[Senate Hearing 112-40]
[From the U.S. Government Publishing Office]
S. Hrg. 112-40
CYBER SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
TO
RECEIVE TESTIMONY ON A JOINT STAFF DISCUSSION DRAFT PERTAINING TO CYBER
SECURITY OF THE BULK-POWER SYSTEM AND ELECTRIC INFRASTRUCTURE AND FOR
OTHER PURPOSES
__________
MAY 5, 2011
Printed for the use of the
Committee on Energy and Natural Resources
__________
U.S. GOVERNMENT PRINTING OFFICE
67-362 PDF WASHINGTON: 2011
COMMITTEE ON ENERGY AND NATURAL RESOURCES
JEFF BINGAMAN, New Mexico, Chairman
RON WYDEN, Oregon                    LISA MURKOWSKI, Alaska
TIM JOHNSON, South Dakota            RICHARD BURR, North Carolina
MARY L. LANDRIEU, Louisiana          JOHN BARRASSO, Wyoming
MARIA CANTWELL, Washington           JAMES E. RISCH, Idaho
BERNARD SANDERS, Vermont             MIKE LEE, Utah
DEBBIE STABENOW, Michigan            RAND PAUL, Kentucky
MARK UDALL, Colorado                 DANIEL COATS, Indiana
JEANNE SHAHEEN, New Hampshire        ROB PORTMAN, Ohio
AL FRANKEN, Minnesota                JOHN HOEVEN, North Dakota
JOE MANCHIN, III, West Virginia      BOB CORKER, Tennessee
CHRISTOPHER A. COONS, Delaware
Robert M. Simon, Staff Director
Sam E. Fowler, Chief Counsel
McKie Campbell, Republican Staff Director
Karen K. Billups, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS
Bingaman, Hon. Jeff, U.S. Senator From New Mexico
Cauley, Gerry, President and Chief Executive Officer, North American Electric Reliability Corporation
Hoffman, Patricia, Assistant Secretary, Office of Electricity Delivery and Energy Reliability, Department of Energy
McClelland, Joseph, Director, Office of Electric Reliability, Federal Energy Regulatory Commission
Murkowski, Hon. Lisa, U.S. Senator From Alaska
Owens, David, Executive Vice President, Business Operations, Edison Electric Institute
Tedeschi, William, Senior Scientist, Engineer, Sandia National Laboratories, Albuquerque, NM
APPENDIX
Responses to additional questions
CYBER SECURITY
----------
THURSDAY, MAY 5, 2011
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The committee met, pursuant to notice, at 9:37 a.m. in room
SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman,
chairman, presiding.
OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW
MEXICO
The Chairman. OK. Good morning. Thanks for coming today to
this hearing. It's a hearing devoted to cyber security in the
electric sector.
The safety of the North American power system is critical
to the Nation's economy and to our security. Today that power
system includes over 200,000 miles of high voltage transmission
lines, thousands of generating facilities, millions of digital
controls. Each year we upgrade and expand the system, adding
more miles of transmission lines, new supply resources and
control devices.
As we upgrade and expand the Nation's electric system we
are also modernizing that system. Information technology and
communication systems have come to play a significant role in
ensuring the reliability and security of the electric sector.
While modernization allows us to achieve a variety of important
economic and environmental objectives, it also introduces new
security concerns. As this process unfolds, preserving and
enhancing the cyber security of our electric infrastructure
must be among our top priorities.
So, let me highlight 2 things.
First, the electric sector is already subject to a set of
mandatory and enforceable cyber security standards that are
developed by industry stakeholders and approved by the Federal
Energy Regulatory Commission. This fundamentally distinguishes
the electric sector from virtually all other critical
infrastructure sectors. However, I do not believe that the
existing suite of reliability standards and the process for
developing them is sufficient to defend electric infrastructure
against deliberate cyber attacks and to address system
vulnerabilities. The new authorities contemplated in the
discussion draft that we've circulated fill these gaps in a way
that will help to complement current cyber security standards.
The second point I wanted to make is that today it's almost
2 years since the day--since our cyber security hearing
occurred in the 111th Congress. In fact, we are fortunate to
welcome many of the same witnesses. The draft legislation we're
discussing today is very similar to the legislation we
discussed in 2009. It recognizes positive changes in the
standards development and approval processes.
However, in the time since our last hearing the security
environment has also changed and certainly much more quickly.
Cyber related threats can arise virtually anytime/anywhere and
change without warning. For these reasons, there is no reason
we should not delay in acting to enhance the cyber security of
our electric system.
I note that this is not the only committee in the Senate
working on cyber security issues. I welcome the opportunity to
work closely with other committees to ensure that the product
of this committee's efforts work seamlessly with the proposals
coming out of other committees' work.
With that let me call on Senator Murkowski for her
comments.
STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR
FROM ALASKA
Senator Murkowski. Thank you, Mr. Chairman. Welcome to the
witnesses this morning.
The 2007 Aurora experiment by the Department of Energy and
the Idaho National Lab put us all on notice of dangers of a
cyber attack. In that experiment researchers hacked into a
replica power plant's control systems causing the generator to
self destruct. Aurora showed us that large coordinated attacks
could severely damage the Nation's electric infrastructure.
Since then there have been a growing number of cyber
intrusions in government and critical infrastructure networks.
Starting in November 2009, cyber attacks which were dubbed
``Night Dragon'' attacks, were launched against several global
oil, energy and petrochemical companies. The attackers targeted
highly sensitive proprietary and financing information on oil
and gas fuel bids and operations. Then last year the Stuxnet
worm demonstrated the complexity of what a potential cyber
security attack could look like in this country.
I think we recognize that the danger that is posed to our
Nation's electric infrastructure from a possible cyber attack
is very clear. Congress must provide government agencies with
the authority to respond to cyber security threats and their
vulnerabilities and do so in a timely manner. At the same time
it's critical to recognize the electric industry is currently
the only critical infrastructure sector to have mandatory and
enforceable cyber security standards in place. We must continue
to encourage a public/private partnership to protect the
Nation's critical infrastructure. To that end, we must ensure
that the private sector has the information that it needs to
respond to credible cyber threats and vulnerabilities.
I think we recognize that it is industry that has the
expertise in operating our Nation's complex utility systems.
The discussion draft legislation that we're considering can be
part of a responsible solution. The draft provides both FERC
and DOE with needed tools to address today's known risks and
weaknesses as well as future threats.
We've also tried to respect the so-called section 215
process that was originally created in the 2005 Energy Policy
Act. That Act tasked an electric reliability organization,
since designated as NERC, with developing mandatory,
enforceable, reliability standards in partnership with industry
stakeholders. I understand that section of the discussion draft
may still need a little bit of work here. So I would look
forward to hearing from our witnesses on that aspect of it this
morning.
One area that we have not included in the draft legislation
are the physical threats posed by electromagnetic pulses and
geomagnetic storms. Based on the testimony that we receive
today the committee will need to decide if we should address
those issues within this legislation. As the chairman has
noted, this committee is just 1 of 7 committees that are
examining the cyber issue. What we're considering today is an
electricity sector piece. But it does appear that the
administration and the leadership prefer a government wide,
comprehensive approach to cyber security.
Clearly cyber security involves a great many actors and a
host of technical considerations. We'll work to report out our
part of the cyber puzzle. Then if a comprehensive approach is
decided on, certainly work with other committees and leadership
in fitting our piece into the broader field.
I thank you again, Mr. Chairman, and look forward to the
testimony from the witnesses.
The Chairman. Thank you very much.
We have 5 witnesses today. Let me just introduce them
briefly.
The Honorable Patricia Hoffman, who is the Assistant
Secretary for the Office of Electricity Delivery and Energy in
the Department of Energy. Thank you for being here.
Mr. Joseph McClelland, who is the Director of the Office of
Energy Projects with the Federal Energy Regulatory Commission.
Thank you for being here.
Mr. Gerry Cauley, who is President and Chief Executive
Officer of the North American Electric Reliability Corporation.
Thank you for being here.
Mr. David Owens, the Executive Vice President for Business
Operations with Edison Electric Institute. Thank you for being
here.
Finally, Mr. William Tedeschi, who is the Senior Scientist
and Engineer with Sandia National Laboratory in Albuquerque.
Thank you all for coming. Why don't each of you take 5 or 6
minutes, tell us the main things you think we need to know
about this subject? We will then have some questions.
Ms. Hoffman, please go right ahead.
STATEMENT OF PATRICIA HOFFMAN, ASSISTANT SECRETARY, OFFICE OF
ELECTRICITY DELIVERY AND ENERGY RELIABILITY, DEPARTMENT OF
ENERGY
Ms. Hoffman. Good morning, Mr. Chairman and members of the
committee. I'd like to extend my thanks to the chairman, the
ranking member and the esteemed members of the committee for
inviting me here today to discuss the cyber security issues
facing the electric industry as well as the discussion draft
legislation intended to strengthen the protection of the bulk
power system and the electric infrastructure from cyber
security threats. Ensuring a resilient electric grid is
particularly important since it is arguably the most complex
and critical infrastructure, which other sectors depend upon
for essential services.
The Homeland Security Presidential Directive 7 designated
the Department as the sector specific agency for the energy
sector. My office works closely with the private sector, and
State and Federal regulators to provide secure sharing of
threat information, to identify and fund gaps in infrastructure
research and testing, to conduct vulnerability assessments, and
to encourage risk management strategies for critical energy
infrastructure. Our office is building its capabilities to
facilitate assistance to industry, and to conduct forensics and
obtain situational awareness.
The Administration's Cyberspace Policy Review underscores
the need to strengthen the public/private partnerships in order
to design more secure technologies as well as improve the
resilience of critical government and industry systems and
networks. Our office has long recognized that neither the
government, nor the private sector, nor individual citizens can
meet cyber security challenges alone. We must work together.
The Office of Electricity Delivery and Energy Reliability
(OE) has launched several new initiatives to enhance cyber
security in the energy sector.
In coordination with the Department of Homeland Security
and other Federal agencies, we have conducted several cyber
threat information sharing workshops to analyze classified
information to determine the impact to the sector and develop
flexible mitigations specifically designed to work for the
energy sector.
In coordination with National Institute of Standards and
Technologies and NERC, OE is leading a collaborative effort
with representatives from across the public and private sectors
to develop cyber security risk management guidelines.
Through competitive solicitations and partnerships with
industry, academia and national laboratories, OE has supported
the development of several advanced cyber security technologies
that are now commercially available within the energy sector.
Some examples include: A technology to secure serial
communications for control systems. Software tool kits that
provide auditing of SCADA security settings. Vulnerabilities
assessments of 38 different SCADA systems, and a common cyber
security vulnerabilities report to help utilities and vendors
mitigate vulnerabilities found in many SCADA systems. We are
currently in the process of updating this report and hope to
have that released this summer.
The Senate discussion draft recognizes the important
difference between cyber security vulnerabilities and the cyber
security threat. In addition, section 224F requires a
comprehensive plan to identify emergency measures to protect
the reliability of the electric power supply of national
defense facilities. Pertinent to that, in July 2010 DOE and DOD
signed a Memorandum of Understanding concerning cooperation and
a strategic partnership to enhance energy security. This MOU
will provide an opportunity to develop a comprehensive approach
that reduces the impact of power loss to defense critical
assets in considering both the mitigation and response measures
to ensure vital defense capabilities are not disrupted.
Finally, the draft discussion does not address a unique
but sensitive cyber security information disclosure issue faced
by the Federal Power Marketing Administrations that are
subjected to both the Freedom of Information Act as well as
mandatory reliability standards that are approved by FERC. This
security vulnerability could be avoided if legislation was
enacted that provided statutory protection of this information
under Exemption Three of the Freedom of Information Act.
In conclusion, I would like to again thank this committee
for its leadership in supporting the protection of the bulk
power system and the critical electric infrastructure against
cyber security threats. Recognizing the interdependencies
between different sectors, it is important to have a
comprehensive strategy for cyber security legislation. DOE
looks forward to the continued dialog with this committee on
this legislation. I ask that my written statement be submitted
for the record. I would be pleased to answer any questions this
committee may have.
Thank you.
[The prepared statement of Ms. Hoffman follows:]
Prepared Statement of Patricia Hoffman, Assistant Secretary, Office of
Electricity Delivery and Energy Reliability, Department of Energy
Chairman Bingaman, Ranking Member Murkowski and members of the
Committee, thank you for this opportunity to discuss the cyber security
issues facing the electric industry, as well as proposed legislation
intended to strengthen protection of the bulk power system and electric
infrastructure from cyber security threats.
Title XIII of the Energy Independence and Security Act of 2007
(EISA) states, ``It is the policy of the United States to support the
modernization of the Nation's electricity transmission and distribution
system to maintain a reliable and secure electricity infrastructure.''
The protection and resilience of critical national infrastructures is a
shared responsibility of the private sector, government, communities,
and individuals. As the complexity, scale, and interconnectedness of
today's infrastructures have increased, it has changed the way services
and products are delivered, as well as the traditional roles of owners,
operators, regulators, vendors, and customers.
Ensuring a resilient electric grid is particularly important since
it is arguably the most complex and critical infrastructure that other
sectors depend upon to deliver essential services. Over the past two
decades, the roles of electricity sector stakeholders have shifted:
generation, transmission, and delivery functions have been separated
into distinct markets; customers have become generators using
distributed generation technologies; and vendors have assumed new
responsibilities to provide advanced technologies and improve security.
These changes have created new responsibilities for all stakeholders in
ensuring the continued security and resilience of the electric power
grid.
cyber security activities and accomplishments
For more than a decade, the Department of Energy's Office of
Electricity Delivery and Energy Reliability (OE) has been substantively
engaged with the private sector to secure the electric grid. In
December 2003, the Homeland Security Presidential Directive 7 (HSPD-7)
designated the Department as the sector-specific agency (SSA) for the
energy sector responsible for collaborating with all federal agencies,
state and local governments, and the private sector. As the SSA, OE,
representing the Department, works closely with the private sector and
state/Federal regulators to provide secure sharing of threat
information, to collaborate with industry to identify and fund gaps in
infrastructure research, development and testing efforts, to conduct
vulnerability assessments of the sector, and to encourage risk
management strategies for critical energy infrastructure.
The 2010 National Security Strategy underscores the need to
strengthen public-private partnerships in order to design more secure
technology that will better protect and improve the resilience of
critical government and industry systems and networks. OE has long
recognized that neither government, nor the private sector, nor
individual citizens can meet cyber security challenges alone. In 2006,
OE facilitated the development of the Roadmap to Secure Control Systems
in the Energy Sector to provide a detailed collaborative plan for
improving cyber security in the energy sector and concrete steps to
secure control systems used in the electricity and oil and natural gas
sectors. The plan calls for a 10-year implementation timeline with a
5-year update scheduled for release in the summer of 2011. To implement
the priorities in the Roadmap, the Energy Sector Control Systems
Working Group was formed and comprised of cyber security and control
systems experts from government, the electricity sector, and the oil
and natural gas sector.
Since 2006, the Roadmap has provided a collaborative strategy for
prioritizing cyber security needs and focusing actions under way
throughout government and the private sector to ensure future energy
system security. The Roadmap goals and strategy have also been fully
integrated into the Energy Sector-Specific Plan. Since the Roadmap was
released, important progress has been made in improving cyber security
in the energy sector. These improvements have benefited existing
systems and are contributing to the secure design and integration of
advanced systems that incorporate smart grid technologies.
Through competitive solicitations and partnerships with industry,
academia and national laboratories, OE has supported the development of
several advanced cyber security technologies that are now commercially
available within the energy sector:
A technology to secure serial communications for control
systems, based on the Secure Supervisory Control and Data
Acquisition (SCADA) Communications Protocol developed by the
Pacific Northwest National Laboratory. This technology is
rapidly being adopted by utilities.
Software toolkits, available for download from the vendor
website, that let electric utilities audit the security
settings of SCADA systems. The latest release addresses the
Inter-Control Center Communications Protocol (ICCP), which is
used for utility-to-utility communications.
Monitoring modules that aggregate security events from a
variety of data sources on the control system network and then
correlate the security events to help utilities better detect
cyber attacks.
An Ethernet security gateway, based on an interoperable
design developed by Sandia National Laboratories, that secures
site-to-site Ethernet communications and protects private
networks.
OE established the National SCADA Test Bed in 2003 to provide a
national capability for cyber security experts to systematically
evaluate the components of a functioning system for inherent
vulnerabilities, develop mitigations, and test the effectiveness of
various cyber security technologies. Major accomplishments include:
Completed vulnerability assessments of 38 SCADA systems and
provided mitigation recommendations. As a result, vendors have
implemented many of the recommendations in ``hardened''
next-generation SCADA systems that are now commercially available
and being deployed in the power grid.
Utility groups have also formed partnerships to fund
additional cyber security assessments at the test bed to
address specific cyber security concerns.
Provided advanced cyber security training for over 2300
representatives from over 200 utilities to demonstrate how to
detect and respond to complex cyber attacks on SCADA systems.
Developed the ``Common Cyber Security Vulnerabilities
Observed in Control System Assessments'' report to help
utilities and vendors mitigate vulnerabilities found in many
SCADA systems. OE has also worked with the North American
Electric Reliability Corporation (NERC) to develop the Top Ten
Vulnerabilities of Control Systems and their Associated
Mitigations report in 2006 and 2007.
OE is also working closely with academic and industry partners
through the Trustworthy Cyber Infrastructure for the Power Grid
(TCIPG), which is a University led public-private research partnership
supported by OE, Department of Homeland Security (DHS), and Industry
for frontier research that supports resilient and secure smart grid
systems. TCIPG leverages and expands upon previous research funded
primarily by the National Science Foundation. TCIPG research focuses on
building trusted energy delivery control systems from un-trusted
components, and transitioning next-generation cyber security
technologies to the energy sector. As an example, TCIPG released the
Network Access Policy Tool that is now being used by industry and asset
owners to characterize the global effects of local firewall rules in
control system architectures. The tool will help utilities better
manage and maintain security on their highly-complex communications
networks.
Just recently, OE launched several new initiatives to enhance cyber
security in the energy sector.
OE, in coordination with DHS and other Federal agencies, has
conducted several cyber threat information sharing workshops to
analyze classified information, determine the impact to the
sector, and develop mitigations that were specifically designed
to work in the sector. This cooperative process has proven to
be more effective and accepted than dictating solutions to the
sector.
OE, in coordination with the National Institute of Standards
and Technology (NIST) and NERC, is leading a collaborative
effort with representatives from across the public and private
sectors to develop a cyber security risk management guideline.
The objective of this effort is to provide a consistent,
repeatable, and adaptable process for the electric sector, and
enable organizations to proactively manage risk.
Ensuring the cyber security of a modern, digital electricity
infrastructure is a key objective of national smart grid efforts. As a
result, a number of key initiatives have been developed to ensure
future system security and enable the energy sector to better design,
build, and integrate smart grid technologies. OE has engaged in
partnerships to perform these activities with key organizations
including Federal Energy Regulatory Commission (FERC), the U.S.
Department of Commerce, NIST, DHS, the Federal Communications
Commission, the Department of Defense (DoD), the intelligence
community, the White House Office of Science and Technology Policy,
state public utility commissions, the National Association of
Regulatory Utility Commissioners, NERC, the Open Smart Grid
Subcommittee, Electric Power Research Institute (EPRI), and other
energy sector organizations.
The American Recovery and Reinvestment Act of 2009 accelerated the
development of smart grid technologies by investing in pilot projects,
worker training, and large scale deployments. This public-private
investment worth over $9.6 billion was dedicated to a nationwide plan
to modernize the electric power grid, enhance the security of U.S.
energy infrastructure, and promote reliable electricity delivery. The
$4.5 billion in Recovery Act funds, managed by OE, was leveraged by
$5.1 billion in funds from the private sector to support 132 Smart Grid
Investment Grant and Smart Grid Demonstration Grant projects across the
country. Each project awardee committed to implementing a cyber
security plan that includes an evaluation of cyber risks and planned
mitigations, cyber security criteria for device and vendor selection,
and relevant standards or best practices the project will follow.
As called for in Section 1305 of EISA, OE is collaborating with
NIST and other agencies and organizations to develop a framework and
roadmap for interoperability standards that includes cyber security as
a critical element. As part of this effort, NIST established the
public-private Smart Grid Interoperability Panel, and within that, the
450-member Cyber Security Working Group (CSWG) to lead the development
of cyber security requirements for the smart grid. After engaging
members in numerous workshops and teleconferences and following two
formal reviews, the CSWG released the first version of its ``Cyber
Security Guidelines for the Smart Grid''. The three-volume document
details a strategy that includes smart grid use cases, a high-level
smart grid risk assessment process, smart grid-specific security
requirements, development of a security architecture, assessment of
smart grid standards, and development of a conformity assessment
program for requirements.
To address cyber security needs for smart grid technologies, OE
partnered with leading utilities and EPRI to develop cyber security
profiles for major smart grid applications--Advanced Metering
Infrastructure, Third-Party Data Access, and Distribution Automation.
These profiles provide vendor-neutral, actionable guidance to
utilities, vendors and government entities on how to build cyber
security into smart grid components in the development stage, and how
to implement those safeguards when the components are integrated into
the power grid. These documents support the NIST ``Cyber Security
Guidelines for the Smart Grid'' NISTIR 7628. OE also co-chairs the
NIST CSWG.
senate energy and natural resources committee proposed legislation
The proposed bill includes provisions intended to strengthen the
bulk power system and electric infrastructure by addressing cyber
security vulnerabilities and protecting against cyber security threats
by adding a new section to the Federal Power Act (FPA). While the
Administration does not yet have a position on the bill, the Department
offers the following observations.
To begin with, the proposed bill correctly identifies, defines, and
distinguishes between a cyber security vulnerability and a cyber
security threat. These are two related, but different concepts.
Vulnerabilities need to be identified and addressed, while threats need
to be protected against. In that regard, references in the proposed
bill to ``protecting critical electric infrastructure from cyber
security vulnerabilities'' should be changed to ``addressing critical
electric infrastructure cyber security vulnerabilities.''
In addition, Section 224(a)(1) defines critical electric
infrastructure to include distribution assets that affect interstate
commerce. This significantly expands FERC's jurisdiction for setting
reliability standards beyond the bulk power system as provided in FPA
section 215. Also, Section 224(f) would require a comprehensive plan
identifying emergency measures to protect the reliability of the
electric power supply of national defense facilities located in Alaska,
Hawaii, and Guam in the event of an imminent cyber security threat.
Pertinent to that, in July 2010, DOE and DoD signed a memorandum of
understanding (MOU) ``Concerning Cooperation in a Strategic Partnership
to Enhance Energy Security''. The purpose of the MOU is to enhance
national energy security and demonstrate Federal Government leadership
in transitioning America to a low carbon economy. This MOU provides an
opportunity to develop a comprehensive approach that reduces the impact
of power loss to defense critical assets, considering both mitigation
and response measures to ensure vital defense capabilities are not
disrupted.
Finally, the legislation does not yet address a unique, sensitive
cyber security information disclosure problem faced by Federal Power
Marketing Administrations subject to both the Freedom of Information
Act and mandatory reliability standards enacted under Section 215 of
the Federal Power Act. This sensitive information, developed under the
mandatory reliability standards, appears not to be protected from
public disclosure under the Freedom of Information Act. This security
vulnerability could be avoided if legislation providing statutory
protection for this information were enacted that qualified under
Exemption 3 of the Freedom of Information Act.
conclusion
In conclusion, I would like to again thank this Committee for its
leadership in supporting the protection of the bulk power system and
critical electric infrastructure against cyber security threats.
Recognizing the interdependencies between different sectors, it is
important to have a comprehensive strategy for cyber security
legislation. DOE would be happy to work with the Committee on this
legislation.
I would be pleased to address any questions the Committee might
have.
The Chairman. Thank you very much. Everyone's statement
will be included in the record as if read, including the one
that you've prepared.
So, Mr. McClelland, go right ahead.
STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC
RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION
Mr. McClelland. Mr. Chairman and members of the committee,
thank you for the privilege to appear before you today to
discuss the security of the power grid. My name is Joe
McClelland and I am the Director of the Office of Electric
Reliability at the Federal Energy Regulatory Commission. I am
here today as a Commission Staff Witness and my remarks do not
necessarily represent the views of the Commission or any
individual commissioner.
In the Energy Policy Act of 2005 Congress entrusted the
Commission with a major new responsibility, to oversee
mandatory, enforceable reliability and cyber security standards
for the Nation's bulk power system. This authority is in
section 215 of the Federal Power Act. It is important to note
that FERC's authority under section 215 is limited to, ``the
bulk power system,'' which excludes Alaska and Hawaii,
transmission facilities in certain large cities such as New
York, as well as all local distribution systems.
Under section 215, FERC cannot author or modify reliability
or cyber security standards but must depend upon an electric
reliability organization or ERO to perform this task. The
Commission selected the North American Electric Reliability
Corporation or NERC as the ERO. The ERO develops and proposes
cyber security standards or modifications for the Commission's
review which it can either approve or remand.
If the Commission approves the proposed cyber security
standard it becomes mandatory and enforceable in the United
States to all users, owners and operators of the bulk power
system.
If the Commission remands a proposed standard it is sent
back to the ERO for further consideration.
Pursuant to its responsibility to oversee the reliability
and cyber security of the power grid, in January 2008 FERC
approved eight cyber security standards known as the Critical
Infrastructure Protection or CIP standards, but also directed
NERC to make significant modifications to these standards.
Compliance with these eight standards first became mandatory on
July 1st, 2010. Although NERC has filed and the Commission has
approved some modifications to the CIP standards the majority
of the Commission's directed modifications to these standards
have not yet been addressed by NERC. It is not clear how long
it will take for the CIP standards to be modified to eliminate
some of the significant gaps in protection within them.
On a related note, as Smart grid technology is added to the
bulk power system greater cyber security protections will be
required, given that this technology provides more access
points thereby increasing the grid's vulnerabilities. The CIP
standards will apply to some but not most of the Smart grid
applications. Moreover there are non-cyber threats that also
pose national security concerns. Naturally occurring events or
physical attacks against the power grid can cause equal or
greater disruption than cyber attacks and the Federal
Government should have no less ability to protect against them.
One example is electromagnetic pulse or EMP. An EMP event
could seriously degrade or shut down a large part of the
electric power grid. In addition to manmade attacks, EMP events
are also naturally generated, caused by solar flares and storms
disrupting the Earth's magnetic field.
Such events are inevitable, can be powerful and can also
cause significant and prolonged disruptions to the power grid.
In fact, FERC, DHS and DOE recently completed a joint EMP study
conducted through the Oak Ridge National Laboratory. The study
evaluated both manmade and naturally occurring EMP events to
determine their effects on the power system and to identify
protective mitigation measures that could be installed.
Included among its findings was that, without effective
mitigation, if the solar storm of 1921, which is considered a
one in one hundred year event, were to occur today, over 300
bulk power system transformers could be damaged or destroyed,
thereby interrupting power to 130 million people for 10 years.
Although section 215 of the Federal Power Act can provide
an adequate statutory foundation for the development of routine
reliability standards for the bulk power system, the threat of
cyber attacks or other intentional, malicious acts against the
grid is different. These are threats that can endanger national
security that may be posed by criminal organizations, terrorist
groups, foreign Nations or others, intent on attacking the
United States through its electric grid. A widespread
disruption of electric service can quickly undermine our
government, our military, our economy as well as endanger the
health and safety of our citizens. Given the national security
dimensions to this threat there may be a need to act quickly,
to act in a manner where action is mandatory rather than
voluntary and to protect certain information from public
disclosure.
The Commission's legal authority is inadequate for such
action. New legislation should address several key concerns.
First, FERC should be permitted to take direct action
before a cyber or physical national security incident has
occurred.
Second, FERC should be allowed to maintain the appropriate
confidentiality of security sensitive information.
Third, the limitations on the term ``bulk power system''
should be understood, as our current jurisdiction under 215 does
not apply to Alaska and Hawaii as well as some transmission
facilities and all local distribution facilities.
Fourth, entities should be able to recover costs they
incurred to mitigate the vulnerabilities and threats.
Finally, legislation on national security threats to
reliability should cover not only cyber security threats but
also natural events and intentional, non-cyber, malicious acts
including threats from an EMP.
The cyber security discussion draft addresses many of these
issues. Thank you for your attention today. I look forward to
any questions that you might have.
[The prepared statement of Mr. McClelland follows:]
Prepared Statement of Joseph McClelland, Director, Office of Electric
Reliability, Federal Energy Regulatory Commission
Mr. Chairman and Members of the Committee: Thank you for this
opportunity to appear before you to discuss the security of the
electric grid. My name is Joseph McClelland. I am the Director of the
Office of Electric Reliability (OER) of the Federal Energy Regulatory
Commission (FERC or Commission). The Commission's role with respect to
reliability is to help protect and improve the reliability of the
Nation's bulk power system through effective regulatory oversight as
established in the Energy Policy Act of 2005. I am here today as a
Commission staff witness and my remarks do not necessarily represent
the views of the Commission or any individual Commissioner.
My testimony summarizes the Commission's oversight of the
reliability of the electric grid under section 215 of the Federal Power
Act (FPA) and the Commission's implementation of that authority with
respect to cyber security primarily through Order No. 706. I also will
describe some of the current limitations in Federal authority to
protect the grid against physical and cyber security threats, and also
comment on the cyber security discussion draft. The Commission
currently does not have sufficient authority to require effective
protection of the grid against cyber or physical attacks. If adequate
protection is to be provided, legislation is needed and my testimony
discusses the key elements that should be included in legislation in
this area.
Background
In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted
the Commission with a major new responsibility to oversee mandatory,
enforceable reliability standards for the Nation's bulk power system
(excluding Alaska and Hawaii). This authority is in section 215 of the
Federal Power Act. Section 215 requires the Commission to select an
Electric Reliability Organization (ERO) that is responsible for
proposing, for Commission review and approval, reliability standards or
modifications to existing reliability standards to help protect and
improve the reliability of the Nation's bulk power system. The
Commission has certified the North American Electric Reliability
Corporation (NERC) as the ERO. The reliability standards apply to the
users, owners and operators of the bulk power system and become
mandatory in the United States only after Commission approval. The ERO
also is authorized to impose, after notice and opportunity for a
hearing, penalties for violations of the reliability standards, subject
to Commission review and approval. The ERO may delegate certain
responsibilities to ``Regional Entities,'' subject to Commission
approval.
The Commission may approve proposed reliability standards or
modifications to previously approved standards if it finds them ``just,
reasonable, not unduly discriminatory or preferential, and in the
public interest.'' The Commission itself does not have authority to
modify proposed standards. Rather, if the Commission disapproves a
proposed standard or modification, section 215 requires the Commission
to remand it to the ERO for further consideration. The Commission, upon
its own motion or upon complaint, may direct the ERO to submit a
proposed standard or modification on a specific matter but it does not
have the authority to modify or author a standard and must depend upon
the ERO to do so.
Limitations of Section 215 and the Term ``Bulk Power System''
Currently, the Commission's jurisdiction and reliability authority
is limited to the ``bulk power system,'' as defined in the FPA, and
therefore excludes Alaska and Hawaii, including any federal
installations located therein. The current interpretation of ``bulk
power system'' also excludes some transmission and all local
distribution facilities, including virtually all of the grid facilities
in certain large cities such as New York, thus precluding Commission
action to mitigate cyber or other national security threats to
reliability that involve such facilities and major population areas.
The Commission recently issued Order No. 743, which directs NERC to
revise its interpretation of the bulk power system to eliminate
inconsistencies across regions, eliminate the ambiguity created by the
current discretion in NERC's definition of bulk electric system,
provide a backstop review to ensure that any variations do not
compromise reliability, and ensure that facilities that could
significantly affect reliability are subject to mandatory rules. NERC
is currently developing its response to that order. However, it is
important to note that section 215 of the FPA excludes local
distribution facilities from the Commission's reliability jurisdiction,
so any revised bulk electric system definition developed by NERC will
still not apply to local distribution facilities.
Critical Infrastructure Protection Reliability Standards
An important part of the Commission's current responsibility to
oversee the development of reliability standards for the bulk power
system involves cyber security. In August 2006, NERC submitted eight
proposed cyber security standards, known as the Critical Infrastructure
Protection (CIP) standards, to the Commission for approval under
section 215. Critical infrastructure, as defined by NERC for purposes
of the CIP standards, includes facilities, systems, and equipment
which, if destroyed, degraded, or otherwise rendered unavailable, would
affect the reliability or operability of the ``Bulk Electric System.''
Under NERC's implementation plan for the CIP standards, full compliance
became mandatory on July 1, 2010.
On January 18, 2008, the Commission issued Order No. 706, the Final
Rule approving the CIP reliability standards while concurrently
directing NERC to develop significant modifications addressing specific
concerns. The Commission set a deadline of July 1, 2009 for NERC to
resolve certain issues in the CIP reliability standards, including
deletion of the ``reasonable business judgment'' and ``acceptance of
risk'' language in each of the standards. NERC concluded that this
deadline would create a very compressed schedule for its stakeholder
process. Therefore, it divided all of the changes directed by the
Commission into phases, based on their complexity. NERC opted to
resolve the simplest changes in the first phase, while putting off more
complex changes for later versions.
NERC filed the first phase of the modifications to the CIP
Reliability Standards (Version 2) on May 22, 2009. In this phase, NERC
removed from the standards the terms ``reasonable business judgment''
and ``acceptance of risk,'' added a requirement for a ``single senior
manager'' responsible for CIP compliance, and made certain other
administrative and clarifying changes. In a September 30, 2009 order,
the Commission approved the Version 2 CIP standards and directed NERC
to develop additional modifications to certain of them. Pursuant to the
Commission's September 30, 2009 order, NERC submitted Version 3 of the
CIP standards which revised Version 2 as directed. The Version 3 CIP
standards became effective on October 1, 2010. This first phase of the
modifications directed by the Commission in Order No. 706, which
encompassed both Version 2 and Version 3, did not modify the critical
asset identification process, a central concern in Order No. 706.
On February 10, 2011, NERC initiated the second phase of the Order
No. 706 directed modification, filing a petition seeking approval of
Version 4 of the CIP standards. Version 4 includes new proposed
criteria to identify ``critical assets'' for purposes of the CIP
reliability standards. This filing is currently under review by the
Commission. In order to better understand the NERC Version 4 petition,
particularly the number of critical cyber assets that will be
identified under this revision, the Commission issued data requests to
NERC, with responses due on July 11, 2011, which reflects an extension
of time requested by NERC.
The remaining CIP standards revisions to respond to the
Commission's directives issued in Order No. 706 are still under
development by NERC. It is important to note that the majority of the
Order No. 706 directed modifications to the CIP standards have yet to
be addressed by NERC. Until they are addressed, there are significant
gaps in protection such as a needed requirement for a defense in depth
posture. NERC's standards development plan filed with the Commission in
April 2011 classifies these outstanding revisions to the CIP standards
as ``High Priority'' with a targeted completion in the second quarter
of 2012.
Identification of Critical Assets
As currently written, the CIP reliability standards allow utilities
significant discretion to determine which of their facilities are
``critical assets and the associated critical cyber assets,'' and
therefore are subject to the requirements of the standards. In Order
No. 706, the Commission directed NERC to revise the standards to
require independent oversight of a utility's decisions by industry
entities with a ``wide-area view,'' such as reliability coordinators or
the Regional Entities, subject to the review of the Commission. This
revision to the standards, like all revisions, is subject to approval
by the affected stakeholders in the standards development process. NERC
has attempted to address this directive in Version 4 of the CIP
standards, which is now under review by the Commission.
When, in Order No. 706, the Commission approved Version 1 of the
CIP reliability standards, it also required entities under those
standards to self-certify their compliance progress every six months.
In December 2008, NERC conducted a self-certification study, asking
each entity to report limited information on its critical assets and
the associated critical cyber assets identified in compliance with
reliability standard CIP-002-1. As the Commission stated in Order No.
706, the identification of critical assets is the cornerstone of the
CIP standards. If that identification is not done well, the CIP
standards will be ineffective at protecting the bulk power system. The
results of NERC's self-certification request showed that only 29% of
responding generation owners and operators identified at least one
critical asset, while about 63% of the responding transmission owners
identified at least one critical asset. NERC expressed its concern with
these results in a letter to industry stakeholders dated April 7, 2009.
NERC conducted another self-certification survey of responsible
entities to determine progress towards identification of critical cyber
assets. It gathered information about critical assets and critical
cyber assets as of December 31, 2009. This survey included additional
questions designed to obtain a better understanding of the results from
industry's critical asset identification process. In general, this
survey did not demonstrate a significant increase in identified
critical assets. NERC noted some encouraging results as well as some
that were a cause for concern. In addition, the Regional Entities have
been performing audits which have included registered entities'
determination of their critical cyber asset lists. FERC staff has been
observing selected audits to examine the Regional Entities' methods of
conducting these audits. It is important to note that although
``critical assets'' are used to identify subsequent ``critical cyber
assets,'' only the subset of ``critical cyber assets'' are subject to
the CIP standards.
NERC's Critical Infrastructure Protection Committee released a
guidance document to assist registered entities in identifying their
critical assets. That document, which took effect on September 17,
2009, provides ``guidelines'' that define which assets should be
evaluated, provides risk-based evaluation guidance for determining
critical assets, and describes reasonable bases that could be used to
support that determination. A second NERC security guideline regarding
critical cyber assets became effective on June 17, 2010. This security
guideline ``provides guidance for identifying Critical Cyber Assets by
evaluating potential impacts to `reliable operation' of a Critical
Asset.'' Neither of these guidance documents contained any actions that
were mandatory for users, owners or operators of the bulk-power system.
Version 4 of the CIP standards, which is currently pending before
the Commission, would change the way in which critical assets are
identified. Instead of using a loosely defined risk-based assessment
methodology, CIP-002 Version 4 Attachment 1 contains what NERC
describes as ``uniform criteria for the identification of Critical
Assets.'' For example, criterion 1.1 would identify generation plants
equal to or greater than 1500MW as critical assets. The filing asserts
that this would account for 29% of the installed generator capacity in
the United States. Because this is an on-going proceeding before the
Commission, I am limited in what I can discuss about the merits of
NERC's petition.
The NERC Process
As an initial matter, it is important to recognize how mandatory
reliability standards are established. Under section 215, reliability
standards must be developed by the ERO through an open, inclusive, and
public process. The Commission can direct NERC to develop a reliability
standard to address a particular reliability matter, including cyber
security threats or vulnerabilities. However, the NERC process
typically requires years to develop standards for the Commission's
review. In fact, the CIP standards approved by the Commission in
January 2008 took approximately three years to develop.
NERC's procedures for developing standards allow extensive
opportunity for stakeholder comment, are open, and are generally based
on the procedures of the American National Standards Institute. The
NERC process is intended to develop consensus on both the need for, and
the substance of, the proposed standard. Although inclusive, the
process is relatively slow, open and unpredictable in its
responsiveness to the Commission's directives. This process requires
public disclosure regarding the reason for the proposed standard, the
manner in which the standard will address the issues, and any
subsequent comments and resulting modifications in the standards as the
affected stakeholders review the material and provide comments.
NERC-approved standards are then submitted to the Commission for its review.
The procedures used by NERC are appropriate for developing and
approving routine reliability standards. The process allows extensive
opportunities for industry and public comment. The public nature of the
reliability standards development process can be a strength of the
process. However, it can be an impediment when measures or actions need
to be taken to address threats to national security quickly,
effectively and in a manner that protects against the disclosure of
security-sensitive information. The current procedures used under
section 215 for the development and approval of reliability standards
do not provide an effective and timely means of addressing urgent cyber
or other national security risks to the bulk power system, particularly
in emergency situations. Certain circumstances, such as those involving
national security, may require immediate action, while the reliability
standard procedures take too long to implement efficient and timely
corrective steps. On September 3, 2010, FERC approved a new reliability
standards process manual filed by NERC. While this manual includes a
process for developing a standard related to a confidential issue, the
new process is untested and it is unclear how the process would be
implemented.
