<html>
<title>CRITICAL INFRASTRUCTURE CYBERSECURITY: ASSESSMENTS OF SMART GRID SECURITY</title>
<body><pre>[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


   CRITICAL INFRASTRUCTURE CYBERSECURITY: ASSESSMENTS OF SMART GRID 

                                SECURITY
=======================================================================


                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 28, 2012

                               __________

                           Serial No. 112-120


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
76-641                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                                 _____

              Subcommittee on Oversight and Investigations

                         CLIFF STEARNS, Florida
                                 Chairman
LEE TERRY, Nebraska                  DIANA DeGETTE, Colorado
SUE WILKINS MYRICK, North Carolina     Ranking Member
JOHN SULLIVAN, Oklahoma              JANICE D. SCHAKOWSKY, Illinois
TIM MURPHY, Pennsylvania             MIKE ROSS, Arkansas
MICHAEL C. BURGESS, Texas            KATHY CASTOR, Florida
MARSHA BLACKBURN, Tennessee          EDWARD J. MARKEY, Massachusetts
BRIAN P. BILBRAY, California         GENE GREEN, Texas
PHIL GINGREY, Georgia                DONNA M. CHRISTENSEN, Virgin 
STEVE SCALISE, Louisiana                 Islands
CORY GARDNER, Colorado               JOHN D. DINGELL, Michigan
H. MORGAN GRIFFITH, Virginia         HENRY A. WAXMAN, California (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)


                             C O N T E N T S

                              ----------                              
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, opening statement
    Prepared statement
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement
Hon. Phil Gingrey, a Representative in Congress from the State of 
  Georgia, opening statement
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement

                               Witnesses

Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office
    Prepared statement
David C. Trimble, Director, Natural Resources and Environment, 
  Government Accountability Office \1\
    Prepared statement
Richard J. Campbell, Specialist, Energy Policy, Congressional 
  Research Service
    Prepared statement

----------
\1\ Mr. Trimble did not offer oral remarks for the record. Mr. 
  Trimble and Mr. Wilshusen submitted a joint statement.


   CRITICAL INFRASTRUCTURE CYBERSECURITY: ASSESSMENTS OF SMART GRID 
                                SECURITY

                              ----------                              


                       TUESDAY, FEBRUARY 28, 2012

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:19 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Cliff 
Stearns (chairman of the subcommittee) presiding.
    Members present: Representatives Stearns, Terry, Myrick, 
Burgess, Blackburn, Gingrey, DeGette, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight and 
Investigations; Todd Harrison, Chief Counsel, Oversight and 
Investigations; Katie Novaria, Legislative Clerk; Andrew 
Powaleny, Deputy Press Secretary; Alvin Banks, Democratic 
Investigator; Brian Cohen, Democratic Investigations Staff 
Director and Senior Policy Advisor; and Kiren Gopal, Democratic 
Counsel.

 OPENING STATEMENT OF HON. CLIFF STEARNS, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF FLORIDA

    Mr. Stearns. Good morning, everybody. I call the 
subcommittee's second hearing on cybersecurity and critical 
infrastructure protection to order.
    My colleagues, America's infrastructure systems have become 
more automated and more reliant on information systems and 
computer networks to operate. While our systems are more 
efficient, they also open the door to cyber threats and cyber-
attacks. Today, the subcommittee focuses on that part of the 
critical infrastructure known as smart grid, which refers to 
the information technology systems increasingly incorporated 
into the Nation's electricity networks.
    Smart grid technologies are designed to lower operation 
costs, reduce maintenance costs, and expand the flexibility of 
operational control relative to the current grid system. Their 
operational efficiency and improved asset use is driven by 
advanced communication and information technologies.
    I believe that we must update our electric grid with better 
technology integration, which is why I spearheaded the effort 
to secure funding for Energy Smart Florida, the largest smart 
grid demonstration project in the country. This initiative will 
invest hundreds of millions of dollars in smart grid technology 
and renewable energy in Florida and throughout the entire 
country. Energy Smart Florida will revolutionize how people use 
energy in their homes and enable them to make smarter choices 
about energy consumption and better control their carbon 
emissions. In addition, the widespread deployment of smart 
meters will provide Floridians with more reliable electrical 
service through an intelligent network that will be able to 
detect potential problems and automatically reconfigure the 
grid to minimize or eliminate outages.
    But ask any expert in the national security field and see 
what keeps them up at night. They would probably tell you, as 
they tell me, that it is the increased possibility of a 
devastating cyber-attack. This threat is real and is why it is 
virtually important--vitally important for us to do what we can 
to protect our critical infrastructure from these threats. We 
have seen in the past decade what impact both man-made and 
natural disasters have on our Nation's utility systems. Imagine 
the impact of a cyber-attack to the electrical grid. How many 
days could hospitals operate with onsite electric generation? 
How would metro rail systems operate, if at all? How would we 
recharge our smart phones or access the internet? The goal of 
the smart grid is to improve efficiency, reliability and 
interoperability. An equal goal, however, must be to improve 
upon the security controls and to minimize the impact from a 
man-made or natural disaster to ensure reliability and avoid 
such possibilities.
    Now, a recent report completed by the Pike Research company 
estimated that utilities' initiatives to secure their 
infrastructure will drive increasing investments to involve 
cybersecurity systems and total roughly $14 billion from now 
through the year 2018. While the Department of Energy has 
emphasized investment in technologies such as smart meters, 
among other technologies, we want to ensure that where there is 
investment, there is not a cybersecurity gap. We want to 
emphasize that there is also investment in securing control 
system segments including transmission upgrades, substation 
automation, and distribution automation systems.
    Protecting critical infrastructure is a complicated issue. 
We are talking about facilities and frameworks owned by private 
companies, and by Federal, State, and local governments. They 
are interconnected. Electricity powers water systems that cool 
nuclear reactors, for example. They are vulnerable to threats 
from a number of different sources, including nation-states, 
criminals, and hackers.
    The issues surrounding critical infrastructure protection 
and security are complex. To help analyze these complexities, I 
am pleased to be joined by our panel of experts in the field. 
Today, we will hear testimony from two witnesses at GAO: Mr. 
Gregory Wilshusen, Director of Information Security Systems, 
and Mr. David Trimble, Director of Natural Resources and the 
Environment. I look forward to their testimony, and getting a 
better understanding of their extensive work examining 
cybersecurity implications of the smart grid. I also would like 
to welcome Mr. Richard Campbell, of the Congressional Research 
Service, who has examined this very subject and we look forward 
to his contributions today.
    My colleagues, as I mentioned previously, this is the 
subcommittee's second hearing in this Congress on critical 
infrastructure protection and cybersecurity. The purpose of 
this hearing, in particular, is to get an overview of smart 
grid cybersecurity, and how it is working and what can be done 
better. It is my intention to call the Department of Energy and 
possibly other stakeholders to a future hearing for further 
consideration of smart grid security.
    I have enjoyed working with the Ranking Member, Ms. DeGette 
and the Minority in these matters and look forward to working 
with them on overseeing cybersecurity issues again. So I look 
forward to this hearing, the perspectives of our expert 
witnesses about the safety of this vital part of critical 
infrastructure, and whether we are taking the right steps to 
protect them from cybersecurity risks and threats.
    [The prepared statement of Mr. Stearns follows:]

