of Congress, the Honorable \nTrent Franks of Arizona and Mr. Jim Langevin of Rhode Island. \nWe appreciate both of you being here very much, and Mr. Franks, \nI will recognize you for a 5-minute opening statement.\n\n STATEMENTS OF HON. TRENT FRANKS, A REPRESENTATIVE IN CONGRESS \n   FROM THE STATE OF ARIZONA; AND HON. JAMES R. LANGEVIN, A \n   REPRESENTATIVE IN CONGRESS FROM THE STATE OF RHODE ISLAND\n\n                   STATEMENT OF TRENT FRANKS\n\n    Mr. Franks. Well, thank you, Mr. 
Chairman, and good \nafternoon to you, sir, and to Ranking Members Rush and Waxman \nand the rest of the fellow members here on the committee.\n    I believe the subject of today's hearing is one of profound \nimplication and importance to western civilization, and \nconsequently, I hope the members will feel inclined to read my \nwritten testimony. I just thank you again for allowing me to \ntestify here today.\n    Mr. Chairman, in our technological advancement, we have now \ncaptured the electron and transported its utility into nearly \nevery business, home and industrial endeavor throughout the \ncivilized world. In so doing, we have advanced our standard of \nliving and productivity beyond dreams but we have also grown \nprofoundly dependent upon electricity and its many \naccoutrements. In keeping with one of humanity's most reliable \nhallmarks, we now found among our greatest strengths an \nunsettling vulnerability to EMP, or electromagnetic pulse.\n    The effects of geomagnetic storms and electromagnetic \npulses on electric infrastructure are well documented with \nnearly every space weather and EMP expert recognizing the \ndramatic disruptions and cataclysmic collapses these pulses can \nbring to electric grids.\n    In 2008, the EMP Commission testified before the Armed \nServices Committee, of which I am a member, that the U.S. \nsociety and economy are so critically dependent upon the \navailability of electricity that a significant collapse of the \ngrid precipitated by a major natural or manmade EMP event could \nresult in catastrophic civilian casualties. This conclusion is \nechoed by separate reports recently compiled by the DO, DHS, \nDOE and the National Academy of Sciences along with various \nother government agencies and independent researchers. All of \nthem, Mr. Chairman, came to very similar conclusions. The 
The \nsobering reality is that this vulnerability if left unaddressed \ncould have grave societal-altering consequences.\n    Like many of you, I believe Federal regulations should be \nvery limited. However, our first national priority is national \nsecurity, and to protect our national security, we must protect \nour major transformers from cascading destruction. To that end, \nI have introduced the SHIELD Act, which differs primarily from \nyour discussion draft in three critical areas. Unlike the GRID \nAct, which I commend this committee deeply for passing last \nyear, the SHIELD Act authorizes to promulgate standards \nnecessary to protect our electric infrastructure against both \nnatural and manmade electromagnetic pulse events if the \nstandards developed by the ERO are inadequate to protect \nnational security. The SHIELD Act additionally requires \nautomated hardware-based solutions rather than procedural and \noperational safety measures alone, and the SHIELD Act does not \ncontain cybersecurity provisions, leaving the conflicting \napproaches to that extremely important issue among the Members \nof the Senate in particular to be debated in a separate bill.\n    Automated hardware, Mr. Chairman, is particularly important \nwhen one considers the shortcomings of procedural and \noperational safety measures alone in response to an EMP event. \nAccording to solar weather experts, there is only 20 to 30 \nminutes warning from the time we predict a solar storm that may \naffect us until the time it actually does. This is simply not \nenough time to implement procedures that will adequately \nprotect the grid. Furthermore, these predictions are only \naccurate one out of three times. This places a crushing dilemma \non industry, who must decide whether or not to heed the warning \nwith the knowledge that a wrong decision either way could \nresult in the loss of thousands or even millions of lives and \nmassive legal ramifications beyond expression.\n    Mr. 
Chairman and members, we are now 65 years into the \nnuclear age, and the ominous intersection of jihadist terrorism \nand nuclear proliferation has been inexorably and relentlessly \nhurtling toward America and the free world for decades. But \nwhen we add the dimension of asymmetric electromagnetic pulses \nto the equation, we face a menace that may represent the \ngravest short-term threat to the peace and security of the \nhuman family in the world today. Certainly, there are those who \nbelieve that the likelihood of terrorists or rogue states \nobtaining nuclear weapons and using them in an EMP attack is \nremote and it may be a reasonable conclusion for the moment, \nbut in the recent events of the Arab spring, which our \nintelligence apparatus did not foresee, it shows us that \nregimes can change very quickly. If terrorists or rogue states \ndo acquire nuclear weapons, hardening our electric grid would \nimmediately become a desperate national priority. However, that \nprocess will take several years, and a regime change only takes \na few weeks, a missile launch only takes a few minutes. The \nfact that we are now 100 percent vulnerable means that we \nshould start securing our electric infrastructure now. Indeed, \nby reducing our vulnerability, we may reduce the likelihood \nthat terrorists or rogue states would attempt such an attack in \nthe first place.\n    Thankfully, Mr. Chairman and members, there is a moment in \nthe life of nearly every problem when it is big enough to be \nseen by responsible, reasonable people and still small enough \nto be solved. You and I live in that moment when there still \nmay be time for the free world to address and mitigate the \nvulnerability that naturally occurring or weaponized EMP \nrepresents to the mechanisms of our civilization. Your actions \ntoday to protect America may gain you no fame or fanfare in the \nannals of history. 
However, it may happen that in your \nlifetime, a natural or manmade event so big has an effect so \nsmall that none but a few will recognize the disaster that was \naverted. And for the sake of our children and future \ngenerations, I pray it happens exactly that way.\n    Thank you, and God bless you all.\n    [The prepared statement of Mr. Franks follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thank you, Mr. Franks.\n    Mr. Langevin, you are recognized for a 5-minute opening \nstatement.\n\n                 STATEMENT OF JAMES R. LANGEVIN\n\n    Mr. Langevin. I would like to thank you, Chairman \nWhitfield, and Ranking Member Rush and Ranking Member Waxman \nfor allowing me to testify on what I believe to be one of the \nmost critical national security issues facing our country \ntoday: securing our electric grid from cyber vulnerabilities, \nan issue to which I have devoted several years of my time and \neffort, and I wanted to be here with my colleague, Mr. Franks.\n    As both a member of the House Armed Services Committee as \nwell as the House Permanent Select Committee on Intelligence, I \nsit at a very interesting nexus which gives me broad \ntransparency into the national security challenges that face \nour Nation today, and I previously testified on this issue in \n2009 after a bill that I drafted with then-Homeland Security \nChairman Bennie Thompson, which was adapted into then-Chairman \nMarkey's GRID Act, and I of course want to thank the committee \nfor including me in this discussion again here today.\n    We know that there are a number of actors who seek to do \nharm to our networks from foreign nation-states, domestic \ncriminals and hackers, to disgruntled employees, and as the \nthreat and capability both grow, so does the risk to our \ncritical infrastructure. Now, this threat is not new. 
In the \n110th Congress as chairman of the Homeland Security \nSubcommittee with jurisdiction over cybersecurity, I conducted \na detailed examination of cyber threats to our critical \ninfrastructure, and I want to reiterate what I made clear in my \nprevious testimony before this subcommittee. I believe we \nremain vulnerable to a cyber attack against the electric grid \nthat could cause severe damage to our critical infrastructure, \nour economy, our security and even American lives.\n    Now, the vast majority of our critical assets are in \nprivate hands, and because fixing vulnerabilities can be \ncostly, security can find itself in conflict with other \npriorities like profit, competition and accountability to \nshareholders. Sadly, the American people are the ones placed at \nrisk when the owners of our critical infrastructure fail to \nprepare for the worst-case scenarios.\n    I was pleased by the early attention paid to the issue of \ncybersecurity by the Obama administration, and despite some \ndelays in the process, I would like to commend the \nadministration for taking some very serious steps in the right \ndirection. Under the leadership of Cyber Coordinator Howard \nSchmidt and his staff, the White House has released legislative \nguidance that envisions more government involvement in setting \nstandards and best practices for cyber protection across all \nsectors of our critical infrastructure. This mirrors \nphilosophically the framework of legislation I introduced \nearlier this year.\n    Now, DHS is also taking important steps to become more \ninvolved in securing our critical infrastructure. 
The \nestablishment of the Industrial Controls Systems Computer \nEmergency Response Team, or ICS-CERT, under Sean McGurk, \nformalized a group of experts and fly-away teams that could \nrespond to cyber incidents across all sectors of our utilities.\n    However, a company must still request help from the \ngovernment before it can be deployed, and the simple act of \nhaving to ask often forces decision makers and industry to \nsteer clear of seeking help for these complex problems. I am \npleased to see industry players increasingly stepping up to the \nplate to combat these threats but I fear they cannot move fast \nand far enough under the current system. As Michael Assante, \nthe president of the National Board of Information Security \nExaminers and former chief security officer at the North \nAmerican Electric Reliability Corporation, or NERC, testified \nlast year, and I quote, ``We are not only susceptible but we \nare not very well prepared.''\n    Now, I supported the GRID Act as it moved through the House \nlast year because it seems to address some of the unique \npolitical and regulatory challenges in our power industry \ntoday. Currently, we live under a system that does not \nprioritize security but actively penalizes open reporting and \ncooperation. The legislation that is before us today aims to \ncorrect this by allowing Federal regulators greater authority \nto protect Americans during times of imminent crisis. It also \nprovides for the issuance of orders to identify and mitigate \nvulnerabilities to protect the bulk power system from cyber \nattacks. 
While this measure is a significant step forward, I \nwould also encourage the committee to consider provisions in my \nlegislation and in Senate and administration proposals that \nexpand this model to other sectors of critical infrastructure \nand enhance the ongoing efforts of DHS to quickly respond to a \nmajor crisis.\n    I would also note my concern that by specifying only the \nbulk power system, this legislation excludes critical \ndistribution systems that would leave major cities like New \nYork and Washington unprotected by the broader provisions of \nthis bill.\n    I will conclude by cautioning again that inaction on this \nissue will make our Nation increasingly vulnerable to cyber \nattacks from both outside and within. We know the threat \nexists, and we have an opportunity to address it before any \nfurther damage is caused. It is the responsibility of Congress \nand the administration to take the appropriate steps that will \nprotect this Nation.\n    Once again, I would like to thank you, Chairman Whitfield \nand Ranking Member Rush as well as Ranking Member Waxman, for \ntheir attention to this very important issue and for the \nopportunity to testify here today. I certainly look forward to \nworking with the Energy and Commerce Committee and to \nsupporting your efforts to raise awareness about securing our \ncritical infrastructure and protecting our citizens from cyber \nattack.\n    Thank you, and I yield back.\n    [The prepared statement of Mr. Langevin follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thank you, Mr. Langevin. We appreciate the \ntestimony of both of you.\n    As you know, this is an important issue with great \nconsequences for the country, and last year, of course, the \nGRID Act did pass the House of Representatives but was unable \nto get through the Senate, and we are quite familiar with that. 
\nWe pass a lot of things here that don't get through the Senate, \nbut our objective is to get something through the House and the \nSenate and signed by the President. And I know, Mr. Franks, \nthat a large number of members of the Armed Services Committee, \nand you serve on that as well, Mr. Langevin, are cosponsoring \nyour bill, and I am assuming, Mr. Langevin that your bill and \nSenator Rockefeller's bill basically reflects the \nadministration's proposal. Is that correct?\n    Mr. Langevin. Well, I wouldn't go so far as to say that, \nbut they both move in a similar direction.\n    Mr. Whitfield. What I would like from both of you to just \ngive advice to this committee on what you think we need to do \nto maximize our opportunity to get this passed in the Senate. \nMr. Franks?\n    Mr. Franks. Well, Mr. Chairman, as it happened last year, I \nwent over and personally lobbied the Senate as hard as I could \non the GRID Act, even though as I have laid out today, I \nbelieve that there are some critically important things that \nneeded to be added to or changed. I met with Senator Murkowski \nand others there in the chamber, and the big challenge was that \nthey had differing strategies on what should be done about \ncybersecurity.\n    Now, let me make it so desperately clear here. I believe \nthat cybersecurity is a critically important issue, and I think \nI would find myself largely in Mr. Langevin's camp on that \nissue, but the problem is, the personalities there have \ndifferent strategies on how to address it, and I am trying to \nprotocol here, Mr. Chairman. They couldn't get together on \nthat, and that is why we felt like the issue should be \nseparated, not because that one is more important than the \nother per se but because I just think it is going to be \nespecially difficult. That is complicated this year, as you \nknow. The White House just a few weeks ago, probably what you \nwere talking about with Mr. 