FERC rules governing review and establishment of reliability
standards allow the agency to direct the ERO to develop and propose
reliability standards under an expedited schedule. For example, FERC
could order the ERO to submit a reliability standard to address a
reliability vulnerability within 60 days. Also, NERC's rules of
procedure include a provision for approval of ``urgent action''
standards that can be completed within 60 days and which may be further
expedited by a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk power system
reliability or national security. However, it is not clear NERC could
meet this schedule in practice. Moreover, faced with a national
security threat to reliability, there may be a need to act decisively
in hours or days, rather than weeks, months or years. That would not be
feasible even under the urgent action process. In the meantime, the
bulk power system would be left vulnerable to a known national security
threat. Moreover, existing procedures, including the urgent action
procedure, could widely publicize both the vulnerability and the
proposed solutions, thus increasing the risk of hostile actions before
the appropriate solutions are implemented.
In addition, a reliability standard submitted to the Commission by
NERC may not be sufficient to address the identified vulnerability or
threat. Since FERC may not directly modify a proposed reliability
standard under section 215 and must either approve or remand it, FERC
would have the choice of approving an inadequate standard and directing
changes, which reinitiates a process that can take years, or rejecting
the standard altogether. Under either approach, the bulk power system
would remain vulnerable for a prolonged period.
This concern was highlighted in the Department of Energy Inspector
General's January 2011 audit report on FERC's ``Monitoring of Power
Grid Cyber Security.'' The audit report identified concerns regarding
the adequacy of the CIP standards and the implementation and schedule
for the CIP standards, and concluded that these problems exist, in
part, because the Commission's authority to ensure adequate cyber
security over the bulk electric system is limited. The audit report
concludes that the Commission should take a more aggressive action when
ordering new or revised standards and highlights its lack of authority
to implement its own reliability standards or mandatory alerts in
response to emerging threats or vulnerabilities. This report emphasizes
the need for FERC to have additional authority for ensuring adequate
cyber security over the bulk electric system.
Finally, the open and inclusive process required for standards
development is not consistent with the need to protect
security-sensitive information. For instance, a formal request for a new
standard would normally detail the need for the standard as well as the
proposed mitigation to address the issue, and the NERC-approved version
of the standard would be filed with the Commission for review. This
public information could help potential adversaries in planning
attacks.
NERC's Formal Notices
Currently, the alternative to a mandatory reliability standard is
for NERC to issue a formal notice encouraging utilities and others to
take voluntary action to guard against a specific cyber or other
vulnerability. Such a notice may be an Advisory, a Recommendation or an
Essential Action. The notice approach allows for quicker action, but
compliance with a notice is voluntary, and will likely produce
inconsistent and potentially ineffective responses. For example, two
Advisories and a Recommendation were issued in 2010 by NERC, regarding
an identified cyber security threat referred to as ``Stuxnet.'' The
details of actions taken to mitigate the vulnerabilities identified by
Stuxnet, and the assets to which they apply, as well as their
effectiveness, are not known. Reliance on voluntary measures to protect
national security is fundamentally inconsistent with the conclusion
Congress reached during enactment of EPAct 2005, that voluntary
standards are not sufficient to protect the reliability of the bulk
power system.
Smart Grid
The need for vigilance will increase as new technologies are added
to the bulk power system. For example, smart grid technology promises
significant benefits in the use of electricity. These include the
ability to better manage not only energy sources but also energy
consumption. However, a smarter grid would permit two-way communication
between the electric system and a large number of devices located
outside of controlled utility environments, which will introduce many
potential access points.
Smart grid applications will automate many decisions on the supply
and use of electricity to increase efficiencies and ultimately to allow
cost savings. Without adequate physical and cyber protections, however,
this level of automation may allow adversaries to gain access to the
rest of the company's data and control systems and cause significant
harm. Security features must be an integral consideration when
developing smart grid technology and must be assured before widespread
installation of new equipment. The challenge will be to focus not only
on general approaches but, importantly, on the details of specific
technologies and the risks they may present.
Regarding data, there are multiple ways in which smart grid
technologies may introduce new cyber vulnerabilities into the system.
For example, an attacker could gain access to a remote or intermediate
smart grid device and change data values monitored or received from
down-stream devices, and pass the incorrect data up-stream to cause
operators or automatic programs to take incorrect actions.
In regard to control systems, an attacker that gains access to the
communication channels could order metering devices to disconnect
customers, order previously shed load to come back on line prematurely,
or order dispersed generation sources to turn off during periods when
load is approaching generation capacity, causing instability and
outages on the bulk power system. One of the potential capabilities of
the smart grid is the ability to remotely disconnect service using
advanced metering infrastructure (AMI). If insufficient security
measures are implemented in a company's AMI application, an adversary
may be able to access the AMI system and could conceivably disconnect
every customer with an AMI device. If such an attack is widespread
enough, the resultant disconnection of load on the distribution system
could result in impacts to the bulk power system. If an adversary
follows this disconnection event with a subsequent and targeted cyber
attack against remote meters, the restoration of service could be
greatly delayed.
In addition to any smart grid related standards that may be adopted
by the Commission, the CIP standards will apply to some, but not most,
smart grid applications. The standards require users, owners and
operators of the bulk power system to protect cyber assets, including
hardware, software and data, which would affect the reliability or
operability of the bulk power system. These assets are identified using
a risk-based assessment methodology that identifies electric assets
that are critical to the reliable operation of the bulk power system.
If a smart grid device were to control a critical part of the bulk
power system, it should be considered a critical cyber asset subject to
the protection requirements of the CIP standards. However, this
designation is currently up to the affected entity as part of its
self-determination of critical cyber assets, as discussed previously.
Many of the smart grid applications will be deployed at the
distribution and end-user level. For example, some applications may be
targeted at improving market efficiency in ways that may not have a
reliability impact on the bulk power system, such that the protection
requirements of the CIP standards, as they are currently written, may
not apply. However, as discussed above, these applications either
individually or in the aggregate could affect the bulk power system.
Physical Security and Other Threats to Reliability
The existing reliability standards do not extend to physical
threats to the grid, but physical threats can cause equal or greater
destruction than cyber attacks and the Federal government should have
no less ability to act to protect against such potential damage. One
example of a physical threat is an electromagnetic pulse (EMP) event.
In 2001, Congress established a commission to assess the threat from
EMP, with particular attention to be paid to the nature and magnitude
of high-altitude EMP threats to the United States; vulnerabilities of
U.S. military and civilian infrastructure to such attack; capabilities
to recover from an attack; and the feasibility and cost of protecting
military and civilian infrastructure, including energy infrastructure.
In 2004, the EMP commission issued a report describing the nature of
EMP attacks, vulnerabilities to EMP attacks, and strategies to respond
to an attack.\1\ A second report was produced in 2008 that further
investigated vulnerabilities of the Nation's infrastructure to EMP.\2\
Both electrical equipment and control systems can be damaged by EMP.
---------------------------------------------------------------------------
\1\ Graham, Dr. William R. et al., Report of the Commission to
Assess the Threat to the United States from Electromagnetic Pulse (EMP)
Attack (2004).
\2\ Dr. John S., Jr. et al., Report of the Commission to Assess the
Threat to the United States from Electromagnetic Pulse (EMP) Attack
(2008).
---------------------------------------------------------------------------
An EMP may also be a naturally-occurring event caused by solar
flares and storms disrupting the Earth's magnetic field. In 1859, a
major solar storm occurred, causing auroral displays and significant
shifts of the Earth's magnetic fields. As a result, telegraphs were
rendered useless and several telegraph stations burned down. The
impacts of that storm were muted because semiconductor technology did
not exist at the time. Were the storm to happen today, according to an
article in Scientific American, it could ``severely damage satellites,
disable radio communications, and cause continent-wide electrical
black-outs that would require weeks or longer to recover from.''\3\
Although storms of this magnitude occur rarely, storms and flares of
lesser intensity occur more frequently. Storms of about half the
intensity of the 1859 storm occur every 50 years or so according to the
authors of the Scientific American article, and the last such storm
occurred in November 1960, leading to world-wide geomagnetic
disturbances and radio outages. The power grid is particularly
vulnerable to solar storms, as transformers are electrically grounded
to the Earth and susceptible to damage from geomagnetically induced
currents. The damage or destruction of numerous transformers across the
country would result in reduced grid functionality and even prolonged
power outages.
---------------------------------------------------------------------------
\3\ Odenwald, Sten F. and Green, James L., Bracing the Satellite
Infrastructure for a Solar Superstorm, Scientific American Magazine
(Jul. 28, 2008).
---------------------------------------------------------------------------
In March 2010, Oak Ridge National Laboratory (Oak Ridge) and their
subcontractor Metatech released a study that explored the vulnerability
of the electric grid to EMP-related events. This study was a joint
effort contracted by FERC staff, the Department of Energy and the
Department of Homeland Security and expanded on the information
developed in other initiatives, including the EMP commission reports.
The series of reports provided detailed technical background and
outlined which sections of the power grid are most vulnerable, what
equipment would be affected, and what damage could result. Protection
concepts for each threat and additional methods for remediation were
also included along with suggestions for mitigation. The results of the
study support the general conclusion that EMP events pose substantial
risk to equipment and operation of the Nation's power grid and under
extreme conditions could result in major long term electrical outages.
In fact, solar magnetic disturbances are inevitable with only the
timing and magnitude subject to variability. The study assessed the
1921 solar storm, which has been termed a 1-in-100 year event, and
applied it to today's power grid. The study concluded that such a storm
could damage or destroy up to 300 bulk power system transformers
interrupting service to 130 million people for a period of years.
The existing reliability standards do not address EMP
vulnerabilities. Protecting the electric generation, transmission and
distribution systems from severe damage due to an EMP-related event
would involve vulnerability assessments at every level of electric
infrastructure.
the need for legislation
In my view, section 215 of the Federal Power Act provides an
adequate statutory foundation for the ERO to develop most reliability
standards for the bulk power system. However, the nature of a national
security threat by entities intent on attacking the U.S. through
vulnerabilities in its electric grid stands in stark contrast to other
major reliability vulnerabilities that have caused regional blackouts
and reliability failures in the past, such as vegetation management and
protective relay maintenance practices. Widespread disruption of
electric service can quickly undermine the U.S. government, its
military, and the economy, as well as endanger the health and safety of
millions of citizens. Given the national security dimension to this
threat, there may be a need to act quickly to protect the grid, to act
in a manner where action is mandatory rather than voluntary, and to
protect certain information from public disclosure.
The Commission's current legal authority is inadequate for such
action. This is true of both cyber and physical threats to the bulk
power system that pose national security concerns.
Any new legislation should address several key concerns. First, to
prevent a significant risk of disruption to the grid, legislation
should allow the Commission to take action before a cyber or physical
national security incident has occurred. In my opinion, the cyber
security discussion draft addresses this concern by allowing the
Commission to timely act on cyber security vulnerabilities before an
incident occurs and by giving the Secretary of Energy emergency
authority to act on cyber security threats. In particular, the
Commission should be able to require mitigation even before or while
NERC and its stakeholders develop a standard, when circumstances
require urgent action.
Second, any legislation should allow the Commission to maintain
appropriate confidentiality of sensitive information submitted,
developed or issued under this authority. Without such confidentiality,
the grid may be more vulnerable to attack and the Commission will not
be able to adequately protect it. The cyber security discussion draft
also includes provisions for protection of critical electric
infrastructure information, which includes a provision for FERC to
establish procedures to allow the Commission to release critical
infrastructure information to the extent necessary to enable entities
to implement any FERC order under the proposal. It also appropriately
would require FERC to limit redistribution of information so that the
information is only in the hands of those that need to know.
Third, if additional reliability authority is limited to the bulk
power system, as that term is currently defined in the FPA, it would
not authorize Commission action to mitigate cyber or other national
security threats to reliability that involve certain critical
facilities and major population areas. The cyber security discussion
draft would apply to any entity that owns, controls, or operates
critical electric infrastructure. While Alaska and Hawaii would be
excluded, the discussion draft requires the Secretary of Defense to
prepare a comprehensive plan to protect any national defense facilities
located in those states.
Fourth, it is important that entities be able to recover costs they
incur to mitigate vulnerabilities and threats. The cyber security
discussion draft requires the Commission to permit public utilities to
recover prudently incurred costs required to implement immediate
actions ordered by the Secretary of Energy to avert or mitigate a cyber
security threat. I support this provision and any clarifications that
might better ensure recovery of costs incurred under this legislation.
Finally, in my view, any legislation on national security threats
to reliability should address not only cyber security threats but also
natural events; i.e., a geomagnetic disturbance, or intentional
physical malicious acts (targeting, for example, critical substations
and generating stations) including threats from an electromagnetic
pulse. This additional authority would not displace other means of
protecting the grid, such as action by federal, state and local law
enforcement and the National Guard. If particular circumstances cause
both FERC and other governmental authorities to require action by
utilities, FERC would coordinate with other authorities as appropriate.
In short, any new authority should allow the Commission to quickly
order mandatory measures that are focused and confidential to address
fast-moving, sophisticated and targeted cyber and physical attacks and
natural events while providing cost recovery to the affected entities.
conclusion
The Commission's current authority is not adequate to address cyber
or other national security threats to the reliability of our
transmission and power system. These types of threats pose an
increasing risk to our Nation's electric grid, which undergirds our
government and economy and helps ensure the health and welfare of our
citizens. Congress should address this risk now. The cyber security
discussion draft in front of us today would go a long way to resolving
this issue. Thank you again for the opportunity to testify today. I
would be happy to answer any questions you may have.
The Chairman. Thank you very much.
Mr. Cauley, go right ahead.
STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Mr. Cauley. Good morning, Chairman Bingaman, Ranking Member
Murkowski, members of the committee and fellow panelists.
As CEO of the organization that is charged with overseeing
the reliability and security of the North American grid, I wake
up every day concerned about the emerging risks caused by
intentional actions of our adversaries who would do harm to our
Nation and to our citizens. The security of the North American
power grid is an utmost priority for NERC. The mainstay of
NERC's critical infrastructure program is a set of nine
mandatory cyber security standards that we actively monitor and
enforce.
We've recently made significant strides in improving our
cyber standards. When I came onboard at NERC in 2010 I
recognized the importance of establishing bright line criteria
for the identification of critical assets to be protected. The
new standard was developed in 6 months and filed with the
Commission in February of this year and is pending their
approval.
Our standards process works for what it was intended to do,
to establish sustained, baseline requirements for the
reliability and resilience of the bulk power system. However,
there's no single approach, not even compliance with mandatory
standards that will protect the grid against all threats from
physical and cyber attacks. The threat environment is
constantly changing and our defenses must keep pace. Achieving
a high degree of resilience requires continuously adaptive
measures beyond those outlined in our standards, measures we are
actively pursuing today.
The most important of these activities is the operation of
the Electricity Sector Information Sharing and Analysis
Center. In this role NERC works closely with Federal partners
to promptly disseminate threat indications, warnings and
analysis to electricity sector participants. The crux of a
dynamic, adaptive strategy is to get timely, actionable
information to the asset owners and operators and the experts
in the field.
NERC staff has the necessary security clearances to work
with the Department of Homeland Security, DOE and Federal
intelligence agencies to generate unclassified recommendations
that lead to actions by industry. Using this process NERC has
issued 14 security related alerts since January 2010 covering
such issues as Aurora, Stuxnet, Night Dragon and other threats.
The NERC alert system works well. Coupled with our CIP standards
and availability of a new, confidential and expedited standards
development process, NERC has the tools we need to protect the
cyber security of the bulk power system.
NERC is leading a number of other initiatives to ensure the
resilience of the bulk power system.
We're preparing an industry wide security exercise in
November 2011. Jointly with DOE and NIST, we are developing
cyber security best practices for electric systems including
distribution.
In collaboration with the DOE national labs, we're
initiating a program to monitor grid cyber networks and another
program to improve the training and qualifications of industry
cyber experts.
With regard to the proposed draft legislation, first and
foremost, NERC has consistently supported legislation to
address cyber emergencies and improve information sharing
between government and the private sector. It is my
interpretation of section 215(d)(5) that FERC now has the
authority to direct NERC to prepare a standard that is needed
to address a specific vulnerability including cyber security
and to do so by a certain date. Therefore it is not clear to me
that the vulnerability section proposed in the new section
224(b) is needed.
If section 224(b) is returned, first I'm concerned that the
jurisdiction extends to distribution systems which were
intentionally excluded from jurisdiction of FERC and NERC in
section 215. If the intent is to expand the scope of authority
for electric system security into distribution systems this is
a critical issue requiring involvement of the States and also
calls for consultation with asset owners and operators and
other stakeholders should be included in such a process.
Second, I'm concerned that no requirement exists in the
draft legislation for FERC to identify any deficiency in
existing reliability standards or a cyber security
vulnerability for the ERO to address. Without some specific
idea of the problem to be solved it would be difficult for the
ERO to produce an adequate set of requirements.
Third, the discussion draft calls for the ERO to develop a
reliability standard in response to a FERC order on
vulnerabilities. But given the dynamic nature of threats and
vulnerabilities many are not appropriate to be addressed by a
standard. Currently NERC's essential action alerts are not
legally enforceable. Legislation that provides a means for both
standards and other emergency directives to be legally
enforceable would significantly enhance the cyber security of
the grid. Such an approach would require the involvement of
both the ERO and the Commission and sufficient due process for
those entities subject to the requirements.
I believe legislation addressing the security of the
Nation's electricity infrastructure could be beneficial, that
the framework should focus on enabling information sharing and
problem solving between the government and private sectors.
NERC's standards provide a baseline of cyber protection for a
power grid. Our alert program is effective in addressing
emerging threats. Legislation could help by addressing the due
process requirements and enforceability of emergency
directives.
Thank you for the opportunity to speak today. I look
forward to your questions.
[The prepared statement of Mr. Cauley follows:]
Prepared Statement of Gerry Cauley, President and Chief Executive
Officer, North American Electric Reliability Corporation
introduction
Good morning Chairman Bingaman, Ranking Member Murkowski, members
of the Committee and fellow panelists. My name is Gerry Cauley and I am
the President and CEO of the North American Electric Reliability
Corporation (NERC). I am a graduate of the U.S. Military Academy, a
former officer in the U.S. Army Corps of Engineers, and have more than
30 years' experience in the bulk power system\1\ industry, including
service as a lead investigator of the August 2003 Northeast blackout
and coordinator of the NERC Y2K program. I appreciate the opportunity
to testify today on the discussion draft of cybersecurity legislation.
---------------------------------------------------------------------------
\1\ The Bulk Power System (sometimes referred to as ``BPS'') is
defined as generation and transmission of electricity greater than
100 kV, in contrast to the distribution of electricity to homes and
businesses at lower voltages.
---------------------------------------------------------------------------
NERC's Mission
NERC's mission is to ensure the reliability of the bulk power
system of North America and promote reliability excellence. NERC was
founded in 1968 to develop voluntary standards for the owners and
operators of the bulk power system. NERC is an independent corporation
whose membership includes large and small electricity consumers,
government representatives, municipalities, cooperatives, independent
power producers, investor-owned utilities, independent transmission
system operators and federal power marketing agencies such as TVA and
Bonneville Power Administration.
In 2007, NERC was designated the Electric Reliability Organization
(ERO) by the Federal Energy Regulatory Commission (FERC) in accordance
with Section 215 of the Federal Power Act (FPA), enacted by the Energy
Policy Act of 2005. Upon approval by FERC, NERC's reliability standards
became mandatory within the United States. These mandatory reliability
standards include Critical Infrastructure Protection (CIP) Standards
001 through 009, which address the security of cyber assets essential
to the reliable operation of the electric grid. To date, these
standards (and those promulgated by the Nuclear Regulatory Commission)
are the only mandatory cybersecurity standards in place across the
critical infrastructures of the United States. Subject to FERC
oversight, NERC and its Regional Entity partners enforce these
standards, which are developed with substantial input from industry and
approved by FERC, to accomplish our mission to ensure the reliability
of the electric grid. In its position between industry and government,
NERC embodies the often-invoked goal of creating effective partnerships
between the public sector and the private sector.
As a result of society's growing dependence on electricity, the
electric grid is one of the Nation's most critical infrastructures. The
bulk power system in North America is one of the largest, most complex,
and most robust systems ever created by mankind. Throughout North
America, four interconnections, with a capacity of over one-million
megawatts of generation and nearly half-a-million miles of high voltage
transmission lines all acting in unison, meet the electric needs of
more than 340 million people, with a maximum demand of nearly 850
thousand megawatts. The electricity being used in this room right now
is generated and transmitted in real time over a complex series of
lines and stations from as far away as Ontario or Tennessee. As complex
as it is, few machines are as robust as the bulk power system. Decades
of experience with hurricanes, ice storms and other natural disasters,
as well as mechanical breakdowns, vandalism and sabotage, have taught
the electric industry how to build strong and reliable networks that
generally withstand all but the worst natural and physical disasters
while supporting affordable electric service. The knowledge that
disturbances on the grid can impact operations thousands of miles away
has influenced the electric industry culture of reliability, affecting
how it plans, operates and protects the bulk power system.
the cybersecurity challenge for the grid and nerc's approach
to addressing it
Along with the rest of our economy, the electric industry has
become increasingly dependent on digital technology to reduce costs,
increase efficiency and maintain the reliability of the bulk power
system. The networks and computer environments that make up this
digital technology could be as vulnerable to malicious attacks and
misuse as any other technology infrastructure. Much like the defense of
this country, the defense of the bulk power system requires constant
vigilance and expertise.
As CEO of the organization charged with overseeing the reliability
and security of the North American grid, I am deeply concerned about
the changing risk landscape from conventional risks, such as extreme
weather and equipment failures, to new and emerging risks where we are
left to imagine scenarios that might occur and prepare to avoid or
mitigate the consequences. Some of those consequences could be much
more severe than we have previously experienced. I am most concerned
about coordinated physical and cyber attacks intended to disable
elements of the power grid or deny electricity to specific targets,
such as government or business centers, military installations, or
other infrastructures. These threats differ from conventional risks in
that they result from intentional actions by adversaries and are not
simply random failures or acts of nature.
The most effective approach against such adversaries is through
thoughtful application of resiliency principles, as outlined in a
National Infrastructure Advisory Council (NIAC) report on the grid
delivered to the White House in October 2010. I served on that council
along with a number of industry CEOs. Resiliency requires proactive
readiness for whatever may come our way and includes robustness; the
ability to minimize consequences in real-time; the ability to restore
essential services; and the ability to adapt and learn. Examples of the
NIAC team's recommendations include: 1) a national response plan that
clarifies the roles and responsibilities between industry and
government; 2) improved sharing of actionable information by government
regarding threats and vulnerabilities; 3) cost recovery for security
investments driven by national policy; and 4) a strategy on spare
equipment with long lead times, such as electric power transformers.
critical infrastructure protection (``cip'') reliability standards and
other nerc measures to address cybersecurity threats and
vulnerabilities
NERC's critical infrastructure program, including both reliability
standards and alerts, provides many tools to respond to cyber threats
and vulnerabilities. Industry, consumers, and government
representatives all participate in the NERC standards development
process and provide important expertise.
1. Reliability Standards
NERC has nine existing CIP standards that address the following
areas:
Standard CIP-001: Covers Sabotage Reporting.
Standard CIP-002: Requires the identification and
documentation of the Critical Cyber Assets associated with the
Critical Assets that support the reliable operation of the Bulk
Electric System.
Standard CIP-003: Requires that Responsible Entities have
minimum security management controls in place to protect
Critical Cyber Assets.
Standard CIP-004: Requires that personnel having authorized
cyber or authorized unescorted physical access to Critical
Cyber Assets, including contractors and service vendors, have
an appropriate level of personnel risk assessment, training,
and security awareness.
Standard CIP-005: Requires the identification and protection
of the Electronic Security Perimeter(s) inside which all
Critical Cyber Assets reside, as well as all access points on
the perimeter.
Standard CIP-006: Intended to ensure the implementation of a
physical security program for the protection of Critical Cyber
Assets.
Standard CIP-007: Requires Responsible Entities to define
methods, processes, and procedures for securing those systems
determined to be Critical Cyber Assets, as well as the other
(non-critical) Cyber Assets within the Electronic Security
Perimeter(s).
Standard CIP-008: Ensures the identification,
classification, response, and reporting of Cyber Security
Incidents related to Critical Cyber Assets.
Standard CIP-009: Ensures that recovery plan(s) are put in
place for Critical Cyber Assets and that these plans follow
established business continuity and disaster recovery
techniques and practices.
In December 2010, NERC approved an enhancement to its Critical
Cyber Asset Identification standard (CIP-002 version 4) that
establishes bright-line criteria for the identification of critical
assets. This enhanced standard was filed with FERC in February 2011 and
is currently pending FERC approval.
In addition to the development of reliability standards through
NERC's regular processes, FERC has authorized NERC to use an expedited
standards development process to meet urgent reliability issues. NERC
also has rules approved by FERC to enable the development of special
standards on an expedited, confidential basis to address imminent or
longer term national security threats.
Finally, FERC can order NERC to develop a proposed reliability
standard or a modification to a reliability standard to address a
specific matter (such as a cyber threat or vulnerability) under FPA
Section 215(d)(5). In addition, the NERC Board of Trustees may propose
and adopt a standard in response to a FERC directive if the board
determines that the regular standards process is not being sufficiently
responsive to the Commission.
Compliance with the NERC CIP standards is an important threshold
for properly securing the BPS. However, there is no single security
asset, security technique, security procedure or security standard
that, even if strictly followed or complied with, will protect an
entity from all potential threats. The cybersecurity threat environment
is constantly changing and our defenses must keep pace. Security
best practices call for additional processes, procedures and technologies
beyond those required by the CIP standards.
2. NERC Alerts
Not all vulnerabilities can or should be addressed through a
reliability standard. In such cases, NERC Alerts are a key element in
critical infrastructure protection. To address cyber challenges not
covered under the CIP Standards, NERC works through its Electricity
Sector-Information Sharing and Analysis Center (ES-ISAC) to inform the
industry and recommend preventative actions.
NERC must be able to promptly disseminate threat indications,
analyses and warnings to assist electricity-sector participants in
taking protective actions. NERC staff with appropriate security
clearances often work with cleared personnel from Federal agencies to
communicate sanitized sensitive information to the industry. As defined
in NERC's Rules of Procedure, the ES-ISAC developed the following three
levels of Alerts for formal notice to industry regarding security
issues:
Industry Advisory.--Purely informational, intended to alert
registered entities to issues or potential problems. A response
to NERC is not necessary.
Recommendation to Industry.--Recommends specific action be
taken by registered entities. Requires a response from
recipients as defined in the Alert.
Essential Action.--Identifies actions deemed to be
``essential'' to bulk power system reliability and requires
NERC Board of Trustees approval prior to issuance. Like
recommendations, essential actions require recipients to
respond as defined in the Alert.
The risk to the bulk power system determines selection of the
appropriate Alert notification level. Generally, NERC distributes
Alerts broadly to users, owners, and operators of the bulk power system
in North America utilizing its Compliance Registry. Entities registered
with NERC are required to provide and maintain up-to-date compliance
and cyber security contacts. NERC also distributes the Alerts beyond
the users, owners and operators of the bulk power system, to include
other electricity industry participants who need the information.
Alerts may also be targeted to groups of entities based on their
NERC-registered functions (e.g., Balancing Authorities, Planning
Authorities, Generation Owners, etc.).
Alerts are developed with the strong partnership of Federal
technical organizations, including the Department of Homeland Security
and the Department of Energy National Laboratories, and bulk power
system subject matter experts, called the HYDRA team by NERC. NERC has
issued 14 CIP-related Alerts since January 2010 (12 Industry Advisories
and two Recommendations to Industry). Those Alerts covered items such
as Aurora, Stuxnet, Night Dragon and the reporting of suspicious
activity. Responses to Alerts and mitigation efforts are identified and
tracked, with follow-up provided to individual owners and operators and
key stakeholders. In addition, NERC released one Joint Product CIP
Awareness Bulletin in collaboration with DOE, DHS and the FBI titled,
``Remote Access Attacks: Advanced Attackers Compromise Virtual Private
Networks (VPNs)''.
The NERC Alert system is working well. It is known by industry,
handles confidential information and does so in an expedited manner.
The information needed to develop the Alert is managed in a
confidential and expedited manner and does not require a NERC balloting
process.
NERC understands that the Congress is seeking to ensure the
cybersecurity of the electricity grid. Using standards, Alerts and
essential actions, NERC is already working with FERC and the industry
to protect the cybersecurity of the bulk power system.
nerc work with dod, dhs and doe to protect grid cybersecurity
As chair of the Electricity Sub-Sector Coordinating Council (ESCC),
I work with industry CEOs and our partners within the government,
including the Department of Defense, the Department of Homeland
Security and the Department of Energy, to discuss and identify critical
infrastructure protection concepts, processes and resources, as well as
to facilitate information sharing about cyber vulnerabilities and
threats. This type of public/private partnership is key to effective
cybersecurity protection.
Recently, I met with officials from U.S. NORTHCOM where we
discussed collaborating on various electric grid-focused activities
including participation in the 2011 SecureGrid Exercise, providing
electric sector situational awareness and collaborating on the Joint
Capability Technology Demonstration (JCTD) Smart Power Infrastructure
Demonstration for Energy Reliability and Security (SPIDERS). The latter
project is being proposed to understand how specific facilities could
develop small reliable ``micro-grids'' on a short-term or emergency
basis. Similarly, NERC is discussing a project with DOD to develop case
studies at critical military installations to further understand the
requirements for ``flow of power'' and the implications to military
readiness.
NERC is working with DHS National Cybersecurity and Communications
Integration Center to develop a Memorandum of Understanding for bi-
directional sharing of critical infrastructure protection information
between the government and the electricity sector in North America.
NERC also provides leadership to two significant DHS-affiliated public-
private partnerships. These are the Partnership for Critical
Infrastructure Security (PCIS) and the Industrial Control Systems Joint
Working Group (ICSJWG). The PCIS is the senior-most policy coordination
group between public and private sector organizations. On the
government side, PCIS comprises the National Infrastructure Protection
Plan (NIPP) Federal Senior Leadership Council (FSLC) and the State,
Local, and Tribal Government Coordinating Council (SLTGCC), as well as
the chairs of all of the other Government Sector Coordinating Councils.
On the private side, PCIS comprises the chairs of all of the private-
sector coordinating councils. The ICSJWG is a cross-sector industrial
control systems working group that focuses on the areas of education,
cross-sector strategic roadmap development, coordinated efforts on
developing better vendor focus on security needs and cybersecurity
policy issues.
NERC is engaged with DOE National Laboratories to further the level
of awareness and expertise focused on cybersecurity, especially as it
pertains to the bulk power system. We are working with Pacific
Northwest National Laboratory on the Electric Sector Network Monitoring
initiative and also on developing cybersecurity certification
guidelines for Smart-Grid Cyber Operators. In a similar fashion, NERC
is working with the Idaho National Laboratory to promote the Cyber
Security Evaluation Tool for use within the electric sector. NERC also
is partnering with the Industrial Control Systems Cyber Emergency
Response Team to share threat, vulnerability and security incident
information.
Finally, NERC is working with DOE and the National Institute of
Standards and Technology to develop comprehensive cybersecurity risk
management process guidelines for the entire electric grid, including
both the bulk power system and distribution systems. We believe this to
be particularly important with the increasing availability of smart-
grid and smart-meter technologies. While the majority of technology
associated with the smart grid is found within the distribution system,
vulnerabilities realized within the distribution system could
potentially impact the bulk power system. Everyone engaged in smart-
grid and smart-meter implementation should ensure that appropriate
security applications and technologies are built into the system to
prevent the creation of additional threats and vulnerabilities.
NERC Comments on the Discussion Draft
First and foremost, NERC has consistently supported legislation
authorizing some government entity to address cyber emergencies, as the
draft would authorize the Secretary of Energy to do.
Second, NERC strongly supports any effort to improve information
sharing between government and the private sector owners of critical
electric infrastructure. NERC especially commends the provisions of the
discussion draft directing the Secretary and the Commission to
establish procedures on the release of critical infrastructure
information to entities subject to the proposed legislation. NERC and
the electric industry can only deal with the risks they are aware of.
It is impractical, inefficient and impossible to defend against all
possible threats or vulnerabilities. Entities must prioritize their
resources to ensure they are protected against those risks that pose
the greatest harm to their assets, their business and their customers.
The electric industry is in the best position to understand the impact
that a particular event or incident could have on the bulk power
system, but the industry does not have the same access to actionable
intelligence and analysis that the government does. This lack of
information leads the industry to be, at best, a step behind when it
comes to protecting against potential threats and vulnerabilities. Too
often the industry has heard from government agencies that the threats
are real, but is given little or no additional information. This leads
to frustration among the private sector leaders who are unable to
respond effectively due to ill-defined and nebulous threat information.
NERC also appreciates the additional attention in the discussion
draft to providing security clearances, but that route will not likely
deal with the unavailability of actionable information for electricity
industry decision-makers. NERC has over 1900 entities on its Compliance
Registry; some have just a few employees and some have many thousands.
It is important to be realistic about the number of clearances that may
be made available. Of more importance is developing methods and
procedures for sanitizing sensitive information so that it can usefully
be made available to the broad range of private decision-makers who
must take action to protect against the threat or vulnerability.
The bulk of NERC's comments are directed to the draft legislation's
treatment of ``Cyber Security Vulnerabilities,'' which are something
less urgent than ``Cyber Security Threats.'' NERC appreciates that the
draft legislation proposes for the ERO to play a meaningful role in
addressing cybersecurity vulnerabilities, as the ERO now does. As
discussed above, NERC has the tools, the expertise and the
relationships with government agencies, intelligence resources and
industry subject matter experts to address identified vulnerabilities
effectively and efficiently. FERC has the authority now under FPA Sec.
215(d)(5) to direct NERC to prepare a proposed standard to address a
specific vulnerability or other matter, and to do so by a certain date.
Thus, it is not clear to NERC that the vulnerability section (proposed
new FPA Section 224(b)) is needed. If this section is retained, please
consider the following concerns:
1. FERC's jurisdiction under this bill extends to
distribution systems; the ERO's does not: The definition of
Critical Electric Infrastructure in proposed Section 224
extends to distribution systems. Section 215 does not provide
NERC with that jurisdiction. Thus, existing NERC reliability
standards and requirements cannot be as broad as FERC's
jurisdiction under the draft bill, and standards prepared by
NERC at the direction of FERC similarly cannot be as broad as
FERC's direction if FERC directs an action to protect the
distribution system. If NERC is intended to have the
same jurisdiction as FERC over the distribution system and
assets, this needs to be clarified. Without such clarification,
FERC could always find that an ERO-proposed reliability
standard ``fails to provide adequate protection of critical
electric infrastructure from a cybersecurity vulnerability''
and reject the ERO's efforts under Section 224, effectively
removing the ERO role from the vulnerabilities section.
2. Identification of vulnerability: No requirement exists in
the legislation for FERC to identify any deficiency in existing
reliability standards or the specific cybersecurity
vulnerability for the ERO to address. Without some idea of the
``target'' that FERC would like the ERO to hit, it will be
difficult for the ERO to produce an adequate set of
requirements, assuming the jurisdiction issue above is
addressed.
3. Enforceable tools in addition to standards: The discussion
draft calls for the ERO to develop a reliability standard in
response to a FERC order on vulnerabilities, but given the
constantly changing nature of vulnerabilities, not all
vulnerabilities can or should be addressed by a standard.
Currently, NERC actions other than standards are not legally
enforceable. Legislation that provides a means for both
standards and other NERC directives to be legally enforceable
would significantly enhance the cybersecurity of the grid. Such
an approach would require the involvement of both the ERO and
the Commission.
4. Due process: The discussion draft would authorize FERC to
promulgate an interim final rule without consultation or any
due process. In addition, unlike the 90-day sunset on DOE
emergency orders, there is no such limitation on FERC interim
final rules.
conclusion
NERC works with multiple agencies, industry, consumers and
government to support a coordinated comprehensive effort to address
cybersecurity. As outlined today, NERC has many tools available
including the ESCC and the ES-ISAC to address imminent and non-imminent
threats and vulnerabilities through our Alerts and standards processes.
These existing processes should be enhanced, not pre-empted, by
cybersecurity grid legislation.
We appreciate this opportunity to discuss NERC's activities on
cybersecurity with the committee and to offer our views on legislation
that would improve cybersecurity protection of the grid.
The Chairman. Thank you very much.
Mr. Owens.
STATEMENT OF DAVID K. OWENS, EXECUTIVE VICE PRESIDENT, BUSINESS
OPERATIONS, EDISON ELECTRIC INSTITUTE
Mr. Owens. Good morning, Chairman Bingaman, Ranking Member
Murkowski and other distinguished members of this committee.
As was said earlier, my name is David K. Owens. I'm
Executive Vice President at the Edison Electric Institute.
You're aware that EEI is the trade association of the U.S.
shareholder owned electric companies. Our members serve about
75-70 percent of end users of electricity. I certainly do
appreciate this opportunity to appear before you today to talk
about cyber security and critical electric infrastructure.
Now to accompany my written statement is a document titled,
``Principles for Cyber Security and Critical Infrastructure
Protection.'' Now this document was adopted by EEI's Board of
Directors last September. It demonstrated the significant
concern of our industry and our CEOs in particular, about cyber
security threats and the need to develop consensus around a
framework to improve security of the electric grid.
Now rather than me getting into all the details of
observations I've made about the bill or restating my
testimony, I'd like to leave you with 2 principal points.
I'd like to talk very specifically about the need for
coordination, planning and information sharing. I believe some
of the other witnesses, Secretary Hoffman stressed that. The
need also for clear regulatory structure that focuses resources
where they're needed.
Now all of you know cyber security is not a check the box
exercise. You can't say if we do these ten things we're not
going to have a cyber security problem. Instead cyber security
requires an evolutionary process and an ongoing dialog
involving industry and government. Now the threats that we face
daily and the mechanisms for identifying them also vary.
Sometimes a government will become aware of a threat or other
times it will be the industry or individual utilities that will
be aware of this or outside security firms or academia.
The point is that there is no perfect process for
identifying what tomorrow's threats are nor how a creative
hacker might exploit vulnerabilities. A better approach in my
view is fostering coordination and dialogs both horizontally
and vertically between industry and government. Now I know
you're probably saying well what does he mean by that?
Horizontal communication, in my view, is across--should be
across the industry and across government.
Now the electric industry, the private sector, we're
working with a lot of other utilities that serve our Nation.
We're working with public entities. We're working with
governmental entities and so forth because we all have a
commonality of keeping the lights on. So the entire electric
sector is working very closely together. That's an example of
horizontal communication.
We also have interdependencies. For example, we rely on
telecommunications industry so that we can communicate and
improve our overall day to day operations. We also use water
systems in order to cool our facilities. We use transportation
in order to move our fuel. We also look at financial markets
that fund our operations. So there's an interdependency. That's
also horizontal communication.
Now no single industry, in my view, can be considered
secure unless we're engaged in coordination across those
industry sectors. Let me talk a little bit about horizontal
communication within the government. Here I'm perfectly sure
that DOE and the FERC communicate regularly.
One agency probably has substantial intelligence about
what's occurring in the electric network and in other vital
facilities in our Nation, whereas the other agency may have the
responsibility of mandating reliability standards. But it's
critically important that those agencies work together. So in
addressing cyber security, my view is that the government
needs to consider how they engage in horizontal communications
as well.