    Mr. Stearns. And with that, I recognize the ranking member, 
Ms. DeGette.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman, for holding 
this hearing on smart grid cybersecurity.
    Last year in July, representatives of the Department of 
Homeland Security came before this subcommittee to discuss 
their efforts to protect and deploy Federal resources and to 
coordinate with the private sector to prevent and respond to 
cyber attacks. This hearing, as you mentioned, is an important 
follow-up to that hearing.
    Protecting our critical infrastructure from cyber attacks 
is, of course, of vital importance. As our electric grid 
evolves, we become more and more dependent on so-called smart 
technologies to control, connect, and maintain this 
interconnected system. This is a good thing. It will make the 
grid more efficient and more reliable. For example, consumers 
will soon be able to track the price of electricity minute by 
minute and adjust electricity use accordingly, waiting, for 
example, until prices are right to do the laundry or start the 
dishwasher.
    However, these investments also expose us to new threats. 
These new technologies can be easy prey for hackers or 
terrorists who seek to bring down unprotected networks. As the 
smart grid becomes more interoperable, these attacks could have 
debilitating effects nationwide, as you mentioned, Mr. 
Chairman. In 2007, DHS ran a test known as Aurora, which 
showcases just how dangerous grid vulnerabilities can be. They 
used a dial-up modem to rewrite computer code and remotely 
detonate an industry-controlled system generator. That is why I 
am pleased we are having this hearing today. We as a Congress 
must do everything in our power to ensure that the grid remains 
safe and secure.
    The testimony we hear today will help us understand our 
successes and identify flaws in the current approach so that we 
can understand what else can be done to protect the smart grid. 
This hearing will also help us understand if Congress needs to 
provide more resources or more legislative authority for key 
cybersecurity agencies.
    The administration has made cybersecurity a priority, 
launching a comprehensive national cybersecurity initiative to 
protect the digital infrastructure. The President's 2013 budget 
includes $769 million to support the National Cybersecurity 
Division within the Department of Homeland Security. These 
funds are targeted at improving monitoring on Federal networks 
to respond to cyber threats, and supporting cyber attack 
responses for critical infrastructure owners and operators, and 
for State and local authorities.
    I commend this targeted focus on cybersecurity, but I am 
hoping that today our witnesses will help us learn more about 
any gaps in security that may still exist.
    Mr. Chairman, as I said, I appreciate that you are holding 
this hearing, and I am encouraged that you have announced that 
we are going to keep looking into other areas where we can work 
together in a bipartisan fashion. For example, we will hear 
from witnesses today the issue of cybersecurity goes well 
beyond the protection of the critical infrastructure. Consumers 
entrust important personal information on their banks--to their 
banks, their internet service providers, their credit card 
companies, and the retailers from whom they purchase items from 
online. These companies should ensure that they are protecting 
this information and Congress needs to be doing its oversight 
job to make sure that this is the case.
    Every day we hear stories about e-mail accounts being 
hacked, credit card information being hijacked, and Social 
Security numbers or other important personal information being 
stolen by cyber criminals. It has even happened to some of us 
who sit on this panel. The loss of this information can be 
costly and personally damaging. In September of last year, the 
internet security company, Symantec, issued the Norton Cyber 
Crime Report and calculated that cyber crimes cost companies 
and consumers $114 billion annually. That same report found 
that more than 2/3 of adults online had been victims of a cyber 
crime.
    As our use of internet services becomes more and more 
integrated, using the same internet services for e-mail, social 
networking, photo sharing, bill paying, and browsing and 
search, we have to be more vigilant in ensuring the protection 
of our personal information. Sites like Google, Yahoo, and 
Facebook will be targets for hackers, and if successful, these 
cyber attacks will have a major impact on the American public.
    For that reason, Mr. Chairman, in addition to investigating 
how the government can improve critical infrastructure 
cybersecurity, I think this subcommittee should also look 
closely at what the private sector is doing to prevent cyber 
attacks and keep consumers' personal information safe.
    I look forward to working with you on all of these issues, 
Mr. Chairman, and with that, I will yield back.
    Mr. Stearns. Thank the gentlelady and recognize the 
gentleman from Nebraska, Mr. Terry, for 2 minutes.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Chairman, for holding this 
important hearing. Of course, one of the cornerstone 
responsibilities of this Committee is finding--determining 
reliability of our electricity delivery system. In today's 
world, that means when we are protecting the grid, it means we 
have to look into the cyber attacks.
    Let me just give you one quick story from University of 
Nebraska at Omaha, PKI Institute of Information Assurance. They 
set up as a class project in their master's program an electric 
company fake Web site, and then tracked who would attack it. 
Within about 48 hours, there was probably about 50 hack 
attempts, most of them coming from a certain region in China, 
but all over the world. This just shows how vulnerable we are.
    Now as we move to more of a smart grid, that also means 
that we have more vulnerabilities, whether it is from EMPs or 
from cyber attacks. So looking at how we can strengthen our 
ability to defend from these attacks is just part of our core 
effort here.
    So at this time, I would like to yield the rest of my time 
to----
    Mr. Stearns. The gentleman yields back the balance of his 
time?
    Mr. Terry. Yes.
    Mr. Stearns. And so we have extra time here, and we 
recognize Dr. Burgess for a minute and a half to 2 minutes.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Mr. Chairman, for the recognition. I 
want to thank our witnesses for being here today, because this 
is an issue of extreme importance. We are facing threats from 
around the world, and certainly, all of us want to remain 
vigilant.
    From hearings that we have had in previous Congresses in 
this subcommittee, and from talking to people who are charged 
with protecting our country, defending our country in an 
increasingly adverse cyber environment, we are well aware that 
every day from around the world, as Mr. Terry mentioned, are 
trying to break into our vital modes of infrastructure and 
technology, and not the least of that being the electric grid.
    We are also concerned about cost and that is why I am so 
grateful that some of the testimony today has focused on the 
effectiveness and the effectiveness of even the metrics that we 
use in order to assess how we are doing, and I think that is of 
critical importance, both as a consumer and certainly, it is 
clear that the utility companies themselves will be interested 
in knowing what the effectiveness of the measures that we are 
asking them to implement--they have to be interested in the 
effectiveness of those measures.
    We want these to be informed decisions. We do not want them 
to be emotional or political decisions, but we want them to be 
based on the best possible information, so that is why I am 
grateful, Mr. Chairman, that you called this hearing. I am 
grateful for our witnesses to be here, and I will yield back to 
the chairman.
    Mr. Stearns. Gentleman yields back and we recognize the 
gentlelady from Tennessee, Ms. Blackburn----
    Mrs. Blackburn. Thank you so much----
    Mr. Stearns [continuing]. For a minute and a half.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you. I appreciate that. I do want to 
welcome our witnesses.
    We all know and we realize how very--how debilitating these 
attacks would be. Some of the reports that I have read indicate 
that we could see blackouts for 9 to 18 months in areas if we 
were hit with a cyber attack, and certainly last year as we 
have looked at the series of attacks known as Night Dragon and 
how the hackers broke into and stole proprietary information 
worth millions of dollars, we see how this has a direct impact 
on not only U.S. but European energy companies.
    I think that one of the things that concerns me is looking 
at what we have found out with the increase from '06 to '10, a 
650 percent increase in the number of attacks and the 
incidences that have been tracked. So we welcome you and we 
look forward to hearing what you have to say, and some of the 
accelerated planning issues that are in front of us.
    Thank you very much. Yield back.
    Mr. Stearns. Gentlelady yields back and I recognize the 
gentleman from Georgia, Mr. Gingrey, for 1 minute.

