[Senate Hearing 112-529]
[From the U.S. Government Publishing Office]

S. Hrg. 112-529

ELECTRIC GRID SECURITY
=======================================================================

HEARING before the COMMITTEE ON ENERGY AND NATURAL RESOURCES, UNITED STATES SENATE, ONE HUNDRED TWELFTH CONGRESS, SECOND SESSION

TO EXAMINE THE STATUS OF ACTION TAKEN TO ENSURE THAT THE ELECTRIC GRID IS PROTECTED FROM CYBER ATTACKS

JULY 17, 2012

Printed for the use of the Committee on Energy and Natural Resources

U.S. GOVERNMENT PRINTING OFFICE
75-809 PDF
WASHINGTON : 2012

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov   Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104   Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON ENERGY AND NATURAL RESOURCES

JEFF BINGAMAN, New Mexico, Chairman
RON WYDEN, Oregon
LISA MURKOWSKI, Alaska
TIM JOHNSON, South Dakota
JOHN BARRASSO, Wyoming
MARY L. LANDRIEU, Louisiana
JAMES E. RISCH, Idaho
MARIA CANTWELL, Washington
MIKE LEE, Utah
BERNARD SANDERS, Vermont
RAND PAUL, Kentucky
DEBBIE STABENOW, Michigan
DANIEL COATS, Indiana
MARK UDALL, Colorado
ROB PORTMAN, Ohio
JEANNE SHAHEEN, New Hampshire
JOHN HOEVEN, North Dakota
AL FRANKEN, Minnesota
DEAN HELLER, Nevada
JOE MANCHIN, III, West Virginia
BOB CORKER, Tennessee
CHRISTOPHER A. COONS, Delaware

Robert M. Simon, Staff Director
Sam E. Fowler, Chief Counsel
McKie Campbell, Republican Staff Director
Karen K. Billups, Republican Chief Counsel

C O N T E N T S
----------

STATEMENTS                                                          Page
Bingaman, Hon. Jeff, U.S. Senator From New Mexico ....................... 1
Cauley, Gerry, President and Chief Executive Officer, North American Electric Reliability Corporation ....................... 25
McClelland, Joseph, Director, Office of Electric Reliability, Federal Energy Regulatory Commission ............................ 4
Murkowski, Hon. Lisa, U.S. Senator From Alaska .......................... 2
Snitchler, Todd A., Chairman, Public Utilities Commission of Ohio ...... 32
Wilshusen, Gregory C., Director, Information Security Issues, Government Accountability Office ................................ 11

APPENDIX
Responses to additional questions ...................................... 57

ELECTRIC GRID SECURITY
----------

TUESDAY, JULY 17, 2012

U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The committee met, pursuant to notice, at 10 a.m. in room SD-366, Dirksen Senate Office Building, Hon. Jeff Bingaman, chairman, presiding.

OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. SENATOR FROM NEW MEXICO

The Chairman. OK. Why don't we go ahead and get started? I am advised that Senator Murkowski is on her way, but urged us to proceed. This morning's hearing is to examine the status of actions taken by the Federal Energy Regulatory Commission or FERC, and the North American Electric Reliability Corporation or NERC, and the States to protect the electric grid from computer attacks on their facilities and control systems. I don't think we need to talk much about the serious nature of this issue. Last week, we experienced a week-long outage in much of this region. It was a weather-related outage, but it demonstrates how important reliable service on the electric grid is. We read every day of newly discovered attacks or threats on computer systems in this country and around the world. According to the Director of National Intelligence, there's been a dramatic increase in the frequency of malicious cyber activity, targeting U.S. computers and networks, including a more than tripling of the volume of malicious software, since 2009. So, the threat is real, and it is serious. In 2005, we gave FERC the authority to name an entity to develop and enforce standards to protect the reliability of the grid. I believe that there are two things that we can say about the system that has emerged since then. First, the current reliability system does have a mandatory character, so the electric grid is the only critical infrastructure in this country that has some form of an enforceable standard for cybersecurity. Second, the current reliability system that has emerged is cumbersome and overly complicated.
This may be adequate to deal with reliability concerns like standards for trimming trees so that they do not fall on transmission lines, but when it comes to cyber attacks, I am concerned that the current system is not adequate. The process to develop standards started in earnest in 2006 when NERC filed a series of reliability standards with NERC; a number of them related to cybersecurity and FERC found them wanting. In a series of filings since then, NERC has corrected some of the shortcomings that the FERC highlighted. As recently as April, version 4 of the cyber standards was approved, with the provision that NERC address the remaining inadequacies by the end of the first quarter of next year. That means that we are here today in this committee, 7 years after we passed the law, and we are still waiting for this process to produce the full set of adequately protective standards that we need. That cumbersome process has to address a threat whose nature is rapidly changing. The standards that are in place may not be flexible enough to deal with emerging threats, and we still do not have an effective system in place to require action in the face of an imminent cyber attack. NERC has developed a system of alerts to help the industry with newly discovered threats. I will have some questions about that system, how that system is working in practice. The concerns that have prompted this hearing are ones that have resulted in bipartisan cybersecurity legislation that we have reported from this committee, both this Congress and in the last Congress. In 2010, Senator Murkowski and I agreed on an expedited approach to cybersecurity standards that was centered at FERC and that passed the committee unanimously. That bill was hotlined for passage in the Senate at the end of the last Congress. It ran into holds from two of our colleagues and, perhaps, more.
Last year, Senator Murkowski and I reworked the proposal into one that featured a greater role for NERC, but allowed FERC to set effective deadlines for action and also gave the Secretary of Energy emergency cybersecurity authority. Once again, that bill passed this committee unanimously. I don't believe that the cyber threat facing the electric grid has gotten any less serious since last year, when we acted on a bipartisan basis to pass our legislation out of the committee. In the testimony for today's hearing, there are suggestions that there are additional cyber issues that also need focused attention, particularly with respect to the implementation of smart grid technologies. We need to address these vulnerabilities that are clearly before us. The bill that passed this committee unanimously would be an excellent place to start. It did a good job of balancing the need to avail ourselves of the expertise in industry on these issues, with the need to act expeditiously. Nothing since then has changed the need for clear authority to deal with immediate emergencies and longer-term vulnerabilities. As we all agreed last year, processes that take years to bear fruit may be sufficient for less urgent reliability issues, but not for the challenges we face in cybersecurity. So, I look forward to hearing from the witnesses. Let me defer to Senator Murkowski for any opening statements she would like to make.

STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR FROM ALASKA

Senator Murkowski. Thank you, Mr. Chairman. Welcome to all the witnesses this morning. I appreciate the hearing today. Of course, the purpose of this morning's hearing is to take another--and, perhaps, a closer--look at the ongoing efforts to protect our Nation's grid from cyber attacks. I do think it is important that we recognize the tremendous amount of work that has already gone into safeguarding the grid's reliability.
Back in 2005, Congress directed FERC to select an electric reliability organization, now known as the NERC, and tasked it with establishing and enforcing mandatory reliability standards, including cyber standards. I think it has been a difficult, time-consuming process, but I would like to commend NERC for the professional and balanced way that it has consistently met its responsibilities. There is no question, Mr. Chairman, as you point out, that cybersecurity is an absolutely critical issue. It should be addressed by this Congress. I am certain that every member of this body is concerned that our Nation may be vulnerable to cyber attacks that could have severe economic and security ramifications. We see stories about this just about every day, on individuals, on companies, on the Government--these cyber incursions. It is time for us to take steps to protect ourselves from a very real and emerging threat. Last year, as you point out, Mr. Chairman, the Energy Committee did report out a sector-specific cybersecurity bill. This action was taken in response to the majority leader's directive to the various committees with cyber jurisdiction to produce their own bills. At which point, they would all be stitched together into a single piece of cybersecurity legislation. I think, Mr. Chairman, that the Energy Committee was the only committee to have actually done just exactly that. But since that time, now over a year ago, circumstances have evolved. I think there is near agreement that we need a comprehensive approach to the cybersecurity problem. Some would have us believe that only the Department of Homeland Security and a host of new Federal regulations will protect us from persistent cyber threats. But I don't think that heavy-handed static requirements from yet another Federal regulator will address the very real threat that we face. 
I think, instead, that we need a much more nimble approach to deal with cyber-related threats that are constantly growing and always changing. I have joined with a number of other Ranking Member colleagues to introduce, what we're calling, the Secure IT Act. This is S. 3342. I think it's a pragmatic approach to this issue. We focus on 4 areas that, I believe, we can draw bipartisan support for. That is within the area of information sharing. We have got FISMA reform, criminal penalties, additional research. But what the Secure IT Act does not do, I think, is equally important. It does not add new layers of bureaucracy and regulation that will serve little purpose and achieve meager results. I think it is a pretty straightforward approach to cybersecurity that can go a long ways in addressing our problem. Mr. Chairman, I thank you for convening this hearing. I look forward to hearing what the witnesses have to say on the actions that have been taken to date, as well as the ongoing efforts to secure the grid at both the transmission and the distribution level. The Chairman. Thank you very much. I would just point out that the Majority Leader has advised, I think, everyone who's-- listens to his statements that he hopes we can move to cybersecurity legislation on the Senate floor between now and the time we adjourn in August, and so, I think this hearing is particularly timely for that reason. Let me introduce our 4 witnesses. First is, Mr. Joseph McClelland, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. Next is, Mr. Gregory C. Wilshusen, who is the Director of Information and Technology, with the Government Accountability Office. Third is, Mr. Gerry Cauley, who is President and Chief Executive Officer with the North American Electric Reliability Corporation, NERC. Thank you very much for being here. Mr. Todd Snitchler, who is the Chairman of the Public Utility Commission of Ohio. Thank you very much for being here. Mr. 
McClelland, why don't you start. If each of you could take 5 or 6 minutes and give us the main things you think we need to understand about the issue. We will then have some questions.

STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

Mr. McClelland. Thank you, Mr. Chairman. Mr. Chairman, Ranking Member, and members of the committee, thank you for the privilege to appear before you today to discuss the security of the electric grid. My name is Joe McClelland, and I am the Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. I am here today as a Commission staff witness and my remarks do not necessarily represent the views of the Chairman or any individual commissioner. The Commission is committed to protecting the reliability of the Nation's bulk power system. Nevertheless, limitations in Federal authority do not fully protect the grid against physical and cyber threats. My testimony summarizes the Commission's oversight of the reliability of the electric grid under section 215 of the Federal Power Act, and the Commission's implementation of that authority, with respect to cyber-related reliability issues, primarily through Order 706. In the Energy Policy Act of 2005, Congress entrusted the Commission with a major new responsibility, to oversee mandatory enforceable reliability and cybersecurity standards for the Nation's bulk power system. This authority is in new section 215 of the Federal Power Act. Under the new authority, FERC cannot author or modify reliability standards, but must select an Electric Reliability Organization, or ERO, to perform this task. The ERO develops and proposes reliability standards or modifications for the Commission's review, which it can then either approve or remand.
If the Commission approves the proposed reliability standard, it applies to the users, owners, and operators of a bulk power system and becomes mandatory in the United States. If the Commission remands a proposed standard, it is sent back to the ERO for further consideration. The Commission selected the North American Electric Reliability Corporation, or NERC, as the ERO. It is important to note that FERC's jurisdiction and reliability authority is limited to the ``bulk power system,'' as defined in the FPA, which excludes Alaska and Hawaii distribution systems, and can exclude transmission facilities in certain large cities, such as New York. In addition to the reliability authority, FERC is also charged with oversight of the cybersecurity of the bulk power system. As is the case with non-security issues, FERC's authority under section 215 over cybersecurity is exercised through the reliability standards developed by the ERO and approved by FERC. Pursuant to this duty, FERC approved 8 cybersecurity standards known as the Critical Infrastructure Protection standards, or CIP standards, proposed by NERC, while concurrently directing modifications to them in January 2008. Three sets of modifications, responding to the Commission's directives, have been received from the ERO, and the last was approved earlier this year. Although the CIP standards are approved, full compliance with these revised standards will not be mandatory until 2014. More importantly, in approving the latest revision of the CIP standards, the Commission recognized that they are an interim step and raised its concern that the newly revised standards do not provide enough protection to satisfy the Commission's January 2008 Order. Thus, the Commission established a deadline for the end of the first quarter of 2013, for NERC to file standards in compliance with the outstanding directives in that Order. Physical attacks against the power grid can cause equal or greater destruction than cyber attacks.
One example of a physical threat is an electromagnetic pulse, or EMP, event. In 2001, Congress established a commission to assess the threat from EMP. In 2004 and, again, in 2008, the Commission issued its reports. Among the findings in the reports were that a single EMP attack could seriously degrade or shut down a large part of the electric power grid. Depending upon the attack, significant parts of the electric infrastructure could be, ``Out of service for periods measured in months to a year or more.'' In addition to man-made attacks, EMP events are also naturally generated, caused by solar flares and storms, disrupting the Earth's magnetic field. Such events can be powerful and can also cause significant and prolonged disruptions to the power grid. The standards development system utilized under FPA 215 develops mandatory reliability standards, using an open and inclusive process, based on consensus. Although it can be an effective mechanism for dealing with the routine requirements of the power grid, it is inadequate when addressing threats to the power grid that endanger national security. Despite its active role in approving reliability standards, FERC's current legal authority is insufficient to assure direct, timely, and mandatory action to protect the grid, particularly where certain information should not be publicly disclosed. Any new legislation should address several key concerns. First, legislation should allow the Federal Government to take action before a cyber or physical national security incident has occurred. Second, any legislation should ensure appropriate confidentiality of the sensitive information submitted, developed, or issued under this authority.
Third, if additional reliability authority is limited to the bulk power system, as that term is currently defined in the FPA, it would not authorize Federal action to mitigate cyber or other national security threats to reliability that involve certain critical facilities in major population areas. Finally, it is important that entities be able to recover costs that they incur to mitigate vulnerabilities and threats. Thank you for your attention today. I am available to address any questions that you may have.

[The prepared statement of Mr. McClelland follows:]

Prepared Statement of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission

Mr. Chairman, Ranking Member and Members of the Committee: Thank you for this opportunity to appear before you to discuss the security of the electric grid. My name is Joseph McClelland. I am the Director of the Office of Electric Reliability (OER) of the Federal Energy Regulatory Commission (FERC or Commission). The Commission's role with respect to reliability is to help protect and improve the reliability of the Nation's bulk power system through effective regulatory oversight as established in the Energy Policy Act of 2005. I am here today as a Commission staff witness and my remarks do not necessarily represent the views of the Commission or any individual Commissioner. The Commission is committed to protecting the reliability of the nation's bulk electric system; nevertheless, the Commission's current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system. These types of threats pose an increasing risk to our Nation's electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. I will describe how limitations in Federal authority do not fully protect the grid against physical and cyber threats.
My testimony also summarizes the Commission's oversight of the reliability of the electric grid under section 215 of the Federal Power Act (FPA) and the Commission's implementation of that authority with respect to cyber related reliability issues primarily through Order No. 706.

Background

In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted the Commission with a major new responsibility to oversee mandatory, enforceable reliability standards for the Nation's bulk power system (excluding Alaska and Hawaii). This authority is in section 215 of the Federal Power Act. Section 215 requires the Commission to select an Electric Reliability Organization (ERO) that is responsible for proposing, for Commission review and approval, reliability standards or modifications to existing reliability standards to help protect and improve the reliability of the Nation's bulk power system. The Commission has certified the North American Electric Reliability Corporation (NERC) as the ERO. The reliability standards apply to the users, owners and operators of the bulk power system and become mandatory in the United States only after Commission approval. The ERO also is authorized to impose, after notice and opportunity for a hearing, penalties for violations of the reliability standards, subject to Commission review and approval. The ERO may delegate certain responsibilities to ``Regional Entities,'' subject to Commission approval. The Commission may approve proposed reliability standards or modifications to previously approved standards if it finds them ``just, reasonable, not unduly discriminatory or preferential, and in the public interest.'' The Commission itself does not have authority to modify proposed standards. Rather, if the Commission disapproves a proposed standard or modification, section 215 requires the Commission to remand it to the ERO for further consideration.
The Commission, upon its own motion or upon complaint, may direct the ERO to submit a proposed standard or modification on a specific matter but it does not have the authority to modify or author a standard and must depend upon the ERO to do so.

Limitations of Section 215 and the Term ``Bulk Power System''

Currently, the Commission's jurisdiction and reliability authority is limited to the ``bulk power system,'' as defined in the FPA, and therefore excludes Alaska and Hawaii, including any federal installations located therein. The current interpretation of ``bulk power system'' also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas. The Commission directed NERC to revise its interpretation of the bulk power system to eliminate inconsistencies across regions, eliminate the ambiguity created by the current discretion in NERC's definition of bulk electric system, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules. NERC has recently filed a revised definition of the term bulk power system, and the Commission has solicited comments on its proposal to accept NERC's revised definition. However, it is important to note that section 215 of the FPA excludes local distribution facilities from the Commission's reliability jurisdiction, so any revised bulk electric system definition developed by NERC will still not apply to local distribution facilities.
Critical Infrastructure Protection Reliability Standards

An important part of the Commission's current responsibility to oversee the development of reliability standards for the bulk power system involves cyber related reliability issues. In August 2006, NERC submitted eight proposed cyber standards, known as the Critical Infrastructure Protection (CIP) standards, to the Commission for approval under section 215. Critical infrastructure, as defined by NERC for purposes of the CIP standards, includes facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the ``Bulk Electric System.'' Under NERC's implementation plan for the CIP standards, full compliance became mandatory on July 1, 2010. On January 18, 2008, the Commission issued Order No. 706, the Final Rule approving the CIP reliability standards while concurrently directing NERC to develop significant modifications addressing specific concerns. The Commission set a deadline of July 1, 2009 for NERC to resolve certain issues in the CIP reliability standards, including deletion of the ``reasonable business judgment'' and ``acceptance of risk'' language in each of the standards. NERC concluded that this deadline would create a very compressed schedule for its stakeholder process. Therefore, it divided all of the changes directed by the Commission into phases, based on their complexity. NERC opted to resolve the simplest changes in the first phase, while putting off more complex changes for later versions. NERC filed the first phase of the modifications to the CIP Reliability Standards (Version 2) on May 22, 2009. In this phase, NERC removed from the standards the terms ``reasonable business judgment'' and ``acceptance of risk,'' added a requirement for a ``single senior manager'' responsible for CIP compliance, and made certain other administrative and clarifying changes.
In a September 30, 2009 order, the Commission approved the Version 2 CIP standards and directed NERC to develop additional modifications to certain of them. Pursuant to the Commission's September 30, 2009 order, NERC submitted Version 3 of the CIP standards which revised Version 2 as directed. The Version 3 CIP standards became effective on October 1, 2010. This first phase of the modifications directed by the Commission in Order No. 706, which encompassed both Version 2 and Version 3, did not modify the critical asset identification process, a central concern in Order No. 706. On February 10, 2011, NERC initiated the second phase of the Order No. 706 directed modification, filing a petition seeking approval of Version 4 of the CIP standards. Version 4 includes new proposed criteria to identify ``critical assets'' for purposes of the CIP reliability standards. On April 19, 2012, the Commission issued Order No. 761, approving the Version 4 CIP standards, which introduced ``bright line'' criteria for the identification of Critical Assets. The version 4 CIP standards do not go into effect until April 1, 2014. The currently effective CIP reliability standards allow utilities significant discretion to determine which of their facilities are ``critical assets and the associated critical cyber assets,'' and therefore are subject to the requirements of the standards. It is important to note that although ``critical assets'' are used to identify subsequent ``critical cyber assets,'' only the subset of ``critical cyber assets''--which are self-determined by the affected entities--are subject to the CIP standards. As the Commission stated in Order No. 706, the identification of critical assets is the cornerstone of the CIP standards. If that identification is not done well, the CIP standards will be ineffective at maintaining the reliability of the bulk power system. 
In the order approving NERC's Version 4 standards, the Commission recognized that Version 4 is an interim step and stated its concern that Version 4 does not provide enough protection to satisfy Order No. 706. Thus, the Commission established a deadline of end of first quarter of 2013 for NERC to file standards in compliance with the outstanding directives in Order No. 706. The remaining CIP standards revisions to respond to the Commission's directives issued in Order No. 706 are still under development by NERC. It is important to note that the majority of the Order No. 706 directed modifications to the CIP standards have yet to be addressed by NERC. Until they are addressed, there are significant gaps in protection.

The NERC Process

As an initial matter, it is important to recognize how mandatory reliability standards are established. Under section 215, reliability standards must be developed by the ERO through an open, inclusive, and public process. The Commission can direct NERC to develop a reliability standard to address a particular reliability matter. However, the NERC process typically requires years to develop standards for the Commission's review. In fact, the CIP standards approved by the Commission in January 2008 took approximately three years to develop. NERC's procedures for developing standards allow extensive opportunity for stakeholder comment, are open, and are generally based on the procedures of the American National Standards Institute. The NERC process is intended to develop consensus on both the need for, and the substance of, the proposed standard. Although inclusive, the process is relatively slow, open and unpredictable in its responsiveness to the Commission's directives.
This process requires public disclosure regarding the reason for the proposed standard, the manner in which the standard will address the issues, and any subsequent comments and resulting modifications in the standards as the affected stakeholders review the material and provide comments. NERC-approved standards are then submitted to the Commission for its review. The procedures used by NERC are appropriate for developing and approving routine reliability standards. The process allows extensive opportunities for industry and public comment. The public nature of the reliability standards development process can be a strength of the process. However, it can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures used under section 215 for the development and approval of reliability standards do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps. On September 3, 2010, FERC approved a new reliability standards process manual filed by NERC. While this manual includes a process for developing a standard related to a confidential issue, the new process is untested and it is unclear how the process would be implemented. FERC rules governing review and establishment of reliability standards allow the agency to direct the ERO to develop and propose reliability standards under an expedited schedule. For example, FERC could order the ERO to submit a reliability standard to address a reliability vulnerability within 60 days.
Also, NERC's rules of procedure include a provision for approval of ``urgent action'' standards that can be completed within 60 days and which may be further expedited by a written finding by the NERC board of trustees that an extraordinary and immediate threat exists to bulk power system reliability or national security. However, it is not clear NERC could meet this schedule in practice. Moreover, faced with a national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years. That would not be feasible even under the urgent action process. In the meantime, the bulk power system would be left vulnerable to a known national security threat. Moreover, existing procedures, including the urgent action procedure, could widely publicize both the vulnerability and the proposed solutions, thus increasing the risk of hostile actions before the appropriate solutions are implemented. In addition, a reliability standard submitted to the Commission by NERC may not be sufficient to address the identified vulnerability or threat. Since FERC may not directly modify a proposed reliability standard under section 215 and must either approve or remand it, FERC would have the choice of approving an inadequate standard and directing changes, which reinitiates a process that can take years, or rejecting the standard altogether. Under either approach, the bulk power system would remain vulnerable for a prolonged period. This concern was highlighted in the Department of Energy Inspector General's January 2011 audit report on FERC's ``Monitoring of Power Grid Cyber Security.'' The audit report identified concerns regarding the adequacy of the CIP standards and the implementation and schedule for the CIP standards, and concluded that these problems exist, in part, because the Commission's authority to ensure adequate reliability of the bulk electric system is limited. 
This report emphasizes the need for additional authority to ensure adequate cyber security over the bulk electric system.

Finally, the open and inclusive process required for standards development is not consistent with the need to protect security-sensitive information. For instance, a formal request for a new standard would normally detail the need for the standard as well as the proposed mitigation to address the issue, and the NERC-approved version of the standard would be filed with the Commission for review. This public information could help potential adversaries in planning attacks.

physical security and other threats to reliability

The existing reliability standards do not extend to physical threats to the grid, but physical threats can cause equal or greater destruction than cyber attacks and the Federal government should have no less ability to act to protect against such potential damage.

One example of a physical threat is an electromagnetic pulse (EMP) event. EMP events can be generated from either naturally occurring or man-made causes. In the case of the former, solar magnetic disturbances periodically disrupt the earth's magnetic field which in turn, can generate large induced ground currents. This effect, also termed the ``E3'' component of an EMP, can simultaneously damage or destroy bulk power system transformers over a large geographic area. Regarding man-made events, EMP can also be generated by weapons. Equipment and plans are readily available that have the capability to generate high-energy bursts, termed ``E1'', that can damage or destroy electronics such as those found in control and communication systems on the power grid. These devices can be portable and effective, facilitating simultaneous coordinated attacks, and can be reused, allowing use against multiple targets. The most comprehensive man-made EMP threat is from a high-altitude nuclear explosion.
It would affect an area defined by the ``line-of-sight'' from the point of detonation. The higher the detonation the larger the area affected, and the more powerful the explosion the stronger the EMP emitted. The first component of the resulting pulse, E1, occurs within a fraction of a second and can destroy control and communication electronics. The second component is termed ``E2'' and is similar to lightning, which is well-known and mitigated by industry. Toward the end of an EMP event, a third element, E3, occurs. This causes the same effect as solar magnetic disturbances. It can damage or destroy power transformers connected to long transmission lines. It is important to note that effective mitigation against solar magnetic disturbances and non-nuclear EMP weaponry provides effective mitigation against a high-altitude nuclear explosion.