Then there's vertical communications. The vertical
communications is the government communicating with industry
and vice versa. Now we are not in the business in the utility
industry of identifying threats, but the government is and
needs to coordinate very closely with industry. On the other
hand, we're pretty good at operating our systems and providing
reliable electric service and understanding how to address
potential vulnerabilities.
So I believe there's a shared responsibility. There's a
responsibility of government. There's a responsibility of
industry to work together. If we're working together then we
can provide greater security over the overall electric system.
One of the things that I've observed in terms of the
disaster in Japan was the need for planning before a crisis
occurs. Protecting critical infrastructure demands planning
both from government and from the private sector. The roles and
responsibilities need to be very clear. Now I applaud this
committee's efforts and our Congress for its deep consideration
of how we put these various pieces together to protect our
critical infrastructure.
Let me move to my second principle. I'd like to believe
that we all recognize that a risk based approach for dealing
with cyber security that is identifying assets, that make the
system vulnerable, is very, very critical. We strongly support
that.
We also recognize as well that under section 215, the
Federal Power Act, that we had mandatory and enforceable
reliability standards. We recognize that. But we also recognize
that there's a gap. That gap means that we need to have a
process where we can deal with imminent threats. We have to
separate imminent threats from potential vulnerabilities.
I see that I'm almost out of time. So I'm just going to say
this. We look forward to working with the committee in these
areas. I look forward to your questions.
[The prepared statement of Mr. Owens follows:]
Prepared Statement of David K. Owens, Executive Vice President,
Business Operations, Edison Electric Institute
My name is David Owens, and I am Executive Vice President in charge
of the Business Operations Group at the Edison Electric Institute
(EEI). EEI is the trade association of U.S. shareholder-owned electric
companies and has international affiliate and industry associate
members worldwide. EEI's U.S. members serve 95 percent of the ultimate
customers in the shareholder-owned segment of the industry and
represent about 70 percent of the U.S. electric power industry. I
appreciate your invitation to discuss the cyber security of critical
electric infrastructure and to comment on the Committee's draft
legislation.
It is almost two years since I last had the opportunity to testify
on this subject before this Committee. Since then, EEI's member
companies--along with other owners, operators, and users of the
electric grid--have continued to make cyber security a priority, while
working together to make our critical infrastructure more resilient. In
fact, EEI is part of a broader coalition of electric power stakeholders
working on these issues. While I am not officially testifying on its
behalf, this coalition includes several major trade associations
representing the full scope of electric generation, transmission and
distribution in the United States, as well as regulators, Canadian
interests and large industrial consumers. Rarely do these groups find
consensus on public policy issues, but in the case of securing the
electric grid, there is unanimous support for a regime that leverages
the strength of both the public and private sectors to improve cyber
security. My testimony focuses on the value of this cooperative
relationship, the unique nature of threats to the power grid, and the
ongoing efforts of the nation's electric sector to respond to those
threats.
I also will share our analysis of the Committee's bill,
particularly as it relates to EEI's ``Principles of Cyber Security and
Critical Infrastructure Protection,'' which is attached for the record.
This document was adopted by our Board of Directors last September in
an effort to address cyber security threats and develop consensus
around a framework to improve security for the electric grid. Included
in this document, and most salient to the Committee's work today, are
the following principles the industry believes are integral to
successful cyber security policy:
Leveraging public and private sector expertise, while
including robust information sharing between government and the
private sector, as well as among other stakeholders; and,
A clear regulatory structure that focuses resources and
attention on protecting truly critical assets from imminent
threats.
public-private coordination and information sharing
Among the myriad lessons learned following the earthquakes and
tsunami in Japan is the need for dialogue and coordination before
disaster strikes. It is clear that critical infrastructure protection
is a shared cause that demands planning, as well as an understanding of
roles and responsibilities ahead of time.
Both the federal government and electric utilities have distinct
realms of responsibility and expertise in protecting the bulk power
system. The optimal approach to utilizing the considerable knowledge of
both government intelligence specialists and electric utilities in
ensuring the cyber security of the nation's electric grid is to promote
a regime that clearly defines these complementary roles and
responsibilities and provides for ongoing consultation and sharing of
information between government agencies and utilities.
Fundamentally, the private sector can be disadvantaged in assessing
the degree and urgency of possible or perceived cyber threats because
of limitations on its access to classified information. The government
is entrusted with national security responsibilities and has access to
volumes of intelligence to which electric utilities are not privy. Thus
the government is able to detect threats, evaluate the likelihood or
risk of a malicious attack, and utilize its expertise in law
enforcement. On the other hand, electric utilities are experienced and
knowledgeable about how to provide reliable electric service at a
reasonable cost to their customers, and we understand how our complex
systems are designed and operated. Owners, users, and operators of the
electric grid are in a unique position to understand the consequences
of a potential malicious act as well as proposed actions to prevent
such exploitation, including ensuring against unintended consequences
of remedial actions. It is critically important to establish a workable
structure that enables the government and the private sector to work
together in order to provide a more secure system for our customers.
Thus, the industry appreciates that the Committee's draft bill
acknowledges the need for intelligence sharing between government and
the private sector, though we believe a more robust and explicit
mandate is required.
It also is important to recognize that a strong industry
partnership with government agencies currently exists. On an ongoing
basis, the electric power industry communicates and collaborates in the
United States with the Department of Homeland Security (DHS), the
Department of Energy (DOE), and the Federal Energy Regulatory
Commission (FERC). The industry also works very closely with the North
American Electric Reliability Corporation (NERC) to develop mandatory
reliability standards, including an array of ``Critical Infrastructure
Protection'' or ``CIP'' standards. In addition, NERC, in its capacity
as the Electric Sector Information Sharing and Analysis Center
(ESISAC), uses its ``alert and advisory'' procedures to provide the
electric power industry with timely and actionable information received
from various federal agencies to assure the continued reliability and
security of the nation's electric systems.
This NERC advisory system continues to evolve and, in the time
since I last testified, has proven its ability to respond and
disseminate information successfully when responding to significant
national security events like the Stuxnet worm.
I would urge you not to reinvent the wheel, nor jump to conclusions
about the efficacy of the existing cyber security regimes. The
mechanisms in place to deal with these new and constantly evolving
threats are, themselves, evolving. It is important that the Committee
support continued participation in NERC's stakeholder-driven and
FERC-approved standards and development process, which will yield mandatory
CIP cyber security standards for the bulk power system that are clear,
technically sound, and enforceable.
Finally, I would add that simply creating mechanisms for
information sharing and public-private coordination is only part of the
solution. Those lines of communication must be developed at the highest
levels of both government and industry, and then drilled on a regular
basis to ensure that, in times of crisis, those with relevant
information and operational expertise can communicate seamlessly,
quickly and, when needed, securely.
clear, focused regulatory structure
A successful cyber security framework also needs to focus on
protecting truly critical assets from imminent threats. There is a
security axiom that states: if you try to protect everything, you
protect nothing. Put another way, risk-based prioritization ensures
both government and private sector resources are allocated wisely.
The distinction between imminent threats and vulnerabilities is an
important one. Threats, by definition, constitute an emergency, while
vulnerabilities might be exploited at a later date, providing time to
determine the best way to respond to them.
EEI agrees that it is appropriate for this Committee and Congress
to consider legislation providing federal energy regulators new
authority to address emergency cyber security threats. I want to
emphasize, however, that current law already provides the means to
address the many non-emergency cyber security issues in the electric
industry. Section 215 of the Federal Power Act (FPA), which this
Committee helped develop and which was enacted by Congress as part of
the Energy Policy Act of 2005, provides for the Electric Reliability
Organization to establish mandatory and enforceable electric
reliability standards, specifically including standards to address
cyber security, under FERC oversight. Chairman Bingaman and other
Senators on this Committee should be commended for their work on
enacting Section 215 and other efforts to ensure the reliability of the
electric grid.
The basic construct of the relationship between FERC and NERC in
developing and enforcing reliability standards is sound. In summary,
NERC, using a well-defined stakeholder process that leverages the vast
technical expertise of the owners, users, and operators of the North
American electric grid, develops reliability standards, which are then
submitted to FERC for review and approval. In approving such standards,
FERC is to give ``due weight'' to the technical expertise of the ERO.
Once approved by FERC, these standards are legally binding and
enforceable in the United States. Any stakeholder, including FERC, may
request that a standard be developed to address some aspect of
reliability, expressly including cyber security.
I suggest the question on which the Committee should focus is,
``What additional authority should be provided to federal energy
regulators in order to promote clarity and focus in response to
emergency situations?'' Legislation in this area should complement, not
supplant, the mandatory reliability regime already established under
FPA Section 215. Any new federal authority should be appropriately
narrow and focused only on unique problems that cannot be addressed
under Section 215. The Section 215 mandatory reliability framework
reflects years of work and broad consensus reached by industry and
other stakeholders in order to ensure a robust, reliable grid. It
should not be undermined so early in its implementation.
While the open stakeholder processes used for developing
industry-wide reliability and critical infrastructure protection standards
admittedly are not well-suited to emergencies requiring immediate
mandatory action with confidential handling of information, the vast
majority of cyber security issues do not rise to the level of national
security emergencies. Rather than creating broad new federal regulatory
authorities that could undermine the consensus-driven policy framework
developed through years of stakeholder input and memorialized in
section 215, legislation should be focused on addressing a relatively
narrow set of potential threats that legitimately merit special federal
emergency authority.
Because of its extraordinary nature and potentially broad impacts
on the electric system, any additional federal emergency authority in
this area should be used judiciously. Legislation granting such
authority should be narrowly crafted and limited to address
circumstances where the President or his senior intelligence or
national security advisors determine there is an imminent threat to
national security or public welfare.
Also, the Committee draft provides DOE and FERC with parallel
authorities to address cyber security threats and vulnerabilities,
respectively. The Committee's draft could be clarified and strengthened
by providing for a single agency to take expedited actions based on
advice or information from the President or intelligence agencies.
To further focus efforts on those threats that have the potential
to do the greatest harm, any new authority also should be limited to
truly critical assets. Over-inclusion of electric utility
infrastructure would be counterproductive; efforts to maintain and
enhance the cyber security of the nation's critical electric
infrastructure should focus first on the critical facilities that, if
not protected, could cause substantial disruption to the nation's
electric grid.
Any new legislation giving additional statutory authority should be
limited to true emergency situations involving imminent cyber security
threats where there is a significant declared national security or
public welfare concern. In such an emergency, it is imperative that the
government provide appropriate entities clear direction about actions
to be taken, and assurance that those actions will not have significant
adverse consequences to power operations or assets, while at the same
time avoiding any possible confusion caused by potential conflicts or
overlap with existing regulatory requirements.
build security into the grid
A separate but equally important component of grid security is to
ensure that manufacturers of critical grid equipment and systems are
adequately fulfilling their security responsibilities by adopting good
security practices in their organizations, building security into their
products, and establishing effective programs so that, as new
vulnerabilities are discovered, they can inform customers and provide
technical assistance with mitigation. As grid technologies continue to
evolve, they inevitably will include greater use of digital controls.
Congress recognized the potential cyber security vulnerabilities, as
well as benefits, that could result from greater digitization of the
grid when it directed DOE to study these issues in Section 1309 of the
Energy Independence and Security Act of 2007.
As new smart grid technologies are developed, it will be imperative
for the industry to work closely with vendors and manufacturers to
ensure they understand that cyber security is essential so that cyber
security protections are incorporated into devices as much as possible.
EEI is encouraging the development of a security certification
program and expansion of National Lab involvement to provide
independent testing for new grid components. Such a program would help
utilities differentiate among different vendor solutions to select
those that provide appropriate cyber security.
ferc ``interim final rule'' authority
Under the Committee's draft legislation, FERC is to determine
whether the current NERC reliability standards are ``adequate to
protect critical electric infrastructure from cyber security
vulnerabilities.'' Under Section 224(b)(6)(C), any interim rule FERC
enacts would stay in effect until NERC develops a reliability standard
or modification that ``the Commission determines provides adequate
protection to critical electric infrastructure from the cyber security
vulnerability addressed by the interim final rule.''
Since NERC reliability rules apply only to the bulk electric
system, FERC would have unilateral authority to write rules without
input from the NERC stakeholder-driven process to establish technical
standards. And, with no hearing or prior notice required before making
the rule immediately effective, we are concerned about the lack of due
process for stakeholder input. It would be desirable to at least have
some requirement for FERC to consult with industry if time permits,
similar to the consultation language in other parts of the bill.
ferc and doe emergency procedure authorities
Having both FERC and DOE able to designate critical electric
infrastructure introduces confusion and potential duplication. The lack
of procedures or specific criteria for designating critical electric
infrastructure is also problematic. It is unclear how, or if, an entity
could challenge a designation by DOE under the general review
provisions of the FPA.
conclusion
With thousands of entities operating a single complicated,
interdependent machine like the electric grid, the intra-industry
coordination undertaken by the electric sector under the auspices of
NERC has been invaluable.
There also are interdependencies not just within the electric
sector, but across other critical infrastructure. For this reason, it
would be preferable for Congress to take a comprehensive, multi-sector
approach to legislation. Electric utilities, for example, rely on
telecommunications systems to operate the grid, pipelines to fuel our
generation, and wholesale markets to sell our product. Should any of
these critical sectors be compromised, the electric grid would be
impacted as well. The interconnected nature of critical infrastructure
prevents us from claiming victory unless a comprehensive approach is
taken. I understand this Committee's jurisdiction and interest focus
specifically on protecting the electric grid, but would urge you to
work with the appropriate congressional committees to address cyber
security more holistically.
That said, while many cyber security issues already are addressed
under current law, we believe it is appropriate to provide federal
energy regulators with explicit statutory authority to address cyber
security in a situation deemed sufficiently serious to require a
Presidential declaration of emergency. In such a situation, the
legislation should clarify the respective roles, responsibilities, and
procedures of the federal government and the industry, including those
for handling confidential information, to facilitate an expeditious
response.
Promoting clearly defined roles and responsibilities, as well as
ongoing consultation and sharing of information between government and
the private sector, is the best approach to improving cyber security.
Each cyber security situation requires careful, collaborative
assessment and consultation regarding the potential consequences of
complex threats, as well as mitigation and preventive measures, with
owners, users, and operators of the bulk power system.
EEI and its member companies remain fully committed to working with
the government and industry partners to increase cyber security. EEI's
commitment to such coordinated efforts is illustrated by the broad
coalition of industry stakeholder associations that continue to work
together on these matters.
I appreciate the opportunity to appear today and would be happy to
answer any questions.
Attachment.--EEI Principles for Cyber Security and Critical
Infrastructure Protection
September 9, 2010
background
Protecting the nation's electric grid and ensuring a reliable
supply of power is the electric power industry's top priority. Cyber
security incidents may disrupt the flow of power or reduce the
reliability of the electric system. Key to the success of this effort
is the ability to provide measures capable of protecting the evolving
intelligent network against interruption, exploitation, compromise or
outright attack of cyber assets, whether the attack vector is physical,
cyber or both.
The electric power industry takes cyber security threats very
seriously. As part of the industry's overall reliability effort,
electric companies work to maintain the reliability and the security of
the computers, control systems, and other cyber assets that help
electric companies operate the electric grid. In response to the cyber
threat, electric companies employ various strategies to protect these
systems, but cyber security threats still exist.
addressing cyber security threats
Reliability is more than a slogan for the electric utility
industry--it's a mandate. In fact, federal and state regulators have
significant interest and statutory authority in ensuring electric
companies provide adequate reliability. Thus, utilities take very
seriously their responsibility to address cyber vulnerabilities and the
security of the computers, control systems, and other cyber assets that
help operate the electric grid. This focus on reliability, resiliency
and recovery takes into account an all-hazards approach, recognizing
risks from natural phenomena such as hurricanes or geomagnetic
disturbances to intentional cyber attacks.
Protecting the grid from cyber attacks requires a coordinated
effort among electric companies, the federal government, and the
suppliers of critical electric grid systems and components. Electric
companies work closely with the North American Electric Reliability
Corporation (NERC) and federal agencies to enhance the cyber security
of the bulk power system. This includes coordination with the Federal
Energy Regulatory Commission (FERC), the Department of Homeland
Security (DHS), and the Department of Energy (DOE), as well as
receiving assistance from federal intelligence and law enforcement
agencies.
To complement its cyber security efforts and to address rapidly
changing intelligence on evolving threats, the industry embraces a
cooperative relationship with federal authorities to protect against
situations that threaten national security or public welfare, and to
prioritize the assets which need enhanced security. A well-practiced,
public-private partnership utilizes all stakeholders' expertise,
including the government's ability to provide clear direction and
assess threats, while owners and operators of the critical
infrastructure propose mitigation strategies that will avoid
significant adverse consequences to utility operations or assets. At
the same time a constructive regulatory environment will assure that
incremental investments to protect the grid are prudent, and reduce
risk in a manner proportional to the cost.
protecting the grid is a shared responsibility
1. Prioritize Assets to Ensure Effective Protection
Recognizing that there are a variety of interdependencies, and
potential consequences associated with the loss of different
facilities, the utility industry supports a risk-based, prioritized
approach that identifies assets truly critical to the reliable
operation of the electric grid. This ensures the most important
elements of our system receive the highest level of attention, as well
as the resources necessary to secure them.
2. Threats Require Emergency Action; Vulnerabilities Should Be
Addressed More Deliberately
In this context, a threat is imminent and requires a rapid
response. In these instances, the industry is willing to accommodate
certain operational consequences in the interest of addressing the
threat. Vulnerabilities, on the other hand, have a longer time horizon
and can benefit from a more measured response. Government authority
should reflect and respect these different levels of danger.
3. Clear Regulatory Structure and Open Lines of Communication
The Federal regulatory framework and roles for all stakeholders
involved in securing the electric grid should be clear to avoid
duplicative or conflicting actions in times of crisis. The electric
utility industry is not in the law enforcement or intelligence
gathering business, and the government has limited experience operating
the electric grid. Thus, each should be consulted, and the flow of
information should be regularly exercised, before a threat becomes a
crisis. It is critical that the federal government and industry
communicate with each other seamlessly; to avoid confusion, those at
the highest levels of government and industry should be involved in
coordinating responses and declaring the need for emergency action.
4. Proactively Manage New Risks
As the new Smart Grid develops, it is essential that cyber security
protections are incorporated into both the grid architecture and the
new smart grid technologies. The electric power industry must continue
to work closely with vendors, manufacturers, and government agencies
and be aligned with emerging and evolving cyber security standards
(such as those being driven by NIST) to ensure that the new technology
running the grid is, most importantly, secure and reliable. We
encourage the development of a security certification program that
would independently test smart grid components and systems and certify
that they pass security tests. This certification process would help
utilities select only those systems that provide appropriate cyber
security.
5. Committed to Protecting Bulk Electric System and Distribution Assets
The utility industry understands that cyber attacks affecting
distribution systems could have broader implications. Since
jurisdiction is split between state regulators and the Federal Energy
Regulatory Commission, the utility industry supports enhanced threat
information coordination and communication between regulatory agencies
and utilities to protect our systems (whether distribution or the bulk
electric system) while also honoring the existing regulatory model.
6. Cost Recovery and Liability Protection
Costs associated with emergency mitigation are, by definition,
unexpected and thus not included in a utility's rate base. To ensure
emergency actions do not put undue financial strain on electric
utilities, the industry supports mechanisms for recovering costs. In
addition, electric utilities support liability protections for actions
taken under an emergency order.
The Chairman. Thank you very much.
Mr. Tedeschi, go right ahead.
STATEMENT OF WILLIAM TEDESCHI, SENIOR SCIENTIST, SANDIA
NATIONAL LABORATORIES, ALBUQUERQUE, NM
Mr. Tedeschi. Good morning, Chairman Bingaman, Ranking
Member Murkowski and distinguished members of the Senate
Committee on Energy and Natural Resources. Thank you for the
opportunity to testify. I am William Tedeschi, Senior Scientist
and Licensed Professional Engineer at Sandia National
Laboratories, a multi program, national security laboratory. I
am honored to be here today with the Honorable Patricia Hoffman
of the United States Department of Energy, Joe McClelland of
the Federal Energy Regulatory Commission, Gerry Cauley of the
North American Electric Reliability Corporation and David Owens
of the Edison Electric Institute.
Sandia is one of the 3 national Nuclear Security
Administration Laboratories with responsibility for stockpile
stewardship and annual assessment of the Nation's nuclear
weapons. Within the U.S. nuclear weapons complex, Sandia is
uniquely responsible for the systems engineering and
integration of the nuclear weapons and the stockpile and for
the design development and qualification of non-nuclear
components of nuclear weapons. While nuclear weapons remain
Sandia's core mission the science and technology and
engineering capabilities required to support this mission
position us to support other aspects of national security as
well. Indeed there is natural increasingly significant synergy
between our core mission and our broader national security
work.
This broader role involves research and development and
non-proliferation, counter proliferation, counter terrorism,
energy security, defense and homeland security. My statement
today will focus on the risk of nuclear electromagnetic pulse
threats against the U.S. power grid and the potential need to
harden the grid against such threats. I am a subject matter
expert, nuclear weapons system and effects including
electromagnetic pulse threats and in assessing the risks posed
by such threats.
I will first refer to the results of a recent technical
peer review of 7 reports focused on the topic of this
testimony, a peer review that a Sandia team of experts provided
to the Federal Energy Regulatory Commission.
Then I will present the view of the Sandia team on the risk
of nuclear electromagnetic pulse attacks and the potential need
to harden the U.S. power grid against them.
We commend the Federal Energy Regulatory Commission and the
authors of the 7 reports on evaluating the impact of nuclear,
high altitude, EMP pulse threats to the U.S. power grid for
their comprehensive work which represents an excellent start on
modeling a very complex problem. However we respectfully
suggest that further computational and experimental work is
required before fully informed decisions can be made about
where and to what extent the power grid should be hardened
solely against nuclear, high altitude, electromagnetic pulse
threats. If the decision is made to protect the power grid
against a broader set of more likely electromagnetic pulse
threats including solar geomagnetic and electromagnetic
interference threats then an awareness of nuclear, high
altitude, EMP environments in effect, should also be
considered.
From an integrated risk perspective the Sandia team
considers nuclear, high altitude, electromagnetic pulse threats
to be a remote likelihood. Also, the true extent of the grid's
susceptibility and vulnerability to such effects and the
resulting consequences are mostly unknown. Except for the
apparent worst case environments and assumptions made in the
reports that the Sandia team, peer review, evaluated.
The Sandia team recommends that this complex problem be
studied in more depth in order to include results from
additional computer based simulations and experimental testing
specifically under nuclear, high altitude, electromagnetic
threat conditions.
How do high voltage transformers and their protection and
control elements respond to the range of induced current
insults?
If they fail, how do they fail and at what level of insult?
Answering such questions would provide critical data to
enable better understanding and validation of results by
advancing a complete understanding of all the risk elements as
well as quantification and reduction of uncertainties in order
to fully inform decisions that may be made about hardening the
U.S. power grid.
We suggest that a graded hardening approach be
considered whereby selective hardening could be accomplished
easily and cost effectively in combination with addressing new
and emerging threats to the grid, for example intentional
electromagnetic interference. Also by further evaluating the
consequence of electromagnetic pulse attacks on mission
critical U.S. installations and functions, for example
important U.S. war fighting or continuity of operations.
Specific sites may be identified that may require selective
electromagnetic pulse hardening.
This concludes my prepared remarks. I would be pleased to
respond to any questions. Thank you.
[The prepared statement of Mr. Tedeschi follows:]
Prepared Statement of William Tedeschi, Senior Scientist, Sandia
National Laboratories, Albuquerque, NM
introduction
Chairman Bingaman, Ranking Member Murkowski, and distinguished
members of the Senate Committee on Energy and Natural Resources, thank
you for the opportunity to testify. I am William Tedeschi, senior
scientist and licensed professional engineer at Sandia National
Laboratories. Sandia is a multiprogram national security laboratory
owned by the United States Government and operated by Sandia
Corporation\1\ for the National Nuclear Security Administration (NNSA).
---------------------------------------------------------------------------
\1\ Sandia Corporation is a subsidiary of the Lockheed Martin
Corporation under Department of Energy prime contract no.
DE-AC04-94AL85000.
---------------------------------------------------------------------------
Sandia is one of the three NNSA laboratories with responsibility
for stockpile stewardship and annual assessment of the nation's nuclear
weapons. Within the U.S. nuclear weapons complex, Sandia is uniquely
responsible for the systems engineering and integration of the nuclear
weapons in the stockpile and for the design, development, and
qualification of nonnuclear components of nuclear weapons. While
nuclear weapons remain Sandia's core mission, the science, technology,
and engineering capabilities required to support this mission position
us to support other aspects of national security as well. Indeed, there
is natural, increasingly significant synergy between our core mission
and our broader national security work. This broader role involves
research and development in nonproliferation, counterproliferation,
counterterrorism, energy security, defense, and homeland security.
My statement today will focus on the risk of nuclear
electromagnetic-pulse (EMP) threats against the U.S. power grid and the
potential need to harden the grid against such threats. I have been
employed at Sandia National Laboratories for 26 years, where I have
done engineering work on the U.S. nuclear stockpile and have assessed a
broad range of foreign threats to U.S. national security assets and
infrastructures. I am a subject matter expert in nuclear weapon systems
and effects, including EMP threats, and in assessing the risks posed by
such threats. Part of this expertise came from Sandia having
technically supported the congressionally mandated EMP Commission from
2002 to 2008 through targeted EMP testing of a whole range of
electronic equipment, assessments of water- and financial-system
infrastructure susceptibility, and targeted writing assignments. I was
the program manager for that work. My testimony starts with a
description of a recent technical peer review of seven reports focused
on the topic of this testimony, a peer review that a Sandia team of
experts provided to the Federal Energy Regulatory Commission;
thereafter, the testimony puts forward the view of the Sandia team on
the risk of EMP attacks and the potential need to harden the U.S. power
grid against them.
major points of this testimony
It is the belief of a Sandia team of experts that
1. Nuclear high-altitude electromagnetic-pulse (HEMP) attacks
against the U.S. power grid are of remote likelihood.
2. The susceptibility of the power grid to EMP attacks is not
well characterized and should be further addressed with
computer-based simulations and experimental testing in order to
understand all the risk elements, quantify and reduce
uncertainties, and thus fully inform decisions that may be made
about the U.S. power grid.
3. Possible approaches to mitigating electromagnetic threats
to the U.S. power grid could be graded hardening, whereby
selective hardening would be accomplished easily and cost-
effectively while addressing new and emerging threats to the
grid, or selective hardening for protection of some critically
important U.S. nodes.
electromagnetic pulse (emp) threats to the u.s. power grid
Sandia Team Provided a Technical Peer Review for the Federal Energy
Regulatory Commission
The Federal Energy Regulatory Commission (FERC) recently requested
Sandia to do a peer review of seven reports (more than 700 pages in
length) on electromagnetic threats to the U.S. power grid and on
possible actions for mitigating such threats. A team of six subject
matter experts (including myself) in EMP threats and effects, including
damage susceptibility and consequences, conducted this work. Included
in the team were two members with significant expertise in modeling
national infrastructures and their interdependencies. Our assessment
and recommendations do not constitute a position of or an endorsement
by Sandia National Laboratories. Rather, they represent the conclusions
the team reached after conducting a technical service Sandia is
frequently called upon to perform for national security purposes. The
team's high-level observations and findings were threefold:
The reports are comprehensive, and the authors' knowledge
about the U.S. power grid design and operations, as well as
solar-induced and nuclear high-altitude EMP (HEMP)
environments, is impressive.
The work represents an excellent start on modeling a very
complex problem, but it is not yet complete and, in our view,
should not be the basis for any short-term national decisions
on whether and to what extent to harden the U.S. power grid
solely against nuclear HEMP threats.
Further study of this complex problem is recommended in
order to include computer-based simulations and experimental
testing to better understand, validate, and add to the existing
work so that a complete understanding of all the risk factors
and associated uncertainties can be obtained to support ongoing
decisions.
Some additional general comments about the reports that the Sandia
technical peer review team provided to FERC include the following:
The identified threats appear to be worst-case nuclear HEMP
threats, but no details are provided to indicate the seriousness and
plausibility of such threats or what might be the full spectrum of
possible HEMP threats. Not all nuclear bombs are created equal;
technical details matter--details not only on the potential severity of
nuclear HEMP effects, but also on the likelihood of such threats ever
materializing. Further elaboration on this aspect is warranted but must
be done in a classified setting.
Numerous assumptions are made about the nuclear HEMP environments'
coupling efficiency into the exposed power grid and about the
susceptibility of key system elements and the upset or damage that
might occur to those key elements (that is, protective features,
control systems, and the high-voltage transformers). Few to no data and
only a few referenced citations and limited technical analysis are
offered to buttress the assertions made. Many assumptions are also made
about the power grid and the type and implementation of its equipment.
The power grid referenced in the reports as the ``normal grid design''
is portrayed without any information about validation from utilities.
Assumptions about age, design, and failure thresholds of transformers
introduce additional uncertainty and are based on limited samplings of
transformers of a particular type and from a clear source. All the
assumptions point to large uncertainties in the output results and
interpretations from the model; therefore, statements on the number of
``at-risk'' transformers and the severity of the regional damage should
be viewed as illustrative only. More modeling and simulation and
experiments to characterize the response space of these key elements
are recommended.
Finally, in our team's view, the reports' assessment of possible
effects on the U.S. power grid as a result of nuclear HEMP attacks is
too negative, based on a series of compounded, apparently worst-case
assumptions. The reports lack discussion of the effect of possible
uncertainties and mitigators on the results.
More detailed and specific technical comments were submitted to
FERC for its consideration, and those can be provided upon request.
sandia team's position on electromagnetic pulse (emp) threats to the
u.s. power grid
Background on Nuclear High-Altitude EMP (HEMP) Threats: Effects,
Damage, and Hardening
Nuclear EMP effects at Earth's surface are created by nuclear bomb
explosions high inside the atmosphere (at an altitude of 40-100
kilometers) and in near outer space (from 100 kilometers to hundreds of
kilometers above Earth's surface). According to publicly available
information, both the United States and Russia experienced and
characterized this class of nuclear weapon effects in the early 1960s
during their high-altitude nuclear tests. The type and yield of the
bomb and the altitude at which it is detonated primarily determine the
strength of the EMP effects at ground level. Once the nuclear bomb's
parameters are defined, predicting nuclear HEMP environments with
computer-based models is a well-established capability in the United
States.
The hostile nuclear EMP environment is created by the gamma-ray
output (as well as x-rays and bomb debris for exo-atmospheric bursts)
from the nuclear explosion (the ``source'') and the subsequent electron
generation and dynamics within the atmosphere and magnetic field
perturbations outside the atmosphere. Nuclear bomb explosions at high
altitude in the atmosphere and in near-Earth space create three
distinct components of EMP threats that are characterized by the
timeframe over which they occur after the burst (from nanoseconds to a
microsecond, from microseconds to a second, and from a second to many
minutes). These electromagnetic threats are termed the E1, E2, and E3
components of nuclear HEMP. Each EMP threat component has different
electric field strengths (typically ranging from kilovolts per meter
for E1 to volts per kilometer for E3) and frequency content (ranging
from many hundreds of megahertz to many hertz) that ultimately
determine how much current is ``coupled'' into which parts of the
exposed power-grid infrastructure elements, and whether or not that
component will be temporarily or permanently disabled.
The EMP waves travel downward (or ``propagate'') to the ground at
the speed of light, exposing objects to the EMP threat waveforms. The
amount of damage, if any, to the exposed electronics (for example, grid
control centers and supervisory control and data acquisition, or SCADA,
elements) and objects (such as transformers) connected to long
electrical conductors (such as long power and copper communication
lines) depends on how much energy in the form of induced electric
current couples into the object or item that was exposed to the EMP.
The added current going into an exposed electronic component or item of
electrical equipment represents an ``insult,'' over and above the
normal operating conditions within the component that can then cause an
upset or burnout of the object. The U.S. nuclear EMP effects community
has the computational ability to model the created EMP threat waveforms
from the source and propagate them down to the ground and thereby to
exposed objects. This community is also generally able to calculate how
much current is induced in exposed conductors (for example, long lines)
and well-defined discrete objects (such as buildings and electronics
boxes). However, the more complicated the exposed object's design and
geometry (for example, the design and geometry of a transformer), the
more difficult it is to computationally model the induced current.
Therefore, experiments are also conducted to help characterize the
induced, or coupled, current insults as a complement to computational
modeling approaches.
The ultimate response of the exposed component or subsystem depends
on the magnitude of the incoming current insult (how many amperes and
over what timeframe). Sometimes, the high current insult burns out a
sensitive device or circuit inside the exposed object, and the item is
then permanently damaged. That is, the component will no longer work,
and it would need to be replaced with a new component before system
functionality and operability could be restored. For more moderate
incoming current insults, local heating is generated inside the object
because of current dissipation, and the local heating can have a
temporary disruptive effect. Once the generated heat inside the object
is dissipated, the object can return to normal functionality, but
sometimes this return to functionality occurs only after human
intervention to power down and power up the object. If the incoming
current insult is low and not significant, the object can absorb the
current insult and continue operating as designed. If the component is
simple (for example, an electrical circuit or device), we can model the
response of the exposed object to the current insult and thus determine
whether it would be upset or damaged. However, many electrical
components, subsystems, and even integrated systems have complex
designs and constructions, and therefore we must resort to a
combination of computer-based models and experimental test-based
approaches to understand their response to the EMP-caused current
insults. For complex, interdependent linked systems, such as the U.S.
power grid, it is essential that computational and experimental
modeling approaches be combined in order to verify and validate that
the correct problem is being modeled and acquire the right level of
confidence in the results.
Once an electronics-based device, component, subsystem, or system
has been fully characterized to nuclear HEMP threats and has been found
to be susceptible or vulnerable to the EMP-induced current insult,
adverse effects (such as temporary or permanent failure) can be
mitigated in several ways. One would want to consider mitigating the
adverse effects, especially if that component is a critical element in
a larger networked system. A common approach for mitigation is to
harden the exposed object(s) against the EMP threat using a range of
well-established design hardening techniques, such as Faraday-cage
shielding, grounding, filters, fast-acting current shunt devices, and
responsive control systems to manage the effects that could start to
cascade across a larger network of linked objects. If hardening against
EMP effects is done early in the design definition and development
process, before manufacturing, it can be added in the easiest and most
cost-effective manner. The designer must know ahead of time the
expected nuclear HEMP threat environments and the required level of
hardness for the exposed component or subsystem needed for continued
operation after the EMP attack.
The U.S. electric power grid contains some level of inherent
hardness to the three nuclear EMP components. E1 (the high-frequency
component) corresponds to electromagnetic interference threats from
nearby transmitters (for example, cell-phone, radar, TV, and Wi-Fi
transmissions), and electromagnetic compatibility standards are
followed to protect against such electromagnetic threats. The E2 (mid-
frequency) component corresponds to the EMP from nearby lightning
strikes, which the power grid is already protected against. Finally, E3
(the low-frequency component) corresponds to solar-induced geomagnetic
storms and the resultant ground-induced current threats, which the
power grid is already resilient against to a degree and is more
resilient against in some northern latitudes.
A key unanswered question remains: How much more severe would the
full range of possible nuclear-driven E1, E2, and E3 components be, and
what level of protection would the existing power grid have against
HEMP effects generated by a nuclear detonation? The answer depends, in
part, on the type, yield, and detonation altitude of the nuclear bomb
that produces the HEMP effects, the real-world orientations of power
grid elements relative to the detonation, any inherent shielding
properties of the exposed infrastructure elements, and the robustness
of the exposed elements to withstand the EMP insult. More computer-
based modeling and simulation, as well as experimental testing, would
provide a basis for a more complete understanding of the response of
the power grid to a HEMP attack and of the specific hardening measures
to be considered for addition to the grid.
As new technologies are studied, developed, and added to the power
grid (such as smart grid monitoring and control), being aware of and
considering the evolving threat space (for example, intentional
electromagnetic interference) and natural environments (such as
variations in solar geomagnetic storm intensity) that could affect the
performance and reliability of the new technologies may offer
opportunities to add some level of inherent hardness against specific
nuclear HEMP environments.
Assessing the Risks Posed by Nuclear High-Altitude EMP (HEMP) Attacks
In assessing the risk posed by nuclear HEMP attacks, we use the
classical risk equation, where risk is expressed in terms of likelihood
(or probability) of the attack, susceptibility (or vulnerability) to
the hostile environments created by the attack, and consequence (or
system-level impact) as a result of the attack.
In the Sandia team's view, the likelihood of a nuclear HEMP attack
occurring above the United States is very remote. The advanced nuclear
weapon states have had the capability to do significant damage against
the United States and our power grid for many decades, but they have
been and hopefully will continue to be deterred from such attacks by a
strong U.S. strategic deterrent. Some argue that terrorists who might
someday gain possession of a nuclear device can conduct a similar type
of attack and generate the same amount of damage. According to the
team, the assertion that terrorists can use a nuclear warhead in a
crippling HEMP attack against the United States is not credible, and
the likelihood of something like that happening is low. More detailed
explanation can be provided in a classified venue.
In terms of actual susceptibility of the power grid to nuclear HEMP
effects, the limited available data on damage effects make it difficult
to know what will precisely happen to exposed elements across the grid,
especially to the large high-voltage transformers. Given the amount of
investment associated with potentially hardening against EMP effects,
additional computational analysis and testing are needed for higher
confidence in whether and to what extent exposed elements are
susceptible to any temporary or permanent EMP damage effects. While
computer modeling work to date has been extensive on the induced
currents on exposed power lines, very few experimental data exist on
how the exposed grid elements (the controllers, protective devices,
high-voltage transformers, etc.) would actually respond to higher than
normal currents. Highly instrumented testing of key power-grid
components to E1 and E3 threat insults is recommended and should
include characterizing how failures (physical damage) occur and at
which insult levels they occur. Such data would help validate existing
power-grid models, reduce inherent uncertainties about the amount of
damage induced, and provide more confidence in the results.
Finally, not enough data exist to confidently assess the extent of
any power-grid outages from a nuclear HEMP attack and the amount of
time needed for recovery. Several real-world examples have been studied
of how the grid might respond to E3-like effects (for example, the
March 1989 Hydro-Quebec grid collapse due to a severe solar geomagnetic
storm and the August 2003 power outage in the Northeastern United
States), and table-top exercises have been developed on how utilities
would find and fix the resultant EMP-induced damage and bring the grid
back online after a certain period. However, one can only
parametrically evaluate the impact of nuclear E1 and E3 attacks because
we do not know the level and extent of damage that would actually
occur. If additional data were to become available on E1 and E3 damage
effects and lethality levels of critical power-grid components, then
the basis would exist for more-confident U.S. power grid simulations of
the extent and magnitude of damage and the resultant recovery times.
summary and conclusions
From an integrated ``total'' risk perspective, the Sandia team
considers nuclear HEMP threats to be of remote likelihood. Also, the
true extent of the grid's susceptibility and vulnerability to such
effects (be they temporary, permanent, or even not present) and the
resulting consequences (damage extent and period they would be lasting)
are mostly unknown, except for the assumed worst-case environments and
assumptions made in the current nuclear HEMP threat studies that the
Sandia technical peer review team evaluated. We commend FERC and the
authors of the studies for their excellent work to date on evaluating
the impact of EMP threats to the U.S. power grid. However, we
respectfully suggest that more computational and experimental work is
required before fully informed decisions can be made about where and to
what extent the power grid should be hardened solely against nuclear
HEMP threats. If the decision is made to protect the power grid against
a broader set of likely EMP threats, including solar geomagnetic and
electromagnetic interference threats, then an awareness of nuclear HEMP
environments and effects should also be considered.
The Sandia technical review team recommends that this complex
problem be studied in more depth in order to include results from
additional computer-based simulations and experimental testing.