Langevin, released a legislative \nproposal for nationwide cross-sector cybersecurity efforts, and \nthe Senate is working to produce a goal to meet those needs, \nand my concern is that if we tie them together, we may weaken \nboth of them, because there is very little disagreement on the \nEMP aspects of it. The Senators were very supportive of being \nable to protect the grid itself, just had some very seriously \ndiffering approaches to the cybersecurity element of it.\n    Mr. Whitfield. OK. Mr. Langevin, do you have a comment?\n    Mr. Langevin. Well, Mr. Chairman, I would just say that \nlast year we were a bit frustrated by the Senate still \ncontemplating which path forward they were going to take. I was \nfortunate to get an amendment included in the House Armed \nServices defense authorization bill last year that would have \nestablished a White House Office on Cybersecurity with a \ndirector's position that would have been Senate confirmed, and \nit would have included updates to the FISMA law. That did not \nget through the conference committee last year because the \nSenate was still struggling to determine which direction they \nwere going to take, whether it was going to be Rockefeller-\nSnowe or Collins-Lieberman. I believe that the Senate is moving \nin the direction of resolving those issues, and I am hopeful \nthat now that the White House has come out with its guidance on \ntheir views on cybersecurity going forward that that will clear \nsome of the hurdles in the Senate and they will be able to come \ntogether and reach an agreement which hopefully will allow the \nGRID Act, will allow these issues to clear the hurdles that \nremain ahead.\n    So I would say it is perseverance. We are going to have to \ncontinue to keep the pressure on the Senate but hopefully, and \nI would say that I am in close contact with Senator Sheldon \nWhitehouse, who is also from Rhode Island and who is also one \nof the leaders in the Senate on cybersecurity. 
He believes that \nwe will see quite positive progress on the issue of \ncybersecurity in the Senate, so I am hopeful that we will see a \nlot of these issues addressed and we will be able to get them \nthrough conference.\n    Mr. Whitfield. Well, thank you all very much, and we do \nlook forward to continuing to work with you because both of you \nhave been leaders in this area and we hope that we can continue \nto call on you for your input.\n    At this time I will recognize the gentleman from Illinois.\n    Mr. Rush. Thank you, Mr. Chairman. I am going to be brief.\n    Mr. Langevin, you have expressed some level of restraint \nregarding this bill in that you think that it could be \nstrengthened in certain areas, and I am curious, I know that we \nwant to send the best bill that we can to the Senate. Again, we \ncan persevere, as you have indicated, but how do you think that \nwe can strengthen this bill?\n    Mr. Langevin. Well, a couple of things, Congressman Rush. I \nwould like to see the approach that we are taking here, \naddressing the challenges to the bulk power system broadened to \ninclude other areas of critical infrastructure, because some of \nthem would be in the jurisdiction of the full Energy and \nCommerce Committee. Others may be in the area of the Financial \nServices Committee. But I think that the approach that you are \ntaking here is a positive one with respect to the electric \ngrid.\n    In addition to that, I would like to see this bill address \ndistribution systems, not just transmission but distribution \nsystems. As I said, it is my understanding that because \ndistribution is not dealt with in the bill that areas like \nWashington, D.C., and New York would be left out of the intent \nand hopefully the coverage that this legislation would provide, \nprotection provided to our electric grid. So I would encourage \nthe committee to look further at that issue.\n    Mr. Rush. 
Congressman Franks, do you have any suggestions \nalong the same lines?\n    Mr. Franks. Well, I think that Congressman Langevin has it \nabsolutely right, that I know we have pictures of New York and \nWashington but we still want to keep them around for a while, \nand I think that it is wise to extend that to the transmission \nlines.\n    Again, my primary purpose here is to try to focus as \nnarrowly as I can on maintaining the base electric grid, \nbecause if that goes down, our cybersecurity issues are no \nlonger an issue because we don't have computer systems, we \ndon't have the electricity to run them, and it might behoove \nthe committee to consider a possibility of sending the GRID Act \nover as it is and in a separate version just addressing the EMP \nissue in case there is the issue where the Senate can't come \ntogether on exactly how they want to do the cybersecurity, but \nI emphasize one last time that the cybersecurity issue is \nabsolutely critical. I visited the Palo Verde nuclear power \nplant in Arizona just outside my district. It is the largest \none in the Nation. And we had a hacker that was strokes away \nfrom being able to go in and begin to monkey with the reactor \nitself.\n    Mr. Rush. Mr. Chairman, my general assembly and my State \nlegislature, they just yesterday passed a bill out and sent it \nto the governor addressing some of these same matters, and I am \ninterested in the other cities that you named but I am also \ninterested in the third city, the city by the lake, Chicago, \nand what the threats are to Chicago also.\n    So with that, Mr. Chairman, I yield back the balance of my \ntime.\n    Mr. Whitfield. Thank you, Mr. Rush.\n    Generally speaking, when we have Members of the House or \nthe Senate testifying, the chairman and ranking member are the \nonly ones that ask questions. However, I would ask our friends \non this side of the aisle if they have any questions. Mr. \nTerry?\n    Mr. Terry. 
I don't, but I have worked with Trent on his \nbill and I just wanted to thank both of you for your good work. \nThis is an extremely important issue, and as the ranking member \nand the chairman both said, we need to get this to the point \nwhere the Senate can pass it and we get it to the President's \ndesk, so thank you for your efforts. I yield back.\n    Mr. Whitfield. Well, thank you, Mr. Terry, and once again, \nthank you all so much for your concern and your leadership on \nthis issue, and we will continue to work with you as we move \nforward, and unless you all want to stay and hear the other \npanel, we will let you go on in your other activities. So thank \nyou.\n    Mr. Langevin. Thank you.\n    Mr. Franks. Thank you, Mr. Chairman.\n    Mr. Whitfield. At this time I would like to call up our \nsecond panel, which includes the Honorable Patricia Hoffman, \nwho is the Assistant Secretary, Office of Electricity Delivery \nand Energy Reliability at the Department of Energy. We have the \nHonorable Paul Stockton, Assistant Secretary of Defense for \nHomeland Security and America's Security Affairs at the U.S. \nDepartment of Defense, and we have Mr. Joseph McClelland, who \nis the director of the Office of Electric Reliability at FERC.\n    So welcome to the hearing, and thank you all for taking \ntime to be with us and to give us your expertise and thoughts \non this issue. So at this time, Ms. Hoffman, I will recognize \nyou for a 5-minute opening statement, and I would just point \nout there is a little device on the top of the table that has a \nred, green and yellow light, and when it turns red, we would \nlike for you to maybe think about coming to an end, but we \nwon't hold strictly to that.\n    Ms. Hoffman, you are recognized for 5 minutes.\n\nSTATEMENTS OF PATRICIA A. HOFFMAN, ASSISTANT SECRETARY, OFFICE \n OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, DEPARTMENT OF \n ENERGY; PAUL N. 
STOCKTON, ASSISTANT SECRETARY OF DEFENSE FOR \nHOMELAND DEFENSE AND AMERICAS' SECURITY AFFAIRS, DEPARTMENT OF \nDEFENSE; AND JOSEPH H. MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC \n       RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION\n\n                STATEMENT OF PATRICIA A. HOFFMAN\n\n    Ms. Hoffman. Good afternoon, Mr. Chairman and members of \nthe committee. I would like to extend my thanks to the chairman \nand the esteemed members of the committee for inviting me here \ntoday to discuss cybersecurity issues facing the electric \nindustry, as well as potential legislation intended to \nstrengthen protection of the bulk power system and the electric \ninfrastructure.\n    Ensuring a resilient electric grid is particularly \nimportant, since it is arguably the most complex and critical \ninfrastructure that others depend upon to deliver essential \nservices. The Department of Energy's Office of Electricity \nDelivery and Energy Reliability supports the administration's \nstrategic, comprehensive approach to cybersecurity, and \nspecifically with respect to the electric grid, we recognize \nthat our focus should be on seven key areas. 
One is \nfacilitating public-private partnerships to accelerate grid \ncybersecurity efforts; two, funding research and development of \nadvanced technology to create secure and resilient electricity \ninfrastructure; three, developing cybersecurity standards that \nprovide a baseline to protect against known vulnerabilities; \nfour, timely sharing of information; five, the development of \nrisk management frameworks; six, facilitation of incident \nmanagement and response capabilities; and seven, the \ndevelopment of a highly skilled and adaptive workforce.\n    Cybersecurity for the electric grid must not only address \nthreats and vulnerabilities of traditional information systems \nbut also address the unique issues to electric control systems \nsuch as SCADA systems and other control devices.\n    The Cyberspace Policy Review underscores the need to \nstrengthen public-private partnerships in order to design a \nmore secure technology and improve resilience of the critical \ngovernment and industry systems and networks. As directed by \nHSPD-7, public-private partnerships must be established to \neffectively address national security concerns for critical \ninfrastructure. However, private industry alone cannot be \nresponsible for preventing, deterring, and mitigating effects \nof deliberate efforts to destroy or exploit critical \ninfrastructure systems. Our Office has long recognized that \nneither the government nor the private sector nor individual \ncitizens can meet cybersecurity challenges alone. We must work \ntogether.\n    OE supports and funds activities to enhance cybersecurity \nin the energy sector. Nearly all of the cybersecurity \nactivities involve public and private partnerships. 
Through \npartnerships and competitive solicitations with the DOE, \nDepartment of Energy National Laboratories, industry and \nacademia, OE has sponsored research and development of several \nadvanced cybersecurity technologies that are commercially \navailable, and a couple of these examples include a secure \nserial communications for control system that has been \ncommercialized by Schweitzer Engineering Laboratory; a software \ntoolkit that provides auditing of SCADA security settings--this \nwas commercialized by Digital Bond, which is a small business; \nvulnerability assessments of 38 different SCADA systems; and a \ncommon vulnerabilities report to help utilities and vendors \nmitigate vulnerabilities found in many SCADA systems.\n    Supporting the development of cybersecurity standards--our \noffice is collaborating with NIST and other agencies and \norganizations to develop a framework and roadmap for \ninteroperability standards that include cybersecurity as a \ncritical element. The NIST smart grid interoperability panel \ncybersecurity working group released the Cybersecurity \nGuidelines for the Smart Grid. OE also partnered with leading \nutilities to develop cybersecurity profiles to provide vendor-\nneutral actionable guidance to utilities, vendors and \ngovernment entities on building cybersecurity into the smart \ngrid components at the development stage including safeguards \nand implementing safeguards when integrated into the grid.\n    OE supports continued investment in developing and building \na cybersecurity workforce within the energy sector. 
Some \nexamples include working with State and local governments and \nagencies to put together technical briefs, education forums, \nworkshops and exercises, just to name a few.\n    The Department fully supports the administration's proposed \ncomprehensive cybersecurity legislation focused on \ncybersecurity for the American people, our Nation's critical \ninfrastructure and the Federal Government's own networks and \ncomputers. Specifically, the administration proposes the \nfollowing legislative changes to enhance protection of critical \ninfrastructure: voluntary government assistance to industry, \nvoluntary sharing with industry and States and critical \ninfrastructure security risk mitigation.\n    In conclusion, I would like to thank the committee for its \nleadership and supporting the protection of the bulk power \nsystem and critical infrastructure against cyber threats. The \nOE looks forward to working with Congress to further the \ndialog, and I would be pleased to answer any questions that you \nmay have.\n    [The prepared statement of Ms. Hoffman follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thank you, Ms. Hoffman.\n    Mr. Stockton, you are recognized for 5 minutes.\n\n                 STATEMENT OF PAUL N. STOCKTON\n\n    Mr. Stockton. Thank you, Mr. Chairman, Mr. Ranking Member \nand other distinguished members of the committee. I have a \ndetailed statement which I will submit for the record, but I \nwant to focus on a few key points that I make that I hope will \nbe helpful to you as you exercise the leadership that we need \ncoming from the House of Representatives and the Congress as a \nwhole.\n    First of all, the Department of Defense is not in the lead \nfor energy security in the United States. 
For the Federal \nGovernment, that is my colleagues at the Department of Energy, \nDepartment of Homeland Security, Department of Defense in \nsupport of them but let me emphasize, the Department of Defense \ncannot execute its core missions in service of this Nation \nunless we have a secure flow of commercial electric power, and \nthat is for a simple reason: the Department of Defense depends \nfor its energy 99 percent on the commercial sector. We don't \nown the commercial sector. We never will. We have no regulatory \nauthority over it, but we are utterly dependent on the flow of \nthat commercial power.\n    Let me talk a little bit about why that is the case. In the \nmodern way of warfare, since 9/11, our forces deployed abroad \nfighting in Afghanistan and Iraq and operating elsewhere depend \nto an increasing extent on military facilities back here in the \nUnited States to conduct and support those operations. To \ngenerate, deploy and operate forces abroad, we depend on \nmilitary facilities in the States represented here today, and \nif there is an interruption in the flow of commercial power to \nthose facilities, for a short period they have backup power \ngeneration but for a longer disruption of the grid we would be \nfacing a situation of potentially devastating effects on our \nconduct of defense operations abroad, and we could face serious \nchallenges at home. I will talk about those consequences in a \nmoment, but first I want to talk a little bit about the nature \nof the threat.\n    First of all, the cyber threat is something we take very, \nvery seriously. That is why I am so strongly in support of the \nadministration's cybersecurity legislative proposal. But I want \nto emphasize that cyber is only one of the threat vectors that \nthe Nation faces. 