In 2001, Congress established a commission to assess the threat from EMP, with particular attention to be paid to the nature and magnitude of high-altitude EMP threats to the United States; vulnerabilities of U.S. military and civilian infrastructure to such attack; capabilities to recover from an attack; and the feasibility and cost of protecting military and civilian infrastructure, including energy infrastructure. In 2004, the EMP commission issued a report describing the nature of EMP attacks, vulnerabilities to EMP attacks, and strategies to respond to an attack.\1\ A second report was produced in 2008 that further investigated vulnerabilities of the Nation's infrastructure to EMP.\2\ Both electrical equipment and control systems can be damaged by EMP.
---------------------------------------------------------------------------
\1\ Graham, Dr. William R. et al., Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack (2004).
\2\ Dr. John S. Foster, Jr. et al., Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack (2008).
---------------------------------------------------------------------------
An EMP may also be a naturally-occurring event caused by solar flares and storms disrupting the Earth's magnetic field. In 1859, a major solar storm occurred, causing auroral displays and significant shifts of the Earth's magnetic fields. As a result, telegraphs were rendered useless and several telegraph stations burned down. The impacts of that storm were muted because semiconductor technology did not exist at the time. Were the storm to happen today, according to an article in Scientific American, it could ``severely damage satellites, disable radio communications, and cause continent-wide electrical black-outs that would require weeks or longer to recover from.''\3\ Although storms of this magnitude occur rarely, storms and flares of lesser intensity occur more frequently. Storms of about half the intensity of the 1859 storm occur every 50 years or so according to the authors of the Scientific American article, and the last such storm occurred in November 1960, leading to world-wide geomagnetic disturbances and radio outages. The power grid is particularly vulnerable to solar storms, as transformers are electrically grounded to the Earth and susceptible to damage from geomagnetically induced currents. The damage or destruction of numerous transformers across the country would result in reduced grid functionality and even prolonged power outages.
---------------------------------------------------------------------------
\3\ Odenwald, Sten F. and Green, James L., Bracing the Satellite Infrastructure for a Solar Superstorm, Scientific American Magazine (Jul. 28, 2008).
---------------------------------------------------------------------------
In March 2010, Oak Ridge National Laboratory (Oak Ridge) and their subcontractor Metatech released a study that explored the vulnerability of the electric grid to EMP-related events.
This study was a joint effort contracted by FERC staff, the Department of Energy and the Department of Homeland Security and expanded on the information developed in other initiatives, including the EMP commission reports. The series of reports provided detailed technical background and outlined which sections of the power grid are most vulnerable, what equipment would be affected, and what damage could result. Protection concepts for each threat and additional methods for remediation were also included along with suggestions for mitigation.

The results of the study support the general conclusion that EMP events pose substantial risk to equipment and operation of the Nation's power grid and under extreme conditions could result in major long term electrical outages. In fact, solar magnetic disturbances are inevitable with only the timing and magnitude subject to variability. The study assessed the 1921 solar storm, which has been termed a 1-in-100 year event, and applied it to today's power grid. The study concluded that such a storm could damage or destroy up to 300 bulk power system transformers interrupting service to 130 million people for a period of years.

On April 30, 2012, the Commission held a technical conference to discuss issues related to reliability of the bulk power system as affected by geomagnetic disturbances. The conference explored the risks and impacts from geomagnetically induced currents to transformers and other equipment on the bulk power system, as well as options for addressing or mitigating the risks and impacts. The Commission is considering the comments filed after that conference.

The existing reliability standards do not address EMP vulnerabilities. Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure.
the need for legislation

In my view, section 215 of the Federal Power Act provides an adequate statutory foundation for the ERO to develop most reliability standards for the bulk power system. However, the nature of a national security threat by entities intent on attacking the U.S. through vulnerabilities in its electric grid stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and protective relay maintenance practices. Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens. Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. The Commission's current legal authority is inadequate for such action. This is true of both cyber and physical threats to the bulk power system that pose national security concerns.

Section 215 of the FPA excludes all facilities in Alaska and Hawaii and all local distribution facilities from the Commission's reliability jurisdiction, which may leave significant facilities vulnerable to the threat of a cyber or physical attack. In addition, although the NERC standards development process as envisioned in section 215 can be fine for routine reliability matters, it is too slow, too open and too unpredictable to ensure its responsiveness in the cases where national security is endangered. This process is inadequate when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information.
These shortcomings can be solved through a comprehensive, government-wide approach to cyber security issues or through a sector-specific approach. If a government-wide course is pursued, care should be taken to ensure that the two approaches complement each other, preserving FERC's ability to regulate electric reliability effectively.

Any new legislation should address several key concerns. First, to prevent a significant risk of disruption to the grid, legislation should allow the federal government to take action before a cyber or physical national security incident has occurred. In particular, the federal government should be able to require mitigation even before or while NERC and its stakeholders develop a standard, when circumstances require urgent action. Second, any legislation should ensure appropriate confidentiality of sensitive information submitted, developed or issued under this authority. Without such confidentiality, the grid may be more vulnerable to attack. Third, if additional reliability authority is limited to the bulk power system, as that term is currently defined in the FPA, it would not authorize Federal action to mitigate cyber or other national security threats to reliability that involve certain critical facilities and major population areas. Fourth, it is important that entities be able to recover costs they incur to mitigate vulnerabilities and threats.

conclusion

The Commission's current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system. These types of threats pose an increasing risk to our Nation's electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens.

Thank you again for the opportunity to testify today. I would be happy to answer any questions you may have.

The Chairman. Thank you very much. Mr. Wilshusen, go right ahead.

STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION AND TECHNOLOGY, GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Wilshusen. Mr. Chairman, Ranking Member Murkowski, members of the committee. Thank you for the opportunity to testify at today's hearing on actions to secure the electricity grid.

As you know, the electric power industry, which is composed of electricity generation, transmission, distribution, and system operations, is increasingly incorporating information technology systems and networks into its existing infrastructure, as it modernizes the electricity grid. The use of IT can provide many benefits, such as greater efficiency and reliability, and lower costs to consumers. However, this increased reliance on computer systems and networks also introduces cyber-based risk to the grid if the systems and networks are not properly protected. For nearly a decade, GAO has identified the protection of systems supporting our Nation's critical infrastructure, which includes the electricity grid, as a Government-wide, high risk area.

Today, I will discuss the cyber threats to the electricity grid and several of the actions taken and challenges remaining to secure the grid. But, first, if I may, Mr. Chairman, I would like to recognize several members of my team who were instrumental in developing this statement and also conducting the work on which it is based. With me today is Anjalique Lawrence, seated behind me. Back at the office: Mike Gilmore, Lee McCracken, David Trimble, Jon Ludwigson, and Paige Gilbreath, all played significant roles and made significant contributions.

Mr. Chairman, the threats to systems supporting the electricity grid are evolving and growing. They include both unintentional and intentional threats, and may come in the form of equipment failures, as well as targeted and untargeted attacks from our adversaries.
The interconnectivity between industrial control systems, computer networks, and the Internet can amplify the impact of these threats and expose the grid to known and unknown cybersecurity vulnerabilities, potentially affecting the operations of critical infrastructures, the security of sensitive information, and the flow of commerce. Several reported incidents illustrate the potentially serious impact of these threats.

To address such concerns, State and Federal authorities play key roles in overseeing grid reliability, which involves the security of the grid. State regulators generally oversee the reliability of the local distribution system; whereas, NERC has developed and enforced mandatory standards intended to ensure the reliability of the bulk power system, which includes certain generation facilities and the high voltage electricity transmission network. FERC has approved and, thus, made mandatory, 8 critical infrastructure standards developed by NERC to help ensure the secure electronic exchange of information and to prevent unauthorized physical and logical access to critical cyber assets. In addition, NIST has identified guidelines on how to securely implement smart grid systems and identified an initial set of interoperability and cybersecurity standards for the smart grid. However, FERC has not yet adopted these standards, citing a lack of consensus for them.

GAO has previously reported on a number of key challenges to securing the modernized electricity grid; for example, aspects of the current regulatory environment may complicate matters. Specifically, jurisdictional issues and the difficulties associated with responding to continually evolving cyber threats were a key regulatory challenge to ensuring the cybersecurity of the grid. We also reported other challenges affecting industry efforts to secure the smart grid.
Specifically, the electricity industry had not consistently built security features for certain smart grid devices, established an effective mechanism for sharing cybersecurity information, and created a set of metrics for evaluating the effectiveness of cybersecurity controls. GAO has made several recommendations to FERC aimed at addressing these challenges and the Commission has agreed with these recommendations.

In summary, Mr. Chairman, the evolving and growing threat from cyber-based attacks highlights the importance of securing the electricity industry's systems and networks. A successful attack could result in widespread power outages, significant monetary losses, and extensive property damage. More needs to be done to meet the challenges facing the industry and enhancing security. In particular, Federal regulators and other stakeholders will need to work closely together with the private sector, to address cybersecurity challenges, as the generation, transmission, and distribution of electricity come to rely more on emerging and sophisticated technologies.

Mr. Chairman, Ranking Member, this completes my statement. I would be happy to answer any questions.

[The prepared statement of Mr. Wilshusen follows:]

Prepared Statement of Gregory C. Wilshusen, Director, Information and Technology, Government Accountability Office

why gao did this study

The electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure (e.g., electricity networks, including power lines and customer meters). This use of IT can provide many benefits, such as greater efficiency and lower costs to consumers. However, this increased reliance on IT systems and networks also exposes the grid to cybersecurity vulnerabilities, which can be exploited by attackers.
Moreover, GAO has identified protecting systems supporting our nation's critical infrastructure (which includes the electricity grid) as a governmentwide high-risk area.

GAO was asked to testify on the status of actions to protect the electricity grid from cyber attacks. Accordingly, this statement discusses (1) cyber threats facing cyber-reliant critical infrastructures, which include the electricity grid, and (2) actions taken and challenges remaining to secure the grid against cyber attacks. In preparing this statement, GAO relied on previously published work in this area and reviewed reports from other federal agencies, media reports, and other publicly available sources.

what gao recommends

In a prior report, GAO has made recommendations related to electricity grid modernization efforts, including developing an approach to monitor compliance with voluntary standards. These recommendations have not yet been implemented.

what gao found

The threats to systems supporting critical infrastructures are evolving and growing. In testimony, the Director of National Intelligence noted a dramatic increase in cyber activity targeting U.S. computers and systems, including a more than tripling of the volume of malicious software. Varying types of threats from numerous sources can adversely affect computers, software, networks, organizations, entire industries, and the Internet itself. These include both unintentional and intentional threats, and may come in the form of targeted or untargeted attacks from criminal groups, hackers, disgruntled employees, nations, or terrorists. The interconnectivity between information systems, the Internet, and other infrastructures can amplify the impact of these threats, potentially affecting the operations of critical infrastructures, the security of sensitive information, and the flow of commerce.
Moreover, the electricity grid's reliance on IT systems and networks exposes it to potential and known cybersecurity vulnerabilities, which could be exploited by attackers. The potential impact of such attacks has been illustrated by a number of recently reported incidents and can include fraudulent activities, damage to electricity control systems, power outages, and failures in safety equipment.

To address such concerns, multiple entities have taken steps to help secure the electricity grid, including the North American Electric Reliability Corporation, the National Institute of Standards and Technology (NIST), the Federal Energy Regulatory Commission, and the Departments of Homeland Security and Energy. These include, in particular, establishing mandatory and voluntary cybersecurity standards and guidance for use by entities in the electricity industry. For example, the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission, which have responsibility for regulation and oversight of part of the industry, have developed and approved mandatory cybersecurity standards and additional guidance. In addition, NIST has identified cybersecurity standards that support smart grid interoperability and has issued a cybersecurity guideline. The Departments of Homeland Security and Energy have also played roles in disseminating guidance on security practices and providing other assistance.

As GAO previously reported, there were a number of ongoing challenges to securing electricity systems and networks. These include:

    A lack of a coordinated approach to monitor industry compliance with voluntary standards.
    Aspects of the current regulatory environment made it difficult to ensure the cybersecurity of smart grid systems.
    A focus by utilities on regulatory compliance instead of comprehensive security.
    A lack of security features consistently built into smart grid systems.
    The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues.
    The electricity industry did not have metrics for evaluating cybersecurity.

Chairman Bingaman, Ranking Member Murkowski, and Members of the Committee:

Thank you for the opportunity to testify at today's hearing on the status of actions to protect the electricity grid from cyber attacks. As you know, the electric power industry is increasingly incorporating information technology (IT) systems and networks into its existing infrastructure (e.g., electricity networks including power lines and customer meters). This use of IT can provide many benefits, such as greater efficiency and lower costs to consumers. Along with these anticipated benefits, however, cybersecurity and industry experts have expressed concern that, if not implemented securely, modernized electricity grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security. In addition, since 2003 we have identified protecting systems supporting our nation's critical infrastructure (which includes the electricity grid) as a governmentwide high-risk area, and we continue to do so in the most recent update to our high-risk list.\1\
---------------------------------------------------------------------------
\1\ GAO's biennial high-risk list identifies government programs that have greater vulnerability to fraud, waste, abuse, and mismanagement or need transformation to address economy, efficiency, or effectiveness challenges.
We have designated federal information security as a governmentwide high-risk area since 1997; in 2003, we expanded this high-risk area to include protecting systems supporting our nation's critical infrastructure--referred to as cyber-critical infrastructure protection, or cyber CIP. See, most recently, GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.: February 2011).
---------------------------------------------------------------------------
In my testimony today, I will describe (1) cyber threats facing cyber-reliant critical infrastructures,\2\ which include the electricity grid, and (2) actions taken and challenges remaining to secure the grid against cyber attacks. In preparing this statement in July 2012, we relied on our previous work in this area, including studies examining efforts to secure the electricity grid and associated challenges and cybersecurity guidance.\3\ (Please see the related GAO products in appendix I.) The products upon which this statement is based contain detailed overviews of the scope of our reviews and the methodology we used. We also reviewed documents from the Federal Energy Regulatory Commission, the North American Electric Reliability Corporation, the Department of Energy, including its Office of the Inspector General, and the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, as well as publicly available reports on cyber incidents.

The work on which this statement is based was performed in accordance with generally accepted government auditing standards. Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives.
---------------------------------------------------------------------------
\2\ Federal policy established 18 critical infrastructure sectors. These include, for example, banking and finance, communications, public health, and energy. The energy sector includes subsectors for oil and gas and for electricity.
\3\ GAO, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12-92 (Washington, D.C.: Dec. 9, 2011), and Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, GAO-11-117 (Washington, D.C.: Jan. 12, 2011).
---------------------------------------------------------------------------

background

The electricity industry, as shown in figure 1, is composed of four distinct functions: generation, transmission, distribution, and system operations. Once electricity is generated--whether by burning fossil fuels; through nuclear fission; or by harnessing wind, solar, geothermal, or hydro energy--it is generally sent through high-voltage, high-capacity transmission lines to local electricity distributors. Once there, electricity is transformed into a lower voltage and sent through local distribution lines for consumption by industrial plants, businesses, and residential consumers. Because electric energy is generated and consumed almost instantaneously, the operation of an electric power system requires that a system operator constantly balance the generation and consumption of power.

Utilities own and operate electricity assets, which may include generation plants, transmission lines, distribution lines, and substations--structures often seen in residential and commercial areas that contain technical equipment such as switches and transformers to ensure smooth, safe flow of current and regulate voltage. Utilities may be owned by investors, municipalities, and individuals (as in cooperative utilities).
System operators--sometimes affiliated with a particular utility or sometimes independent and responsible for multiple utility areas--manage the electricity flows. These system operators manage and control the generation, transmission, and distribution of electric power using control systems--IT- and network-based systems that monitor and control sensitive processes and physical functions, including opening and closing circuit breakers.\4\ As we have previously reported, the effective functioning of the electricity industry is highly dependent on these control systems.\5\ However, for many years, aspects of the electricity network lacked (1) adequate technologies--such as sensors--to allow system operators to monitor how much electricity was flowing on distribution lines, (2) communications networks to further integrate parts of the electricity grid with control centers, and (3) computerized control devices to automate system management and recovery.
---------------------------------------------------------------------------
\4\ Circuit breakers are devices used to open or close electric circuits. If a transmission or distribution line is in trouble, a circuit breaker can disconnect it from the rest of the system.
\5\ GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007).
---------------------------------------------------------------------------

modernization of the electricity infrastructure

As the electricity industry has matured and technology has advanced, utilities have begun taking steps to update the electricity grid--the transmission and distribution systems--by integrating new technologies and additional IT systems and networks.
Though utilities have regularly taken such steps in the past, industry and government stakeholders have begun to articulate a broader, more integrated vision for transforming the electricity grid into one that is more reliable and efficient; facilitates alternative forms of generation, including renewable energy; and gives consumers real-time information about fluctuating energy costs. This vision--the smart grid--would increase the use of IT systems and networks and two-way communication to automate actions that system operators formerly had to make manually.

Electricity grid modernization is an ongoing process, and initiatives have commonly involved installing advanced metering infrastructure (smart meters) on homes and commercial buildings that enable two-way communication between the utility and customer. Other initiatives include adding ``smart'' components to provide the system operator with more detailed data on the conditions of the transmission and distribution systems and better tools to observe the overall condition of the grid (referred to as ``wide-area situational awareness''). These include advanced, smart switches on the distribution system that communicate with each other to reroute electricity around a troubled line and high-resolution, time-synchronized monitors--called phasor measurement units--on the transmission system.

The use of smart grid systems may have a number of benefits, including improved reliability from fewer and shorter outages, downward pressure on electricity rates resulting from the ability to shift peak demand, an improved ability to shift to alternative sources of energy, and an improved ability to detect and respond to potential attacks on the grid.

regulation of the electricity industry

Both the federal government and state governments have authority for overseeing the electricity industry.
For example, the Federal Energy Regulatory Commission (FERC) regulates rates for wholesale electricity sales and transmission of electricity in interstate commerce. This includes approving whether to allow utilities to recover the costs of investments they make to the transmission system, such as smart grid investments. Meanwhile, local distribution and retail sales of electricity are generally subject to regulation by state public utility commissions.

State and federal authorities also play key roles in overseeing the reliability of the electric grid. State regulators generally have authority to oversee the reliability of the local distribution system. The North American Electric Reliability Corporation (NERC) is the federally designated U.S. Electric Reliability Organization, and is overseen by FERC. NERC has responsibility for conducting reliability assessments and developing and enforcing mandatory standards to ensure the reliability of the bulk power system--i.e., facilities and control systems necessary for operating the transmission network and certain generation facilities needed for reliability. NERC develops reliability standards collaboratively through a deliberative process involving utilities and others in the industry, which are then sent to FERC for approval. These standards include critical infrastructure protection standards for protecting electric utility-critical and cyber-critical assets. FERC has responsibility for reviewing and approving the reliability standards or directing NERC to modify them.

In addition, the Energy Independence and Security Act of 2007\6\ established federal policy to support the modernization of the electricity grid and required actions by a number of federal agencies, including the National Institute of Standards and Technology (NIST), FERC, and the Department of Energy.
With regard to cybersecurity, the act required NIST and FERC to take the following actions:
---------------------------------------------------------------------------
\6\ Pub. L. No. 110-140 (Dec. 19, 2007).
---------------------------------------------------------------------------
    NIST was to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems. As part of its efforts to accomplish this, NIST planned to identify cybersecurity standards for these systems and also identified the need to develop guidelines for organizations such as electric companies on how to securely implement smart grid systems. In January 2011,\7\ we reported that NIST had identified 11 standards involving cybersecurity that support smart grid interoperability and had issued a first version of a cybersecurity guideline.\8\
---------------------------------------------------------------------------
\7\ GAO-11-117.
\8\ NIST Special Publication 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, January 2010 and NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security, August 2010.
---------------------------------------------------------------------------
    FERC was to adopt standards resulting from NIST's efforts that it deemed necessary to ensure smart grid functionality and interoperability. However, according to FERC officials, the statute did not provide specific additional authority to allow FERC to require utilities or manufacturers of smart grid technologies to follow these standards. As a result, any standards identified and developed through the NIST-led process are voluntary unless regulators use other authorities to indirectly compel utilities and manufacturers to follow them.
the electricity grid is potentially vulnerable to an evolving array of cyber-based threats

Threats to systems supporting critical infrastructure--which includes the electricity industry and its transmission and distribution systems--are evolving and growing. In February 2011, the Director of National Intelligence testified that, in the past year, there had been a dramatic increase in malicious cyber activity targeting U.S. computers and networks, including a more than tripling of the volume of malicious software since 2009.\9\ Different types of cyber threats from numerous sources may adversely affect computers, software, networks, organizations, entire industries, or the Internet. Cyber threats can be unintentional or intentional. Unintentional threats can be caused by software upgrades or maintenance procedures that inadvertently disrupt systems. Intentional threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign nations engaged in espionage and information warfare, and terrorists. Table 1 shows common sources of cyber threats.
---------------------------------------------------------------------------
\9\ Director of National Intelligence, Statement for the Record on the Worldwide Threat Assessment of the U.S. Intelligence Community, statement before the Senate Select Committee on Intelligence (Feb. 16, 2011).
---------------------------------------------------------------------------

TABLE 1: SOURCES OF CYBERSECURITY THREATS
------------------------------------------------------------------------
Threat source          Description
------------------------------------------------------------------------
Bot-network operators
    Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack or services to relay spam or phishing attacks).
------------------------------------------------------------------------
Criminal groups
    Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer extortion. International corporate spies and criminal organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.
------------------------------------------------------------------------
Hackers
    Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain, and political activism, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.
------------------------------------------------------------------------
Insiders
    The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat includes contractors hired by the organization, as well as careless or poorly trained employees who may inadvertently introduce malware into systems.
------------------------------------------------------------------------
Nations
    Nations use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power--impacts that could affect the daily lives of citizens across the country. In his January 2012 testimony, the Director of National Intelligence stated that, among state actors, China and Russia are of particular concern.
------------------------------------------------------------------------
Phishers
    Individuals or small groups execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware or malware to accomplish their objectives.
------------------------------------------------------------------------
Spammers
    Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations (e.g., a denial of service).
------------------------------------------------------------------------
Spyware or malware authors
    Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.
------------------------------------------------------------------------
Terrorists
    Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information.
------------------------------------------------------------------------
Source: GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, and the Software Engineering Institute's CERT Coordination Center.

These sources of cyber threats make use of various techniques, or exploits, that may adversely affect computers, software, a network, an organization's operation, an industry, or the Internet itself. Table 2 shows common types of cyber exploits.

TABLE 2: TYPES OF CYBER EXPLOITS
------------------------------------------------------------------------
Type of exploit        Description
------------------------------------------------------------------------
Cross-site scripting
    An attack that uses third-party web resources to run script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log key strokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine.
------------------------------------------------------------------------
Denial-of-service
    An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
------------------------------------------------------------------------
Distributed denial-of-service
    A variant of the denial-of-service attack that uses numerous hosts to perform the attack.
------------------------------------------------------------------------
Logic bombs
    A piece of programming code intentionally inserted into a software system that will cause a malicious function to occur when one or more specified conditions are met.
------------------------------------------------------------------------
Phishing
    A digital form of social engineering that uses authentic-looking, but fake, e-mails to request information from users or direct them to a fake website that requests information.
------------------------------------------------------------------------
Passive wiretapping
    The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data.
------------------------------------------------------------------------
Structured Query Language (SQL) injection
    An attack that involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database.
------------------------------------------------------------------------
Trojan horse
    A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms by, for example, masquerading as a useful program that a user would likely execute.
------------------------------------------------------------------------
Virus
    A computer program that can copy itself and infect a computer without the permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. Unlike a computer worm, a virus requires human involvement (usually unwitting) to propagate.
------------------------------------------------------------------------
War driving
    The method of driving through cities and neighborhoods with a wireless-equipped computer--sometimes with a powerful antenna--searching for unsecured wireless networks.
------------------------------------------------------------------------
Worm
    A self-replicating, self-propagating, self-contained program that uses network mechanisms to spread itself. Unlike computer viruses, worms do not require human involvement to propagate.
------------------------------------------------------------------------
Zero-day exploit
    An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed timeframe between public discoveries of both makes it difficult to defend against.
------------------------------------------------------------------------
Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness Team, and industry reports.

electricity grid faces cybersecurity vulnerabilities

The potential impact of these threats is amplified by the connectivity between information systems, the Internet, and other infrastructures, creating opportunities for attackers to disrupt critical services, including electrical power. In addition, the increased reliance on IT systems and networks also exposes the electric grid to potential and known cybersecurity vulnerabilities.
These vulnerabilities include an increased number of entry points and paths that can be exploited by potential adversaries and other unauthorized users; the introduction of new, unknown vulnerabilities due to an increased use of new system and network technologies; wider access to systems and networks due to increased connectivity; and an increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use.