Specifically, under nuclear HEMP threat conditions, how do high-voltage
transformers and their protection and control elements respond to the
range of induced current insults, and if they fail, how do they fail?
Answering such questions would provide critical data to enable better
understanding and validation of results by advancing a complete
understanding of all the risk elements, as well as quantification and
reduction of uncertainties in order to fully inform decisions that may
be made about the U.S. power grid. We suggest that a graded hardening
approach could be considered, whereby selective hardening could be
accomplished easily and cost-effectively, in combination with
addressing new and emerging threats to the grid (for example,
intentional electromagnetic interference). Also, by further evaluating
the consequence of EMP attacks on mission-critical U.S. installations
and functions (for example, important U.S. war fighting or continuity
of operations), specific sites may be identified that may require
selective EMP hardening.
The Chairman. Thank you all very much. Let me start with a
few questions here.
Mr. McClelland, your testimony, as I understand it is, that
the Commission's legal authority is inadequate and that the
draft legislation that we've prepared addresses many of those
issues. Can you be more specific as to the ones we are not
adequately addressing?
Mr. McClelland. The draft legislation provided the
Commission with the ability to address vulnerabilities rather
than wait until there was a designation that there was an
imminent danger. The legislation allows the Commission to
address the vulnerabilities. We believe from the read that it
also addressed a situation where it may not be appropriate or
it may not be possible to wait for the ERO to develop a
standard to address a specific issue.
For instance a particular threat against a utility or a
grouping of utilities that serves a particular military base.
There may need to be some interim action that they take. It
wouldn't necessarily be applicable to other utilities.
We believe from the read that we have that the Commission
wouldn't have to wait until the ERO made a designation about a
particular standard or attempted to craft a particular standard
to address that circumstance. The Commission would be able to
move directly to address that issue.
The Chairman. You're giving us an example here.
Mr. McClelland. Yes.
The Chairman. Where the draft does give you, in your view,
the authority that you would need to deal with a situation. Are
there instances where you think the draft fails to give you the
authority you need to deal with particular situations?
Mr. McClelland. No, not in particular. There are areas
where the Commission does not have authority under 215. Some of
those exclusions, for instance, for allowing Alaska and Hawaii
continue. But the draft does address that circumstance in
another manner.
Except, I guess, the point would be that if it addresses--
if it allowed the Commission to address vulnerabilities. If it
allows the Commission to reach beyond the definition of bulk
power system. If it allows the Commission to address EMP and
non cyber aspects, then it would address the issues that I
raised in the testimony.
The Chairman. OK.
Ms. Hoffman, did you have any comment on any of this?
Ms. Hoffman. No, I don't have any comment.
The Chairman. OK. Let me ask on this EMP thing because I
heard your testimony, Mr. McClelland. You were talking about
EMP generally, as I understood it.
You had this particular reference in here which I thought
was pretty startling where you say that the study has been done
assessing the 1921 solar storm which has been termed a one in
100 year event. Applying that, what happened in that 1921 solar
storm to today's power grid. The study concluded such a storm
could damage or destroy up to 300 bulk power system
transformers interrupting service to 130 million people for a
period of years.
That's very different than what Mr. Tedeschi was referring
to. As I understand it he's talking about the electromagnetic
pulse problem which could be created by a nuclear blast
intentionally by someone. I guess I'm just unclear.
You think you don't have the authority to take the
appropriate or to require the appropriate hardening to deal
with either of those circumstances? Is that what I understand?
Mr. McClelland. The Commission's authority is coupled
through the Standards Development Process. The Standards
Development Process is too slow. It's too unpredictable. It's
too open to address national security threats.
So the Commission may order a standard be returned on a
particular matter. But it can't be prescriptive or specific. It
can't write the terms of the standard. It can only turn the
standard over to the ERO for standards development.
The Chairman. OK. So I think, I believe Mr. Owens made the
point that there are 2, sort of, parts of this problem we're
trying to deal with.
One is the problem of potential vulnerabilities. That would
be the electromagnetic pulse issue.
Then there's the other part of it which is the potential of
imminent threats and the ability of the Commission to act or
the ability of anyone to act quickly to deal with immediate
imminent threats.
You're basically saying that you believe something like
what we've got in draft form here is essential to shore up the
ability of the government to deal with both sets of problems?
Mr. McClelland. Yes. It would allow the Commission to
address a sophisticated and targeted attack or an event aside
from the Standards Development Process. That's right.
The Chairman. OK.
Senator Murkowski.
Senator Murkowski. Thank you, Mr. Chairman.
Just to follow on to the questions here. I direct this to
you, Mr. Tedeschi. When we're talking about the EMP attack or
geomagnetic disturbances, these are not new in the sense that
we're just now learning of them.
So given the knowledge, given what we have in terms of the
potential for these types of disruptions. What have we done to
date in order to protect the grid? I'll ask you and then if
others can step up here.
Mr. Tedeschi. Senator, I would just suggest that the
geomagnetic threats mimic part of the nuclear EMP threat space.
The geomagnetic threats do occur with regularity. The severity
of those is ongoing in terms of our scientific understanding.
Those threats have manifested in the past.
There are examples where elements of the grid have gone
down. The utility owners, NERC, FERC, others, have responded to
those. In some cases, added some of a hardening against the
geomagnetic EMP threats.
Our view on the nuclear electromagnetic threats there's the
component that mimics the geomagnetic threats that it's a very
low likelihood of occurrence. So from our perspective if the
utilities, if NERC, FERC, the legislation, allow DOE and others
to harden against the geomagnetic threats, which are real and
do occur. That that will provide an inherent level of hardness
against nuclear EMP threats if those were to occur someday.
But I think others are more able to answer the question of
likelihood and the severity.
Senator Murkowski [presiding]. Ms. Hoffman.
Ms. Hoffman. Part of the problem is a natural progression
over time. Some of the older transformers may have some
weaknesses in them that make them more vulnerable to any sort
of event. Some of the newer transformers in use have a stronger
capability to withstand certain incidents.
Part of the discussion and the investigation that needs to
take place is what level of protection do we want to require
transformers and the electric grid to have, what level of event
should they be able to withstand? Do we want to protect against
the 1921 event with very high induced currents or do we want to
actually look and say here is a median level of event which the
industry should progress to protect against with respect to
transformers, with respect to harmonics on the electric system.
So a lot of this discussion comes down to the parameters that
we should be building the technology to withstand.
That's the direction I think the conversation is evolving
toward.
Senator Murkowski. Mr. McClelland, did you want to go
ahead?
Mr. McClelland. Sure. There are operational procedures in
place today where if the industry is alerted then they can take
precautions to go in the more conservative operations to
protect equipment. The problem is though that we haven't seen a
1921 event.
A 1921 event, we found from our assessment, could be
catastrophic in nature to the grid itself. So the question
would be not so much as to what level we dampen to, but can we
block all events. The answer we think is, yes.
But there's still some work to do as Mr. Tedeschi pointed
out. We still need to identify the proper equipment. Test the
equipment. Then move for mitigation against these events.
Then we wouldn't have to worry about whether we have a 25
year event, a 50 year event, a 100 year event. If we block it,
it's taken care of. It's an automatic mitigation method. We
don't have to rely so much on human intervention to save the
grid in a circumstance like that.
Senator Murkowski. Thank you.
Mr. McClelland. But to also answer your question directly.
There's been very little, if any, hardware mitigation that's
been put on to protect from say, solar magnetic disturbances on
the grid.
Senator Murkowski. Thank you.
Mr. Cauley, you want to finish it up?
Mr. Cauley. Thank you. I really think that Mr. Tedeschi's
testimony hits on the issue of sorting out the key issues.
We're focused at NERC and I think working with the industry to
resolve the solar magnetic, geomagnetic issue.
We did have a major storm in 1989 that blacked out Quebec.
I think the industry learned from that. There was a lot of
equipment hardening in the northern latitudes where it's more
of an impact.
I think as we look at the risks of a larger storm we have
to ask ourselves, you know, how much further down into the
continent would it extend. So we are working to upgrade notice
procedures, advance warning systems and also doing engineering
studies. If we did the hardening, as being suggested here, it
will affect other issues like clearing of electrical faults and
the dynamic behavior of the system.
So we have to study it. Be very careful about changing the
system in a way that does not cause harm in other ways. So
we're focused now on this solar magnetic and geomagnetic
disturbance issue right now.
Senator Murkowski. Thank you. My time is up.
I just want to ask very quickly. Is there a greater
incidence of the solar magnetic, electromagnetic in the
northern altitudes?
Mr. Cauley. Yes. The impact, depending on the--it's a very
dynamic situation. But if the pulse hits the Earth's magnetic
field that the disturbances most severely affected in the
northern latitudes. So the larger the pulse from the sun, the
further down it can extend into the middle latitudes of the
United States.
Mr. McClelland. May I just quickly add to that? Our study
did consider the likelihood of a solar magnetic disturbance
over Winnipeg, Manitoba versus Minneapolis, Minnesota found
that they were equally likely to occur. In fact if it happens
over Minneapolis, Minnesota the number of bulk power system
transformers that could be damaged/destroyed reaches over 1,000
rather than 368 which was on the Winnipeg, Manitoba incidents.
So it can center. But it can also--it can move around. We
just don't know where it will be. We don't know when it's going
to happen again. We just know with certainty that it will
happen again. It's inevitable.
Mr. Owens. May I add to this conversation just very
briefly?
I do agree in what they're demonstrating is there's no
perfect solution. Mr. McClelland made a reference to the
potential destruction of 300 transformers as he related back to
the prior major solar activity that we had in 1921. One of the
things that we're seeking to do in the industry, we're working
very closely with NERC is to harden our systems, create
redundancy in our systems.
With respect to transformers, we are making sure we have
spare transformers. We have a very substantial spare
transformer inventory that the industry, for several years, has
been committing resources to because we recognize how critical
the transformers are. If you lose a transformer it takes a
while to restore service.
So we're working to make sure we have this redundancy in
our transformers. There are other elements, critical elements
of our network as well that we're looking at. But there's no
perfect solution.
It's very important that you have the redundancies and the
hardening of the system. But it's equally important that you're
able to restore service as quickly as possible.
Senator Murkowski. Thank you all. I am way over time. I
apologize to my----
The Chairman [presiding]. No problem.
Senator Burr.
Senator Burr. Thank you, Mr. Chairman. As interesting as
EMPs and solar magnetic pulse is, I'm going to try to stay away
from that.
As the only member here today of the Intelligence
Committee, I'm going to try to focus on the realities of the
threat that's out there and maybe the options that we have. Ms.
Hoffman, what analytical assets does the DOE have to identify
any intelligence threats?
Ms. Hoffman. The intelligence cyber threats comes through
the Department, Office of Intelligence shop, not through our
organization, the Office of Electricity. We coordinate with our
intelligence office as well as with DHS.
Senator Burr. The analytical work for what the DOE receives
is from multiple sources.
Ms. Hoffman. Yes.
Senator Burr. It comes from DOD. It comes from DHS. It
comes from NSA which is part of our problem.
Now Mr. Cauley, if I understood your testimony correct,
NERC currently has direct contact with the intelligence
community. Is that correct?
Mr. Cauley. That's correct, Senator Burr, with multiple
agencies.
Senator Burr. So you're part of that intelligence loop
right from the analyst?
Mr. Cauley. Those are primary sources that we use to get
information to industry to take actions. We have, myself, top
secret clearance and others on staff have clearances to receive
that information.
Senator Burr. OK.
Mr. McClelland, where does FERC currently get their
intelligence from?
Mr. McClelland. We get our intelligence from DOE, CIA, NSA
and DHS.
Senator Burr. OK. How many people have the security
clearance to say, sit down with CIA to get information from
them?
Mr. McClelland. We have 3 people in our organization that
have SCI clearance. I couldn't give you the specific number,
but we have several more that have TS clearance. All of our
chairman and all commissioners have TS clearance.
Senator Burr. Under the joint draft, FERC would be
authorized to develop standards to address cyber security
vulnerabilities for utility generation, transmission and
distribution. Who currently has jurisdiction over the
distribution system?
Mr. McClelland. The States do.
Senator Burr. Under this would that then supersede the
existing authority?
Mr. McClelland. I think the way the legislation is written,
I think the Commission would have the ability to write cyber
security or non cyber standards for distribution.
Senator Burr. Let me ask an open question. Why should we
give FERC, who is the economic regulator of markets,
jurisdiction over distribution?
Mr. McClelland. Section 215 of the Federal Power Act gave
FERC jurisdiction over both cyber security and reliability
standards.
Senator Burr. I realize we did. Understand that today. We
were very early into sort of the threat----
Mr. McClelland. Right.
Senator Burr. Generation that we're in now. Personally if I
had it to do over again, I'd love to see the focus of this on
how we remove the authority that we gave to FERC. Because I
believe as a country right now, we're--we've got the authority
in too many different places to be responsible for a threat
stream that by the time these agencies are notified, quite
frankly, it may be too late for the immediacy of a threat. I
was more impressed with Mr. Owens' answer, even though it was
on EMP and solar magnetic.
The industry is making the advances that they need to to
respond, to get back up and running. The NERC, if we need to
look somewhere, I guess our question should be what additional
authority do you need to do what you're currently doing versus
to bring anybody else new into the process of mapping out a
pathway forward for the infrastructure and its integrity?
Mr. Cauley, I'm giving you an opportunity. What do you
think?
Mr. Cauley. If that's a question, Senator Burr. I did point
out in my testimony that the one gap that I sense right now is
if there is an imminent threat or vulnerability and we need
industry to take action then we do not have the ability to make
enforceable directives to industry. That has to be done very
carefully.
I'm not an operator. Mr. McClelland is not an operator. We
don't want to order the industry to take an action that has
risky consequences.
Senator Burr. If you were to take an action or if we were
to give you the authority over distribution and you made
determinations under the guidance of cyber vulnerability. Who
pays for it? Who pays for that?
Mr. Cauley. The rate payers.
Senator Burr. Rate payers. Let me just suggest to you
regardless of how we move forward. Let's consider the fact that
the rate payers are going to pay for this. We don't have the
luxury of doing everything that one might think we should do to
protect ourselves.
I would only say this as a member of the committee, you
can't do enough things to protect us 100 percent from the
threats that are out there. So let's recognize the fact that
there's got to be some consideration on cost and a big
consideration on who pays for it.
Mr. McClelland.
Mr. McClelland. I wanted to say one other thing to revisit
the point that you had before about distribution. The problem
with distribution is that if there are 2 way communications
between distribution and say, the bulk power system. You know
from your experience that any time there's 2 way communication
there's a chance for corruption. Currently there are 50, say
50, different agencies maybe looking at cyber security, maybe
not.
We've got wide scale deployment of smart grid equipment
that depends on 2 way communication. So all I'll say is
regardless of where that authority falls there is a gap in the
authority. Is a significant gap that comes to cyber security.
Thanks for----
Senator Burr. I appreciate that comment. This would be a
personal observation with what we don't know today. I'm more
encouraged to slow down the implementation of smart grid
technology until we learn the things that we need to learn to
implement it with a great deal of confidence.
Thank you.
The Chairman. Senator Udall just arrived, but he has
indicated that he would like Senator Lee to go ahead with his
questions before he does questioning. So go ahead.
Senator Lee. Thank you, Mr. Chairman. Thanks to all of you
for joining us here.
The joint staff draft would give authority to DOE and FERC
or a combination of the 2 of them to order electric utilities
and others to take action to avert imminent danger that could
stem from an imminent cyber security threat. If what we're
talking about is cyber terrorism does it make sense to put that
authority in any of the agencies that deal with intelligence?
For example, the intelligence agencies that are gathering the
information that would signal this sort of a threat or does it
make more sense to put it in a Federal regulatory agency that
deals specifically with energy?
Ms. Hoffman. To begin with, the approach has to be
comprehensive. It has to involve both FERC and DOE, in fact the
whole government. The intelligence agencies do a very good job
in analyzing the information. The operators are the folks that
actually look at the operations of the systems will be best to
help develop the mitigations and the solutions.
From my perspective it's a partnership that's required.
Senator Lee. Is this, following up on Senator Burr's line
of questions. Is this something that necessarily needs to be
Federal? Is this something that could not be done on a State by
State basis with State regulators working in concert with
Federal authorities? In other words from a regulatory
standpoint should the regulator be Federal or should the
regulator be State?
Mr. Owens. I might seek to respond to that, Senator.
I think you have to make a distinction between an imminent
threat and a cyber vulnerable assets. With respect to an
imminent threat it makes sense to me to believe that you need a
Federal agency that sees that intelligent information. So you
can act decisively.
I spoke earlier about the need for horizontal
communication. So it means that the FERC, as an example, and
the Department of Energy and the Department of Homeland
Security, all those agencies, those who have intelligence about
the imminent threat and those who have the understanding and
the authority to order a change in operations. They should be
working collaboratively.
When you look at the issue of a cyber vulnerability, a
critical asset, that takes more time because what you want to
do is you want to make sure that you've hardened the system and
you've prevented a potential cyber disaster in the future. That
requires coordination with the industry. It requires complete
coordination with the government agencies are affected.
Where it gets real controversial or difficult is if you
suggest that all assets need to be looked at by one Federal
agency. When we recognize that we also have State bodies that
look at these issues. It seems to me a very clear way to do
this is to make sure that there's that vertical dialog between
the Federal Government and the State agencies, who daily deal
with these issues as well.
They deal with cyber threats at the distribution level.
They work very closely with their local law enforcement
agencies. They work closely with the FBI. They're very much
aware of some of these threats that are involving their local
utilities.
What I believe is important to make sure is we don't have a
gap. I don't believe we have a gap. I think those agencies are
taking on their responsibilities very forcefully. I believe
those agencies, those State agencies are working very closely
with the Federal Government in trying to understand what those
imminent threats are and the actions that have to be taken.
So I would encourage us not to give the impression that the
State agencies aren't doing their job because they are.
Senator Lee. Mr. McClelland, I wanted to follow up on a
different issue with you. You referred to the fact that if we
had another 1921 style event that it could knock out, did you
say 300 transformers?
Mr. McClelland. Over 300. It could affect over 300
transformers, 368 is the exact number.
Senator Lee. Potentially affecting how many customers?
Mr. McClelland. 130 million customers.
Senator Lee. I think I heard you say that some of those
could be affected over a 10-year period is----
Mr. McClelland. No. Yes, they could be affected. There
could be service interruptions for over a 10-year period.
Senator Lee. That's simply because it could take that long
in order to restore all the equipment that would be destroyed
by the one event.
Mr. McClelland. Right. The bulk power system transformers
are typically about a 52-week or 1-year lead time. They're not
produced in the United States anymore. We are dependent on
other Nations to bring them forward.
There is an existing queue of transformers that need to be
built. Developing Nations such as China are using lots of those
slots in the queue, the ordering queue for those transformers.
Senator Lee. OK. Is there anything we could do in that
circumstance to shorten that time period? I mean, I assume we
could ramp up production of those.
Mr. McClelland. Yes.
Senator Lee. Faster, so you're presupposing that were--that
our production rate would be roughly what it is now.
Mr. McClelland. Right. We could attempt to attract
manufacturers to the United States. We could ask for expedited
delivery. Perhaps pay some fee to have expedited recovery. But
there's not a lot more than that.
The transformer capacity is the capacity. So other people
would have to get out of the queue, stand aside, for us to have
those units built. Even then the throughput of those
facilities is limited.
Senator Lee. OK. I assume it's not pragmatically plausible.
I'd say it's not possible or practicable to produce a
transformer that is immune from this sort of pulse.
Mr. McClelland. There are blocking devices that can be
employed. The devices are not widespread though. They haven't
been deployed.
So there are conceptual ideas that we've seen. They need to
be prototyped and tested. I'm an electrical engineer having
spent almost 27 years in the business. My recommendation would
be to automatically block this on the most susceptible or most
critical elements of the bulk power system so we don't need to
stand in line after a solar magnetic disturbance to wait for
transformers.
Senator Lee. OK.
Mr. McClelland. One thing, if I could just revisit very
quickly. FERC is more than an economic regulator. My office has
about 135 employees. Most of those employees are electrical
engineers with advanced degrees with vast experience in the
electric utility industry.
Senator Lee. OK.
Mr. McClelland. So we do have expertise with----
Senator Lee. Just going to the technological expertise
within your agency that could qualify you to----
Mr. McClelland. To deal with----
Senator Lee. Deal with these situations.
Mr. McClelland. To deal with new section 215. That's not to
minimize what DOE or what the industry does. But it is to
fairly represent what we do at our agency.
Senator Lee. Thank you. That's all.
Mr. McClelland. Thank you.
Senator Lee. Thank you, Mr. Chairman.
The Chairman. Senator Udall next and then Senator Hoeven.
Senator Udall. Thank you, Mr. Chairman. Good morning to all
of you.
This is an important and timely hearing, and I want to
acknowledge the leadership of the ranking member and the
chairman. I sit on the Armed Services committee. I sit on the
Intelligence Committee. I sit on this committee.
This is a truly complicated challenge for us. There are
many entities and agencies involved. But all of that doesn't
lessen the threat. I think the longer we delay obviously the
more we may experience an incident that we will regret.
The military is moving aggressively toward islanding some
of their facilities. Because I think they see that as a
necessity. So my appeal to all of you and all of us is to focus
on this and truly get something done in the near, near future.
In that spirit, hope there's a bit of positive thrust in that
spirit.
But I want to turn to the Secretary and Ms. Hoffman. In the
report just last month, April 2011, McAfee and the Center for
Strategic International Studies, CSIS, stated that the
``adoption of security measures continues to grow,'' but
``unlike threats and vulnerabilities, adoption of new security
measures is improving at a snail's pace.'' Do you think that
characterization fairly describes our Nation's electric
industry?
Ms. Hoffman. The adoption of technologies is slow.
First of all we have to look at the availability of new
technologies to address security issues. The cyber security
environment is changing on a real time basis. The capabilities
of the adversary are also changing. But it takes time to deploy
new technologies, and the electric industry tends to follow a
longer timeline with respect to transferring out older
technologies and bringing new technologies in.
So there are several factors compounding an already complex
issue. What we need to do is enable technologies to be upgraded
in a more timely fashion. We also need to continue to test new
technologies. We also need to build a stronger work force so
that as we move forward we can get better adoption of the
technologies into the system.
Senator Udall. Do we need to call--I know we do this in
this town, but a summit of all the stakeholders and look at
that Gordian knot sitting in front of us and all maybe, put our
hands on the sword and cut through it? My concern is that we
continue to point fingers in every single direction. Nothing is
really going to happen until we're forced to react.
That's not the right position to be in.
Ms. Hoffman. We need to continue to have dialogs to get
ahead of the game. It comes down to understanding what are the
priorities for the issues we need to address, analyzing are we
actually complete in our strategies, and whether there are any
gaps with respect to protecting the system.
Then we need to make sure that there's a comprehensive look
at what the impact and the costs are of implementing new
strategies and solutions.
Senator Udall. Mr. McClelland, if I might turn to you.
Could there be circumstances where FERC ought to have the
capacity to just order measures first rather than work through
the ERO?
Mr. McClelland. Yes. I think there could be. I really think
that those circumstances should be very limited and should be
emergency type circumstances.
There may be a particular instance where CIA or DOE or DHS
uncovers an attack vector of vulnerability that could be
exploited. Something like Aurora, maybe there's not enough
information to show that it's an imminent danger. But it's
certainly a viable vulnerability. The facility that would be
interrupted would be critical.
It may not be applicable then to everyone else. But that
entity may need to go to a heightened state of readiness. They
may be what we would term in case of emergency break glass
scenario where they disconnect remote operations at some
facility for some period of time.
There could be limited circumstances like that where a
standard wouldn't be appropriate. But it would be very
important to FERC to move quickly if it's given this authority,
to order those mitigation measures to work with the affected
entity to get those in place.
Senator Udall. I want to give Mr. Cauley a chance to
comment.
But I would add this observation. I serve in the U.S.
Senate. We have 50 States represented here. We can be very
decentralized. We can be very focused on our own regional or
State interests. So I have some sympathy for the challenges
that you face. But I appreciate your comments in this regard
too.
Mr. Cauley. I think there is a need, Senator, for some, as
Mr. McClelland is suggesting, some ability to get information
and actions out to industry quickly. But I don't know of any
one place or any one authority who is the smartest on the
planet, who knows the right answers all the time. Can issue
that order without any risk. So I would encourage whatever we
end up with that there be the opportunity for consultation with
those who have to be involved in that decision.
I think the perception that's been painted that the
industry really hasn't done anything and is slow is a false
one. I'd encourage any of you in your own States to go visit
your local utility control center who fall under our standards.
You will have a hard time getting in. You certainly won't
touch any of their computers. They'll ask you for devices that
you have on you. It's like going into a government facility.
So I don't think the industry likes to advertise how secure
they--all the work they've done to secure our systems. But
there is a lot of work going on.
In our standards we've found--this number may be corrected,
but at least 1,500 violations of cyber security standards. So
we are actively out there beating on this day in and day out.
Folks are fixing it. So it's not like we're standing still.
Senator Udall. Thank you.
The Chairman. Senator Hoeven.
Senator Hoeven. Thank you, Mr. Chairman.
I'd like to follow up on Mr. Cauley's statement. Ask each
of you just--and I'm trying to get a sense of consistency or
where there's differences in your opinion. How secure is our
system? Is it secure? Is it very secure? Is it secure or do you
think it needs significant improvement?
I am looking for kind of like say, following on your
statements saying that boy there's a lot of work being done.
Generally I get the sense you feel the system is secure. What
is everybody's opinion in that regard?
Ms. Hoffman. I will first say it depends on what we're
securing against--from known issues where we can share the
information with the industry or unknown issues.
Senator Hoeven. Let's just start with a cyber attack of
some kind. Somebody trying to put in a worm or some type of,
you know, software attack of some kind to disrupt the system.
Ms. Hoffman. There is a level of security out there
already. Yes.
Senator Hoeven. That's pretty, kind of, noncommittal, so.
Ms. Hoffman. OK.
Senator Hoeven. So we're secure or?
Ms. Hoffman. We're secure to a point. There are
vulnerabilities with human interface, so that if it's a worm or
some human interaction continues to perpetuate that.
Senator Hoeven. Recently the Israelis developed a cyber
attack on the Iranian nuclear power development system. Could
that type of worm be put into our system and disrupt power
supply in the United States?
Ms. Hoffman. I don't have the specific details on those
worms. So I can't give a very good analogy to that specific
example. The issue is there's always room for improvement.
What we need to do is to react quickly, be very quick on
our feet, be able to deal with any sort of event that comes
out. The industry needs to react quickly to the event. One of
the things we need to do is to provide for information exchange
so that we can act quickly. That is the capability we need to
go after.
Senator Hoeven. If the Secretary of Energy has the ability
to intervene in that type of event or concern that that type of
event occurs. How is that decision made? How do they intervene?
Ms. Hoffman. With respect to the Secretary of Energy, under
the Cyber Space Policy Review, there is a national incident
management process under development in the Federal Government.
DHS has a national cyber security control center that we all
participate in within the energy sector. ISAC also participates
in that.
When a cyber event occurs, the information is shared. Next
a coordination group is formed that identifies the potential
impacts and consequences and the potential mitigation
solutions.
Senator Hoeven. So then if each of you would just comment
in terms of what you perceive that risk to be whether it's a
high risk or whether we have strong security in place that
would mitigate it and our ability to react.
Mr. McClelland. Really when you're talking about as many
utilities as you are, you're talking about absolute worst
practices up to absolute best practices. So it depends on the
entity that's defending and it depends on the entity that's
attacking.
But with that said, if my personal level of confidence is
not high. Because if the government agencies can't protect
against a sophisticated Nation-State threat, advanced
persistent threats that we've seen. I don't think that
individual utilities will be able to.
As tightly interconnected as the utility system is, it
doesn't take much. It doesn't take many penetrations or many
disruptions of pieces of equipment to cause profound analogies
within the interconnections themselves.
Senator Hoeven. Our ability to react in the event of that
type of an attack?
Mr. McClelland. Again, it depends on the piece of equipment
that's attacked. If it's a large generator, critical size
generator and if it's a simultaneous attack on several of those
facilities, those generators can take years to construct and
put into service. So prolonged outages or prolonged disruptions
or prolonged cases of reduced output, could be possible.
Mr. Cauley. Senator, the challenge you're hearing in the
responses, I think the answer is both. I think systems are
secure at a baseline level. I think there's the training.
There's the tools, the procedures.
The challenge is there are threats that exceed the normal
capability and awareness of a civilian infrastructure. That's
where the interplay between the Federal Government, who has
intelligence of emerging threats and actors who would do things
coordinated wide area attack on physical facilities, a very
wide coordinated cyber attack that we're not aware of. But the
practices, the normal prudent practices, I would say the
industry has a handle on those. Those are things they're aware
of.
It's the emerging things from threats that we don't have
sufficient tools at this point that we would like to make sure
there's a good coordination between government and industry.
What is it we're seeing? How can we respond and react to
those kinds of things?
Mr. Owens. I think he said it well. It requires, as I was
stressing earlier, tremendous coordination involving the
government and industry. We've hardened our systems. But as was
said earlier, there's no perfect system.
We have to be able to restore service quickly if there's an
outage. We have isolated assets that we think are very critical
that provide some cyber vulnerability working very closely with
NERC and with the Federal Energy Regulatory Commission. It was
mentioned earlier about the new technology called modernizing
the grid or the smart grid.
We're making sure that the equipment that we're installing
to make that grid much smarter, that they're high cyber
standards that have to be met by the vendors and the
manufacturers. So it's an evolutionary process. It's not a
static process.
Our systems are not perfect. We are building redundancies.
But again, there's still a lot of work that needs to be done.
But it requires complete coordination between industry and
government.
Senator Hoeven. Sir?
Mr. Tedeschi. Senator, I am not a cyber expert. So I must
defer on answering the question.
Senator Hoeven. Alright. Thank you.
The Chairman. Let me ask about one other issue that's come
up in the testimony that some of you've presented here. That is
the whole issue of authority over the distribution systems. As
I understand it we've got FERC's authority is under the Power
Act is over the bulk power system. We're trying to also deal
with this cyber security threat in terms of the distribution
systems because the whole thing is integrated.
Let me just ask you, begin with you, Mr. McClelland, as to
what your thought is as to what has been proposed in our draft
to extend the authority to the distribution systems and what
should be proposed and whether what we've got here is the right
solution or whether there should be a different solution.
Mr. McClelland. I can comment on what's been proposed. Then
I can also comment on what might happen if there's no
distribution system protection.
What's been proposed, as I read it, is an emergency
authority to address a vulnerability that would have a profound
impact on the critical infrastructure of the United States, a
strong impact. That authority would have to be used very
judiciously, very infrequently. So it would not be a normal
authority, but it would be an authority where say a smart grid
installation is proceeding and millions of meters have the
ability to provide a denial of service to some critical bulk
power system facility.
At least in my personal opinion, that may trigger that
authority to be used. Without an authority over distribution
though, it would be up to 50 States to determine their policies
as to how the cyber security might or might not work. It may
not be consistent. It may mean that distribution systems would
have to be treated as a non trusted source.
So from a verification, from a communication standpoint
with cyber security, it would be placed in an outside realm. It
would also mean that there would be no protection afforded to
them by any sort of a Federal program, a Federal standards or a
Federal jurisdictional program.
The Chairman. OK. Mr. Cauley, I think you have testimony in
here about concerns that we would be in this draft extending
jurisdiction, the FERC jurisdiction, to the distribution
systems while your organization would not be able to extend any
of your activities in that area. Am I understanding that right?
Mr. Cauley. Yes, Mr. Chairman. Without taking a particular
position about whether distribution should be included in the
legislation or not, there are some concerns.
First off, I think our standards and the programs that we
have in place work well to achieve the reliability and security
of the bulk power system. The question is do we want to extend
now that same protection to the distribution system I think was
a policy question that I won't weigh in on. But if it were the
case where FERC had authority that was beyond that of NERC I
think it would be at all times we could be looked at as being
deficient because our standards don't extend out to the
distribution area.
So the point I made in the written testimony was I think to
the extent we're going to cover cyber security between NERC and
FERC I think the jurisdiction should be consistent between us.
The Chairman. But you don't think this distinction that Mr.
McClelland is making between authority over to put in place
standards to guard against potential vulnerabilities, that's
one set of authorities.
A separate set of authorities is to take immediate action
to deal with an imminent threat. You don't think it's
appropriate that FERC have authority in that second area
without NERC also having authority in that second area?
Mr. Cauley. I think it's beneficial to have alignment with
our--between the FERC and the NERC. As our process--essentially
when we send out alerts or actions it goes out to the same
companies. It goes out to individual companies that operate
both transmission and generation and distribution.
So I think we would make the situation more complex and
more difficult if we had, sort of, fractured jurisdiction.
The Chairman. OK.
Mr. Owens. May I respond to that too, Senator?
The Chairman. Sure. Go right ahead.
Mr. Owens. I would again go back to a distinction. For an
imminent threat that puts our national security at risk, that
puts our economic security at risk, I think it's very
appropriate that the government act decisively and
deliberately. That means Federal Government in close
coordination amongst the various agencies that have
intelligence information as well as the industry.
So I think that's a no brainer that we've got to act
decisively to protect our society and our way of life and
prevent disruptions. When we're looking at the issue of
vulnerability, of potential vulnerability, of an asset that
could lead to a cyber disruption that could affect our society,
I think it's grey. That area gets very grey.
Where it gets grey is we know that the States already are
dealing with that issue. I think that's what Mr. Cauley spoke
to. I would have great difficulty if we said let's give FERC
that authority and let them have that authority permanently to
begin to develop standards that impact the distribution level,
recognizing that we already have States that are intimately
involved in these activities.
A standard implies that you have to make changes in
investments, in your resources and so forth. There's a cost
associated with that. Those State commissions have a
responsibility of looking at those costs and the impact on
consumers.
So I'd have great difficulty suggesting that we give FERC
permanent authority over distribution assets when we already
recognize the States have a vital role in this area. I think it
would add tremendous confusion.
The Chairman. But I don't think that's what we're doing. As
I understand what the draft does and what I thought I
understood Mr. McClelland to say was that we would be giving
FERC authority to take action to deal with imminent threats in
the distribution system.
Mr. Owens. I have no difficulty with that.
The Chairman. OK. So that's the limited authority. We're
not saying from now on FERC has authority to set standards in
the distribution system.
Mr. Owens. OK.
The Chairman. I don't believe. Is that a correct
understanding?
Mr. McClelland. I think there is a distinction here that's
important to point out. So and I wouldn't argue with Mr. Owens'
point. But there are 2 authorities.
One is for an imminent danger that goes to the DOE.
One is to address a vulnerability that could provide, you
know, an impact, a negative impact on a critical
infrastructure.
The difficult piece of this is to try to define imminent
danger. In a cyber security realm--I mean it's not as difficult
if someone is setting up an intercontinental ballistic missile.
You can look by satellites to see the launch pad.
For cyber security it may be a nondescript building with
100 people attempting to probe the system. So as long as the
threshold isn't so high, imminent danger can be a very high
threshold to prove. It may in fact mean that an attack is
underway or there is already a problem that begins to
materialize.
So that's the distinction that I think that we would all
wrestle with.
The Chairman. OK.
Senator Murkowski.
Senator Murkowski. Let me just follow on to that. Because
it was my understanding that OK, we're in agreement that when
we're talking about the imminent threats it's DOE that has that
authority. They don't need to wait for anyone here.
But with the less time sensitive vulnerabilities this is
where FERC has that jurisdiction. But you have that stakeholder
process with ERO under section 215 that says the stakeholders
go first. So the concern that has been expressed and I'm not
quite sure whether it was intentional, whether it was drafting
error, where we are.
But what I understand has happened with this. With the text
that we're dealing with is that we may be in a situation here
where FERC is able to bypass that stakeholder process with--
which is not the intention. FERC could actually bypass and then
effectively direct what the standards may be for--at this local
level which I don't think is what we intended it to do.
So the question then becomes do we need to clarify this
within the draft language so that we do not effectively allow
for that bypass. That it is clear that that stakeholder process
has the authority to go first, if you will. Do we need to
resolve within the language this discrepancy? Because it sounds
like the chairman and I are both a little bit foggy on what it
actually does. It sounds like a pretty critical piece of what
we're trying to resolve here.
Mr. Cauley.
Mr. Cauley. I think there could be some clarification as I
had suggested in my testimony. I think the Commission has
authority today to direct us to do a very specific standard and
achieve a very specific outcome. If similar language is sort of
repeated in this new legislation I think it would be very
beneficial if it did provide for the Commission to give us a
specific objective, a problem we're trying to solve and give an
opportunity for the process to work.
One of the difficulties I see with having a vulnerability
section separately is the line between what we're calling
vulnerabilities and threats is a very nebulous line.
Vulnerabilities can come out today. A premise be made that this
is a vulnerability we need to solve in a week in the area of
safety and reliability doing standards fast is not usually one
of my first objectives.
My first objective is to get it right and solve a problem.
I think that carries over to nuclear safety, airline safety.
It's not about being fast.
That's where I suggest that our ability to issue a
mandatory emergency directive whether it be for a vulnerability
that has now just popped up or an imminent known threat coming
in from an intelligence agency. I think we need to strengthen
our ability to get those directives and immediate actions out
and have them have teeth and have some enforceability with
that. So----
Senator Murkowski. So are you suggesting that we should not
have this bifurcation between the vulnerability and the
imminent threat?
Mr. Cauley. I think it's an artificial one to be honest. I
think to the extent that a vulnerability is an enduring
vulnerability like a solar magnetic disturbance is. It's here
this week. It's here next week. It's going to be here 10 years
from now. That should be handled through our standards process.
But the emergent dynamic issues that are coming up whether
you call it a threat or vulnerability need some faster
mechanism to respond to. I think that would be more
appropriately handled through directives and actions in a, sort
of in a near term basis with consultation from the entities
that have to follow those requirements.
Senator Murkowski. Mr. McClelland.
Mr. McClelland. There is a bifurcation in the bill between
imminent danger which is a threat and then vulnerability that
exposes an imminent danger. So for instance, Aurora although it
was demonstrated in a laboratory there was never any
intelligence that anyone planned to use it. So it would fall
under a vulnerability per se.
So the bifurcation once we acknowledge the bifurcation, I
personally saw it as 3 levels.
One would be the routine standards development process.
The second would be a measure to address a vulnerability
through the ERO and the stakeholder process.
A third which would be an extraordinary level which would
be something that needed to be done immediately that could not
result in a standard. A good example would be say, distribution
systems. There are no--the jurisdiction of the ERO does not
extend over distribution systems. In that regard I personally
thought it may be some sort of a targeted vulnerability that
may be temporary in nature to address a specific issue.
Without that vulnerability though, a personal perspective
is that the cyber security would be extremely difficult to
prove imminent danger. There would be no Federal agency that
has the ability, be it FERC, DOE, DHS or anyone that would have
the ability to trust but verify to compel action and make
certain that that action is taken. So from, again from a
perspective, the vulnerability in the manner in the layers that
I represented, I thought would be adequate, somewhat
extraordinary, but adequate to address any cyber security
issues.
Senator Murkowski. Thank you, Mr. Chairman.
Mr. Owens, you're shaking your head. I actually had a
question for you about the NERC alerts not being legally
enforceable. It was Mr. Cauley. You recognize that as a gap.
I'd like that addressed.
But I recognize that Senator Udall is here. Do you mind if
I just finish out my question?
Senator Udall. Go right ahead. Sure.
Senator Murkowski. I have been running over the clock for
the past 2 hearings.
The Chairman. Go right ahead.
Senator Murkowski. I'm very conscious of that.
Mr. Owens.