  OPENING STATEMENT OF HON. PHIL GINGREY, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Gingrey. Mr. Chairman, I thank you for giving me a 
minute of time. I was looking for an e-mail on my iPhone, but I 
don't know how to use the iPhone so I couldn't pull up the 
e-mail. But basically I received an e-mail on my iPhone just a 
couple of days ago, purportedly from literally my best friend, 
who happens to be of European descent, and it was this typical 
e-mail, ``I am contacting you with tears in my eyes. We went on 
vacation in Spain, we got mugged at the--we can't get home, 
could you please e-mail us or wire us 1,600 Euros? God bless 
you and thank you for your help.'' I mean, that kind of thing 
is amazing. It is the first time I have ever received one of 
those, but that is small potatoes, of course, compared to what 
we are talking about here, but it just is a small example of 
the seriousness of cyber attack on the smart grid, so I am 
really looking forward to hearing from the witnesses and 
learning more about this----
    Ms. DeGette. Will the gentleman yield? Maybe your iPhone 
doesn't work because you opened that e-mail from your friend 
and now they have destroyed all your network.
    Mr. Gingrey. I have been attacked.
    Ms. DeGette. Yes.
    Mr. Gingrey. Thank you, Ms. DeGette.
    Ms. DeGette. You are welcome.
    Mr. Stearns. All right, our side is complete. With that, I 
recognize the Ranking Member of the Full Committee, the 
gentleman from California, for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you, Mr. Chairman. I appreciate your 
holding this hearing, and I want to say, this is exactly the 
type of oversight this subcommittee should be conducting, 
ensuring that our government uses its resources wisely, and 
that the private sector is taking appropriate steps to 
guarantee the safety and security of our Nation's critical 
infrastructure.
    Today's hearing will give us an opportunity to learn about 
the key challenges to ensuring the security of this Nation's 
electric grid. As the grid becomes more technologically 
advanced, it becomes more exposed to hackers, terrorists, and 
foreign enemies. As the grid becomes more interoperable, the 
potential effect of a cybersecurity breach becomes more 
widespread.
    The smart grid offers tremendous potential benefits. 
Modernizing the grid will make electricity cheaper, more 
efficient, more reliable, but at the same time, we must take 
appropriate action to protect the electric grid and to improve 
services and access for citizens across the Nation.
    In 2007, Congress and then-President Bush approved the 
Energy Independence and Security Act of 2007. This legislation 
authorized the Smart Grid Investment Grant Program and the 
Smart Grid Demonstration Program. The 2009 Recovery Act amended 
these programs and provided funding to ensure their 
implementation.
    The first program, the Smart Grid Demonstration Program, 
funded 32 projects to verify the viability of smart grid 
technology and quantify the costs and benefits of these 
improvements. The second program, the Smart Grid Investment 
Grant Program, awarded grants for smart grid technology 
updates. These grants have allowed the installation of smart 
meters in millions of homes, implementation of automatic peak 
pricing, response for commercial and industrial customers, and 
the development of comprehensive demand response programs. 
These programs provided 99 grants to recipients in 42 States, 
the District of Columbia, and Guam. In total, the Energy 
Department invested $3.4 billion in grants, which was matched 
by $4.6 billion in private investments, for a total public 
private investment of over $8 billion.
    Today will give us an opportunity to evaluate what is 
working and what can be improved in these programs. The 
Department of Energy's Inspector General recently issued a 
report on the Smart Grid Grant Program and identified some 
reimbursement issues and concerns about approval of some 
cybersecurity plans. Today's hearing will allow us to explore 
those issues.
    Beyond oversight, we must also do our part in protecting 
the electrical grid. Both GAO and the DOE Inspector General 
have acknowledged that the Federal Energy Regulatory Commission has 
only limited authority to ensure the grid is truly secure. In 
fact, the Inspector General found that FERC does not have the 
authority to develop its own standards or mandatory alerts, 
even when new threats are identified. This gap in authority 
creates serious potential risks.
    Last May, the Subcommittee on Energy and Power held a 
hearing to discuss the bipartisan Grid Reliability and 
Infrastructure Defense Act, a bill that would give FERC 
additional authority to protect the electric grid from 
potentially dangerous vulnerabilities. Today's hearing will 
again demonstrate why we need to act on this legislation 
without further delay. We must continue to invest in making our 
electric grid the best in the world. That includes investing in 
standards and technologies so that the electric grid is secure 
in the face of unexpected terror attacks or hacking attempts. 
This hearing is an important step in identifying what can be 
done to ensure that the electric grid is protected.
    I have focused my opening statement on the electric grid, 
but I hope this hearing produces some ways for members to learn 
how to use their iPhones, and to be able to realize that when 
they get e-mails asking for money, they had better think twice 
about it. I nearly fell for that one myself. A good friend was 
evidently not able to afford to leave Paris. Things could be 
worse, but they wanted something worse, they wanted my money. 
This shows that our security of our technology is a very 
important objective, and I think it is worthwhile for our 
hearing to do it.
    I am sure, since I have 19 seconds left, I want to comment 
that I am sure by the end of this hearing, whatever we find we 
don't like, the Republicans will blame on President Obama. Such 
is life. But I think this is a good hearing and I compliment 
the chairman for holding it. I will yield back my second.
    Mr. Stearns. The gentleman yields back his second, and I 
point out that sometimes we hear on your side everything is 
blamed on Bush, so----
    Mr. Waxman. Too late for that.
    Mr. Stearns. All right. Let me direct my comments to our 
witnesses this morning. As you know, the testimony that you are 
about to give is subject to Title 18 Section 1001 of the United 
States Code. When holding an investigative hearing, this 
Committee has a practice of taking testimony under oath. Do you 
have any objection to testifying under oath?
    The Chair then advises you that under the rules of the 
House and the rules of this Committee, you are entitled to be 
advised by counsel. Do you desire to be advised by counsel 
during your testimony today? If not, would you please rise and 
raise your right hand?
    [Witnesses sworn.]
    Mr. Stearns. You may now give your 5-minute summary of your 
written statement, and Mr. Wilshusen, you are first.

   TESTIMONY OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED 
     BY DAVID C. TRIMBLE, DIRECTOR, NATURAL RESOURCES AND 
 ENVIRONMENT, GOVERNMENT ACCOUNTABILITY OFFICE; AND RICHARD J. 
  CAMPBELL, SPECIALIST, ENERGY POLICY, CONGRESSIONAL RESEARCH 
                            SERVICE

