[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                    CYBERSECURITY FOR POWER SYSTEMS

=======================================================================

                              JOINT HEARING

                               BEFORE THE

                        SUBCOMMITTEE ON ENERGY &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            October 21, 2015

                               __________

                           Serial No. 114-43

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 
 
        Available via the World Wide Web: http://science.house.gov
        
        
                              ____________
                              
                              
                     U.S. GOVERNMENT PUBLISHING OFFICE
97-762PDF                 WASHINGTON : 2017                     
_________________________________________________________________________________________       
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
BILL JOHNSON, Ohio                   ED PERLMUTTER, Colorado
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
STEVE KNIGHT, California             MARK TAKANO, California
BRIAN BABIN, Texas                   BILL FOSTER, Illinois
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
                                 ------                                

                         Subcommittee on Energy

                   HON. RANDY K. WEBER, Texas, Chair
DANA ROHRABACHER, California         ALAN GRAYSON, Florida
RANDY NEUGEBAUER, Texas              ERIC SWALWELL, California
MO BROOKS, Alabama                   MARC A. VEASEY, Texas
RANDY HULTGREN, Illinois             DANIEL LIPINSKI, Illinois
THOMAS MASSIE, Kentucky              KATHERINE M. CLARK, Massachusetts
STEPHAN KNIGHT, California           ED PERLMUTTER, Colorado
BARBARA COMSTOCK, Virginia           EDDIE BERNICE JOHNSON, Texas
BARRY LOUDERMILK, Georgia
LAMAR S. SMITH, Texas
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas             ELIZABETH H. ESTY, Connecticut
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon
DAN NEWHOUSE, Washington             ERIC SWALWELL, California
GARY PALMER, Alabama                 EDDIE BERNICE JOHNSON, Texas
RALPH LEE ABRAHAM, Louisiana
LAMAR S. SMITH, Texas
                            
                            C O N T E N T S

                            October 21, 2015

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Randy K. Weber, Chairman, 
  Subcommittee on Energy, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Suzanne Bonamici, Minority Ranking 
  Member, Subcommittee on Environment, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

                               Witnesses:

Mr. Brent Stacey, Associate Lab Director for National & Homeland 
  Science and Technology, Idaho National Lab
    Oral Statement
    Written Statement

Mr. Bennett Gaines, Senior Vice President, Corporate Services and 
  Chief Information Officer, FirstEnergy Service Company
    Oral Statement
    Written Statement

Ms. Annabelle Lee, Senior Technical Executive in the Power 
  Delivery and Utilization Sector, Electric Power Research 
  Institute
    Oral Statement
    Written Statement

Mr. Greg Wilshusen, Director of Information Security Issues, 
  Government Accountability Office
    Oral Statement
    Written Statement
Discussion

             Appendix I: Answers to Post-Hearing Questions

Mr. Brent Stacey, Associate Lab Director for National & Homeland 
  Science and Technology, Idaho National Lab

Mr. Bennett Gaines, Senior Vice President, Corporate Services and 
  Chief Information Officer, FirstEnergy Service Company

Mr. Greg Wilshusen, Director of Information Security Issues, 
  Government Accountability Office

            Appendix II: Additional Material for the Record

Statement submitted by Representative Barbara Comstock, 
  Chairwoman, Subcommittee on Research and Technology, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives

Statement submitted by Representative Lamar S. Smith, Chairman, 
  Committee on Science, Space, and Technology, U.S. House of 
  Representatives

Statement submitted by Eddie Bernice Johnson, Ranking Member, 
  Committee on Science, Space, and Technology, U.S. House of 
  Representatives

 
                    CYBERSECURITY FOR POWER SYSTEMS

                              ----------                              


                      WEDNESDAY, OCTOBER 21, 2015

                  House of Representatives,
                   Subcommittee on Energy &
           Subcommittee on Research and Technology,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:04 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Randy 
Weber [Chairman of the Subcommittee on Energy] presiding.

    Chairman Weber. Good morning, and welcome to today's joint 
Energy and Research and Technology Subcommittee hearing 
examining cyber threats to American energy systems.
    Today, we will hear from an expert panel on the growing 
threat of cyber attacks to the nation's electric grid. Our 
witnesses today will also provide insight into how industry and 
the federal government are working together, or maybe in some 
instances not working together, to anticipate cyber threats, 
and improve the reliability and resiliency of our electric grid 
against those cyber attacks.
    The reliability of America's power grid is one of our 
greatest economic strengths. I like to say, the things that 
make America great are the things that America makes, and how 
do we do that? With an affordable, reliable, dependable 
electricity supply.
    In my home State of Texas, reliable and affordable power 
serves a population that is increasing by more than 1,000 
people a day, and it provides power to the energy-intensive 
industries that drive consumption. Texas is by far the nation's 
largest consumer of electricity. Keeping the Texas power grid 
reliable and secure is key to continuing this economic growth.
    But as we established in a hearing on broad threats to the 
power supply earlier this year, utilities face significant 
threats to that same reliable delivery of power. Our electric 
grid is particularly vulnerable to growing cybersecurity 
threats as the grid is modernized, as distributed energy, 
electric vehicles, and modernized digital operating systems 
create more access points for cyber attacks. And while the 
nation's industrial control systems for the grid are analog 
systems designed to last for decades, digital IT systems must 
constantly adapt to combat evolving cyber threats.
    Small-scale cyber and physical attacks to our electric grid 
are estimated to occur once every four days, and in over 300 
cases of significant cyber and physical attacks since 2011, 
suspects have never been identified. Now, let me repeat that. 
In over 300 cases of significant cyber and physical attacks 
since 2011, no suspects have been identified.
    We often think of cybersecurity and other threats to the 
power grid at a macro scale, but these types of attacks can 
occur even at a local level. In 2011, the Pedernales Electric 
Co-op, a non-profit co-op that serves approximately 200,000 
customers north of San Antonio, was struck by a cyberattack. 
While the attack thankfully did not disrupt power to consumers, 
it is a stark reminder that threats to the grid are real, and 
they are not going to go away anytime soon.
    Our nation's power supply cannot be protected overnight, 
particularly as utilities struggle to adapt technology to 
manage a growing number of cybersecurity threats. Cyber threats 
to the power grid will continue to evolve, particularly as more 
interconnected smart technologies are incorporated into the 
electric grid. We call those smart meters back in Texas. And as 
protective technology improves, so does the capability and 
creativity of those who are conducting those cyber attacks, 
unfortunately.
    While we cannot predict every method of attack, the federal 
government can and should play a role in assisting industry 
with developing new technology and security safeguards. 
Accordingly, research and development efforts at the Department 
of Energy are focused on providing industry with comprehensive 
tools to conduct internal analysis to identify and address 
cybersecurity weaknesses so that the industry can take the lead 
in addressing these same vulnerabilities.
    That is why testing facilities and cooperative research, 
like the Cyber Security Test Bed at Idaho National Lab, are 
valuable tools to combat cyber threats. At INL, industry can 
test control systems technology in real world conditions, 
reducing response time and risk for future attacks.
    I'd like to say in advance I want to thank the witnesses 
for testifying before the Committee today. I look forward to a 
discussion about cyber threats to our critical infrastructure, 
and how the federal government can provide industry with the 
tools and technology necessary to fight the next generation of 
cyber attacks.
    [The prepared statement of Chairman Weber follows:]

              Prepared Statement of Subcommittee on Energy
                        Chairman Randy K. Weber

    Good morning and welcome to today's joint Energy and Research and 
Technology Subcommittee hearing examining cyber threats to American 
energy systems. Today, we will hear from an expert panel on the growing 
threat of cyber-attacks to the nation's electric grid.
    Our witnesses today will also provide insight into how industry and 
the federal government are working together to anticipate cyber 
threats, and improve the reliability and resiliency of our electric 
grid against cyber-attacks.
    The reliability of America's power grid is one of our greatest 
economic strengths. In my home state of Texas, reliable and affordable 
power serves a population that is increasing by more than 1,000 people 
per day, and provides power to the energy intensive industries that 
drive consumption. Texas is by far the nation's largest consumer of 
electricity. Keeping the Texas power grid reliable and secure is key to 
continuing this economic growth.
    But as we established in a hearing on broad threats to the power 
supply earlier this year, utilities face significant threats to the 
reliability of power delivery. Our electric grid is particularly 
vulnerable to growing cybersecurity threats as the grid is modernized, 
as distributed energy, electric vehicles, and modernized digital 
operating systems create more access points for cyber-attacks.
    And while the nation's industrial control systems for the grid are 
analogue systems designed to last for decades, digital IT systems must 
constantly adapt to combat evolving cyber threats.
    Small scale cyber and physical attacks to our electric grid are 
estimated to occur once every four days. And in over 300 cases of 
significant cyber and physical attacks since 2011, suspects have never 
been identified.
    We often think of cybersecurity and other threats to the power grid 
at a macro scale, but these types of attacks can occur even at the 
local level. In 2011, the Pedernales Electric Co-op, a non-profit co-op 
that serves approximately 200,000 customers north of San Antonio, was 
struck by a cyberattack. While the attack thankfully did not disrupt 
power to consumers, it is a stark reminder that threats to the grid are 
real, and are not going away.
    Our nation's power supply cannot be protected overnight, 
particularly as utilities struggle to adapt technology to manage a 
growing number of cybersecurity threats. Cyber threats to the power 
grid will continue to evolve, particularly as more interconnected smart 
technologies are incorporated into the electric grid.
    And as protective technology improves, so does the capability and 
creativity of those conducting attacks.
    While we cannot predict every method of attack, the federal 
government can and should play a role in assisting industry with 
developing new technology and security safeguards.
    Accordingly, research and development efforts at the Department of 
Energy are focused on providing industry with comprehensive tools to 
conduct internal analysis to identify and address cybersecurity 
weaknesses so that industry can take the lead in addressing these 
vulnerabilities.
    That's why testing facilities and cooperative research, like the 
Cyber Security Test Bed at Idaho National Lab, are valuable tools to 
combat cyber threats. At INL, industry can test control systems 
technology in real world conditions, reducing response time and risk 
for future attacks.
    I want to thank our witnesses for testifying before the Committee 
today. I look forward to a discussion about cyber threats to our 
critical infrastructure, and how the federal government can provide 
industry with the tools and technology necessary to fight the next 
generation of cyber-attacks.