In May 2008, we reported that the corporate network of the Tennessee Valley Authority--the nation's largest public power company, which generates and distributes power in an area of about 80,000 square miles in the southeastern United States--contained security weaknesses that could lead to the disruption of control systems networks and devices connected to that network.\10\ We made 19 recommendations to improve the implementation of information security program activities for the control systems governing the Tennessee Valley Authority's critical infrastructures and 73 recommendations to address specific weaknesses in security controls. The Tennessee Valley Authority concurred with the recommendations and has taken steps to implement them.
---------------------------------------------------------------------------
\10\ GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks, GAO-08-526 (Washington, D.C.: May 21, 2008).
---------------------------------------------------------------------------
We and others have also reported that smart grid and related systems have known cyber vulnerabilities. For example, cybersecurity experts have demonstrated that certain smart meters can be successfully attacked, possibly resulting in disruption to the electricity grid.
In addition, we have reported that control systems used in industrial settings such as electricity generation have vulnerabilities that could result in serious damages and disruption if exploited.\11\ Further, in 2007, the Department of Homeland Security, in cooperation with the Department of Energy, ran a test that demonstrated that a vulnerability commonly referred to as ``Aurora'' had the potential to allow unauthorized users to remotely control, misuse, and cause damage to a small commercial electric generator. Moreover, in 2008, the Central Intelligence Agency reported that malicious activities against IT systems and networks have caused disruption of electric power capabilities in multiple regions overseas, including a case that resulted in a multicity power outage.\12\ As government, private sector, and personal activities continue to move to networked operations, the threat will continue to grow.
---------------------------------------------------------------------------
\11\ GAO-07-1036.
\12\ The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (Washington, D.C.: May 29, 2009).
---------------------------------------------------------------------------

reported incidents illustrate the potential impact of cyber threats

Cyber incidents continue to affect the electricity industry. For example, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team recently noted that the number of reported cyber incidents affecting control systems of companies in the electricity sector increased from 3 in 2009 to 25 in 2011. In addition, we and others have reported\13\ that cyber incidents can affect the operations of energy facilities, as the following examples illustrate:
---------------------------------------------------------------------------
\13\ GAO-07-1036 and GAO-12-92.
---------------------------------------------------------------------------
Smart meter attacks.--In April 2012, it was reported that sometime in 2009 an electric utility asked the FBI to help it investigate widespread incidents of power thefts through its smart meter deployment. The report indicated that the miscreants hacked into the smart meters to change the power consumption recording settings using software available on the Internet.

Phishing attacks directed at energy sector.--The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team reported that, in 2011, it deployed incident response teams to an electric bulk provider and an electric utility that had been victims of broader phishing attacks. The team found three malware samples and detected evidence of a sophisticated threat actor.

Stuxnet.--In July 2010, a sophisticated computer attack known as Stuxnet was discovered. It targeted control systems used to operate industrial processes in the energy, nuclear, and other critical sectors. It is designed to exploit a combination of vulnerabilities to gain access to its target and modify code to change the process.

Browns Ferry power plant.--In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.

Northeast power blackout.--In August 2003, failure of the alarm processor in the control system of FirstEnergy, an Ohio-based electric utility, prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. When several key transmission lines in northern Ohio tripped due to contact with trees, they initiated a cascading failure of 508 generating units at 265 power plants across eight states and a Canadian province.
Davis-Besse power plant.--The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant's process computer failed, and it took about 6 hours for it to become available again.

actions have been taken to secure the electricity grid, but challenges remain

Multiple entities have taken steps to help secure the electricity grid, including NERC, NIST, FERC, and the Departments of Homeland Security and Energy.

NERC has performed several activities that are intended to secure the grid. It has developed eight critical infrastructure standards for protecting electric utility-critical and cyber-critical assets. The standards established requirements for the following key cybersecurity-related controls: critical cyber asset identification, security management controls, personnel and training, electronic ``security perimeters,'' physical security of critical cyber assets, systems security management, incident reporting and response planning, and recovery plans for critical cyber assets. In December 2011, we reported that NERC's eight cyber security standards, along with supplementary documents, were substantially similar to NIST guidance applicable to federal agencies.\14\
---------------------------------------------------------------------------
\14\ GAO-12-92.
---------------------------------------------------------------------------
NERC also has published security guidelines for companies to consider for protecting electric infrastructure systems, although such guidelines are voluntary and typically not checked for compliance.
For example, NERC's June 2010 Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets is intended to assist entities in identifying and developing a list of critical cyber assets as described in the mandatory standards. NERC also has enforced compliance with mandatory cybersecurity standards through its Compliance Monitoring and Enforcement Program, subject to FERC review. NERC has assessed monetary penalties for violations of its cyber security standards.

NIST, in implementing its responsibilities under the Energy Independence and Security Act of 2007 with regard to standards to achieve interoperability of smart grid systems, planned to identify cybersecurity standards for these systems. In January 2011, we reported\15\ that it had identified 11 standards involving cybersecurity that support smart grid interoperability and had issued a first version of a cybersecurity guideline.\16\ NIST's cybersecurity guidelines largely addressed key cybersecurity elements, such as assessment of cybersecurity risks and identification of security requirements (i.e., controls); however, its guidelines did not address an important element essential to securing smart grid systems--the risk of attacks using both cyber and physical means.\17\ NIST officials said that they intended to update the guidelines to address this and other missing elements they identified, but their plan and schedule for doing so were still in draft form. We recommended that NIST finalize its plan and schedule for incorporating missing elements, and NIST officials agreed. We are currently working with officials to determine the status of their efforts to address these recommendations.
---------------------------------------------------------------------------
\15\ GAO-11-117.
\16\ NIST Special Publication 1108, NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0, January 2010 and NIST Interagency Report 7628, Guidelines for Smart Grid Cyber Security, August 2010.
\17\ GAO-11-117.
---------------------------------------------------------------------------
FERC also has taken several actions to help secure the electricity grid. For example, it reviewed and approved NERC's eight critical infrastructure protection standards in 2008. Since then, in its role of overseeing the development of reliability standards, the commission has directed NERC to make numerous changes to standards to improve cybersecurity protections. However, according to the FERC Chairman's February 2012 letter in response to our report on electricity grid modernization, many of the outstanding directives have not been incorporated into the latest versions of the standards. The Chairman added that the commission would continue to work with NERC to incorporate the directives. In addition, FERC has authorized NERC to enforce mandatory reliability standards for the bulk power system, while retaining its authority to enforce the same standards and assess penalties for violations.

We reported in January 2011 that FERC also had begun reviewing initial smart grid standards identified as part of NIST efforts. However, in July 2011, the commission declined to adopt the initial smart grid standards identified as a part of the NIST efforts, finding that there was insufficient consensus to do so.

The Department of Homeland Security has been designated by federal policy as the principal federal agency to lead, integrate, and coordinate the implementation of efforts to protect cyber-critical infrastructures and key resources.
Under this role, the Department's National Cyber Security Division's Control Systems Security Program has issued recommended practices to reduce risks to industrial control systems within and across all critical infrastructure and key resources sectors, including the electricity subsector. For example, in April 2011, the program issued the Catalog of Control Systems Security: Recommendations for Standards Developers, which is intended to provide a detailed listing of recommended controls from several standards related to control systems.\18\ The program also manages and operates the Industrial Control Systems Cyber Emergency Response Team to respond to and analyze control-systems-related incidents, provide onsite support for incident response and forensic analysis, provide situational awareness in the form of actionable intelligence, and share and coordinate vulnerability information and threat analysis through information products and alerts. For example, it reported providing on-site assistance to six companies in the electricity subsector, including a bulk electric power provider and multiple electric utilities, during 2009-2011.
---------------------------------------------------------------------------
\18\ DHS, National Cyber Security Division, Control Systems Security Program, Catalog of Control Systems Security: Recommendations for Standards Developers (April 2011).
---------------------------------------------------------------------------
The Department of Energy is the lead federal agency responsible for coordinating critical infrastructure protection efforts with the public and private stakeholders in the energy sector, including the electricity subsector.
In this regard, we have reported that officials from the Department's Office of Electricity Delivery and Energy Reliability stated that the department was involved in efforts to assist the electricity sector in the development, assessment, and sharing of cybersecurity standards.\19\ For example, the department was working with NIST to enable state power producers to use current cybersecurity guidance. In May 2012, the department released the Electricity Subsector Cybersecurity Risk Management Process.\20\ The guideline is intended to ensure that cybersecurity risks for the electric grid are addressed at the organization, mission or business process, and information system levels. We have not evaluated this guide.
---------------------------------------------------------------------------
\19\ GAO-12-92.
\20\ U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003 (Washington, D.C.: May 2012).
---------------------------------------------------------------------------

challenges to securing electricity systems and networks

In our January 2011 report, we identified a number of key challenges that industry and government stakeholders faced in ensuring the cybersecurity of the systems and networks that support our nation's electricity grid.\21\ These included the following:
---------------------------------------------------------------------------
\21\ GAO-11-117.
---------------------------------------------------------------------------
There was a lack of a coordinated approach to monitor whether industry follows voluntary standards.--As mentioned above, under the Energy Independence and Security Act of 2007, FERC is responsible for adopting cybersecurity and other standards that it deems necessary to ensure smart grid functionality and interoperability. However, FERC had not developed an approach coordinated with other regulators to monitor, at a high level, the extent to which industry will follow the voluntary smart grid standards it adopts.
There had been initial efforts by regulators to share views, through, for example, a collaborative dialogue between FERC and the National Association of Regulatory Utility Commissioners, which had discussed the standards-setting process in general terms. Nevertheless, according to officials from FERC and the National Association of Regulatory Utility Commissioners, FERC and the state public utility commissions had not established a joint approach for monitoring how widely voluntary smart grid standards are followed in the electricity industry or developed strategies for addressing any gaps. Moreover, FERC had not coordinated in such a way with groups representing public power or cooperative utilities, which are not routinely subject to FERC's or the states' regulatory jurisdiction for rate setting. We noted that without a good understanding of whether utilities and manufacturers are following smart grid standards, it would be difficult for FERC and other regulators to know whether a voluntary approach to standards setting is effective or if changes are needed.\22\
---------------------------------------------------------------------------
\22\ In an order issued on July 19, 2011, FERC reported that it had found insufficient consensus to institute a rulemaking proceeding to adopt smart grid interoperability standards identified by NIST as ready for consideration by regulatory authorities. While FERC dismissed the rulemaking, it encouraged utilities, smart grid product manufacturers, regulators, and other smart grid stakeholders to actively participate in the NIST interoperability framework process to work on the development of interoperability standards and to refer to that process for guidance on smart grid standards. Despite this result, we believe our recommendations to FERC in GAO-11-117, with which FERC concurred, remain valid and should be acted upon as consensus is reached and standards adopted.
---------------------------------------------------------------------------

Aspects of the current regulatory environment made it difficult to ensure the cybersecurity of smart grid systems.--In particular, jurisdictional issues and the difficulties associated with responding to continually evolving cyber threats were a key regulatory challenge to ensuring the cybersecurity of smart grid systems as they are deployed. Regarding jurisdiction, experts we spoke with expressed concern that there was a lack of clarity about the division of responsibility between federal and state regulators, particularly regarding cybersecurity. While jurisdictional responsibility has historically been determined by whether a technology is located on the transmission or distribution system, experts raised concerns that smart grid technology may blur these lines. For example, devices such as smart meters deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on those parts of the grid that federal regulators are responsible for--namely the reliability of the transmission system.

There was also concern about the ability of regulatory bodies to respond to evolving cybersecurity threats. For example, one expert questioned the ability of government agencies to adapt to rapidly evolving threats, while another highlighted the need for regulations to be capable of responding to the evolving cybersecurity issues. In addition, our experts expressed concern with agencies developing regulations in the future that are overly specific in their requirements, such as those specifying the use of a particular product or technology. Consequently, unless steps are taken to mitigate these challenges, regulations may not be fully effective in protecting smart grid technology from cybersecurity threats.
Utilities were focusing on regulatory compliance instead of comprehensive security.--The existing federal and state regulatory environment creates a culture within the utility industry of focusing on compliance with cybersecurity requirements, instead of a culture focused on achieving comprehensive and effective cybersecurity. Specifically, experts told us that utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security. In addition, one expert stated that security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber attack. Consequently, without a comprehensive approach to security, utilities leave themselves open to unnecessary risk.

There was a lack of security features built into smart grid systems.--Security features are not consistently built into smart grid devices. For example, experts told us that certain currently available smart meters had not been designed with a strong security architecture and lacked important security features, including event logging\23\ and forensics capabilities that are needed to detect and analyze attacks. In addition, our experts stated that smart grid home area networks--used for managing the electricity usage of appliances and other devices in the home--did not have adequate security built in, thus increasing their vulnerability to attack. Without securely designed smart grid systems, utilities may lack the capability to detect and analyze attacks, increasing the risk that attacks will succeed and utilities will be unable to prevent them from recurring.
---------------------------------------------------------------------------
\23\ Event logging is a capability of an IT system to record events occurring within an organization's systems and networks, including those related to computer security.
---------------------------------------------------------------------------

The electricity industry did not have an effective mechanism for sharing information on cybersecurity and other issues.--The electricity industry lacked an effective mechanism to disclose information about cybersecurity vulnerabilities, incidents, threats, lessons learned, and best practices in the industry. For example, our experts stated that while the electricity industry has an information sharing center, it did not fully address these information needs. In addition, President Obama's May 2009 cyberspace policy review also identified challenges related to cybersecurity information sharing within the electric and other critical infrastructure sectors and issued recommendations to address them.\24\ According to our experts, information regarding incidents such as both unsuccessful and successful attacks must be able to be shared in a safe and secure way to avoid publicly revealing the reported organization and penalizing entities actively engaged in corrective action. Such information sharing across the industry could provide important information regarding the level of attempted cyber attacks and their methods, which could help grid operators better defend against them. If the industry pursued this end, it could draw upon the practices and approaches of other industries when designing an industry-led approach to cybersecurity information sharing. Without quality processes for information sharing, utilities will not have the information needed to adequately protect their assets against attackers.
---------------------------------------------------------------------------
\24\ The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (Washington, D.C.: May 29, 2009).
---------------------------------------------------------------------------

The electricity industry did not have metrics for evaluating cybersecurity.--The electricity industry was also challenged by a lack of cybersecurity metrics, making it difficult to measure the extent to which investments in cybersecurity improve the security of smart grid systems. Experts noted that while such metrics\25\ are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combine to make the most secure system. Furthermore, our experts said that having metrics would help utilities develop a business case for cybersecurity by helping to show the return on a particular investment. Until such metrics are developed, there is increased risk that utilities will not invest in security in a cost-effective manner, or have the information needed to make informed decisions on their cybersecurity investments.

---------------------------------------------------------------------------
\25\ Metrics can be used for, among other things, measuring the effectiveness of cybersecurity controls for detecting and blocking cyber attacks.
---------------------------------------------------------------------------

To address these challenges, we made recommendations in our January 2011 report. To improve coordination among regulators and help Congress better assess the effectiveness of the voluntary smart grid standards process, we recommended that the Chairman of FERC develop an approach to coordinate with state regulators and with groups that represent utilities subject to less FERC and state regulation to (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards and (2) develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation.
We also recommended that FERC, working with NERC as appropriate, assess whether commission efforts should address any of the cybersecurity challenges identified in our report. FERC agreed with these recommendations.

Although FERC agreed with these recommendations, they have not yet been implemented. According to the FERC Chairman, given the continuing evolution of standards and the lack of sufficient consensus for regulatory adoption, commission staff believe that coordinated monitoring of compliance with standards would be premature at this time, and that this may change as new standards are developed and deployed in industry. We believe that it is still important for FERC to improve coordination among regulators and that consensus is reached on standards. We will continue to monitor the status of its efforts to address these recommendations.

In summary, the evolving and growing threat from cyber-based attacks highlights the importance of securing the electricity industry's systems and networks. A successful attack could result in widespread power outages, significant monetary costs, damage to property, and loss of life. The roles of NERC and FERC remain critical in approving and disseminating cybersecurity guidance and enforcing standards, as appropriate. Moreover, more needs to be done to meet challenges facing the industry in enhancing security, particularly as the generation, transmission, and distribution of electricity comes to rely more on emerging and sophisticated technology.

Chairman Bingaman, Ranking Member Murkowski, and Members of the Committee, this concludes my statement. I would be happy to answer any questions you may have at this time.

appendix i: related gao products

Cybersecurity: Threats Impacting the Nation. GAO-12-666T. Washington, D.C.: April 24, 2012.
Cybersecurity: Challenges in Securing the Modernized Electricity Grid. GAO-12-507T. Washington, D.C.: February 28, 2012.
Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C.: December 9, 2011.
High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February 2011.
Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed. GAO-11-117. Washington, D.C.: January 12, 2011.
Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.
Critical Infrastructure Protection: Key Private and Public Cyber Expectations Need to Be Consistently Addressed. GAO-10-628. Washington, D.C.: July 15, 2010.
Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2, 2010.
Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats. GAO-10-834T. Washington, D.C.: June 16, 2010.
Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience. GAO-10-296. Washington, D.C.: March 5, 2010.
Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative. GAO-10-338. Washington, D.C.: March 5, 2010.
Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats. GAO-10-230T. Washington, D.C.: November 17, 2009.
Defense Critical Infrastructure: Actions Needed to Improve the Identification and Management of Electrical Power Risks and Vulnerabilities to DOD Critical Assets. GAO-10-147. Washington, D.C.: October 23, 2009.
Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment. GAO-09-969. Washington, D.C.: September 24, 2009.
National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture. GAO-09-432T. Washington, D.C.: March 10, 2009.
Electricity Restructuring: FERC Could Take Additional Steps to Analyze Regional Transmission Organizations' Benefits and Performance. GAO-08-987. Washington, D.C.: September 22, 2008.
Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-07-1036. Washington, D.C.: September 10, 2007.
Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats. GAO-07-705. Washington, D.C.: June 22, 2007.
Meeting Energy Demand in the 21st Century: Many Challenges and Key Questions. GAO-05-414T. Washington, D.C.: March 16, 2005.

The Chairman. Thank you very much. Mr. Cauley.

STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Mr. Cauley. Thank you, and good morning, Chairman Bingaman, and Ranking Member Murkowski, and members of the committee, and fellow panelists. My name is Gerry Cauley. I am the President and CEO of the North American Electric Reliability Corporation.

When we go about our business for reliability and security of the power grid, we think, first, of the customers and ratepayers and citizens that we serve. When I do that, we think about 4 principles. First of all, focus on really big important reliability problems, find solutions, and fix them. Second, we apply principles of using risk-based approaches to make sure that we are prioritizing effectively and that we are coming up with cost-effective solutions. Third, we focus on the learning industry. So, we are continually adapting and developing reliability solutions and learning from experience. Finally, we hold the industry accountable, as well as ourselves, to produce reliability results.
This approach works really well in conventional risks, such as storm outages, equipment failures, human factors, errors, and those kinds of things. I think the approach also works well in the arena of cyber and physical security. One of the big differences, however, in security is we are often challenged by the lack of information, and this is where, in cyber, the partnership between industry and Government, in terms of information sharing, to help us understand those risks and be able to adapt to them, is very important.

So, our strategy for security recognizes that a perfect defense against the bad guys is not achievable nor necessarily affordable. So what we have to do is combine defense strategies, such as through our standards, as well as resilience, and adapting and enhancing the existing resilience of the bulk power system.

So, our strategy includes several activities. The first is in the--having a base set of standards that ensure the protection of the grid. We promote and are involved in active information sharing between industry and Government, and among industry, and among critical infrastructure sectors. We are focused on training and exercising and testing our ability to perform well under security challenges. We are continually assessing the reliability and security of the system, looking at emerging issues and emerging threats. We are working with Government agencies to develop solutions for security and also addressing cross-sector dependencies.

I did previously testify in front of the committee in May 2011, and I would just like to briefly review some of the changes and some of the activities that we have completed since that time.

First, in the area of standards--and I appreciate the Chairman pointing out that the electric power industry and the nuclear power industries are the only two critical infrastructures that do have mandatory standards and enforceable standards that are in place and that are working.
It was mentioned that we--the Commission just recently approved version 4, which includes a bright-line criteria, in terms of which facilities are required to be included within those standards. We are currently working on what I believe will be a plateau of security for us in version 5, where we are adopting NIST's risk controls into our standards, and we will have those completed and filed with the Commission by the end of the first quarter in 2013.

In addition to the standards, we also have a very rigorous program on compliance. Since 2008, we have conducted over 500 audits of individual companies, sending teams onsite, finding various findings and recommendations and things that need to be corrected. We also have the industry under a very aggressive program to monitor the remediation of those issues.

A third area is in the area of information sharing and analysis. This is our way of addressing near-term issues and risks that emerge continuously. There is a parallel that--if you look at--Microsoft essentially publishes on the second Tuesday of each month for patches and vulnerabilities that have been identified over the previous month. That is essentially an approach that we need to take in terms of emerging risks and threats that come in that might be--need to be addressed on a matter of hours or days.

We use our information sharing process, issue alerts. We were able to get an agreement signed with Homeland Security to gain us access to the National Cybersecurity and Communications Integration Center, the NCCIC, and we have a secure portal up and running that allows the sharing of information. We have got over 500 companies that are actively engaging, in terms of posting and using that information. Our alerts that we're able to issue go to all 1,900 companies that are affected by the bulk power system.

Another area where we work actively is in the area of partnering with Federal partners.
We have developed best practices guidelines, based on NIS practices with Department of Energy. We also worked on the White House Initiative to develop a risk management maturity model, and we recently issued 4 reports on resilience, severe cyber attack, and GMD.

So, in conclusion, I think our framework of standards, information sharing, and partnering with Government is the approach that will be most successful in cybersecurity.

Thank you.

[The prepared statement of Mr. Cauley follows:]

Prepared Statement of Gerry Cauley, President and Chief Executive Officer, North American Electric Reliability Corporation

introduction

Good morning Chairman Bingaman, Ranking Member Murkowski, members of the Committee and fellow panelists. My name is Gerry Cauley and I am the President and CEO of the North American Electric Reliability Corporation (NERC). NERC was designated the Electric Reliability Organization (ERO) by the Federal Energy Regulatory Commission (FERC) in accordance with Section 215 of the Federal Power Act (FPA), enacted by the Energy Policy Act of 2005. NERC's reliability standards are mandatory and enforceable within the US for the bulk power system and include Critical Infrastructure Protection (CIP) Standards. To date, these standards (and those promulgated by the Nuclear Regulatory Commission) are the only mandatory cybersecurity standards in place across the critical infrastructures of the United States. NERC's mission is to ensure the reliability of the bulk power system of North America and promote reliability excellence with accountability for standards and compliance, risks to reliability and continued coordination and collaboration with public and private sector partners.

I testified on this subject before this Committee in May 2011, and I appreciate the opportunity to update the Committee on NERC's activities related to cybersecurity. These activities include, but are not limited to:

1. Receiving FERC approval of NERC's Critical Cyber Asset Identification standards (CIP-002 version 4);
2. Beginning work on a comprehensive revision to the cybersecurity standards, leveraging lessons learned from previous versions;
3. Issuing eight additional alerts related to cybersecurity concerns;
4. Developing a risk management process guideline to help utilities better understand their cybersecurity risks, assess severity, and allocate resources more efficiently to manage those risks;
5. Completing the first phase of the High-Impact Low-Frequency Task Force reports identifying recommendations for owners and operators with respect to addressing severe impact resilience, cyber attacks, spare equipment, and geomagnetic disruptions;
6. Facilitating the first-ever Grid Security Exercise (GridEx) for the Electricity Sub-sector in North America; and
7. Participating in government partnership initiatives, including the Department of Homeland Security's (DHS) National Level Exercise series and various cybersecurity forums and briefings with Canadian government agencies, as well as the White House-initiated, Department of Energy (DOE)-led Electricity Sub-sector Cybersecurity Risk Management Maturity Model, which will support ongoing development and measurement of cybersecurity capabilities within the sub-sector.

the cybersecurity challenge for the grid

As a result of society's growing dependence on electricity, the electric grid is one of the Nation's most critical infrastructures. The bulk power system in North America is one of the largest, most complex, and most robust systems ever created. As CEO of the organization charged with ensuring the reliability and security of the North American grid, I remain deeply concerned about the changing risk landscape from conventional risks, such as extreme weather and equipment failures, to new and emerging risks where we are left to imagine scenarios that might occur and prepare to avoid or mitigate the consequences.
Some of those consequences could be much more severe than we have previously experienced. I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures. These threats differ from conventional risks in that they result from intentional actions by adversaries and are not simply random failures or acts of nature.