               TESTIMONY OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Thank you, Mr. Chairman.
    Chairman Stearns, Ranking Member DeGette, and members of 
the subcommittee, thank you for the opportunity to testify 
today at today's hearing on cybersecurity for the smart grid. I 
am joined today by David Trimble, who is the Director for GAO's 
Natural Resources and Environment team. In addition, Mr. 
Chairman, if I may, I would like to recognize John Logoson, 
Mike Gilmore, and especially Lee McCracken for their efforts----
    Mr. Stearns. Ask them to raise their hand. We are not 
sure----
    Mr. Wilshusen. For their efforts in developing our written 
statement that we submitted today.
    As you know, the electric power industry is increasingly 
incorporating information technology systems and networks into 
its existing infrastructure as it modernizes the electricity 
grid. In 2007, the Energy Independence and Security Act 
established that it is Federal policy to support this 
modernization. Known as a smart grid, these nationwide efforts 
are aimed at improving the reliability and efficiency of the 
grid, and facilitating the use of alternative energy sources. 
Smart grid technologies include smart meters that enable two-
way communications between utilities and customers, smart 
components that provide system operators with detailed data on 
the conditions of transmission and distribution systems, and 
advanced methods for controlling equipment. The use of these 
systems may have a number of benefits, such as fewer and 
shorter outages of electrical service, lower electricity rates, 
and an improved ability to respond to attacks on the electric 
grid.
    However, the increased reliance on IT systems and networks 
also exposes the grid to cybersecurity vulnerabilities. For 
nearly a decade, GAO has identified the protection of systems 
supporting our Nation's critical infrastructures--which 
include the electric grid--as a government-wide high risk area. 
Mr. Chairman, the threats to these systems supporting these 
infrastructures are evolving and growing. They include both 
unintentional and intentional threats, and may come in the form 
of equipment failure, as well as targeted and untargeted 
attacks from our adversaries.
    The interconnectivity between information systems, the 
internet, and other infrastructures can amplify the impact of 
these threats, potentially affecting the operations of critical 
infrastructures, the security of sensitive information, and the 
flow of commerce.
    In January 2011, GAO reported on a number of key challenges 
to securing smart grid systems and networks. For example, the 
Federal Energy Regulatory Commission, or FERC, which has 
responsibility for adopting cybersecurity and other standards 
it deems necessary to ensure grid functionality and 
interoperability, had not developed a coordinated approach with 
other regulators to monitor industry compliance with voluntary 
standards. In addition, we reported other challenges affecting 
industry efforts to secure the smart grid. Specifically, the 
electricity industry had not consistently built security 
features into certain smart grid devices, established an 
effective mechanism for sharing cybersecurity information, 
and created a set of metrics for evaluating the effectiveness 
of cybersecurity controls.
    GAO made several recommendations to FERC aimed at 
addressing these challenges, and the Commission agreed with our 
recommendations.
    To summarize, Mr. Chairman, the electricity industry is in 
the midst of a major transformation as a result of smart grid 
initiatives. While these initiatives hold the promise of 
significant benefits, including a more resilient electric grid, 
lower energy costs, and the ability to tap alternative sources 
of power, the prevalence of cyber threats aimed at the Nation's 
critical infrastructure and the cyber vulnerabilities arising 
from the use of new technologies highlight the importance of 
securing smart grid systems. In particular, it will be 
important for Federal regulators and other stakeholders to work 
closely with the private sector to address key cybersecurity 
challenges posted by the transition--posed by the transition to 
smart grid technology. While no system can be made 100 percent 
secure, proven security strategies could help reduce risks to a 
manageable and acceptable level.
    Chairman Stearns, Ranking Member DeGette, and other members 
of the subcommittee, this completes my statement, and David and 
I would be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen and Mr. 
Trimble \nfollows:]\n[GRAPHIC] [TIFF OMITTED] 76641.003 through 76641.020\n\n    Mr. Stearns. All right, and I understand, Mr. Campbell, \nyour opening statement is welcome.\n\n                TESTIMONY OF RICHARD J. CAMPBELL\n\n    Mr. Campbell. Good morning, Chairman, Ranking Member, and \nmembers of the subcommittee, my name is Richard Campbell. I am \na Specialist in Energy Policy for the Congressional Research \nService. On behalf of CRS, I would like to thank the Committee \nfor inviting me to testify here today. I would like to request \nthat my written testimony be entered into the record.\n    Mr. Stearns. By unanimous consent, so ordered.\n    Mr. Campbell. My testimony will provide background on the \ndevelopment of the smart grid, the Department of Energy's \nvision for the smart grid, and plans for the cybersecurity of \nthe smart grid. I should note that CRS does not advocate policy \nor take a position on specific legislation.\n    The electrical grid in the United States comprises all of \nthe power plants generating electricity, together with the \ntransmission and distribution systems which bring power to end-\nuse customers. The grid also connects the many public and \nprivate electricity companies and power companies throughout \nthe United States. 
The modernization of the grid to accommodate \ntoday's power flows, serve reliability needs, and meet future \nprojected uses is leading to the incorporation of the \nelectronic intelligence capabilities for power control and \noperations monitoring. The smart grid is the name given to this \nevolving intelligent electricity network. While these \nintelligent components may enhance the efficiency of grid \noperations, they also potentially increase the susceptibility \nof the grid to cyber, that is, computer-generated, attack, \nsince they are built around microprocessor devices controlled \nby software programming. The potential for a major disruption \nor widespread damage to the Nation's power system from a large-\nscale cyber attack has increased focus on the cyber security of \nthe smart grid.\n    The Department of Energy summarized its view of the \npotential of the smart grid by the year 2030 as a fully \nautomated power delivery network that monitors and controls \nevery customer and node, ensuring a two-way flow of electricity \nand information between the power plant and the appliance, and \nall points in between.\n    Federal funding has been provided to help develop concepts \nand technologies for the smart grid. The American Recovery and \nReinvestment Act of 2009 provided $4.5 billion in funding to \nthe DOE for projects to modernize the grid. DOE's Smart Grid \nInvestment Grant program received $3.5 billion of these funds \nwith the expressed purpose of stimulating the rapid deployment \nof advanced digital technologies needed to modernize the grid.\n    The SGIG is a cost-shared program, meaning recipients of \ngrants were to provide as much as 50 percent of a project's \ntotal costs.\n    According to a recent report from the DOE's Office of \nInspector General, all the available grant funds from the SGIG \nprogram have been awarded to 99 recipients, with awards ranging \nin value from $397,000 to $200 million. 
An approach to \ncybersecurity was required as part of the SGIG application \nprocess. Recipients of awards were required to submit a \ndetailed plan addressing specific cybersecurity elements and \nconcerns. The DOEIG report observed that DOE approved these \ncybersecurity plans even though weaknesses in the plans were \nidentified and not fully addressed. The DOE responded to the \nreport saying that it will require award recipients to update \ntheir cybersecurity plans later this year.\n    The DOE funded the development of the recently released \nRoadmap to Achieve Energy Delivery Systems Cybersecurity. This \nRoadmap provides a plan to improve the cybersecurity of the \nelectricity, oil, and natural gas sectors.\n    The Roadmap recognizes the changing landscape of \ncybersecurity, and the continuing need to seek out and address \ncybersecurity gaps, and includes an implementation strategy for \ncybersecurity built on milestones to be achieved by the year \n2020.\n    The DOE has recently begun to update its vision for the \nsmart grid, focusing on three key attributes it sees as \ndesirable for the smart grid of the future: a seamless, cost-\neffective electricity system; a system capable of accommodating \nall generation choices; a system which enables customer choice.\n    According to this updated vision, the smart grid will still \nsee regional diversity in power choices, while allowing for the \ndevelopment of a national framework. According to DOE, a \nreliable, secure, and resilient grid will be the key to \nachieving this vision.\n    In conclusion, it is the very features which can add \nseamless integration and utility to the smart grid that also \nadd cyber vulnerabilities to electricity networks. 
Some assert \nthat the smart grid and cybersecurity systems will have to \ndevelop along parallel but interconnected paths if the electric \ngrid of the future is to develop in a manner that can enhance, \nand not impair, future economic development.\n    Congress could provide funding for research and development \nof systems to bridge gaps in cybersecurity and build the smart \ngrid. Federal funding could also be used to bring government \nand industry together in forums to address the needs and \ndirections of these developing systems.\n    Congress may also provide for a regulatory framework which \ncould achieve a basic level of cybersecurity. But due to the \nconstantly changing nature of cyber threats, it is unlikely \nthat effective cybersecurity of the grid will be achieved by \nregulation alone. Some assert that electric utilities must be \nfocused on cybersecurity as keenly as they are on their current \nobligation to serve or to provide shareholder value.\n    Thank you for the invitation to appear today. I will be \npleased to address any questions you may have.\n    [The prepared statement of Mr. Campbell follows:]\n    [GRAPHIC] [TIFF OMITTED] 76641.021 through 76641.028\n    \n    Mr. Stearns. Thank you, Mr. Campbell. I will start with my \nquestions.\n    Let us see if we get something that is current here. 