    Chairman Weber. I now recognize Ms. Bonamici.
    Ms. Bonamici. Thank you very much, Chairman Weber, for 
holding this hearing, and thank you to our witnesses for 
participating.
    As many of you know, October is National Cyber Security 
Awareness Month, so it's a fitting time for this hearing today.
    We're all familiar with the increasing frequency of cyber 
attacks that compromise personal and business information. At 
the World Economic Summit earlier this year, cyber threats made 
the top 10 list of the most likely global risks. Lloyd's of 
London estimates that cyber attacks can cost businesses as much 
as $400 billion a year.
    What we're focusing on today is a different kind of 
cybersecurity. It's about securing the electric grid so that a 
cyber attack doesn't affect grid operations, which could halt 
our daily lives and threaten our economic security. These 
attacks often gain entry through an information technology 
system, but, instead of taking corporate data, they directly 
target system operations that can cause havoc and chaos.
    In February of this year, an elite group of hackers broke 
through an electric utility's firewall and gained access to 
their substation controls in just 22 minutes. Luckily the 
attack was a drill initiated at the request of the utility to 
test their system. But this example demonstrates what's 
possible.
    The energy sector continues to report more cyber attacks to 
the Department of Homeland Security, more than any other 
critical infrastructure sector. In just one month the PJM 
Interconnection, which coordinates electricity transactions in 
13 states and in D.C., experienced 4,090 documented cyber 
attempts to attack their system. That's more than five and a 
half attacks on their electrical market system per hour.
    So far, no publicly reported cyber events have resulted 
in an electricity outage in the United States but the 
sophistication of attacks on industrial controls systems is 
increasing.
    Utilities across our country are advancing energy 
efficiency through smart grids and programs like feed-in tariff 
systems. As we discuss ways to keep the grid safe, we also must 
be mindful of doing so without inhibiting innovation.
    Google, Wells Fargo, and Aetna are exploring ways to 
leverage employee behavior as a tool, instead of a 
vulnerability, to build a more secure system. From 
understanding how people swipe their phones, to the patterns 
they use when typing on a keyboard or walking, a better 
understanding of behavioral biometrics is opening the door to 
developing more cyber-secure components and processes. The more 
we understand about human and social behavior, the stronger our 
toolbox. Rather than resting the success of our cybersecurity 
efforts on programs that require changes in human behavior, we 
might have better success if we change our technology and 
processes to fit the behavior of people. And the more we 
understand the behavior of threat actors, the better we can 
design protections.
    So in addition to building a better technology-based 
firewall, we need to invest in developing a better human 
firewall. Our weakest link and our most resilient asset to meet 
the dynamic changing needs of the cyber arms race is us.
    I thank each of our witnesses for being here today, and I 
look forward to hearing what each of you has to say, and thank 
you for sharing your expertise.
    Thank you, Mr. Chairman. I yield back the remainder of my 
time.
    [The prepared statement of Ms. Bonamici follows:]
           Prepared Statement of Subcommittee on Environment
                Minority Ranking Member Suzanne Bonamici

    Thank you, Chairman Weber and Chairwoman Comstock, for holding this 
hearing, and thank you to our witnesses for participating. As many of 
you know, October is National Cyber Security Awareness Month, so it's a 
fitting time for this hearing.
    We are all familiar with the increasing frequency of cyber attacks 
that compromise personal and business information.
    At the World Economic Summit earlier this year, cyber threats made 
the top 10 list of most likely global risks. Lloyd's of London 
estimates that cyber attacks can cost businesses as much as $400 
billion a year.
    What we are focusing on today, however, is a different kind of 
cyber security. It's about securing the electric grid so a cyber attack 
doesn't affect grid operations, which could halt our daily lives and 
threaten our economic security. These attacks often gain entry through 
an information technology system, but, instead of taking corporate data 
they directly target system operations that can cause havoc and chaos.
    In February of this year, an elite group of hackers broke through 
an electric utility's firewall and gained access to their substation 
controls in 22 minutes. Luckily the attack was a drill initiated at the 
request of the utility to test their system. But this example 
demonstrates what's possible.
    The energy sector continues to report more cyber attacks to the 
Department of Homeland Security than any other critical infrastructure 
sector. In just one month the PJM Interconnection, which coordinates 
electricity transactions in 13 states and DC, experienced 4,090 
documented cyber attempts to attack their system. That's more than five 
and a half attacks on their electrical market system per hour.
    So far no publicly reported cyber events have resulted in an 
electricity outage in the U.S. But the sophistication of attacks on 
industrial controls systems is increasing.
    Utilities across our country are advancing energy efficiency 
through smart grids and programs like feed-in tariff systems. As we 
discuss ways to keep the grid safe, we must be mindful of doing so 
without inhibiting innovation.
    Google, Wells Fargo, and Aetna are exploring ways to leverage 
employee behavior as a tool, instead of a vulnerability, to build a 
more secure system. From understanding how people swipe their phones, 
to the patterns they use when typing on a keyboard or walking, a better 
understanding of behavioral biometrics is opening the door to 
developing more cyber-secure components and processes.
    The more we understand about human and social behavior, the 
stronger our toolbox. Rather than resting the success of our 
cybersecurity efforts on programs that require changes in human 
behavior, we might have better success if we change our technology and 
processes to fit the behavior of people. And the more we understand the 
behavior of threat actors, the better we can design protections.
    So in addition to building a better technology-based firewall, we 
need to invest in developing a better human firewall. Our weakest link 
and our most resilient asset to meet the dynamic changing needs of the 
cyber arms race is us.
    I thank each of our witnesses for being here today, and I look 
forward to hearing what each of you has to say.
    Thank you, Mr. Chairman, and I yield back my remaining time.

    Chairman Weber. I thank the gentlelady from Oregon.
    Our first witness today is Mr. Brent Stacey, Associate Lab 
Director for National & Homeland Science and Technology at the 
Idaho National Laboratory. Mr. Stacey earned his bachelor's 
degree from Idaho State University.
    Our next witness is Mr. Bennett Gaines, Senior Vice 
President of Corporate Services and Chief Information Officer 
for FirstEnergy Service Company. Mr. Gaines earned his 
bachelor's degree in social sciences from Baldwin Wallace 
College and his master's degree from the University of Phoenix.
    Next, we have Ms. Annabelle Lee, Senior Technical Executive 
in the Power Delivery and Utilization Sector for the Electric 
Power Research Institute. Ms. Lee received her B.A. from 
Stanford University and her master's degree from Michigan State 
University.
    And our final witness today is Mr. Greg Wilshusen--is it----
    Mr. Wilshusen. Wilshusen.
    Chairman Weber. Wilshusen.
    Mr. Wilshusen. Yes.
    Chairman Weber. Okay. So the rest of the Committee is duly 
notified. Wilshusen, Director of Information Security Issues 
for the Government Accountability Office. Mr. Wilshusen 
received his bachelor's degree in business administration from 
the University of Missouri and his master's degree in 
information management from George Washington University School 
of Engineering and Applied Sciences.
    Welcome to all of you, and Mr. Stacey, you are recognized.

                 TESTIMONY OF MR. BRENT STACEY,

             ASSOCIATE LAB DIRECTOR FOR NATIONAL &

                HOMELAND SCIENCE AND TECHNOLOGY,

                       IDAHO NATIONAL LAB

    Mr. Stacey. Thank you, Chairman Weber, Chairwoman Comstock, 
Ranking Member Grayson, Ranking Member Lipinski, and 
distinguished Members of the Committees. I want to thank you 
for holding this hearing and inviting testimony from Idaho 
National Laboratory, also known as INL.
    INL is acutely aware of the important national challenges 
facing critical infrastructure, especially the infrastructure 
vital to securing our energy supply. For over a decade, INL has 
developed and built capabilities focused on the control systems 
employed by our nation's critical infrastructure. I'd like to 
highlight a few examples out of many which represent how INL 
teaming with others has contributed to the security of our 
infrastructure.
    First, the 2006/2007 Department of Homeland Security's 
Aurora project test, destroying an electrical generator 
connected to INL's power grid, was significant in proving a 
cyber-physical vulnerability in the electric power system.
    Second, for DOE Office of Electricity Distribution and 
Energy Reliability, as the lead laboratory along with Sandia 
National Laboratory for the National Supervisory Control and 
Data Acquisition Test Bed, INL completed more than 100 
assessments on vendor and asset owner control systems to 
identify and resolve cyber vulnerabilities. For DHS, INL 
provides control systems and critical infrastructure experts in 
support of DHS programs including Industrial Control System 
Cyber Emergency Response Team, or ICS-CERT.
    INL remains committed to the complex national security 
challenges that face our nation. As we lean forward pushing the 
limits of science and engineering for control systems security, 
we see a number of trends that offer insight into the direction 
for future research and development. These insights include, 
one, the presumption that a control system is air-gapped is not 
an effective cybersecurity strategy. This has been demonstrated 
by over 600 assessments. Intrusion detection technology is not 
well developed for control system networks. The average length 
of time for detection of a malware intrusion is 4 months and 
typically identified by a third party. As the complexity and 
interconnectedness of control systems increase, the probability 
increases for unintended system failures of high consequence 
independent of malicious intent. The dynamic threat is evolving 
faster than the cycle of measure and countermeasure, and far 
faster than the evolution of policy. And fifth, the demand for 
trained cyber defenders with control systems knowledge vastly 
exceeds the supply.
    In a world in which we are rapidly migrating to the 
Internet of Everything, these insights, and others, highlight a 
seemingly unmanageable, exponentially increasing burden of 
vulnerabilities, attack surfaces and interdependencies.
    INL views this burdensome and dynamic cyber-physical 
landscape, at its most basic level, as a three-tier pyramid of 
defense. The base level is hygiene: the foundation of our 
nation's efforts composed of the day-to-day measure and 
countermeasure battle. Elements of this level include important 
routine tasks such as standards compliance and patching. The 
hygiene level is and has been primarily the role of industry. 
The second level of the pyramid is advanced persistent threat 
composed of the more sophisticated criminal and nation-states' 
persistent campaigns. This requires a strategic partnership 
with industry and government. At this level, ICS-CERT provides 
critical surge response capacity and alerts. At the top of this 
pyramid are the high-impact low-frequency events: catastrophic 
and potentially cascading events that will likely require 
substantial time to assess, respond to, and recover from. This 
level is primarily the responsibility of government.
    At INL, we are focusing our future research on the top two 
levels, striving for a two- to four-year research-to-deployment 
cycle. Our objective with this research is to achieve 
transformational innovations that improve the security of our 
power infrastructure by reducing complexity, implementing 
cyber-informed design, and integrating selected digital 
enhancements.
    In conclusion, I'd like to thank the Committee members for 
this opportunity to share our insights into the capabilities, 
experiences, and vision for cybersecurity and the protection of 
our nation's power grid. Your interest in understanding 
cybersecurity threats with an emphasis on the reliability of 
our national power grid is commendable and gives me confidence 
that there is strong support from our legislators for research 
leading to innovative solutions.
    One of my intentions today is to instill reciprocal 
confidence that INL, in concert with DOE and DOE laboratories, 
will continue to apply our intellectual talent and research to 
address these challenges.
    In honoring the time allotted for my statement, I request 
that my full written statement be entered into the record. 
Thank you.
    Chairman Weber. Without objection, so ordered.
    [The prepared statement of Mr. Stacey follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Weber. Mr. Gaines, you're up.