Mr. Owens. I think we are making it far too complicated.
Senator Murkowski. I agree. It's getting tougher instead of
easier.
Mr. Owens. Let me just try to be very simplistic in
explaining this. One side we have imminent threats. The other
side we have assets that create a vulnerability where it could
lead to a cyber breach that could be very disruptive to our
society.
On the imminent threat side I think all the panelists agree
that it requires an agency that has intelligence about the
threat working with other Federal agencies and the industry to
be decisive. So irrespective of jurisdictional boundaries, it's
irrelevant. We're trying to do something to protect our
national security.
So let's do it. So that's imminent. You got to act quickly.
You got to act decisively. Let's do it. But let's make sure
that folks that operate the systems are involved in the
decisionmaking. So we make the right decisions, not a decision
that's going to lead to unwarranted circumstances.
The second area are we have some assets that were evolving,
that are evolving that now pose potential cyber risk. Some of
those assets are critical. Some of those assets are not
critical.
The critical assets we want to make sure that those
critical assets are identified. We want to make sure that the
government agencies and industry can work closely together. To
make sure that we continue to have those assets secure so they
remove that potential cyber risk.
The question becomes who has that responsibility. Should
the Federal Energy Regulatory Commission have that
responsibility exclusively on over all these critical cyber
assets or should it be acknowledged that the States have a
vital role too? What I'm saying is the States have a vital role
to the degree that some of those critical assets are suggesting
that they can lead to an imminent threat. The question becomes
should the Federal Government act decisively to deal with that.
I don't have a difficulty with that. The difficulty I have
is if the Federal Government, FERC, decides they have the
solution only and they seek to operate and deal with that
solution without having States involved and without having the
industry involved. That's what the problem is.
No single Federal agency has the wherewithal to know all
aspects of the system and how to correct it. It requires
vertical and horizontal communication and coordination. That's
where I have the difficulty with what Mr. McClelland was
saying.
Senator Murkowski. I appreciate that. I think you've laid
it out cleanly. I wish it was that neat.
Can you comment on the enforceability of the alerts and
whether or not that is a gap that needs to be addressed?
Mr. Owens. I think Mr. Cauley is correct that NERC has a
series of alerts. There are alerts that are advisory. There are
alerts that require immediate action by the industry.
He said, and I would agree with him to the degree that
there is an action that needs to be taken he needs to be able
to be decisive in that. But he also said you need to have
industry inputs. So I wouldn't quarrel with him on that.
As long as industry is involved we understand what he sees.
We share his corrective actions then I think it is appropriate
that we respond appropriately.
Senator Murkowski. Thank you, Mr. Chairman. Thank you all.
The Chairman. Senator Udall.
Senator Udall. This is getting interesting. I decline to
defer to the Senator from Alaska for continued line of
questions and answers here.
[Laughter.]
Senator Udall. But this is, I think, why we're holding this
hearing. This is very helpful. I appreciate the passion that's
being displayed.
I did want to make a comment. I know Senator Burr talked at
some length about the smart grid. I don't want to take all of
my time.
But I would ask for answers now. But I would ask the
panelists if you would in your follow on answers to questions.
Define the smart grid for us.
I think we all talk about the smart grid, but I think it's
in the eye of the beholder, and we need to do a better job
explaining to the public what the smart grid is. We need to
know as policymakers what we mean by the term, the smart grid.
[The information referred to follows:]
The digital computing, communications, and information technologies
that are transforming other areas of the economy are now being applied
to the electric system to improve performance and create a ``smarter''
grid. As described in the 2009 Smart Grid System Report prepared by
DOE, a smart grid uses digital technology to improve the reliability,
security, and efficiency of the electric system. New smart grid
functions can be implemented throughout the system, from generation
through the transmission and distribution systems and all the way to
consumers. System operations will be enhanced as a growing number of
distributed generation and storage resources are deployed and
participating customers are able to adjust their load in response to
system operating signals.
Smart grid technologies provide a secure and reliable electricity
infrastructure with the following characteristics\1\:
---------------------------------------------------------------------------
\1\ Energy Independence and Security Act of 2007, Section XIII
(1) Increased use of digital information and controls
technology to improve reliability, security, and efficiency of
the electric grid.
(2) Dynamic optimization of grid operations and resources,
with full cyber-security.
(3) Deployment and integration of distributed resources and
generation, including renewable resources.
(4) Development and incorporation of demand response, demand-
side resources, and energy-efficiency resources.
(5) Deployment of ``smart'' technologies (real-time,
automated, interactive technologies that optimize the physical
operation of appliances and consumer devices) for metering,
communications concerning grid operations and status, and
distribution automation.
(6) Integration of ``smart'' appliances and consumer devices.
(7) Deployment and integration of advanced electricity
storage and peak-shaving technologies, including plug-in
electric and hybrid electric vehicles, and thermal-storage air
conditioning.
(8) Provision to consumers of timely information and control
options.
(9) Development of standards for communication and
interoperability of appliances and equipment connected to the
electric grid, including the infrastructure serving the grid.
(10) Identification and lowering of unreasonable or
unnecessary barriers to adoption of smart grid technologies,
practices, and services.
Senator Udall. Secretary Hoffman, maybe I can turn to you
again. We've talked a lot about cyber threats here today.
There's certainly physical threats to the grid. Do you agree
that that's a vulnerability we have to consider? Could the
draft bill be improved to address the potential of physical
threats to the grid?
Ms. Hoffman. The physical threats exist, and I think
they've always existed. Because they are more familiar we have
processes in place to address them. I think the higher urgency
is trying to find a method for addressing the cyber threats.
So from my perspective the more urgent issue is actually
finding a compromise among interested parties on cyber
legislation so that we can better address the cyber issues that
are out there.
Senator Udall. Anybody else care to comment?
Mr. McClelland. Yes. Actually I can tie that to your smart
grid question too, Senator, in that as the smart grid is
deployed, smart grids become all things to all people. But
assuming that it's a 2 way communication from the meters at the
lowest level through perhaps communication back to the
generators and central dispatch, the physical vulnerabilities
also increase with the smart grid.
Good old fashioned electromechanical meters are impervious
to EMP strikes or EMP events. However, intentional
electromagnetic interference device, a hand held device would
have a profound effect, could have a profound effect on smart
grid meters. So physical also plays into where the grid is
going and how the grid is evolving.
Senator Udall. Anybody else care to comment?
Mr. Cauley. I would just say I am concerned about physical
security as well from a real world sense of what could happen
bad to the grid. I think to Senator Murkowski's view. The more
comprehensive and holistically we can look at this. I think the
more effective legislation will be. Because we have to deal
with what are the priorities. What's the next most important
thing we can invest in?
So I think to have things where we can balance between
physical and cyber and say, what are the real world things that
can happen? What would the consequences be? I would prefer a,
sort of, a more comprehensive and more holistic view.
Mr. Owens. I would echo what Mr. Cauley just said. I would
just expand it just a little bit. We're modernizing the grid. I
don't know what smart grid is either. Even though I have
responsibility for the industry for dealing with that it's an
evolutionary, modernization of the overall grid or another way
to say it we're digitizing the grid.
If we're digitizing the grid it suggests that there are a
tremendous set of new challenges with respect to cyber
security. It also says we've got a lot of new players. We're
going to put in a lot of different kinds of equipment.
So it suggests that we need a high standard for that
equipment. That equipment must be authenticated that it is
cyber secure. It seems to me and this whole area is evolving so
vendors, manufacturers, utilities, regulators. Those who have
the responsibility for protecting the integrity of the grid, we
all have to understand the language. We all have to make cyber
security a top priority.
Senator Udall. Mr. Tedeschi, do you--would you have any
comments? You're the wise man at the table as the scientist
among us.
Mr. Tedeschi. I would just offer up, Senator, that there's
a broad spectrum of threats out there that are real that should
be considered. Cyber is certainly at the top of the list. The
probability from a risk perspective is 1.0 that those threats
are happening every day.
But it would be wise to consider a broader set of threats,
not just EMP, but also physical attack threats, car bombs,
standoff weapons, that sort of thing. There is--there are
security systems around a lot of these facilities. There's
standoffs. There are inherent security hardness levels to them.
But I think the owners of the utilities, Mr. Cauley, got it
just right. That they understand their operations, the effects
that can occur from the variety of threats and there are links
into those who have additional intelligence information, if you
will, that could be brought to bear that they can be aware of
to factor into decisions on where to provide security,
etcetera. So there's a good link, I think, into this world.
But don't forget about the other threats especially car
bombs, explosive type threats, electromagnetic pulse. We
haven't really touched on even unintentional electromagnetic
interference from other high frequency sources like cell
phones, TV transmissions, radars, that can have an adverse
effect on the operation of some of the smart grid technology.
It is new technology. It can be sensitive to a broad variety of
electromagnetic threats not just handheld devices or nuclear
EMP.
So understanding how that technology will operate in
today's broad threat space within America would pay dividends
long term in terms of any hardness that might be invoked.
Senator Udall. If the chairman would indulge me, I'll just
throw out a final question. Maybe a couple of you could comment
and then the rest could comment for the record. I think Senator
Hoeven talked a bit about Stuxnet. There's also the Aurora
event.
I'm curious if some of you would briefly respond to the
significance of those 2 events that we're aware of among
others.
Mr. Cauley. I would just say they're both very real.
They're very real risks. Aurora, we recognized a couple years
ago has the risk of damaging equipment.
One thing that we were able to do a little over a year ago
is to work with the intelligence community to grasp the details
of what the actual threat is, what the vulnerability is and how
to fix it. So we were able to translate that into information
out to industry. So I think we've got, at this point, a very
high response rate in terms of addressing it.
It was real. But I think the awareness level in the last 12
months has really increased. I think the actions that have
taken place.
The Stuxnet is similar. It wasn't there if you look beyond
a year ago it wasn't there. Now all of a sudden it's here. It's
real. I think we got the information out to the industry. They
took the actions to install the patches and blocks to keep that
from penetrating our control systems.
So the answer is, I think, they're very real. They're very
scary. They can each do damage to our grid. But I think we just
have to take the protective measures that we've been doing to
make sure it doesn't happen.
But that really describes the nature of this business.
Because next week, there's going to be another one that we
don't know about yet. We have to keep--it's more about having
the mechanisms in process to adapt and keep fixing and learning
than it is to have solved this problem once.
Senator Udall. The rest of you respond for the record. I do
not want to abuse the chairman's forbearance. So thank you
again for being here.
[The information referred to follows:]
The significance of Aurora and Stuxnet includes the demonstrated
ability to target industrial control systems, the difficulty in
identifying the attacker, the difficulty in defending against zero-day
attacks, and the demonstrated ability to conduct cyber-physical, or
blended attacks. The risk to the power system has become more acute
over the past 15 years as digital communicating equipment has
introduced cyber vulnerability to the system, and cost-saving
requirements have allowed some inherent physical redundancy within the
system to be reduced. The specific concern with respect to these
threats is the targeting of multiple key nodes on the system that, if
damaged, destroyed, or interrupted in a coordinated fashion, could
bring the system outside the protection provided by traditional
planning and operating criteria. Such an attack would behave very
differently than traditional risks to the system in that an intelligent
attacker could mount an attack, as in the case of Aurora or Stuxnet,
that would manipulate assets, provide misleading information to system
operators attempting to address the issue, or destroy equipment.
While no such attack has occurred on the North American electric
systems infrastructure to date, Stuxnet demonstrated the ability and
desire to target specific components of an industrial control system.
The attack was so specific in its use of industrial control systems,
that any remaining skeptics should be convinced of the abilities and
intent of intelligent attackers to target industrial control systems.
As in most cyber attacks, timely attribution remains difficult. The
ability to mask the real identity of the attacker is often a concern,
and it often takes an extended period of time to make a final
determination and prosecute or take other appropriate action. The
originators of Stuxnet remain unknown, while a similar case could be
made for attackers that might choose to exploit an Aurora-type
vulnerability. Most of the developed world uses commercial software to
prevent cyber attacks. The use of zero-day vulnerabilities and the USB
drive delivery method for Stuxnet showed the inadequacy of current
anti-virus, intrusion detection, and firewall applications to prevent
unauthorized access to networks. Finally, both Aurora and Stuxnet
demonstrated the ability of cyber attacks to cause physical effects.
Such an attack, although never experienced in North America, could
damage or destroy key system components, significantly degrade system
operating conditions, and, in extreme cases, result in prolonged
outages to large parts of the system.
The interconnected and interdependent nature of the electric
systems infrastructure requires that risk management actions be
consistently and systematically applied across the entire system to be
effective. The magnitude of such an effort should not be
underestimated. The North American bulk power system is comprised of
more than 200,000 miles of high-voltage transmission lines, thousands
of generation plants, and millions of digital controls. More than 1,800
entities own and operate portions of the system, with thousands more
involved in the operation of distribution networks across North
America. These entities range in size from large investor-owned
utilities with over 20,000 employees to small cooperatives with only
ten. The systems and facilities comprising the larger system have
differing configurations, design schemes, and operational concerns. Any
mitigation on such a system is complex and expensive, and should be
carefully planned and coordinated between the stakeholders and asset
owners and operators.
The Department has supported the North American Electricity
Reliability Corporation (NERC), the energy sector and other sectors,
and other government departments and agencies Department of Defense
efforts to mitigate the Aurora vulnerability and Stuxnet and other
threats through information sharing and technology development. In
addition, recognizing that Aurora and Stuxnet are just two examples in
a larger threat environment, DOE, in coordination with the National
Institute for Standards and Technology, NERC, and the Department of
Homeland Security, is leading a public-private collaboration to develop
a risk management process guideline to provide a consistent,
repeatable, and adaptable process for the electric sector, and enable
organizations to proactively manage cybersecurity risk. This
collaboration will build upon existing guidance and requirements to
develop a flexible risk management process tuned to the diverse
missions, equipment, and business needs of the electric sector and to
bridge the divide between security for industrial control systems and
information technology.
The Chairman. Let me just ask one final issue here, Mr.
Cauley. Your organization, NERC, is a private membership
organization. I'm right about that, am I not?
Mr. Cauley. That's correct.
The Chairman. If we were to give NERC jurisdiction over
distribution facilities would, in your view, should that
include the ability to levy fines or penalties on companies
that are not members of your organization?
Mr. Cauley. Mr. Chairman, we actually can enforce standards
and levy fines today on entities who are not members of our
organization. So membership only gives us, gives a company the
ability to participate in the governance. Vote on our directors
and so on.
But our authority for our mandatory standards applies to
1,900 companies whether they're members or not. That authority
came from--legislation.
The Chairman. You levy those fines? FERC doesn't.
Mr. Cauley. We levy them. But the FERC approves them in all
cases. So they have the oversight. They're the final approval
authority.
But we have the operatives in the field that do the
investigations and determine appropriate penalties and submit
them to the Commission for approval.
The Chairman. Did you have any thought on this?
Mr. Cauley. But the question--your first question was
whether--if it includes distribution would that work? I'm very
hopeful that if the legislation does include distribution, that
it would be very limited to issues of national level interest
and security. Not totally usurp the right of the States to
manage and the distribution level.
But to the extent that that authority was granted to FERC I
think it would be--make sense since NERC also is a national--
looking at the national interest to have a similar alignment
with that authority.
The Chairman. Mr. McClelland, did you have a thought?
Mr. McClelland. Yes. The Commission has a full range of
authority. It has a review of the standards. It has
enforcement.
Then it also has it's delegated the fee authority to the
ERO to be able to levy those fines. Although they still come
back to the Commission for approval. In addition we have ALJs
and we have settlement processes. Then if someone doesn't like
a Commission decision they could always take us to court.
So there is an iterative process with the Commission on
every order that it issues. The ability to enforce a Commission
rule is something that, as a regulator, that the Commission is
completely comfortable with.
The Chairman. OK. Senator Murkowski, did you have
additional questions?
Senator Murkowski. I do not, Mr. Chairman.
The Chairman. Thank you all. This has been a useful
hearing. I appreciate it.
[Whereupon, at 11:24 a.m., the hearing was adjourned.]
APPENDIX
Responses to Additional Questions
----------
Responses of Gerry Cauley to Questions From Senator Bingaman
Question 1. In February, the Department of Energy launched an open
collaboration with the National Institute of Standards and Technology
and the North American Electric Reliability Corporation to ``develop a
cyber security risk management process guideline for the electric
sector.'' Could you describe the objectives of this collaboration and
how its work will filter into the NERC standards development and
approval processes?
Answer. The Risk Management Process (RMP) is a public-private
collaboration to develop a cybersecurity risk management guideline that
enables organizations to proactively manage risk in the diverse
electrical environment that exists in North America. The evolution of
smart grid technology increases the electricity sector's cybersecurity
risk exposure, emphasizing the need for owners and operators to employ
consistent, measurable, and adaptable processes for electricity
generation, transmission, distribution, retail operations, energy
service providers, as well as situation awareness. Additionally, the
differing jurisdictions--NERC for the North American bulk power system
(BPS), States and municipalities for the distribution grid, working
with the owners and operators of the grid--require a comprehensive yet
flexible approach to managing risk. This effort is led by the
Department of Energy (DOE) in coordination with the National Institute
of Standards and Technology (NIST) and NERC, and with the collaboration
of subject matter expert representatives from across the public and
private sectors. DOE plans to publish these industry-wide risk
management guidelines in 2011, which are intended to complement, but
not replace or supersede, the current Critical Infrastructure
Protection (CIP) Standards. Objectives for this collaboration include:
Support the unique needs of the diverse utilities and other
stakeholders participating in the North American electric grid
with an end-to-end perspective that includes generation,
transmission, distribution, retail, energy service providers
and wide area situation awareness (e.g., Phasor Measurement
Unit or PMU networks).
Provide guidance in applying cybersecurity measures to the
control systems and information technologies used throughout
the electric grid.
Provide guidance for an integrated organization-wide
approach to managing those cybersecurity risks pertinent to
operations, assets, data, personnel, and the Nation as the
existing electric grid is transitioned to a smart grid.
Leverage risk management and cybersecurity experiences and
practices among the electric grid stakeholders including the
risk management guidelines (NIST Special Publications, i.e.,
NIST 800-39; and NERC CIP Standards) and lessons learned within
the Federal Government.
Recommend implementation guidelines that apply the RMP to
electric grid domains and to unique electric grid components,
such as control systems.
NERC expects there will be a phased implementation of the
guidelines, starting with host utilities and vendors. NERC expects to
refine the practices through these demonstration projects. As the
practices are demonstrated to be effective, NERC will consider whether
some subsets of the practices are appropriate for inclusion in the
reliability standards.
Question 2. The Discussion Draft creates a process to address cyber
security vulnerabilities affecting critical electric infrastructure.
The Discussion Draft left open the question of the maximum number of
days FERC should have to determine whether the existing set of
reliability standards are adequate to protect this infrastructure from
cyber security vulnerabilities. Assuming that FERC identified a
specific deficiency in the existing set of reliability standards, do
you have an opinion as to how long, in days, FERC should have to make
this determination? How long should NERC have, in days, to develop
standards in response to a FERC directive to address specifically-
identified cyber security vulnerabilities?
Answer. As noted in my testimony, NERC does not believe the
vulnerabilities section is needed. In response to this question
concerning the discussion draft, NERC would defer to FERC with respect
to the timeframe for FERC's determination whether existing reliability
standards are adequate to protect critical electric infrastructure from
cybersecurity vulnerabilities, except that the timeframe must be
sufficient to allow for notice to and consultation with stakeholders,
including Canadian authorities. Such consultation is essential to
provide a basis for a finding that reliability standards, or other
actions taken by the electric reliability organization (ERO), are
inadequate or that a specific deficiency exists.
The appropriate timeframe for NERC to respond to a FERC directive
to address specifically identified cybersecurity vulnerabilities will
vary depending on whether specific actionable information about the
vulnerability is made available to NERC and stakeholders. It will also
vary depending on the approach determined by NERC to be the most
effective in responding to such a directive. As discussed during the
hearing, not all vulnerabilities can or should be addressed by a
reliability standard. NERC has other tools at its disposal through its
Alert system to address cybersecurity vulnerabilities. In addition, the
legislation should authorize a mandatory and enforceable means for NERC
to address cybersecurity vulnerabilities identified by FERC in addition
to the use of reliability standards. One way to do this would be to
authorize NERC to issue ``Mandatory Directives,'' as discussed in
response to Q. 7 below. In the case where a reliability standard is
required to address an identified vulnerability, NERC should have 180
days to develop a response. The Mandatory Directives could be issued in
a much shorter time frame, measured in days or weeks.
Question 3. NERC submitted eight proposed cybersecurity standards,
known as the Critical Infrastructure Protection (CIP) standards, to
FERC for approval under section 215. FERC approved those standards in
2008 but directed NERC to make certain revisions. As I understand it,
NERC continues to work on those revisions and plans to submit them to
FERC somewhere in 2012. If submitted in 2012, development and approval
of the first set of cybersecurity standards will have lasted around 6
years. Why has this process lasted this long?
Answer. The Reliability Standards development process is an
iterative process of continuing improvement. NERC's first set of CIP
standards was approved by FERC in January 2008. NERC has worked with
industry, consumer representatives and regulators to strengthen the CIP
Reliability Standards, and also to respond to specific directives from
FERC. While this process is occurring, mandatory and enforceable
cybersecurity standards have been in place and have provided important
protections for the bulk power system. The need to respond to FERC
directives has necessarily influenced the direction and timing of the
CIP standards development process. The second set of CIP standards
addressed certain high-priority directives from FERC; FERC approved
that second set in September 2009. FERC's September 2009 order included
new directives and gave NERC 90 days to comply. NERC filed the third
version of the CIP standards in December 2009, and FERC approved that
third set in March 2010.
The most recent revision to the CIP Reliability Standards--CIP-002
Version 4--was approved by the NERC stakeholders on December 31st,
2010; approved by the NERC Board of Trustees on January 24, 2011 and
submitted to the Commission for approval on February 10, 2011. Work
continues on further improvements to the standards, including responses
to remaining Commission directives, and it is these further enhanced
standards that will be submitted to the Commission in 2012.
Question 4. Can you describe how NERC's newly-approved procedures
for developing a reliability standard on an expedited basis differ from
the existing development procedures? How would expedited procedures
make it easier for NERC to address cyber security vulnerabilities?
Answer. The new procedures approved by FERC in September 2010
provide for developing a reliability standard on an expedited basis.
Key differences from the traditional standards development procedures
are in the areas of confidentiality of information; use of pre-
identified technical experts for standards drafting; and process
streamlining.
Confidentiality
The expedited process contains procedures that provide protection
of sensitive information affecting national security. The traditional
procedures do not contain similar protections.
The new procedures limit the individuals who may serve on drafting
teams to those who have been pre-screened for their expertise and
willingness to work under strict security and confidentiality rules,
and require drafting teams to work under strict security and
confidentiality rules. Sensitive information is further protected by
limiting distribution of draft standards. In contrast to the general
procedures, the new procedures do not require public posting of draft
standards.
Technical expertise
The new procedures require formation of a Standard Drafting Team
from a list of pre-identified technical experts. This provides for the
necessary diversity of expertise and industry perspectives to develop a
technically sound standard that can quickly be finalized and approved.
Cybersecurity involves every owner, operator and user of the bulk power
system--having a diverse view when crafting the language of a standard
is essential. The expedited procedures assure that the Standard
Drafting Team will have the collective knowledge and expertise to
develop a standard that reflects an understanding of the diverse
utilities and their associated equipment configurations in the North
American bulk power system.
Process streamlining
The new procedures allow the Standards Committee authority to
approve a wide range of process deviations, enabling a standard to be
developed in a shorter period of time. The general procedures allowed
some latitude in shortening the duration of only certain process steps.
These expedited processes will enable NERC to address cybersecurity
vulnerabilities through a reliability standard on a timely basis--when
that is the most appropriate approach.
Question 5. In your statement, you stated that NERC was concerned
that the Discussion Draft contained no requirement that FERC identify
any deficiency in existing reliability standards or a cybersecurity
vulnerability for NERC to address. The Administrative Procedures Act
requires agencies to give notice of either the terms or substance of
the proposed rule or a description of the subjects and issues involved.
Is that requirement sufficient to address this concern? If not, how
would NERC propose to revise Section 224(b) of the Discussion Draft to
address this concern?
Answer. The Administrative Procedure Act (APA), 5 U.S.C. 553(b),
which requires publication for comment of a general notice of proposed
rulemaking that includes ``either the terms or substance of the
proposed rule or a description of the subjects and issues involved,''
does not resolve NERC's concern. Proposed Section 224(b)(2) requires
FERC to issue an ``initial order,'' not a proposed rule. There is
nothing in the legislative text that requires FERC in its order to
advise the ERO of the specific vulnerability in sufficient detail so
that the ERO can respond appropriately. Moreover, proposed Section
224(b)(6)(B) authorizes FERC to issue an interim final rule ``without
prior notice or hearing.'' In contrast, the provisions of Federal Power
Act Section 215(d) authorize FERC to order the ERO to submit a proposed
reliability standard ``that addresses a specific matter.''
NERC recommends that proposed Section 224(b)(2) be revised to
include at the end the following:
The Commission's order shall specify the vulnerabilities
against which such standards or directives must protect, and
shall appropriately balance the risks to the critical electric
infrastructure associated with such cybersecurity
vulnerabilities, including any regional variation in such
risks, and the costs of mitigating such risks.
Note: with respect to the inclusion of ``or directives'' in the
above language, see the discussion in response to question 7, below.
Question 6. Your testimony states that NERC is not sure that a
section to address cybersecurity vulnerabilities (section 224(b)) is
needed in the Discussion Draft. Does NERC believe that there should be
a means of addressing cybersecurity vulnerabilities? Should this means
be mandatory and enforceable? If not, how can compliance be assured and
measured?
Answer. NERC believes not only that there should be a means of
addressing cybersecurity vulnerabilities, but that such means already
exist. NERC addresses cybersecurity vulnerabilities today through
reliability standards and through its Alert system of Industry
Advisories, Recommendations to Industry, and Essential Actions. Since
January 2010, NERC has issued 14 critical infrastructure protection-
related Alerts; these Alerts covered matters including Stuxnet and
Night Dragon.
FERC also already has authority under FPA Section 215(d)(5) to
order the ERO to ``submit to the Commission a proposed reliability
standard or a modification to a reliability standard that addresses a
specific matter if the Commission considers such a new or modified
reliability standard appropriate to carry out [section 215].''
``Cybersecurity protection'' is expressly included within the
definition of ``reliability standard'' in section 215(a)(3).
There should be a mandatory and enforceable means in addition to
the use of reliability standards for NERC to address cybersecurity
vulnerabilities identified by FERC. One way to do this would be to
authorize NERC to issue ``Mandatory Directives,'' as discussed in
response to Q. 7 below.
Question 7. Your testimony states that making ``other NERC
directives'' legally enforceable would significantly enhance cyber
security. Can you identify these ``other NERC directives''? Please
describe how NERC envisions using these other directives? Does NERC
envision the process of enforcing these directives being overseen by
FERC? Does NERC contemplate using these enforceable NERC directives to
address cyber security or other reliability vulnerabilities? What due
process does NERC envision for those entities subject to these
directives?
Answer. The other NERC directives referenced in my testimony would
be a new category of directives that could be called ``Mandatory
Directives.'' NERC envisions using a Mandatory Directive to address
cybersecurity vulnerabilities that are not appropriate to address
through reliability standards. The draft legislation should be modified
to include this authority. Provision should be made for expedited FERC
approval of these Mandatory Directives. As is the case with reliability
standards, FERC approval would be an essential step in making these
Mandatory Directives enforceable.
Enforcement of these Mandatory Directives should be overseen by
FERC, just as the enforcement of reliability rules by NERC today is
overseen by FERC. The same due process that applies to the enforcement
of reliability standards under FPA Section 215(e) should apply to the
enforcement of NERC Mandatory Directives.
Question 8a. Your testimony states that NERC has issued 14 cyber
security alerts since January 2010. How do these alerts differ from
NERC standards? Was the alerts process filed with and approved by FERC?
Can you describe, generally, the level of compliance NERC has observed
with respect to these alerts? Have any users, owners, or operators of
the bulk power system failed to comply with any of the alerts? How
did NERC respond to these users, owners, and operators?
Answer. Alerts differ from NERC reliability standards in that,
unlike standards, the Alerts are not enforceable. Alerts are used when
NERC has a need to place industry participants on formal notice of
particular matters related to the reliability and security of the
electric system. The Alerts are targeted, can be developed much more
quickly than standards, do not involve an industry ballot, and can
reach a broader audience than just those subject to reliability
standards.
NERC's alerts process is set out in Rule 810 of NERC's Rules of
Procedure, which FERC approved in February 2008. Alerts and
Notifications are created and deployed from NERC in its role as the
Electric Sector Information and Analysis Center (ES-ISAC). The ES-ISAC
coordinates electric industry activities to promote critical
infrastructure protection of the bulk power system in North America, as
called for by Rule 1003.1 of NERC's Rules of Procedure, which FERC
approved in July 2006.
NERC has had significant interaction with registered entities, most
recently in response to the Aurora and Stuxnet ``Recommendation to
Industry'' Alerts. Following the Aurora Alert, NERC hosted four
informational webinars and a technical conference with more than 1,000
people participating. NERC continues to follow up and meet directly
with entity representatives, through both outreach and personal follow-
up activities. A progress check webinar was held in early May that
attracted more than 400 participants and another is scheduled for June.
Similarly, following the Stuxnet Alert in September 2010, NERC made
contact with industry entities to confirm acknowledgement of receipt of
the Alert.
While the present Alerts and Notifications are neither mandatory
nor legally enforceable, the Rules of Procedure do require NERC
registered entities to report on the status of activities related to
any Level 2 (Recommendation to Industry) or Level 3 (Essential Action)
Alert.
This obligatory reporting requirement for NERC Alerts and
Notifications is unique among all of the other Computer Emergency
Response Teams (CERT) and critical infrastructure Information Sharing
and Analysis Centers (ISAC) that do not impose a required response
component.
Question 8b. Can you describe, generally, the level of compliance
NERC has observed with respect to these alerts?
Answer. The responses to the Aurora and Stuxnet alerts have been
very high. Regarding United States entities that were sent the Stuxnet
recommendation, as of November 2010, 99% of industry acknowledged
receipt of the recommendation, more than 98% have developed a response
to the recommendation and routed that response to their management for
approval and more than 94% have received approval from management on
the response they developed. Regarding the Aurora recommendation, as of
January 2011, 99% of industry acknowledged receipt, 98% have responded
to NERC and 96% have received management approval for the response
they developed. Implementation plans are at various levels of
completion. Every six months entities must update NERC on the status of
their implementation plan until the implementation is complete. The
next update to this status is June 13th, 2011.
Question 8c. Have any users, owners, or operators of the bulk power
system failed to comply with any of the alerts?
Answer. For those entities that have been non-responsive, NERC
staff follows up with phone calls discussing the recommendation,
answering questions and clarifying uncertainties. In NERC's discussions
with nonresponsive entities, interaction is maintained until a response
is developed and all concerns are resolved and all questions are
answered. In addition to phone calls and personal interaction, NERC
continues to follow up and meet directly with entity representatives,
through both outreach and personal follow-up activities such as
webinars and technical conferences.
Question 8d. How did NERC respond to these users, owners, and
operators?
Answer. NERC entities that do not fulfill their obligation under
the Rules of Procedure will receive heightened levels of NERC attention
up to and including direct senior level interaction from NERC, Regional
and industry leadership. NERC, the industry including CEOs, and the
Regions take the NERC Alert process seriously.
Question 9. Level Three alerts are characterized as ``essential
action.'' Has NERC ever issued a Level Three alert? How does NERC
compel action consistent with these alerts from among users, owners,
and operators of the bulk power system?
Answer. NERC has not yet issued an ``Essential Action'' Alert.
Although NERC cannot compel action to implement an Essential Action,
NERC has every expectation that if its Board of Trustees makes a
determination that certain actions are ``essential to protect the
reliability of the bulk power system'', then users, owners and
operators of the bulk power system will take appropriate actions. NERC
would follow up as necessary. Essential Actions do carry a mandatory
reporting obligation. A failure to report would constitute a violation
of a rule adopted under the authority of FPA section 215 and could be
enforced by FERC.
Question 10. You indicated that following the 1989 geomagnetic
disturbance that affected Quebec the industry learned lessons and
hardened a lot of equipment at northern latitudes. Can you
describe the lessons the industry learned after that event? How was
equipment hardened? Given that the risks of geomagnetic disturbances
are not a new threat to the electric sector, have utilities in other
geographic areas hardened their equipment and systems against the
effects of geomagnetic disturbances?
Answer. The potential impact of geomagnetic disturbance events has
gained renewed attention as recent studies\1\ have suggested the
severity of solar storms may be greater and reach lower geographic
latitudes than formerly expected. NERC and the U.S. Department of
Energy identified this as a High Impact, Low Frequency event risk to
bulk power system reliability in a joint report issued in April
2010.\2\ Geomagnetic disturbances (GMD) can impact bulk power system
reliability. The most well-known recent experience in North America was
the March 13-14, 1989 geomagnetic disturbance, which led to the
collapse of the Hydro Quebec system in the early morning hours of March
13, 1989, lasting approximately nine hours.
---------------------------------------------------------------------------
\1\ The U.S. Federal Energy Regulation Commission and Oak Ridge
National Labs issued a number of reports on Geomagnetic Storms and
their impact on the bulk power system in November 2010:
http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml
\2\ The High-Impact, Low-Frequency Report can be found here:
http://www.nerc.com/files/hilf.pdf
---------------------------------------------------------------------------
System and equipment modifications that occurred in the Hydro-
Quebec TransEnergie (HQT) system following the 1989 geomagnetic storm
included adding series compensation elements on long-distance AC
transmission lines, rebalancing their protection systems, monitoring
geomagnetic induced currents (GICs) on key pathways on their system and
testing the addition of blocking capacitors to transformer neutrals.
Additionally, HQT developed new analyses on how GICs impact the Quebec
interconnection and employed new operating and planning procedures to
observe GIC impacts in voltage.
One of the characteristics of transformers experiencing high levels
of GICs is increased requirements for reactive power. The bulk power
system, when faced with the need for large amounts of reactive power,
as Hydro Quebec faced with their 480 nanotesla per minute storm in
1989,\3\ may react in an unplanned or unexpected manner, including
break-up, islanding, or collapse. Industry investigation is needed to
determine the amount and extent of disruptions that might occur. This
analysis includes determination of transformer characteristics to
identify the most affected designs as well as the most, static, dynamic
and transient simulations which model the non-linear behavior of each
of the interconnections in North America. Once these analyses are
complete, appropriate and jurisdictionally acceptable solutions,
including grid hardening, relaying, operational procedures and spare
equipment could be determined to maintain an acceptable level of
reliability, given the relative risk from GMD events.
---------------------------------------------------------------------------
\3\ http://www.nerc.com/files/1989-Quebec-Disturbance.pdf
---------------------------------------------------------------------------
NERC's GMD Task Force recently held a workshop focused on potential
mitigation approaches. A major outcome of the workshop was the
realization that significant work is still required by industry and
governmental organizations to improve not only solar storm forecasting
but also in developing robust modeling methods to understand how
GMD events impact bulk power system equipment. Once impacts have been
determined, suitable actions can then be taken by both planners and
operators of the bulk power system in North America to ensure
reliability of the grid. The primary deliverable from the workshop, an
Industry Advisory NERC Alert on GMD\4\ provides industry with suitable
guidance for operational and planning actions given the knowledge
available today to prepare for the effects of severe GMD on the bulk
power system. NERC expects to provide incremental information as it
becomes available.
---------------------------------------------------------------------------
\4\ http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf
---------------------------------------------------------------------------
Question 11. NERC's High Impact, Low Frequency Event Risk to the
North American Bulk Power System report contemplates ``re-launching''
NERC's spare equipment database. Why is the spare equipment database
not operational today? When was it stopped?
Answer. NERC maintains a database of spare transformers, called the
Spare Equipment Database (SED), which is voluntarily populated by
industry stakeholders.
SED is operational today. It is being re-launched in 2012 as a
revitalized tool to provide increased coverage and give it increased
visibility among stakeholders--in direct response to NERC's High
Impact, Low Frequency (HILF) report\5\ developed in collaboration with
the Department of Energy. In 2010, based on the results of HILF roadmap
developed by the Electricity Subsector Coordinating Council\6\ and
technical committees strategic coordinated action plan,\7\ NERC
initiated its SED revitalization efforts and will fund the development
of an on-line data collection tool. SED will initially focus on bulk
power transformers; however, other critical long-lead time equipment
may be added in the future.
---------------------------------------------------------------------------
\5\ Joint NERC and U.S. DOE report, High Impact, Low Frequency
Event Risk to the North American Bulk Power System:
http://www.nerc.com/files/HILF.pdf
\6\ Electricity Subsector Coordinating Council report, Critical
Infrastructure Strategic Roadmap:
http://www.nerc.com/docs/escc/ESCC_Critical_Infrastructure_Strategic_Roadmap.pdf
\7\ Technical Committee Report, Critical Infrastructure Strategic
Initiatives Coordinated Action Plan:
http://www.nerc.com/docs/ciscap/Critical_Infrastructure_Strategic_Initiatives_Coordinated_Action_Plan_BOT_Apprd_11-2010.pdf
---------------------------------------------------------------------------
Responses of Gerry Cauley to Questions From Senator Murkowski
Question 1. Through the definition of ``critical electric
infrastructure,'' the discussion draft legislation extends FERC's
jurisdiction beyond the Bulk Power System to the distribution level as
long as those systems or assets are ``vital'' to the nation's security,
economy, public health or safety. In your testimony, you point out that
NERC's authority as the ERO does not extend to the distribution level.
In the text, we were trying to respect the Section 215 stakeholder
process--the idea being that if FERC directed the ERO to develop or
modify a cyber standard to protect ``critical electric infrastructure''
that standard would be developed through the existing stakeholder
process. It was certainly not my intent to allow FERC sole discretion
to dictate standards at the local level or bypass the Section 215
process altogether. Please comment. Can you provide the Committee with
clarifying language?
Answer. NERC appreciates the effort to respect the Section 215
standards development process. As I indicated in my testimony, under
the current discussion draft structure, unless FERC and NERC have the
same jurisdictional reach, it will be difficult to achieve the
necessary collaboration and coordination that must take place if
requirements applicable to the bulk power system and the distribution
systems are to work together to achieve the desired outcomes. This
issue arises because the definition of ``critical electric
infrastructure'' in the discussion draft includes distribution
facilities and the definition of bulk power system in section 215 does
not.
As I stated during the hearing, NERC is not seeking jurisdiction
over distribution, but is concerned about the language in the
discussion draft that leads to a mismatch in NERC and FERC
jurisdiction. If FERC is given jurisdiction over certain distribution
facilities for purposes of addressing cyber vulnerabilities, then NERC
believes it should have equivalent jurisdiction. NERC does not believe
it is workable to try to address cyber vulnerabilities in two different
places at the same time. NERC has proposed amendments to various
aspects of the discussion draft in response to question 2, below, and
the provisions dealing with the jurisdictional mismatch are included in
those proposed amendments.
Question 2. You testified that given the constantly changing nature
of vulnerabilities, not all vulnerabilities can or should be addressed
by a standard. I understand that for the Aurora, Stuxnet, and Night
Dragon attacks, NERC issued Alerts. Moreover, the Commission, which has
the authority to order NERC to produce reliability standards, has never
ordered NERC to take such action--is that correct? Can you provide the
Committee with language to make these NERC Alerts legally enforceable?