A 2011 \nbulletin by the Department of Homeland Security titled \n``Insider Threats to Utilities'' stated that ``based on the \nreliable reporting of previous incidents, we have a high \nconfidence in our judgment that insiders and their actions pose \na significant threat to the infrastructure and information \nsystems of the United States facilities,'' vis-à-vis the grid. \nMr. Wilshusen, are you aware of any specific power outage or \nthreat to the electric grid that has transpired in such a way \nthat is talked about in this Homeland Security report from \n2011?\n    Mr. Wilshusen. You mean specifically from an insider \nthreat?\n    Mr. Stearns. Yes.\n    Mr. Wilshusen. I can't say I know of a specific incident \nwhere that occurred; however, certainly insider threats are \nvery important and a threat that our agencies and entities need \nto consider, because insiders typically have advanced knowledge \nand even access to the systems and the types of systems that \ncontain information that they could have the ability then to \nperpetrate, if they have malicious intent to cause disruptions \nand damage. And it is not just those with malicious intent, but \nalso insiders who may be careless or who may be untrained that \nconduct activities that also impair or harm their systems and \nnetworks. But clearly, that is a key threat.\n    Mr. Stearns. Are you aware of any outsiders soliciting \npeople in the smart grid viable areas? Are you aware of any \noutsiders that are trying to do this?\n    Mr. Wilshusen. In terms of corrupting----\n    Mr. Stearns. Yes.\n    Mr. Wilshusen [continuing]. And using insider threats? I \ncan't say I know of specific examples of where that occurs--\nthat occurred.\n    Mr. Stearns. Can you describe the controls and checks in \nplace at utilities to prevent these kinds of attacks?\n    Mr. Wilshusen. 
Well, clearly one of the key controls that \nutilities and, indeed, agencies should do is background checks \non their employees and those----\n    Mr. Stearns. Are they doing the background checks, in your \nopinion, adequately?\n    Mr. Wilshusen. We haven't examined the--how the securities \nare----\n    Mr. Stearns. So there has been no examination of how those \nbackground checks have been done and how they have been \ncorroborated, or the credibility of those checks?\n    Mr. Wilshusen. No, we have not assessed that as part of our \nreview.\n    Mr. Stearns. Do you think that should be done?\n    Mr. Wilshusen. Well certainly it should be monitored and \nchecked, because I do believe that individuals that have \nsensitive positions and hold--and have sensitive access to \nsystems should have some level of background investigation \nperformed. And there are other controls, too, that should be in \nplace to help restrict and limit insiders, either careless or \nuntrained insiders, as well as malicious from performing these \ntypes of acts, and that includes by limiting their access to \nonly that level needed for them to perform their jobs, as \nopposed to giving them broader access to systems.\n    Mr. Stearns. The McAfee Corporation did a report in early \n2011, another current report, in which they surveyed about 200 \nexecutives from critical electricity infrastructure across the \nUnited--across the world, in fact. That found that 85 percent \nhad experienced network infiltrations, and 80 percent had faced \na large scale denial of service attack. Do you think that \nnumber is correct? That is quite large, 80 percent of both \nnetwork infiltrations and 80 percent faced a large scale denial \nof service attack. Do you think those figures are accurate?\n    Mr. Wilshusen. I have no basis to form whether they are \naccurate or not, but I will say as it relates to Federal \nGovernment agencies----\n    Mr. Stearns. Is that typical?\n    Mr. Wilshusen. 
In terms of those that have reported \nsecurity incidents, yes, most Federal agencies have done that \nand as the Congresswoman mentioned earlier, the number of \nreported security incidents within the Federal Government has \nrisen by 650 percent from 2006 through 2010.\n    Now, what one disparity or inconsistency with that comment \nthat you made, the statistics in that McAfee report is that \nwithin the Federal Government, there was only about 1 percent \nor so of the reported security incidents were considered to be \ndenial of service attacks, which would be those that would \ndisrupt the----\n    Mr. Stearns. So I assume you reviewed the McAfee report \nyourself?\n    Mr. Wilshusen. No, I have not.\n    Mr. Stearns. How do these people get into cause these \ninfiltrations? I mean, do you have any idea how it actually \nhappens?\n    Mr. Wilshusen. Well, there are a number of different attack \npatterns----\n    Mr. Stearns. Just give me two quick, the most prevalent.\n    Mr. Wilshusen. Well, one would be, for example, if they put \nmalicious software on a thumb drive and then an employee of \nthat corporation----\n    Mr. Stearns. Puts that thumb drive into the computer?\n    Mr. Wilshusen. Pardon?\n    Mr. Stearns. He puts that thumb drive in the software?\n    Mr. Wilshusen. Puts the thumb drive into the computer and \nthen downloads the malicious software onto the computer. That \nis one way.\n    Mr. Stearns. To the hard disk, yes.\n    Mr. Wilshusen. Another way would be if the attacker would \nset up a malicious Web site and which would also then entice \nemployees of the service center to--or wherever--to go to that \nWeb site and download what appears to be an innocuous or an \nattractive program, when in fact, that too contains malicious \ncode that could then allow----\n    Mr. Stearns. Could the facility put software in place to \nprevent both of those from occurring?\n    Mr. Wilshusen. 
They can, and disable certain functions--\nphysical ports on the laptop or on the desktop to prevent that \nfrom happening. And indeed, the Department of Defense had such \nan attack on their networks based upon a thumb drive that led \nthem to disable the thumb drives on the vast majority of \ntheir----\n    Mr. Stearns. Last question. Has the Department of Homeland \nSecurity or the Department of Energy issued any guidance to the \nelectricity sector on best practices that we just talked about \nin these two cases?\n    Mr. Wilshusen. Well, as part of the Energy Independence and \nSecurity Act, NIST, the National Institute of Standards and \nTechnology, had responsibilities for developing security \nguidelines in connection with input from a number of different \norganizations that were then to be provided to FERC at \nDepartment of Energy to either approve if there is a consensus \non those, and some of those controls would help to prevent such \nattacks, or could.\n    Ms. DeGette. Thank you. Mr. Wilshusen, were those controls, \nin fact, promulgated by FERC?\n    Mr. Wilshusen. No.\n    Ms. DeGette. Why not?\n    Mr. Wilshusen. It determined that there wasn't a consensus \non those--development of those standards and cybersecurity \nguidelines, and under the Act, there--in the process are \nrequired to develop a consensus for----\n    Ms. DeGette. So now what? Are they developing standards?\n    Mr. Wilshusen. My understanding is that NIST is working to \ngain such a consensus.\n    Ms. DeGette. OK. I want to talk with you a minute more \nabout FERC, because what I am wondering is if they need extra \nauthorities to protect the electric grid from these potentially \ndangerous vulnerabilities.\n    Can you just give us a quick example of the types of \nsecurity flaws that might leave the grid vulnerable to hackers?\n    Mr. Wilshusen. 
One would be if they do not appropriately \nassess the risk to those various different components of the \nsmart grid and implement the appropriate security controls over \nthat. For example, if the access controls are not appropriately \napplied to different components of the grid, that could \npotentially allow a path into----\n    Ms. DeGette. And of course, the development of this smart \ngrid increases this risk because it is more and more \ncomputerized, correct?\n    Mr. Wilshusen. Yes, the increased use of IT systems and \nnetworks provide additional paths and access points for \npotential attackers to gain access to it. In addition, the \nincreasing interconnectivity of these systems and networks also \nallow potential attackers broader range and access to other \ndevices.\n    Ms. DeGette. And yet at the same time that there is broader \nvulnerability, the increased interconnection and the smart--\ndevelopment of the smart grid, it is a really valuable part of \nour system because it gives us--number one, it gives us more \nefficiency so consumers can get better prices, and number two, \nit allows us to use some of these renewable technologies that \nthe chairman was talking about in his opening statement, \ncorrect?\n    Mr. Wilshusen. Yes.\n    Ms. DeGette. And so here is my question. The GAO and others \nhave said that there could be gaps in the FERC's regulatory \nauthority to deal with development of these standards to \nrespond to new vulnerabilities. Can you talk about that for a \nminute?\n    Mr. Wilshusen. 
Well in our recent report that we issued \nback in January of 2011, we identified that FERC did not have \nappropriate authorities, that their authorities were pretty \nmuch--since they didn't have the appropriate authorities, their \nauthorities were limited to basically adopting and approving \nstandards that were developed by others for the smart grid, and \nthen primarily just at the bulk power level and bulk power \nsupply level, not necessarily at the distribution level where \ncertain smart grid investments and devices are being \nimplemented. And we made the recommendation to NERC that they \nneed to really work with these other parties and stakeholders \nto include the State public utility commissions that do have \nsuch authorities and responsibilities to monitor the \nimplementation of any standards that it adopts.\n    Ms. DeGette. So----\n    Mr. Wilshusen. And it had not done that.\n    Ms. DeGette. So do they have the authority to do that, or \ndoes Congress need to give them more authority to coordinate \nwith those other operators?\n    Mr. Wilshusen. Well, they have the authority to coordinate \nwith the other operators----\n    Ms. DeGette. OK.\n    Mr. Wilshusen [continuing]. And utility commissions at the \nState level----\n    Ms. DeGette. OK.\n    Mr. Wilshusen [continuing]. But they don't have the \nauthority to mandate particular cybersecurity standards.\n    Ms. DeGette. Do you think they need that authority?\n    Mr. Wilshusen. We do not make that recommendation or really \ngo there. We just actually made the recommendation to FERC that \nit determined whether, you know, what gaps overlaps exist, so--\n--\n    Ms. DeGette. Yes, so if FERC determined that, they could \ncome to us----\n    Mr. Wilshusen. Right.\n    Ms. DeGette [continuing]. And ask for that authority.\n    Mr. Wilshusen. That is correct.\n    Ms. DeGette. 