Simple kinetic attacks intelligently \nconducted by the adversary could have significant disruptive \neffects on the flow of commercial power to Department of \nDefense facilities in the United States. We heard Congressman \nFranks speak eloquently about the risk of solar flares, again, \nsomething we take very, very seriously. But Mr. Chairman, \nlooking at you and the ranking member, the States that you are \nfrom as well as other States represented here, I would like to \nturn for a moment to the New Madrid fault and the threat that \nearthquakes pose as sort of a representative way of looking at \nthe nature of natural hazards. In the national-level exercise \nwe just conducted 2 weeks ago that posited for its scenario a \n7.7 earthquake on the New Madrid fault, our friends at NERC \nestimated that there would be a multi-State long-term power \noutage, long term, weeks, potentially months, rolling blackouts \nin Chicago and in the East Coast, and what I would like you to \nthink about is the downstream effects of such an event, both on \ncritical Department of Defense operations in Fort Campbell, for \nexample, everyplace else, all the facilities are represented \nhere today, but also in the immediate area. Two things to think \nabout. First of all, the way that the loss of electric power \nwould magnify the scale of the catastrophe to which we would \nall be responding. Municipal water systems in Memphis and \nelsewhere, they depend on the flow of commercial power. When \nthat power stops, drinking water gradually gets turned off, and \nin a situation like the New Madrid fault, gas lines are going \nto be broken, fires are going to be breaking out, where is the \nwater pressure to fight those fires. Where is the gas to fuel \nthe trucks that will be going to fight the fires or collect \nwater elsewhere, because of course as you all know, gas pumps \nand diesel pumps, they run on electric power. 
We would very \nquickly be in a situation where we need to get emergency diesel \npower flowing to nuclear power plants, State emergency \noperations centers, everything else required to deal with the \ndisaster, and this would be in a situation where roads and \nbridges are down and there is so much demand for backup diesel \npower compared to the amount of diesel fuel that is \nprepositioned at these facilities.\n    These are examples of the kinds of ways in which a disaster \nwould be magnified but I am looking at it from an additional \nperspective. The Department of Defense would be supporting the \ngovernors of your States through FEMA, of course, and there \nwould be big demand on the Department of Defense to provide \nadditional support at the same time that our response \noperations would be severely disrupted. With the loss of \nelectric power, how are we going to receive the massive forces \nthat would be coming in at the request of governors? How are we \ngoing to stage them, move them forward? These are challenges \nthat we need to take on very, very seriously.\n    Now, the Department of Defense is doing so, and what I \nwanted to do briefly is talk about some of the remediation \nefforts we are taking. First of all, we are working closely \nwith the Department of Energy to partner together in the \nFederal Government so we can reach out to industry and find out \nhow we can work together with industry to provide industry with \nwhat we would call a better design basis to ensure the \nresilience of the electric power grid against all of these \nhazards. I believe today's power grid has very strong \nresilience but it is not designed for the kinds of threats that \nwe are talking about today, above all, cyber or carefully \ndesigned kinetic attacks. 
We need to work together with \nindustry to find a way to enable them to build more resilience \ninto the grid and then inside the Department of Defense family, \nwe need to do a better job of securing the flow of electric \npower to our critical defense facilities in all of the States \nrepresented here today to make sure that single points of \nfailure on the flow of electric power coming in, we take care \nof those problems and we remedy those in partnership with the \nutilities in the same neighborhoods as our military facilities.\n    Mr. Chairman, I look forward to answering your questions.\n    [The prepared statement of Mr. Stockton follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thank you, Mr. Stockton.\n    Mr. McClelland, you are recognized for a 5-minute opening \nstatement.\n\n               STATEMENT OF JOSEPH H. MCCLELLAND\n\n    Mr. McClelland. Thank you. Mr. Chairman and members of the \ncommittee, thank you for the privilege to appear before you \ntoday to discuss the security of the power grid. My name is Joe \nMcClelland and I am the Director of the Office of Electric \nReliability at the Federal Energy Regulatory Commission. I am \nhere today as a commission staff witness, and my remarks do not \nnecessarily represent the views of the commission or any \nindividual commissioner.\n    In the Energy Policy Act of 2005, Congress entrusted the \ncommission with a major new responsibility: to oversee \nmandatory, enforceable reliability and cybersecurity standards \nfor the Nation's bulk power system. This authority is in \nsection 215 of the Federal Power Act. It is important to note \nthat FERC's authority under section 215 is limited to the \n``bulk power system,'' which excludes Alaska and Hawaii, \ntransmission facilities in certain large cities such as New \nYork, as well as local distribution systems. 
Under section 215, \nFERC cannot author or modify reliability or cybersecurity \nstandards but must depend upon an electric reliability \norganization, or ERO, to perform this task. The commission \nselected the North American Electric Reliability Corporation, \nor NERC, as the ERO. The ERO develops and proposes \ncybersecurity standards or modifications for the commission's \nreview, which can then either approve or remand. If the \ncommission approves the proposed cybersecurity standard, it \nbecomes mandatory in the United States, applying to the users, \nowners and operators of the bulk power system. If the \ncommission remands a proposed standard, it is sent back to the \nERO for further consideration.\n    Pursuant to its responsibility to oversee the reliability \nand cybersecurity of the power grid, in January of 2008 FERC \napproved eight cybersecurity standards known as the critical \ninfrastructure protection, or CIP standards, but also directed \nNERC to make significant modifications to them. Compliance with \nthese eight CIP standards first became mandatory on July 1, \n2010. Although NERC has filed and the commission has approved \nsome modification to the CIP standards, the majority of the \ncommission's directed modifications to the CIP standards have \nnot yet been addressed by NERC. It is not clear how long it \nwill take for the CIP standards to be modified to eliminate \nsome of the significant gaps in protection within them.\n    On a related note, as smart grid technology is added to the \nbulk power system, greater cybersecurity protections will be \nrequired, given that this technology provides more access \npoints thereby increasing the grid's vulnerabilities. The \ncybersecurity standards will apply to some but not most smart \ngrid applications.\n    Moreover, there are non-cyber threats that also pose \nnational security concerns. 
Naturally occurring events or \nphysical attacks against the power grid can cause equal or \ngreater destruction than cyber attacks, and the Federal \nGovernment should have no less ability to protect against them. \nOne example is electromagnetic pulse, or EMP. An EMP event \ncould seriously degrade or shut down a large part of the power \ngrid. In addition to manmade attacks, EMP events are also \nnaturally generated, caused by solar flares disrupting the \nearth's magnetic field. Such events are inevitable, can be \npowerful, and can also cause significant and prolonged \ndisruptions to the grid. In fact, FERC, DHS and DOE recently \ncompleted a joint EMP study through the Oak Ridge National \nLaboratory. The study evaluated both manmade and naturally \noccurring EMP events to determine their effects on the power \nsystem and to identify protective mitigation measures that \ncould be installed. Included among its findings was that \nwithout effective mitigation, if the solar storm of 1921, which \nhas been termed a one-in-100-year event, were to occur today, \nwell over 300 extra high-voltage transformers could be damaged \nor destroyed, thereby interrupting power to 130 million people \nfor a period of years. Although section 215 of the Federal \nPower Act can provide an adequate statutory foundation for the \ndevelopment of routine reliability standards for the bulk power \nsystem, a threat of cyber attacks or other intentional \nmalicious acts against the electric grid is different. These \nare threats that can endanger national security that may be \nposed by criminal organizations, terrorist groups, foreign \nnations or others intent on attacking the United States through \nits electric grid. Widespread disruption of electric service \ncan quickly undermine our government, our military, our economy \nas well as endanger the health and safety of millions of our \ncitizens. 
Given the national security dimension to this threat, \nthere may be a need to act quickly, to act in a manner where \naction is mandatory rather than voluntary and to protect \ncertain information from public disclosure. Faced with a cyber \nor other national security threat to reliability, there may be \na need to act decisively in hours or days rather than weeks, \nmonths or years. The commission's legal authority is inadequate \nfor such action.\n    New legislation should address several key concerns. First, \nFERC should be permitted to take action before a cyber or \nphysical national security incident has occurred. Second, FERC \nshould be allowed to maintain appropriate confidentiality of \nsecurity-sensitive information. Third, the limitations of the \nterm ``bulk power system'' should be understood as our current \njurisdiction under 215 does not apply to Alaska and Hawaii as \nwell as some transmission facilities and all local distribution \nfacilities. Fourth, entities should be able to recover costs if \nthey occur to mitigate vulnerabilities and threats. And \nfinally, any legislation on national security threats to \nreliability should cover not only cybersecurity threats but \nalso natural events and intentional physical malicious acts \nincluding threats from an EMP. The GRID Act draft addresses \nmany of these issues.\n    Thank you for your attention today, and I look forward to \nany questions that you may have.\n    [The prepared statement of Mr. McClelland follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Well, thank you all for your testimony.\n    Many of you heard Congressman Franks and Mr. Langevin also \ntalk about the need to expand. I noticed the White House in \ntheir cybersecurity proposal is exactly that, is focused only \non cybersecurity, and that was a suggestion that Mr. Franks \nmade that let us do cybersecurity in one bill and let us \naddress the other issues in a separate bill. 
Do you all have \nany thoughts as far as strategy, that that is something the \ncommittee should attempt to do, or not? Ms. Hoffman.\n    Ms. Hoffman. As was mentioned earlier, cybersecurity is a \ndifficult and complex issue, and EMP and other issues are \ndifferent in nature, although the impact to the country can be \ndevastating, either one, so in order to tackle things one at a \ntime, the administration is looking just comprehensively at the \ncyber legislation individually.\n    Mr. Whitfield. OK. Mr. Stockton, do you have a comment?\n    Mr. Stockton. Yes, sir. I think that the cyber legislation \nproposed by the administration is a critical step towards \nprotection of infrastructure as a whole would greatly benefit \nthe energy sector as well. Clearly, there are threats that we \nhave been discussing that wouldn't be encompassed by this \nlegislation but it is a critical building block on which we \nneed to make progress.\n    Mr. Whitfield. Right. Mr. McClelland?\n    Mr. McClelland. I don't see where the administration's bill \nwould conflict with the GRID Act. The administration's bill \nprovides a broad umbrella to partner with industry to bring the \npractices to a higher level. The commission's authority under \n215 doesn't have to conflict with that concept, and in fact, \nany further enhancement of the commission's authority or any \nregulatory authority may actually complement that concept.\n    Mr. Whitfield. Well, you know, Mr. Langevin pointed out the \nneed to expand from bulk systems to expand your section 215 \nauthority. Do all of you agree that that should be done? I am \nassuming you do, Mr. McClelland.\n    Mr. McClelland. 
As I pointed out in my testimony, the \ncommission, you know, our position or my position is that the \ndistribution systems aren't covered and so we wish to point out \nthat if the term ``bulk power system'' is followed, there would \nbe significant pieces of the power grid that would not be \nprotected if the GRID Act passes, either from a cybersecurity \nor physical perspective.\n    Mr. Whitfield. Mr. Stockton, do you or Ms. Hoffman have any \ncomments on that part?\n    Ms. Hoffman. I think it is important to take a holistic \nlook at cybersecurity. As you look at the administration's \nproposal, it wants to take a comprehensive approach so that \nwould include entities that would be defined as critical \nwhether they are in the bulk power system or at the \ndistribution. The important thing to note is, we need everybody \nto understand how to advance cybersecurity procedures and \npostures, and I would say that includes State governments as \nwell as any Federal action.\n    Mr. Whitfield. How would you all describe the coordination \nbetween DOE, DOD and FERC today on these types of issues?\n    Ms. Hoffman. The coordination between DOD and DOE primarily \nlooks at defense facilities and the interface with the energy \nsector. We do provide some support work on studies and looking \nat the interdependency between the energy sector and the \ndefense. We are looking at micro grids. We are looking at \nadvanced technologies in support of the defense facilities. Our \ncoordination with FERC provides tools and technologies to look \nat improved reliability for the electric sector. We do \ncoordinate it with information sharing to the extent possible, \nlooking at technologies that will actually improve the posture \nof the system. So the coordination with FERC is, they are a \nregulatory entity. 