Answer. It is correct that to date, FERC has not exercised its
authority under FPA Section 215(d)(5) to direct NERC to produce a
reliability standard to address a specific matter, although FERC has
exercised that authority hundreds of times to direct NERC to make
modifications to standards that NERC had filed for FERC approval. NERC
suggests the following changes to the discussion draft to enable the
ERO to promulgate Mandatory Directives in response to a Commission
order under proposed Section 224(b) that will be mandatory and
enforceable. The changes below also address NERC's concerns that, as
written, proposed Section 224(b) does not expressly require FERC to
identify the specific cyber security vulnerabilities to be addressed
by the ERO. In addition, these proposed changes address the mismatch in
FERC and NERC jurisdiction that I discussed in response to the prior
question. (Language to be added is underlined; language to be deleted
is stricken through):
[Note: For printing purposes, italic represents underlined language
and bold represents stricken through language.]
I. Add a new definition of ``Mandatory Directive'' as FPA
Section 224(a)(8), to read as follows:
``(8) MANDATORY DIRECTIVE--An enforceable order
issued by the Electric Reliability Organization to
users, owners and operators of Critical Electric
Infrastructure and approved by the Commission to
address critical electric infrastructure cybersecurity
vulnerabilities in response to a Commission order
issued pursuant to subsection (b) of this section.''
II. Modify proposed Section 224(b)(2) to include Mandatory
Directives, as follows:
``(2) INITIAL ORDER--Unless If the Commission
determines that the reliability standards and alerts,
advisories or other actions taken by the Electric
Reliability Organization established pursuant to
section 215 are not adequate to protect critical
electric infrastructure from specified cybersecurity
vulnerabilities within------days after the date of
enactment of this section, the Commission shall order
the Electric Reliability Organization to submit to the
Commission, not later than------days after the date of
enactment of this section such Commission Order, a
proposed reliability standard, or a modification to a
reliability standard, or a Mandatory Directive that
will address the cybersecurity vulnerabilities
identified by the Commission and provide adequate
protection of protect critical electric infrastructure
from cybersecurity vulnerabilities. The Commission's
order shall specify the vulnerabilities against which
such standards or directives must protect, and shall
appropriately balance the risks to the critical
electric infrastructure associated with such
cybersecurity vulnerabilities, including any regional
variation in such risks, and the costs of mitigating
such risks.''
III. Modify proposed section 224(b)(3) to include Mandatory
Directives, as follows:
``(3) SUBSEQUENT DETERMINATIONS AND ORDERS--If at any
time following the issuance of the initial order under
paragraph (2) the Commission determines that the
reliability standards, alerts, advisories or other
actions taken by the Electric Reliability Organization
established pursuant to section 215 or Mandatory
Directives issued by the Electric Reliability
Organization pursuant to this section are inadequate to
protect critical electric infrastructure from an
identified cybersecurity vulnerability, the Commission
shall order the Electric Reliability Organization to
submit to the Commission, not later than 180 days after
the date of the determination, a proposed reliability
standard, or a modification to a reliability standard,
or a Mandatory Directive that will provide adequate
address the cybersecurity vulnerabilities identified by
the Commission and protect protection of critical
electric infrastructure from the cybersecurity
vulnerability vulnerabilities. The Commission's order
shall specify the vulnerabilities against which such
standards or directives must protect, and shall
appropriately balance the risks to the critical
electric infrastructure associated with such
cybersecurity vulnerabilities, including any regional
variation in such risks, and the costs of mitigating
such risks.
IV. Add a new section 224(b)(5) to provide for the
development and approval of Mandatory Directives (and renumber
succeeding subsections accordingly):
``(5) MANDATORY DIRECTIVES--A Mandatory Directive
submitted by the Electric Reliability Organization
pursuant to paragraph (2) or (3) shall be developed by
the Electric Reliability Organization pursuant to
procedures approved by the Commission, may apply to all
users, owners and operators of Critical Electric
Infrastructure as defined in this section, and shall be
mandatory and enforceable as to such entities upon
approval by the Commission, which shall act upon
proposed Mandatory Directives on an expedited basis.''
V. Add a new section 224(b)(7) to provide for enforcement of
Mandatory Directives and reliability standards issued in
response to Commission orders under Sections 224(b)(2) and (3)
(and renumber succeeding subsections accordingly):
``(7) ENFORCEMENT----
(A) Mandatory Directives.--A Mandatory Directive
approved by the Commission under this section may be
enforced in the same manner as is provided for in
section 215(e) for the enforcement of reliability
standards approved under section 215.
(B) Certain Reliability Standards.--Reliability
standards developed by the Electric Reliability
Organization in response to a Commission order issued
under paragraphs (b)(2) or (b)(3) of this section to
protect critical electric infrastructure from an
identified cybersecurity vulnerability, including
reliability standards that replace an Interim Final
Rule issued by the Commission under paragraph (b)(6) of
this section, and approved by the Commission may be
enforced in the same manner as is provided for in
section 215(e) for the enforcement of reliability
standards approved under section 215.
VI. Conforming changes would be made to include Mandatory
Directives in the provisions regarding Interim Final Rules.
Question 3. In the vulnerabilities section of the discussion draft,
we have yet to specify the timeframes for FERC's initial determination
on the adequacy of reliability standards and for NERC's response to any
Commission directive. In NERC's opinion, what is the appropriate amount
of time for these actions?
Answer. NERC would defer to FERC with respect to the timeframe for
FERC's determination whether existing reliability standards are
adequate to protect critical electric infrastructure from cybersecurity
vulnerabilities, except that the timeframe must be sufficient to allow
for notice to and consultation with stakeholders, including Canadian
authorities.
The appropriate timeframe for NERC to respond to a FERC directive
to address specifically identified cybersecurity vulnerabilities will
vary depending on whether specific actionable information about the
vulnerability is made available to NERC and stakeholders. It will also
vary depending on the nature of the approach determined by NERC to be
the most effective in responding to such a directive. As discussed
during the hearing, given the constantly changing nature of
cybersecurity vulnerabilities, not all vulnerabilities can or should be
addressed by a reliability standard. NERC has other tools at its
disposal through its Alert system in addition to reliability standards
to address cybersecurity vulnerabilities. The legislation should
expressly recognize that the response to a cybersecurity vulnerability
identified by the Commission may take the form of an alert, advisory or
other action by the ERO. Such NERC directives can be issued very
quickly, in some cases in as little as a day to several weeks,
depending on the specific nature of the vulnerability. In the case
where a reliability standard is required to address a vulnerability,
NERC should have 180 days to develop a response.
Question 4. Do you read the discussion draft as allowing both FERC
and DOE to develop different lists of critical assets? If so, can you
provide clarifying language to the Committee?
Answer. The composition of the list of critical assets is vital to
assuring that the appropriate owners, operators and users of critical
electric infrastructure are able to receive communications affecting
their assets and are aware of their obligations. NERC has itemized
``bright line'' criteria for the identification of critical assets as
part of the most recent revision to the CIP Reliability Standards,
which was submitted to the Commission for approval in February.
Because the discussion draft does not require consultation or
coordination between FERC and DOE in the identification of critical
electric infrastructure, there is the potential that different lists of
critical assets could be identified. At a minimum, DOE and FERC should
coordinate in the preparation of assets lists and use common criteria
in defining critical electric infrastructure. Suggested language to
accomplish this follows:
Amend the definition of critical electric infrastructure in
proposed FPA Section 224(a)(1) to add the following at the end:
The Commission and the Secretary shall coordinate in
the identification of critical electric infrastructure
systems and assets.
Question 5. What is the nature of NERC? Is your organization a
purely private entity? How does your membership work? How many entities
are on your Compliance Registry and are they all NERC members? Finally,
please specify your enforcement/penalty authority.
Answer. NERC is a private, non-profit corporation governed by an
independent board of trustees. By statute and NERC's bylaws, the
independent trustees can have no financial or business interest in the
users, owners, and operators of the bulk power system who are subject
to NERC's standards. NERC's membership includes large and small
electricity consumers, government representatives, municipalities,
cooperatives, independent power producers, investor owned utilities,
independent transmission system operators and federal power marketing
agencies, such as TVA and Bonneville Power Administration and the eight
regional entities. Due to the international nature and electrical
properties of the bulk power system, NERC's membership also includes
Canadian entities.
NERC is a non-governmental entity that has been certified by the
Federal Energy Regulatory Commission as the ``electric reliability
organization'' for the U.S. and has been delegated certain powers
pursuant to FPA section 215(c)(2).
Membership in NERC is open to all entities with an interest in the
reliability of the bulk power system of North America. Membership in
NERC is free of charge. As of May 16, 2011, NERC has 729 members.
NERC's members fall into the following sectors:
Investor-owned utility
State or municipal utility
Cooperative utility
Federal or provincial utility/power marketing administrator
Transmission-dependent utility
Merchant electricity generator
Electricity marketer
Large end-use electricity customer
Small end-use electricity customer
Independent system operator/regional transmission
organization
Regional Entity
Government representative
The NERC Compliance Registry is separate from the NERC membership
list and consists of users, owners and operators of the bulk power
system. The entities included on the compliance registry are the ones
obligated to comply with NERC's mandatory reliability standards.
Entities included on the NERC Compliance Registry in many cases are,
but are not required to be, members of NERC. As of May 16, 2011, 1,923
entities were listed on the NERC Compliance Registry.
NERC's authority as the ERO to enforce reliability standards is
established in FPA section 215(e). Section 400 of NERC's Rules of
Procedure, which have been approved by FERC, sets forth the NERC
Compliance Enforcement Program.\8\ NERC has the authority to impose
financial penalties for violation of Reliability Standards, but those
penalties cannot take effect until they have been filed with FERC, with
an opportunity for FERC review. FERC has ruled that NERC may impose
penalties of up to $1,000,000 per violation. FPA section 215(e)(6)
requires that any penalty must bear a reasonable relation to the
seriousness of the violation and must take into consideration the
efforts of the user, owner, or operator to remedy the violation in a
timely manner.
---------------------------------------------------------------------------
\8\ NERC's Rules of Procedure are available at:
http://www.nerc.com/files/NERC_Rules_of_Procedure_EFFECTIVE_20110412.pdf.
---------------------------------------------------------------------------
Question 6. In your testimony, you describe several alternative
methods for approving standards, including an expedited stakeholder
process and a process by which the NERC Board of Trustees can approve a
standard directed by FERC if there is no consensus among your members.
Do you think these processes adequately address the concerns raised by
the January 2011 GAO Inspector General Audit regarding the timeliness
of the stakeholder process? When did these new processes become
effective and have they been used to date?
Answer. The expedited stakeholder process and the process by which
the NERC Board of Trustees may propose and adopt a standard in response
to a FERC directive if the Board determines that the regular standards
process is not being sufficiently responsive to the Commission (Rule
321 of NERC's Rules of Procedure) are, we believe, responsive to the
concerns raised in the GAO Inspector General Audit. FERC approved
NERC's expedited stakeholder process on February 5, 2010; it approved
new Rule 321 on March 17, 2011. To date NERC has not had the occasion
to use either process.
Question 7. The discussion draft defines the term ``Critical
Electric Infrastructure'' as follows:
. . .means systems and assets, whether physical or virtual,
used for the generation, transmission, or distribution of
electric energy affecting interstate commerce that, as
determined by the Commission or the Secretary (as appropriate),
are so vital to the United States that the incapacity or
destruction of the systems and assets would have a debilitating
impact on national security, national economic security, or
national public health or safety.
To what extent are distribution assets captured in this definition?
Answer. Distribution assets are expressly captured to the extent
that they are determined by DOE or FERC to meet the statutory
definition of ``Critical Electric Infrastructure,'' i.e., to the extent
they are ``so vital to the United States that the incapacity or
destruction of the systems and assets would have a debilitating impact
on national security, national economic security, or national public
health or safety.'' With no clear indication of how the criteria will
be applied by FERC and/or DOE in determining what distribution assets
meet the statutory definition, NERC is unable to comment on the scope
or magnitude of distribution assets that may be covered. If the
definition is intended to cover national defense facilities or
government facilities, that should be made express. I am concerned that
reading the definition to cover major metropolitan areas could lead to
potential conflicts with existing State and local jurisdiction and
authorities.
Question 8. You have stated that you seek to transition to risk-
based assessments for not just cybersecurity standards but all
standard-setting. Please update the Committee on the transition. When
do you expect to base cyber security standards upon risk-based
assessments? In what ways will standards change after implementing
risk-based assessments?
Answer. NERC is incorporating the concept of risk into all of its
standards development activities. A new project prioritization process
is being used to develop the Reliability Standards Development Plan.
This process evaluates several different factors, but gives
considerable weight to the ``reliability risk'' that a project is
intended to address. This risk is evaluated in both qualitative and
quantitative terms--what kind of risk NERC is trying to manage, and how
effectively will the proposed project manage that risk. Other areas
considered in the prioritization include regulatory drivers,
coordination and logistics, and general experiences with the current
set of standards. Each project is evaluated relative to these areas and
prioritized to help NERC allocate its resources. The risk analysis
drives NERC's three-year work plan for Standards Development.
Additionally, NERC is implementing our ``Results-Based Standards''
initiative. This effort uses best-practices from product development to
improve the quality and effectiveness of our standards. In the
``Results-Based'' approach, NERC develops requirements in its standards
to address specific outcomes: ensuring adequate performance, managing
risk, and verifying competency. NERC requires, particularly in the CIP
standards, that entities take actions to mitigate risks or to
demonstrate competency prior to an event occurring. In this way, we not
only evaluate how well an entity performs, but also whether they are
well-prepared. By requiring specific risk-mitigation measures, we
protect against the ``known'' risks, and by verifying competency, we
ensure that the industry has the tools and skills to make informed
decisions when facing unknown risks. In the CIP field, not all
contingencies can be anticipated. Resilience is required.
Responses of Gerry Cauley to Questions From Senator Udall
Question 1. Has the Aurora vulnerability been effectively
mitigated, and how is this verified? What is the factual basis for your
answer?
Answer. NERC believes that registered entities now understand the
Aurora vulnerability and are taking steps to mitigate that
vulnerability within their systems. The basis for this belief is as
follows:
From 2007 through 2010 NERC worked closely with federal partners on
information controls which finally resulted in NERC's receiving
authorization to share with industry an extensive technical library
designated ``For Official Use Only'' on NERC's various protected
portals.
The availability of this technical library allowed NERC to develop
and issue an Aurora ``Recommendation to Industry'' Alert on October 13,
2010 with more explicit information on the vulnerability and
recommendations for detailed mitigation measures than was made
available when the Aurora vulnerability first surfaced in 2007. This
NERC Level 2 ``Recommendation to Industry'' carried mandatory reporting
obligations in accordance with NERC Rules of Procedure (ROP) Section
810, Information Exchange and Issuance of NERC Advisories,
Recommendations and Essential Actions, which outlines the requirements.
The goal of the Aurora Recommendation was to disseminate
vulnerability information, discuss generally-recommended mitigation
measures, and gather situational awareness data critical to an
industry-wide Aurora risk assessment. Work toward this goal has reduced
reliability risks to the bulk power system from exposure to the Aurora
vulnerability.
Through the implementation of recommended actions, based on the
confidential reports received, NERC believes that the potential impact
on the bulk power system from an Aurora event has been significantly
reduced. Mitigation plans either have been or are in the process of
being implemented, and as this process continues, the potential impact
to the power system will be further reduced. Additionally, the
provisioning of the technical library helped establish enhanced
communication channels between NERC and the users, owners, and
operators of the bulk power system and is facilitating general
industry-wide awareness regarding the Aurora vulnerability.
The status of entities' continuing actions in implementing Aurora
mitigation will be updated every six months in accordance with the
reporting obligations in the Aurora Recommendation.
The October 2010, NERC Aurora ``Recommendation to Industry''
included the following questions, which NERC developed in consultation
with FERC and industry subject matter experts:
1. Does your organization fully understand Aurora, especially
given the new information? If not, contact NERC for assistance.
2. Has your organization assembled a project team to assess
Aurora susceptibility, and/or develop Aurora mitigation
recommendations based on the new information?
3. What is your plan to respond to customer inquiries
regarding Aurora?
4. Has your organization taken steps to mitigate the risk of
an Aurora event or attack, as both a consumer and provider of
electric power?
5. Is your project plan for mitigation complete? If not, when
do you expect it to be complete? Please indicate within the
mitigation plan what types of assets were considered for
inclusion.
6. Are your mitigation efforts complete? If not, when do you
expect them to be complete?
The response to the Aurora alert has been very high. As of January
2011, 99% of industry acknowledged receipt, 98% have responded to NERC
and 96% have received management approval for the response they
developed. Implementation plans are at various levels of completion.
Every six months entities have to update NERC on the status of their
implementation plan until the implementation is complete. The next
update to this status is June 13, 2011.
For those entities that have been non-responsive, NERC staff
follows up with phone calls discussing the recommendation, answering
questions and clarifying uncertainties. In NERC's discussions with
nonresponsive entities, interaction is maintained until a response is
developed and all concerns are resolved and all questions are answered.
In addition to phone calls and personal interaction, NERC continues
to follow-up and meet directly with entity representatives, through
both outreach and personal follow-up activities such as webinars and
technical conferences.
NERC entities that do not fulfill their obligation under the Rules
of Procedure will receive heightened levels of NERC attention up to and
including direct senior level interaction from NERC, Regional and
industry leadership. NERC, the industry including CEOs, and the
Regions take the NERC Alert process seriously.
NERC will monitor the progress of entities as they update their
status every six months as required until complete. In addition NERC
will execute its plans for continually closing the mitigation gap by
implementing a continuous improvement action plan. NERC's action plan
includes:
Establishing a series of periodic webinars for entities to
share information that will continuously inform bulk power
system entities of lessons learned from continuing reviews.
Continue to review the submitted responses and communicate
with entities to solicit feedback and close gaps identified in
response areas.
As entities indicate that they have completed implementation
of their mitigation plans by updating the Aurora Recommendation
responses, NERC will place these entities into a category for a
potential Sufficiency Review, the purpose of which is to
conduct a risk-based assessment that determines an entity's
ability to ensure the safe, reliable operation of the bulk
power system. This review will provide additional assurance of
adequate Aurora mitigation efforts.
Continue to maintain and update the Aurora Technical Library
and provide periodic updates to industry to include documents
pertaining to lessons-learned, best practices and areas of
concern.
Continue to communicate with the industrial control system
vendor community regarding issues and concerns discovered
through Aurora mitigation activities.
Continue to contact entities who stated that they have no
Aurora-vulnerable assets to ensure adequacy of their
activities.
Maintain examples of well-designed customer outreach
packages and other resources that entities make available based
on the needs expressed by entities to further facilitate the
sharing of information.
Question 2. Are the current spare transformer resources, including
the EEI STEP program, sufficient to mitigate the transformer loss
scenario presented in the Oak Ridge National Laboratory report from a
1921-level solar storm (over 300 transformers)? What is the factual
basis for your answer?
Answer. NERC is studying common mode failures, such as potential
increases in failure rates from geomagnetic disturbances (GMD). The
number of transformers that might be required to respond to a 1921-like
GMD event has yet to be determined. A detailed study of the bulk power
system reaction to vulnerable transformer failures must be completed,
with suitable modeling and appropriate scenarios, to understand the
resulting resiliency from operational procedures and spare equipment
requirements.
The electric sector has a long history of successfully managing
day-to-day risk to the reliability of the bulk power system. Mitigation
efforts at threatened assets, NERC's Spare Equipment Database (SED),
EEI's STEP, and the many pooling/bilateral agreements that exist will
support utilities in responding to and managing bulk power system
reliability in the event of a significant GMD.
Generally there are a limited number of replacement spares
available. Spares are typically determined by assessing the likely
failure risk and balancing that against prudent, regulatory review,
allocation of investment funds. Individual failure rates of bulk power
system transformers (transmission auto-transformers and generation
start-up) typically are low (1-1.5%). As high voltage transformers,
depending on size, can range in cost from $1M to $10M+ dollars and have
replacement manufacturing times of 6 to 18 months, programs such as
SED, STEP and equipment pooling arrangements support industry goals to
address individual failures and allow for sharing of high-cost and long
lead-time electric transmission assets.
NERC would like to offer the Committee some context regarding the
ORNL study.\9\ FERC sponsored the study to evaluate the impacts from
GMD that can cause the flow of geomagnetic induced currents (GIC) into
high voltage transformers (345 kV, 500 kV and 765 kV), leading to their
projected failure. A simplified bulk power system model was used to
simulate GIC. Further, based on information gathered from measurements,
descriptions of local geology, and validation from past observed GMDs,
a zonal ground model was developed to represent the ground
impedances.\10\ A set of GMD homogenous intensities and orientations
was developed, the resulting GICs were modeled, and quasi-direct
current (DC) injections into transformer ground neutrals were
calculated.
---------------------------------------------------------------------------
\9\ FERC sponsored ORNL report Meta-R-319
http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml.
\10\ Ground impedances form part of the circuit that determines GIC
flows. GIC results from changes in Earth's magnetic field caused by GMD
---------------------------------------------------------------------------
Based on the results of the study, when the intensity of a
homogenously modeled GMD reaches 4,800 nanotesla per minute (projected as
the intensity of the 1921 solar storm) at the 50 degree geomagnetic
latitude in the Northern Hemisphere, nearly 1,000 high voltage
transformers experienced GICs greater than 30 amps per phase and over
300 high voltage transformers experienced greater than 90 amps per
phase. In these scenarios, all bulk power system lines were assumed to
be in-service, a single system dispatch and loading was assumed, and
the transformers experiencing the specified GIC neutral amperage were
assumed to irreparably fail. The assumption depicted in the study, and
reflected in FERC's testimony at the hearing, is that all transformers
with GIC at or above 90 amps per phase in their neutrals, would
catastrophically and simultaneously fail, causing an unrecoverable
blackout for more than six months. More work is needed before one can
draw that, or any, conclusion.
The contention that all high voltage transformers will
catastrophically fail simultaneously for the 4,800 nanotesla/minute
scenario affecting 130 million people is a simplistic view, which
ignores the dynamic and system operational character of the bulk power
system. This forecast assumes the dynamic characteristics of the bulk
power system and its resiliency are irrelevant parameters, all
transformers are equally sensitive to GIC flows, and the system will
neither act nor respond when transformers experience high levels of
GIC. Further, it is unclear if the intensity of the field strengths, in
reality, is homogenous. Rather, the fields can be made up of a variety
of structures creating local GIC flows, resulting in narrow
concentrated impacts, rather than broad-scale effects. There is a
danger in overreacting to worst-case scenarios. Industry organizations
do take these issues seriously, but resources are limited. Over-
commitment of resources to address the worst-case scenario will take
resources away from addressing other, more probable risks. NERC's
current work is focused on performing a realistic and responsible
assessment of the impacts and priorities for mitigation, so that it is
possible to balance the real risks and the costs of appropriate
mitigation.
The appropriate use of the FERC study is as a screening assessment
to identify those transformers that may be most vulnerable from GIC
effects. The prudent next step is for additional detailed simulation of
bulk power system behavior. For example, when the injected DC entering
a transformer neutral reaches significant levels (e.g. 90 amps per
phase), the resulting core saturation acts as a large reactor, and,
therefore, demands large amounts of reactive power from the bulk power
system. The reactive demand would result in voltage profile variations
triggering automatic action in some cases, and operator action in
others. High levels of GIC would also cause conventional current
transformers to saturate, providing unreliable signals used to support
system protection. Further, large quantities of harmonics would emanate
from the saturated transformers, also interfering with system
protection objectives. The effects of these characteristics on the bulk
power system under multiple credible scenarios, loadings and system
conditions must be simulated to ensure a full understanding of
potential impacts.
The bulk power system, when faced with the need for large amounts
of reactive power, as when Hydro Quebec was faced with their 480
nanotesla per minute storm in 1989,\11\ may react in an unplanned or
unexpected manner, including break-up, islanding, or collapse. Industry
investigation is needed to determine the amount and extent of
disruptions that might occur. This analysis would include static,
dynamic and transient simulations which model the non-linear behavior
of each of the interconnections in North America. Once these analyses
are complete, appropriate and jurisdictionally acceptable solutions,
including grid hardening, relaying and spare equipment could be
determined to maintain an acceptable level of reliability, given the
relative risk from the GMD event.
---------------------------------------------------------------------------
\11\ http://www.nerc.com/files/1989-Quebec-Disturbance.pdf
---------------------------------------------------------------------------
Finally, the study was developed by FERC without industry vetting
of the modeling approaches, simulation algorithms or basic data
supporting the results. More assessment of the algorithms and
simulation approaches with industry input is a vital next step, as
addressed in testimony of Dr. William Tedeschi, Senior Scientist,
Sandia National Laboratories.
Question 3. How effective has the current standards development
process been in protecting against cyber and other non-cyber threats
and vulnerabilities to the grid? Is it possible to use this process
supplemented with NERC's emergency standards process and the Alerts
process to get the job done?
Answer. NERC's mandatory and enforceable standards have resulted in
unprecedented industry-wide focus and attention to protecting the grid
against cyber and non-cyber threats. It may be possible to get the job
done using standards and NERC's alert and advisory system, especially
if NERC's proposal for Mandatory Directives is accepted. However, some
agency in the federal government should be given authority to respond
to a genuine cyber emergency, because such an emergency may demand
swift and widespread action of a sort not achievable by the ERO,
particularly given the challenge of translating classified information
to industry in a useable form.
Response of Gerry Cauley to Question From Senator Portman
Question 1. Multiple levels of protection on the electric system
have significant, additional costs, and may not be the most cost-
effective means of mitigating known vulnerabilities or combating known
threats. How would you recommend that determinations be made about
additional security requirements that are ordered to be put into
place? Should there be a risk assessment required to determine cost-
effectiveness?
Answer. Yes, there should be. I believe the reliability investment
that we are promoting every day through our standards, compliance
program, alerts, and other initiatives, should be driven primarily by
overall value to customers and ratepayers. It is important to achieve
reliability risk mitigation in a manner that balances affordability of
electricity in a competitive global market with the need to ensure the
reliability and security of our North American electricity
infrastructure. Additional security requirements should be identified
through priorities and must be driven by a clear understanding of risks
and consequences, as well as the costs and benefits associated with
addressing them.
In February, FERC held a technical conference to begin the
discussion on the identification of priorities. The setting of
priorities for NERC has to take into consideration the need to be
responsive to regulatory directives from the Commission as well as
priorities identified by Congress. Beyond simply discussing priorities
there must be a systematic approach for analyzing risks and setting
priorities going forward.
Responses of Gerry Cauley to Questions From Senator Shaheen
Question 1. There is wide agreement that our goal needs to be to
prevent a cyber attack from ever being successful. But we also can't
ignore the possibility that we will one day see some disruption in our
infrastructure due to this kind of threat. If there was a successful
attack on U.S. electrical infrastructure, how widespread could the
effects be? How much would this cost the economy?
Answer. The resilience of the bulk power system in North America is
well documented and while we occasionally experience isolated outages
due to weather or other natural disasters, those outages are generally
limited in geographic areas and rarely last for a long period of time.
Coordinated physical and cyber attacks intended to disable elements of
the power grid or deny electricity to specific targets, such as
government or business centers, military installations, or other
infrastructures differ from conventional risks in that they result from
intentional actions by adversaries and are not simply random failures
or acts of nature. Damage experienced during a cyber attack on a
critical infrastructure like the electrical sector is difficult to
quantify because there are too many variables, every potential attack
is unique and most importantly, it has never happened before. However,
it is difficult to imagine a scenario with the electric sector
infrastructure in place today that would result in widespread outages
for any significant length of time. There are several major factors
that could contribute to the cost of a cyber event: actual damage to
equipment; economic losses due to lack of electricity; and perhaps most
importantly, the human suffering that could ensue. Damage to equipment
is manageable from a cyber perspective but physical attacks on
equipment such as transformers, if methodically orchestrated by a
determined adversary, could result in extended outages until
replacement equipment was identified, transported and installed. Any
extended outage, depending upon geographic location, could result in
significant economic costs and impact on the safety and well-being of
citizens.
Question 2. Is there anything that can be done to limit how much
damage can result from a single attack?
Answer. Yes. Critical Cyber Assets (CCA) are required to be
segmented both from other system assets and each other. CCAs are
incorporated into the larger Electronic Security Perimeter (ESP) that
controls and identifies all access points within utilities. As a result
of this segmentation, if one ESP is compromised, other ESPs are not
necessarily compromised, thus limiting any attack damage.
Limiting damage and the potential effects of a cascading
environment is important to NERC and the electricity industry. Current
CIP Standards contain requirements for response and recovery planning
for cybersecurity incidents. For example, NERC Reliability Standard
CIP-008, Incident Reporting and Response Planning, requires that the
Responsible Entity develop and maintain a cybersecurity incident
response plan and implement the plan in response to cybersecurity
incidents. At a minimum, the cybersecurity incident response plan must
address:
Procedures to characterize and classify events as reportable
cybersecurity incidents.
Response actions, including roles and responsibilities of
cybersecurity incident response teams, cybersecurity incident
handling procedures, and communications plans.
A process for reporting cybersecurity incidents to the ES-
ISAC. The Responsible Entity must ensure that all reportable
cybersecurity incidents are reported to the ES-ISAC either
directly or through an intermediary.
A process for updating the cybersecurity incident response
plan within 30 calendar days of any changes.
A process for ensuring that the cybersecurity incident
response plan is reviewed at least annually.
A process for ensuring the cybersecurity incident response
plan is tested at least annually. Testing the cybersecurity
incident response plan can range from conducting a paper
drill, to holding a full operational exercise, to responding to
an actual incident.
NERC Reliability Standard CIP-009, Recovery Plans for Critical
Cyber Assets, requires that the Responsible Entity create and annually
review recovery plans for CCAs. At a minimum, the recovery plans must
address the following:
A definition of severity that would activate incident
recovery plans.
An annual review of exercise recovery plans.
A process and procedure for the backup and storage of
information required to successfully restore CCAs.
Annual testing of information essential to recovery that is
stored on backup media. This testing is to ensure that the
information is available.
The bulk power system is highly redundant and planned with
sufficient resources to accommodate unexpected loads, including
contingency/reserve margins to meet balancing and regulation needs.
Redundancy plays an important role for reliability and it implies that
more than one means should exist to perform a given function. In the
case of a targeted attack, it is this system redundancy that will
mitigate system failure and cascading effects.
Question 3. Are the possible results of a successful cyber attack
incorporated into broader reliability planning?
Answer. Yes. Establishment and continued refinement of NERC's
enterprise risk-based programs, policies and processes to prepare for,
react to, and recover from cybersecurity vulnerabilities continue to be
a high priority. NERC's Reliability Assessments and Performance
Analysis Division (RAPA) is dedicated to annually assessing the
adequacy of the bulk electric system in the United States and Canada
and produces special assessments to assist with planning purposes. In
2010, DOE and NERC produced the High Impact, Low Frequency (HILF) Event
Risk to the North American Bulk Power System report which focused on a
class of rare risks with the potential to cause long-term catastrophic
damage to the bulk power system. The HILF report looked at pandemic
illness, coordinated cyber, physical, or blended attacks on the system,
geomagnetic disturbances (GMD) caused by extreme solar weather, and the
high-altitude detonation of a nuclear weapon. While some of these
events have never occurred and the probability of future occurrence and
impact is difficult to measure, the report identified nineteen
proposals for action for government and industry to evaluate and where
necessary, enhance current planning and operating practices to address
these risks.
Following release of the HILF report, the Electricity Sub-Sector
Coordinating Council (ESCC) developed the Critical Infrastructure
Strategic Roadmap which provided a framework to address severe-impact
risks, including those identified in the report. NERC staff and the
leadership of the NERC technical committees (Planning, Operating, and
Critical Infrastructure Protection Committees) have developed the
Critical Infrastructure Strategic Initiatives (Coordinated Action Plan)
to address these severe impact scenarios. The following task forces
have been created to further develop this plan:
1. The Cyber Attack Task Force (CATF) is charged with
considering the impact of a coordinated cyber attack on the
reliable operation of the bulk power system and also
identifying opportunities to enhance existing protection,
resilience and recovery capabilities.
2. Physical attack scenarios are addressed in two task
forces--the Severe Impact Resiliency Task Force (SIRTF) and the
Spare Equipment Data Base Task Force (SEDTF). The SIRTF was
formed to provide guidance and options to enhance the
resilience of the bulk power system to withstand and recover
from coordinated cyber and physical attacks as well as GMD.
3. The SEDTF was assigned to vet and redesign the SED,
including policies and protocols for its deployment across
North America. NERC has for many years (early 1980's) operated
an informal transformer-based Spare Equipment Database (SED)
for assisting utilities following events that exceed planned
contingencies. NERC is currently reorganizing and formalizing
SED to provide wider coverage among the many NERC participants
and provide broader coverage of the spare transformers to be
reported to the program.
4. The Geo-Magnetic Disturbance Task Force (GMDTF) was formed
to identify the current capabilities, potential impacts and
resiliency to GMD. The GMDTF will also identify modeling
requirements to support the requisite screening and detailed
study of vulnerable transformers to understand bulk power
system behavior and appropriate hardening and operational
requirements. In April 2011, NERC sponsored an industry
workshop on responding to geo-magnetic disturbances.\12\ On May
10, 2011, NERC issued an Advisory Alert to industry on the
operational preparatory actions and bulk power system planning
activities.\13\
---------------------------------------------------------------------------
\12\ See agenda at http://www.nerc.com/docs/pc/gmdtf/GMD_Workshop_rev6_04.19.2011.pdf
\13\ Industry Advisory, Preparing for Geo-Magnetic Disturbances,
issued on May 10, 2011, http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf
---------------------------------------------------------------------------
______
Responses of David K. Owens to Questions From Senator Bingaman
Question 1. At the 2009 Committee hearing on electric cyber
security, you testified that 1) consultation with industry was critical
to improving cyber security and that 2) legislation should complement,
not supplant, the existing reliability processes. Do you believe that
the changes in today's Discussion Draft respond to your comments from
last Congress? With which federal and state agencies do you coordinate
on cyber security threats and vulnerabilities?
Answer. We appreciate the Committee's continued efforts on this
critical issue. The Committee's ``Discussion Draft'' still provides
significant latitude for the Federal Energy Regulatory Commission
(FERC) to act unilaterally in mitigating cyber vulnerabilities.
Unintended consequences of mitigation are a concern absent input from
the stakeholder-driven, Electric Reliability Organization (ERO) process
contemplated in Sec. 215 of the Federal Power Act.
The industry currently coordinates with law enforcement at both the
state and federal level, as well as with state and Federal regulatory
bodies, including FERC and the various state public utility
commissions. At the Federal level we also continue to develop
relationships and work with the Department of Defense, Department of
Homeland Security, Department of Energy, as well as the intelligence
community, senior Administration leadership, and standards bodies like
the National Institute of Standards and Technology.
Question 2. Your testimony states that vulnerabilities, by their
nature, offer some time to determine the best response. Do you believe
that the process for addressing cyber security vulnerabilities in the
Discussion Draft can be completed in sufficient time to address
vulnerabilities?
Answer. Yes. In fact, we would encourage more coordination and
stakeholder input, such as that outlined in Sec. 215 of the Federal
Power Act.
Question 3. Your testimony highlights information sharing between
government agencies and utilities as an important issue. Do you believe
that this bill meets the needs of the industry in that area?
Answer. We appreciate the language in the ``Discussion Draft'' that
requires procedures be set up for information sharing that enables the
industry to implement rules or orders stemming from the legislation.
While we would prefer a very explicit mandate for sharing, as well as
public-private coordination and consultation in all situations that
time allows, we believe the Committee took an important step by
addressing information sharing in its draft.
Question 4. You testified that industry is working with NERC to
harden systems against and create redundancy in the systems to protect
against the effects of solar disturbances. Can you provide an update on
the general course of progress that members of your coalition are
making? Does EEI believe that the power grid in the United States, or
regions within it, is hardened against solar-magnetic disturbances or
electromagnetic pulse from man-made events?
Answer. EEI has not performed a formal survey of its members, but
we are aware that a number of EEI member companies have started to
purchase transformers with features that provide protections against
ground induced current like those caused by solar disturbances.
In addition, EEI member companies are working with NERC to develop
operational practices to mitigate risks associated with solar
disturbances through its Geomagnetic Disturbance Task Force (GMDTF). In
fact, on May 10, 2011, NERC issued an Industry Advisory on Preparing
for Geo-Magnetic Disturbances.
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf
NERC is actively addressing a range of high-impact, low-frequency
(HILF) risks to the bulk power system. These efforts are coordinated
through several task forces on which EEI and EEI member companies
participate, including: the GMDTF, the Spare Equipment Database Task
Force, the Cyber and Physical Attack Task Force, and the Severe Impact
Resilience Task Force.
The goal of these efforts is to develop models to better understand
the nature and effects of Coronal Mass Ejections (CME), the
vulnerabilities of equipment, bulk power system design considerations,
ability to reduce the operational and real time impacts of geo-magnetic
disturbances (GMD) on the bulk power system, inventory long-lead time
equipment, and restoration methods. Additional information will be
issued as findings from this assessment are completed.
EEI believes that efforts underway to mitigate risks associated
with solar disturbances do, in fact, reduce risk. We believe,
consistent with the testimony of Dr. William Tedeschi, more research is
needed in this area to better understand potential impacts and identify
additional effective risk mitigation strategies.
EEI believes there are residual risks associated with solar-
magnetic disturbances, and that there may not be 100% protection
possible against the most severe events.
Regarding electromagnetic pulse events from man-made activities, we
think that it is useful to differentiate between localized effects that
might be created from a portable device to create disruptive
electromagnetic energy vs. potential EMP from a high-altitude nuclear
weapon. A localized disruption would be handled similarly to how
electric utilities currently handle significant natural disasters. For
example, in the event that a tornado, flood, hurricane, or wild-fire
were to cause a particular facility to be non-operational, the electric
utility would initiate restoration activities and, as appropriate,
migrate operations to backup facilities.
Regarding potential EMP effects resulting from the detonation of a
high-altitude nuclear weapon, electric utilities rely on national
defense to prevent such events from occurring.
Question 5. NERC's High Impact, Low Frequency Event Risk to the
North American Bulk Power System report states that the interconnected
nature of the bulk power system requires that risk management actions
be consistently and systematically applied across the entire system to
be effective. If there are distribution-level systems and assets that
are so vital that their loss would have a debilitating impact on
national security, national economic security, or national public
health or safety, why shouldn't we apply risk management processes
consistently and systematically to this limited set of systems and
assets? Do you think each state has adequate cyber expertise and has
already taken the steps needed to protect distribution facilities?
Answer. To the degree there are distribution-level systems and
assets that are so vital that their loss would have a debilitating
impact on national security, national economic security, or national
public health or safety, they could be protected in a manner consistent
with the recently released Administration proposal for critical
infrastructure protection. Given the interests of the States concerning
distribution-level systems, it is important to coordinate protection
strategies with them.
Question 6. NERC has stated that not all vulnerabilities can or
should be addressed by a standard. Do you agree? If yes, what would be
the appropriate means of addressing some of these vulnerabilities?
Would you support making NERC directives other than standards mandatory
and enforceable?
Answer. Cyber threats and vulnerabilities evolve very quickly and
oftentimes are specific to a particular entity or type of asset, but
standards are designed to ``standardize'' procedures or processes in a
more long-term, broadly applicable way. Instead, patches and alerts are
the preferred approach for addressing rapidly-evolving, targeted
threats and vulnerabilities.
In limited circumstances and with stakeholder input designed to
meet a very short deadline, it could make sense for NERC alerts or
directives to be mandatory and enforceable. With respect to the limited
circumstances, I would suggest classifying a fourth level of alert--
currently, there are three--which would provide NERC with this
authority under circumstances where failure to patch the vulnerability
could have particularly devastating effects. With respect to industry
input, we continue to make the case that, to the best of everyone's
ability, unintended consequences from mitigation need to be avoided,
and having grid engineers suggesting mitigation is the most prudent way
to accomplish this.