To explore the impacts of this changing risk landscape from the view of the newer emerging risks, NERC has worked with industry and government to better understand cybersecurity risks and manage those risks. Based on all of the work NERC has been involved in to date, it is clear that the most effective approach against adversaries exploiting the newer risk landscape is through thoughtful application of resiliency principles. Resiliency requires proactive readiness for whatever may come our way and includes robustness; the ability to minimize consequences in real-time; the ability to restore essential services; and the ability to adapt and learn.

nerc measures to address cybersecurity threats and vulnerabilities

NERC has incorporated these resiliency elements in our strategic approach to ensuring reliability of the bulk power system. This strategic approach includes:

1) developing mandatory and enforceable standards;
2) ensuring compliance and audit oversight;
3) sharing and analyzing information and issuing Alerts from the Electricity Sector Information Sharing and Analysis Center (ES-ISAC);
4) engaging in private-public partnerships; and
5) conducting outreach, training, and education activities within and external to the bulk power system.

Only through these critical infrastructure protection components can we achieve a balanced approach to guard against advanced persistent threats to grid cybersecurity and mitigate vulnerabilities.
reliability standards

In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC's approval, NERC's reliability standards became mandatory within the US. These mandatory reliability standards include CIP Standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid. To date, these standards (and those promulgated by the Nuclear Regulatory Commission) are the only mandatory cybersecurity standards in place across the critical infrastructures of the US. Subject to FERC oversight, NERC and its Regional Entity partners enforce these standards, developed with substantial input from industry and approved by FERC, to accomplish our mission to ensure the reliability of the electric grid.

NERC's nine mandatory CIP standards address the following areas:

Standard CIP-001: Covers Sabotage Reporting.
Standard CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System.
Standard CIP-003: Requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
Standard CIP-004: Requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.
Standard CIP-005: Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
Standard CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets.
Standard CIP-007: Requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).
Standard CIP-008: Ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.
Standard CIP-009: Ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

In December 2010, NERC approved an enhancement to its Critical Cyber Asset Identification standard (CIP-002 version 4) that establishes bright-line criteria for the identification of critical assets. This enhanced standard was filed with the Federal Energy Regulatory Commission (FERC) in February 2011, and FERC approved the standard on April 19, 2012. The implementation of the CIP standards under the bright-line approach is currently underway.

In addition, industry is currently developing a comprehensive revision to the cybersecurity Standards. The revision leverages experience with existing CIP standards to enhance the industry's protections against cyber threats and vulnerabilities, including transitioning the classification of critical assets to a ``low-medium-high'' impact-based system. The revised CIP standards will also provide greater flexibility in implementing solutions to emerging cyber threats. The revised CIP standards have been improved to remove technology-specific requirements by replacing them with a risk-based approach to implementing appropriate and changing technologies. That is, rather than specifying how to implement a requirement, the revised requirements specify the risk-based result that must be achieved, which enables industry to implement new and emerging technologies to address the risk.
NERC can use an emergency standards development process if circumstances warrant. In addition, FERC can order NERC to develop or modify a reliability standard to address a specific matter.\1\ Finally, the NERC Board of Trustees can direct NERC to develop and adopt a standard in response to a FERC directive and timetable if the Board determines that the regular standards process is not sufficiently responsive to the Commission.

---------------------------------------------------------------------------
\1\ FERC can order NERC to develop a proposed reliability standard or a modification to a reliability standard to address a specific matter (such as a cyber threat or vulnerability) under FPA Section 215(d)(5).
---------------------------------------------------------------------------

Under the emergency standards process, FERC has authorized NERC to use an expedited standards development process to meet urgent reliability issues. These special standards can be developed on an expedited, confidential basis to address imminent or longer-term national security threats. NERC has practiced using this expedited, confidential process as part of GridEx.

In addition to developing mandatory reliability standards, NERC supports the ERO's Regional Entities to improve the consistency of compliance program results, improve risk-based approaches for auditing and spot checking, and promote a culture of security and compliance through education, transparency, and incentives. Specifically, we conduct audit oversight of the Regional Entities' compliance audit teams during audits of registered entities, and maintain oversight throughout the entire audit process (pre-audit, on-site, and post audit) in accordance with the audit oversight program. During this process, NERC seeks to capture compliance applications, positive observations, lessons learned, and recommendations.
NERC's audit oversights are designed to perform a thorough evaluation of the processes and criteria used by all Regional Entities in their determination of registered entities' compliance with the NERC Reliability Standards, including the CIP Standards.

Compliance with the NERC CIP standards is an important threshold for properly securing the bulk electric system. However, no single security asset, technique, procedure, or standard--even if strictly followed--will protect an entity from all potential cyber threats. The cybersecurity threat environment is constantly changing and our defenses must keep pace. Security best-practices call for additional processes, procedures, and technologies beyond those required by the CIP standards.

the es-isac and nerc alerts

Not all vulnerabilities can or should be addressed through a reliability standard. In such cases, NERC Alerts are a key element in critical infrastructure protection. To address cyber challenges not covered under the CIP Standards, NERC works through its ES-ISAC to inform the industry and recommend mitigation actions. The ES-ISAC gathers information from disparate electric industry participants about security-related events, disturbances, and off-normal occurrences within the Electricity Sub-sector and shares that information with key governmental entities. In turn, these governmental entities provide the ES-ISAC with information regarding risks, threats, and warnings which the ES-ISAC is then responsible for disseminating throughout the Electricity Sub-sector. The two functions that the ES-ISAC supports, information sharing and analytics, are vitally important to all other critical infrastructures and key resource sectors that have active ISACs. Effective collaboration and communication is essential to addressing infrastructure protection and resilience within each sector, as well as the important interdependencies that exist among sectors.
NERC staff with appropriate security clearances often work with cleared personnel from Federal agencies to communicate unclassified sensitive information to the industry. As defined in NERC's Rules of Procedure, the ES-ISAC developed the following three levels of Alerts for formal notice to industry regarding security issues:

Industry Advisory.--Purely informational, intended to alert registered entities to issues or potential problems. A response to NERC is not necessary.

Recommendation to Industry.--Recommends specific action be taken by registered entities. Requires a response from recipients as defined in the Alert.

Essential Action.--Identifies actions deemed to be ``essential'' to bulk power system reliability and requires NERC Board of Trustees approval prior to issuance. Like recommendations, essential actions require recipients to respond as defined in the Alert.

The risk to the bulk power system determines selection of the appropriate Alert notification level. Generally, NERC distributes Alerts broadly to users, owners, and operators of the bulk power system in North America utilizing its Compliance Registry. Entities registered with NERC are required to provide and maintain up-to-date compliance and cyber security contacts. NERC also distributes the Alerts beyond the users, owners and operators of the bulk power system, to include other electricity industry participants who need the information. Alerts may also be targeted to groups of entities based on their NERC-registered functions (e.g., Balancing Authorities, Transmission Operators, Generation Owners, etc.). Alerts are developed with the strong partnership of Federal technical organizations, including DHS and DOE National Laboratories, and bulk power system subject matter experts, called the HYDRA team.

NERC has issued 22 CIP-related Alerts since January 2010 (20 Industry Advisories and two Recommendations to Industry).
Those Alerts covered items such as Aurora, Stuxnet, Night Dragon, and the reporting of suspicious activity. Responses to Alerts and mitigation efforts are identified and tracked, with follow-up provided to individual owners and operators and key stakeholders. In addition, NERC released one Joint Product CIP Awareness Bulletin in collaboration with DOE, DHS and the Federal Bureau of Investigation (FBI) titled, ``Remote Access Attacks: Advanced Attackers Compromise Virtual Private Networks (VPN).''

The NERC Alert system is working well. It is known by industry, handles confidential information, and does so in an expedited manner. The information needed to develop the Alert is managed in a confidential and expedited manner and does not require a NERC balloting process.

Information sharing through the ES-ISAC is the greatest asset we have to combat emerging threats to cybersecurity and help ensure the reliability of the bulk power system. As a result, NERC has been enhancing the ES-ISAC's capabilities by building out a private, secure portal to receive voluntary reports from industry members and working with various organizations (both industry and government) to obtain the data and mechanisms necessary to conduct these information sharing activities. Anything Congress can do to further facilitate information sharing between the public and private sector would add greatly to these efforts. Some actions may include: making more clearances available to industry, identifying alternative methods to communicate classified information to our Canadian partners, and encouraging increased information sharing by US Government departments and agencies with asset-owners.

nerc's public-private partnerships to enhance grid cybersecurity

As mentioned, NERC has developed several strong relationships with industry and government entities.
As chair of the Electricity Sub-sector Coordinating Council (ESCC), I work with industry CEOs and our partners within the government, including the Department of Defense, DOE, and DHS, to identify, discuss, and resolve critical infrastructure protection policy, process, and resource issues. This type of public-private partnership is essential to effective cybersecurity protection by facilitating information sharing about cyber-related vulnerabilities and threats.

Last year, NERC signed a Cooperative Research and Development Agreement with DHS that provides ES-ISAC staff with access to DHS' National Cybersecurity and Communications Integration Center (NCCIC). Access to the classified NCCIC facilitates a significantly improved bi-directional sharing of critical infrastructure protection information between the US government and the Electricity Sub-sector in North America. NERC has also recently established a protected communications corridor for the ES-ISAC in part to facilitate this bi-directional information sharing between the DHS NCCIC and BPS entities.

NERC also provides leadership to three significant DHS-affiliated public-private partnerships.
These groups are:

Partnership for Critical Infrastructure Security, the senior-most policy coordination group between public and private sector organizations comprised of the chairs or co-chairs of all 18 critical infrastructure and key resources sectors and their Government Coordinating Council counterparts;

Cross-Sector Cyber Security Working Group, which was established to coordinate cross-sector initiatives that promote public and private efforts to help ensure secure, safe, and reliable critical infrastructure services; and

Industrial Control Systems Joint Working Group, which is a cross-sector industrial control systems working group that focuses on the areas of education, cross-sector strategic roadmap development, and coordinated efforts to develop better vendor focus on security needs for industrial control systems.

NERC also collaborates with the Industrial Control Systems Cyber Emergency Response Team to share threat, vulnerability, and security incident information.

As part of NERC's outreach and awareness efforts to engage industry and government in addressing some of the key cybersecurity challenges we face, NERC facilitated the first-ever Grid Security Exercise (GridEx) for the Electricity Sub-sector in North America. This distributed play exercise, which was held in November 2011, was designed to validate the readiness of the Electricity Sub-sector to respond to a cyber incident, strengthen utilities' crisis response functions, and provide input for internal security program improvements. Seventy-five industry and government organizations from the US and Canada participated in GridEx. BPS entities included generation and transmission owners, reliability coordinators, independent system operators, and balancing authorities. Key government agencies, such as DHS, FBI, and DOE, were also heavily involved. GridEx provided a realistic environment for organizations to assess their cyber response capabilities.
The biennial exercise was viewed across industry and government as a training success in preparing the BPS for a disruptive security event. NERC issued a final report in March 2012, and is applying the GridEx recommendations to further strengthen the bulk power system's preparedness and response mechanisms.

Given the heightened awareness of security in the Electricity Sub-sector, NERC hosts an annual Grid Security Conference (GridSecCon) to discuss emerging threats, industry best practices, and provide cutting edge training to the industry. NERC will again host this conference in October 2012, and will bring together cyber and physical security thought leaders from government and industry to discuss securing industrial control systems, social engineering attacks, and security event response management, among other topics.

conclusion

As outlined today, NERC has many tools available, including critical infrastructure protection standards and processes and the ES-ISAC, to address imminent and non-imminent threats and vulnerabilities. We work with multiple government, industry, and consumer partners to support a coordinated comprehensive effort to address cybersecurity. We appreciate this opportunity to discuss NERC's activities on cybersecurity with the committee related to cybersecurity protection of the grid.

The Chairman. Thank you very much. Mr. Snitchler, go right ahead.

STATEMENT OF TODD A. SNITCHLER, CHAIRMAN, PUBLIC UTILITIES COMMISSION OF OHIO

Mr. Snitchler. Good morning. Chairman Bingaman, Ranking Member Murkowski, and members of the committee, I want to thank you for the opportunity to appear before you today as we examine the status of actions taken to ensure that the electric grid is protected from cyber attacks. My name is Todd Snitchler, and I am the Chairman of the Public Utilities Commission of Ohio.
Our State agency is responsible for assuring residential and business customers access to adequate, safe, and reliable utility service at fair prices, ensuring the financial integrity and service reliability of the Ohio utility industry and, among other things, promoting utility infrastructure investments, including investments in IT infrastructure. I am pleased to have the opportunity to discuss cybersecurity issues for the electric grid; because, often times, we take that grid for granted. Should Congress decide to pass legislation on cybersecurity, however, it is my view that we must distinguish between imminent threats, which require immediate action, and vulnerabilities, which can be addressed and resolved more deliberately. Particularly, regarding the electricity grid, one-size solutions for cybersecurity may not be the most effective means to mitigate and reduce known vulnerabilities. Additionally, the desired outcome from such legislation should be the establishment of a foundation that contemplates 4 basic considerations. First, we need to protect diamonds like diamonds and apples like apples. That is, we must prioritize accordingly to ensure that the appropriate level of security is provided to all areas that require protection. Second, States and the owners of critical infrastructure that we regulate cannot protect the infrastructure to the maximum extent possible, unless the relevant Federal agencies provide the actionable information necessary to identify and address the threat or vulnerability. In other words, true information sharing between those who have the information and those who need the information to protect their systems. Third, our utilities can provide a gold-plated, or even a platinum-plated, system which is ultra-cyber secure. However, this raises the question of just how much do we want a kilowatt hour of electricity to cost. 
Fourth, preparedness should not focus solely on response capabilities, but should also ensure that resilience is built into the infrastructure. Our Nation's utilities--municipal-, cooperative-, and investor-owned--have done this country proud in responding to the greatest calamities and catastrophes, quickly, and capably restoring power after significant storms, earthquakes, wildfires, or even acts of terrorism.

As a State regulator, my fellow commissioners and I, as well as our staff, have many responsibilities. Some items of significance today are resolved and become less significant down the road, and other items that are less significant today may become an issue of paramount importance in the near future, with a major change, for instance, in weather or technology. This is true for many things, including the provision of electricity in a safe, reliable, and economic fashion.

Just as utilities cannot protect against all threats, neither can they eradicate all susceptibilities. We must recognize there are different parts of these systems that require different levels of protection. This is why we must ensure there is adequate protection of the grid, especially its most valuable parts, while we must not expend undue levels of resources protecting other less important parts of the system.

Another point of consideration that must be recognized is that State agencies, like the PUCO, along with owners of that critical infrastructure, are unable to provide the full measure of protection necessary to help secure the critical infrastructure if the relevant agencies are not providing that actionable information to address imminent threats. State regulators take the reliability and security of the bulk power system very seriously. Through strong, Federal, State, public, and private partnerships, we have consistently maintained and improved reliability and security of the grid. Cybersecurity is an emerging area of risk for our utilities and for State commissions as well.
Although it is unique in some respects, this is not the first time that our State utility systems have faced reliability threats. Through a strong, public-private partnership, we have overcome past risks. It is my belief that this merging of information systems into the electric and other utility sectors will improve the resilience, reliability, and efficiency. Cooperation and acceptance of responsibility is a must. With modern threats becoming apparent to us in the last several years, we understand that our traditional responsibility to ensure reliable service must include the need to ensure security, both physical and cyber.

Over the past several years, State commissions have begun to probe the cyber preparedness of our utility companies in the realm of the smart grid. In concept, the smart grid has the potential to provide many improvements in situational awareness, prevention, management, and restoration. In spite of introducing new weaknesses, smart grid fundamentally makes the electric system more secure. In each of the areas that I have identified in my testimony, steps are being taken to manage the risk. The issue is how much money should be put into this effort when it is virtually impossible to stop all attacks, but vitally important to stop some.

Smart grid poses an additional and particularly thorny policy issue, as well. Through NARUC's collaborative with FERC on smart grid and other activities, State commissions have begun to identify key areas to assure the smart grid investments boast the highest, most sophisticated levels of security. Commissions, therefore, have had to become more expert in our understanding of the prudent smart grid and cybersecurity investments. In Ohio, for instance, an extensive audit was recently performed on one of our utilities that complied with the NISTIR 7628, and industry best practices that were to identify potential areas of improvement were set forth.
This effort was massive and will become a best practices model for other commissions and utilities in their cybersecurity analyses and efforts. My testimony also lists a significant number of activities that have been undertaken by the Ohio Commission, in our effort to become more advanced in our understanding of cybersecurity issues. I also identify several other States, including Pennsylvania, Texas, Missouri, and New York, who are also making active steps to try and increase their understanding, as well.

A long-standing mission of every State public utility is to ensure the physical viability of the utility plant under our supervision. A less traditional responsibility, that of cybersecurity and information systems standards and development, is increasingly being thrust into the mix, and this newer responsibility clearly envelops a broader range of industries and specific expertise. I see that I'm out of time, and the rest of my comments are in our written testimony. Thank you.

[The prepared statement of Mr. Snitchler follows:]

Prepared Statement of Todd A. Snitchler, Chairman, Public Utilities Commission of Ohio

Chairman Bingaman, Ranking Member Murkowski, and Members of the Committee, thank you for this opportunity to appear before you today as you examine the status of action taken to ensure that the electric grid is protected from cyber attacks. My name is Todd Snitchler, and I am the Chairman of the Public Utilities Commission of Ohio (PUCO), the State agency responsible for: assuring residential and business consumers access to adequate, safe, and reliable utility services at fair prices; ensuring financial integrity and service reliability in the Ohio utility industry; promoting utility infrastructure investments (including investments in IT infrastructure); and, related items like fostering of competition, safety, and even mediation responsibilities. I am pleased to have been given this opportunity to discuss cybersecurity issues for the electric grid.
We take for granted the reliability of our nation's grid and we are hyper-sensitive when we lose power because we are not generally accustomed to it--nor should we be. Should Congress decide to pass legislation on cybersecurity, however, it must distinguish between imminent threats, which require immediate action, and vulnerabilities, which can be addressed and resolved more deliberately. Particularly regarding the electric grid, one-size solutions for cybersecurity may not be the most effective means to mitigate and reduce known vulnerabilities. Additionally, the desired outcome for such legislation should be the establishment of a foundation that contemplates at least four basic considerations. First, let us protect diamonds like diamonds and apples like apples. That is, we must prioritize accordingly to ensure that the appropriate level of security is provided to all areas that require protection. Second, States and the owners of the critical infrastructure we regulate cannot protect the infrastructure to the maximum extent possible unless relevant Federal agencies provide the actionable information necessary to identify and address the threat and/or vulnerabilities--in other words true information sharing between those that have critical information (the Federal agencies) and those that need such information to protect their systems. Third, our utilities can provide a ``gold-plated'' or even a ``platinum-plated'' system which is ultra-cyber secure. However, this raises the question of just how much more do we want a kilowatt hour of electricity to cost? While we understand that if the lights are not on it does not matter what the cost of the electricity is, do we really want the critical infrastructure to be so expensive that due to cost constraints it is no longer considered critical? 
Fourth, preparedness should not focus solely on response capabilities, but should also ensure that resilience is built into our infrastructure--our nation's utilities (municipal, cooperative, and investor-owned) have done this country proud in responding to the greatest calamities and catastrophes, quickly and capably restoring power after significant storms, hurricanes, earthquakes, wildfires, and even acts of terrorism. As a State regulator, my fellow Commissioners and I, as well as our Staff, have many responsibilities. Some items of significance today are resolved and become less significant down the road. Other items that are less significant today may become of paramount importance in the near future with a major change in one variable like weather, for instance. This is true for many things, including the provision of electricity in a safe, reliable and economic fashion. Focusing on reliability, there are many factors that impact that aspect--physical infrastructure in place and operational considerations, such as generators, wires, substations, transformers, and meters. Also greatly impacting reliability is equipment failure. Equipment may fail due to its age, its overuse or underuse, physical vulnerabilities, and as we are aware, perhaps due to cyber vulnerabilities. Many of these vulnerabilities have existed and are known, while other weaknesses are more recently being better understood. Just as the electric utilities cannot protect against all threats, neither can they eradicate all susceptibilities. But we must recognize there are different parts of these systems that require different levels of protection. This is why we must ensure that there is adequate protection for the electric grid, especially the most valuable parts, while we must not expend undue levels of resources in protecting other, less important parts of the system. 
Another important point of consideration that must be recognized is that State agencies like the PUCO, along with the owners of our critical infrastructure, are unable to provide the full measures of protection necessary to help secure our nation's critical infrastructure if the relevant Federal agencies do not provide actionable information to address imminent threats. State regulators take the reliability and security of the bulk-power system very seriously. Through strong Federal, State, public, and private partnerships, we have consistently maintained and improved reliability and security of the grid. As times and technologies have changed, new risks and vulnerabilities have emerged. The transition to a smarter, more efficient grid--while full of promise--carries with it unforeseen concerns and unintended consequences. As Congress considers legislation in this area, it should build on existing Federal-State coordination and result in a framework where vulnerabilities to the system are identified, prioritized, and resolved in a timely fashion. However, identification of vulnerabilities is only one part of the main equation; equally, or even more importantly, is a need by the States and especially by the asset owners to recognize the threats to the nation's grid. We hear consistently from asset owners who provide information about their systems to Federal agencies in the spirit of cooperation, all the while seeking reciprocity, yet they never receive truly meaningful, actionable, timely information in return. They cannot protect all of their systems against everything; none of us can. They have to target their defenses and we have to help them understand the actionable threats so that they may bolster their defenses where needed. As with most sectors of the economy, information systems are rapidly merging with utility systems, potentially heightening the risks of service disruption. 
Cybersecurity is an emerging area of risk for our utilities and for State Commissions as well; although it is unique in some respects, this is not the first time our utility systems have faced new reliability threats. Through a strong public-private partnership, we have overcome past risks, and it is my belief that this merging of information systems into the electric and other utility sectors improves their resilience, reliability and efficiency. National security roles and responsibilities have been subject to the purview of Emergency Management Agencies, State Police, and Departments of Homeland Security. However, the lines defining and separating roles in critical infrastructure protection between the Federal government, State agencies, and the private sector owners of critical infrastructure are necessarily overlapping now. Cooperation and acceptance of responsibility is a must. With modern threats becoming apparent to us in the last several years, we understand that our traditional responsibility to ensure reliable service must include the need to ensure security--both physical and cyber. Breaches of security, obviously, can have extremely serious reliability consequences. From my vantage point, State commissions can identify certain key areas of concern about cybersecurity. The first concern focuses on business process systems--email, office computing, databases, etc.--that are not unique to utilities. In fact, commissions in recent years have improved their own security, along with everyone else, as attacks on these systems become more sophisticated and we become more dependent on them for our operations. A second vulnerability is more specific to regulated utilities: control systems. Supervisory Control and Data Acquisition (SCADA) systems have been and remain an inextricable part of utility operations, and have served to improve the efficiency and reliability of our system operations in every system throughout the country. 
In recent years, susceptibilities in these SCADA systems have been repeatedly highlighted.

Over the past several years, State commissions have begun to probe the cyber-preparedness of our utility companies in the realm of smart grid. With tens of billions of dollars in investment on the line, commissions want to know that the investments are not going to introduce new and unmanageable risks. In concept, the smart grid has the potential to provide many improvements in situational awareness, prevention, management, and restoration. In spite of introducing new weaknesses, smart grid fundamentally makes the electric system more secure. Still, this technology brings with it new vulnerabilities and points-of-access to create intentional disruption, which should be taken extremely seriously. ``Guns-gates-and-guards'' analogs of password protection and ``security through obscurity'' must be augmented with a framework of maximum system resilience and next-generation safeguards that allow the network to be impregnable, even if devices connected to it are compromised.