Now, there are some--do you know how many of \nthese local and State authorities there are that FERC would \nneed to be coordinating with?\n    Mr. Trimble. Well, you are--FERC is----\n    Ms. DeGette. Mr. Trimble?\n    Mr. Trimble. Yes, sorry.\n    Ms. DeGette. That is OK.\n    Mr. Trimble. FERC is--has jurisdiction over the bulk power \nsystem, but once it gets into the distribution system at the \nState level or at the local level, it falls to the State \nutilities. So the----\n    Ms. DeGette. There are thousands of them, right?\n    Mr. Trimble. Right, so you are talking about 50 States plus \nthose that aren't under State control or under minimal State \ncontrol.\n    Ms. DeGette. Right, and then there is other agencies like \nHomeland Security, Energy and National Security Agency that \nalso have oversight responsibilities over the critical \nelectrical infrastructure, correct?\n    Mr. Trimble. Um-hum.\n    Ms. DeGette. So all of those individual utilities would \nhave to work together to really address this, right?\n    Mr. Trimble. That is correct.\n    Ms. DeGette. OK. Now, one last question, Mr. Chairman. I \nhave got a lot more questions in this line, but maybe I will \nhave an opportunity to ask then, but the Energy Independence \nand Security Act of 2007 directed the National Institute of \nStandards and Technologies to develop those standards, but \nthose standards haven't been adopted for the reasons Mr. \nWilshusen just explained, right?\n    Mr. Trimble. Right.\n    Mr. Wilshusen. That is correct.\n    Ms. DeGette. And do we have any sense when they are going \nto be adopted, now that it has gone back to the agency?\n    Mr. Trimble. We have not seen a timeline.\n    Ms. DeGette. OK, thank you.\n    Mr. Stearns. The gentlelady from Tennessee is recognized \nfor 5 minutes.\n    Mrs. Blackburn. 
I thank you all and appreciate so much the \ntime that you are giving us today, and continuing to work with \nus through this issue.\n    I have found it so interesting, as we have worked through \nthese hearings, how our constituents are paying attention to \nthis, and how they come back to us, those constituents that are \nworking in informatics or in energy delivery systems, and they \nhave different things they want to add to the discussion that \nwe are having.\n    One question I do have on the smart meters that are out \nthere. Is there a way that someone's proprietary information is \nbeing tracked or pulled or hacked into--what are the \nprotections that are on these meters? Can you give me just a \nlittle bit of information on that, because some of our \nconstituents--and Ms. DeGette talked about this when she said \npeople can watch and find out when the electricity is going to \ncost them less and then do chores at that time, but our \ncustomers are saying now wait a minute. Is this--while it is \ngiving me information, is this going to be giving--what are the \nprotections, the privacy protections that are going to exist to \nthe consumer about protecting that virtual presence and \nknowledge of themselves?\n    Mr. Wilshusen. Right, that is certainly an area of concern \ninsofar as that those meters need to have the appropriate \ncybersecurity, information security controls built into them. \nWe convened a panel of cybersecurity experts as part of our \nreview that we issued a report back in January of 2011, and \nthey identified that there are control deficiencies in some of \nthose meters, to include not having the appropriate login \ncapabilities, which would help and--or the forensics \ncapabilities to determine how and whether an attack had \noccurred.\n    Mrs. Blackburn. OK, then let me ask you this. With those \nmeters, would it be easy just to--is it very easy just to hack \ninto them? 
Should people consider there to be so much \ntransparency in these that they are not protecting their usage? \nHelp me with that.\n    Mr. Wilshusen. Well, I would just say that it really \ndepends upon the facts and circumstances of each individual \ntype of meter----\n    Mrs. Blackburn. OK.\n    Mr. Wilshusen [continuing]. And the security \nvulnerabilities or strengths relative to the individual meters.\n    Mrs. Blackburn. OK. Mr. Wilshusen, I want to ask you, May \n'08 you made some comments about TVA's corporate network \ncontains security weaknesses that could lead to disruption of \ntheir control systems, and of course, for those of us in the \nTennessee Valley and TVA as the main power generator, we are \nvery concerned about that. You had 19 specific recommendations \nthat you had for the TVA at that point in time. In your follow \nons, has TVA implemented these? Have they been responsive to \nputting these controls in place? How are we doing with \ntightening that system up?\n    Mr. Wilshusen. Yes, TVA has been responsive in implementing \nnot only the 19 recommendations that were made in the public \nreport, but also we made a number of other recommendations in a \nlimited distribution report----\n    Mrs. Blackburn. Exactly, yes.\n    Mr. Wilshusen [continuing]. That dealt more with the \ntechnical controls over their networks and their industrial \ncontrol system networks. TVA has been responsive, has \nimplemented most, if not all, of our recommendations and we \nhave closed them out.\n    Mrs. Blackburn. Thank you. With that, I will yield back.\n    Mr. Stearns. Gentlelady yields back. Ms. Myrick is \nrecognized for 5 minutes.\n    Mrs. Myrick. Thank you, and really, this is for any of you, \nbut it concerns giving the cybersecurity threats and the \nweaknesses that were identified in the GAO report and in the \nInspector General for the Department of Energy's report. 
It \nseems to be that cybersecurity is not a real high priority with \nsome companies today, and given the wealth of information that \nis out there about the threats that exist--I am also on Intel \nand we deal with this all the time. And it just seems apparent \nto me that we--that companies really aren't taking this as \nseriously as they should. Not just companies, of course, \ndealing with the electric grid, but other companies as well \nwhen it comes to how they fit into the big picture in the \ncountry.\n    Is it because they don't feel that there is any incentive \nfor them to do it in any way? I am at a little of a loss, I \nguess, because some of them just seem to be kind of blase about \nit, even though they are so vulnerable. It is unreal and then \nit affects the rest of us from a national security standpoint.\n    Mr. Trimble. I would answer in two ways. One, from our \nexpert panel that we convened one of the concerns that they had \nwas confusion and uncertainty over who is in charge in terms \nof----\n    Mrs. Myrick. OK.\n    Mr. Trimble [continuing]. Where the guidance was given, the \ncomplexity of the regulatory oversight. From--if you are \nputting yourself in the producer of the utilities perspective, \nthey are faced with--so the standards haven't been adopted, \neven though--even when they are adopted, they are voluntary, \nand then if you are a producer under State control, you don't \nhave anything from the States. To recover those costs, to make \nthose investment decisions, those costs have to be recoverable. \nThere is no necessary guarantee that you will recover those \ncosts if you make those investments in this uncertainty.\n    So again, this goes back to our recommendation as to when \nyou adopt, you need to closely monitor to what extent these \nstandards are being followed and to what extent they are \neffective, and make changes quickly. 
So it really, you know, \nsort of asking the system something it hasn't done necessarily \nin the past, which is act quickly and sort of more nimbly than \nit has. But I think part of the answer is really I would just \nput yourself in the shoes of the utility when faced with making \nthose decisions and trying to balance the cost and benefits and \nrisks that you are looking at.\n    Mr. Wilshusen. And I want to add to that. Also in some \ninstances these utilities may or may not be fully aware of some \nof the threats and risks that are there, particularly certain \nincidents. In many cases, some of the most actionable and alert \ninformation may not necessarily be able to be shared with the \nutilities because it is classified.\n    Mrs. Myrick. Right.\n    Mr. Wilshusen. And so the information sharing equation is \nalso a factor in terms of the agency--or the utilities \nreceiving timely and actionable information.\n    We issued a report a year ago or 2 years ago that dealt \nwith the expectations and the delivery of those expectations \nbetween the public-private partnership model that is currently \nin use, and many--this is not only just the electricity \nindustry, but also across other critical infrastructure \nsectors, in that most of the respondents on the private sector \nside indicated that--in fact, 98 percent of them said that \nreceiving timely, actionable, alert and threat information was \nvery important to them, but only 27 percent of them responded \nand said that their Federal partners were greatly or moderately \nproviding that information to them.\n    Mrs. Myrick. So it is not a resistance or lack of \nunderstanding on the part of the companies from your \nperspective and what you are seeing, it is really that they--\nthat this aspect of who is in charge and who they report to and \nhow they get the information and what information they get is \nreally the problem?\n    Mr. Wilshusen. It is a contributing factor.\n    Mrs. Myrick. OK. 
Anybody else wish to comment?\n    Then I yield back, Mr. Chairman. Thank you.\n    Mr. Stearns. Gentlelady yields back. The gentleman from \nGeorgia, Mr. Gingrey, is recognized for 5 minutes.\n    Mr. Gingrey. Thank you, Mr. Chairman, and I am going to \naddress my first question to all three of you, and I think I \nwill start with Mr. Campbell.\n    Each of you mentioned in the January 2012 report issued by \nthe Department of Energy's Inspector General that 36 of the 99 \ngrant recipients did not have the sufficient security plans in \nplace to provide further risk determent, despite the fact that \nthe Federal Government has spent, I think you said $3.5 billion \nin taxpayer money for this Smart Grid Investment Grant Program. \nNow while I am disappointed that for scheduling purposes it \nprevented the DOE Inspector General from being here today, I \nwould like to ask each of you your thoughts on these three \nquestions, and I will start with Mr. Campbell. What are the \npotential implications of these insufficient security controls?\n    Mr. Campbell. Well basically smart grid devices are being \ndeveloped that may not have full cybersecurity mechanisms built \nin. So if these devices do actually make it to market, there \ncould be problems with cybersecurity of the devices going \nforward.\n    Mr. Gingrey. Mr. Trimble?\n    Mr. Trimble. Yes, I will--what I would add to that, and I \nwill defer to my colleague on the cyber aspect of this, that \none of the downsides if you end up with devices that don't meet \nthe standards or aren't sufficiently protected and then the \nutility has to pull those out, you have created a problem in \nterms of who is going to pay for that mistake, because they \nwill go to the public utility to recover those costs, the \npublic is not going to want to pay for the mistake, and so you \nwill have a very contentious situation.\n    Mr. Wilshusen. Yes, I would agree with both Mr. Trimble and \nMr. 