                TESTIMONY OF MR. BENNETT GAINES,

                     SENIOR VICE PRESIDENT,

                     CORPORATE SERVICES AND

                   CHIEF INFORMATION OFFICER,

                  FIRSTENERGY SERVICE COMPANY

    Mr. Gaines. Good morning, Chairman Weber and Members of the 
Committee. I am Bennett Gaines, Senior Vice President, 
Corporate Services, Chief Information Officer for FirstEnergy. 
Our 10 operating companies serve 6 million electrical customers 
in six states, and we control an interconnected network of 
power plants, transmission lines and distribution facilities. I 
am responsible for providing information technology services, 
ensuring the security of the company's physical and cyber 
assets.
    Over the past few years, FirstEnergy has worked with the 
Department of Homeland Security, the Department of Energy, and 
Congress, sharing steps we are taking to address cyber threats 
as well as developing partnerships with the federal government 
in these efforts.
    In 2013, FirstEnergy was one of only a handful of utilities 
that entered into a cooperative research and development 
agreement, or CRADA, with Homeland Security, a relationship 
that has proven valuable to both us and the federal government. 
In 2014, we began working directly with the Department of 
Energy as one of the first utilities to deploy the 
Cybersecurity Risk Information Sharing Program, or CRISP, tool. 
We strongly believe that sharing this information of critical 
information is essential and should be actively supported 
moving forward. The fact is, although the cybersecurity efforts 
of electric utilities have been effective in addressing threats 
to date, we need to continually strengthen and build on these 
efforts to ensure they are up to the task of meeting the future 
cyber-related challenges.
    Operational and technical advances have created broader 
surfaces that are more vulnerable to attacks. Companies 
continue to integrate remote access, mobile devices that 
increase exposure. High-value targets such as Supervisory 
Control and Data Acquisition, or SCADA, systems further entice 
attackers to take advantage of an organization.
    Cyber attacks are on the rise, and the behavior of 
cyberterrorists has become increasingly destructive. Many 
companies are doing an excellent job with prevention through 
layer defense, real-time alerting, operational monitoring, 
security awareness training, and other proven tactics. However, 
in light of today's threats and vulnerabilities, we need to 
focus more of our attention on getting ahead of the threats 
rather than simply reacting to the threats.
    Toward that end, we need to take aggressive steps to 
mitigate vulnerabilities and minimize the damage and business 
losses that could result from potential compromises.
    At FirstEnergy, we're evaluating cyber threats to our 
communications network by integrating more traditional data 
regarding physical access systems and the status of equipment 
and health and on our power systems. This process, called 
Threat Intelligence Management, or TIM, provides a more 
comprehensive system-wide consistent picture that our Security 
Operations Center can use to improve our response to cyber 
attacks. While any information can be shared, it also must be 
aggregated, correlated, analyzed and distilled to be relevant 
and actionable. By supporting these essential functions, TIM 
helps us maintain a critical infrastructure that is both highly 
secure and resilient. The program analyzes a constant flow of 
information from every corner of the system to anticipate and 
detect threats. This data can be shared among government and 
industry partners to enhance awareness of threats and provide 
more warning information to better mitigate attacks.
    Simply put, TIM offers a better platform for information 
sharing. The program not only helps us better identify and 
analyze threats and attacks, it also supports more effective 
information sharing and great collaboration among all 
stakeholders. This results in more threat indicators, improved 
security, greater resilience of critical infrastructure, and 
ultimately more effective collaboration between industry and 
government.
    Finally, the TIM program provides enhanced visibility of 
the enterprise's overall security posture. This is accomplished 
by coordinating the monitoring of cybersecurity, physical 
security, information technology, and operational technologies. 
Advanced analysis of these functions provides early warning of 
security incidents and rapid mitigation of vulnerabilities.
    In closing, we must continually improve our cybersecurity 
systems and processes to stay ahead of the bad actors. To give 
you a greater sense of the size and scope of the problem, I 
simply point out that during my brief time here today, 
FirstEnergy probably has defended itself from at least four 
cyber attacks.
    As you consider where to focus our efforts moving forward, 
I urge you to look towards greater research and funding in this 
area with a focus on aggregating, correlating, analyzing and 
distilling information in order to be relevant and actionable. 
I strongly believe that one of the best ways to achieve this 
goal is through an effective threat intelligence management 
program.
    Thank you very much for the time.
    [The prepared statement of Mr. Gaines follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Weber. Thank you, Mr. Gaines.
    Ms. Lee, you're now recognized.

                STATEMENT OF MS. ANNABELLE LEE,

               SENIOR TECHNICAL EXECUTIVE IN THE

             POWER DELIVERY AND UTILIZATION SECTOR,

               ELECTRIC POWER RESEARCH INSTITUTE

    Ms. Lee. Good morning, Chairmen and Members of the 
Subcommittees.
    The Electric Power Research Institute is an independent, 
nonprofit organization and conducts research and development 
relating to the generation, delivery, and use of electricity 
for the benefit of the public.
    The nation's power system consists of both legacy and next-
generation technologies. New grid technologies will operate in 
conjunction with legacy equipment that may be several decades 
old and provide new security controls.
    Traditional information technology--IT--devices typically 
have a lifespan of three to five years, and historically, IT has 
included computer systems, applications, communications 
technology and software typical for a business or enterprise. 
In contrast, operational technology, or OT, devices, have a 
lifespan of up to 40 years or longer and have historically 
focused on physical equipment technology that is commonly used 
to operate the energy sector.
    There's some basic differences between the security 
requirements for IT and OT systems. For example, the focus for 
IT systems is confidentiality of information such as customer 
energy usage and privacy information. The focus for OT systems 
is availability and integrity to ensure that the reliability of 
the grid is maintained even in the event of a cybersecurity 
incident.
    With the increase in the use of digital devices and more 
advanced communications and IT, the overall attack surface has 
increased. These new devices include commercially available 
components as an alternative to proprietary solutions that are 
specific to the electric sector. Many of the commercially 
available solutions have known vulnerabilities that could be 
exploited when the solutions are installed in OT devices.
    The electric sector is addressing these attacks with 
various mitigation strategies. Cybersecurity must be included 
in all phases of the system development lifecycle and address 
deliberate attacks launched by disgruntled employees and 
nation-states as well as non-malicious cybersecurity events, 
for example, user errors or incorrect documentation.
    Risk assessment is a key planning tool for implementation 
of an effective cybersecurity program. EPRI, in conjunction 
with utilities, researchers, and vendors, developed a risk 
assessment methodology that is based on a typical IT 
methodology with impact and likelihood criteria that are 
specific to the electric sector. This work was performed as 
part of the National Electric Sector Cybersecurity Organization 
Resource, or NESCOR for short, project, a DOE-funded public-
private partnership. Several utilities are implementing 
mitigation strategies at the enterprise level. One example is 
an Integrated Security Operations Center, or ISOC for short. An 
ISOC is designed to collect, integrate and analyze alarms and 
logs from traditionally siloed organizations, providing much 
greater situational awareness to the utility's security team.
    Two documents specifically address the electric sector and 
provide mitigation strategies. Both documents are used 
worldwide. The first is the National Institute of Standards and 
Technology Interagency Report Guidelines for Smart Grid Cyber 
Security. The development was led by NIST with a team of 
roughly 150 volunteers. A second document is the Electricity 
Subsector Cybersecurity Capability Maturity Model, which allows 
electric utilities and grid operators to assess their 
cybersecurity capabilities and prioritize their actions and 
investments to improve cybersecurity. Many utilities and EPRI 
map their R&D programs to the domain specified in this maturity 
model.
    With the modernization of the electric grid, new 
technologies and devices have been deployed to meet our current 
and future electric sector needs. With this new functionality 
comes new threats including cybersecurity threats. To take 
advantage of the new technology, these threats must be 
addressed.
    This concludes my statement.
    [The prepared statement of Ms. Lee follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Weber. Thank you, Ms. Lee.
    Mr. Wilshusen, you are recognized for five minutes.