The Department of Energy funds public-\nprivate partnerships so in a sense, we are incentivizing \nchanges within industry, and FERC looks at regulating aspects \nof industry.\n    Mr. Whitfield. Does anybody else have any comment?\n    Mr. McClelland. I would say there are formalized \nmechanisms, as Ms. Hoffman pointed out. There are formalized \nmechanisms such as the government coordinating council, where \nthe Department of Energy sits as the energy sector lead. FERC \nparticipates in those formalized initiatives with the other \nagencies. In addition, we have excellent working relationships \non an informal or an impromptu basis with the Department of \nEnergy, the Department of Defense, Department of Homeland \nSecurity, CIA, NSA and NRC. So we reach out as necessary to \neither borrow expertise or provide expertise pursuant to power \ngrid and individual needs on the grid.\n    Mr. Whitfield. When we talk about cybersecurity attacks, in \nthe United States I am not aware of any major attack, and \ninternationally, what comes to my mind is the Stuxnet in Iran \nwhich basically shut down some of their nuclear power systems. \nAre you aware of any other major cybersecurity attacks that \nhave had significant impact?\n    Ms. Hoffman. I am not aware of any major significant \nattacks. Stuxnet was a very complex attack within the nuclear \nsector. The issue or the focus that we have is, there are \nincidents that may occur, and we need to be prepared to be able \nto respond to those incidents quickly and promptly, and so as \nwe move forward, it is looking at, how do we have an incident \nmanagement plan or an incident response plan to be able to \naddress the event quickly, so looking at information exchange, \ndiagnostics, and the ability to deter and prevent any further \ndamage.\n    Mr. Whitfield. OK. Mr. Rush, you are recognized for 5 \nminutes.\n    Mr. Rush. Thank you, Mr. Chairman.\n    First of all, I want to thank the witnesses. 
In the last \nCongress, when we worked on this issue in a bipartisan manner, \nthe administration provided the members of this committee with \na classified briefing that helped us understand the \nvulnerabilities to our electric grid and actions needed to \nprotect that same grid, and I just have to ask each of you, in \nlight of the fact that we have some new members, a lot of new \nmembers on this subcommittee, will each of you agree to at a \ntime determined by the chairman to return and brief the members \nof this committee again on the vulnerabilities of our \ncybersecurity area? Will each of you do that?\n    Ms. Hoffman. Yes, sir.\n    Mr. Stockton. Yes.\n    Mr. McClelland. Yes.\n    Mr. Rush. Well, let me just ask Ms. Hoffman, you seem to \nfeel as though, the impression that I get is that you seem to \nfeel as though OK, this is a step in the right direction but it \nis narrow, and what the administration is looking at is a much \nbroader view. They are taking a more universal, a broader view \nof this particular issue. If you were to overlay the \nadministration's efforts on this bill, this proposal and the \nGRID Act, what would we see and what would you see as being \nsome of the most significant differences?\n    Ms. Hoffman. The administration's proposed discussion draft \nfocuses on several things. It looks at criminal aspects with \nrespect to criminal charges and enforcement. It looks at \nvoluntary information sharing. It looks at voluntary \nassistance. So it is building a public-private partnership to \nactually build capabilities in support to the industry sector, \nwhich is critically needed at this point in time. It also looks \nat the ability to develop plans, risk-based plans. 
Now, most of \nthe critical infrastructure definition and the development of \nrisk-based plans will of course be done through a rulemaking \nprocess through DHS, but the administration has taken a \nholistic approach of trying to get all the sectors up to a \ncybersecurity baseline performance.\n    Now, in deference to the GRID Act, which is focusing on \ntransformers, EMP, it is focusing on emergency and standard \ndevelopment, which is a slightly different approach from what \nthe administration's position is but both those could be worked \nfor complementary efforts.\n    Mr. Rush. Do any of the other witnesses have any comments \non this?\n    Well, let me ask you this. It seems as though--I know my \nState, as I indicated earlier, yesterday the members of the \ngeneral assembly passed smart grid regulations, and it seems as \nthough some of the States are starting to move on their own, \nbut the administration has a discussion draft or a pending \nbill, and I am not sure whether or not these States who are \nstarting to take actions are basing any of their efforts on \nwhat the administration is ultimately looking at. So how much \ncooperation, how much sharing of information, how much \nenlightenment is the administration providing to these States \nso they won't have to come back and redo whatever legislation \nthey might pass prior to the administration getting its bill \npassed, and what is the status of the administration's proposal \nright now? There are two points there. Ms. Hoffman? You might \nwant to----\n    Ms. Hoffman. The status is, it is a discussion draft and \nthe administration is looking forward to working with Members \nof Congress to continue that discussion, to advance the \ncomponents of that discussion draft. 
With respect to smart \ngrid, there are security profiles and standards that are \ncurrently under development to provide security within the \ndevices as they are being built, so we are working \ncybersecurity standards with the development of device as we \ndeploy and implement smart grid technologies.\n    One of the things that we are trying to do is provide \nimproved system performance, which can aid and provide benefit \nfor restoration time out as management so more preventive \nversus looking at the consequences if an event occurs.\n    Mr. Rush. Gentlemen, my time is up.\n    Mr. Whitfield. Thank you, Mr. Rush.\n    At this time I recognize the gentleman from West Virginia, \nMr. McKinley, for 5 minutes.\n    Mr. McKinley. Thank you, Mr. Chairman.\n    Ms. Hoffman, I wasn't here when this bill passed last year, \nbut I am curious if you could walk me through it or maybe \nsomeone else on the panel perhaps. The way I am reading this, \nthe GRID Act, is we start with subsection A of definitions and \nthen we move into B, which is emergency response measures, and \nthat refers very specifically to security threat, and under \nthat subsection B, it has a subsection 6 which has cost \nrecovery. So there is a vehicle, a mechanism to recover cost \nfor threat. Then if we can skip C just for the moment that has \nto do with vulnerability, and then you go to D, which is called \ncritical defense facilities. Under critical defense facilities, \nthere is a subsection on page 15 about cost recovery. I am just \ncurious, back on the one I skipped over, C, that is the section \nthat refers to grid security vulnerabilities. Under \nvulnerabilities, there is no cost recovery by this particular \npiece of legislation. Was that intentional, that \nvulnerabilities would not be able to recover the costs, the \nutility companies and anyone else would not be able to recover \ntheir costs? I am sorry I singled you out but I don't care who \nanswers the question.\n    Mr. 
McClelland. I can take a shot at that. I believe you \nare correct. I believe that threats are singled out for cost \nrecovery. I believe under the 100 most critical facilities for \nthe DOD, the user is required to pay for any upgrades or any \nenhanced measures. I didn't see cost recovery for \nvulnerabilities either.\n    Mr. McKinley. Does that make any sense to you, that there \nis someone that could have the expense, if you read down \nthrough all the issues that you have for if nothing else the \nlarge transformer availability. There would be no way to \nrecover the cost to having that on board.\n    Mr. McClelland. Right. Well, we have consistently said at \nthe commission that we think that there must be three aspects \nif you would like to have someone move on one of these issues. \nOne is, you have got to identify priorities, second, you have \nto identify mitigation, and third, you have to provide cost \nrecovery.\n    Mr. McKinley. So are you in agreement then we probably \nshould have some cost recovery under vulnerabilities?\n    Mr. McClelland. Personally, I would say yes.\n    Mr. McKinley. Do the rest of you have any problem with cost \nrecovery under vulnerabilities?\n    Ms. Hoffman. We don't have any problem on cost recovery. \nJust recognize cost recovery, no matter what the actions are, \nis going to be recovered somewhere from the ratepayers, from \nthe entities that are being protected. So eventually----\n    Mr. McKinley. So if the others are very clear--I am not an \nattorney, I am an engineer. It just tells me when you leave \nsomething out, it looks like we have left it out deliberately.\n    There was another line that I caught under, I think it \nmight have been page 8, yes, page 8 on line 22. It talks about \nthere under cost recovery, only those that were substantial \ncosts. Could we get that clarified somehow? 
Can you all help us \nwith some language that might be more appropriate to define \nwhat substantial costs would be?\n    Mr. McClelland. Sorry. Were you looking for a comment \nthere?\n    Mr. McKinley. Given the time, no. I hope that we can get \nsomething back on that.\n    The last is a little bit of concern, Ms. Hoffman, to your \nanswer. So much of our defense is actually overseas, and we are \ngoing to be very reliant on the other countries' responses to \nthreats and vulnerability. You said we would respond quickly. \nAnd you said you didn't know of any attack. Do we have any \nevidence of probing, inquiries, photography, suspicious work? \nIs there something going on? Because it is one thing to have an \nattack. The other is someone in preparation for it. Can you \nshare any----\n    Ms. Hoffman. I just don't have any information on that.\n    With respect to overseas, my focus is on the domestic U.S. \ninfrastructure so I----\n    Mr. McKinley. What should we do then overseas if we know \nthat is certainly a possibility with the terrorism that is \ngoing on? Do we just simply rely on the other countries to \nprovide the same type of responses to threats and vulnerability \nand then we react after it has happened, or what role do you \nsee us playing in trying to promulgate something now?\n    Ms. Hoffman. With respect to international grid structures, \nyou know, Europe has their own sort of response mechanisms for \nany sort of emergency that happens on their system. I have to \nadmit that I don't have a great insight or detail on how we \nshould respond for an overseas issue.\n    Mr. McKinley. I know I am running over on time. Is there \nsome way we could maybe work something like that into here, \nsomething you could provide to us later to how we might be able \nto integrate both the European and the American grid together, \nat least in terms of cybersecurity? Thank you very much.\n    Mr. Whitfield. Did you want to respond, Ms. Hoffman?\n    Ms. 
Hoffman. Yes, I am willing to have further dialog. \nThank you.\n    [The information follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. At this time I recognize the gentleman from \nMassachusetts, Mr. Markey, for 5 minutes.\n    Mr. Markey. Thank you, Mr. Chairman, very much. Thank you \nfor having this very important hearing, and thanks to Mr. \nFranks and everyone else who is here for their interest in this \nissue.\n    Chairman Upton has continued his efforts on the bipartisan \nGRID Act, which I introduced with him in the last Congress. \nThat legislation passed the House on suspension one year ago \ntoday, and Mr. Upton and I worked together in a bipartisan \nfashion to pass the bill a year ago, and I think this is a \nperfect example of bipartisanship because, remarkably, 99 \npercent of the electric energy used to power our military \nfacilities including critical strategic command assets comes \nfrom the commercially operated grid, and over the last several \nyears, the grid's vulnerability to cyber threats has come into \nsharp focus. The Department of Homeland Security revealed the \nso-called aurora vulnerability through which hackers could use \ncommunications networks to physically destroy electric \ngenerators, transformers and other critical assets.\n    Just over a week ago, Lockheed Martin suffered what it \ncalled a significant and tenacious cyber attack on its system, \nand in today's Wall Street Journal, a description of the \nDefense Department's cybersecurity plan has a military official \nquoted as saying that if a terrorist or other adversary shuts \ndown our power grid, maybe we will put a missile down one of \nyour smokestacks. Unlike the frequent outages experienced by \nPepco's customers every time the Washington, D.C., area \nexperiences a serious storm, a coordinated attack on the grid \ncould literally shut down the U.S. economy, putting lives at \nrisk and costing tens of billions of dollars. 
Damage from such \nan attack could take months or even years to recover from.\n    Moreover, from such an event may not just be a matter of \nrebuilding. Three nuclear reactors in Japan have suffered near-\ncomplete core meltdowns after the earthquake caused a loss of \nelectricity needed to cool them down. Unit 1's meltdown likely \nbegan just a few short hours after the earthquake, tsunami and \nblackout. The hot radioactive fuel is believed to have burned \nholes that are as much as 10 centimeters wide through the \npressure vessels. It is expected to take months to stabilize \nthe reactors and decades to clean up the damage that the \nmeltdown caused. And Mr. Stockton mentioned that the power \noutage risk associated with earthquakes near the New Madrid \nfault line is notable because there are extra nuclear reactors \nlocated near it, and those several reactors could be \nvulnerable.\n    So Mr. McClelland, let me ask you this. Here in the United \nStates in the past 8 years, there have been at least 69 reports \nof emergency diesel generators failing at 48 nuclear reactors. \nNineteen of these failures lasted for more than 2 weeks, and \nsix lasted longer than a month, and there aren't any \nrequirements that spent nuclear fuel pools have backup power at \nall when there is no fuel in the reactor core. Clearly, a \nblackout could cause a meltdown in this country too.\n    Mr. McClelland, do you believe that the portions of the \ngrid that supply electricity to our nuclear reactors, that is, \nelectricity to the reactor, not from the reactor, are more \nsecure than the rest of the grid?\n    Mr. McClelland. The commission has been working with the \nNuclear Regulatory Commission on this issue, and there are \nthree sources of power. There is the offsite power, that you \njust asked about, the on-site diesel generators----\n    Mr. Markey. So they are more secure? Are you saying they \nare more secure?\n    Mr. McClelland. 