Campbell in that it could create opportunities where key \ncontrols are not being implemented into these devices or not \nbeing implemented in whatever the initiative and grant \ninitiative had was developing. One thing that was noted by the \nIG is that these were approved even though the Department had \nrequested that the plans be updated, which they were, but not \nin all instances were those key controls addressed and the \nDepartment has to approve that.\n    According to the IG report, if I read that correctly--\nagain, I defer to the DOEIG on that--is that there was \napparently an emphasis on the part of the Department to make \nsure that these grants were approved and gotten out.\n    Mr. Gingrey. We--as the chairman said in his opening \nremarks, we had hoped to have the IG from DOE here today, and \nhopefully we will schedule another hearing and hear from him.\n    But going back to Mr. Campbell, throughout the life of the \ngrant, is it feasible that these problems that exist could \nstill be corrected?\n    Mr. Campbell. The DOE's office has responded that it will \nrequire the applicant grantees to update their cybersecurity \nplans, I believe it is by April of this year.\n    Mr. Gingrey. All right, Mr. Trimble and Mr. W., you all \nhave some comments on that as well?\n    Mr. Wilshusen. Yes. I would just also add that in the \nreport, the IG indicated that the Department was also going to \nbe, as part of their annual review process of these grant \ninitiatives, were to review the recipient's implementation of \nthose cybersecurity controls in their plans.\n    Mr. Gingrey. And then the last part of this question, and I \nsee I am probably only going to get one question in in the \nallotted 5 minutes, but with this report in mind, the DOE \nInspector General report, do you know of any instances in which \nthe smart grid for which the grant program was supposed to \nbolster has been compromised from a security standpoint? Mr. 
\nCampbell, any specifics there?\n    Mr. Campbell. I am not aware of any specifics.\n    Mr. Gingrey. Mr. Trimble?\n    Mr. Trimble. No, sir.\n    Mr. Wilshusen. No, sir.\n    Mr. Gingrey. OK. I do have a little bit of time left. Let \nme go--let us see, back to--well that is all right. I will just \nsave that if there is a second round.\n    Mr. Chairman, I yield back the balance of my time.\n    Mr. Stearns. All right, gentleman yields back. We will do a \nsecond round and I will start.\n    Mr. Wilshusen, in your testimony you stated that Department \nof Energy Inspector General found that under the Smart Grid \nInvestment Grant Program, recipients were not always complete \nor lacked sufficient detail in security controls in their \nsubmissions to Department of Energy. Is that correct?\n    Mr. Wilshusen. Yes, sir.\n    Mr. Stearns. Is that a big deal?\n    Mr. Wilshusen. Yes, it can be.\n    Mr. Stearns. And why, specifically?\n    Mr. Wilshusen. Well, if those----\n    Mr. Stearns. Why is it a big deal?\n    Mr. Wilshusen. Well, if it is----\n    Mr. Stearns. I think it is a big deal, but I just want you \nto confirm it.\n    Mr. Wilshusen. If those plans are incomplete and do not \nidentify key controls that should be implemented on as part of \nthese smart grid initiatives, that could lead to vulnerable \ndevices and therefore, may subject those devices to increased \nrisk of being compromised.\n    Mr. Stearns. So you have a smart meter device being \npurchased with government grant money that lacks the proper \nsecurity features and if the grantees don't have specific or \ndetailed security plans when installing them into the \ncustomer's homes, isn't that it?\n    Mr. Wilshusen. That could be a possibility.\n    Mr. Stearns. Mr. Trimble, is it conceivable that during the \nlife of the grant period, that these security plans are not \ncomplete, are not implemented properly, unless made a condition \nof the grantee to receive the funding? 
Should we do that?\n    Mr. Trimble. I believe that should have been a requirement \nor----\n    Mr. Stearns. Do you have your mic on?\n    Mr. Trimble. I believe that is what the IG indicated, but \nthat was not our work so I can't speak authoritatively.\n    Mr. Stearns. Do you know of any specific examples that I \ncould hear from you, or Mr. Wilshusen?\n    Mr. Wilshusen. Well in the IG report, they identified three \nof the five security plans that it reviewed. These were the \nplans that had already been initially identified by the \nDepartment as having deficient or shortcomings in the security \nprograms, and then updated by the recipient or the grantee \nrecipients, and they identified that three of the five still \nhad the shortcomings and did not contain complete information. \nAnd some of that information dealt, as I recall, with the \nauditing and some of the technical security controls associated \nwith those initiatives. But as far as more detailed \ninformation, I did not review or have access to the work papers \nsupporting the report by the IG.\n    Mr. Stearns. Is this all primarily in the smart meter \ntechnology? Is that where all this concern is?\n    Mr. Wilshusen. With the IG's report, I don't think it was \nspecific to that. I don't recall if it was specifically \nmentioned.\n    Mr. Stearns. Isn't that where most of the investment is?\n    Mr. Wilshusen. That also I don't know.\n    Mr. Stearns. Yes, Mr. Trimble?\n    Mr. Trimble. I believe it was in a broader range. I thought \nthe bulk of the money was into other systems like phase \nmeasurement units and things like that, but again, we haven't \ndone work in that area.\n    Mr. Stearns. Mr. Campbell, how many, in your opinion, smart \ngrid cyber incidents have there been?\n    Mr. Campbell. I am not familiar with the total number, but \nfrom I have heard in discussion there has been quite a few \ncybersecurity incidents.\n    Mr. Stearns. Under 10, under 100?\n    Mr. Campbell. 
Probably more than that.\n    Mr. Stearns. Under 1,000?\n    Mr. Campbell. I couldn't say with any specific.\n    Mr. Stearns. So you have no knowledge of how many specific \nsystem cyber attacks there have been, incidents, then?\n    Mr. Campbell. No, sir.\n    Mr. Wilshusen. Mr. Chairman----\n    Mr. Stearns. Yes, sure.\n    Mr. Wilshusen [continuing]. If I might add, I am not even \nsure if there is a monitoring process or reporting mechanism in \nplace for that information to be reported and collected.\n    Mr. Stearns. Mr. Campbell, do you think that waiting 3 \nyears for the grant recipients to implement vigorous \ncybersecurity plans could lead to cybersecurity gaps and \nsubsequent compromises in the system integrity?\n    Mr. Campbell. It is my opinion----\n    Mr. Stearns. If you might pull the mic just a little \ncloser.\n    Mr. Campbell. It is my opinion that during the 3-year \nperiod for development, there should be adequate time for the \nDOE to take a look at the requirements in regard to \ncybersecurity, but we should also note that cyber threats are \ncontinuing to change, so any regulations that you may put in \nplace may not be adequate when the final product rolls out.\n    Mr. Stearns. OK. My last question, Mr. Wilshusen, are there \ndifferent cybersecurity challenges that are vulnerabilities for \ngovernment-run utility services, such as the Bonneville Power \nAdministration versus privately-run utility services?\n    Mr. Wilshusen. We haven't looked at the specific security \ncontrols at private utilities. We have looked at them at TVA, \nand identified a number of security vulnerabilities----\n    Mr. Stearns. At TVA?\n    Mr. Wilshusen. At TVA, yes, as this was the report that was \nreferred to earlier. But my understanding is, it is probably \nlikely that what we found at TVA will probably be--could be \nfound at other public utilities as well, you know, of a similar \ntype of electrical power generation and some transmission.\n    Mr. 
Stearns. Mr. Trimble, anyone else, do you have any \ncomments in reference to the private versus government-run \nutilities?\n    Mr. Trimble. No, I would defer to Greg on that.\n    Mr. Stearns. Mr. Campbell, any suggestions?\n    Mr. Campbell. No, that seems to be a reasonable response. \nPrivate utilities seem to have many of the same systems that \npublic utilities have.\n    Mr. Wilshusen. And one--if I may just add more broadly, \nwhen we looked at other sectors, for example, we looked at \ncommunications network operated by private sector \norganizations, we found vulnerabilities in their networks that \nwere similar to the vulnerabilities that we find in the \nnetworks of Federal agencies. Now while that is not exactly \nelectricity industry, but I would be fairly confident to say \nthat vulnerabilities identified in government systems are going \nto probably be found in private sector systems in some respects \nbecause the Federal Government security standards and \nguidelines typically are as robust, if not more robust, than \nprivate sector guidelines in many cases.\n    Mr. Stearns. Thank you. My concluding comment is if it hits \none sector, it hit government utility versus private utility, \nit is probably the same kind of statistic.\n    Mr. Wilshusen. I would agree with that comment, which is \nall the more reason why there should be an effective and robust \ninformation sharing capability between the public and private \nsectors.\n    Mr. Stearns. With that, my time is expired.\n    Ms. DeGette. Thank you. Thank you, Mr. Chairman.\n    I want to follow up on the chairman's question about \nreporting, because I think I shared his concern. Mr. Campbell \nand Mr. Wilshusen, both of you--all three of you said we don't \nhave any kind of specific knowledge as to how many cyber \nattacks there have been. And Mr. Wilshusen, you said that we \ndon't really have a systematic approach to reporting. 