                STATEMENT OF MR. GREG WILSHUSEN,

            DIRECTOR OF INFORMATION SECURITY ISSUES,

                GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Weber, Representative Bonamici, and 
other Members of the Subcommittees, thank you for the 
opportunity to testify at today's hearing on efforts by federal 
agencies and industry to mitigate cybersecurity threats to the 
U.S. power systems.
    As you know, the electric power industry is increasingly 
incorporating information and communications technologies into 
its existing infrastructure. The use of these technologies can 
provide many benefits such as greater efficiency and lower cost 
to consumers. However, if not implemented securely, modernized 
electricity grid systems will be vulnerable to attack and that 
could result in loss of electrical services essential to 
maintaining our national economy and security.
    Today, I'll discuss actions taken and required to bolster 
cybersecurity of the nation's power systems. Before I begin, if 
I may, I'd like to recognize several members of my team who 
were instrumental in developing my statement and performing the 
work underpinning it. With me today is Mike Gilmore, an 
Assistant Director, and Brad Becker, who led this effort. In 
addition, Lee McCracken, John Ludwigson, and Scott Pettis also 
made significant contributions.
    In 2011, we reported on a number of challenges that 
industry and government stakeholders faced in securing smart 
grid systems and networks against cyber threats. These 
challenges included taking a comprehensive approach to 
cybersecurity, ensuring that smart grid systems had built-in 
security measures, monitoring implementation of cybersecurity 
standards and guidelines, effectively sharing cybersecurity 
information, and establishing cybersecurity metrics.
    Since then, FERC has acted to implement our recommendations 
to assess these and other challenges in its ongoing 
cybersecurity efforts. However, it did not implement our 
recommendation to coordinate with state regulators and other 
groups to periodically evaluate the extent to which utilities 
and manufacturers are following voluntary cybersecurity 
guidelines.
    Other entities have acted to improve cybersecurity in the 
sector. For example, NERC has issued updates to its critical 
infrastructure protection standards for cybersecurity and has 
hosted an annual conference on grid security. In 2014, NIST 
updated its smart grid cybersecurity guidelines to address the 
threat of combined physical-cyber attacks. NIST also issued a 
framework for improving critical infrastructure protection and 
cybersecurity. The framework is intended to provide a flexible 
and risk-based approach for entities including those within the 
electricity subsector to protect their vital assets from cyber 
threats.
    The Departments of Homeland Security and Energy have 
efforts underway to promote the adoption of the framework by 
critical infrastructure owners and operators. These departments 
have also developed cybersecurity risk management approaches 
and tools that are available for use by the electricity 
subsector.
    Nevertheless, given the increasing use of information and 
communications technologies to operate the electricity grid and 
other areas, continued attention to these and other areas is 
required to help mitigate the risk these threats pose to the 
electricity grid.
    In particular, assuring that security features are built 
into smart grid systems and that a comprehensive approach to 
cybersecurity is taken whereby utilities employ a defense in 
depth strategy based on sound risk management principles will 
be essential. Effectively sharing cyber threat vulnerability 
and incident information among federal, state and local 
governments as well as the private sector stakeholders in a 
timely manner is imperative to provide utilities with the 
information they need to protect their assets against cyber 
threats.
    Additionally, an effective mechanism for monitoring the 
implementation and effectiveness of the cybersecurity policies, 
practices and controls over U.S. power systems is paramount to 
ensure the resiliency and security of the electricity grid.
    To summarize, more needs to be done to meet the challenges 
facing the industry in enhancing security. Federal regulators 
and other stakeholders need to work closely with the private 
sector to address cybersecurity challenges as the generation, 
transmission and distribution of electricity come to rely more 
on emerging and interconnected technologies.
    Chairman Weber and Members of the Subcommittee, this 
concludes my statement. I'd be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Weber. Thank you, Mr. Wilshusen, and I now 
recognize myself for five minutes of questions. Wow, where do 
we start?
    Mr. Gaines, the Department of Energy's Office of 
Electricity works with electric utilities on information 
sharing and encouraging utilities to learn from the challenges 
faced by their regional counterparts. The Department of 
Homeland Security also operates programs to facilitate the 
information sharing you referred to in your comments. What 
information do you feel is most important to share with each 
other and for the industry to share with regulators, and the 
third part to my question really is, in your comments I think 
you said information had to be actionable.
    Mr. Gaines. Correct.
    Chairman Weber. Define what you mean by ``actionable.'' Let 
me reiterate. What information do you feel is most important 
for industry to share with each other and then to share with 
the regulators? It may be one and the same. And then define 
``actionable information'' for us.
    Mr. Gaines. I'll start out with your first questions in 
that we have spent the last two years working directly with 
both agencies and within the confines of the programs that they 
have, which are the CRISP tool and the enhanced cybersecurity 
tool, and they are very effective. The difficulty of both of 
those tools, they're historical; they look back. They don't 
look at real-time incidents, and in some cases, there can be a 
lag between three to six months from when an incident occurred. 
It's not correlated in a timely manner as to what is going on 
with the rest of the industry so that we can take action on 
those events, and in some cases, you could have a dormant piece 
of malware sitting in your environment that you didn't take 
action on but that was alerted months earlier.
    As it relates to actionable, it's having real-time 
information, and a technical term--I don't want to lose you--is 
the actual threat actors' IP address and the specific 
information that's time-framed within that window. An 
illustration of that would be----
    Chairman Weber. You're not losing me. I was wondering about 
that earlier when you said up to 4 months since 2011, 300 
attacks, and no suspects.
    Mr. Gaines. That's correct.
    Chairman Weber. Go ahead.
    Mr. Gaines. And that is the difficulty is that by the time 
the actor penetrates your environment, they're not the actor 
that you see. There's an alias that sits behind that wall and 
the difficulty is following that breadcrumb back to the 
original source, and one of the difficulties that we have in 
the industry is, is the information we get from the federal 
government is not timely, and so for us to take action on 
something that really we have no control over is very 
difficult. My suggestion would be to reverse that, is for us to 
provide across the industry real-time incidents, and it's 
doable, and to be able to track not only the source but the 
actual follow-on activity that occurs from that event.
    One of the things that we don't do is we don't do a good 
diagnostics of what happens once the event occurs, and we move 
on to the next one.
    Chairman Weber. Let me jump over to Mr. Wilshusen. You 
talked about having conferences, I think, you met around the 
country, probably industry and I presume government as well. 
How often are those conferences held and how many attendees, 
and should we increase that frequency and are they sharing that 
information?
    Mr. Wilshusen. Well, what I referred to were conferences 
that were being held by NERC, which is the North American 
Electric Reliability Corporation, and they hold those annually, 
but to the extent that Mr. Gaines talked about in providing 
useful, actionable information in a timely manner, annual is 
not enough. They do talk about different threats----
    Chairman Weber. It would almost have to be daily or weekly.
    Mr. Wilshusen. Much more frequently. This has been----
    Chairman Weber. Absolutely.
    Mr. Wilshusen. Right. This has been----
    Chairman Weber. I'm talking about the sharing of the 
information.
    Mr. Wilshusen. Right, the sharing of the information, 
particularly between federal government and the private sector 
and even among private sector entities has been a longstanding 
problem and a challenge throughout all critical infrastructure 
sectors including the electricity subsector. What we have 
found in the past is that there have been certain obstacles to 
doing that including from the government sector to private 
sector, making sure that those individuals at the private 
sector had the appropriate security clearances--that's been a 
challenge--as well as having a secure mechanism to share that 
information timely.
    Chairman Weber. Is there one office that oversees what 
you're describing? Is there one office within your agency, for 
example, that oversees that? Who oversees that?
    Mr. Wilshusen. Well, overall, DHS has a responsibility 
across federal government for taking the lead in the----
    Chairman Weber. So does DHS--you may not know this--forgive 
me for interrupting, but does DHS have one office that 
allocates their time and manpower and resources to just this 
cybersecurity for energy companies alone? Do you know?
    Mr. Wilshusen. Well, it does have a group that's 
responsible overall but the Department of Energy, known as the 
sector-specific agency, also has responsibility for interacting 
with the energy sector to include the electricity sector for 
sharing information and assisting that sector in securing its 
systems.
    Chairman Weber. I am running out of time, but I have one 
last question. So what could be done better to help streamline 
this process?
    Mr. Wilshusen. Well, one of the requirements under the 
Executive Order 13-636 is for agencies and particularly I think 
it's DOD and perhaps DHS to come up with a mechanism that will 
allow for faster sharing of information to the private sector.
    Chairman Weber. All right. Thank you.
    I'm over time, and I yield to the gentlelady from Oregon.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank 
you to the witnesses for bringing your expertise on an 
important issue.
    I also serve on the Education and Workforce Committee, and 
I'm going to focus at first on some of the workforce issues 
making sure that we have the workforce that we need to continue 
to address this serious issue, and I know Mr. Stacey, you said 
that the demand for trained cyber defenders with control 
systems knowledge vastly exceeds the supply.
    Now, my alma mater, the University of Oregon, has just 
created an Oregon Center for Cybersecurity and Privacy. They 
received a federal--some federal funding, and a Center of 
Excellence designation, and they plan to begin enrolling 
students by next summer. But how can we incentivize more 
universities to support educating this workforce, and once we 
have a strong pipeline of students and get them into the 
workforce, how can we attract them to public service and 
government jobs when typically the private sector would pay 
more and be perceived as more innovative?
    So I'll start with Ms. Lee and also ask Mr. Wilshusen and 
anybody who wants to weigh in.
    Ms. Lee. As I noted in my statement, I previously was in 
the federal government for 14 years. I think one of the real 
advantages of working in the federal government is the kind of 
work you can do and the impact that you have. I mentioned the 
guidelines for smart grid cybersecurity products that we 
developed. There were 150 volunteers from around the world that 
participated in developing that document. These were senior-
level people literally around the world. I kept getting asked, 
do you pay these people, and my response was no, these are 
volunteers. I think one thing in the federal government and 
working with the federal government for several decades, you 
can have an impact and influence that you don't have anywhere 
else, and to me, that's a real benefit for working in the 
public sector. Private sector does compete. It is difficult 
now. There're very few--as mentioned earlier, there are not 
significant numbers of people who are in cybersecurity, and 
those who focus on control systems, and as I mentioned, there 
are some basic differences between cybersecurity for control 
systems and our IT systems. That community is even smaller. We 
need to beef up that workforce. There are controls that you 
don't put on OT systems that are typical on IT systems, and we 
need to--we definitely need to grow this area.
    Ms. Bonamici. And do you agree with Mr. Stacey that there's 
a serious need, that we don't have the workforce?
    Ms. Lee. We don't have the workforce.
    Ms. Bonamici. I want to follow up because I know the U of O 
Center is going to be working with the faculty from several 
different departments including computer and information 
science, philosophy, business, law. What role--you talked about 