Responses of David K. Owens to Questions From Senator Murkowski
Question 1. You note that the distinction between imminent threats
and less time sensitive vulnerabilities is important. I understand that
EEI, along with the rest of the industry, supports new federal
authority to deal with emergency threats. However, you believe
vulnerabilities are already covered through the Section 215 process so
additional FERC authority in this area is not necessary. Is that
correct? Do you support NERC's request to make their Alerts legally
enforceable?
Answer. EEI supports new federal authority to deal with emergency
threats; however, vulnerabilities are already covered through the
Section 215 process so additional FERC authority in this area is not
necessary.
Cyber threats and vulnerabilities evolve very quickly and
oftentimes are specific to a particular entity or type of asset, but
standards are designed to ``standardize'' procedures or processes in a
more long-term, broadly applicable way. Instead, patches and alerts are
the preferred approach for addressing rapidly-evolving, targeted
threats and vulnerabilities.
In limited circumstances and with stakeholder input designed to
meet a very short deadline, it could make sense for NERC alerts or
directives to be mandatory and enforceable. With respect to the limited
circumstances, I would suggest classifying a fourth level of alert--
currently, there are three--which would provide NERC with this
authority under circumstances where failure to patch the vulnerability
could have particularly devastating effects. With respect to industry
input, we continue to make the case that, to the best of everyone's
ability, unintended consequences from mitigation need to be avoided,
and having grid engineers suggesting mitigation is the most prudent way
to accomplish this.
Question 2. You testified that any new government authority should
be limited to covering truly critical assets--that over-inclusion of
electric utility infrastructure would be counterproductive. Are you
talking about allowing FERC to get down to the distribution level, even
for ``vital'' assets? If we do allow FERC this additional authority, do
you agree with NERC that the discussion draft should be amended to make
sure the ERO, and the Section 215 stakeholder process, can cover this
local level as well?
Answer. To the degree there are distribution-level systems and
assets that are so vital that their loss would have a debilitating
impact on national security, national economic security, or national
public health or safety, they could be protected in a manner consistent
with the recently released Administration proposal for critical
infrastructure protection. Given the interests of the States concerning
distribution-level systems, it is important to coordinate protection
strategies with them. And, given the value of the ERO process, it is
important that any FERC authority be buttressed by stakeholder input.
Question 3. In the vulnerabilities section of the discussion draft,
we have yet to specify the timeframes for FERC's initial determination
on the adequacy of reliability standards and for NERC's response to any
Commission directive. In EEI's opinion, what is the appropriate amount
of time for these actions?
Answer. It is important to balance the need for FERC to have
sufficient time to review the current standards in light of known
potential vulnerabilities with the need to identify those potential
vulnerabilities in an expeditious manner so that NERC can begin its
standards development process. Given that FERC is already familiar with
the existing body of standards, having previously approved them, a
period of around 120 days may be appropriate. Similarly, the time for
NERC to respond must also be a balance of the need to respond to
potential vulnerabilities in a prompt manner while giving the NERC
standards development process a sufficient time to complete the task.
Given that NERC has adopted procedures that provide for faster action
in certain cases, a similar 120-day period may be appropriate. FERC and
NERC may have views on this issue.
Question 4. You note in your testimony that the new proposed
authority for FERC to issue an ``Interim Final Rule'' could be done
with no hearing or prior notice. The provision was written this way
because the intent was for a NERC developed standard to eventually
supplant the FERC Interim Rule. If the Committee fixes the discrepancy
problem with NERC's ability to reach the distribution level do you
still have due process concerns?
Answer. Since NERC does not have authority to develop standards for
facilities used in local distribution, this effectively means FERC
would be writing standards or directing operational changes for
distribution facilities. Giving FERC this jurisdiction over local
distribution facilities is contrary to both Section 215 and the Federal
Power Act as a whole, which excludes from federal jurisdiction
facilities used in the local distribution of electric energy.
However, EEI remains concerned with the provision even if
distribution facilities were removed. As I pointed out in my written
and oral testimony, utilities understand how their complex systems are
designed and operated and ``are in a unique position to understand the
consequences of a potential malicious act as well as proposed actions
to prevent such exploitation, including ensuring against unintended
consequences of remedial actions. It is critically important to
establish a workable structure that enables the government and the
private sector to work together in order to provide a more secure
system for our customers.'' This is why it is vitally important that
there be consultation and an opportunity for comment, even if
expedited, before FERC could develop an ``interim final'' rule. An
interim final rule is, in effect, ``final'' until replaced with another
rule. Industry consultation is imperative in order to develop a
solution that protects utility systems and customers. This is an
integral part of the public-private partnership that the majority of
witnesses at the hearing endorsed.
Question 5. The potential threat from an EMP attack or geomagnetic
disturbances is not new. Given the existing knowledge of the potential
for these types of disruptions, what steps have been taken to protect
our grid from EMP and geomagnetic-related events? Are hardening
standards in place for new products being placed onto the grid?
Answer. Although the threats posed by potential EMP effects
resulting from the detonation of a high-altitude nuclear weapon are not
new, the discussion of the potential for a rogue nation to launch and
detonate a small number of high-altitude nuclear weapons is relatively
new, and significantly different than a ``cold war'' discussion of
``mutually assured destruction.'' The industry is not in the position
to evaluate the threats posed by potential rogue nation(s) in this
regard.
A number of electric utilities and regional transmission operators
have developed operational procedures to reduce the risk to the system
during elevated periods of solar disturbance activities. In addition,
entities receive and evaluate solar magnetic event predictions
generated by National Oceanic and Atmospheric Administration (NOAA)
Space Weather Prediction Center (SWPC).
There are no uniform (standard) specifications for new transformers
to mitigate ground induced currents associated with solar magnetic
disturbances. Moreover, there are a number of installation specific
attributes to be factored into potential designs including the
characteristics of the energy to be transformed (e.g. voltage,
impedance, etc.) as well as the relative resistance/conductivity or
underground rock formation of the installation site.
EEI has not performed a formal survey of its members, but we are
aware that a number of EEI member companies have started to purchase
transformers with features that provide protections against ground
induced current like those caused by solar disturbances. Although
entities purchasing new transformers can designate product
characteristics that may mitigate the risk of geomagnetic disturbances,
they are not required to do so.
Question 6. Please describe the industry's existing Spare
Transformer Sharing program. What more can be done in this area?
Answer. Please see attached STEP Overview document.*
---------------------------------------------------------------------------
* Document has been retained in committee files.
---------------------------------------------------------------------------
Responses of David K. Owens to Questions From Senator Udall
Question 1. Has the Aurora vulnerability been effectively
mitigated, and how is this verified? What is the factual basis for your
answer?
Answer. On October 13, 2010, NERC issued an Alert titled: ``AURORA
Mitigation--Protection and Control Engineering Practices and Electronic
and Physical Security Mitigation Measures.''
NERC required registered entities to respond to NERC regarding
their mitigation status. Those entities that have not completed
mitigation are required to report their status to NERC every six months
until they are complete. NERC is best able to provide an answer to your
question.
Question 2. Are the current spare transformer resources, including
the EEI STEP program, sufficient to mitigate the transformer loss
scenario presented in the Oak Ridge National Laboratory report from a
1921-level solar storm (over 300 transformers)? What is the factual
basis for your answer?
Answer. The EEI STEP program is currently structured to address
responding to a terrorist attack on substations and transformers,
rather than a geomagnetic disturbance. Although there are spare
transformers available, it is not known with certainty whether the
available spares would adequately respond to the scenario envisioned in
the Metatech report.
We don't have access to the assumptions, methodology or selection
criteria used by Metatech, or how the conclusion regarding transformer
failure was arrived at. It is our understanding that the report was not
subject to scientific or industry peer review.
Question 3. How effective has the current standards development
process been in protecting against cyber and other non-cyber threats
and vulnerabilities to the grid? Is it possible to use this process
supplemented with NERC's emergency standards process and the Alerts
process to get the job done?
Answer. It's effective and improving. Yes, it's possible to get the
job done as you suggest, and given the complexity of the bulk power
system, it is critical to continue to actively engage owners and
operators of the system as well as industry stakeholders in the
development of mandatory and enforceable standards.
Response of David K. Owens to Question From Senator Portman
Question 1. Multiple levels of protection on the electric system
have significant, additional costs, and may not be the most cost-
effective means of mitigating known vulnerabilities or combating known
threats. How would you recommend that determinations be made about
additional security requirements that are ordered to be put in to
place? Should there be a risk assessment required to determine cost-
effectiveness?
Answer. Risk assessments should be used to prioritize threats and
vulnerabilities and evaluate potential risk mitigation strategies. In a
resource-constrained environment, choices will have to be made about
which risks to address, and to what degree.
It is appropriate to recognize that it is simply not possible to
prevent all failures. In addition to prevention, the electric utilities
have demonstrated a significant resilience in response to various local
and regional disasters.
______
Responses of Joseph McClelland to Questions From Senator Bingaman
Question 1. The Discussion Draft creates a process to address cyber
security vulnerabilities affecting critical electric infrastructure.
The Discussion Draft left open the following question: what is the
maximum number of days the Federal Energy Regulatory Commission (FERC)
should be granted to determine whether the existing set of reliability
standards are adequate to protect this infrastructure from cyber
security vulnerabilities. Can you estimate how long, in days, it might
take FERC to make this determination?
Answer. I believe 120 days would be adequate for FERC to make this
determination. This would include time for the Commission to issue a
proposed determination, seek and consider public comments and then
issue its determination.
Question 2. How long NERC should have, in days, to develop
standards in response to a FERC directive to address cyber security
vulnerabilities?
Answer. I believe 60 days would be adequate for NERC to develop
standards in response to a FERC directive.
Question 3. Your testimony states that NERC submitted eight
proposed cyber security standards, known as the Critical Infrastructure
Protection (CIP) standards, to FERC for approval under section 215.
Your testimony further states that FERC approved those standards in
2008 but directed NERC to make certain revisions. As I understand it,
NERC continues to work on those revisions and plans to submit them to
FERC somewhere in 2012. If submitted in 2012, development and approval
of the first set of cyber security standards will have lasted around 6
years. Why has this process lasted this long?
Answer. The length of time it has taken for the CIP standards to be
developed and implemented illustrates the potential limitations of
NERC's standards development process. Under section 215 of the Federal
Power Act, the ERO's standards development process must provide for
reasonable notice and opportunity for public comment, due process,
openness, and balance of interests in developing reliability standards.
Accordingly, NERC's standards development procedures, under which the
CIP standards must be developed, allow for extensive opportunity for
stakeholder participation. The NERC standards development process is
intended to develop consensus on both the need for, and the substance
of, the proposed standard. This results in a relatively slow process.
Question 4. Can FERC describe the advantages of having a definition
of ``Critical Electric Infrastructure'' that is slightly more expansive
than the current definition of ``Bulk Power System''?
Answer. The ERO's current interpretation of the definition of bulk-
power system excludes virtually all of the grid facilities in certain
large cities such as New York. Moreover, the bulk-power system is
statutorily defined as excluding facilities used in local distribution.
Thus, the advantage of having a definition of ``Critical Electric
Infrastructure,'' as set forth in the Discussion Draft that is more
expansive than the current definition of ``bulk-power system,'' as
defined in section 215(a)(1) of the Federal Power Act, is the
Commission would be, for the first time, authorized to take action to
mitigate cyber security vulnerabilities that involve certain critical
distribution facilities and certain critical transmission facilities
located in major population areas. However, the Discussion Draft
includes these facilities only if their incapacity or destruction
``would have a debilitating impact on national security, national
economic security, or national public health or safety.''
Question 5. Your testimony states that the Federal Power Act allows
for some degree of discretion in defining elements of the Bulk Power
System. (Your 2009 testimony made the same point.) From FERC's
perspective, has progress been made to the processes of identifying
critical assets? Do users, owners, and operators have the same level of
discretion some two years later?
Answer. In February 2011, NERC filed a petition seeking approval of
Version 4 of the CIP standards. Version 4 includes new proposed
criteria to identify ``critical assets'' for purposes of the CIP
reliability standards. This filing is currently under review by the
Commission. Thus, I cannot address its merits at this time. In order to
better understand the NERC Version 4 petition, particularly the number
of critical cyber assets that will be identified under this revision,
the Commission issued data requests to NERC, with responses due on July
11, 2011, which reflects an extension of time requested by NERC.
Currently, users, owners and operators essentially have the same
discretion as to whether their facilities fall under the CIP standards
because there has been no change in method of identifying critical
cyber assets in the CIP Standards that are currently in-effect.
Question 6. Do you think every State has adequate cyber expertise
to protect distribution-level systems and assets that are so vital
that their loss would have a debilitating impact on national security,
national economic security, or national public health or safety?
Answer. I do not know whether every State has adequate cyber
expertise to protect these distribution-level systems and assets.
However, expertise and coordination at the state level would have to
include the knowledge of how cyber security vulnerabilities on the
distribution-level systems and assets, along with their associated
connectivity, could have a debilitating impact on the bulk-power system
as well as on national security, national economic security, or
national public health or safety.
Question 7. NERC indicated that industry learned lessons and
hardened a lot of equipment following the 1989 geomagnetic disturbance
that affected Quebec. Does FERC believe that the power grid in the
United States, or regions within it, is hardened against solar-magnetic
disturbances or electromagnetic pulse from man-made events?
Answer. I am not aware of information showing that the power grid
has been hardened to withstand a geomagnetic disturbance or an EMP
event. Steps taken after the 1989 geomagnetic event are principally
operational in nature. Further, according to the NERC--DOE High Impact,
Low Frequency Event Risk to the North American Bulk Power System
Summary Report (June 2010), the procedures put in place after the 1989
geomagnetic event were not designed for the extreme geomagnetically
induced current (GIC) levels considered in the NERC-DOE study. The
recommended actions in the NERC-DOE study include monitoring of NOAA
alerts, reducing loading on critical transmission facilities,
increasing generation reserves, and deferring or discontinuing
maintenance. Some utilities have readjusted protection systems to be
more tolerant of harmonic currents in order to reduce the probability
of undesirable operation under GIC conditions. However, none of these
actions reduce or prohibit the flow of GIC on the system and are not
considered to be hardening of equipment to protect against an EMP
event. Although we have received information about a few utilities that
have attempted to harden some individual elements within their systems
against either a solar magnetic disturbance or an EMP event, overall,
the U.S. power grid has not been hardened against either.
Question 8. NERC stated that legislation that provided for both
standards and other NERC directives to be legally enforceable would
significantly enhance cyber security. NERC's alerts process is
contained within the NERC Rules of Procedure. Did NERC file these rules
with FERC? If yes, what was the stated intent of the alerts program in
the NERC filing? Did FERC formally approve these rules? What role, if
any, does FERC play in the NERC alerts process?
Answer. Yes, the ERO is required by section 215(f) of the Federal
Power Act to file with the Commission for approval any proposed rule or
proposed rule change. A proposed rule or change to the rules of the ERO
(NERC) may not take effect until the Commission approves the rule.
NERC's ``alert process'' is set forth in section 810 of its Rules of
Procedure, ``Information Exchange and Issuance of NERC Advisories,
Recommendations and Essential Actions.'' NERC has stated that the
purpose of section 810 is to allow NERC to disseminate findings and
recommendations from its analyses of major events and information on
other events and on potential bulk-power system vulnerabilities. The
Commission formally approved section 810 of NERC's Rules of Procedure
by order dated February 6, 2008. See North American Electric
Reliability Corp., 122 FERC ¶ 61,105 (2008). The Commission's role with
respect to any NERC advisory, recommendation, or essential action notice
is set forth in section 810(5) of the Rules of Procedure. Specifically,
NERC is required to give the Commission at least five days prior
notice, or less if necessary due to extraordinary circumstances, of
NERC's intention to issue an advisory, recommendation or essential
action notice. This provides the Commission an opportunity to provide
input regarding the content of the advisory, recommendation or
essential action notice. However, neither the NERC Rules of Procedure
nor the Commission's regulations require NERC to accept any Commission
input. Further, none of the Alerts are mandatory for the industry to
follow.
Responses of Joseph McClelland to Questions From Senator Murkowski
Question 1. Through the definition of ``critical electric
infrastructure,'' the discussion draft legislation extends FERC's
jurisdiction beyond the Bulk Power System to the distribution level as
long as those systems or assets are ``vital'' to the nation's security,
economy, public health or safety. However, as discussed at the May 5th
hearing, NERC's authority as the ERO does not extend to the
distribution level.
In the discussion draft text, we were trying to respect the Section
215 stakeholder process--the idea being that if FERC directed the ERO
to develop or modify a cyber standard to protect ``critical electric
infrastructure'' that standard would be developed through the existing
stakeholder process. If FERC found that standard to be inadequate, only
then would the Commission be authorized to develop an interim back-stop
standard. And that FERC standard would eventually be supplanted by an
acceptable NERC produced standard. It was not my intent to allow FERC
sole discretion to dictate standards at the local level or bypass the
Section 215 process altogether. Please comment.
Answer. I agree that the discussion draft does not eliminate the
ERO's standards development role. However, if the ERO fails to submit a
timely and adequate standard or modification, the discussion draft
would allow the Commission to issue an interim final rule. The
discussion draft is unclear on whether the Commission may take such
action in other circumstances but, as I stated in my testimony, FERC
should be able to require mitigation even before or while NERC and its
stakeholders develop a standard, when circumstances require urgent
action. Should the Commission require an action on the distribution
system, the Commission could rescind the action when no longer
necessary. If your intention is to allow the ERO to develop reliability
standards to address distribution level cyber vulnerabilities, the
discussion draft may need to be modified.
Question 2. The discussion draft defines the term ``Critical
Electric Infrastructure'' as follows:
. . .means systems and assets, whether physical or virtual,
used for the generation, transmission, or distribution of
electric energy affecting interstate commerce that, as
determined by the Commission or the Secretary (as appropriate),
are so vital to the United States that the incapacity or
destruction of the systems and assets would have a debilitating
impact on national security, national economic security, or
national public health or safety.
To what extent are distribution assets captured in this definition?
Answer. Distribution systems and assets are captured by the
proposed Critical Electric Infrastructure definition in the discussion
draft, if their incapacity or destruction would have a debilitating
impact on national security, national economic security or national
public health or safety.
Question 3. Do you read the discussion draft as allowing both FERC
and DOE to develop different lists of critical assets? If so, can you
provide clarifying language to the Committee?
Answer. Yes. The discussion draft authorizes the Commission or DOE
to identify critical electric infrastructure systems and assets. If
this approach is deemed inappropriate, the definition of Critical
Electric Infrastructure could be clarified as follows:
The term `critical electric infrastructure' means systems and
assets, whether physical or virtual, used for the generation,
transmission, or distribution of electric energy affecting
interstate commerce that, as determined by the Commission in
consultation with the Secretary or the Secretary (as
appropriate), are so vital to the United States that the
incapacity or destruction of the systems and assets would have
a debilitating impact on national security, national economic
security, or national public health or safety.
[Note: For printing purposes, in the above text, italic represents
double underlined language and bold represents strike through
language.]
Question 4. Currently, how do FERC and DOE work together to assess
threats and vulnerabilities? Have there been any problems with this
working relationship? How do the two agencies coordinate with the
government's intelligence agencies? How does FERC coordinate with NERC
on these issues?
Answer. FERC, DOE, DHS, DOD, NRC, FBI, NSA and CIA share
information about vulnerabilities to the electric grid. That
interaction includes ad hoc meetings on specific topics (such as
Stuxnet) and participation in established forums. FERC participates in
and supports the Government Coordinating Council for the Energy Sector
(for which DOE is the sector-specific agency), the Industrial Control
Systems Joint Working Group (organized by DHS) and the Roadmap to
Secure Control Systems in the Energy Sector (sponsored by DOE and DHS).
FERC also receives technical information and daily reports on threats
and vulnerabilities from DHS, the U.S. CERT (Cyber Emergency Response
Team), the ICS CERT (Industrial Control Systems CERT) and the SCADA
Test Bed. To date, I have not seen any problems with this working
relationship.
FERC and NERC coordinate in a number of ways. These include FERC
briefing NERC and the industry on threats and vulnerabilities and
receiving information through the Electric Sector Information Sharing
and Analysis Center (operated by NERC). In addition, FERC works with
NERC on every Alert issued to the Electric Sector by NERC. FERC
provides technical analysis and input to the Alerts.
Question 5. In your testimony, you note that the Commission has
existing authority to direct NERC to develop a reliability standard to
address a particular issue, including a cyber security matter, pursuant
to Section 215(d)(5) of the Federal Power Act. To date, FERC has not
used this authority, which is noted in the DOE/IG report you reference.
Why not? Are you aware of any current vulnerabilities that NERC is not
addressing?
Answer. The Commission has used its FPA section 215(d)(5) authority
to direct the ERO to address cyber security matters. Specifically, on
January 18, 2008, in Order No. 706, the Commission directed the ERO,
pursuant to section 215(d)(5) of the FPA, to develop significant
modifications to the CIP standards the ERO submitted to the Commission
for approval to address vulnerabilities identified by the Commission.
To date, the majority of the Order No. 706 directed modifications to
the CIP standards have not been completed by NERC. Until they are
addressed, there are significant gaps in protection such as inadequate
identification of critical cyber assets. NERC is in various stages of
its standards development process to address these directed
modifications. Section 215 of the FPA does not allow the Commission to
write or modify the standards, therefore the Commission must rely on
the ERO's standards development process to answer the Commission's
directives such as those in Order No. 706. This authority is inadequate
to address cyber threats and vulnerabilities on the power grid. The
DOE-IG report also concluded that this authority was inadequate and
recommended the Commission seek additional authority from Congress.
Question 6. You note that the existing reliability standards do not
address EMP vulnerabilities. Can't FERC order NERC to produce EMP-
related standards pursuant to Section 215? If so, why hasn't the
Commission taken such action?
Answer. Yes. The Commission can order the ERO to address EMP
vulnerabilities under Section 215. However, to date, the Commission has
focused on cyber security issues identified in Order No. 706 which
remain largely unaddressed, as explained in question #5 above. In order
to better understand the EMP issue and inform our actions, the
Commission initiated a joint study with DOE and DHS through the Oak
Ridge National Laboratory. This study was just completed September 20,
2010 and was released for peer review at that time. From that time, the
Commission has been considering possible options to address this matter
including use of its FPA 215 authority. However, the Commission has
found the standards development process to be too slow, too open and
too undependable to protect the grid from vulnerabilities and threats
that can imperil national security. Physical or non-cyber events or
attacks, such as an EMP attack, can damage the grid as much as, or more
than, cyber attacks. These events might vary significantly and range
from natural causes such as solar-magnetic storms to deliberate and
coordinated attacks on specific equipment such as bulk power
transformers. Legislation including non-cyber vulnerabilities would
authorize regulatory requirements, quickly if necessary, to install and
actuate protection measures against a solar storm (or threat of an
electromagnetic pulse attack) or the stockpiling and sharing of costs
for spare transformers.
Question 7. You state that NERC's inclusive stakeholder process,
while appropriate for developing routine reliability standards, can
serve as an impediment when immediate measures need to be taken to
address threats to national security. However, the discussion draft
bifurcates federal authority--it tasks DOE with responding to immediate
threats and FERC, through the NERC process, with responding to less
time-sensitive vulnerabilities. What is FERC's position on this
proposed bifurcation? Does the additional authority granted in the
discussion draft to the Energy Department for imminent threats address
your concerns?
Answer. The discussion draft allows for protection of critical
electric infrastructure against all cyber security vulnerabilities and
threats. The legislation directs FERC to address cyber security
vulnerabilities of the Nation's critical electric infrastructure. These
vulnerabilities may sometimes be urgent even if an ``imminent danger''
of a threat has not yet been adequately documented. To this extent, the
discussion draft's authorization for the Department of Energy to
address imminent threats is not, by itself, an adequate solution. The
discussion draft places the responsibility and authority to address
cyber security vulnerabilities of the electric grid with the agency
that is already charged with regulating reliability and cyber security
of the bulk-power system and is therefore experienced and expert in
regulating these matters. Should the discussion draft retain the
separation of FERC and DOE responsibilities, FERC expects to coordinate
with DOE in order to prevent overlap of our actions regarding FERC's
responsibility to address ``vulnerabilities'' and DOE's responsibility
to address ``threats.'' FERC already coordinates with and has an
excellent working relationship with many other agencies such as DOE,
DHS, DOD, NRC, FBI, NSA and CIA to avoid duplicative or conflicting
actions.
Question 8. What is FERC's position on making NERC's Alerts legally
enforceable?
Answer. Allowing NERC to issue legally enforceable ``Alerts'' would
vest too much authority in a non-government organization.
Question 9. It appears from your testimony that FERC has been
frustrated with NERC's process and timeliness in identifying critical
assets. However, NERC's revised ``bright-line'' proposal for
identifying these assets has been pending with the Commission since
February. Why hasn't the Commission acted on this proposal to fill in
this gap? Couldn't FERC accept this standard and, at the same time,
request additional information if needed?
Answer. In February 2011, NERC filed a petition seeking approval of
Version 4 of the CIP standards. Version 4 includes new proposed
criteria to identify ``critical assets'' for purposes of the CIP
reliability standards. This filing is currently under review by the
Commission. Thus, I cannot address its merits at this time. In order to
better understand the NERC Version 4 petition, particularly the number
of critical cyber assets that will be identified under this revision,
the Commission issued data requests to NERC, with responses due on July
11, 2011, which reflects an extension of time requested by NERC.
Currently, users, owners and operators essentially have the same
discretion as to whether their facilities fall under the CIP standards
because there has been no change in method of identifying critical
cyber assets in the CIP Standards that are currently in-effect.
Question 10. In the vulnerabilities section of the discussion
draft, we have yet to specify the timeframes for FERC's initial
determination on the adequacy of reliability standards and for NERC's
response to any Commission directive. In FERC's opinion, what is the
appropriate amount of time for these actions?
Answer. See the responses to Senator Bingaman's Question Nos. 1 and
2.
Question 11. In the 2007 Energy Independence and Security Act
(EISA), Congress directed NIST and FERC to work on interoperability
standards for smart grid devices, including cyber security standards.
What is the status of this effort? Do the discussion draft's provisions
build on or supersede EISA's efforts to improve the cyber security of
smart grid devices?
Answer. The most recent Commission action regarding
interoperability standards for smart grid devices was a technical
conference held on January 31, 2011 to obtain further information to
aid the Commission's determination of whether there is ``sufficient
consensus'' that certain smart grid interoperability standards are
ready for Commission consideration in a rulemaking proceeding. By
notice issued February 16, 2011 the Commission sought industry
comments. Comments were filed April 8, 2011 and reply comments were
filed April 22, 2011. The discussion draft's provisions complement
EISA's efforts to address cyber security of smart grid devices. EISA
requires the Director of the National Institute of Standards and
Technology (NIST) to coordinate the development of a framework that
includes protocols and model standards for information management to
achieve interoperability of smart grid devices and systems. When the
Commission finds that NIST's work has led to sufficient consensus, the
Commission's task is to institute a rulemaking to adopt such standards
and protocols as may be necessary to insure smart grid functionality
and interoperability in interstate transmission of electric power, and
regional and wholesale electricity markets. Because the smart grid
interoperability standards are developed using a consensus approach,
similar to NERC's development of reliability standards, the process can
be slow. Thus the discussion draft provisions would allow the
Commission, if necessary, to move quickly and effectively to address
cyber security vulnerabilities that may arise from the implementation
of smart grid technology.
Question 12. You testified that you support ``clarifications that
might better ensure recovery of costs incurred under this
legislation.'' Can the Commission provide proposed text?
Answer. As I stated in my testimony, ``it is important that
entities be able to recover costs they incur to mitigate
vulnerabilities and threats.'' However, ensuring cost recovery is
complex because the affected utilities include not only public
utilities regulated under sections 205 and 206 of the Federal Power Act
but also non-public utilities. Also, some utilities charge cost-based
rates while others charge market-based rates. Given these complexities
and others, I do not have specific text to suggest at this time, but
the affected utilities may have considered this issue in more depth.
Question 13. At the May 5th hearing, you testified that FERC should
only get out in front of the ERO in ``limited circumstances.'' Please
elaborate. Can FERC provide the Committee with language to capture only
these limited circumstances?
Answer. The discussion draft would authorize the Commission to take
immediate action to address a cyber security vulnerability, i.e., get
out in front of the ERO by issuing an interim final rule, only if the
Commission determines immediate action is necessary. The discussion
draft language, in subsection (b)(6)(B), appropriately frames these
``limited circumstances'' as those of immediacy. To clarify this point,
however, this subsection could be modified by adding the following at
the beginning of subsection (b)(6)(B): ``Notwithstanding paragraph (A).
. ..''
Question 14. The Energy Committee's discussion draft is an
electricity-sector only cyber piece. Does FERC prefer a comprehensive,
government-wide approach to cyber security issues?
Answer. FERC has no preference, but if a government-wide course is
pursued, care should be taken to ensure that the two approaches
complement each other, preserving or even enhancing FERC's ability to
regulate effectively under legislation such as the discussion draft.
The discussion draft would authorize FERC to address cyber security
vulnerabilities of the Nation's critical electric infrastructure. By
doing so, the legislation places the responsibility and authority to
address cyber security vulnerabilities of the electric grid with the
agency that is already charged with regulating reliability and cyber
security of the bulk-power system and is therefore experienced and
expert in these matters. The discussion draft does not preclude or
discourage FERC from working with other agencies or even a central
authority (if Congress or the President elects to establish one) to
address and mitigate these issues. In fact, in order to be most
effective, the Commission would need to coordinate closely with other
agencies and bring all resources and expertise to bear on the
particular vulnerability or threat presented. FERC already works
closely with agencies such as DOE, DOD, DHS, NSA, FBI, NRC, CIA in
these matters and expects to continue to do so if the proposed
legislation is passed; even in combination with other cyber security
legislative efforts affecting other industries and agencies.
Responses of Joseph McClelland to Questions From Senator Udall
Question 1. Has the Aurora vulnerability been effectively
mitigated, and how is this verified? What is the factual basis for your
answer?
Answer. No, I am not aware of any information showing that it has
been effectively mitigated. The latest effort to further mitigate the
Aurora vulnerability involved NERC and several federal agencies. This
mitigation effort included the controlled release to industry of a
significant body of technical information about the vulnerability and
NERC's issuance of a Level 2 Recommendation in October 2010. The Level
2 Recommendation set forth mitigation steps that asset owners could
take voluntarily and required feedback on six related questions. Other
than responding to the questions, no actions described in the
Recommendation were mandatory. The responses indicated that the
majority of the companies had not completed their mitigation plans,
their mitigation efforts or even whether the plans would be effective.
Question 2. Are the current spare transformer resources, including
the EEI STEP program, sufficient to mitigate the transformer loss
scenario presented in the Oak Ridge National Laboratory report from a
1921-level solar storm (over 300 transformers)? What is the factual
basis for your answer?
Answer. I do not have any information to substantiate that current
spare transformer resources from the EEI STEP program are sufficient to
mitigate the projected losses from such a storm--up to 368
transformers.
Moreover, the EEI STEP program was designed as a transformer asset
sharing program which assists a participating utility in the
restoration of electric service in the event of an act of deliberate
destruction of utility substations. This program is designed to reduce
the acquisition of transformers by aggregating the needs, in a
particular voltage class, among utilities that participate in that
program class. While this program may assist any one utility in
restoration under a large scale destructive event, it is not designed
to mitigate the multiple utility losses as in the case scenario
presented in the Oak Ridge Study.
Question 3. How effective has the current standards development
process been in protecting against cyber and other non-cyber threats
and vulnerabilities to the grid? Is it possible to use this process
supplemented with NERC's emergency standards process and the Alerts
process to get the job done?
Answer. The current standards development process has not resulted
in cyber security standards that adequately protect the grid against
cyber vulnerabilities or threats. More than three years has passed
since the Commission issued Order No. 706 directing significant
modifications to the eight Critical Infrastructure Protection
reliability standards. Most of the directed modifications have not been
made yet. In addition, the level of sophistication of cyber and other
national security threats has increased and more hacker attention is
being focused on control systems. NERC's emergency standards process
and its ``Alerts process'' are not enough to bridge the gap in
protection. NERC's Alerts are voluntary and are subject to the same
limitations as the standards such as open disclosure and unpredictable
results. Further, NERC's emergency standards process calls for an
urgent action standard to be developed within 60 days and submitted to
the Commission for approval or remand (which could be further expedited
by a written finding by the NERC board of trustees that an
extraordinary and immediate threat exists to bulk-power system
reliability or national security). Should the Commission approve the
standard, it becomes mandatory for two years and must be replaced,
requiring the standards development process to produce a replacement
standard. Moreover, while it is untested and unclear, NERC's urgent
action procedures could widely publicize both the vulnerability and the
proposed solutions before they are even deployed, thereby negating
their effectiveness. If faced with a national security risk to
reliability, there may be a need for an order by the Commission to act
directly; expeditiously, within hours or days, rather than weeks or
months; and confidentially, in a manner that protects certain
information from public disclosure. Thus, even with NERC's emergency
standards process and Alerts process there is a continued need for a
process to mandate immediate and confidential security measures. The
best method for adopting and implementing mandatory and confidential
security measures quickly is through direct federal agency action.
Responses of Joseph McClelland to Questions From Senator Portman
Question 1. Is it your understanding that the joint discussion
draft pertaining to cyber-security of critical electric infrastructure
would extend the jurisdiction of the Federal Regulatory Commission to
include distribution of assets for purposes of ensuring reliability
standards are adequate to protect Critical Electric Infrastructure?
Answer. Yes, see my response to Senator Murkowski's Question No. 2.
Distribution systems and assets would be included only if their
incapacity or destruction would ``have a debilitating impact on
national security, national economic security, or national public
health or safety.''
Question 2. Since distribution assets are generally under the
jurisdiction of the states where they are located, do you anticipate
conflicts with various state laws and regulations or, perhaps, other
federal initiatives such as interoperability standards for Smart Grid?
Answer. No. The discussion draft would expand the Commission's
jurisdiction over certain critical distribution assets for the limited
purpose of protecting such assets from cyber vulnerabilities. Thus,
this limited expansion of the Commission's jurisdiction would preempt
state authority in this discrete area, thereby avoiding any potential
conflict. With respect to other federal initiatives, the Commission
would coordinate with other agencies, as necessary, to prevent overlap
of orders or enforcement actions regarding FERC's responsibility to
address cyber vulnerabilities. FERC already coordinates with many other
agencies such as DOE, DOD, DHS, NRC, NSA, FBI and CIA to avoid
duplicative or conflicting actions.
Question 3. Should conflicts arise, how do you envision these
conflicts will be resolved?
Answer. See above response to your Question No. 2.
Question 4. Do you believe that FERC jurisdiction over distribution
of assets is necessary?
Answer. Without FERC jurisdiction over distribution assets that fit
the definition of critical electric infrastructure, cyber
vulnerabilities and threats would not be mitigated as proposed
by this legislation. Similar to how a compromise at the bulk-power
system level could impact the nation, this subset of distribution
facilities needs the same level of protection that would be applicable
to the bulk-power system to deter against having a debilitating impact
on national security, national economic security, or national public
health or safety.
Question 5. What do you think will be accomplished that is not
already being accomplished?
Answer. With FERC's experience and expertise of the mandatory
security requirements to protect the bulk-power system from compromise,
FERC can provide an effective protection effort. For example, FERC will
be able to address the protection of distribution-level systems and
assets, along with their associated physical and virtual connectivity,
to protect the reliability or operability of the bulk-power system.
This would translate into having the necessary protection measures for
certain distribution facilities in concert with measures required for
the bulk-power system for national security, national economic
security, or national public health or safety.
Question 6. The discussion draft permits FERC to issue an interim
rule if the Electric Reliability Organization fails to meet deadlines
established by FERC. What do you envision will be the role of the
Electric Industry in helping FERC to get an interim rule right?
Answer. FERC's orders and appeals allow the affected industry
members to participate whenever practical to help ensure that the
measures contained within an interim FERC rule are appropriate for
expeditious and effective implementation for security of the bulk-power
system. FERC's processes allow the affected utilities the option to
engage in the process and provide their perspective and any alternative
ideas before they are implemented.
Question 7. Multiple levels of protection on the electric system
have significant, additional costs, and may not be the most cost-
effective means of mitigating known vulnerabilities or combating known
threats. How would you recommend that determinations be made about
additional security requirements that are ordered to be put in to
place? Should there be a risk assessment required to determine cost-
effectiveness?
Answer. The consequences of an entity having an ineffective
security posture can be catastrophic, reaching far beyond that entity.
Coordinated and simultaneous cyber attacks meant to cause physical
damage to large electrical equipment with long lead times for
replacement can cause prolonged outages for specific areas of the
country. For this reason, considerations regarding cost effectiveness
in the cyber security realm are different from the typical cost
effectiveness that has been considered for more traditional scenarios.
In most scenarios, the limitations and risks are known and quantifiable
or at least capable of being estimated based on prior experiences such
as severe weather. With cyber security, cost considerations should
consider both the known risks as well as ones that have not yet been
discovered. In light of these complexities, considerations such as the
life-cycle of equipment based on its upgradeability and the
consequences of successfully exploiting any cyber vulnerabilities must
be considered in addition to more traditional procurement and
operational cost measures. For example, according to public reports,
the recent Stuxnet malware exploited several zero-day (previously not
widely known) software vulnerabilities. Control system owners were not
even aware of these vulnerabilities until months after Stuxnet was
launched but their emergence required prompt mitigation regardless of
the associated costs. Although this threat was mitigated, cyber
security is not a one-time event. It is a continuing process involving
technology, security processes and human interaction. Therefore the
appropriate showing of cost effectiveness is that the measures taken
fit into a comprehensive security program that involves prevention,
detection and recovery from a security breach.
Responses of Joseph McClelland to Questions From Senator Shaheen
Question 1. I've heard from the NH electric co-operative about
their concerns in granting FERC authority to regulate at the
distribution level of our electric system. Regulation at this level is
traditionally handled by the state. What authority, if any, does FERC
have right now to regulate distribution facilities in the U.S.?
Answer. Section 215 of the Federal Power Act expressly does not
apply to local distribution facilities. These facilities are also
generally exempt from FERC's rate regulation, although limited
exceptions apply if the facilities are used in providing FERC-
jurisdictional services. The additional authority over distribution
facilities proposed in the discussion draft would be very limited in
nature. It would only allow the Commission to regulate distribution
facilities that are ``so vital to the United States that the incapacity
or destruction of the systems and assets would have a debilitating
impact on national security, national economic security, or national
public health or safety.'' In addition, the current proposal would only
allow the Commission to regulate that discrete set of facilities for
the purpose of addressing cyber security vulnerabilities.
Question 2. The current NERC standard development process is a
``bottoms up'' approach that works with electricity sector experts in
the U.S. and Canada to develop technical standards that take into
account the differences among more than 3000 individual North American
utilities. Why does FERC think this should be replaced with a standards
process that would emanate from Washington, DC?
Answer. FERC does not think that the current NERC standards
development process should be replaced. And the discussion draft does
not eliminate or replace the NERC standards development role. The
standards development process will continue to be performed by the ERO
and industry unless there is a need for immediate action. The
discussion draft would only allow the Commission in very limited
defined circumstances to directly, quickly and confidentially address
cyber security vulnerabilities that threaten national security through
the power grid.
______
Responses of William Tedeschi to Questions From Senator Bingaman
Question 1. Your testimony states that it may be possible to
mitigate electromagnetic threats to the power grid through selective
hardening. Could you describe some of the ways in which utilities could
selectively harden their systems?