In each of these areas, steps are being taken to manage the risk. The regulated companies that we oversee, through the North American Electric Reliability Corporation (NERC), are continuously in a process of developing and updating standards for cybersecurity that we believe are a good step in the right direction for SCADA and business process systems. NERC, for example, has adopted a cyber-security standard for the bulk electric system. NERC's cybersecurity (``CIP'') standards are extensive and thorough. Over the past five years electric utilities across the country have requested significant additional staffing and dollars for CIP standard compliance activities in their transmission rate case filings at FERC. The CIP standards already in place are adequate for both physical security and cyber-security.
However, extending the applicability of those standards to lower voltage facilities raises the question of how much more we are willing to pay for a marginal increase in cybersecurity. The issue of how much more money should be put into this effort when it is virtually impossible to stop some cyber attacks (e.g., hackers getting into the Pentagon's computer system) needs to be addressed.

Smart grid poses an additional, and particularly thorny, policy issue as well. Through NARUC's collaborative with FERC on smart grid and through other activities, State commissions have also begun to identify key areas to assure that smart grid investments boast the highest, most sophisticated levels of security. Recent Federal funding support for smart-grid investments has incentivized the deployment of hardware in advance of the development of standards for cybersecurity, among other issues. Commissions may be confronted with expenditures on cybersecurity for which no specific standard has yet been reached. This draws commissions into specific areas of review in order to determine the prudence of expenditures--a review that would be unnecessary if the expenditure would be made in compliance with recognized standards. Commissions, therefore, have had to become more expert in their understanding of prudent smart grid and cybersecurity investments.

Because we are driven by our obligation to assure the reliability of service for our ratepayers, we must better understand the prudence of the costs in ensuring reliability (including expenditures for cyber-security) that goes into their rates. As a result, our agency has expended significant time and resources to become better educated regarding cybersecurity. Over the past several years, as the electric industry aptitude has grown regarding cybersecurity, so too has that knowledge base grown across State commissions.
In Ohio, for instance, regarding the smart grid discussion above, an extensive audit was conducted to assess the degree to which Duke Energy Ohio's Smart Grid system complied with the NISTIR 7628 and industry best practices and identify potential areas of improvement, which was a precursor to the action items in the stipulation. An internal audit was also provided during the audit and included penetration testing on a number of Smart Grid assets. An extension stipulation was reached regarding Duke's cybersecurity plan and the implementation of that plan, including the role of the Commission. This effort was massive and will become a best practices model for other commissions and utilities in their cybersecurity analyses and efforts. We have been very involved in the NIST's and now the Smart Grid Interoperability Panel's (or SGIP's) Cyber Security Working Group. My agency has been very active in pursuing cybersecurity training opportunities with Idaho National Labs, NIST & NIST's ITL Computer Security Division, the SGIP, EnerNex, NERC's Grid Security Conference, and others, as well as participating in the development of the initial NIST-IR 7628, the most recent version being a multi-volume compendium of Smart Grid Cyber Security Strategy and Requirements. We have actively participated in the National Association of Regulatory Utility Commissioners (NARUC) Cybersecurity Boot Camps. Additionally, our Staff participates in two different sets of regular, twice-monthly conference calls with our colleagues from across the country. These calls address critical infrastructure protection issues, cybersecurity issues for utilities, as well as smart grid development and implementation issues. Our Staff participates in monthly threat briefings for both the electric sector as well as the oil and natural gas sector. Also, our Staff regularly participates in weekly briefings with Ohio Homeland Security. 
Through this partnership, our agency has a permanent seat at the State of Ohio's Strategic Analysis and Information Center (or SAIC), just as it does in our State of Ohio Emergency Operations Center. Presently, the State of Ohio has developed a Statewide Cybersecurity Strategy and our Staff has been actively engaged in both the development as well as the on-going implementation of that strategy. Over a year ago, my agency conducted a cybersecurity workshop for our utilities as well as for our State and Federal partners. Leading part of that workshop was a representative from the U.S. Department of Energy's Cybersecurity for Energy Delivery Systems program. Also participating was Ohio's Homeland Security Advisor, as well as representatives from the cyber squads from both of the FBI divisions in Ohio. In addition, the two U.S. Department of Homeland Security (DHS) Protective Security Advisors stationed in and serving Ohio addressed not only their physical protective security program, but also DHS's cybersecurity advisor program and the related cyber resources and tools available from DHS for asset owners. Our efforts in strengthening the cybersecurity posture of Ohio's utilities continue. Ohio also has one of the premier military bases in the country-- Wright-Patterson Air Force Base. Located in the south-western portion of the state, this base employs a significant number of personnel and performs mission-critical work for the Department of Defense. My agency has worked with this base in the past, and will do so in the future, to ensure that it has what it needs to accomplish its objectives. While I am not an expert on what other States are doing with regard to cybersecurity, I am aware of a few examples of activity that State commissions have engaged in, to ensure that companies are focused on this issue. In most instances these activities are coordinated with other State agencies that also have a jurisdictional responsibility for safety and/or security. 
Since 2005, the Pennsylvania Public Utility Commission has required all jurisdictional utilities to have a written cyber security plan to complement their emergency response, business continuity and physical security protocols, each of which are tested on an ongoing basis. The Pennsylvania PUC has issued orders on cybersecurity in reaction to media reports of grid infiltration by international hackers. Pennsylvania also issued a secretarial letter to its utilities encouraging them to be active in the NIST Standards development process by reviewing and commenting on the NIST Framework and the Cyber Security Coordination Task Group documents and to participate in various related working groups. Pennsylvania has also incorporated cyber-security review in its management audits process. Pennsylvania performs management and efficiency audits at least once every five years on all electric, gas, and water utilities with over $10 million of plant in service. Another State taking action is Missouri. Missouri requires all of its utilities to have in place reliability plans and has queried its utilities about steps taken or planned regarding cybersecurity as it relates to company operations. The Missouri Commission required the utilities to furnish Staff with a verified statement affirming whether the company is in compliance with NERC Order No. 706 or what remedial actions are to be taken and how long it will take the company to become compliant. The Commission also asked what other organizations, groups, industry groups or other organizations these companies participate with, such as local FBI or State agencies, regarding security issues. In New York, they are sharing the responsibility for critical infrastructure protection at the Department of Public Service. 
Since 2003, when it was created, the New York State Public Service Commission Office of Utility Security has carried out a regular program of oversight of both physical security and cybersecurity practices and procedures at the regulated utility companies in the energy, telecommunications and water sectors. Staff of this office is devoted full time to this security audit responsibility. Generally, that office utilizes the existing NERC CIP standards as benchmarks to form its own judgments about the quality of cybersecurity measures in place at New York's regulated utilities. Its Staff adheres to a schedule that calls for visiting each regulated electric utility company four times a year to audit compliance with some portion of the CIP standards, with the goal of measuring compliance with all of the standards at each company over the course of a year.

The Public Utility Commission of Texas has established a stakeholder working group (comprised of utilities and ERCOT Staff) designed to work on issues specific to cybersecurity. This effort is led by Texas Commission Staff. The group meets regularly to discuss the cybersecurity assessments performed on Smart Meter Texas, which is the common portal that provides end-user access to energy usage data sourced from the AMI that was deployed by the respective utilities. Each utility is responsible for securing its own AMI and cybersecurity assessments are required of the utilities by rulemaking once deployment of AMI and other smart grid technology is approved. Regulations include requirements for end-to-end assessments, performed independently and annually of the utility system. These results are kept confidential but shared with the Staff. In addition, commission staff participates in the discussions at the ERCOT ISO Critical Infrastructure Protection Working Group (CIPWG), in which NERC CIP issues are discussed.
While this concerns the bulk electric system, other topics related to cybersecurity that are broached include: newly discovered vulnerabilities; emerging threats to critical infrastructure; cybersecurity standards development from outside NERC; mission assurance for the military; and any cybersecurity training opportunities, conferences, workshops, or exercises.

A long-standing mission of State public utility commissions is to ensure the physical viability of the utility plant under their supervision. A less traditional responsibility, that of cybersecurity and information systems standards and development, is increasingly thrust into the mix, yet this newer responsibility clearly envelops a broader range of industries and specific expertise. Utility regulators recognize the dependence of sound cybersecurity practices and cyber reporting on sound construction practices and utility-outage reporting, and vice versa.

A concern that I wish to leave with you for consideration is that protocols intended to distinguish between disruptions to critical infrastructure related to cyber events and those related to physical events, for example, a distributed-denial-of-service (DDOS) attack as opposed to a fiber-optic cable failure, have not kept up with the fast-emerging nature of cyber threats. Such protocols are easier to craft than to implement. The first evidence of disruption is the disruption itself, and such events do not often present themselves with the root cause clearly visible. In the critical ``golden hours'' after a possible new developing threat is detected, or immediately following an event, it may not always be clear what is actually happening or why. For this reason, close coordination between the utility sector and the cyber sector is essential to the response.
As the State public utility commissions have traditionally served as the gateway to the utility sector and have their own independent core of expertise and relationships key to understanding, in real-time, events affecting that plant, close coordination among the operators of our cyber networks, the Federal government, and State homeland security partners, including State utility commissions, is essential.

Resolving cybersecurity issues will require significant efforts on the parts of all of us, not just one or two of us. We all are part of the solution. Working with the asset owners and with our Federal partners, the States have been successful in the past in enhancing the overall reliability of our nation's electric grid. Our Federal government possesses significant assets that can provide States and the critical asset owners with timely and actionable threat information necessary to better secure these assets. We are partners in this struggle to maintain and enhance the reliability of our electric grid and to increase its resiliency, and we must all work together to achieve our collective goal.

Mr. Chairman and members of the Committee, this concludes my testimony. We at the Public Utilities Commission of Ohio take the issues of cybersecurity and reliability very seriously. As such, we believe a Federal-State, public-private partnership is essential to meeting these challenges over the long term. Thank you again for the opportunity to provide testimony here today and I would be happy to answer any questions that you or members of the Committee may have.

The Chairman. Thank you. Thank you, all, very much for your testimony. I will start with a few questions. Mr. Cauley, let me ask you first, could you describe what happens when a vulnerability is discovered, vulnerability to a cyber attack, for example. If you issue an alert to utilities about that vulnerability, is there any requirement that they follow your advice on that alert?

Mr. Cauley. Thank you.
We produce the report with intelligence information from the Government, with cleared experts. We create a document that we can then issue to industry, which is unclassified. We have 3 levels that we can issue. One is an informational heads-up. One is a recommendation, which we can track the results and performance of the recommendations. The third is an essential action, if we feel that it is imperative that the industry implement that. Then, our board can approve it, and it is a required action, and the industry is required to report back the results of that performance. The one area I pointed out last year in testimony was the--even though the industry is required to report back and they are required to implement the action, there is not an enforcement mechanism for that. I appreciate that in the discussion of that legislation, there was an inclusion to deal with that gap.

The Chairman. So, at the current time, if you issue an alert and you say, ``Take the following action,'' and the utility does not do so, you have no ability to enforce that?

Mr. Cauley. The industry is required to respond by our rules and by rules that FERC has approved, so the--we are limited at this point to a civil action, but not within our current rules and our current framework.

The Chairman. So, you can take them to court?

Mr. Cauley. We could.

The Chairman. But there is no immediate penalty or immediate remedy available to you. Aurora, I guess, is the most famous cyber vulnerability that has sort of gotten a lot of publicity. It was on CNN for several days back in 2007. You issued an advisory for that vulnerability, I believe; is that correct?

Mr. Cauley. That is correct.

The Chairman. Are you able to track how many utilities still have not complied with the recommendations in that advisory?

Mr. Cauley.
We were able to--one of the first things I came--did when I came back to NERC as CEO in the beginning of 2010, as I recognized that the information that the industry had from 2007 was insufficient, unclear, and, essentially, not actionable--so, we worked to issue another alert in 2010, which, I think, points out the importance of information sharing and access to information. So, we were able to put out a meaningful alert in 2010. We are tracking on a twice-yearly basis. We are tracking on the completion of mitigation. We have that information, and we file it with the Commission. It is sensitive information because of the nature of the vulnerability, but we do track that and file that with the Commission.

The Chairman. It seems to me--and you can just respond and tell me if I am misstating the situation. But it seems to me that the way the standard-setting process works, standards should be developed as a general framework for exercising authority to require mandatory actions in the case of a vulnerability being discovered. In fact, the way the system is working is that you are required to issue a new standard, with all of the accompanying delay, for any new threat that comes along, or if you don't do that, then you are left only with the ability to make non-binding recommendations. Now, is that a fair statement of where things stand?

Mr. Cauley. I think, Mr. Chairman, not every risk or challenge or vulnerability requires a standard. We get a lot of things corrected with information and just explaining to the industry what the issues are. There is a lot of problem-solving going on every day. Alerts give us an opportunity to deal with emerging issues or issues that need a timely response. Whether or not we could develop--we could develop a standard on Aurora.
The difficulty with that is, it is more of an equipment manufacturing-type standard, which is more applicable to an IEEE, the Institute of Electronic and Electrical Engineers, and I understand that they are committed to looking at that issue as a technical standard on equipment. If the Commission felt that there was a vulnerability that had been out there and had been out there too long, my belief is that, within the current section 215, the Commission could issue an order to the ERO to produce that standard, if it was a priority over other risks that we are dealing with.

The Chairman. Senator Murkowski.

Senator Murkowski. Thank you, Mr. Chairman. I am going to ask a little bit more about information sharing. It is something that each of you has addressed. Clearly, the NERC plays a role here with the Electricity Sector Information Sharing and Analysis Center, where you share and analyze the information. You have mentioned some of that. But it sounds like even from NERC's point of view, you would urge Congress to do what it can to facilitate further information sharing. Mr. Snitchler, you have indicated how important it is that the Federal agencies provide the actionable information, too, to help address or identify threats or vulnerabilities. GAO has also mentioned that. So, let me start with you, Mr. McClelland. Does the FERC think that the private sector has the information that it needs today to take action to address the cybersecurity threats and vulnerabilities from the information sharing perspective; do you have in place what you need? Then, if I could ask each of you to just further address this, because I think this really goes to the heart of what we are talking about here today.

Mr. McClelland. Thank you, Senator. I think, in general, the security practices are well-documented. I think there are protocols to standards. There are alerts and advisories that detail specific security protocols to improve the security posture of the utilities.
But, specifically, no, there are circumstances where there may be a specific actor that has targeted a particular piece of equipment or an operating practice. In those cases, it is important that those individual entities, and the industry at large, perhaps to a lesser degree if they don't have that specific equipment, is brought in, counseled, shown the threat, and then, any particular mitigations that could be applied are explained to that entity.

Senator Murkowski. So, then, to the rest of you. How do we do a better job of the information sharing? Mr. Wilshusen.

Mr. Wilshusen. One is to make sure that there is an appropriate mechanism in which--in place to actually share information on a timely, actionable basis. We did a review a couple of years ago at the Department of Homeland Security, of its lead role promoting the private-public partnership in securing our critical infrastructures, which include the electricity grid. We found that, to a large extent, the information that DHS provided through its alerts and threat information was not meeting the expectations of its private sector partners. In many cases, the information was not actionable, not timely. So, one of the means that would have to take place is to ensure that the information that is being provided is current, timely, and also anonymized. That has been one of the problems, is making sure that the information is sufficiently anonymous, so as not to identify any particular company or organization, but gets the information out to the individuals who actually put fingers on keyboards and secure the systems.

Senator Murkowski. Mr. Cauley.

Mr. Cauley. Senator Murkowski, I fully agree with the suggestion that the most important thing that legislation could do would be to foster a robust information sharing between Government and industry. Today, it is happening, but it is sort of like sipping from a lawn hose. We just need more.
Also, the information sources are ad hoc across agencies, so we work out individual relationships with agencies to get information. We have a very limited access to clearances within the industry, particularly on the top secret side. The value of that is, only industry experts can really, fully understand the impacts. Often, our limited folks that we have that do have clearances are explaining back to the intelligence folks what might be the impacts for a particular threat. So, I think getting more clearances, having a more unified system for sharing of information would be very beneficial.

Senator Murkowski. Mr. Snitchler.

Mr. Snitchler. Senator, what we hear from the utilities that we regulate is, often, that there is--they perceive a one-way information street, and they provide information and don't feel that they are getting a reasonable amount of information in return. By that, as already mentioned by other panelists, some of the specific data that could be helpful to them. There is also, I think, often times, the fear of disclosure will result in practices that maybe impact one utility, as opposed to all of them equally. So, there is a reluctance, perhaps, to share granular detail that might be helpful. Again, the anonymized information that was previously referenced, I think, would be helpful for that, because then it would ensure that we could have better disclosure of information in both directions. The critical component that we hear from utilities, without exception, is the need for security and that information not to find its way out into the public realm because of the potential implications, both to them and to the utility system.

Senator Murkowski. Thank you. Thank you, Mr. Chairman.

The Chairman. Senator Wyden.

Senator Wyden. Thank you, Mr. Chairman. Mr. Chairman, thank you for holding this hearing. I think it is extremely timely, in light of the leader's desire to bring cyber legislation to the floor.
I want to review with the 4 of you, essentially, where things are, on a couple of key questions. Now, as Chairman Bingaman noted, there are already rules in place that include cyber threats to the electric grid, and that, of course, was launched years ago. Now, this exercise seems to have produced another division in what I call the ``growing cyber industrial complex.'' For years now, the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, private companies, and lots of lawyers have shuffled paper back and forth, grants have been dispensed by the Department of Energy, and this has produced a product that has left few satisfied. So, let me start with you, Mr. McClelland, in terms of some of the concerns that would be helpful to have addressed this morning. Do you believe that because the standards don't require a physical separation, between the energy company networks that run the business operations and the critical infrastructure--the substations and the transmission--that despite all of this paper shuffling, this shortcoming is still a significant factor in making the electric grid vulnerable to attack?

Mr. McClelland. I will answer that and then maybe add a little to it, is that one of the CIP standards, CIP 5, requires an Electronic Security Perimeter around a critical cyber asset. Only critical cyber assets, which are self-designated by the entity that is captured by the standard, are covered by the standards themselves. So, if an entity decides it has critical cyber assets, then it designates an Electronic Security Perimeter around those assets. If the business systems are connected to the critical cyber asset, via the SCADA systems, or whatever the control systems are, then those business systems, theoretically, fall within that Electronic Security Perimeter.
So, if they are interconnected, if they work together, if they can't be separated, the assumption I would have is that they would be within--they would both be included within that ESP and physically protected.

Senator Wyden. But the bottom line is, the networks don't have to be separate, is that correct?

Mr. McClelland. That is correct.

Senator Wyden. OK. The second question I would like to ask of you is, that, for purposes of the legislation that is being considered for the floor of the Senate here before August, some companies are asking, that for purposes of this bill, they should be legally protected--legally protected through indemnification provisions when they report vulnerabilities in any cyber network. Now, it is my understanding that, with respect to the 2005 law, there is no such legal protection; is that correct? If so, is the absence of that kind of legal protection or indemnification processes--has that caused any problem in your view?

Mr. McClelland. Under the cyber standards or any of the reliability standards, one of the considerations under the violation severity level is whether or not an entity self-reports its problem. That is taking into consideration, as far as the enforcement provision, the penalties, how willing they are to admit that they have a problem, what the mitigation plan looks like, how timely they could be. So, self-reporting is an important aspect, as far as mitigation of the enforcement aspects, even under the existing network or the framework.

Senator Wyden. But the question is, Are there indemnification procedures now? My understanding is there are not.

Mr. McClelland. Right.

Senator Wyden. Is the absence of these provisions causing any problem? The reason I am asking is because this is going to be a big issue in the discussion, is whether or not there ought to be these indemnification processes when companies come forward and report problems.
What I would like to know is, if there are any problems today, as a result of the lack of reporting requirements. Could you answer that?

Mr. McClelland. I guess I would answer it by saying that, the self-reporting requirements--you know, the enforcement provisions under the existing standards are important, and if it is not a standard that compels action, then it is not something that you can assure happens. You know, information exchange, alerts, advisories, essential actions can be helpful. But, at the end of the day, if there is no enforcement provision, it--there is no teeth behind these issues.

Senator Wyden. I will try one more time. Do you think----

[Laughter.]

Senator Wyden. Do you think indemnification procedures are needed for purposes of this bill that is going to be considered for the floor before August, yes or no?

Mr. McClelland. I am just not prepared to comment on that. I'm sorry.

Senator Wyden. OK. Thank you, Mr. Chairman.

The Chairman. Senator Franken.

Senator Franken. Yes, Mr. McClelland, do you think--no, I'm not good at that----

[Laughter.]

Senator Franken. But this question is for you, and for anyone who wants to pick up on it. Deploying a smart grid is crucial for integrating distributed and renewable energy resources, but a 2011 GAO report noted that, while FERC has authority to adopt smart grid standards, it does not have any specific enforcement authority to implement these. What are your recommendations for ensuring that standards are properly developed and enforced? Is this issue adequately addressed in any of the cyber security bills before the Senate?

Mr. McClelland. The GAO did find--they did echo FERC's finding from its policy statement on smart grid, that it lacked enforcement authority under the EISA that was passed by Congress. So, we do not have enforcement authority, even if we find that cybersecurity standards, as recommended by NIST, achieve sufficient consensus. The Commission's authority, however, does lie under 215.
So, pursuant to that authority, the Commission has been an active participant in NIST's SGIP and Cybersecurity Working Group. Our staff attends those meetings. They are regular participants. They bring that information then back to the NERC 215 process when they actively engage in the standards development teams under the cybersecurity standards. In fact, the Commission most recently, in approving version 4, even reminded NERC that it needs to consider those NIST provisions and incorporate those NIST provisions, as appropriate, in version 5 of the standards. So, I can't speak to the pending legislation. I'm sorry, Senator. I'm just not current with it. But I can say that the Commission is actively engaged in the NIST process, is actively working to incorporate the relevant aspects of that NIST process into the NERC standards.

Senator Wyden. Mr. Wilshusen----

Mr. Wilshusen. Yes----

Senator Wyden. You helped prepare this report, so do you have any comment?

Mr. Wilshusen. Right. I would just add that what Mr. McClelland is referring to with section 215 is their ability to enforce mandatory standards established by NERC over the bulk power system. But under the Energy Independence and Security Act, which deals primarily with the implementation of smart grid technologies, much of those technologies are implemented and deployed at the distribution level, which is more under the purview of the State regulatory commissions and others. I believe FERC does not have the enforcement capability at that level, under EISA or----

Senator Wyden. Mr. Snitchler, that is fine with you?

Mr. Snitchler. Senator, we----

Senator Wyden. From what I am hearing?

Mr. Snitchler. Correct. We think we have got an adequate handle.
Ohio has approached the smart grid deployment differently than other States--each of us has approached it in a different fashion--where we have rolled it out in a series of pilot projects with one utility that is now moving toward full deployment, others who are further behind the curve, but are moving forward. We have been able to work closely with those utilities to make sure that they are operating in a way that gives us a level of comfort, that they have a sufficient amount of security going forward. We actually have had a couple of open dockets at the Commission, in an effort to determine where companies are at, what steps are being taken. But, like other State commissions, it is sometimes a challenge to have our utilities come in and disclose the weaknesses in their system. So, the issue of confidentiality, again, rears its head, even at the State level, as we try to protect that information and prevent it from becoming part of the public domain.

Senator Wyden. Taiwan, Singapore, China, South Korea are among the largest manufacturers of semiconductors and microprocessors for these smart devices. There are concerns that if a cyber criminal gained access to such devices, especially during a manufacturing process, they could covertly insert code in the devices to impair its function. For any of you, are we testing these purchased devices to mitigate potential vulnerabilities?

Mr. Wilshusen. I guess I will take that question first. IT supply chain has been a key vulnerability into systems and the critical infrastructures of this Nation. We issued a report earlier this year that dealt with IT supply chain and dealt specifically with some of the microprocessing chips. We looked at several agencies, including DHS, Energy, Department of Defense.
To a large extent, we found that the procedures for reviewing the vulnerabilities on IT supply chains and the types of equipment that are being acquired, agencies really have not established effective mechanisms to adequately address that vulnerability. To some extent, it needs to be done at the national level, because the risks are more national in scope. The administration has recently developed an IT supply chain strategy. We are in the process of looking at that strategy as part of our ongoing work.

Senator Wyden. My time is up. Does anyone have another comment? I saw Mr. McClelland nodding.

Mr. McClelland. I would only add that, you know, hardware is one component. Any time there is two-way electronic communication, there is a chance for compromise, and there are some very sophisticated entities out there that employ various mechanisms, including hardware compromise, to accomplish that task. So, it is a critical aspect of network security.

Senator Wyden. OK. Thank you, gentlemen. Mr. Chairman, thank you.