the role of human behavior but how can we really capitalize on 
understanding human behavior to deal with the threats, and also 
hopefully to be out in front and prevent them.
    I'll open it up to the panel. Ms. Lee, do you want to 
start?
    Ms. Lee. As you mentioned, I think human behavior is very 
important. Historically--and I've been doing cybersecurity now 
for almost three decades--the solution was, have longer 
passwords, and so what does everybody do? They write them down 
because you can't remember 12- or 15-character passwords that 
you have to change every 3 or 4 months.
    Ms. Bonamici. We've all done that.
    Ms. Lee. Yeah. You write them down. That's the only way you 
can remember them. Is to look at cybersecurity and the solution 
has to be yes, we need to figure it out. As I say, it's a messy 
environment.
    If you look at the reality of cybersecurity, the devices 
that are out there, the controls you may need to implement, you 
can't do. You either can't afford them or they affect the 
performance. You need to figure out the solutions. And I think 
that's the direction that cybersecurity needs to go. 
Historically----
    Ms. Bonamici. Thank you. I need to get a couple more 
questions in.
    Mr. Gaines, you talked about the TIM, the Threat 
Intelligence Management. That seems like a sound approach. What 
are the barriers to improving and expanding that approach?
    Mr. Gaines. The barriers are twofold. One, there are 
limitations that industry has today in communicating with the 
government vulnerabilities, and that is a real challenge in 
that we are limited to some extent because we hold the 
liability if there's a breach or vulnerability to the network. 
I think that needs to be looked at and in some cases eliminated so 
that we can share openly very specific information about 
vulnerabilities.
    The second is, is the actual technologies themselves. 
Today, we are one of only two utilities that have a completely 
integrated security operation center, and Ms. Lee spoke about 
that center. It's a center that we integrate the physical, 
being badge access, building access. We integrate the IT, being 
the cyber component, and we integrate the operational, the 
SCADA systems together. All three of those systems are actually 
monitored, reviewed, and we take actions against events, and 
I'll use a simple analogy so you can understand----
    Ms. Bonamici. I'm afraid my time's going to expire. Can I 
just have a few more seconds, Mr. Chairman?
    Chairman Weber. Without objection.
    Ms. Bonamici. I want to get in a quick question for Mr. 
Wilshusen. You mentioned in your testimony that FERC was 
adopting standards from NIST's efforts but according to FERC 
officials, the statute did not provide any authority to allow 
FERC to require the smart grid technologies to follow the 
standards and now it's voluntary. How's that working?
    Mr. Wilshusen. Well, it is voluntary. One of the problems 
that we noted is that FERC has not--because the standards are 
voluntary and have not been adopted, it has not gone out to 
examine the effectiveness or the extent to which those 
voluntary standards have been implemented.
    Ms. Bonamici. Thank you, and I'm very over time.
    Thank you, Mr. Chairman. Yield back.
    Chairman Weber. No problem.
    And now the Chairman is pleased to recognize for his first 
appearance in a hearing in this Committee, the gentleman from 
Illinois, Darin LaHood. Welcome.
    Mr. LaHood. Thank you, Mr. Chairman, very much. I 
appreciate it. Great to be part of this Subcommittee.
    I want to thank the witnesses for your testimony this 
morning.
    I guess, Mr. Stacey, I wanted to just maybe see if you 
could highlight a couple examples of cyber attacks that maybe 
recently happened where systems have been compromised and maybe 
the cost to a particular company and how it affected citizens 
or customers.
    Mr. Stacey. Yes. Two of the most recent are BlackEnergy and 
Havex attacks. These have been to the human-machine interface 
associated with the industrial control systems. Near as we can 
tell, those are primarily associated with collecting 
information, trying to map out systems and see what they look 
like, although the payloads on those are dynamic. There's been 
a very active response from DHS on this along with other 
entities, in fact, traveling around the country in briefings 
with the FBI and notifying people about that.
    As far as the costs associated with individual utilities in 
mitigating that, I don't have insight into that, but I know the 
federal government and the laboratory took a very aggressive 
stance on notifying and making people aware of those particular 
malware.
    Mr. LaHood. And I guess as a follow-up maybe to Mr. Gaines, 
when we talk about cybersecurity and talk about really what 
these entities are engaged in is criminal activity, when we 
talk about deterring that, I mean, are there currently any 
active prosecutions by the federal government, either the U.S. 
Attorney's Office or anybody that we can kind of use as 
examples to deter this behavior?
    Mr. Gaines. I don't--I'm not aware of any criminal activity 
so I say that. I do know that there have been incidents that 
have been nation-state and/or in some cases domestic that 
probably warrant the investigation of that. A good example of 
that would've been the Metcalf incident that occurred in 
southern California in 2013. That substation lost 17 
transformers. There were 127 rounds of ammunition that was shot 
into the substation and power had to be rerouted.
    To the Chairman's point, though, that actor has not--and/or 
actors have not been found, and the evidence obviously is very 
clear that it was multiple actors very potentially.
    But to the extent that there has been prosecution, that has 
not occurred, to my knowledge.
    Mr. LaHood. And on that specific case with Metcalf, is 
there an ongoing investigation to try to determine who the 
perpetrator was?
    Mr. Gaines. There absolutely is, and following that 
incident, FERC issued a number of standards on physical 
security that the industry is now implementing, and a lot of 
that has to do with both the monitoring both of the physical 
asset and the cyber asset, and so we've learned from an 
industry but to the extent that we've seen that replicated or 
duplicated in industry, it has not.
    Mr. LaHood. In terms of becoming aware when a system is 
compromised, walk me through a little bit of, if a company is 
compromised, the reporting on that in terms of to the federal 
government. Is that something that's made public, or who's the 
repository of threats or compromises that happen, and then how 
does that get made public or is there some secrecy involved 
with that? I mean, I guess what I'm getting at, do companies, 
you know, in a competitive marketplace not want people to be 
aware that their systems were compromised for vulnerabilities? 
How is that addressed?
    Mr. Gaines. I'll give you a real-life example. At 11 
o'clock yesterday afternoon, our systems were attempted to be 
penetrated by a denial of service, so they're flooding your 
network. That flooding of the network slows down your network, 
and at that point we pick it up on our firewalls, we shut the 
traffic down, and then we do forensics on that. Within an hour, 
we report that to the ES ISAC. That ISAC is our sector group 
that we use to facilitate that type of information. Now, I go 
back to my original point that I made earlier. That happened to 
me. I venture to say that that same actor was scanning other 
networks and that that same DDoS attack was being attempted. At 
4 o'clock, we get an acknowledgement back from the government 
that they received the information. As of 11 o'clock, 24 hours 
later, I still don't have a response back from the government.
    There's a good example of the timeliness of information. If 
we could share that information real time within the industry, 
think about the potential of being able to collaborate very 
quickly and take action because most likely that actor has shut 
down their server and they've moved on, and so we have no time 
again to take any reasonable mitigation steps. The good news 
is, our security systems worked. To the extent that that threat 
I reported gets communicated, it does get communicated. Most 
likely it'll be a few months from now. It'll be watered down, 
and the real sad part about it is, it doesn't have the level of 
detail to take any action on it.
    Mr. LaHood. Thank you.
    Thank you, Mr. Chairman.
    Chairman Weber. Thank you.
    And before I go to the gentleman from New York, if I can 
just take one second here, so what you just described, Mr. 
Gaines, gets back to those conferences. If you could come in 
with that kind of information in real time to everybody that 
was in a like business and say expect this kind of attack, is 
that a doable deal?
    Mr. Gaines. I would--if I may----
    Chairman Weber. Sure.
    Mr. Gaines. I would argue slightly different. I have 
security clearance, and to the gentleman's point, Homeland 
Security does offer briefings to those that have security 
clearance. They're non-industry-specific so they can be across 
any sector. And ironically, the same approaches that an actor 
uses in finance is very similar to an attempt that they would 
use in our industry. That's still not soon enough. Those 
briefings occur once every three months.
    Chairman Weber. But is there no platform to broadcast this 
information industry-wide? And let's be energy industry 
specific. Is there no platform for that?
    Mr. Gaines. There is. My point being is, it's not timely 
enough. There is, and it's a very good tool. It's not timely 
enough and it's not detailed enough.
    Chairman Weber. All right. Thank you.
    I appreciate the gentleman from New York's indulgence. 
You're recognized.
    Mr. Tonko. Thank you, Mr. Chairman.
    Welcome to our panelists.
    The line between federal and state power has historically 
been drawn at the intersection between the high-voltage 
transmission system and the lower-voltage distribution system. 
However, the relevance of this distinction is less clear when 
it comes to cybersecurity, and Ms. Lee, you addressed some of 
that with the new technologies, but to both you and Mr. Gaines, 
Ms. Lee and Mr. Gaines, could the increase of smart grid and 
distributed energy technologies being deployed on the 
electrical distribution system increase those cybersecurity 
risks to the high-voltage transmission system?
    Ms. Lee. As I said in my statement, the increase in 
technology and the inclusion of IT and communications, the new 
technology, yes, that does increase the potential for 
cybersecurity events. I will add another one, and that is the 
interconnection of these systems. If we look at the new 
technology, our distributed energy resources, renewable devices 
where you transmit the electricity that may be generated in one 
state to another state, all of that increases the attack 
surface and the potential for cybersecurity events.
    On the other side, utilities, reliability is number one. 
Cybersecurity should support the reliability of the grid, and 
there are a number of tools and techniques that the electric 
sector has been using for decades to address reliability that 
can also be used to address cybersecurity. This is not a 
totally foreign area, and so it's taking advantage of what 
they're currently doing, and then looking at the techniques and 
technologies that the IT community uses to address these new 
threats.
    Mr. Tonko. Thank you.
    And Mr. Gaines, do you also concur that it increases risk 
here?
    Mr. Gaines. If I may, not to differ, I might add a 
different perspective----
    Mr. Tonko. Okay.
    Mr. Gaines. --if I could, please? The distribution system 
and transmission system are two separate systems. The 
distribution system is a regional, local system and smart grid 
and/or tied to that smart grid is a meter. That's an individual 
IP address. It's an individual computer. Think of it like that. 
There are securities around that through a certificate and 
encryption, and in our design, that particular meter is not 
tied into our core distribution system. We have what we call a 
head-in system that sits outside of our company.
    So I would suggest to you that from a smart meter and smart 
grid perspective, the design and construct of that is secure. 
Is there a risk in our cases in Pennsylvania? We have two 
million customers, and I'm convinced given enough time with a 
bad actor, they could figure out how to be destructive with 
that. But to the extent that our design and configuration 
within the industry and our design and configuration is very 
similar to most smart grids and the technology is very similar. 
So there's a risk but I don't see it as a huge threat.
    Mr. Tonko. And no specific recommendations you would make 
to address that increased risk, either of you?
    Mr. Gaines. I would--the gentleman, Mr. Stacey, made some 
very good points. I think good hygiene is important, good 
engineering is important, and constant management. These 
devices are now computers and so they have to be maintained. 
They don't have the life of an existing meter, which is 20 to 
30 years. These devices have a life of between five to seven 
years, and so the challenge that the industry is making sure 
they maintain their smart grid environment, not neglect it.
    Mr. Tonko. Ms. Lee?
    Ms. Lee. There are things that the industry, as Mr. Gaines 
said, is doing, and I mentioned in my testimony all utilities 
do risk assessments. They need to prioritize their system, 