There are agreements in place between the \nNuclear Regulatory Commission----\n    Mr. Markey. No, but today, are they more secure than \nthe rest of the system, or not?\n    Mr. McClelland. In many cases, no.\n    Mr. Markey. No. The answer is no. Thank you.\n    Mr. McClelland, since the legislative hearing this \ncommittee held in October of 2009, have sufficient measures \nbeen put in place to secure the American electrical grid from \ncyber and physical attack?\n    Mr. McClelland. There has been some progress on the NERC \nstandards, some submission as far as----\n    Mr. Markey. Have sufficient measures been put in place? \n``Sufficient'' is the key word at this point.\n    Mr. McClelland. We have issued inquiries to the NERC.\n    Mr. Markey. So are you saying there are sufficient----\n    Mr. McClelland. There have been some filings made and we \nare checking the status of those filings to see whether or not \nthey do indeed represent progress.\n    Mr. Markey. Well, let me ask you this. Given that the \nnumber of cyber access points to the grid is increasing \nrapidly with the growth of smart grid applications, do you \nbelieve the threat facing the grid is greater or less than it \nwas a year ago when the House overwhelmingly passed grid \nsecurity legislation, given the fact that a smart grid actually \nwinds up with no vulnerabilities, ironically.\n    Mr. McClelland. Yes, the threats are greater.\n    Mr. Markey. So you think there could be greater \nvulnerability?\n    Mr. McClelland. Undoubtedly, yes.\n    Mr. Markey. Do you believe that the way the grid security \nstandards are currently set is even capable of leading to the \nrapid adoption of standards that are sufficient to respond to \nthe threat that our grid faces?\n    Mr. McClelland. The commission has said on numerous \noccasions that when it comes to national security, the \nstandards development process is too slow, it is too open and \nit is too unpredictable.\n    Mr. Markey. Mr. 
Stockton, do you agree with that?\n    Mr. Stockton. He is better positioned to assess the \nadequacy of the regulatory environment.\n    Mr. Markey. Ms. Hoffman?\n    Ms. Hoffman. There is room for improvement.\n    Mr. Markey. OK. Thank you, Mr. Chairman.\n    Mr. Whitfield. Mr. Terry, you are recognized for 5 minutes.\n    Mr. Terry. Thank you.\n    Mr. McClelland, in the SHIELD Act versus the GRID Act, on \nFERC authority, do you feel that you need additional level of \nauthority to respond to a national security threat? Can you be \nmore specific in that? Then on the flip side of that additional \nauthority is how we balance that with State regulatory \nentities.\n    Mr. McClelland. The SHIELD Act provides the commission with \na proviso that if it finds the NERC standard insufficient, it \ncan author a measure to put into place to address a security \nvulnerability. The commission currently under the 215 process \ncannot author or modify reliability standards. We can't author \nor modify NERC alerts. We can provide input but we cannot \nauthor or modify. I feel it is important that the commission be \ngiven that direct authority to be able to order interim \nmeasures or measures to be put into place, to write those \nmeasures and to direct that they put into place to address \nvulnerabilities to the bulk power system or threats.\n    Mr. Terry. And in regard to that, do you foresee any \ndifficulties then working with State regulatory agencies on the \nsame issues?\n    Mr. McClelland. I think it is going to be very important \nthat the commission coordinate not only with the State \nregulatory agencies but with the electric reliability \norganization and with the affected entities that the commission \ncommunicates with, so yes, I think it is very important.\n    Mr. Terry. Ms. Hoffman, do you have any thoughts in regard \nto the additional jurisdictional request?\n    Ms. Hoffman. 
I think it is absolutely important for the \nFederal FERC to coordinate with the State entities in looking \nat cybersecurity vulnerabilities, mitigation measures, \nsolutions, because as we move forward, the more educated and \nconsistent we are across the board as we take a comprehensive \napproach, the more it will benefit not only the electric sector \nbut other sectors that may have the involvement with States or \nother entities.\n    Mr. Terry. All right. Thank you.\n    The other question I have in regard to the hardening of the \ngrid, what type of hardware solutions exist out there? Would \nyou have under the SHIELD or GRID Act the appropriate ability, \nauthority to, for want of a better word, mandate the technology \nand is there any conclusions on what the costs would be \nnationally to adopt the hardware solutions? Mr. McClelland?\n    Mr. McClelland. There are several different aspects of \nelectromagnetic pulse. If we confine the discussion to the \nhigh-altitude electromagnetic pulse from a nuclear detonation, \nthat is a good example because it includes all three \ncomponents. E1 is a high-energy radiofrequency burst. E3 is a \nground-induced current. The ground-induced currents attack bulk \npower system transformers. They find their way onto the bulk \npower system transformers and destroy those transformers very \nquickly. One tried-and-true method is series compensation, that \nis to say putting capacitors in the line. That stops the flow \nof ground-induced current, assuming there are no parallel paths \nto that line.\n    Back to E1, it is more difficult. It is more challenging. I \ndid receive some information recently from an Israeli scientist \nthat shows promising technology for erecting a Faraday cage. A \nFaraday cage would block the E1 component, and it is simply \nspray-on, metallic spray-on coating that looks very promising \nin this area. So there is development that has been undertaken. 
\nThere are others in the world that have deployed effective \nmitigations against electromagnetic pulse. We have not done so \nin this country.\n    Mr. Terry. At what cost?\n    Mr. McClelland. I can get back to you with those numbers. I \ndo have those numbers but not at my fingertips. And I will just \nsay this right up front. I think E1 is more challenging but I \ndo have numbers also for E1 that I can get back to you.\n    [The information follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Terry. Mr. Stockton or Ms. Hoffman? Ms. Hoffman first.\n    Ms. Hoffman. I would just add to that, Joe adequately \ntalked about some of the hardening-type activities that could \nbe done. The other thing to keep in mind is the current state \nof health of the transformers. You can do some hardening, but \nif the current health of the transformer is not where it should \nbe, there will be vulnerability, so also assessing the current \nhealth of the transformer will also impact to what level of \ndeterrence or capability they have to withstand an EMP or \ngeomagnetic solar flare. Some of the things that we need to ask \nis, how much do we want to harden against? Are we talking about \na 200-amp thing or what is currently tested up to as an 80 amp? \nThe other thing, do we have enough manufacturing capability of \ntransformers in the United States? As we look at it, hardening \nis only one solution and there are several sets of solutions \nthat we must keep in mind.\n    Mr. Stockton. Let me follow up. Building resilience into \nthe system so we can provide for a rapid return of \nfunctionality, that is another alternative to hardening. We \nneed to be able to ensure that we can from a Department of \nDefense perspective get back to conducting our core missions no \nmatter what. Sometimes hardening will be the best, most cost-\neffective approach. 
Other times, quick restoration of enough \npower to do the bare minimum to operate those core functions, \nthat makes better sense from a cost-effective perspective.\n    Mr. Whitfield. Ms. McMorris-Rodgers is recognized for 5 \nminutes.\n    Mrs. McMorris-Rodgers. Thank you, Mr. Chairman, and thanks \nto all the witnesses for being here today. I appreciate your \ntestimony. And we have certainly heard about the \nvulnerabilities and it suggests that there does need to be \nbetter coordination between the private sector and the \ngovernment.\n    Commissioner McClelland and the rest of the panel, what are \nthe standard operating procedures for an agency that has \nregulatory or other authority over a critical sector of our \neconomy when a credible threat is received? For example, how \ndoes FERC communicate? Does it direct NERC to issue standards? \nHow are those standards communicated to users of the system and \nwhat is the protocol for NERC?\n    Mr. McClelland. If I might start with a correction, it is \nMr. McClelland. I am not a commissioner.\n    Mrs. McMorris-Rodgers. Oh, yes, that is right.\n    Mr. McClelland. Thank you. I will answer your question by \nsaying it depends on the issue. If it is an urgent matter that \naffects just a few entities, it may be very appropriate--and \nthe commission has done this--to bring in members of the \naffected utility who have security clearances, brief them in \ndetail on the perceived vulnerability or threat and work out a \ntabletop solution as to how they might increase their \npreparedness for some interim period of time. 
It wouldn't be \nappropriate, necessarily appropriate to try to develop a \nstandard around a very sophisticated targeted threat that \nexploits a vulnerability with a handful of entities.\n    If it is a larger issue, the commission engages in a \nrulemaking procedure and so the commission would order NERC \neither upon a filing or upon its own motion to address a \nspecific issue, a security issue. NERC would then receive the \norder, engage industry through industry volunteers and a \nstandards development process. That process routinely takes \nyears. At the end of that time period, NERC would submit a \nstandard and the commission would be in the position to either \napprove the standard, at which time it would become mandatory, \nenforceable, or to remand the standard for further work at \nwhich time NERC would take it back, consider the commission's \ncomments and continue to pick up that issue and work on a \nstandard.\n    Ms. Hoffman. If I may add to that?\n    Mrs. McMorris-Rodgers. Please.\n    Ms. Hoffman. With respect to a cyber event, generally we \nfollow the national cybersecurity response framework, but cyber \nevents will generally be coordinated through US CERT. They will \ngo through some analysis and forensics. They will bring the \nEnergy Sector Coordinating Council as well as the government \nCoordinating Council. They will do risk and consequence \nanalysis to determine how is that going to impact the sector, \nshare it with the industry, the information that is available, \nand then be able to actually move forward with the industry's \nhelp on mitigation measures. So it is really key to having that \ninformation sharing and that quick response capability that is \nvery important.\n    Mr. McClelland. May I add just one thing to that?\n    Mrs. McMorris-Rodgers. Please.\n    Mr. McClelland. The only action that is mandatory is a \nstandard. 
Until such time as the ERO or NERC develops a \nstandard, submits it to the commission and it is approved, \nnothing is mandatory. So there are some other interim actions. \nNERC could issue an alert, for instance. It could be an \nadvisory or a recommendation or an essential action. None of \nthose would be mandatory but they do show levels of increasing \nurgency. NERC can convey the information to the industry, ask \nfor a follow-up response and they communicate to the industry \nthe importance of those levels. But outside of a standard, \nnothing is mandatory.\n    Mrs. McMorris-Rodgers. Do you believe that the current \nsystem is effective, and how could it be enhanced?\n    Mr. McClelland. I think that the current system can be \neffective for routine reliability matters, tree trimming for \ninstance, but when it comes to national security issues, these \nare fast-moving, very sophisticated, sometimes highly targeted \nsituations and we have come to the conclusion that no, the \nstandards development process is not adequate to address these \ntypes of issues. Although it can raise the bar to narrow the \nuniverse of attackers, it is not adequate in the case where \nnational security is jeopardized to use the standards \ndevelopment process.\n    Ms. Hoffman. If I may add, there is room for improvement. \nFrom the perspective, we need to do a better job with respect \nto information sharing. That goes back to what is in the \nadministration's comprehensive bill as well as this is looking \nat protection of information. That information sharing is a key \ncritical component to getting to an effective response and \nmitigation measures whether it is done by the industry by \nthemselves or it is actually looked at from a different action \npoint of view.\n    Mrs. McMorris-Rodgers. Thank you, everyone.\n    Mr. Whitfield. Thank you.\n    Mr. Olson, you are recognized for 5 minutes.\n    Mr. Olson. Thank you, Mr. 
Chairman, and I would like to \nwelcome the witnesses and thank you all for coming and giving \nus your expertise and your time.\n    I have got a couple of questions for you, Mr. McClelland, \nand you, Ms. Hoffman. Specifically, if the FERC and the DOE had \nto order a generating unit to operate for reliability purposes \nor in an emergency situation and doing so would result in that \nunit exceeding an environmental permit limit, would FERC or DOE \nindemnify the unit operator from any and all agency action or \nprivate citizen lawsuit liability?\n    Ms. Hoffman. I will get back to you for further \nclarification, but it is my understanding, we do not have \njurisdiction over another agency's fines, penalties, \nregulations.\n    [The information follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Olson. Mr. McClelland?\n    Mr. McClelland. The commission has acted in conjunction \nwith DOE on one other occasion, to my memory. It was the first \ntime that section 207 in the Federal Power Act had been \ninvoked. DOD invoked section 202. In that particular case, \nthere were generating units serving the Washington, D.C., \nregion and transmission upgrades that needed to be performed. \nIn that case, however, both DOE and FERC did not need to \nconflict or clash with the environmental regulations. So I know \nof no case where that has already occurred but I can certainly \nposit that back to our general counsel and we can answer that \nquestion for you.\n    Mr. Olson. Thank you for that. I just want to know, you \nknow, what could happen? What is the realm of possibility to a \ncompany that obeys orders from you but in doing so exceeds \nsome environmental limitations from some other agency? I mean, \nthis is a serious problem. 