The Chairman. Mr. McClelland, you mentioned this problem of electromagnetic pulse events. I gather our former Congressman and Speaker, Newt Gingrich, had an op-ed in the ``Washington Post'' this last week, where he argued that we need to pass legislation to protect against electromagnetic pulse events, and you seem to say the same thing in your testimony as I read it. Is there anything being done, just at the current time, to deal with this problem?

Mr. McClelland. The Commission recently held a technical conference on this very subject. It invited NERC and industry experts, and it compared the Commission's report through the Oak Ridge National Laboratory, to the NERC report. It asked for comments and sought consensus. So, the Commission does have the industry's comments. We are reviewing what can be done, where there are areas of agreement and disagreement.
But one thing that was encouraging from the conference is that we thought we heard, regardless of the scale of destruction or damage to the equipment itself, there would be a widespread grid collapse, and everyone agrees that that must be prevented. So, coordinated studies need to be done among the entities. There are, likely, standards that need to be passed, not necessarily NERC standards, but industry standards, to prevent, you know, damage to vulnerable equipment. There is a subset of critical and vulnerable equipment that should be protected--no regrets actions that should be pursued to protect the public against this issue.

The Chairman. I guess one obvious question is, What kind of timeframe are we talking about here? I have the distinct impression we may be studying this issue while the electric grid collapses. What is your understanding of the timeframe to get something done?

Mr. McClelland. The Commission is moving through completion of reviewing those comments, and under existing authority, it can address the geomagnetic disturbance issue through reliability standards. So, the Commission is now informing itself from the NERC study, from the Oak Ridge study, and from the public comments, and it is moving to review its options under its existing authority to address the issue.

The Chairman. So, does that mean this year something is going to be done?

Mr. McClelland. I'm sorry, I just can't speak to the timing of Commission action.

The Chairman. Whenever people talk about, ``We're moving to review our options,'' that doesn't sound like anything imminent to me. Mr. Cauley, did you have a point of view on this issue? What is NERC doing to solve this problem of the threat from electromagnetic pulse attacks?

Mr. Cauley. Thank you, Mr. Chairman. We issued a report in February, which put the engineering and science behind the characteristics of what kind of failures and things we might see, and we have initiated a number of actions. We issued an alert to industry.
We have been working with NASA and NOAA in terms of enhancing the alert system, so we can let industry know if there is an issue impact coming, and that we can put the system in a more conservative position to withstand an event. We are also working with EPRI, Electric Power Research Institute, in terms of locating monitors on--Earth current monitors, as well as equipment monitors, so we can understand and see the behavior of the impacts and know what we need to do to address that. This is a long-term effort. I realize that we could have impacts near-term, but really there is a lot to learn and develop. We are also looking at doing testing on transformers, in terms of inducing Earth-type simulated currents in them and seeing how they behave and how they react. So, there is a lot of work going on on multiple fronts. We are not waiting for standards. We are actually moving on the engineering and the modeling and the operational----

The Chairman. When you say you issued an advisory--or an alert, I guess--what did you refer to it as, an advisory or an alert?

Mr. Cauley. It was a NERC alert, yes.

The Chairman. An alert. Was that a set of directions to utilities to take particular action, or was this just basically saying, ``Here's a problem''?

Mr. Cauley. This one was informative, sir, so it gave actions that could be taken if there was an impactful storm that was going to come toward the Earth, actions that would be recommended to be taken. But it was not issued as a required set of actions.

The Chairman. So, no required actions have been----

Mr. Cauley. Not in this particular----

The Chairman. Recommended----

Mr. Cauley. That is correct.

The Chairman. At this or put forward? Senator Murkowski, did you have other questions?

Senator Murkowski. This is more of a general question to all of you. I think Mr. Wilshusen, you mentioned that, perhaps, standards should not be spelled out too specifically or utilities kind of get in this compliance mode of trying to meet the standards, instead of safeguarding the systems. We want to push everybody to be one step ahead of the guys that are trying to disassemble things, and so, we don't want to get them focused on just checking the boxes off; we need them to be thinking ahead every single day. This whole issue of flexibility within a system, as opposed to a prescriptive set of standards concerns me. My concern is that the legislation that is being considered right now, not the secure IT, but what is coming out of Homeland, is a more prescriptive approach. Can I ask each of you to speak just to that issue, as to the need for flexibility in this area that allows us to be a little more nimble, rather than just complying with a set of standards? We'll just go from you, Mr. McClelland, on down.

Mr. McClelland. Thank you, Senator. I agree. I think all of the panelists would, too, that the individual entities have to have the latitude to have the directive, but not be so prescriptive as to tie them into any singular response. On the other hand, though, someone needs to make certain that the Mitigation Act is effective. Back to that question about Aurora, you know, it's not enough just to collect survey data; it is important to verify the mitigation. So, I agree; I think the standard needs to compel action, but provide the latitude that the individual entities might need to address the issue on their systems.

Mr. Wilshusen. Yes, definitely, I think standards need to be flexible. They should not be overly prescriptive, because you want them to stand the test of time. You don't want to necessarily change your standard every time there is a new threat or a new technology that emerges that presents additional vulnerabilities.
As a parallel, in the Federal Government, NIST issues Federal information processing standards, which are mandatory requirements. In addition, though, it has issued lower levels of guidance, usually through special publications and guidelines that provide increasingly more detailed actions that can be taken to secure systems in cybersecurity. But they are more prescriptive, and they are at a greater level of detail than the actual Government-wide standards. This greater level of detail is needed to effectively secure systems. So, it is good NIST had that flexibility and multiple layers of guidance--standards, guidelines, and instructions, if you will, to provide to organizations to secure their systems.

Senator Murkowski. Mr. Cauley.

Mr. Cauley. Senator Murkowski, I agree, as well. The most effective standards will be based on risk controls, setting up systems to catch issues that need to be identified, not on a prescriptive, line-by-line, rule-based-type standards. We are adopting those risk controls in the version 5 standards. We are looking at the NIST model. We have extracted from their set of standards, the ones that we think would work in the power system, and we are fleshing those out within those standards. There is an added factor within--in the security arena, is that you really want to incent people to report issues. Because part of the intelligence is finding out what are the bad guys doing and what information are we finding, and lots of little pieces mean something when you roll it all up together. So, if we are going in with a checklist style of compliance, it is not going to be helpful. We want people reporting information, actively. I think we are on the right track for that.

Senator Murkowski. Mr. Snitchler.

Mr. Snitchler. Senator, at the risk of saying, me, too, I would agree with the comments made by the prior panelists.
I think the flexibility that you have suggested, necessarily, moves into that resiliency that can be developed by the multiple utilities that we regulate, taking a different approach to achieve the same objective. That diversity of approach to solving a problem also potentially has the ability to keep an entire system from being knocked down, because, instead of targeting one set of security concerns, you are looking at more than one set and ways that that problem may have been solved, and has the ability to require far more effort on the part of those that will do ill-will to the electric grid or to those who may be seeking to try and damage the country. I think, also, by moving away from a prescriptive, check-the-box, as you describe it, list is helpful, and that we are then charging the utilities that we regulate with being as far as they can, one step ahead of, in evaluating all the threats, whatever they may be. I know that I have been to at least one utility in Ohio's command center where they are doing just that and have retained security folks to deal with those issues, in an effort to ensure that they are viewing all the potential sources of entry and all the potential manners in which they can respond and block those out, at various levels within their system.

Senator Murkowski. Thank you, Mr. Chairman.

The Chairman. Senator Udall.

Senator Udall. Thank you, Mr. Chairman. Good morning to all of you. Thanks for joining us on this important topic. Mr. McClelland, if I could, I will start with you. This may be a tangent--a slight tangent, more accurately. I don't know if any of the witnesses have addressed work force issues in their written testimonies, but I realize one of NERC's standards refers to personnel training requirements.
I am curious whether you believe we have the right people with the right training in place at FERC, at NERC, at the utilities, or elsewhere, to develop and implement the standards to keep the grid secure and respond to threats and vulnerabilities. Do you think we would be more secure with additional and better training to cyber warriors?

Mr. McClelland. I would say, yes. We do have--the Commission is fortunate to have--it is a small staff, but it is a very talented staff that we have mostly drawn from other agencies, and they have spent their entire careers in cybersecurity. I think NERC is also gifted with some of the employees that they have in place. But these folks are as scarce as hen's teeth, and it is difficult to find them. In many cases, we steal them from each other. That said, we have been able to--and I know NERC has also taken advantage of this. We have leveraged the intel agencies with some of the best, probably--well, undoubtedly, the best skill sets in the world. So, we leverage those intel agencies to help us understand what the issues are and to address the threats. But, certainly, more and well-trained cybersecurity people are something that we all need.

Senator Udall. Others on the panel, care to comment? Mr. Cauley.

Mr. Cauley. Gerry Cauley, NERC. I believe that is an opportunity for us, and I think we do need to expand and grow our work force in terms of capabilities. It is another example of an opportunity to partner between Government and industry. There is a training program at the Pacific Northwest Lab, and we have been running as many industry folks as we can through that. It is a very good, week-long program. It is very intense. But, we need more of that.

Mr. Wilshusen. I would----

Senator Udall. Mr. Wilshusen.

Mr. Wilshusen. Yes, thank you. I would just add that, not only just within NERC and FERC, but throughout the Federal Government.
We have issued a report earlier this year, too, about human capital challenges within the Federal Government, securing Federal systems. Indeed, that is an area that is a prime consideration and concern.

Mr. Snitchler. Good morning, Senator.

Senator Udall. Mr. Snitchler.

Mr. Snitchler. One of the issues that we have found, anecdotally, in talking with our utilities in Ohio, is that they have actively recruited from within the military, and have had good success with folks who are used to dealing with top secret clearance and higher on issues that involve issues of this nature at the utility. They have found that to be helpful. That being said, they are also at a premium, and it is very difficult to find sufficient staff. I would agree with the prior comments about this being an opportunity for specific work force development that has long-term implications for the country.

Senator Udall. Mr. Wilshusen, let me turn to you for the next question. You talk about the difficulties in the industry of sharing information on cybersecurity. Could you describe some ways that you think the electricity industry could improve in this area?

Mr. Wilshusen. Yes, I think there are a couple of areas. One would be to have a mechanism in place in which the industry can collect actionable intelligence--or information about security incidents and vulnerabilities that may be present within the industry and then being able to share it with other members, but after it has been anonymized. Before you came, we talked about the need to anonymize certain threat information, alert information, so as not to put other companies in peril. Then, those companies may be more willing to share information that they may have of any incidents occurring at their organizations. So, that will be one key area.
Another is, to receive information from Federal sources and through NERC and FERC; particularly, getting additional information through the intelligence community, through Department of Homeland Security, on threats that are occurring and vulnerabilities that are happening within those particular industries.

Senator Udall. Let me follow that up. In Colorado, we have the Western Cyber Exchange, which is a public-private partnership, and it works on a regional geographic basis, both on improving cybersecurity, and then on incident response. Do you think regional cross-sector models like this are something we could encourage and should encourage?

Mr. Wilshusen. I think they serve their place. You know, regional would help. But many of the threats are international in scope and come from other sources from which regional utilities--or groups may not have that information. That is why it is important at the Federal level, at least, threat information, alert information from the intelligence community, through DHS, be shared with those particular groups.

Senator Udall. Mr. Cauley or Mr. Snitchler, would you care to comment on that question, as well?

Mr. Cauley. Yes, sir. We have the Information Sharing Analysis Center, and what I think we are trying to create is hubs of information connected to other hubs. So, ours is focused on the power system in North America, but we are connected to intelligence agencies, U.S.-served and other--the NCICs, who are plugged into these other sources, and we share information with our members in North America. I think the one other thing that we could do better is to have more access to clearances, and to create what I would call ``fusion centers,'' perhaps in cooperation with the FBI local offices, regional offices, where we can quickly get very detailed information at the classified level to people in industry who can understand, at a very granular level, what is the threat, and what actions should I take.
That is an opportunity for us to think about.

Mr. Snitchler. Senator, I think I would echo the comments from the GAO, where actionable information that has been sufficiently anonymized would be helpful, because the issue that we often hear is the question of, If I provide information, will this later be used against me? If it is, obviously, they are reluctant to share that information. Frankly, if we get into a situation where we have a better way to exchange information, we can be implementing best practices and avoiding each individual company's having to uncover and discover the same problem and work their own solution, but would then have, in effect, a clearinghouse of known issues. Then, they could work to solve that with the flexibility within the standard that may be required.

Senator Udall. Thank you all, again, for appearing and discussing this very important topic. Thank you, Mr. Chairman.

The Chairman. Senator Coons.

Senator Coons. Thank you, Chairman Bingaman. Senator Bingaman, you have been beating the drum on this issue for some time now, and I was happy to join you last year in supporting the Grid Cyber Security Act. I am grateful to you and to Senator Murkowski for convening this panel into taking another look at where we stand and what we and Congress have to do in order to raise the baseline for cyber defense in this most important sector for the American economy and the American people. Since we met on this topic a year ago, cybersecurity has become one of the most talked about challenges facing our Nation. Everyone, from the Secretary of Defense, who has said the next Pearl Harbor will be in cyberspace and is coming, to individual business leaders, has warned that the Nation as a whole faces a real threat, which Members of Congress need to work together to address. There are very few issues I lose more sleep about than our cyber vulnerabilities, and when I speak to experts, they simply cause me to lose even more sleep.
So, I appreciate the opportunity to reduce my sleep opportunities further today. To Mr. Wilshusen of GAO; forgive me. Your written testimony said that when the GAO looked at the security of utilities, you concluded that, overall, they were focusing on regulatory compliance, more than a comprehensive security. I think that's a quote. Can you elaborate about more--more on what about the existing approach, in fact, leads to standards becoming a ceiling, instead of a floor, for the level of cybersecurity, and what we could do in terms of standard-setting and internal partnerships that would strengthen an approach to comprehensive security, rather than mere compliance?

Mr. Wilshusen. I think that one of the dangers when organizations just focus on mere compliance is that they don't take an overarching view and develop a comprehensive program for assessing the risks and taking the appropriate steps to assure that they cost-effectively address those risks and mitigate them to an acceptable level. I think it is still important, though, that you do have standards or minimum baselines of security controls that can be consistent across a wide group of similar organizations, perhaps, an industry, taking into account that each entity may have separate risks and controls in place to help mitigate those risks. So, it is going to be important that each agency have an effective program for assessing the risk and then taking the appropriate steps to implement the appropriate controls to mitigate that. That would include, not only just assuring compliance with standards, but also taking other actions as determined necessary in the facts and circumstances.

Senator Coons.
If there were to be standards that were negotiated--that were agreed to between industry and regulatory agencies, for an area like cyber, where the threat seems to be rapidly evolving, how would you update, routinely, those standards in a way that contributed to actual comprehensive security; how would you do that in a way that balances the economic impact, the cost, with promoting and achieving actual security?

Mr. Wilshusen. I think one way is, first off, with the standards. They need to be at a sufficiently high level to where they are flexible enough to allow for movement in the implementation of controls to address emerging threats and vulnerabilities that occur. So, it really gets back to each agency or organization being able to determine what its risks are, and then take the appropriate controls to mitigate them. At the same time, there needs to be a level of standards, such as the CIP standards, and probably have those evolve as going through the current process, to address new technologies and vulnerabilities that occur.

Senator Coons. Mr. Cauley, at NERC, you discussed that your biggest concern is a coordinated, actual physical and cyber attack, and that, perhaps, the combination of a terrorist attack in the physical world, followed by an attack that then takes down some critical infrastructure, such as the electric grid. I happen to agree that a cyber attack of this kind would be particularly dangerous. I would be interested in what sorts of public-private partnerships NERC is engaging in to prepare with or promote relationships with local and State responders to help mitigate those threats, and I would be interested in where you hope to expand on those partnerships in the future.

Mr. Cauley. Thank you, Senator. We do work closely with State and local agencies, in terms of informing them what we are doing on the system and vulnerabilities.
One of the most concerns that we have is any challenge that would do any permanent damage to equipment, so we work closely with law enforcement, FBI, in terms of securing the physical assets and investigating issues that come up with breaches and entry into substations and equipment, things like that. So, I think there is an opportunity to continue working on that and expand that, in terms of types of scenarios--of attack scenarios we might see and run through drills and sort of understand our communications: who has responsibilities; how do we need to move personnel from point A to point B and move equipment; and those kinds of things. So, it's still an opportunity for us to continue working and developing.

Senator Coons. Broadly, how would you appraise the capabilities and the preparedness of State and local first responders, law enforcement, emergency management agencies, to deal with this sort of a combined attack or the emerging threats of cyber?

Mr. Cauley. I think we certainly see a lot of experience and practice there that gives us some confidence--when we have major storms come through, trees are down, and roads are blocked. A lot of the capabilities that come into play during an attack on the grid would be similar to those kinds of things. So, in terms of securing people, moving people, securing supplies, those kinds of things, I am confident in the capability of the local and regional law enforcement and first responders.

Senator Coons. Thank you. Mr. Snitchler, at the utility, the PUCO that you are now a chair of, I was heartened in your prepared testimony to hear that you addressed the importance, not only of public-private partnerships, but also Federal-State. I agree, since, in any of the scenarios we have been discussing, it is likely to be State and local responders who bear a lot of the responsibility, are likely to be first on scene, or likely to be leading the recovery effort.
Now, but on an issue like cyber that doesn't respect traditional, internal political boundaries or planning processes, how do you avoid wildly different standards that lead to uncertain and unreliable security situations or potentially to overinvestment in security that puts too much of a burden, in terms of the operating costs of utilities?

Mr. Snitchler. Senator, I think you have hit on the--one of the primary issues that we often face at the Commission, which is, What is the appropriate cost and what can consumers and businesses afford to pay, in order to have the safe, reliable system that they have come to expect? Certainly, we try to approach that, being mindful--as I put in my written testimony--about protecting those critical assets, determining what those are, those are your diamonds, and giving them the appropriate level of protection, and then, having your--I hate to use the term ``less valuable'', but those that perhaps are, for example, a transformer on a street as opposed to a substation that is going to power several city blocks. You would treat those two differently. As a result, you would make your investments in how you would want those to be treated differently.

To move back to your first question, to address how do you--I think what you are asking is how do you not end up with a litany of ways for States to address these issues, when you have one issue that may be a national security issue or an attack on the country. I think you have to look at threats versus vulnerabilities. I think where you have a threat that has the ability to impact the entire country or a substantial region, then, certainly, there is a definite need for Federal involvement to be able to address those types of concerns. Where you have got a more localized issue or a vulnerability that could be exploited, then, certainly, there is a role for State commissions--the utilities and the State government, in general--to deal with those concerns.
I think it is a little bit fact-specific, depending on exactly what the scenario you are describing is; but, certainly, it is not a good idea to have 51 different ways for us to evaluate a problem. But, I think if you break that problem down into a threat versus vulnerability, and then categorize or prioritize, you can arrive at a more comprehensive way of evaluating those issues.

Senator Coons. Mr. Snitch, excuse me, Mr. McClelland, if I might, for a last question. I just would be interested in your level of confidence that we have got the information sharing and the collaboration in place to allow State and local operators to distinguish between an unexpected outage, a rolling brownout, an equipment malfunction, and something that, in fact, has originated as an attack on the Nation, and then, to share relevant information in real time.

Mr. McClelland. Thank you, Senator. There is certainly room for improvement. I think the important aspect is that the interconnections are very large; there are multiple States within the interconnections. Because it is a network, and a tightly integrated network, the actions or inaction of any particular player can have a substantial impact on the rest of the interconnection. So, going back to your prior question, I think it is important that the entities communicate, that minimum standards be put into place. A minimum in security is a tricky business. Now, you mentioned before about, you know, sort of, what are the costs economically to put the standards in place or to put these protocols in place. But the world moves on, and it is a very small place. What we are seeing is, you know, folks from around the world having access--or potential access to SCADA systems. You can no longer live in isolation. So, the question would be, What are the adequate security provisions that an entity must have to protect its business, and then, how do those practices compare with other practices? Are we sharing lessons learned?
Are we sharing relevant intelligence? Is it actionable intelligence, so that folks can see what is happening, they can learn from their neighbor, and they can put the security in place, because the threats are moving at lightning speed? So, as with you, it does keep us up at night. It is probably the most significant thing that we deal with. It actually has a potential to become much worse, because, as we add equipment that was previously dumb equipment and make it smart equipment, and give it two-way communication, and then give it the ability to speak with the largest generators on the system or to have a nexus to the largest generators on the equipment, then we have introduced a vulnerability. It would be like on-line banking, without cybersecurity. You really don't want to go there. So, I think we are at a point now with the grid and the changing grid and the cyber connectivity, where no one can live in isolation. If there is connectivity, there is two-way communication; there has to be some sort of minimum protocols and there needs to be sufficient information sharing so that everyone is able to move ahead with a threat.

Senator Coons. Thank you. Thank you, Mr. Chairman. Thank you, to the panel.

The Chairman. Senator Murkowski, do you have additional questions?

Senator Murkowski. I am done, Mr. Chairman. Thank you, though.

The Chairman. Senator Udall, did you have additional questions?

Senator Udall. Mr. Chairman, thank you for asking. If I might. I think much of this could be done for the record, but I wanted to ask Mr. Cauley what more can we at the Federal level do to recruit, train, and motivate young people to operate and defend our critical infrastructure, like the electric grid?

Mr. Cauley. Senator, you know, I think by its--by the very attention and focus that we are putting on this, I think we are creating sort of an attractive arena to go into, and I think, you know, we are seeing that in some of the schools, as well.
But I think, ultimately, one of the other panelists mentioned recruiting military and people from Government. I think we have to recognize that the--sort of, the center of universe intelligence and security state-of-the-art is in the Government and in the military, and to the extent that it is not just the hiring of the people, but to do training and development programs and cooperative programs. You know, I think information sharing and partnering between Government and industry are the two most important things we can do, and this is one area where we could do a lot more, in terms of Government sharing practices, the art and skill of security management. I think those kinds of things would be very useful for industry.

Senator Udall. Mr. Snitchler, would you care to comment?

Mr. Snitchler. I would echo the comments from the other panelists. Ohio is blessed to have the Wright-Patterson Air Force Base near Dayton, where we have a substantial military presence, of course. As a result, we have a large number of military folks who may be being discharged from the Service and who are able to move into those positions. But, as I previously noted, even with that, we still find that there is a shortage. These skilled professionals, and they are exactly that, are in short supply and in high demand, and companies are working very hard to try and find them. I think one of the other panelists said, we typically end up raiding somebody else's cupboard to find someone to be able to fit that need. That has been my experience in talking with the utilities that we regulate is, that is often times where they find them. I think a more concerted effort to demonstrate that when you have completed your time of Service, if you want to move into the private sector, these are some of the avenues that you can pursue to have a long-term viable career, because these issues are not going to go away.
The skills that they bring to the table make them immediately valuable to an organization, and I think that has tremendous value.

Senator Udall. I would note, as I conclude, that I sit on the Armed Services Committee. We are having some of these same discussions with the Department of Defense, and they are also concerned about recruiting young cyber warriors, if you will. So, I think we have got to really focus on growing the pie, growing the sense that this is an important career path and work together, not only with the private sector and the public civilian sector, but also the Department of Defense. I look forward to working with all of you in that regard. Thanks, again, for your testimony. It is very helpful. Thanks.

The Chairman. Yes, thank you very much. I think it has been a useful hearing. We will conclude the hearing with that. Thank you.

[Whereupon, at 11:30 a.m. the hearing was adjourned.]

APPENDIX

Responses to Additional Questions

----------

Response of Gerry Cauley to Question From Senator Bingaman

NERC registered entities are required under the currently effective NERC Critical Infrastructure Protection Standards (specifically Standard No. CIP-007-3, Requirement 4) to have a malicious software prevention program to protect critical assets supporting the electric grid. The standard specifically requires a NERC registered entity to ``use anti-virus software and other malicious software (``malware'') prevention tools'' (emphasis added) to ``detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware.'' Due to the use of the term ``and'', the use of antivirus technology in a registered entity's malware prevention program appears to be a minimum requirement for[sic].
However, there are other technologies, such as whitelisting, that are superior to antivirus in the protection of these critical assets, but if antivirus is a minimum requirement, this standard appears to present a roadblock to registered entities using those newer, superior technologies in malware prevention.

Question 1. Please explain why registered entities should be at risk for noncompliance and penalties for using a malware prevention tool other than antivirus.