prioritize the risks and vulnerabilities, and then make 
decisions about which ones they want to mitigate. They do not 
have unlimited resources. Utilities deal with many areas of 
risk. Cybersecurity is one area. And they need to prioritize 
and determine what they want to do for their mitigation 
strategies and then make decisions that way.
    Mr. Tonko. There was some exchange--thank you. There was 
some exchange over the role of forensics in cybersecurity. What 
do we need--this is to all of you. What is needed to adequately 
conduct a forensic analysis after a cyber event? What are the 
best----
    Mr. Gaines. Directed to me, sir?
    Mr. Tonko. Any of the four.
    Mr. Gaines. Two things. First of all, there needs to be--I 
go back to what we can share and what we cannot share with the 
government during an incident. That's a--there's a lag that 
occurs there. If I have a major incident in my environment, I 
have to report that to several agencies. That can be days or 
weeks in some cases. Secondly, once we determine it truly was a 
cyber incident, then I have to put together a full 
investigative report, and then it goes through a very lengthy 
process of determining the actual degree or significance of 
that. I suggest to you that we cut all that or most of that 
away, and that if I truly know that I've been breached inside 
of my network, I think there's an obligation that we work much 
closer with the federal government on a real-time basis of 
defining the problem first and then let's go assess the 
penalties or determine who was at fault later, and that lag at 
times can be weeks and months before we actually get into the 
real forensics and do the real what I think are important 
things are mitigating it. And more importantly, that 
information is not shared with the industry in some cases for a 
year.
    Mr. Tonko. Thank you very much.
    Mr. Chair, I yield back.
    Chairman Weber. I thank the gentleman.
    And now the gentleman from Arkansas, Mr. Westerman, is 
recognized for five minutes.
    Mr. Westerman. Thank you, Mr. Chairman, and thank you, 
panel, for your insight today.
    Mr. Wilshusen, I'll direct this question to you, but others 
may wish to add in on it. I've visited several power-generating 
facilities, and I was pleased to find out that the control 
systems inside the power plants are totally isolated from the 
outside world in the facilities I've visited, so the chance of 
a cyber attack on the actual generating facilities is pretty 
much mitigated unless a bad actor got into the facility and 
messed with the control system, which could cause a huge issue. 
So when we're talking about a cyber attack, what physically are 
the risks there since these power plants are basically just 
getting a demand signal from the grid? What kind of destruction 
do you anticipate could happen from a cyber attack?
    Mr. Wilshusen. Well, first of all, I would first ask about 
your premise that the industrial control systems networks are 
indeed isolated and separated from other external networks or 
company communications networks. What we have found and what I 
have seen reported through ICS-CERT and others is that often 
companies believe their industrial control systems networks may 
be air-gapped, if you will, but are surprised to find when in 
fact they are not. With the increasing introduction of 
information and communications technologies, we're finding, 
increasingly, that these networks are indeed interconnected 
with other networks. That's one thing. But given that, if they 
are air-gapped, it does provide an additional level of security 
certainly to where remote access may not be available and where 
an attacker may have to have physical access to the device. But 
to be sure that's something that if they are air-gapped, that 
is an improvement and a control over it, but--and that's what 
has been historically but increasingly we're finding on what's 
being reported is that they are being interconnected with 
internal and external networks, thereby as Ms. Lee mentioned, 
increasing the attack surface and increasing the likelihood of 
a potential incident over those industrial control systems 
networks.
    Mr. Westerman. So is that the main concern with cyber 
attacks is getting into those power-generating facilities' 
control systems or is it more to protect the distribution and 
transmission systems?
    Mr. Wilshusen. Well, I think you have that probably at 
multiple sections throughout the entire electricity grid, 
depending upon where the control systems or the sensors are 
located. If they are indeed interconnected to external 
networks, there's an increased likelihood that they may be 
vulnerable to attack if they're not sufficiently hardened. Of 
course, there are actions that an entity can take to better 
secure those connections and to better secure those devices. If 
those are being done, that will help, but historically, that 
always hasn't been done for a number of reasons.
    Mr. Westerman. It just seems like it would be a good 
operating protocol to have those industrial control systems 
isolated from the outside world as far as having the best way 
to keep a cyber attack from happening on one of those 
facilities.
    Mr. Wilshusen. Yes, that's correct, but often they're 
interconnecting in order to provide greater efficiency and 
usefulness, if you will, and so there's always that balance, 
but yes, it would be better from a security perspective to keep 
them isolated.
    Mr. Westerman. So when we talk about the role that smart 
grid technology plays in creating cyber vulnerabilities, does 
the fact that the smart grid relies on two-way communication 
make the grid more susceptible to cyber attacks, and if so, how 
is that?
    Mr. Wilshusen. Well, potentially, and that would be as Mr. 
Gaines mentioned more at the distribution level rather than the 
power-generating and transmission level where there could be 
attacks against individual smart meters. Indeed, I believe 
there have been reported attacks against smart meters, but more 
for the purpose of committing fraud and addressing some of the 
programming that is in those smart meters, but the threat 
potentially is, and again, absent other controls that may now 
be in place, is that collectively as millions of smart meters 
out there could that have an impact on the larger electricity 
grid, and that's something that there potentially could.
    Mr. Westerman. And when you talk about smart meters, are 
you talking about the meters that give the feedback or just the 
ones that the meter reader can drive through the neighborhood 
and read the meters without getting out of the vehicle? Are 
those----
    Mr. Wilshusen. Yeah, those would be included in that, yes.
    Mr. Westerman. I think I'm out of time, Mr. Chairman.
    Chairman Weber. Okay. The gentleman yields back.
    The gentlelady from Connecticut, Ms. Esty, is recognized.
    Ms. Esty. Thank you, Mr. Chairman and to our Ranking 
Members for today's very important hearing.
    In Connecticut, we're very focused on grid reliability just 
actually from natural disasters we've been coping with, and 
certainly the cybersecurity threat has gotten us all to pay 
much closer attention.
    I have two quick questions. First for Ms. Lee and Mr. 
Gaines. Can you explain a little bit more how we should address 
the challenges between the difference in lifespan of 
operational technology and information technology? All of us 
who know, who have any of those devices in our pockets, and if 
you've got teenagers, you really know within a year they want a 
new one, and yet we're looking at overall systems on the 
utility side that are decades long. What do we know about from 
prior history that can help us in Congress think about how to 
meld together these two systems, one of which is highly 
capital-intensive over decades and another which is changing 
constantly?
    Mr. Gaines. Ms. Lee, go ahead.
    Ms. Lee. Thank you. Yes, as I mentioned earlier, the 
difference in lifecycle--and it's amazing when you think our 
device if it's a year old, it's ancient.
    What needs to be done, and talking about the modernization 
of the grid, and I think of that more than just a smart grid. 
If you want to talk about all of the domains--generation, 
transmission and distribution--the new devices are using 
commercially available operating systems and applications 
rather than the proprietary solutions that were used 
historically, and so when you look at these devices, yes, they 
may have a lifespan of 30 or 40 years but you have Windows, you 
have your internet protocols. It's having the two communities, 
and Mr. Gaines talked about that, having the communities, the 
IT and OT communities together, figure out the best solutions, 
and a lot of utilities are putting them in the same room and 
addressing these difficulties because when you get away from 
the proprietary solutions, you need to figure out how do you do 
it with all of these commercially available products.
    Mr. Gaines. I would add to that two things you heard me in 
the testimony. We have and are converging both the operational 
side of our business and the IT side of our business, and we're 
doing it a lot with technology first of all. Inside of a 
substation, 15 years ago it was an analog substation and it was 
not two-way communication. What sits in a substation now is a 
communications network, and so we are building out with inside 
substations a very protected, secure network inside of that 
substation, and it comes with us--it comes with cyber risk but 
it also comes with the ability to monitor that substation. And 
so that is the piece that some of those in industry are doing. 
We are thinking of that substation as a physical asset as well 
as a logical asset. And so when I actually manage our 
substations, I think of them as a computer. I think of them as 
an asset in transmitting and/or transferring energy, and in one 
place we look at both of those. We don't separate those two. We 
don't separate the operational side of our business from the 
cyber side or the technology side. And as more communication 
devices go into substations, that's going to be required.
    Ms. Esty. Thank you. That is very helpful.
    And just a quick question for anyone who wants to chime in. 
Part of what we do is direct research dollars from this 
Committee, and if you had to divide up the federal research 
dollars between on cybersecurity, in prevention, detection, 
mitigation, and recovery, at this stage of the game, what do 
you think for us--those of us who sit here in Congress as we're 
allocating funds and we all know we should have more funds, but 
with the not enough money that we have, as I think about it, 
how should we think about dividing those up?
    Mr. Gaines. Mine would be prevention. It has the greatest 
opportunity to be able to share, and I think the greatest 
opportunity to expand and grow.
    Mr. Stacey. Yes. Thank you for the question.
    I would offer that we're spending an awful lot today on the 
measure-countermeasure. The threats and the daily bombardment 
is consuming most of our resources. We need to make sure that 
we're investing a significant amount of our research dollars in 
how do we take some of these critical assets off the table with 
either some kind of disruption zone--which is now a terminology 
that's being used where you put some kind of a----
    Chairman Weber. A firewall? A firewall?
    Mr. Stacey. Well, it's not quite as sophisticated as a 
firewall. It's an analog circuit that allows the electrons to 
go in and only do one thing, and it requires the cyber hacker 
to have physical access to the other side. And so research 
associated with trying to help define the critical assets and 
then we create an environment to take some of these critical 
assets off the table.
    So to answer your question shortly, I believe more needs to 
be done to get us out of this paradigm of measure-
countermeasure and how we're going to solve this long term 
because, frankly, the resources aren't scalable. Thank you.
    Ms. Esty. Thank you. That's very helpful, yes.
    We all remember Mad Men and Spy versus Spy. I think you're 
right. We need to be removing assets from vulnerability. It 
makes a lot of sense.
    Thank you all very much.
    Chairman Weber. The gentlelady yields back.
    I now recognize the gentleman from Alabama, Mr. Palmer.
    Mr. Palmer. Thank you, Mr. Chairman, and thank you to the 
witnesses for coming in this morning. It's extremely important.
    Mr. Gaines, the National Institute for Standards and 
Technology has developed voluntary guidelines for smart grid 
cybersecurity, and the Federal Energy Regulatory Commission 
continues to approve cybersecurity standards. How helpful are 
these types of standards to the industry?
    Mr. Gaines. The standards are invaluable. They create a 
baseline. However, I suggest to you that's just what they are 
is a baseline, and that the threats that we see today are going 
forward, they're not going back. And so we identify most of the 
vulnerabilities associated with those standards and things that 
happen to us, not what things are going to happen to us. And I 
don't think that you can regulate or put standards in this to 
control every vulnerability. What I think you have to have is a 
collaborative effort across industry and government to address 
some of the issues that we have.
    Mr. Palmer. Part of my concern is that these are industry 
standards, and James Clapper, the Director of National 
Intelligence, said the greatest threat to our national security 
is cyber attacks. I think he identified 140 attacks against 