If you tell them to do this because \nthere are reliability issues or emergency situations, by gosh, \nthey are going to do that and that is the right thing to do, \nbut certainly we don't want to have any exposure to them for \ndoing with one arm what the government is telling them to do \nand the other arm says no, you guys exceeded some permitting \nprocess, we are going to punish you for doing that. I mean, \nagain, I greatly appreciate your answers to those questions \nbecause I have had some operators back home in Texas ask me \nthese exact questions because we have many, many natural \ndisasters--hurricanes, tornadoes, you know, freezes, all of the \nabove--that impacted sometimes our reliability of our grid, and \nI know there are differences between some of our systems in \nTexas but again, we do have some people out there who are very \nconcerned about this, and I would appreciate an answer to those \nquestions.\n    That is all I have. I yield back my time, sir. Thank you.\n    Mr. Whitfield. Thank you, Mr. Olson.\n    Thank you all very much for taking the time to come and \ntestify. We appreciate your input and look--yes?\n    Mr. Rush. Mr. Chairman, if I might, this is something that \nis kind of gnawing at me. I tried to get to this issue in my \nline of questioning. Is there an administration bill and has \nthat bill been filed in the Senate? I know it is not in the \nHouse.\n    Mr. Whitfield. Well, they may be able to answer you. It was \nmy understanding, and I may be wrong, that Mr. Rockefeller had \nintroduced a bill similar to the administration's request, but \nmaybe they can answer it.\n    Mr. Rush. Is that the bill, Ms. Hoffman?\n    Ms. Hoffman. I don't have explicit knowledge. All I have \nright now is the discussion draft, so I am just not aware.\n    Mr. Whitfield. Do you know, Mr. Stockton?\n    Mr. Stockton. The same discussion draft.\n    Mr. Whitfield. Do you know, McClelland?\n    Mr. McClelland. Sorry, it is the same.\n    Mr. 
Whitfield. So the White House doesn't talk to you any \nmore than it talks to us, right? We will find out.\n    Mr. Markey?\n    Mr. Markey. Can I just be recognized for 2 additional \nminutes to ask--I just have another question or two.\n    Mr. Whitfield. Without objection, I will give you 2 \nadditional minutes.\n    Mr. Markey. I thank the chairman very much.\n    This is a very serious threat to our country. We know that \nal Qaeda and others target us and we know that there are many, \nmany PhDs inside of al Qaeda, whether we like it or not. That \nis what we found in Boston when Mohammad Atta and those other \nnine were up there in my district plotting on hijacking those \ntwo planes in my district. They were well-educated people, very \nsmart. They tried to find the aperture, and they found out in \nthe aviation system. They are very technically sophisticated \npeople. That is the one thing we did learn about al Qaeda, and \nthat is why I have such a passion for this issue.\n    Back in 2006, the North American Electric Reliability \nCorporation proposed some grid security standards that seemed \nto be fairly limited. One of them even allows utilities to \ndecide for themselves which of their assets are critical and \nthus subject to the standards in the first place. Only 29 \npercent of power-generating owners self-reported that they \nowned a single critical asset. Isn't that right, Mr. \nMcClelland?\n    Mr. McClelland. Yes.\n    Mr. Markey. So 70 percent of the electric utility felt they \nhave no critical assets and----\n    Mr. McClelland. Critical----\n    Mr. Markey. Excuse me?\n    Mr. McClelland. Sorry. I was going to say the distinction \nis critical cyber assets. Those are the assets that fall under \nthe standards.\n    Mr. Markey. And I just think that that is a mentality here \nthat we have to be realistic about. You know, we have moved to \na new era. We are potentially under assault in this sector in \nthe same way that you mentioned, Mr. 
Chairman, the attack on \nthe Iranian nuclear facility. That was just a very smart way of \nsome very smart people figuring how to disable a nuclear power \nplant in Iran from a distance, and thank goodness whoever those \npeople are that they were able to do it, disable it and still \nnot cause a nuclear disruption, but there may be others that \nare not so benign in what their objectives are and the harm \nthat they can do.\n    So I just think that this isn't something where you self-\nidentify yourself as potentially being a problem. I think we \nhave to decide that there is a problem and that al Qaeda is out \nthere. Do you agree with that, Mr. McClelland?\n    Mr. McClelland. Yes, and I would just add one distinction, \nthat NERC has submitted a standard to the commission where \ncritical assets, now, there are several designations for \ncritical assets. Assets that serve nuclear facilities, for \ninstance, are now deemed critical assets. The commission, \nhowever, has requested additional information because critical \nassets are not the assets that are covered by the standard. It \nis critical cyber assets. So the commission has asked, one of \nthe lines of questions is, tell us how that translates to \ncritical cyber assets because those indeed are still self-\ndeterminations.\n    Mr. Markey. Is NERC's guidance advisory or mandatory?\n    Mr. McClelland. The standard that NERC has proposed to the \ncommission would be mandatory, and that would be the \ndesignation, bright-line designations of critical assets which \ncan help guide an entity to self-determine critical cyber \nassets, which fall under the standard.\n    Mr. Markey. Thank you. Thank you, Mr. Chairman.\n    Mr. Whitfield. Thank you all. Thank you once again for \ntestifying. We look forward to working with you.\n    At this time I would like to call up the third panel of \nwitnesses. That would be Mr. Gerry Cauley, President and CEO of \nNorth American Electric Reliability Corporation, Mr. 
Franklin \nKramer, former Assistant Secretary of Defense for International \nSecurity Affairs at the U.S. Department of Defense, and Mr. \nBarry Lawson, Associate Director, Power Delivery and \nReliability at the National Rural Electric Cooperative \nAssociation.\n    Welcome to the hearing. We look forward to your testimony. \nAt this time, Mr. Cauley, I will recognize you for 5 minutes \nfor the purposes of your opening statement.\n\n STATEMENTS OF GERRY CAULEY, PRESIDENT AND CEO, NORTH AMERICAN \n ELECTRIC RELIABILITY CORPORATION; FRANKLIN D. KRAMER, FORMER \n   ASSISTANT SECRETARY OF DEFENSE FOR INTERNATIONAL SECURITY \n    AFFAIRS; AND BARRY R. LAWSON, ASSOCIATE DIRECTOR, POWER \n DELIVERY AND RELIABILITY, NATIONAL RURAL ELECTRIC COOPERATIVE \n                          ASSOCIATION\n\n                   STATEMENT OF GERRY CAULEY\n\n    Mr. Cauley. Thank you, and good afternoon, Chairman \nWhitfield and Ranking Member Rush and members of the \nsubcommittee and fellow panelists.\n    As CEO of the organization charged with ensuring \nreliability and security of the North American grid, I wake up \nevery day concerned about emerging risks caused by the \nintentional actions of our adversaries who would want to harm \nour Nation and our citizens.\n    The security of the North American bulk power system is an \nutmost priority for NERC. The mainstay of NERC's critical \ninfrastructure program is a set of nine cybersecurity standards \nthat we actively monitor and enforce. We have recently made \nsignificant strides in improving our cyber standards.\n    When I came on board at NERC in 2010, I recognized the \nimportance of establishing bright-line criteria, as we just \nheard from the previous testimony, to identify critical assets \nto be protected. A new standard was developed in 6 months and \nfiled with the commission in February of this year and is \npending their approval. 
Our standards process works for what it \nwas intended to do: to establish sustained baseline \nrequirements for the reliability and resilience of the bulk \npower system.\n    However, there is no single approach, not even compliance \nwith mandatory standards, that will protect the grid against \nall potential threats from physical and cyber attacks. The \nthreat environment is constantly changing and our defenses must \nkeep pace. Achieving a high degree of resilience requires \ncontinuously adaptive measures beyond those outlined in our \nstandards, measures we are actively pursuing today.\n    The most important of these activities is the operation of \nour electricity sector information sharing and analysis center. \nIn this role, NERC works closely with Federal partners to \npromptly disseminate threat indications to electricity sector \nparticipants. NERC staff has the necessary security clearances \nto work with the Department of Homeland Security, DOE and \nFederal intelligence agencies to generate unclassified \nrecommendations and actions for industry.\n    Using this process, NERC has issued 14 security-related \nalerts since January 2010 covering such items as Aurora, \nStuxnet, Night Dragon and others. The NERC alert system is \nworking well. Coupled with our CIP standards and the option of \nusing a new expedited and confidential process for developing \nstandards, NERC has a strong foundation of tools we need to \nprotect the cybersecurity of the bulk power system.\n    As outlined in my written testimony, NERC is leading a \nnumber of other initiatives to ensure the resilience of the \nbulk power system including joint efforts with DOD, DHS and \nDepartment of Energy. We are preparing an industry-wide grid \nexercise in November 2011. 
Jointly with DOE labs, we are \ninitiating a program to monitor grid cybersecurity of the grid \nnetworks and another program to improve the training and \nqualification of industry cyber experts.\n    With regard to the proposed draft legislation, first and \nforemost, NERC has consistently supported legislation to \naddress cyber emergencies and to improve information sharing \nbetween government and the private sector. NERC has \nconsistently supported comprehensive legislation authorizing a \ngovernment entity to address cyber emergencies. Which agency is \na policy decision for Congress. NERC stands ready to assist and \nrespond to designated grid security threats.\n    Measures to improve information sharing between the \ngovernment and private sector of critical infrastructure are \nneeded. NERC commends the provisions of the discussion draft \ndirecting the commission to facilitate sharing of protected \ninformation. While the focus on providing adequate security \nclearances is key, this alone is not enough. It is most \nimportant to develop methods for declassifying sensitive \ninformation to make it available to industry decision makers. \nNew authority to address grid security vulnerabilities, \nhowever, is unnecessary. FERC already has the authority under \nthe Federal Power Act, section 215(d)(5), to direct NERC to \nprepare a standard to address a specific vulnerability. If \nCongress decides to allow vulnerabilities to be addressed \nthrough a FERC rule or order, at a minimum, the ERO should be \ngiven the opportunity to address the identified vulnerability \nbefore FERC acts with FERC given a backstop authority if the \nERO fails to address the vulnerability within a prescribed \nperiod. While we appreciate the language in the current draft \nwhich calls for FERC to request and consider our \nrecommendations if time allows, we believe more is needed.\n    Other provisions of the discussion draft are not needed. 
\nNERC has issued information to ensure the industry understands \nand is mitigating the Aurora vulnerability. The provisions on \ngeomagnetic storms and spare transformers also are not needed \nas FERC already has the authority to order us to address these \ntopics today. NERC is actively working on the GMD issue \nincluding a recent workshop and an alert providing industry \nwith operational and planning actions to prepare for the \neffects of a severe geomagnetic disturbance.\n    In addition, a NERC task force is focused on mitigating \nrisks associated with long lead time transformers and \ndeveloping a secure database for sharing information on spare \nequipment.\n    Finally, the ERO should be given authority under FERC \noversight to address grid security vulnerabilities by \nenforceable means other than standards. Congress has provided \nus with many tools to address security. As noted previously, we \nhave three levels of alerts. We have strong industry \nparticipation and response to these alerts including a \nprovision to authorize NERC subject to FERC oversight to \npromulgate legally enforceable directives would enhance the \nsecurity of the power grid. I believe legislation addressing \nthe security of our Nation's electricity infrastructure could \nbe beneficial but the framework should focus on enabling \ninformation sharing between government and industry and problem \nsolving between the private and government sectors.\n    Thank you for the opportunity to speak today, and I look \nforward to your questioning.\n    [The prepared statement of Mr. Cauley follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thank you, Mr. Cauley.\n    Mr. Kramer, you are recognized for 5 minutes for an opening \nstatement.\n\n                STATEMENT OF FRANKLIN D. KRAMER\n\n    Mr. Kramer. Thank you, Mr. Chairman and Mr. Ranking Member, \nMr. Terry. 
I appreciate the opportunity to testify.\n    I think the proposed legislation, the GRID Act that you \nhave the discussion draft, is excellent but I would like to \nsuggest five things that would actually make it better, at \nleast from my perspective.\n    The first is I think that we need mandatory Federal \nstandards. We need to turn the system around and have the \nFederal agency, be it FERC or, as in the administration's \ndiscussion draft, DHS have the authority to issue standards.\n    Secondly, I think that we need to focus much more on the \nissue of resilience, how will we deal with the problem of how \nthe grid will operate in the face of attack.\n    Third, I think that all elements of the Federal Government \nand including especially the DOD have to be given clear \nauthority to help protect and/or respond to an attack on the \ngrid because it is only the DOD that has the capabilities that \nare necessary.\n    Fourth, I think we have to think about the issue of scale \nand resources and particularly the issue of cost and make sure \nthat the industry can recover its costs.\n    And lastly, I think there needs to be a much more extensive \nresearch and development program to deal with the advanced \nthreats. We need advanced capabilities.\n    The reason I say that, Mr. Chairman, all these points, is \nwhat you have already said. The threat is increasing. We have \nseen, for example, last year an attack on Google. We have seen \nmore recently an attack on a company called RSA, very advanced \ncyber companies, and as you mentioned, we have seen the Stuxnet \nattack. Those control systems that were attacked in Stuxnet are \nprecisely the kind of control systems that control the electric \ngrid. 