Answer. NERC has not processed violations for a case as described. The focus during NERC audits is on assessing how the entities are handling and mitigating the virus or cyber intrusion risk, and not strictly on having both methods. NERC's focus is on securing virus and malware no matter the tools. Antivirus software is a well-understood protection method, but it is only one method to detect, prevent, deter, and mitigate the introduction, exposure and propagation of malware. CIP-007-3 R 4 allows for and does not prevent the use of additional and alternative methods. When used, antivirus technologies should be used in conjunction with other methods, such as whitelisting, file integrity checking, and computer and network behavior analysis. Version 5 of the CIP Standards, currently being finalized, requires that entities ``deploy method(s) to deter, detect, or prevent malicious code'' and ``mitigate the threat of identified malicious code,'' thus allowing flexibility by entities to implement the current anti-virus and/or anti-malware paradigm, implement whitelisting, or choose any other method so long as it meets the requirement to deter, detect, prevent, and mitigate threats posed by malicious code.

Responses of Gerry Cauley to Questions From Senator Murkowski

Question 1. A few months ago the White House and the Department of Homeland Security staged a mock scenario for Senators featuring a cyber-attack on the grid in New York City.
I was disappointed to learn that neither FERC nor NERC was invited to participate in this exercise, particularly since at no time during the briefing did the Administration ever inform members that the utility sector is already subject to mandatory cyber standards to protect the Bulk Power System (BPS). Why was FERC not invited to participate in the Administration's grid cyber-attack exercise? How does FERC interact with DHS in the cyber arena currently? Is DHS aware of the cybersecurity standards currently in place for the BPS?

Answer. NERC is unaware of the circumstances regarding why FERC was not invited to the DHS exercise; NERC is also unaware of FERC's interaction with DHS in the cyber arena. NERC was not invited to participate in the White House/DHS/Senate briefings and thus could not brief Members and staff on the action that Congress took in the Energy Policy Act of 2005 to address mandatory standards for cybersecurity for the BPS, and how that authority has been implemented.

DHS is aware that BPS owners and operators are subject to mandatory cybersecurity standards. In November 2011, NERC hosted the first-ever sector-specific distributed play security exercise, GridEx, which involved NERC's mandatory cybersecurity standards. DHS personnel, including representatives from the Industrial Control Systems Cyber Emergency Response Team and the Office of Infrastructure Protection (including the Electricity Sub-sector Specialists), helped plan and execute GridEx, and participated in it. In addition to awareness of NERC's standards, DHS is also aware of Alerts issued by NERC's Electric Sector Information Sharing Advisory Council (ES-ISAC). NERC and DHS agreed to have ES-ISAC employees staff the National Cybersecurity and Communications Integration Center, where the ES-ISAC has access to actionable intelligence, including classified contextual information available to appropriately cleared staff within the BPS community.
NERC also provides anonymous situational awareness to DHS analysts to supplement the information DHS received from the intelligence community. This effort is crucial to improving the level of threat awareness within the industry and improving information sharing between government and industry.

As I mentioned in my testimony, NERC regularly interacts with DHS, partnering on many efforts, including several industry task forces working to improve security compliance and risk management. Specifically, DHS participates in the NERC Critical Infrastructure Protection Committee and the Electricity Sub-sector Coordinating Council. Additionally, NERC has partnered with DHS for each Cyber Storm exercise to educate federal partners on the BPS and industry's response to security threats.

Question 2. Many of the hearing witnesses noted that you simply cannot protect an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions that while you can try to ``gold-plate'' or even ``platinum-plate'' a system, the critical infrastructure we're trying to protect will become too expensive to run. Instead, he suggests we prioritize, using a risk-based approach. Please comment on the issue of cybersecurity costs and the suitability of using a risk-based approach. Do you agree with Mr. Snitchler that we should be protecting ``diamonds like diamonds'' and ``apples like apples''? Is the current FERC/NERC process for addressing cyber security vulnerabilities risk-based? If not, why not?

Answer. Since becoming President and CEO of NERC, I have prioritized incorporating a risk based approach to reliability. We are developing a strong portfolio of standards that address performance, risk containment, and competency. We are applying a defense-in-depth strategy that has proven successful in managing risks in critical sectors, such as nuclear as well as the aerospace industry.
I am fully confident that this approach will work well in managing risks to the reliability of the BPS.

The NERC CIP Standards have always approached cybersecurity protection from a risk management basis. Version 4 of the CIP standards (approved by FERC earlier in 2012) established a set of impact-based ``bright lines'' to remove subjectivity from the process of determining what BPS components are deemed ``critical.'' Under this paradigm, industry resources are focused on protecting the BPS components that have the most impact on reliable operations. Version 5 of the CIP Standards will have a three-tier approach for the categorization of critical cyber assets. Under Version 5, industry resources will still be focused on protecting the components with the greatest potential to affect the BPS at the highest levels, while recognizing that the remaining components still contribute to reliable operations of the BPS, and thus must be appropriately protected.

Question 3. What are NERC's standard operating procedures once it receives credible threat intelligence that may affect the bulk electric system?

Answer. NERC's Electricity Sector Information Sharing and Analysis Center (ES-ISAC) has developed different Alerts to inform industry about emerging threats. Alerts are different from standards, and can be developed and issued very quickly, depending on the urgency of the situation. Specifically, the ES-ISAC first reviews classified information with industry subject matter experts (SME) who hold the appropriate level of security clearances. As a part of the vetting process, a preliminary saturation and impact assessment determines the relative significance a compromise of the targeted technology would have on the BPS.
Once NERC and the industry SMEs determine how a compromise may occur and the potential impact or significance of the compromise, ES-ISAC staff and industry SMEs develop a draft Alert that contains specific, actionable information that BPS entities can use to establish a defense against the threat or help remediate an already existing impact. This draft Alert, which should be no more sensitive than ``For Official Use Only,'' is then distributed to a larger technical team of BPS SMEs called the HYDRA Team. The HYDRA Team is a broad coalition of industry volunteers with specialties in fields such as transmission, generation, planning, operations, and cybersecurity of industrial control systems. Typically, the vendor of the targeted technology is also involved in the Alert review, as is the vulnerability researcher who discovered the underlying vulnerability in the technology. Members of the technical staffs of the DOE, DHS, and the FERC are also members of the HYDRA Team. They receive draft Alerts and contribute to making final Alerts valuable for the industry.

The finalized Alert is then sent to both US (including FERC) and Canadian governmental authorities for their final review and comment. Thereafter, the Director of the ES-ISAC/Chief Cyber Security Officer approves the Alert for release to industry. When the Alert is distributed, it not only goes to NERC's Registered Entities, but also to other Electricity Sub-sector participants. Alerts may also be targeted to groups of entities based on their NERC-registered functions (e.g., Balancing Authorities, Planning Authorities, Generation Owners, etc.). Using this process, NERC has issued an alert in as little as 32 hours after receiving classified information about a threat.

Question 4. On Thursday, July 19, 2012, FERC approved an order that allows the ERO to fine the Southwestern Power Administration up to $19,500 for violating two cybersecurity-related reliability standards in July 2011.
Please explain the nature of these cybersecurity violations. I understand that DOE believes the federal government is exempt from such penalties under the Federal Power Act. Please specify for the Committee why the federal government is, in fact, subject to compliance with the FERC/NERC reliability standards, including cybersecurity standards.

Answer. The Southwestern Power Administration (SWPA) violated NERC CIP-004-1 (Cyber Security--Personnel and Training) and CIP-007-1 (Cyber Security--Systems Security Management). CIP-004-1 sets out requirements for personnel that have authorized cyber access or authorized unescorted physical access to Critical Cyber Assets, including requirements related to personnel risk assessment, training, and security (including cyber security). CIP-007-1 sets out requirements related to security systems determined to be Critical Cyber Assets and other assets within an ``Electronic Security Perimeter.''

Agencies and instrumentalities of the federal government that are users, owners and operators of the bulk power system (such as the Tennessee Valley Authority and the Bonneville Power Administration) are subject to compliance with the FERC/NERC Reliability Standards, including cybersecurity standards. DOE has recognized that such entities are subject to the Reliability Standards, but it has taken the position that neither FERC nor NERC may impose financial penalties on those entities for violation of the standards.

By way of background, Section 215(c) of the Federal Power Act (FPA), 16 U.S.C. Sec. 824o(c), authorizes FERC to certify and oversee an electric reliability organization (ERO) responsible for developing and enforcing mandatory Reliability Standards that are applicable to all users, owners and operators of the Bulk-Power System (BPS). FERC certified NERC as the ERO in 2006,\1\ and has since approved over one hundred national Reliability Standards as mandatory and enforceable, pursuant to FPA Section 215(d).
---------------------------------------------------------------------------
\1\ North American Electric Reliability Corp., 116 FERC Sec. 61,062, order on reh'g and compliance, 117 FERC Sec. 61,126 (2006), order on compliance, 118 FERC Sec. 61,190, order on reh'g 119 FERC Sec. 61,046 (2007), aff'd sub nom. Alcoa Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

FPA Section 215(b)(1), ``Jurisdiction and applicability,'' describes FERC's reliability jurisdiction as follows:

    The Commission shall have jurisdiction . . . over . . . all users, owners and operators of the bulk-power system, including but not limited to the entities described in section 201(f) . . . for purposes of approving reliability standards established under this section and enforcing compliance with [FPA Section 215]. All users, owners and operators of the bulk-power system shall comply with reliability standards that take effect under this section.

Because they are described in FPA Section 201(f), agencies or instrumentalities of the United States are expressly included within the term ``users, owners, and operators of the bulk-power system'' in Section 215 and made subject to FERC's jurisdiction to both approve and enforce reliability standards. The requirement in FPA Section 215(b)(1) that all users, owners and operators of the bulk-power system must comply with reliability standards that take effect under Section 215 thus applies to Federal entities.
In orders issued since 2009, FERC has held consistently that a federal entity that uses, owns or operates the Bulk-Power System must comply with mandatory Reliability Standards.\2\ Most recently, in its July 19, 2012 order, FERC found that Section 215 explicitly conveys authority to assess a monetary penalty against a federal entity that is a user, owner, or operator of the Bulk-Power System for violations of a mandatory Reliability Standard.\3\ FERC rejected arguments that the grant of enforcement authority under FPA Section 215 is limited by the scope of the Commission's general civil penalty authority over federal entities, as set out in FPA Section 316A, and instead found that the separate grant of penalty authority over federal entities under FPA Section 215 is ``explicit and unambiguous.'' FERC found that this penalty authority under FPA Section 215(e) applies to both the ERO and the Commission.

---------------------------------------------------------------------------
\2\ North American Electric Reliability Corp., 129 FERC Sec. 61,033 (2009) (2009 Jurisdictional Order), reh'g denied, 130 FERC Sec. 61,002 (2010); North American Electric Reliability Corp., 133 FERC Sec. 61,214 (2010), reh'g denied, 137 FERC Sec. 61,044 (2011).
\3\ North American Electric Reliability Corporation, 140 FERC Sec. 61,048 (2012).
---------------------------------------------------------------------------

Response of Gerry Cauley to Question From Senator Barrasso

Question 1.
In your testimony, you encourage Congress to ``facilitate information sharing between the public and private sector.'' You recommend ``making more clearances available to industry, identifying alternative methods to communicate classified information to our Canadian partners, and encouraging increased information sharing by US Government departments and agencies with asset-owners.'' Would you please expand upon the steps Congress should take to facilitate information sharing between the Federal government and industry?

Answer. The most important action that can be taken to address cybersecurity is improving information sharing. Improved information sharing depends on a fundamental understanding by government that the private sector owners and operators of the BPS need to know as much as possible about a threat, as soon as possible, so that they can take the appropriate action. The owners and operators of the BPS know their systems and the consequences that actions taken in one part of the BPS may have for another part. They cannot merely be told that there is a threat; they must be provided with sufficient information about the threat so that proper mitigation measures can be developed. In NERC's experience, this has been difficult for government security professionals to understand. As I noted in the hearing, it took more than three years to get actionable information from the government on the Aurora vulnerability. Once that information became available in a form that NERC could share with industry, NERC issued an Alert to industry, and industry then began developing mitigation plans.

Any action Congress can take to make more secret-level clearances available to the Electricity Sub-sector would assist in information sharing efforts. Individuals from the Electricity Sub-sector should be able to access and analyze classified information and share it among other cleared partners.
In addition, in the instance of a cyber attack, these individuals should be assured that they have access to local secure centers, such as fusion centers or local Federal Bureau of Investigation offices. Continued support for NERC's existing cybersecurity efforts, including NERC standards and the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), the Electric Sector Coordinating Council and NERC's grid security exercise and conference, which provide forums for improving information concerning cybersecurity among the public and private sector, is appreciated. NERC's ES-ISAC is one of the most effective tools NERC has to inform industry about emerging cybersecurity threats through Alerts. As I mentioned in my testimony, the ES-ISAC partners with several industry and government organizations to not only share critical cyber information, but to also develop these Alerts. Also, reflecting the international nature of the BPS, NERC is responsible for ensuring the reliability of the BPS within the US and Canada. Currently, NERC is unable to share sensitive information regarding cyber threats or vulnerabilities with our Canadian partners. We are aware that the government has mechanisms in place to facilitate government-to-government information sharing at classified levels. Further work needs to be done to facilitate information sharing with industry officials in Canada, as well.

______

Responses of Joseph McClelland to Questions From Senator Bingaman

Question 1. You testify that the majority of the Directives that FERC issued in Order No. 706 have yet to be addressed. Could you describe some of the most important of them?

Answer. First, the Commission directed NERC to develop a process of external review and approval of critical asset lists in order to ensure that the proper assets were consistently covered by the CIP standards under a system that depends on the entities to self-designate their equipment. In Order No. 761, the Commission stated that the adoption of appropriate, bright line criteria for Critical Asset identification may obviate the need for an external review. However, as stated in that order, whether this development ultimately eliminates the need for an external review process as directed in Order No. 706 will depend on the discretion allowed to individual registered entities to self-identify and characterize assets or systems for critical infrastructure protection to support the nation's bulk-power system. It also will depend on whether the bright line criteria generally include adequate facilities. Second, Order No. 706 directed the ERO to require immediate revocation of access privileges when an employee, contractor or vendor no longer performs a function that requires physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement, or termination).

Question 2. Some have argued that FERC has the authority to order NERC to produce a fairly specific standard. Could you do so, and if you did what would be the process then?

Answer. The Commission can direct NERC to develop a reliability standard to address a specific reliability matter. However, the Commission cannot ensure that the content of the standard returned to it by NERC will adequately respond to the specific reliability matter as the Commission may not directly author or modify a reliability standard under section 215. Under section 215, reliability standards must be developed by the ERO through an open, inclusive, and public process. The NERC process is intended to develop consensus on both the need for, and the substance of, the proposed standard. Although inclusive, the process is relatively slow, open and unpredictable in its responsiveness to the Commission's directives.

Responses of Joseph McClelland to Questions From Senator Murkowski

Question 1.
A few months ago the White House and the Department of Homeland Security staged a mock scenario for Senators featuring a cyber-attack on the grid in New York City. I was disappointed to learn that neither FERC nor NERC was invited to participate in this exercise, particularly since at no time during the briefing did the Administration ever inform members that the utility sector is already subject to mandatory cyber standards to protect the Bulk Power System (BPS). Why was FERC not invited to participate in the Administration's grid cyber-attack exercise? How does FERC interact with DHS in the cyber arena currently? Is DHS aware of the cybersecurity standards currently in place for the BPS?

Answer. I do not know why the Commission was not involved in this exercise. That question is best answered by those who organized the exercise. With respect to the Commission's interaction with DHS, Commission staff works closely with the DHS both on an informal basis and through formalized processes such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Cyber Unified Coordination Group, and the National Protection and Programs Directorate at DHS. Commission staff meets monthly with the Nuclear Regulatory Commission (NRC), Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) at the Top Secret/Sensitive Compartmented Information level to discuss events and threats. Meetings with ICS-CERT are also conducted as required to discuss imminent threats and events that could impact the security of the electric grid. The meetings take place so the ICS-CERT can provide guidance to entities on how to address these issues.

Question 2. Many of the hearing witnesses noted that you simply cannot protect an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions that while you can try to ``gold-plate'' or even ``platinum-plate'' a system, the critical infrastructure we're trying to protect will become too expensive to run. Instead, he suggests we prioritize, using a risk-based approach. Please comment on the issue of cybersecurity costs and the suitability of using a risk-based approach. Do you agree with Mr. Snitchler that we should be protecting ``diamonds like diamonds'' and ``apples like apples''? Is the current FERC/NERC process for addressing cyber security vulnerabilities risk-based? If not, why not?

Answer. In general, the use of a risk-based approach to identify assets that are critical to the operation of the Bulk Power System can be suitable. The cost of cyber protection must be considered against both the effectiveness of the measures and the impact that the facilities in question can have on the reliability of the Bulk Power System. However, the designation of ``diamonds'' does not just depend upon the size or expense of the equipment, but also depends upon the connectivity of the equipment, whether it can be compromised and, in turn, be used to compromise other equipment that may alone or in aggregate successfully compromise the operation of the Bulk Power System or the customers it serves. The currently applicable CIP standards include a risk-based methodology to determine which facilities are ``critical assets and the associated critical cyber assets,'' and therefore are subject to the requirements of the CIP reliability standards. However, these standards allow utilities significant discretion to determine which of their facilities fit that description. The recently-approved Version 4 CIP Reliability Standards, which will go into effect on April 1, 2014, replace this risk-based assessment with ``bright line'' criteria. Version 4 relies upon the affected entities to self-designate their ``Critical Cyber Assets''. Only facilities that are self-designated by the regulated entities as ``Critical Cyber Assets'' are covered under the CIP standards. In order to help guide their decisions, the CIP standards identify categories of ``Critical Assets'' as a starting point in the process. If the entities have any ``Critical Assets'' (i.e., such as generating stations at 1500 MW or above, reactive power supplies at 1000 MVAR or above, transmission facilities at 500 kV or above, etc.), they are then required to determine if they have any ``Critical Cyber Assets'' at these facilities and if they decide that they do, those facilities will fall under the CIP standards. Entities can only designate ``Critical Cyber Assets'' from the ``Critical Asset'' list.

In Order No. 761, the Commission supported the application of the tiered-approach in the National Institute of Standards and Technology (NIST) Framework. That framework would, among other things, (1) ensure that all Cyber Systems associated with the Bulk-Power System, based on their function and impact, receive some level of protection; (2) customize protection to the mission of the cyber systems subject to protection; and (3) apply a tiered approach to security controls that specifies the level of protection appropriate for systems based upon their importance to the reliable operation of the Bulk-Power System. The Commission stated that incorporating these applicable features of the NIST Framework into the CIP Reliability Standards would be a positive step in improving cyber security for the Bulk-Power System. In addition to considering the NIST Framework, the Commission in Order No. 761 stated that the criteria adopted for the purpose of identifying Critical Cyber Assets should include a cyber asset's ``connectivity'' and its potential to compromise the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to address these issues. NERC, in its comments to the CIP Version 4 proceeding, stated that it is incorporating into the Version 5 CIP Reliability Standards the NIST risk-based approach.

Question 3. We hear a lot about the potential benefits from smart grid systems, including reduced rates and improved reliability. However, we're starting to hear more about an unintended consequence from smart grid systems--namely that the smart grid's reliance on IT systems and networks exposes the electric grid to cybersecurity vulnerabilities which could be exploited by attackers. In the 2007 energy bill, Congress directed NIST to develop smart grid interoperability standards that FERC would later adopt. I understand that while NIST has developed these standards, FERC has not yet taken action because of a lack of consensus on the standards.

a. The 2009 stimulus bill provided over $4 billion in smart grid funding before these NIST interoperability standards were even developed. In fact, the stimulus bill provided $10 million in funding for NIST to perform the standard development work. What cybersecurity protections were included in the smart grid assets purchased with stimulus money? Doesn't it cost more to implement security after the network is already up and running?

Answer. I do not know what cyber security protections were included in any assets purchased with the stimulus money, since this program was administered by the Department of Energy. Generally, it costs more and may be less effective to implement security after a network is installed.

b. GAO has previously suggested that FERC monitor industry compliance with NIST's voluntary smart grid standards. Has the Commission done so? If not, why not? What is FERC doing in the smart grid arena with regard to cybersecurity standards?

Answer. The Commission has not monitored compliance with NIST's voluntary smart grid standards.
Much of the smart grid involves facilities used in local distribution, which are not under the Commission's Federal Power Act (FPA) jurisdiction. However, Commission staff attends and observes meetings of the NIST Cyber Security Working Group, Smart Grid Task Force, and participates in a collaborative with the National Association of Regulatory Utility Commissioners concerning the smart grid. Commission staff also regularly performs outreach to NIST and the Smart Grid Interoperability Panel and is following the development of smart grid standards. Commission staff also monitors developments of the North American Synchrophasor Initiative (NASPI) relative to applicable cyber security standards. Lastly, pursuant to its FPA 215 responsibilities, Commission staff attends and participates in the NERC standards development process--including the CIP standards. Commission staff offers guidance that can include information relevant to the smart grid.

Question 4. You testified that because FERC's Federal Power Act authority does not extend to local distribution facilities there may be some ``significant facilities [that are] vulnerable to the threat of a cyber or physical attack.'' Mr. Snitchler's testimony included a snapshot of state actions, including those undertaken in New York, that demonstrate a proactive stance on cyber security. Are there particular cities or local facilities where FERC is concerned no action has been taken by your state counterparts to protect their distribution system from cyber incursions?

Answer. I cannot identify specific cities or local facilities where no action has been taken by the states but am aware of the types of risks which such facilities might be facing.

Question 5. Throughout your testimony you note your frustration with the time it takes for NERC and its stakeholder process to develop these cybersecurity standards. However, NERC filed its enhanced Critical Cyber Asset Identification Standard (CIP-002 version 4) with the Commission in February 2011 and it took FERC a full 14 months to approve that revision. Why is it taking so long for the Commission to act on such filings and what can the Commission do by way of improvement?

Answer. In general, the Commission could shorten the time to process the NERC filings using an Order versus a Notice of Proposed Rulemaking (NOPR). The NOPR process requires the Commission to propose Commission action on the standard. The Commission must then solicit comments on the NOPR and issue a Final Rule on the proposed standard. Although longer, the NOPR process allows for open communication between the Commission and the commenters including opportunities for meetings between Commission members and individual stakeholders and industry interest groups on the Commission's proposed dispositions. Because the Commission may not directly author or modify a reliability standard under section 215, the NOPR process is the most effective way to detail the Commission's concerns regarding a proposed reliability standard before issuing a final rule regarding that standard. In Order No. 693, the Commission stated that it anticipates that it will address most, if not all, new Reliability Standards proposed by NERC through the more open rulemaking process which has been strongly preferred by industry. Additionally, the CIP cyber security standards are extremely technical and it takes both the Commission time to appropriately analyze them and the industry time to prepare its comments to the Commission's proposed rule. These procedures, which ensure the Commission has a sufficient record on which to act on the technical aspects of the cyber security standards, take time to implement.

Specifically with respect to the Version 4 standards, on February 10, 2011, NERC filed a petition seeking Commission approval of the Version 4 CIP Reliability Standards. On April 12, 2011, Commission staff issued a data request to NERC in order to receive supplemental information necessary to understand the filing because the filing lacked information necessary for the Commission to process it. On April 13, 2011, NERC requested an extension of time to respond to a portion of the Commission's April 12, 2011 data request. The Commission granted this request, and NERC provided the information on May 27, 2011 and June 30, 2011. The Commission issued the Notice of Proposed Rulemaking September 15, 2011 and allowed 60 days from publication in the Federal Register for the industry to comment, or November 21, 2011. The Commission then issued the final rule on April 19, 2012, 150 days later, after reviewing comments from 28 entities and reply comments from NERC.

Question 6. The electricity sector has told us that what it needs in the event of a cybersecurity emergency is timely, specific, and actionable information. Does FERC agree? What do the words ``timely, specific and actionable'' mean to FERC?

Answer. I agree with this statement. I believe that ``timely, specific and actionable'' means that, to prevent a significant risk of disruption to the grid, the information should allow mitigating action to be taken before a cyber security event. Because cyber events have the ability to compromise multiple systems simultaneously, both prevention and quick intervention are key. Sufficient and accurate information about both the vulnerability and the targeted systems must be available to develop specific details regarding how to defend, mitigate, or eradicate a cyber attack as quickly as possible, which may require pre-emptive mandatory actions in order to be effective. Specific and actionable means that the information must be detailed in a manner for the owner/operators to be able to quickly apply the mitigations to the equipment allowing for prevention or mitigation of a cyber attack.