U.S. corporations by China, and it appears to me that we're in 
the middle of a digital arms race in terms of cyber attacks, 
and specifically my concern right now is with our energy 
infrastructure and how devastating it would be if we had a 
cyber attack against our infrastructure that shut it down. Do 
you think industry standards alone are enough or does the 
government need to take a more active role in this, 
particularly in developing the technology to protect us against 
cyber attacks?
    Mr. Gaines. First of all, to answer your first question, 
are the standards adequate, they are adequate, and I repeat 
again, they create a baseline. If you would suggest, though, 
that could more be done, I do, and I apologize. I don't 
remember the member's name. More research needs to be put into 
technology, number one, and it can be on any one of those three 
fronts. Prevention is the area that I suggest. Information 
sharing is a big piece of that, how we can be more 
collaborative and develop tools between government and industry 
to share and within industry, and so I would suggest where the 
management can be a major player is, they have access to 
information we don't and vice versa, and the idea is, how can 
we get that to be a timely sharing of information and a more 
detailed level of sharing of information. That's the area that 
I suggest that we put more emphasis on, not necessarily 
standards.
    Mr. Palmer. Well, in regard to the timeliness, Mr. Stacey, 
in your testimony, you mentioned that intrusion detection 
technology is not well developed for control system networks 
and that it can often take months before malware is detected. 
What are the factors that account for such a significant amount 
of time that elapses before detection?
    Mr. Stacey. Well, first, let me characterize, as Ms. Lee 
did, the difference between IT technology and OT. With IT 
technology, we're fairly mature now in proactively managing 
systems. We have configurations and patchings that we use to 
manage these systems.
    Operational technology, or industrial control systems, may 
manage several hundreds or even thousands of points a minute, 
and if you try to proactively manage that network, you can do a 
denial-of-service attack on yourself. And so the tools today 
are basically passive monitoring--watching for things in and 
out--and the sophisticated hackers are aware of that and can go 
slow and low. And so the detection oftentimes, as I said, comes 
from a third party. And this is another research area that 
could be invested in is the detection technology for industrial 
control systems. Thank you.
    Mr. Palmer. Is that, in your opinion, where we need to go 
in terms of improving the detection time?
    Mr. Stacey. Correct.
    Mr. Palmer. Mr. Chairman, I yield the balance of my time.
    Chairman Weber. I thank the gentleman.
    The gentleman from California is now recognized.
    Mr. Swalwell. Thank you, Mr. Chairman, and thank you to our 
panelists.
    This issue, it just--it seems to evolve faster than we can 
stay pace with it, whether it's hacks or breaches that occur on 
the private sector side or hacks and breaches that we're seeing 
at OPM or other federal agencies that have, you know, certainly 
compromised millions of people's personal information, and so I 
guess my first question is, if one of our power grids went down 
tomorrow in a major metropolitan area because of a cyber 
attack, would anyone here be surprised? Just a yes or no up and 
down. Mr. Stacey, yes or no?
    Mr. Stacey. It's certainly possible.
    Mr. Swalwell. But would you be surprised if it happened? If 
you learned tomorrow that, say, the San Francisco Bay area was 
out of power because of a cyber attack, would that surprise 
you?
    Mr. Stacey. No.
    Mr. Swalwell. Mr. Gaines?
    Mr. Gaines. Yes, it would.
    Mr. Swalwell. Ms. Lee?
    Ms. Lee. Yes.
    Mr. Swalwell. And Mr. Wilshusen?
    Mr. Wilshusen. Yes.
    Mr. Swalwell. Okay. And so for those who said--well, let me 
start with you, Mr. Stacey. Why would it not surprise you?
    Mr. Stacey. I just believe--because our monitoring and 
detection for those kinds of events is not sophisticated enough 
for me to give an answer of yes.
    Mr. Swalwell. Do you believe that we have made the 
necessary investments across our country in protecting against 
cyber attacks, and not just the investments but is our 
workforce trained in a way that our cyber hygiene is good 
enough to prevent this from happening?
    Mr. Stacey. Yes, I think we have invested properly. I think 
there's a lot of work being done both in the utility sector and 
within the government sector. I think we're short of staff 
certainly and we're working on that in a number of areas with 
universities, et cetera. But we've heard from several leaders 
within the federal government that we likely have people inside 
the infrastructure, and these are very complex systems and the 
complexity even independent of a malware attack, adds a level 
of vulnerability.
    Mr. Swalwell. Thank you.
    And for the three who said they would be surprised if they 
learned tomorrow that a major metropolitan area had been hit, 
can you just maybe elaborate briefly on why it would surprise 
you? Mr. Gaines?
    Mr. Gaines. I'll give you a fact-based answer.
    Mr. Swalwell. Sure.
    Mr. Gaines. And I certainly know that there are 
vulnerabilities that exist in every network, but I would 
suggest to you at FirstEnergy, I feel we have done the right 
things to secure our company and that component of the grid.
    The other thing that's unique to the grid is, we have the 
interconnects, in our case, PJM, and so in this case, we would 
work very hard with PJM given that if our company was breached, 
to minimize that impact across the network. Is it possible? 
Yes, but your black-and-white answer is, would I be surprised? 
Yes, I would be. And it's because of those two specific 
entities, and I would suggest to you the peers around me that 
are on PJM and the grid probably have the same level of 
confidence that their business, their company is secure also.
    Mr. Swalwell. Great. Thank you.
    Ms. Lee?
    Ms. Lee. Yes, I will agree completely with Mr. Gaines on 
that, and just add to that, if you look at--and it was 
referenced earlier the Metcalf attack, that their end result 
was no power failure. The reliability of the grid is paramount, 
and as he mentioned, working with the interconnections and the 
different utilities, the intent is to maintain the reliability 
of the grid. So yes, it is a hypothetical possibility but if 
you look at all that's in place to ensure the reliability, it 
still is a very stable system.
    Mr. Swalwell. And then can you tell me who you fear an 
attack would come from if it came--if it was--if it occurred? 
Do you think it would be a state actor or a non-state actor? 
Which one would be more likely based on your experience and 
what you've learned? Mr. Wilshusen?
    Mr. Wilshusen. I think initially I would say it's probably 
going to be a non-state actor but I think also I've been 
reading where there could be state actors involved too. But 
certainly terrorists and groups that may wish to do us harm 
would do so. I think state actors are probably, depending on 
the state, also are relying on the electricity and our national 
economy to support them as well.
    Mr. Swalwell. And Mr. Gaines, are you cleared? Do you have 
a security clearance?
    Mr. Gaines. I do have a security clearance.
    Mr. Swalwell. Do you feel that enough people in your 
company are cleared to work with the federal government on the 
threats or could we do a better job of bringing more people in?
    Mr. Gaines. I don't think it's the volume; it's the 
quality. And I would suggest that today I have secret that it 
would be beneficial to move a smaller group to top secret, and 
the difference there is this, and it gets back to the 
timeliness and the level of detail, and for the sensitivity of 
my clearance, I just have to leave it at that, is that it would 
be much more beneficial to see things on a timely basis and at 
a much deeper level to be able to take action, but I feel at 
this point it's adequate but could be improved.
    Mr. Swalwell. Great. Thank you.
    And Mr. Chair, I yield back.
    Chairman Weber. Well, thank you, and I appreciate your 
bringing that up.
    Back to Mr. Stacey's lack of surprise at an attack, I was 
talking with the Ranking Member here, and it's kind of like a 
lot of terrorism. What is it we say, that we have to be 100 
percent vigilant, diligent all the time; they have to be lucky 
one time.
    So I now recognize the gentleman from Michigan, Mr. 
Moolenaar.
    Mr. Moolenaar. Thank you, Mr. Chairman.
    Mr. Gaines, I wanted to follow up with you on some of your 
comments. You had talked about the area of prevention and 
thinking about what we could do to complement the efforts 
you're doing in the industry, and you talked about, you know, 
prevention investments maybe could be--there could be benefits 
across industries. Can you describe that a little bit more?
    Mr. Gaines. Across the industry?
    Mr. Moolenaar. Across the industry.
    Mr. Gaines. Across the industry itself?
    Mr. Moolenaar. Yes.
    Mr. Gaines. And I do have to come back to this issue, and I 
know it's uncomfortable maybe to repeat it again, but we do 
have in the industry a set of standards, and those standards 
hold us to a level, and if we're not compliant, then there's 
liability, and I think that has to be looked at first because 
there is the--there's not the lack of interest in wanting to be 
able to share from an industry but there's certainly a level of 
hesitancy at times at what level we share. So I remind us of 
that.
    To that point, though, I don't think it can be done on a 
voluntary basis. I think that there has to be an open, 
collaborative environment between the government, and I speak 
of probably two or three agencies that I think we could all do 
a better job, and I start out with Homeland because they own 
the infrastructure. I start out with DOE because they are our 
sector control. Those are two. The third would be the FBI 
because they become the investigative arm in the event that 
something happens. I do believe that there is a way with the 
industry to be able to collaborate real-time threat analysis 
information, and it isn't a voluntary but rather a requirement 
that should occur, but it does start with the issue of our 
ability to be able to manage that directly industry to 
government.
    Mr. Moolenaar. So it sounds to me like some of the effort, 
you're talking about people getting together in a room and 
meeting and discussing this. You aren't talking about major 
investments in infrastructure or some kind of----
    Mr. Gaines. Both.
    Mr. Moolenaar. --technology. You are talking about both?
    Mr. Gaines. I am talking about both. I'm talking about the 
industry being able to have the necessary technology within 
their company to be able to provide that level of information, 
and I'm talking about the government being able to have and 
being a recipient and being able to use it, so it's technology 
and it's also skills and resources.
    Mr. Moolenaar. And do you think that when you think about 
prevention, you know, you prevent one threat but that another 
threat emerges that you weren't aware of? How long are the 
benefits from that kind of an investment? You know, how long 
does that last?
    Mr. Gaines. I think that's one of the things Ms. Lee talked 
about is that becomes a priority, where do we focus on first. I 
don't think you can deal with every single threat. There's a 
lot of work that's being done in the industry right now to 
define what a critical asset is, and it's very good work. The 
gentleman asked me, are the standards good. They're really 
good. They create baseline. I can tell you within our company, 
what are by definition the critical substations that have an 
impact on our entire network. Now, if I start there just alone 
with those critical assets and you multiply that times 120 
investor-owned utilities, that's pretty valuable information. 
And so--and again, I don't want to give you any idea how many 
that is other than to say it is a manageable number.
    Mr. Moolenaar. And just, it was mentioned earlier this idea 
of improving early detection, and I don't know if that was you, 
Mrs. Lee, or who it was that talked about the importance of 
that. Is that where we should be focusing?
    Ms. Lee. I will add, I think early detection is important. 
One of the difficulties, and I believe it's been discussed 
here, is when you have an event, it can be very difficult to 
determine whether it's a cybersecurity event. I've done 
exercises with utilities and their frustration was, I didn't 
know it was a cybersecurity event. So it's a matter of, we 
talked about on the protection side but also as we've all 
discussed, using commercially available products. They have 
built-in vulnerabilities. The utilities are--as they're 
developing their mitigation strategies, you have to assume your 
systems at some point are going to be compromised, and so you 
take that as a given, maybe not significant but you use that 
when you develop your mitigation strategies. So I think it's a 
combination of looking at it from the protection side but then 
what do you do if there is a cybersecurity event. You want the 
electricity to continue to flow.
    Mr. Moolenaar. Mr. Wilshusen?
    Mr. Wilshusen. Yes, I would agree with that too because I 
know there's been a lot of discussion about the standards out 
there, and that's fine and they may be adequate, but what also 