Would it \nbe possible to develop that kind of systematic approach, and if \nwe did, how would it look, who would be in charge of it, et \ncetera?\n    Mr. Wilshusen. Well, we haven't done the work to come up \nand just say definitively, but there are some reporting \nmechanisms in place now. For example, the Department of \nHomeland Security and US-CERT, Federal agencies are \nrequired to report their security incidents that occur at their \nsites to US-CERT, and then US-CERT collects that \ninformation and makes reports on it, summarizes it, identified \ntrends, and also then provides alerts to other Federal \nagencies.\n    Private sector organizations can also report through to \nUS-CERT, although in terms of having something formal and \nrequired, that is--presently does not exist.\n    Ms. DeGette. Well, so there is a structure that perhaps you \ncould do it, there is just no requirement to do it, is that \nwhat you are saying?\n    Mr. Wilshusen. It may be a model that could be considered \nif one was to develop such a reporting structure.\n    Ms. DeGette. Do you think it would be important to have \nsome sense of incidences of cyber attacks?\n    Mr. Wilshusen. Oh, I certainly do, yes.\n    Ms. DeGette. What do you think, Mr. Campbell?\n    Mr. Trimble. What I would--I am sorry, what I would just \njump in on this point is when we convened our expert panel, one \nof the challenges and problems that the experts identified was \nthe lack of information sharing among the utilities and the \ngenerators and the government on precisely these issues, the \ncyber attacks, successful or not.\n    Ms. DeGette. So did--so now we have identified--and Mr. \nCampbell, would you agree there is a problem?\n    Mr. Campbell. Yes, but I would also think confidentiality \nof reporting would be a key factor in any system that is \ndeveloped.\n    Ms. DeGette. Right, so who would develop that system? 
I \nmean, we are super good at identifying problems, but now how do \nwe move towards a solution? Anyone?\n    Mr. Wilshusen. Well, within the Federal Government, you \nknow, DHS has the overriding responsibility as the focal point \nfor protecting critical infrastructures. Each of the 18 \ncritical sectors--infrastructure sectors have sector-specific \nagencies that monitor it for that particular----\n    Ms. DeGette. Yes, I understand all this, so you would say \nit would probably be DHS to develop this?\n    Mr. Wilshusen. They have a model in place where Federal \nagencies are required to. It would be a likely place to start.\n    Ms. DeGette. OK, thank you.\n    Mr. Campbell, I want to follow up on the point about \nprivacy that you just raised, because I don't know if the three \nof you saw the story in ``The Washington Post'' today where \nwhat it talked about was the National Security Agency is \npushing to expand its role in protecting private sector \ncomputer networks from cyber attacks. The White House has been \nconcerned about privacy concerns, and then the story said ``The \nmost contentious issue was a legislative proposal last year \nthat would have required hundreds of companies that provide \nsuch critical services as electricity generation to allow their \ninternet traffic to be continuously scanned using computer \nthreat data provided by the spy agency. Companies would have \nbeen expected to turn over evidence of potential cyber attacks \nby the government.'' So this really is an issue about how you \nbalance security versus privacy. We have been debating this \npretty much since September 11, 2001.\n    And so maybe, Mr. Campbell, you can talk to me if you have \nsome perspective on the tradeoff of cybersecurity versus \nprivacy.\n    Mr. Campbell. Well, I would say that cybersecurity versus \nprivacy is a key issue. 
Other than that, I would say that we--\nCRS is looking at the issue and we would be happy to talk to \nyou about it at a later time.\n    Ms. DeGette. And you released--CRS released a report on \nprivacy and cybersecurity concerns earlier this month, did it \nnot?\n    Mr. Campbell. Yes.\n    Ms. DeGette. And so let me ask you, what information can \nsmart meters collect about the people in the households who \nhave them? I mean, what is the security issue?\n    Mr. Campbell. Well, smart meters collect information on the \nuse of electricity, and so the idea is that smart meters \nconceivably could develop a profile of the use of electricity \nwithin the home. Now if the information is accumulated at a \nhigh enough level, then individual use of information could be \nlost, but that is an issue that is under development and I \nthink in various States there are various rules concerning \nsmart meter----\n    Ms. DeGette. And that information, it could determine the \nbehavioral patterns of the residents in the home, correct?\n    Mr. Campbell. Correct.\n    Ms. DeGette. So like burglar could figure out--could use a \nsmart meter to figure if a family was on vacation or not, \nright?\n    Mr. Campbell. If they were sophisticated enough to access \nthe information.\n    Ms. DeGette. Or a marketer could even use information about \nwhat appliances a consumer might be using to target that \nconsumer, right?\n    Mr. Campbell. Possibly.\n    Ms. DeGette. So that--I mean, we wouldn't naturally think \nthat there would be security issues relating to these meters, \nbut that is something we need to consider and balance out, \nright?\n    Mr. Campbell. Correct.\n    Ms. DeGette. Thank you, Mr. Chairman.\n    Mr. Stearns. Gentleman from Georgia is recognized for 5 \nminutes.\n    Mr. Gingrey. Thank you, Mr. 
Chairman.\n    You know, as I sit here and think about this program and \nthe $3.5 billion worth of grant money going towards these \ncompanies, grantees, 99 of them to help develop the smart grid, \nI also think about the $19 billion that was in the stimulus \nmoney for fully developing health information technology, you \nknow, the Offices of National Coordinator and his salary and \nall the employees there to make sure that people, companies \nsmall and large that got grants from that $19 billion pot to \nhelp develop health information technology that is fully \ncoordinated, it just makes me concerned that these grantees \nunder this program to develop the smart grid are not following \nthe guidelines that they should follow and in the final \nanalysis 3 years from now we will have wasted a lot of money.\n    I want to ask you specifically, you mentioned--and maybe \nsome of my colleagues had asked a question about NIST's \ninvolvement, the National Institute of Standards and \nTechnology, the 850-3 program as compared, let us say, to the \nNorth American Electric Reliability Corporation's critical \ninfrastructure protection standards. Now how do those two \ncompare and are they overlapping? Are they similar? Is one \nbetter than the other? What standards should we require of \nthese grantees as they develop these programs with taxpayer \nmoney? Mr. Campbell?\n    Mr. Campbell. My knowledge that the NERC reliability \ncritical infrastructure standards are just applied to those on \nthe bulk electric system, so when we are talking about the \nSmart Grid Investment Grant Program, that is looking at \ndeveloping products, so I think what we are talking about is \ntwo different types of requirements.\n    Mr. Gingrey. Mr. Trimble and Mr. Wilshusen?\n    Mr. Wilshusen. I will field that one. 
Also there is--we \nactually compared the NERC's eight cyber--critical \ninfrastructure protections cybersecurity reliability standards \nto the controls that are identified and NIST Special \nPublication 850-3, and we found that of the 198 controls in \n850-3 that the NIST or the NERC standards had about 151 of \nthose. One of the issues that the IG reported on in its report, \nalso in addition to what Mr. Campbell said, is that those \nstandards apply only to the bulk electricity supply, but there \nfurther only apply to those assets that the entities within \nthat sector have designated as a critical asset. And so if the \nentity has not identified any critical assets, then those \nstandards would not necessarily apply.\n    And the IG report also indicated that back in 2009, the \nformer chief information security officer of NERC did a survey \nand identified that about, I think it was 36 percent of the \npower generators, or those entities with power generation and \nabout 67 percent of those responsible for transmitting bulk \npower had identified only--at least one critical asset. So that \nleft a fair number of--or at least a fair percentage of \nentities that produce power or transmit it that did not \nidentify any critical assets.\n    Mr. Gingrey. Mr. Trimble?\n    Mr. Trimble. I would just--my expertise is not cyber, so I \nwill--so to simplify that, the issue as I sort of have come to \nunderstand it is the NERC CIP standards apply to--for critical \ninfrastructure protection but it is limited because it is just \nbulk power and it is just those that the industry have \nidentified as being critical assets. But industry self-\nidentification has not been exactly--has been identified as \ncomprehensively as it could be.\n    The NIST standards that we are talking about for cyber \npursuant to ISA are voluntary, primarily focused on \ninteroperability and cyber threats. 
The limitation there is \nthat FERC's sort of bailiwick is, again, bulk power so it \ndoesn't get into anything beyond sort of interstate \ntransmission, if you will. If you are getting into the State \nlevel, those guidelines, those standards, even though \nvoluntary, don't kick in. If you get down to the city level, \nlike New York, they don't kick in. So you have got this \npatchwork where there is a whole bunch of places with no \nstandards that kick in.\n    Mr. Gingrey. My time is expired, but I just want to say \nthat, you know, it is pretty much green eyeshades sort of \nstuff, but hugely important, and of course, you are bringing \nimportant information to us, the members of the subcommittee, \nand I think this is very beneficial. I deeply appreciate you \nbeing here today, and thank you for your testimony.\n    Mr. Chairman, I yield back.\n    Mr. Stearns. Thank the gentleman and we are getting ready \nto conclude the hearing, and I, as chairman, have the \nopportunity to give a closing remark. I would say it has been \nbrought up here and also I remember in our July hearing. \nDepartment of Homeland Security fields all this information \ndealing with cybersecurity and then gives it to the US-CERT \nagency, and they offer the documentation, as I understand it, \nto the private industry, so it sort of filters down that way. \nIs that correct?\n    Mr. Wilshusen. I believe it is, yes.\n    Mr. Stearns. Well, my concern is, just like the 9/11 \nCommission said, there was not full communication between all \nthe government agencies as well as private industries on what--\nto alert them of possible information it could have thwarted \nand stopped the 9/11 attack. 
I see it is clear here today in \nthe conversation that there is not really full adequate \ncommunication between the private sector and the government \nsector dealing with utilities with cybersecurities, and I think \nthis is a warning that we should all take into effect or we \nmight be sitting here at a later date with something that is \nvery serious.\n    I want to thank the witnesses for their time and effort, \nand the subcommittee is adjourned.\n    [Whereupon, at 11:37 a.m., the subcommittee was adjourned.]\n\n</pre></body></html>\n"