Question 7.
On Thursday, July 19, 2012, FERC approved an order that allows the ERO to fine the Southwestern Power Administration up to $19,500 for violating two cybersecurity-related reliability standards in July 2011. Please explain the nature of these cybersecurity violations. I understand that DOE believes the federal government is exempt from such penalties under the Federal Power Act. Please specify for the Committee why the federal government is, in fact, subject to compliance with the FERC/NERC reliability standards, including cybersecurity standards.

Answer. That order is subject to rehearing, so I cannot comment at this time on the issues presented in the proceeding. For your convenience, attached is the Commission's order in that proceeding.

Responses of Joseph McClelland to Questions From Senator Barrasso

In your testimony, you state that ``[t]he Commission is committed to protecting the reliability of the nation's bulk electric system.'' However, I am concerned that the Commission, under Chairman Wellinghoff, has downplayed the cumulative impact of EPA's new and proposed regulations on electric reliability. On May 17, 2011, Senator Murkowski sent a letter to Chairman Wellinghoff inquiring about the impact of EPA's regulations on reliability. Commissioner Norris has testified that he had three conversations last year with Heather Zichal, Deputy Assistant to the President for Energy and Climate Change Policy, ``regarding FERC staff's review of EPA regulations.'' Commissioner Norris testified that Ms. Zichal contacted him on two occasions--in late June or July of 2011--``for information on the timing of the FERC studies on the reliability impact of the pending EPA Rules and the timing of FERC responses to Sen. Murkowski's questions to the Commissioners.'' Notably, Chairman Wellinghoff and Commissioners Norris and LaFleur did not respond to Senator Murkowski until August 1, 2011--more than two months after receiving the Senator's letter. In their response, the Chairman and Commissioners Norris and LaFleur revealed that your staff had--after almost one year--completed only an ``informal assessment'' of the impact of EPA's regulations on reliability. Your staff's analysis found that as much as 41 GW of coal-fired generating capacity was ``very likely'' to retire, with another 40 GW ``likely'' to retire, on account of EPA's regulations. On September 14, 2011, Chairman Wellinghoff testified before the House Subcommittee on Energy and Power and characterized your staff's analysis as ``back-of-the-envelope.'' However, your staff's analysis, as far as I can tell, is turning out to be a reasonably accurate prediction of the retirements. I am concerned that it took an inquiry from this Committee to bring your staff's analysis to light. I am also concerned about the timing of that analysis.

Question 1. Have you or any member of your staff had any direct or indirect contacts or exchanges, in person, by telephone, electronic mail, or otherwise (e.g., together with or in the company of the Chairman or any Commissioner(s)), with Ms. Zichal or anyone in the Executive Office of the President (EOP) about the potential impact of EPA's regulations on electric reliability or on any other subject (e.g., the ``informal assessment'' as Chairman Wellinghoff used the term in his correspondence with Senator Murkowski, or ``FERC staff's review'' or ``FERC studies'' as Commissioner Norris used the terms in his testimony)? If so, please list the dates the contacts or exchanges took place and provide the names and titles of the individuals involved in these contacts or exchanges.

Answer. To the best of my knowledge, neither I nor my staff has had any direct or indirect contacts with Ms. Zichal or anyone in the Executive Office of the President on these issues, except as noted in the Chairman's response to Senator Murkowski's May 17, 2011 letter.

Question 2. What was the purpose and the subject matter of the contact(s) or exchange(s) you have identified in question 1?

Question 3. Have you or any member of your staff advised or provided any information to the Chairman or any of the Commissioners in connection with any contact or exchange (to include, as in question 1 above, in person, by telephone, electronic mail, or otherwise) that the Chairman or any Commissioner may have had with Ms. Zichal or others in the EOP? If so, (a) what was the purpose and the subject matter of the advice or information you or your staff gave to the Chairman or Commissioner(s) in connection with contacts or exchanges with Ms. Zichal or others in the EOP; and (b) please list the dates the contacts or exchanges took place and provide the names and titles of the individuals involved in these contacts or exchanges.

Answer. No.

______

Response of Todd A. Snitchler to Question From Senator Bingaman

Question 1. Mr. Wilshusen has recommended that FERC coordinate with the states and other nonjurisdictional entities (such as Coops or munis) to evaluate the extent to which utilities are complying with voluntary standards and to develop strategies for addressing gaps in compliance. Does that sound like a recommendation that you would welcome? Would it work, given the splits in jurisdiction, differences in state laws and regulations and the fact that many entities are jurisdictional neither at the state or federal level?

Answer. Recognition must be given that voluntary standards are, indeed, voluntary. By requiring utilities to develop strategies for addressing ``gaps in compliance'', these ``voluntary'' standards then become ones which are mandatory. I do not believe we are all (FERC, states, utilities) in agreement with respect to mandatory standards or which standards, if any, ought to be mandatory.
However, I believe that there could be benefits to having increased coordination between the states, non-jurisdictional entities, jurisdictional utilities, and the federal government in addition to the existing FPA Sec. 215 process. A collective meeting of the parties would be useful in sorting out and resolving these issues.

Response of Todd A. Snitchler to Question From Senator Murkowski

Question 1. You note that the Ohio PUC has worked closely with the Wright Patterson Air Force Base. What can you tell us about your state's efforts in working with the military?

Answer. The Public Utilities Commission of Ohio has met with Wright Patterson Air Force Base (WPAFB) representatives on a variety of topics and issues over the years. Our staff addressed WPAFB representatives on energy assurance issues back in 2009. At that time, the PUCO encouraged WPAFB personnel to engage in meaningful discussions with their local electric utility regarding the specific needs and concerns for base operations, enhanced reliability requirements, and mitigating threats to these enhanced reliability requirements (including generation/supply, distribution/delivery, and system security--physical as well as cyber). Also at that time, the PUCO offered to facilitate those discussions, but was assured that appropriate base personnel would work directly with the appropriate utility personnel on these issues. Subsequently, the PUCO extended an invitation to WPAFB representatives to participate in Ohio's Energy Assurance tabletop exercise conducted in June 2011; a major component of the event featured a cybersecurity panel discussion with representatives from: the U.S. Department of Energy's Cybersecurity for Energy Delivery Systems (CEDS) program; the Supervisory Special Agents for the Cyber Squads in the Cincinnati and Cleveland Divisions of the U.S. Federal Bureau of Investigation; a Cyber Security Advisor from the U.S. Department of Homeland Security's National Cyber Security Division; the two Protective Security Advisors from the U.S. Department of Homeland Security's Office of Infrastructure Protection which serve the State of Ohio; and Ohio's Homeland Security Advisor. Additionally, the PUCO met with representatives from the electric utility serving WPAFB as early as 2009 to discuss the utility's cybersecurity program and posture.

The PUCO also was instrumental in working with the U.S. Air Force at WPAFB to eliminate our nation's, and especially our military's, dependence on foreign oil. Research into synthetic fuel from domestic coal, shale, biomass, and other sources using the Fischer-Tropsch process in order to reduce our dependence on foreign oil and achieve greater price stability has resulted in the creation of the Assured Aerospace Fuels Research Facility (AAFRF). This lab was created to perform essential research and development of these coal-to-liquid, biomass-to-liquid, and shale-to-liquid synthetic fuel technologies. It serves as an excellent research tool for professional researchers from government, academia, and industry as well as training grounds for creating skilled operators, technicians, and researchers for future commercial facilities.

Responses of Todd A. Snitchler to Questions From Senator Barrasso

Question 1. In your testimony, you state that ``one-size solutions for cybersecurity may not be the most effective means to mitigate and reduce known vulnerabilities.'' Would you expand upon your comments for the Committee?

Answer. Broad-based principles regarding good cybersecurity practices may be more appropriate for utility applications. Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition Systems (SCADA) tend to be very specialized equipment monitoring and controlling extremely complex networks. What may be considered a best-practices approach for one control system may not function as a best-practices approach for a different control system. The existing differences in approaching cybersecurity utilized by the utilities and also the RTOs actually have a positive effect in that an attack on one utility's system will not necessarily bring down all systems because each has its own method of ensuring their cybersecurity. By allowing disparate approaches to solving the cybersecurity issue, while establishing the broad based, best practices, we potentially strengthen defenses against attacks to the grid.

Question 2. In your testimony, you state that ``smart grid [technology] fundamentally makes the electric system more secure.'' However, you also say that ``this technology brings with it new vulnerabilities. . .which should be taken extremely seriously.'' Would you expand upon the vulnerabilities that smart grid technology brings to our electric grid?

Answer. The ``Smart Grid'' too often is defined as being synonymous with ``smart meters'' or advanced metering infrastructure (AMI). Other important portions of the Smart Grid often overlooked include synchrophasors, protective relays, reclosers, and substation automation, among others. These components improve fault-detection capabilities and enable self-healing of the electricity grid. Taken as a whole, these technologies do make the electric system more secure and more reliable. The additional vulnerabilities are introduced by converting previously one-directional flows of power and information to become bi-directional. As additional points of data collection and gathering are introduced, so, too, are there additional points where hackers or other non-native data sources may introduce false information feeds into the network in an attempt to cause disruptions or system actions undesirable to the system operators. Finally, each new potential access point creates a remote source of entry to the system.
It is essential to security protocols that proper backstopping from those potential entry points ensure that remote access is denied and the system is able to lock out or compartmentalize the access points to ensure that access, if secured, can be isolated and prevent substantial harm to the system.

Question 3. In your testimony, you explain that state regulators and industry ``are unable to provide the. . .protection necessary to help secure our nation's critical infrastructure if the relevant Federal agencies do not provide actionable information to address imminent threats.'' You go on to say that ``asset owners who provide information about their systems to Federal agencies in the spirit of cooperation. . .never receive truly meaningful, actionable, timely information in return.''

a. Do you know why the Federal government is not sharing this information with state regulators and industry?

Answer. An often-cited answer is lack of security clearances in order to share specific threat information with state regulators or industry. This is understandable for specific threat information. Present practice provides monthly or intermittent threat briefings to the electricity sector, yet such threat information is often too stale or so non-specific as to be un-actionable. Surely an opportunity exists to provide more timely or actionable information without disclosing classified information. Addressing this fundamental problem would be a tremendous help to state regulators and, I expect, to the electricity industry. For instance, in the case of the ``Aurora'' situation, the federal government and its regulators in essence told the electric utility sector, ``we have a secret problem on our hands and we can't tell you what it is. . . .now go fix it.'' In this specific case, the government knew of a vulnerability (they created it in a lab), and wanted that vulnerability addressed yet would not or could not disclose that information at that time. There must be a way for the federal government to provide such actionable intelligence in a timely manner so that those that need to take action know what action to take before the vulnerability becomes a threat and a threat becomes a tragedy.

b. Do state regulators and industry lack the security clearances necessary to obtain this information?

Answer. A lack of security clearances by regulators and utilities often is cited as the primary impediment to sharing of information by the federal government. However, granting additional regulatory authority to FERC or another federal agency does nothing to change that fact. Therefore, it would appear that it might be worth some time devising a means for the federal government to share relevant, actionable, and timely information with state regulators and utilities without divulging the methods or sources by which that information has been obtained. Additionally, the federal agencies responsible for providing security clearances should establish a consultative process with those in the electricity sector (state government and industry) to identify to whom or to which positions within the industry and/or state government ought to be provided an opportunity to gain the necessary clearance and at what level. The agencies should then be instructed to establish a procedure to thoroughly review and process these requests. In order to secure timely transfer of information, select members of state commissions and/or utilities should be considered for security approval and permitted access to information critical to maintenance and protection of the grid.

Question 4. In your testimony, you state that ``our utilities can provide a `gold-plated' or even a `platinum-plated' system which is ultra-cyber secure.'' However, you go on to ask ``how much more do we want a kilowatt hour of electricity to cost?'' Would you discuss the potential impact of new cyber security investments on ratepayers?

Answer.
It is difficult to assess a financial cost of cybersecurity investments imposed by a federal regulatory agency not yet granted the authority to order such investments. It also is difficult to ascertain what cybersecurity requirements might be imposed by such a scheme. Yet, nothing is too expensive for one who doesn't have to pay the bill.

My point is this: there are risks these businesses must manage every day in running their utility systems. Cybersecurity is one more of those risks that must be managed. There is a definite role for the federal and state governments to assist these critical infrastructures in securing their networks. But, as stated above, a best-practices approach for one utility, when applied to another utility, may not have the same positive impact on that second utility's cybersecurity posture. In other words, what may be prudent and necessary cybersecurity infrastructure expenditures for a utility system in Washington, DC, which houses much of our federal government, may not be appropriate in Houston, Texas, which houses petroleum refining. And neither of the appropriate cybersecurity expenditures in those two instances may be prudent to a utility serving Pleasantville, Ohio.

The opportunity exists for the federal and state governments to ensure appropriate cost recovery for necessary cybersecurity remediations or enhancements. Undoubtedly, these utility control systems must become more secure and resilient; but most beneficial would be federal guidance to the electricity sector and state regulatory bodies that would assist us in determining how to best direct scarce resources in the most cost-effective appropriate fashion to be directed against the most imminent threats and against the likely vulnerabilities to the electricity sector. In the end, we cannot, and we should not, expend resources on every known vulnerability: it would just be too expensive.

For instance, to use the analogy of physical security, we could place 24-hour manned guardhouses at the base of each major electric transmission tower in order to prevent the vulnerability of a terrorist bringing down the grid with the destruction of multiple towers in several key locations. However, this would be a very expensive solution for a low probability vulnerability. We must address the cybersecurity threats and vulnerabilities just as we address the physical security threats and vulnerabilities to our nation's infrastructure.

Question 5. At what point do the costs and vulnerabilities associated with smart grid technology outweigh the value for ratepayers?

Answer. There is no simple answer to the question posed here. The experience of power outages brought on by storm activity is fundamentally no different than a cyber attack that may disable the grid. A cost-benefit analysis must be performed--either explicitly or implicitly--to ascertain if the costs associated with the risk are worth the benefit achieved by implementation of the grid. The self-healing ability of the smart grid, shorter outage times and increased reliability are all substantial benefits as a result of the use of the smart grid. Further, in restructured markets customers have greater access to options to control their utility usage and control their costs, and the increasingly varied pricing options available are all dependent on the utilization of the smart grid tools.

______

Government Accountability Office,
Washington, DC, August 2, 2012.

Hon. Jeff Bingaman,
Chairman, Committee on Energy and Natural Resources, U.S. Senate.
Subject: Responses to Questions for the Record; Hearing on Status of Action Taken to Ensure that the Electric Grid Is Protected from Cyber Attacks

This letter responds to your July 26, 2012, request that we reply to additional questions arising from the Committee's July 17, 2012, hearing on the status of actions to protect the electricity grid from cyber attacks. At the hearing, we discussed (1) cyber threats facing cyber-reliant critical infrastructures, which include the electricity grid, and (2) actions taken and challenges remaining to secure the grid against cyber attacks.\1\ The enclosure provides our responses, which are primarily based on previously issued products that were performed in accordance with generally accepted government auditing standards.\2\
---------------------------------------------------------------------------
\1\ GAO, Cybersecurity: Challenges in Securing the Electricity Grid, GAO-12-926T (Washington, D.C.: July 17, 2012).
\2\ Including: GAO-12-926T; Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use, GAO-12-92 (Washington, D.C.: Dec. 9, 2011); Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, GAO-11-117 (Washington, D.C.: Jan. 12, 2011); Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007); and Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks, GAO-08-526 (Washington, D.C.: May 21, 2008).
---------------------------------------------------------------------------

Should you or your office have any questions on the matters discussed in this letter, please contact me at (202) 512-6244 or [email protected] or David C. Trimble, Director, Natural Resources and Environment, at (202) 512-3841 or [email protected]

Sincerely yours,
Gregory C. Wilshusen,
Director, Information Security Issues.

[Enclosure.]

Responses to Questions From Senator Bingaman

Question 1. You recommend that FERC develop an approach to coordinate with state regulators and entities that are not subject to state regulation to evaluate the extent to which utilities and manufacturers are following voluntary standards, and to develop strategies for addressing gaps in compliance with standards. What encourages you to believe that efforts like this could be successful?

Answer. Electricity industry regulation is fragmented, with oversight responsibility divided among various regulators at the federal, state, and local levels. Such regulatory fragmentation can make it difficult for individual regulators to develop an industry-wide understanding of whether utilities and manufacturers are following voluntary standards. This is due to the large number of regulators in the industry--the Federal Energy Regulatory Commission (FERC), electricity regulators in 50 states and the District of Columbia, and regulators of thousands of cooperative and municipal utilities--and their potentially limited visibility over parts of the grid outside their jurisdiction. This complex reality of electricity regulation led us to believe that a coordinated approach to monitoring whether utilities and manufacturers follow voluntary standards would be more successful than an approach in which one or more regulators attempted such an assessment on its own.

We are encouraged by the fact that FERC has previously worked with state regulators and groups representing entities not subject to state regulation on a range of issues. For example, we reported that FERC and the state commissions had already begun initial collaboration on smart grid and demand-response issues,\3\ and these and other entities have also collaborated on other topics, including issues related to Regional Transmission Organizations and electric reliability and environmental regulations.
---------------------------------------------------------------------------
\3\ GAO-11-117.
---------------------------------------------------------------------------

Question 2. I think that you are primarily talking about the NIST smart grid standards that FERC did not adopt because they did not find sufficient consensus in the industry to do so. Do you believe that FERC has the authority to adopt those standards without such consensus?

Answer. Section 1305(d) of the Energy Independence and Security Act (EISA)\4\ provides that any time after the National Institute of Standards and Technology's (NIST) work has led to sufficient consensus in FERC's judgment, FERC shall institute a rulemaking proceeding to adopt such standards and protocols as may be necessary to ensure smart-grid functionality and interoperability. In July 2011, FERC declined to institute a rulemaking procedure to adopt initial smart grid standards identified as a part of the NIST efforts, finding that there was not sufficient consensus to do so. EISA does not give FERC authority to adopt the standards in the absence of a determination by FERC that sufficient consensus has been achieved.
---------------------------------------------------------------------------
\4\ EISA Sec. 1305(d), Pub. L. No. 110-140, Sec. 1305(d), 121 Stat. 1492, 1788 (Dec. 19, 2007).
---------------------------------------------------------------------------

As noted in our testimony statement, smart grid standards identified through the NIST-led process outlined under EISA are voluntary unless regulators use other authorities to indirectly compel utilities and manufacturers to follow them. In this regard, FERC's authority over the rates, terms, and conditions of transmission and wholesale sales in interstate commerce and its responsibility for reliability standards for the bulk-power system may be relevant. For instance, to the extent that smart grid interoperability and cybersecurity standards are deemed necessary by FERC to ensure the reliability of the bulk power system, these standards could be considered through reliability-based authority provided under the Federal Power Act.\5\ Under this authority, the North American Electric Reliability Corporation (NERC) can develop standards to protect the reliability of the bulk power system, or be requested by FERC to do so. If approved, such standards would be considered mandatory and enforceable by both NERC and FERC. However, the FERC Chairman has described limitations on FERC's reliability jurisdiction in the context of securing smart grid systems.\6\
---------------------------------------------------------------------------
\5\ See Sec. 215 of the Federal Power Act, 16 U.S.C. Sec. 824o.
\6\ Letters from the FERC Chairman to Chairman Inouye and Ranking Member Cochran and to Chairman Rogers and Ranking Member Dicks on actions taken in response to GAO-11-117 (Feb. 14, 2012).
---------------------------------------------------------------------------

Responses to Questions From Senator Murkowski

Question 1. Many of the hearing witnesses noted that you simply cannot protect an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions that while you can try to ``gold-plate'' or even ``platinum-plate'' a system, the critical infrastructure we're trying to protect will become too expensive to run. Instead, he suggests we prioritize, using a risk-based approach. Please comment on the issue of cybersecurity costs and the suitability of using a risk-based approach. Do you agree with Mr. Snitchler that we should be protecting ``diamonds like diamonds'' and ``apples like apples''?

Answer.
We have reported on the importance of using a risk-based approach for securing critical infrastructures, including control systems.\7\ Risk management has received widespread support within and outside government as a tool that can help set priorities on how to protect critical infrastructures.\8\ Security controls identified through a risk management process should be cost-effective and reduce risk to an acceptable level. In making decisions about risks associated with the electricity grid, other sectors' reliance on electricity should be an important consideration.\9\ Due to these interdependencies, the consequences of an attack on the electricity grid could cascade across many sectors, impacting our national economy and security and the health and well-being of citizens.
---------------------------------------------------------------------------
\7\ See GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
\8\ Risk is the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
\9\ Federal policy established 18 critical infrastructure sectors, including the energy sector, which has two subsectors for oil and gas and for electricity. Other sectors include: banking and finance; chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; food and agriculture; government facilities; health care and public health; information technology; national monuments and icons; nuclear reactors, materials, and waste; postal and shipping; transportation systems; and water.
---------------------------------------------------------------------------

In relation to the need for risk-based approaches, we testified that, in May 2012, the Department of Energy released the Electricity Subsector Cybersecurity Risk Management Process.\10\ The guideline is intended to ensure that cybersecurity risks for the electric grid are addressed at the organization, mission or business process, and information-system levels. We have not evaluated this guide.
---------------------------------------------------------------------------
\10\ U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003 (Washington, D.C.: May 2012).
---------------------------------------------------------------------------

Question 2. We hear a lot about the potential benefits from smart grid systems, including reduced rates and improved reliability. However, we're starting to hear more about an unintended consequence from smart grid systems--namely that the smart grid's reliance on IT systems and networks exposes the electric grid to cybersecurity vulnerabilities which could be exploited by attackers. In the 2007 energy bill, Congress directed NIST to develop smart grid interoperability standards that FERC would later adopt. I understand that while NIST has developed these standards, FERC has not yet taken action because of a lack of consensus on the standards. The 2009 stimulus bill provided over $4 billion in smart grid funding before these NIST interoperability standards were even developed. In fact, the stimulus bill provided $10 million in funding for NIST to perform the standard development work. What cybersecurity protections were included in the smart grid assets purchased with stimulus money? Doesn't it cost more to implement security after the network is already up and running?

Answer.
We have not conducted the work necessary to answer the question regarding what cybersecurity protections were included in the smart grid assets purchased with stimulus money. However, with respect to the Smart Grid Investment Grant program that received additional funds under the American Recovery and Reinvestment Act of 2009, the Department of Energy Inspector General found that three of the five cybersecurity plans (required to be submitted by grantees) that it reviewed were incomplete, and did not always sufficiently describe security controls and how they were implemented.\11\ While this finding cannot be projected across all such grants, it indicates a risk that grantors and grantees were not adequately considering security prior to the issuance of grants.
---------------------------------------------------------------------------
\11\ U.S. Department of Energy, Office of the Inspector General, Office of Audits and Inspections, Audit Report: The Department's Management of the Smart Grid Investment Grant Program, OAS-RA-12-04 (Washington, D.C.: January 20, 2012).
---------------------------------------------------------------------------

Generally, implementing information security features after the technology is operating is more difficult and more costly than is designing and developing the technology with security in mind.

Responses to Questions From Senator Barrasso

Question 1. The President's stimulus bill provided about $3.5 billion for the Smart Grid Investment Grant program. In January of this year, the Department of Energy's Inspector General issued a report about this program. The Inspector General stated that DOE ``approved cyber security plans for Smart Grid projects even though some of the plans contained shortcomings.'' The Inspector General also stated that DOE ``was so focused on quickly disbursing [stimulus] funds that it had not ensured [its] personnel received adequate grants management training.'' In the Department's rush to deploy smart grid technology, has it compromised the security of our nation's electric grid?

Answer. We have not examined the cybersecurity aspects of the smart grid technology deployed through DOE's Smart Grid Investment Grant program and thus cannot comment on its impact to the security of the nation's electric grid.

Question 2. Would you please estimate how much it will cost to secure the smart grid systems that have been deployed as a result of stimulus funding?

Answer. We have not conducted the work necessary to answer this question.

Question 3. Who is likely to bear the costs identified in question 2? Will it be asset-owners? Will it be ratepayers? Will it be Federal taxpayers?

Answer. As noted above, we have not conducted the work necessary to estimate how much it will cost to secure smart grid systems deployed as a result of stimulus funding. As noted in previous questions, some federal taxpayer money is being spent on smart grid systems under the Smart Grid Investment Grant Program. However, it is unlikely that federal taxpayers would be responsible for the costs associated with additional activities to secure these smart grid systems unless additional funds were designated by Congress for that purpose.

In general, however, smart grid investments--like other electricity investments made by utilities--may be paid for in one of a number of ways. The costs of investments in electricity systems may be passed on to ratepayers if they are approved by the relevant regulator according to that regulator's standards for rate recovery. In cases where an investment is not approved by the relevant regulator, the owners of the asset may have to bear the cost of the investment.