The vulnerability is very, very substantial, and has been \npointed out by others already in this hearing, right now with \nthe smart grid increasingly coming into play, the distribution \nsystem as well as the generation system, the transmission \nsystem are sources of vulnerability, so I think we really need \nto focus on the entirety of the problem and recognize how much \nthe threat has been increasing over time.\n    The reason I say that we need mandatory standards is that \nfrankly the current system is just too slow. It doesn't work \nquickly. It hasn't satisfied the problem. In fact, if you look \nat NERC's own, I think it was called high-impact, low-\nfrequency study last year, it said very clearly that the grid \nis at risk against an advertent adversary. If we think about \nother areas--clean air, clean water, automobile safety \nstandards--the Federal Government issues the standards. It \ncertainly allows industry to comment, but I think that is the \nway we ought to do it.\n    In addition, I think that the current act, the discussion \ndraft, has what is called authority for the FERC if there was a \nso-called imminent threat. But I think that imminent is too \nlate often. What we really need is if we see a significant \nthreat where one needs to be able to take prompt action before \nwe get to that microsecond before the attack occurs. The \nFederal Government ought to have that authority so it can issue \ninterim standards but earlier than the imminent-threat \nstandard.\n    On the resilience point, I think we all know--and again, if \nyou look at the Google attack or Stuxnet or the like, is that \ncyber offense beats cyber defense. In fact, the Deputy \nSecretary of Defense has said that publicly and plenty of \nothers have. 
In the DOD area, the DOD doesn't just rely on \npassive defense, it also does what is called active defense, \nand if DOD needs to do active defense to protect its network's \ncritical infrastructure, and again, we have heard and I have \nsaid myself and others said today the DOD relies 99.9 percent \non commercial electricity. Well, that means that commercial \nelectricity ought to have the same kind of protection, that \nactive defense. I don't think that the industry should do it, I \nthink the DOD under the right kind of standards, legislative \nstandards, regulations, guidance from the President, ought to \nwork with the sector-specific agency and also with the industry \nto be able to provide that.\n    We also need to have capabilities that we haven't heard \ntalked about today. We need what I call gold standard \nintegrity: integrity of data, integrity of software, integrity \nof hardware. We need capabilities like segmentation and \nisolation so that the key elements of the grid can be protected \nby being separated from other elements of the grid.\n    We want to look also finally at the issue of scale and \nresources. It is a very large enterprise. We are going to have \nto have the private sector work to get it out there. It seems \nto me that if the industry is going to incur cost, and this is \na highly regulated industry, that it ought to be able to \nrecover those costs. That could be done directly or indirectly \nwith the Federal Government. It could be in the rate base. But \nit should be allowed in some way, shape or form.\n    And finally, as I said, I think we need to have a \ncomprehensive R&D program so that when we have advanced \nthreats, we can have advanced capabilities to meet them.\n    And with that, Mr. Chairman, I appreciate the opportunity \nto testify and I look forward to your questions.\n    [The prepared statement of Mr. Kramer follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. 
Thank you.\n    Mr. Lawson, you are recognized for 5 minutes.\n\n                  STATEMENT OF BARRY R. LAWSON\n\n    Mr. Lawson. Chairman Whitfield, Ranking Member Rush and \nmembers of the subcommittee, thank you for the opportunity to \ntestify today on cybersecurity and the GRID Act. My name is \nBarry Lawson, and I am the Associate Director of Power Delivery \nand Reliability at the National Rural Electric Cooperative \nAssociation, which represents over 900 member-owned not-for-\nprofit cooperatives providing electricity to 42 million \nconsumers in 47 States.\n    Over the last decade, I have been involved in a variety of \ncritical infrastructure protection and cybersecurity \ninitiatives with industry, NERC, DHS and DOE. Based on these \nexperiences, I know the electric power industry takes these \nissues very seriously. Additionally, to my knowledge, there has \nnot been a documented case of a successful attempt to damage \nthe North American bulk power system through cyber means.\n    While my testimony today is offered on behalf of electric \ncooperatives, I want to also recognize the longstanding \npartnership among all sectors of the electric power industry \nwhen it comes to reliability and cybersecurity. NRECA is part \nof a coalition which includes major trade associations \nrepresenting the full scope of the electric power industry as \nwell as state regulators, large industrial consumers and \nCanadian utilities. It is rare that we all agree on public \npolicy issues but we unanimously support the NERC process and \nnarrow new authority for the Federal Government in the event of \nsevere, imminent cyber threats.\n    Under section 215 of the Federal Power Act, NERC works \nclosely with electric power industry experts and others to \ndraft mandatory and enforceable reliability and cybersecurity \nstandards that apply across the North American grid. 
The \nstandards process can be lengthy when addressing highly \ntechnical issues but it can also be shortened when needed using \nNERC's expedited standards procedures as approved by FERC. NERC \nalso has a FERC-approved process for developing standards in a \nconfidential manner when national security requires it.\n    NERC rules and procedures also give NERC authority to \ndistribute alerts on topics that are important for industry to \naddress. FERC reviews these alerts before they are released. \nThere are three levels of alerts, and the top two levels have \nmandatory reporting requirements that typically require \nrecipients to inform NERC what they did in response to the \nalert. The alert process has quickly and effectively provided \nindustry critical information on many issues including Stuxnet, \nNight Dragon and geomagnetic disturbances. NERC is required to \nprovide reports to FERC on the top two levels of alerts, \nexplaining the level of action industry has taken. To date, \nthese reports have shown that industry takes these alerts very \nseriously.\n    The industry recognizes the threat environment is \ncomplicated and that imminent, severe threats are possible. In \nsome cases, even NERC procedures and standards cannot assure \nthat industry gets timely, actionable information to mitigate a \nthreat against the bulk power system. When the Federal \nGovernment at the highest levels determines that emergency \naction is necessary, it should be able to issue orders to our \nindustry that directly address the severe and imminent cyber \nthreat and set out the mitigation actions needed to protect the \nbulk power system. 
Those orders should sunset when the threat \nhas subsided or is mitigated, for example, by development of a \nrelated NERC standard.\n    Our primary concern is that the draft GRID Act creates new \nauthority for FERC concerning vulnerabilities that largely \nduplicates existing FERC authority and ongoing NERC activities \nunder section 215 and could substantially undermine the \nexisting reliability standards regime. It should be understood \nthat vulnerabilities alone do not adversely impact the \nreliability of the grid. That being said, our industry has \nevery incentive ranging from financial considerations to the \nfundamental obligation to serve our customers with reliable and \naffordable power to protect the grid when vulnerabilities \nemerge.\n    The draft GRID Act authorizes FERC if it determines there \nis a grid security vulnerability that existing NERC standards \ndo not address to issue a rule or order requiring industry to \nimplement measures to protect against the vulnerability. The \nnew authority the draft seeks to give FERC is very concerning \nto our industry. First, we question whether FERC has the \nintelligence-handling expertise to exercise such broad new \nauthority. Second, this new authority regarding vulnerabilities \nwould fundamentally alter section 215 by providing FERC an \nunnecessary role in addressing vulnerabilities that NERC and \nindustry are managing very well through standards and alerts.\n    To help industry to protect the grid from vulnerabilities \nand threats, we need timely, actionable intelligence from \ngovernment. More industry trusted experts need higher levels of \nsecurity clearances so we can plan effective responses to \nthreats and vulnerabilities. 
The draft seeks to make \nimprovement in these areas, and we appreciate the \nsubcommittee's support.\n    In conclusion, we urge the subcommittee to focus on the \nimmediate, narrow issues at hand, the need for very quick \nemergency orders if the bulk power system faces an imminent \ncyber attack and the need for the electric power industry to \nreceive timely, actionable information.\n    Thank you for the opportunity to testify today and I look \nforward to your questions.\n    [The prepared statement of Mr. Lawson follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    Mr. Whitfield. Thanks, Mr. Lawson.\n    Mr. Kramer, you would agree then that in the interest of \nnational defense that additional Federal authority is \nnecessary?\n    Mr. Kramer. Yes, sir, I think it is absolutely required.\n    Mr. Whitfield. OK. And Mr. Cauley, you mentioned in your \ntestimony, I believe, that you didn't think it was necessary \nfor NERC to develop standards to ensure the availability of \nlarge transformers, and I am certainly not an expert in that \narea but it is my understanding that the availability of large \ntransformers is one of the key issues out there and I was just \ncurious if you would elaborate on your position on that.\n    Mr. Cauley. Thank you, Mr. Chairman. I do take the issue of \nspare equipment and transformers very seriously from physical \nattack, cyber or GMD, and it is a major issue. So I think we \ndon't have enough information yet to know what the standards \nshould be in terms of how much equipment and where it would be \nlocated and how we would transport it, so if I said something \nopposing future standards on spare equipment, I may have \nmisspoke and I will have to go look in my written testimony. 
\nBut it is a key issue, and we are dealing with it today with \nsome industry experts on a task force that are looking at \nlikely scenarios, what would the need be, how would we move the \nequipment, so we are trying to find a technical solution to the \nproblem before we tackle the issue of whether there should be a \nstandard or not.\n    Mr. Whitfield. So are these transformers manufactured in \nthe United States today?\n    Mr. Cauley. The vast majority of them have been \nmanufactured overseas and continue to be. There is some recent \nactivity to bring some onshore but the vast majority are \nmanufactured overseas.\n    Mr. Whitfield. Now, Mr. Lawson, I am sure you heard the \ntestimony today that in addition to the bulk electric system, \nthat distribution should be included in this, and of course, \nrural electric co-ops are quite involved in distribution, so \nwould you disagree with that, or what would be your position?\n    Mr. Lawson. Well, we believe that the legislation before us \nshould focus on the bulk power system. Distribution is handled \nat the local level, whether that be State or local municipality \nlevel or with the local board of a cooperative, and we don't \nthink it needs to be extended to the Federal level.\n    Mr. Whitfield. But how do we address the potential problem \nin some of these large metropolitan areas that was mentioned?\n    Mr. Lawson. With regard to the distribution facilities in \nthe large metropolitan areas?\n    Mr. Whitfield. Yes.\n    Mr. Lawson. I think there is one definition in the NERC \nglossary that is being worked on today, and that is the \ndefinition of bulk electric system. 
That definition is looking \nat how and what should be included under bulk electric system, \nand one of the issues that the commission has directed the \nindustry through NERC to review is how those facilities in \nlarge metropolitan areas are covered, and I think the direction \nthat that drafting team is going in that I am a member of is \ncovering more facilities in those metropolitan areas than are \ncurrently covered under the existing NERC BES, bulk electric \nsystem, definition.\n    So I think things are changing and a draft of that \ndefinition was recently out for public comment, and it is now \nmoving on to the second draft phase, so I think there will be \nchanges in that area.\n    Mr. Whitfield. So Mr. Cauley, do you or Mr. Kramer have any \ncomments on that particular issue?\n    Mr. Cauley. Just a couple, Mr. Chairman. The industry has a \nvery long history of the issue of local service and \ndistribution being dealt with with the ratepayers in the local \njurisdiction and obviously the States and other local \njurisdictions, so I think any effort to encroach on that \nthrough Federal legislation I think should just be taken \ncarefully in consultation with the States.\n    On the issue of the military bases, which was part of the \nearlier testimony, I think there is an opportunity to have \nenhanced discussions between the utility company and the \nmilitary bases to say do they have what they need, do they need \nmore backup generators, do they need more lines coming in to \nthe base, so I think there is opportunity for those discussions \nto take place. I will end there. Thanks.\n    Mr. Whitfield. Mr. Kramer?\n    Mr. Kramer. I would disagree with both of these gentlemen. 