needs to happen is the implementation of those standards 
consistently over time throughout the enterprise, and in our 
work at federal agencies and other entities, that often does 
not occur. Vulnerabilities exist because standards aren't being 
implemented consistently over time across the enterprise. And 
so it's through that that attacks often occur. So the aspect of 
monitoring the effectiveness of the security controls is also 
going to be a key part of the overall defense-in-depth 
strategy.
    Mr. Moolenaar. Thank you, and thank you, Mr. Chairman. I 
yield back.
    Chairman Weber. The gentleman yields back.
    I now recognize the gentleman from Louisiana, Dr. Abraham.
    Mr. Abraham. Thank you, Mr. Chairman.
    Mr. Stacey, let me start with you at kind of the 30,000-
foot view. If we have a full-scale cyber attack, what does it 
do to the nation's economy and to the nation's security 
infrastructure?
    Mr. Stacey. It would be significant. All the other 
infrastructures run off the energy infrastructure.
    Mr. Abraham. And that leads me to the next question. How 
often is a cyber attack or an attempted attack tried on our 
nation's power grid?
    Mr. Stacey. What I can tell you is that from ICS-CERT, 
they're seeing a 32 percent increase in fiscal year 2014 of 
target attacks on the energy sector. I don't have the specific 
number for the grid.
    Mr. Abraham. But it has increased in the last----
    Mr. Stacey. It is increasing.
    Mr. Abraham. And I read something in USA Today that the 
U.S. power grid faces physical or online attacks approximately 
once every four days. Is that a fairly accurate statement?
    Mr. Stacey. That's fair.
    Mr. Abraham. Okay. That's all, Mr. Chairman. I yield back.
    Chairman Weber. Thank you. The gentleman yields back.
    The gentleman from Georgia, Mr. Loudermilk, is recognized.
    Mr. Loudermilk. Thank you, Mr. Chairman, and I appreciate 
all of the witnesses being here. I apologize that I wasn't here 
for the earlier testimony but we also have Homeland Security 
issues going on. I'm doing the ping pong between the 
committees.
    But prior to coming to Congress, I spent 30 years in the IT 
industry. Twenty of that time, I had my own business, and a 
good portion of our business was going into smaller utility 
systems and helping them automate. So I have some background in 
this, predominantly smaller municipal co-op systems to where we 
would put fiber optics into the city to tie the different SCADA 
systems together, pump stations, substations, et cetera, so 
they can more effectively monitor--getting more to a smart 
grid. During that time, many of those smaller operations saw 
the value of bringing in revenue, especially in small 
utilities, of selling the interconnectivity to businesses that 
had multiple locations within their jurisdiction. That also led 
to bringing in high-speed internet, which allowed them to 
connect and sell internet services on the same backbone or the 
same infrastructure that was also running their devices. Now, 
of course, we put in a lot of technology to segregate those 
networks, but at the same time, they also saw the functionality 
of being able to monitor and manage and respond without having 
to be in the office to an incident that happened within the 
utility system through the use of the internet.
    So as we were trying to implement these new technologies to 
allow them to be more efficient in operating their utility, and 
many of those provide electricity throughout their cities or 
their area of responsibility, it did help a lot, but then there 
was the concern that we had of someone from the outside being 
able to get in. And so what we would do is, we would do a lot 
of research, and one of the things that we did not have was an 
approved products list that we could go to, that the government 
had said all right, if you use this type of gateway, use this 
firewall, use this type of filter, then we know it'll be 
secure. So we did a lot of research. We went to a lot of 
vendors and we would get what we believed was the most secure, 
put that into place, and in most cases we were under contract 
to maintain it and make sure the security updates were done, 
the patches, et cetera, et cetera.
    The next progression was to then put in the other elements 
of the smart grid for meter reading and all this. So some of 
the things we started looking at were points of access, points 
of failure, points of vulnerability, which growed--which grew 
exponentially once we started adding the more technology.
    In a previous committee, I brought up the lack of an 
approved products list that vendors such as myself or these 
smaller electric utilities can go to that has standards, 
equipment standards, standards of practice, operation, et 
cetera. Now, I understand the Department of Energy is working 
on that, and I applaud that effort. But I do believe, and I 
know that there is a lot of vulnerability accessing the grid, 
you may say, through smaller electric utility systems. Some of 
those that we put equipment in, we went out and spent a lot 
looking at security aspect of it to make sure that they could 
operate securely. Because of budget cuts, many of them would 
cut our contract and manage it themselves, and then some of 
them would actually go and buy parts off of eBay because they 
were cheaper, but I would try to emphasize to them, there's a 
reason that part is on eBay is probably because it has been 
discontinued for security reasons.
    Can any of you that would like to comment on where we are, 
where we're going and if you feel that there is a need to have 
a standard set of standards for equipment, for upgrade, for 
maintenance, and operation with the smaller utilities as well 
as large.
    Mr. Gaines. Well, I'll speak as a large utility. I can't 
speak for a small utility. That would not be accurate for me to 
do.
    Mr. Loudermilk. You may be able to opine as far as how 
vulnerability of the small utilities affect the larger utility.
    Mr. Gaines. Well, I'll try to answer your question 
directly, though, regarding standards associated with 
equipment, software technologies. I think there certainly has 
to be some level of verification, validation of equipment. To 
the extent that you could create a universal standards for 
every type of equipment that sits inside of a network, I think 
it would be very difficult, and the question is, who would 
monitor and manage that. That is the challenge, and it ranges 
from software to hardware. I do think there are some validation 
points, though, that you can put in. Do you have--are you 
building software or are you building equipment--a method of 
configuring it so that it could be personal to the company 
versus a standard set of passwords that are set in a piece of 
software, as an example. Those are things that you could do to 
design into the technology. As it relates to the vulnerability 
between a small utility, municipal or not, we work together 
very well in the industry between our industry association, 
EEI, groups like EPRI who do research for us, and so I would 
tell you that there's very little distinction about what the 
expectations are on a small utility versus a large utility.
    Mr. Stacey. Thank you for the question. I'd offer this 
perspective. Right now, vendors are offering equipment with as 
much flexibility as they can, with as much functionality as 
they can. And that's adding to the complexity. If as a sector 
there was work done on how do I minimize the functionality to 
really what I need--that the valve only opens and closes as 
fast as I need for an emergency response, and that sensors on 
the pipe managing flow only have the fidelity for managing the 
flow, as we reduce that complexity, initially that would cost 
more because you're asking for something that's different, but 
as an industry, as they worked on reducing the complexity and 
trying to find components that did the minimum functionality 
required to manage within an industrial control system, I think 
there'd be some benefits to that.
    Mr. Loudermilk. Is there currently a rating system or an 
evaluation that is used as far as how secure a utility is in 
their operation?
    Mr. Gaines. In terms of vendor equipment?
    Mr. Loudermilk. The whole footprint, the entire topology. 
Is there a method that some independent organization or the 
government can come in and evaluate and give some type of 
security rating?
    Mr. Gaines. Yes, there is. The CIPS, the Critical 
Infrastructure Protection Standards, are a set of standards 
that originated in 2005. We're on version 5 right now. And they 
baseline the transmission system and the security around that 
through those standards and then they are auditable. And to the 
extent there is remediation associated with those audits, 
they're managed accordingly. FERC administers those through 
NERC.
    Chairman Weber. Does the gentleman yield back?
    Mr. Loudermilk. I'm out of time, Mr. Chairman, so I will 
yield back the time I don't have remaining.
    Chairman Weber. All right. The gentleman yields.
    Mr. Johnson, you're recognized.
    Mr. Johnson. Thank you, Mr. Chairman, and I want to thank 
my colleagues on the Committee for allowing me to sit in on 
this today. It's an area of extreme interest and importance in 
my regard.
    I spent nearly 30 years as an information technology 
professional, part of that time, a large part of that time, in 
the Department of Defense being concerned about the security of 
data systems that support our special operations folks and 
things like that. I feel very, very strongly that cybersecurity 
is an issue across the spectrum. It's getting a lot of talk but 
it's not getting a lot of focused attention to address the 
issue. It's an issue--and I don't know if the four of you agree 
or not. It's not something that's got a finish line. You know, 
this is not something that we're going to solve and then we're 
going to move on to the next big problem. As long as the world 
is connected with computing systems and networks, you're going 
to have those with the wherewithal, some of them because they 
can, some of them because they desire to create chaos with 
malicious or criminal intent are going to try to get into our 
networks and our energy systems and our power grids are one of 
those areas that would wreak havoc on America's economy, and I 
think we can all agree with that.
    Mr. Gaines, what in your mind does the integration of IT 
systems and supervisory control and data acquisition systems 
have in increasing the risk to grid operations?
    Mr. Gaines. First of all, Mr. Johnson, hello. It's good 
seeing you again.
    Mr. Johnson. Good to see you, sir.
    Mr. Gaines. Thank you.
    I would like to start out by saying I don't think it's if; 
it's when. The OT operational systems technologies and the IT 
technologies are merging and they go back to exactly what I 
suggested, that in a substation now, it looks like a small 
communications network. It's got a device in it that 
communicates with most of the assets, transformers, that 
determine the health and in fact the condition of those 
transformers. That's all communicated back to the SCADA system 
into the IT systems. Secondly, the IT systems are tied to our 
power grid and actually help us manage and monitor that from a 
generation perspective. I think the industry is moving to 
converge those, not necessarily manage them as you would manage 
them on the grid as an operator but manage that space so that 
one, they understand the health of it, they understand the 
reliability of it, and the impacts that cyber, specifically 
cyber, has on it.
    I go back to the Metcalf incident. There were three things 
that occurred within an hour: the cutting of a communication 
line, the actual assault on the location itself, and then the 
loss of load. Those all three were done within an hour, and 
they were in the space that if you would've had monitoring and 
the ability to alert and manage that, I wouldn't suggest that 
you could avoid but you could have mitigated some of the 
issues.
    Mr. Johnson. Can you talk specifically about what 
FirstEnergy is doing to mitigate this vulnerability?
    Mr. Gaines. Yes. We in fact have over the past 12 months 
built a security operations center, and we manage all three of 
those from one center, so I manage the operations and the 
health of those physical assets. We look at that from an IT 
perspective and overlay IT to that, and then I physically 
monitor the station through cameras, video and X-ray. And so I 
see that single pane--as we define it, I single that single 
pane of our critical assets, and that's not dispersed around 
the company. I don't have a physical security desk, I don't 
have an operating center, and I don't have a cyber center. I 
have one operations center that looks at that, and they're not 
looking at it on multiple systems; they're looking at it on one 
system. We are one of the first in the industry. We've worked 
with EPRI very hard so the industry gets it, and there's a lot 
of work being done there.
    Mr. Johnson. Okay. Well, thank you very much.
    I had other questions but I think I've exhausted my time. 
Thank you, Mr. Chairman, for your indulgence.
    Chairman Weber. The gentleman yields back.
    Well, I want to thank the witnesses for their valuable 
testimony and the Members for their questions. The record will 
remain open for two weeks for additional comments and written 
questions from Members.
    This meeting is adjourned.
    [Whereupon, at 11:40 a.m., the Subcommittees were 
adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]