Answer. The utilities have available two primary opportunities for
selectively hardening the power grid. (1) They can wait until new
technologies or planned system upgrades are to be introduced to the
grid, and then apply some form of EMP hardening requirements that can
be incorporated in the acquisition process for those new/upgraded
features to be procured and introduced to the grid. (2) The other major
possibility is that they can choose to retroactively harden key
elements of the current grid, by procuring electronics hardware with
specifically designed hardening features incorporated into the hardware
design. The former approach is recommended, as adding hardening after a
system has been fielded is typically more expensive. However, if a
particular grid element or node is critically important and susceptible
to EMP threats, then one may wish to retroactively add hardening to the
existing design and make it more robust to EMP threats.
There are specific hardening approaches that can be selectively
employed at the hardware, box, and device levels. The principle that
applies is to define, anticipate, and plan to harden against select EMP
threat environments. For high-frequency EMP threats, such as
unintentional electromagnetic interference or malevolent microwave
devices, in the many megahertz to gigahertz frequency range, one can
require new electronics have existing electromagnetic compatibility and
interference (EMC/EMI) standards incorporated into their design. Such
standards are published by both national and international
organizations, based on subject matter expert inputs and endorsed by
industry, governments, and academia. Hardening features can include the
following: properly shielded and grounded enclosures; fast-acting over-
current shunts or blocks at points of entry; spark gaps and other over-
voltage protection; better internal design robustness against over-
current and over-voltage conditions, and direct-current or slowly
varying offsets (such as better design features inside high-voltage
transformers); and electronic filters that are highly selective in the
frequencies of electronic transmissions around and into critical grid
elements or nodes with operating electronics inside. Hardening can also
include creating a more-robust control system for real-time and near
real time monitoring and adjusting the actual operation of power flow
into, over, and out of the grid, to effectively sense, understand, and
respond to a greater range of off-normal conditions during grid
operation. Many of these same hardening approaches, and other related
techniques not mentioned, can also be considered for the low- and
medium-frequency EMP threats, in the many hertz to megahertz frequency
range. The type of hardening one might consider employing and at what
point in the grid's life cycle should be based on a good understanding
of the EMP threat spectrum, what hardware, device, or electronics box
is susceptible to EMP attack, and the identified trade-offs in cost,
benefit, and risk reduction for the various types of possible hardening
approaches.
Question 2. Your testimony states that more work is required before
fully informed decisions can be made about where and to what extent the
grid should be hardened solely against nuclear electromagnetic pulse
threats. What kind of information would additional work on
electromagnetic pulse threats seek to produce? How long would you
estimate that this study may take?
Answer. The additional information we recommend to be generated is
to determine an appropriate set of EMP threat scenarios that could
adversely affect the power grid, determine if and how the grid is
susceptible/vulnerable to the established EMP threats, and identify
appropriate threat mitigation and hardening strategies. This set of
work (see next paragraph for details) is estimated to require from 2 to
3 years to accomplish, depending on the number of EMP threat classes
selected and the amount of technical resolution in the results required
to reduce existing uncertainties to an acceptable level and provide a
level of risk-based confidence in the current and projected resilience
of the power grid.
The full spectrum of possible nuclear high-altitude EMP threats
should be examined and characterized, beyond what has been considered
to date, namely, only the postulated worst-case nuclear EMP threats.
The resulting over-current and over-voltage insults to the grid will be
of lesser magnitude and total energy content than the worst-case
assumptions that have been made to date, but the worst-case system
response may not always be driven by the largest magnitude EMP
conditions. The spectrum of possible conventional EMP threats, both
malevolent and unintentional, should also be examined and
characterized. In particular, what are the technical characteristics of
all the postulated EMP threats in terms of their waveforms, frequency
content, and electric field strengths? These EMP threat waveforms,
along with those postulated from solar-induced geomagnetic storms,
should be peer reviewed and validated by a panel of knowledgeable
subject matter experts. Next, these EMP threat waveforms can be
projected onto selected key elements of the U.S. power grid, and the
induced over-current/over-voltage insult estimated by using a
combination of computer-based modeling and simulation, along with
experimental testing. Threatened key elements of the grid, given a
particular EMP threat scenario, can be identified from our knowledge of
the grid's network topology and unique design features. Once the
electrical insults for the key grid elements are determined, one would
ascertain if the element is susceptible to upset or burnout, or other
possible adverse effects. Thresholds for upset and burnout would be
determined through a combination of computational and experimental
modeling and simulation, and by using a somewhat different set of tools
and subject matter experts. Given a projected set of upset and/or
burnout conditions, one would finally estimate the net cumulative
effect (or consequence) on the power grid given the particular EMP
threat waveform that was projected against a particular set of grid
elements. Once the complete set of risks to the power grid is
characterized and better understood--given the full spectrum of
possible EMP threats and resultant possible damage responses and
ultimately consequences to the grid's continued operability--one can
make more informed decisions on whether, where, and to what extent to
harden the grid against certain classes of EMP threats. All the work
results should be peer reviewed and validated by appropriate subject
matter experts, and relevant work conducted in the past should be
utilized to the maximum extent possible.
Responses of William Tedeschi to Questions From Senator Murkowski
Question 1. Your testimony notes that more study is needed to
characterize and simulate the susceptibility of the power grid to EMP
attacks, and that existing EMP reports should not be the basis for any
short-term national decisions. Is it premature to develop hardening
standards to mitigate an EMP attack?
Answer. Yes, today it is premature to develop hardening standards
for the power grid against EMP threats, both malevolent and non-
malevolent (i.e., unintentional and naturally occurring geomagnetic
threats). The spectrum of possible EMP threats has not been defined and
characterized, and neither has the susceptibility of key grid elements
to EMP-induced over-current/over-voltage insults, along with the
possible resultant damage and consequences to the continued reliable
operation of the grid. For example, the 2010 FERC-sponsored study on
EMP threats to the power grid suggests that over 300 high-voltage (HV)
transformers would be at risk for damage or failure by a 1-in-100 year
geomagnetic storm. This damage estimate appears to have been based
primarily on one data point, an estimated 90-amp over-current insult to
an HV transformer that failed at the Salem Nuclear Plant during the
1989 geomagnetic storm. Applying that particular over-current damage
threshold, based on little analysis and no experimental testing, to all
HV transformers in a large-area geomagnetic storm results in great
uncertainty about the total number of at-risk HV transformers. We
assess that this is a worst-case approach to predicting when HV
transformers could fail due to over-current insults. The Salem Nuclear
Plant HV transformer could have failed for a number of reasons. We
recommend that the specific reasons for that failure, as well as
consideration of the suite of other possible failure thresholds and
conditions, should be better understood so that, ultimately, a more-
balanced damage criteria can be established, which will result in a
better estimate of the potential damage and consequences to the grid,
not only from geomagnetic EMP threats, but also from other EMP threats.
We recommend more analysis, experimentation, and assessment be
performed to determine how and why HV transformers can fail, along with
other key elements of the grid. There simply is not enough data and
understanding at this time on how and why key power grid elements can
fail to the spectrum of possible EMP threats. Once the additional data
and understanding are derived, a defensible technical basis exists for
developing and implementing a national hardening strategy.
Question 2. Do parts of the power grid, and particularly
transformers, based on age and design, react differently to an EMP
attack? Do we need to treat all of them in the same manner?
Answer. Yes, every element in the power grid when exposed to EMP
attack will react differently to the over-current/over-voltage insult
caused by the EMP attack. How each grid element will react depends on a
number of factors: the element's design, as-manufactured configuration,
current configuration if it has been changed or modified, age and
location within the grid topology; installation details; how the EMP
threat irradiates and couples electrical energy into the exposed
element; how that electrical energy insult flows within the element and
deposits its energy along the way; and the strength of the element to
withstand the flowing and deposited electrical energy. The full range
of possible outcomes of the exposed grid element to the EMP attack
include temporary damage or upset, permanent damage, and possibly even
no damage or adverse effect. One must also factor in the interplay of
how one element's response to the EMP attack will affect the operation
of other elements that are connected to it. As far as treating each
element in the same manner, one must demonstrate a sufficient
understanding of the differences between each element of the grid, and
how they will respond to the EMP insult both in their own unique way
and synergistically together, if one is to have confidence in estimates
of how an EMP attack might affect the grid. EMP effects researchers use
analysis, modeling, and experimental testing to conduct detailed
characterizations of the design and key operational functioning aspects
of all the elements making up a network and of how the element (and
ultimately the grid) will react to the deposited electrical energy from
the EMP attack. Even within a population of similar grid elements, for
example 300 HV transformers, there are enough differences in the design
and constituent materials that go into the element and how the element
was manufactured that the element's response to the EMP insult can vary
by more than an order of magnitude, and sometimes the failure
distribution follows well-established statistical distributions; at
other times, it does not. The result is that for the same EMP attack,
anywhere from a small fraction (or none) to a large percentage of the
element's population can be adversely affected. The predicted damage
depends very heavily on when and how the transformer (or element) might
fail, and more than one data point and significant analysis and
modeling are required to get a level of confidence in the expected
damage prediction. It is this analytical and experimental modeling and
simulation phase of characterizing the grid element and interconnected
network that takes a while and a certain amount of resources to
establish a level of understanding and confidence in the result. In the
absence of data and understanding, and given limited time and
resources, researchers typically employ a worst-case approach that
unfortunately can lead to a higher cost impact and dire predictions
that are not technically defensible, and should not be the basis for
important national decisions of this type.
Question 3. You mentioned that the U.S. electric power grid
contains some level of inherent hardness against an EMP impact, and
that the grid is already somewhat hardened against the E2 and E3
components (similar to lightning strikes (E2) and solar-induced
geomagnetic storms (E3)). However, since the E1 frequency strikes
first, how vulnerable is the grid to the E2 and E3 impacts if it has
been disabled by the E1 component? Should our focus be on the E1
frequency? Or should it be on the E3 component since you believe a
solar-induced geomagnetic storm is more likely than a nuclear-induced
EMP attack?
Answer. Yes, for nuclear-detonation-generated EMP, the early-time
E1 component, if strong enough, could do damage first to some grid
elements or control systems, potentially resulting in the later-in-time
E2 and E3 components doing additional damage to the grid. In other
cases, the E1 component may not be strong enough to do any damage, but
the E2 and E3 components will insult the grid, potentially doing
damage. Again, details of the nuclear detonation will affect the extent
and strength of the EMP effects and are relevant to whether damage
might occur. In some nuclear scenarios, none of the E1, E2, and E3
components would be expected to do damage on the power grid. In
general, the E3-like component that results from geomagnetic storms
occurs naturally and with an established periodicity. It is just a
question of when the storm will occur, how strong it may be, and how
long the created electromagnetic field strengths would last, and then
whether the power grid is susceptible to them and what might be the
possible damage effects. The nuclear E1, E2, and E3 components are
human-made, and are assessed to be of low likelihood of occurrence, as
compared with geomagnetic storms and some of the electromagnetic
interference threats. We should also consider human-made malevolent
EMP-generating devices, which can be used to exacerbate a particular
frequency range, or multiple ranges. You are exactly right: The
combination of imposed reduction of capability from one frequency range
and imposition of a different frequency range is another topical area
that should be included in studies of system response.
Question 4. What different types of protection are needed and
available for the various types of potential EMP attacks or geomagnetic
disturbances?
Answer. As noted above in the answer to Senator Bingaman's first
question, there are many hardening approaches, both passive and active
that could be considered and applied to the power grid that would add
an elevated level of resilience against EMP threats. Once the EMP
threats have been sufficiently characterized and an assessment made
with at least a moderate level of confidence of the grid's
susceptibility and resultant damage to such threats, then cost-effective
risk-based decisions can be made regarding a national hardening
strategy and specific hardening measures to employ. Our recommended
approach is to characterize the full spectrum of EMP threats, both
intentional (nuclear and nonnuclear) and unintentional (electromagnetic
interference) human-made and naturally occurring (geomagnetic). Next,
we should more fully characterize the grid's susceptibility to
potential damage by those classes of EMP threats (through analytical
and experimental modeling and simulation), and identify possible
techniques to harden against the identified threats. At a minimum, we
should ensure that we are hard against unintentional human-made
interference (which is a threat now) and have an acceptable level of
resilience against geomagnetic EMP threats (which is a work in
progress). Next, we should establish how resilient or susceptible/
vulnerable the grid is to the human-made EMP threats, and then finally
make risk-based national and/or industry-level decisions on whether and
to what extent to harden certain elements of the power grid against the
broader set of EMP threats. That said, risk-based analysis and
assessment approaches should continue to be applied looking for key
grid elements and nodes that might be vulnerable to specific EMP
threats and which might need to be hardened sooner rather than later.
Question 5. Are smart grid technologies that are currently being
distributed across the country and placed into service required to have
hardened features to protect against EMP attacks?
Answer. Our understanding is that smart grid technologies that are
currently being considered and possibly distributed across the country
and placed into service are not required to have hardening features to
protect against EMP attacks. The smart grid technologies at a minimum
should have a level of hardening against lightning and unintentional
electromagnetic interference (EMI) based on some combination of
national and international EMI and electromagnetic compatibility (EMC)
standards. If EMI and EMC standards are being considered and included
in new smart-grid technologies, then they will have some level of
resilience against E1-type EMP effects. How much resilience there is or
might be can be determined through a combination of analytical and
experimental modeling and simulation. Because possible smart-grid
technologies are still under development, are generally small and
likely will be mass-produced and therefore lower in per unit cost than,
for example, HV transformers, there is an excellent opportunity here to
consider and possibly include some form of cost-effective, EMP hardening
features to protect against E1- and E2-like EMP threats.
______
Responses of Patricia Hoffman to Questions From Senator Bingaman
Question 1. Last year, Secretary Chu announced funding for the
National Electric Sector Cyber Security Organization. What is the role
of this organization vis-a-vis North American Electric Reliability
Corporation (NERC), NERC's standards development process, and the
Federal Energy Regulatory Commission?
Answer. The Energy and Water Development Appropriations and Related
Agencies Appropriations Act, 2010 (P.L. 11-85) directed that ``...the
Secretary shall establish an independent national energy sector cyber
security organization...'' In response, the Department of Energy issued
a Funding Opportunity Announcement on March 31, 2010. Two organizations
received awards: EnergySec was selected to form the National Electric
Sector Cybersecurity Organization (NESCO). The Electric Power Research
Institute (EPRI) was selected as a research and analysis resource to
this organization, and is referred to as the National Electric Sector
Cybersecurity Organization Resource (NESCOR).
The purpose of the award was to ``establish a National Electric
Sector Cyber Security Organization that has the knowledge,
capabilities, and experience to protect the electric grid and enhance
integration of smart grid technologies that are adequately protected
against cyber attacks.'' In addition, the organization ``will serve as
a focal point to bring together domestic and international experts,
developers, and users who will assess and test the security of novel
technology, architectures, and applications.'' When fully operational,
NESCO/NESCOR will provide early warnings to and share best practices
with, all parts of the sector (generation, transmission, distribution),
not just the bulk power system. NESCO/NESCOR will provide comments to
the North American Electric Reliability Organization (NERC) standards
development process as appropriate and share compliance information in
the sector, but does not enforce or regulate the standards.
NERC's mission is to ensure the reliability of the North American
bulk power system. NERC is the electric reliability organization (ERO)
certified by the Federal Energy Regulatory Commission (FERC) to
establish and enforce reliability standards for the bulk-power system.
NERC develops and enforces (following approval by FERC) reliability
standards, including cyber security standards; monitors the bulk power
system; and educates, trains and certifies industry personnel. NERC is
an authoritative body and can mandate actions by the registered
entities. NESCO/NESCOR is a voluntary body that can provide guidance.
Question 2. In February, the Department of Energy launched an open
collaboration with the National Institute of Standards and Technology
and the North American Electric Reliability Corporation to ``develop a
cyber security risk management process guideline for the electric
sector.'' Could you describe the objectives of this collaboration and
how its work will filter into the NERC standards development and
approval processes?
Answer. DOE, in coordination with the National Institute for
Standards and Technology (NIST) and NERC, is leading a public and
private sector collaboration to develop a risk management process
guideline to provide a consistent, repeatable, and adaptable process
for the electric sector, and enable organizations to proactively manage
cyber security risk. The objective of this collaboration is to build
upon existing guidance and requirements to develop a flexible risk
management process tuned to the diverse missions, equipment, and
business needs of the electric sector for application throughout the
sector, and to bridge the divide between security for industrial
control systems and information technology. The risk management process
guideline is currently in the drafting stage. Representatives from the
NERC standards development team are participating in drafting of the
risk management guideline. As this effort gets further along we will
better be able to assess how it may factor into the NERC standards
development and approval processes.
Question 3. Your testimony states that the Department of Energy and
the Department of Defense have signed a memorandum of understanding
that is intended to enhance national energy security. The Discussion
Draft directs the Secretary of Defense to prepare a plan to protect
power supplies to national defense facilities. How will this memorandum
help the Secretary of Defense in creating this plan?
Answer. The Department of Energy and the Department of Defense
(DOD) energy security Memorandum of Understanding (MOU) provides for
collaboration between the two agencies on energy security research and
development, and energy assurance. This may include projects on power
electronics, microgrids, cyber security, electromagnetic pulse, smart
grid, and storage which will benefit from DOE's energy related
expertise. An Executive Committee has been formed to oversee all
activities, including energy security. The Executive Committee is
chaired by me, as the Assistant Secretary for Electricity Delivery and
Energy Reliability, DOD's Assistant Secretary of Defense for
Operational Energy Plans and Programs, and DOD's Deputy Under Secretary
of Defense for Installations and Environment. The remainder of the
Executive Committee is comprised of key energy decision makers from
both departments.
While this MOU is not focused on cyber security for the grid, it
provides a structure to collaborate on a comprehensive proactive
approach that reduces the impact of power loss to defense critical
assets, considering both mitigation and response measures to ensure
vital defense capabilities are not disrupted.
Question 4. Do you think each state has adequate cyber expertise to
protect distribution-level systems and assets that are so vital that
their loss would have a debilitating impact on national security,
national economic security, or national public health or safety?
Answer. Local distribution companies, and the Public Utility
Commissions (PUCs) that regulate them, are the entities at the State
level that are responsible for reliable electric service within states,
including protection from service disruptions caused by cyber attacks.
It is DOE's understanding that the utilities and PUCs understand, and
are addressing cyber security concerns. States, similar to the Federal
government and the private sector, are challenged by the increasing
sophistication of the threat to maintain a level of cyber security
expertise adequate to manage cyber security risks.
State and local governments are very concerned about the impacts of
cyber attacks and are taking steps to address such risks. The
Department also recognizes the need to mature and increase the level of
cyber security expertise within the states and the electric sector. The
Department's Office of Electricity Delivery and Energy Reliability (OE)
works closely with organizations, such as the National Association of
Regulatory Utility Commissioners (NARUC), the National Association of
State Energy Officials, the National Conference of State Legislatures,
the National Governors Association, and Public Technology Institute
that are helping State and local agencies to address cyber security
issues. These organizations have worked with OE to develop technical
briefs, education forums, workshops, and exercises on cyber security
and other concerns related to grid modernization. OE has been working
with these organizations to support and sponsor activities such as the
NARUC security boot camp provided for PUCs and their staff at the 2011
NARUC winter meeting, and providing technical assistance to PUCs
related to cyber security for the smart grid.
Through the American Recovery and Reinvestment Act, OE provided
funds to forty-eight states and territories plus forty-three cities to
prepare energy assurance plans to better respond to energy emergencies,
including addressing cyber security. States have recently completed
draft emergency assurance plans all of which address cyber security.
Recovery Act funds are also assisting state public utility commissions
directly, providing funds to hire new staff and retrain existing
employees to ensure they have the capacity to quickly and effectively
review proposed electricity projects, including the cyber security
aspects of those projects.
Responses of Patricia Hoffman to Questions From Senator Murkowski
Question 1. Currently, how do DOE and FERC work together to assess
threats and vulnerabilities? Have there been any problems with this
working relationship? How do the two agencies coordinate with the
government's intelligence agencies?
Answer. DOE and the Federal Energy Regulatory Commission (FERC)
coordinate on an ongoing basis depending upon the specific nature of
the critical infrastructure protection activity. Most recently, DOE,
FERC, and the Department of Homeland Security (DHS) sponsored a set of
reports\1\ which provided a technical threat assessment of geomagnetic
disturbances and electromagnetic pulse, providing a more comprehensive
understanding of the issues. FERC is also participating in the effort
led by DOE, along with the National Institute of Standards and
Technology (NIST), DHS, and North American Reliability Corporation
(NERC), to develop a risk management process for the electricity sector
specifically aimed at providing the sector with a common and repeatable
cyber security risk management process.
---------------------------------------------------------------------------
\1\ Prepared by Metatech Corporation under the direction of Oak
Ridge National Laboratory. Available at
http://www.ornl.gov/sci/ees/etsd/pes/ferc_emp_gic.shtml
---------------------------------------------------------------------------
Threats to the electricity sector are an operational issue and thus
should principally be handled by DOE as the Sector Specific Agency
(SSA) under Homeland Security Presidential Directive 7 and the National
Infrastructure Protection Plan (NIPP). Effectively responding to
potential threats to the sector requires an operationally-oriented
organization with established coordination mechanisms with DHS and the
intelligence community to properly assess and respond to a threat. DOE
is able to draw from a variety of resources, including its Office of
Intelligence and the resources of the National Laboratories to
effectively assess and respond to emerging threats to the sector. This
is all done in close coordination and collaboration with DHS, FERC, and
other Federal partners under the National Cyber Incident Response Plan
and most importantly, in coordination with the electricity sector.
To be effective in its roles as the SSA, DOE depends upon and
constantly works to build and strengthen its relationships with
utilities and the broader electricity sector stakeholder community. DOE
fosters collaboration and voluntary initiatives to further its goal of
a reliable and resilient power grid. Given FERC's role as an
independent regulator, DOE has found that discussions with industry can
sometimes be more open and frank if FERC is not present. This is
consistent with the philosophy of the NIPP which sought to facilitate
open and candid conversations on infrastructure security issues under
the public-private partnership.
Question 2. The Energy Committee's discussion draft is an
electricity-sector only cyber piece. Does the Department prefer a
comprehensive, government-wide approach to cyber security issues?
Answer. Yes, recognizing the interdependencies between different
sectors it is important to have a comprehensive, government-wide
approach to cyber security. The Administration has proposed
comprehensive cyber security legislation
(http://www.whitehouse.gov/omb/legislative_letters).
Question 3. Recently, Howard Schmidt, the White House cyber
security coordinator, made headlines when he said that the risk of
cyber attacks is often overblown and that cyber attacks are the ``risk
of doing business.'' In light of these statements, does the
Administration believe additional Federal authority is needed in the
cyber security arena?
Answer. We often associate high profile events with the term
``cyber attack,'' but the reality is our networks face a spectrum of
risks, many of which are less spectacular yet more pervasive. Our
federal networks, as well as many of those that support our critical
infrastructure are probed thousands of times per day. Managing and
responding to these risks has become a core element of how we as a
nation do business, and an important aspect of ensuring the reliability
of the grid. Cyber security standards can provide an effective baseline
to address known vulnerabilities.
Managing the risk from unknown vulnerabilities and dynamic threats
is best addressed by timely sharing of relevant and actionable threat
information, the use of risk management, and effective incident
management and response. The electricity sector must have the ability
to assess, respond, and mitigate the impacts of an event in a timely
manner.
Question 4. I understand that DOE is working on the need for
domestic manufacturing of transformers. Please elaborate on the problem
and what is being done on this issue.
Answer. The U.S. is heavily dependent on imports for large
transformers above 345kV. In addition, limited manufacturing capacity
results in long lead times for delivery of high voltage transformers,
often over 12 months. This situation is of concern to the Department.
Import dependency is of concern to the utility industry, as well as
DHS/FEMA and DOD. DOE has held discussions with several transformer
manufacturers, including ABB, Efacec, Waukesha and Areva, and
additional discussions are planned. The DOE-North American Electric
Reliability Corporation (NERC) workshop report on High-Impact, Low-
Frequency Event Risk to the North American Bulk Power System (June
2009) identified this as an important concern. Large transformer
concerns were also identified in both the 2007 and 2010 Energy Sector
Specific Plans. Even with the successful start up of new manufacturing
facilities, only a small portion of U.S. utility annual demand is
likely to be met. Additionally, a significant national level disaster
impacting a large number of transformers would certainly exceed
domestic manufacturing capability and would likely require the global
market to significantly ramp up production to meet the demand.
In 2009 a new plant was opened in Georgia by Efacec and two other
companies (Mitsubishi and Hyundai) have announced new plants to be
built in the U.S. A domestic manufacturer, Waukesha Electric Systems, has
begun to expand their production capacity to 500kV and 765kV units in
their Waukesha, Wisconsin facility. DOE has also partnered with the
Department of Homeland Security to develop and test a lighter weight
and more transportable, temporary transformer that could be used in
emergencies.
Question 5. What is the Administration's position on the
bifurcation of federal authority set forth in the discussion draft? Do
you believe FERC needs additional authority to address vulnerabilities
or is the existing Section 215 stakeholder process adequate?
Answer. The Administration does not have a position on this
particular discussion draft, but has proposed comprehensive cyber
security legislation
(http://www.whitehouse.gov/omb/legislative_letters).
With respect to emergency authority, when the Department of Energy
and FERC were established by the Department of Energy Organization Act,
the Secretary was given the authority to issue orders during an
emergency for the interconnection of facilities, generation, delivery,
interchange, or transmission of electric energy. FERC was given Federal
Power Act (FPA) authority to establish, review and enforce rates and
charges for the transmission and sale of electricity. DOE believes that
these divisions of FPA authority properly place the regulatory rate
making responsibilities of the FPA with FERC, and the authority to make
national emergency determinations with DOE.
We believe that emergency authority is appropriately placed with
the head of a cabinet department who is fully accountable to the
President. DOE and DHS have the capability to develop or obtain
knowledge with respect to threats or vulnerabilities that might give
rise to the need for an emergency order.
Question 6. Do you agree with Mr. Tedeschi from Sandia National
Laboratory that the susceptibility of the power grid to EMP attacks is
not well characterized and should be further addressed with computer-
based simulations and experimental testing?
Answer. Yes, we absolutely agree with the concerns raised in Dr.
Tedeschi's testimony. As he noted ``Assumptions about age, design, and
failure thresholds of transformers introduce additional uncertainty and
are based on limited samplings of transformers of a particular type and
from a clear source. All assumptions point to large uncertainties in
the output results and interpretations from the model; therefore,
statements on the number of 'at-risk' transformers and the severity of
the regional damage should be viewed as illustrative only.''
Computer-based simulations are needed to support electric utility
adoption of technological approaches to reduce the threat of electro-
magnetic pulse (EMP) attacks and solar storms. These will assist
utilities to develop an understanding of the potential impact of EMP on
the power grid and its components. Utilities run computer simulations
to help optimize power production and transmission and to avoid
failures. Ultimately, technological solutions will require research and
development and careful testing and evaluation to ensure their
effectiveness.
Responses of Patricia Hoffman to Questions From Senator Udall
Question 1. Has the Aurora vulnerability been effectively
mitigated, and how is this verified? What is the factual basis for your
answer?
Answer. The Aurora vulnerability has been effectively studied and
analyzed. The fundamental principles behind the Aurora vulnerability
are well understood by experienced and practicing utility engineers and
operators. Assessment of the effectiveness of the mitigations is
currently underway.
In early 2011, the ES-ISAC issued an Essential Action Advisory to
all NERC registered entities to provide the additional technical
details that described the nature of the vulnerability and assess the
current status of mitigating actions implemented by registered entities
through this action. NERC will also use the information to determine
what additional actions may need to be taken. The Department
anticipates the Aurora vulnerability will be addressed by NERC entities
and verified.
In 2007, DHS, DOE, other Federal agencies, and NERC's Electric
Sector Information Sharing and Analysis Center (ES-ISAC) became aware
of the Aurora vulnerability which, if exploited by an attack, could cause
significant physical damage. The ES-ISAC issued an advisory to describe
the mitigation measures that electric sector owners and operators
needed to implement to reduce the risks associated with the Aurora
vulnerability. Unfortunately at that time, the supporting technical
documents could not be released to the owners and operators due to the
documents' classification level.
The Department has supported NERC and the sector through the
development of the 2011 Essential Action Advisory and its accompanying
documents. The Department continues to support Department of Defense
efforts to mitigate the Aurora vulnerability and protect its military
installations.
Question 2. Are the current spare transformer resources, including
the EEI STEP program, sufficient to mitigate the transformer loss
scenario presented in the Oak Ridge National Laboratory report from a
1921-level solar storm (over 300 transformers)? What is the factual
basis for your answer?
Answer. The EEI STEP program is focused on sharing of spare
transformers to assist recovery from a terrorist attack. EEI reports
that some 50 utilities representing approximately 70 percent of the
electricity customers are participating in this program. The vast
majority of smaller utilities including municipals and coops are not
participating.
The adequacy of existing spares to address major transformer
outages will depend on many factors including the geographic impact,
the type of transformers, the age and health of the transformers. But,
it is clear that major transformer losses from a solar storm of
historic magnitude would present an enormous challenge to the sector's
ability to respond to and recover from such an event. The North
American Electric Reliability Corporation (NERC) is addressing the
spare transformer issue and has created a Spare Equipment Database Task
Force, as well as a Task Force on Geomagnetic Disturbances. NERC will
seek information from all of its member companies. Several transformer
manufacturers including ABB and Siemens are participating on the NERC
task forces as well.
There are limited modeling studies to provide a factual basis to
estimate possible electricity grid impacts to a 1921 magnitude solar
storm. Utilities in Canada, the United States and Europe have begun to
take steps to reduce the potential impact of such large solar storms.
The North American Electric Reliability Corporation has recently issued
an alert to its members on steps that they may take to reduce potential
impacts on their equipment and the grid. [See:
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2011-05-10-01_GMD_FINAL.pdf]. The
alert was the result of a 2-day NERC workshop in April 2011 to discuss
utility approaches to address the issue. DOE is working with
electricity industry partners to increase attention and to encourage
the use of best practices.
Question 3. How effective has the current standards development
process been in protecting against cyber and other non-cyber threats
and vulnerabilities to the grid? Is it possible to use this process
supplemented with NERC's emergency standards process and the Alerts
process to get the job done?
Answer. What is most important is that a structure exists to
support an ``electric sector incident response plan'' to respond to
events. A combination of the NERC standards and Alerts process, timely
and actionable information sharing, and emergency authority will
provide a comprehensive approach to managing cyber security threats and
vulnerabilities. Standards ensure a level of quality, compatibility,
safety, and connectivity with other equipment and processes.
Standards must be widely accepted and commonly trusted to be
effective. They also provide the foundation for further innovation, or
as in the case of security or safety, a minimum level of requirements.
As a result, standards development is often a time-consuming process.
Development of security standards relies on awareness and consensus of
the threat environment. This is a challenge to the electric sector due
to the dynamic nature and speed of cyber threats that necessitates
access to timely and actionable threat information. This challenge
makes it difficult to adequately assess impact to inform risk decisions
on investment in cyber security improvements beyond what is needed for
compliance.
Responses of Patricia Hoffman to Questions From Senator Portman
Question 1. It is my understanding that the discussion draft grants
the Secretary of Energy the authority to require others to take actions
if ``the Secretary determines that immediate action is necessary to
protect critical electric infrastructure from a cyber security
threat.'' The Secretary may then follow a procedure to make these
requirements permanent. In your opinion, what sort of event would
trigger such an action by the Secretary?
Answer. The discussion draft grants the Secretary of Energy the
authority to require others to take actions if ``the Secretary determines
that immediate action is necessary to protect critical electric
infrastructure from a cyber security threat.'' The type of event that
would trigger such action by the Secretary would be an event that poses
a significant risk to the operation of critical electric
infrastructure, such as high altitude electromagnetic pulse, or a cyber
attack. The determination of whether to use emergency authority would
be based on analysis of the threat, evaluation of risk and
consequences, and the potential for impact to electric sector and
potential other sectors of the economy. Additionally, use of emergency
authority would be determined in consultation with other sector
specific agencies that could be potentially impacted.
Question 2. Why would the Secretary make a requirement permanent?
Answer. It is DOE's understanding of the discussion draft that
cyber security mitigation actions required by an emergency order would
not be permanent, but limited to 90 days unless renewed. However, where
appropriate these actions could be incorporated through the accelerated
standards or NERC Alerts process.
Question 3. Multiple levels of protection on the electric system
have significant, additional costs, and may not be the most cost-
effective means of mitigating known vulnerabilities or combating known
threats. How would you recommend that determinations be made about
additional security requirements that are ordered to be put in to
place? Should there be a risk assessment required to determine cost-
effectiveness?
Answer. Risk assessments should be used to determine cost
effectiveness of security requirements. The NERC-CIP security
requirements were developed through an industry-led collaborative
effort that considered risk assessments and the cost-effectiveness of
these requirements. Additionally, the NIST ``Cyber Security Guidelines
for the Smart Grid'' NISTIR 7628 provides guidance on defense-in-depth
strategies and risk assessments. Federal (FERC) and State regulators
should consider cost and assessment of risk, including impact, when
determining additional security requirements.
Responses of Patricia Hoffman to Questions From Senator Shaheen
Question 1. As the witnesses have noted, the electrical grid is a
very tempting target for cyber attacks in the United States. According
to the U.S. Computer Emergency Readiness Team, cyber security incidents
involving government computers have gone up by a factor of 10 in the
past five years. Are electrical utilities and the grid seeing the same
sort of rapid growth in the cyber security threat to their facilities?
Answer. In general, the utilities like government agencies face
thousands of scans and probes every week. For example, during periods
of heightened awareness, a large utility may have to analyze millions
of log entries in a day to ensure that their defenses have not been
breached. The spectrum of cyber security incidents ranges from
reconnaissance-type scans and probes of corporate networks to an attack
such as Stuxnet that reaches into more isolated control systems
networks.
The number of cyber security incidents is not necessarily an
indication of intent or likelihood of a significant attack. The
Department, DHS, NERC, and FERC all receive different levels of
specificity in reporting on cyber incidents based upon their different
responsibilities. In addition, larger utilities have security
operations centers that monitor and track cyber incidents. For example,
DOE funded an effort to develop a cyber security operations center for
a major utility. This effort has been successful in bringing together
trusted entities outside of the utility's region to share information
about cyber incidents. The lesson learned is the large investment in
time, resources, and relationship-building is necessary to develop
enough trust to share the information.
In addition to building trust, consistently defining cyber security
incidents and sharing threat information between utilities is a
challenge. Currently, there is no collective, consensus-based cyber
threat assessment. DOE works with several entities to determine and
assess the cyber security threats to the sector. Internal DOE resources
provide expertise and information including the Office of the Chief
Information Officer which provides cyber security expertise and threat
information; the Office of Intelligence which provides early warnings
and indicators, and intelligence reports directly related to the energy
sector; and the National Laboratories which provide both cyber security
expertise and threat information. DOE also partners with NESCO/NESCOR,
DHS, NERC, the intelligence community, law enforcement, electric
utilities, and cyber security consultants to determine and assess the
threats, and share that information with the sector.
Question 2. Given that we haven't had a major disruption of
electrical service due to a cyber attack, does this mean the current
standards process is working?
Answer. Standards are effective in providing baseline levels of
performance, but standards alone are not effective in facilitating or
encouraging an adaptable and agile cyber security organization. They
can also lock organizations into making cyber security decisions that
may not be optimal for their system in order to comply with the
prescriptive nature of a standard. The standards development process
under section 215, because of its need to reflect multiple stakeholders
with different cyber security issues and concerns, is an inherently
slow process and thus will never be able to fully counter the threats
posed to the sector. In this dynamic threat environment, new threats
emerge without warning utilizing new attack vectors. Thus,
organizations must be vigilant and adaptable in monitoring their
systems and implementing proper controls in response to current
threats. A standard cannot achieve this outcome. A combination of NERC
standards and Alerts process, timely and actionable information
sharing, and DOE emergency authority would provide a more comprehensive
approach to managing cyber security threats and vulnerabilities.
As we have seen from the Stuxnet malicious code, the capability and
intent to launch targeted cyber attacks on critical infrastructure and
other information technology exists. Public facing information systems
are constantly under attack across all critical infrastructures. The
absence of a successful attack on our Nation's electricity
infrastructure may mean that electric power providers have been
vigilant in protecting their systems, or it may be that adversaries
have chosen not to attack at this time. Because of the dynamic nature
of the threat environment and the variety of threat actors, it is
challenging to know if and when an attack may occur on the grid. Thus,
the electricity sector must be equipped to constantly adapt and defend
their systems from this evolving threat.
DOE, in coordination with the National Institute for Standards and
Technology (NIST), Department of Homeland Security (DHS), and NERC, is
leading a public and private sector collaboration to develop a risk
management process guideline to provide a consistent, repeatable, and
adaptable process for the electric sector, and enable organizations to
proactively manage cyber security risk. This guideline is an important
step towards moving all organizations within the electricity sector
towards a common risk management process. It incorporates risk
assessments with ongoing monitoring, enabling organizations to quickly
and effectively respond to cyber security threats and vulnerabilities.
Question 3. In previous hearings on cyber security in this
Committee, we've heard about the efforts being made to work with our
neighbors in Canada to ensure consistency in practices and procedure
across the bulk power system. This cross-border collaboration is
important to me since my state, New Hampshire, shares a border with
Canada. Do the effects of cyber attacks cross boundaries? Would a
successful attack on the Canadian power system have an effect in New
Hampshire?
Answer. Yes, the effects of a cyber attack can cross boundaries.
Eastern Canada and the eastern United States are electrically
interconnected and thus the operations of power companies north of the
border directly impact the operations of US power companies. Even
though the control systems of the power companies run independently
using different hardware architectures and different software, what
happens to the grid on one side of the border can potentially impact
the other side of the border. Power systems are designed and have
safeguards to limit the impacts of any disruption. As an example of how
these grids are operationally interconnected, in February of 2008,
portions of the power grid in southeastern Florida shut down due to a
fault at a single substation. This event in Florida was ``felt'' in
Canada by way of frequency deviations in Canada.
Question 4. Could you elaborate about existing cooperation with
Canada on protecting against vulnerabilities in the electric system?
Answer. The Department of Energy is partnering on a Department of
Homeland Security led initiative with private, State and other Federal
agencies to conduct a Cross Border Regional Resiliency Assessment
Program (RRAP) focused on energy and transportation for Maine and New
Brunswick, Canada. The RRAP is a cooperative, DHS-led assessment of
specific critical infrastructure and regional analysis of the
surrounding infrastructure to examine vulnerabilities, threats, and
potential consequences from an all-hazards perspective to identify
dependencies, interdependencies, cascading effects, resiliency
characteristics, and gaps. The focus of this RRAP is on the critical
regional and cross-border energy systems and assets, and their
interdependencies, specifically with the Transportation Sector.
International energy dependencies and impacts are being examined as
well. The RRAP began in May 2011, with vulnerability assessments on
Energy and Transportation assets scheduled to begin in July 2011. The
final report is projected to be delivered in April 2012.
Power companies in the United States and in Canada are very active
members of NERC and serve on the Critical Infrastructure Protection
Committee. This committee is involved with many efforts to improve the
reliability and security of the interconnected power grid through
standards development, compliance enforcement, assessments of risk and
preparedness. Canadian companies are active on several NERC task forces
following up on the 2009 High Impact Low Frequency Event Risk to the
North American Bulk Power System Workshop cosponsored by NERC and DOE.
Question 5. Are there procedures currently in place to share
information about imminent threats across the border?
Answer. NERC currently disseminates critical information including
threat information to power companies on both sides of the border. DHS
and Public Safety Canada constantly monitor the threat landscape and
provide NERC with threat information related to the electricity sector.