\nFirst of all, I think we have the smart grid becoming ever \nincreasingly a greater part of the electric power system, and \nthe smart grid means that from the consumer side, from the \ndistribution side, you are going to have increasing vectors \nthat allows for cybersecurity attacks, and those could be \nnational security attacks, so I think that we need to have an \noverall Federal standard that protects against that, and NIST \nis working on that. I don't actually think they have done \nenough but at least they have done something. But I think we \nneed to put that into play, so I would very strongly encourage \nthe committee to expand its jurisdiction.\n    With respect to the military bases and the like, I think \nMr. Stockton was pretty clear, they don't have enough, and it \nis not just the bases themselves. If you think about the \nmilitary, for example, the entire critical infrastructure, \ntransportation infrastructure, the telecommunications \ninfrastructure, all of these depend upon electricity. So even \nif the bases themselves had electricity, the DOD simply \ncouldn't operate without transportation, without \ntelecommunications and the like, and I think we really need to \nhave something done about that.\n    Mr. Whitfield. Mr. Lawson?\n    Mr. Lawson. Just to add to that, on the military bases, the \nbest way to effect change and improvements is at the local \nlevel between the military installation, commander and the \nleadership of the utility supplying that military installation. \nThose relationships exist today. They are typically very good \nrelationships, and if there are additional levels of \nreliability, security that are needed, it is very important for \nthe military installation leadership to let the utility know \nand they can work jointly towards providing that.\n    With regard to the smart grid, the industry is not \nimplementing smart grid facilities carelessly. 
They are doing \nit carefully and keeping security very much in mind in many \ndifferent ways. We are also working very closely and as much as \nwe can with the vendor community to try to explain to them what \nlevels of security we need and what levels of security already \nexist in their equipment today, so it is something that we are \nfocused on and not doing carelessly.\n    Mr. Whitfield. Thank you all. My time is expired.\n    Mr. Rush, you are recognized for 5 minutes.\n    Mr. Rush. Thank you, Mr. Chairman. This has been quite \ninteresting.\n    Mr. Cauley, I would like to ask you about imminent threats \nto the grid and also long-term vulnerabilities as well. Let us \nsay our intelligence agencies learn of an imminent threat to \nthe grid from terrorists. How would you characterize NERC's \nauthority to step in and address that threat on a real-time \nbasis?\n    Mr. Cauley. We have the ability to acquire that information \nthrough working with various intelligence agencies, which we do \ncontinuously to get the information digested into what it means \nin terms of impact on the industry and issue various levels of \nalerts, and we have done that. We issued one back just in April \nwhich we turned around within a day. So depending on the \nurgency, we can turn them out in hours or days. I think as I \npointed out in my testimony, we have different levels. Some are \njust informational, some are recommendations, and there are \nessential actions which we have also been able to put out. The \nessential actions are mandatory under our rules but they are \nnot enforceable from a legal sense in terms of any sort of \npenalties and sanctions, and that was why I was suggesting in \nmy testimony that that would be one opportunity to improve the \ntoolkit that we have to get timely, actionable information out \nto industry.\n    Mr. Rush. And would this apply if there were imminent and \nsevere threat also?\n    Mr. Cauley. 
This would apply really to any known threat or \nvulnerability where there was a high degree of urgency like we \nneeded to get information out either within hours or days or \nweeks, and I think that is a much preferred approach. Everyone \nkeeps referring to our standards. Well, our standards were not \nmeant to solve a problem in 3 days or 3 weeks. They are meant \nto be long-enduring, around for years and years. The alert \nsystem is meant to solve these urgent actions that you are \ndescribing here.\n    Mr. Rush. Does FERC have sufficient authority at this \npoint?\n    Mr. Cauley. I believe in the area of vulnerabilities in \nterms of, for example, whether it is Aurora or spare \ntransformers, I believe under section 215 that Congress \nintentionally provided FERC authority to direct the ERO to \nproduce a standard that would solve a problem. So under my \nreading of the plain language of section 215, the FERC has the \nability to direct us to----\n    Mr. Rush. Mr. Kramer, do you agree with that?\n    Mr. Kramer. I totally disagree, and I will give you an \nexample. This committee has heard about Stuxnet, obviously, and \nStuxnet is not a classified problem. Symantec organizations \namong many others has issued a very detailed set of reports on \nthis. It is a threat. It is a very, very, very severe threat \nthat we have to think about, and the vulnerability exists \nthroughout the electric grid system because it is the same kind \nof control mechanisms that Stuxnet attacked that are the type \nthat are involved in the electric grid, and it is sitting out \nthere, so to speak, as a blueprint for anyone to use--now, I \ncouldn't use it, but any capable cyber adversary. So I think \nthat that would be an example of what I would call a severe \nthreat. 
It is not imminent but I think that something needs to \nbe done about that right now, and I think it needs to be done \npromptly, and from my perspective, and I said, as we do in \nother kinds of legislation, I would rather have the opportunity \nfor the industry to comment but for the Federal Government, be \nit the FERC or the DHS, but some Federal agency to determine \nwhat standards are necessary, what actions need to be taken \npromptly and to cause those to be taken under a mandatory \nsystem.\n    Mr. Rush. Mr. Lawson, would you give us your opinion on \nthis?\n    Mr. Lawson. First of all, as I said in my statement, the \nindustry strongly supports the alert process. I am not aware of \nanother tool out there today that can get information out to \napproximately 2,000 utilities within hours or a day or two with \nspecific information about how a threat or a vulnerability or \nanything that specifically relates to the electric utility \nindustry. So I think the alert process is a very critical one \nand one that we need to keep utilizing.\n    Also, under the alert process, there are three levels. The \nbase level is advisory, the middle level is recommended action, \nand the most serious level is essential action. And I can tell \nyou that the industry reacts very strongly to these alerts \nbecause we know that they are communicating very important \ninformation to the industry and that under the top two levels \nof alerts, you will be required to provide NERC with an update \non what you have done with regard to that alert, and those \nreporting requirements are mandatory, and then they are \nsummarized and provided to FERC. So the industry takes these \nvery seriously and the top-level alert, essential action, has \nnot yet been utilized. So only the advisory and the recommended \naction have been utilized, and both of those levels have been \ntaken very seriously by the industry, and I am sure essential \naction would be taken exactly the same.\n    Mr. 
Rush. Mr. Chairman, I just want to ask one other \nquestion.\n    So let me just ask you this. All three of you can respond \nor anyone can respond. What I am hearing here is that in the \nevent of an imminent, severe, catastrophic cyber attack on the \nelectrical grid system here in this country where there could \nbe vast harm done to the American people, are you saying, am I \ncorrect in understanding that you are saying that the Federal \nGovernment--or let me ask the question this way: Who are the \nAmerican people going to hold responsible for their protection \nto solve the problem and to protect them? Are they going to \nhold the Federal agencies or the industry responsible, in your \nopinion?\n    Mr. Cauley. Congressman Rush, I mean, first of all, to \ndistinguish some time horizons, first of all, if there is an \nimminent emergency like planes flying on 9/11 that are going to \ncause disaster, NERC and I think the industry supports some \ngovernment agency having strong, immediate authority under \nthose kind of circumstances--the Nation is in trouble, somebody \nhas to be in charge--I think we support that. And I think the \nother issues I think where we get a little bit of difference of \nopinion but it is not as bad as it sounds, actually, is on \ndealing with the things we have a longer time to think about \nand respond to, and all we are saying is that we think that the \nFERC has for longer-term issues like spare equipment--we are \nnot going to solve spare transformers tomorrow, it is going to \ntake probably years to resolve that--is that we have the \nauthorities we have now, and I think we could strengthen the \ngap in the middle between dire emergency right now and things \nthat might take months to solve. In the interim, we have our \nalert system and all we need is a little more authority to make \nthose mandatory in some cases. When I testify here today, I am \nnot here testifying against authority for FERC. 
We work with \nFERC today as a partner in developing our standards. They \nreview them and approve them, and I view going forward that we \nwould continue to work with FERC, that anything that we can do \nto help the industry know what they have to do and whether it \nis mandatory or not, that we would do that in partnership with \nFERC.\n    Mr. Whitfield. Mr. Terry, you are recognized.\n    Mr. Terry. Thank you.\n    To follow up on that, have you, Mr. Cauley, read the GRID \nAct or the proposal, the draft? So as it is written now, my \nassumption is, you don't support it? Is that accurate, you \nwouldn't support it as written?\n    Mr. Cauley. I applaud the committee for taking initiative--\n--\n    Mr. Terry. I have short time. Yes or no?\n    Mr. Cauley. I support parts of it, not the entire----\n    Mr. Terry. The jurisdictional part, you have a problem \nwith?\n    Mr. Cauley. With the vulnerabilities being unnecessary, \nthat is correct.\n    Mr. Terry. Mr. Lawson, same question.\n    Mr. Lawson. We support narrow authority for the Federal \nGovernment with regard to imminent cyber threats.\n    Mr. Terry. So that is a no? OK. I appreciate that. I think \nwe have more work to do than I anticipated before this hearing.\n    Mr. Kramer, I want to spend the rest of the time with you. \nDo you keep track or is there reporting of hacking attempts to \nyour office or any office that you know of?\n    Mr. Kramer. Just so we are clear, I am a former Assistant \nSecretary so I am testifying in my individual capacity here.\n    Mr. Terry. All right.\n    Mr. Kramer. So I read the--there are plenty of reports on \nhacking that are in the open press and there are plenty of \nreports on hacking that are maintained by a lot of entities, \nand I think----\n    Mr. Terry. Electrical generation?\n    Mr. Kramer. Including electrical, and the Night Dragon \npoint was made to this committee as an example.\n    Mr. Terry. 
I participated in a demonstration at our local \ngenerator that was able to track hacking attempts within the \nlast 24 hours, and I think there was six or seven. Most they \nhave been able to track back to a certain university in China, \nbut we won't go into that for this hearing. Now, they were \nmostly--how do I say this--for fun. It was their practice of \nseeing how they can enter into the system, and not for \nnefarious purpose, although we don't know that when they are \ntrying to do it, when they are trying to hack the system, and \nthat is what concerns me and this committee is what we can do \nto strengthen our system against those hacks.\n    And by the way, just two questions to you, Mr. Kramer, in \nmy 2 minutes left. Generally, what should electrical generation \ncompanies be doing to best ensure that their systems can't be \nhacked into? And then on the electrical generation itself, \nthere have been some side discussions on electrical generation, \nwhether the more critical defense bases or buildings should go \noff grid, totally reliant and with the small module nuclear \nreactors may allow them to do that. You have a minute and a \nhalf to comment on both those questions.\n    Mr. Kramer. I will make three points, sir. First of all, \nwith respect to the issue of serious attack, one of the things \nthat a serious attack would have to do would be reconnaissance. 
\nYou won't just attack without substantial reconnaissance, so \nthe reconnaissance or the activities that you are talking about \nare quite consequential and would be part of any serious attack \nand so dealing with those early on is just as important as \ndealing with the set of issues, you know, so to speak, when the \nattack occurs.\n    Second, with respect to what the industry ought to do, \nthere are a number of standards set forth, both the NERC \nitself, FERC, DOE and others have written out which I think one \nis called, well, 20 critical activities that were put out by \none of the cybersecurity groups. Those are what you might call \nvery good hygiene, and one of the critical things that I think \nneeds to be done is that there has to be a greater amount of \nprotection provided to the control system portion of the grid \nthan to what is called the corporate portion of the grid, and I \nalso think that there need to be what I would call advanced \ncapabilities developed so that you can isolate the control \nportion of the grid from the corporate capabilities and from \nvendors and others who have to send things in. I think there \nwill need to be, as I mentioned, integrity capabilities that do \nexist now at the bench level, so to speak, at the demonstration \nlevel but are not out there throughout the grid, and I think \nthat the critical parts of the industry, Mr. Markey mentioned \nthat--I don't have his exact figures but roughly 29 percent, if \nI remember right, of the grid was considered critical by the \nindustry. I think it is a much larger amount than that, so I \nthink you have to have more significant.\n    With respect to the bases again, I want to make the point \nthat even if the bases themselves have electricity and there \nare actions going on, I can't tell you what the acronym stands \nfor anymore but it is called SPIDERS. 
It is a demonstration \nprogram, and this is non-classified--you can look it up on \nGoogle--to make the bases more self-sufficient, and the DOE has \na so-called SPIDERS program at three or four different bases. \nBut even if the bases themselves have electricity, the DOE \nrelies on telecommunications capabilities of the country, it \nrelies on the transportation capabilities of the country, it \nrelies on water, it relies on gas pumps and the like, and all \nthose rely on electricity. So there is no possibility \nwhatsoever that you could have an effective defense unless you \nhave electricity available beyond the bases. In addition, that \nhappens to also be true overseas, which is a different topic \nthat the chairman raised, but it goes beyond the question.\n    Mr. Whitfield. Mr. Rush, do you have anything else you want \nto touch on?\n    Well, that concludes today's hearing. We appreciate your \nbeing here, and I am sure we are going to continue to be in \ntouch with you as we move forward on this legislation, and we \nwill keep the record open for 10 days for additional materials, \nand thank you all very much, and that concludes today's \nhearing.\n    [Whereupon, at 4:25 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n\n                                 <all>\n</pre></body></html>\n"