<html>
<title>CYBERSECURITY FOR POWER SYSTEMS</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                    CYBERSECURITY FOR POWER SYSTEMS

=======================================================================

                              JOINT HEARING

                               BEFORE THE

                        SUBCOMMITTEE ON ENERGY &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            October 21, 2015

                               __________

                           Serial No. 114-43

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

        Available via the World Wide Web: http://science.house.gov


                              ____________


                     U.S. GOVERNMENT PUBLISHING OFFICE
97-762PDF                 WASHINGTON : 2017
_________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. 
SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
BILL JOHNSON, Ohio                   ED PERLMUTTER, Colorado
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
STEVE KNIGHT, California             MARK TAKANO, California
BRIAN BABIN, Texas                   BILL FOSTER, Illinois
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
                                 ------

                         Subcommittee on Energy

                   HON. RANDY K. WEBER, Texas, Chair
DANA ROHRABACHER, California         ALAN GRAYSON, Florida
RANDY NEUGEBAUER, Texas              ERIC SWALWELL, California
MO BROOKS, Alabama                   MARC A. VEASEY, Texas
RANDY HULTGREN, Illinois             DANIEL LIPINSKI, Illinois
THOMAS MASSIE, Kentucky              KATHERINE M. CLARK, Massachusetts
STEVE KNIGHT, California             ED PERLMUTTER, Colorado
BARBARA COMSTOCK, Virginia           EDDIE BERNICE JOHNSON, Texas
BARRY LOUDERMILK, Georgia
LAMAR S. 
SMITH, Texas
                                 ------

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. McCAUL, Texas             ELIZABETH H. ESTY, Connecticut
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon
DAN NEWHOUSE, Washington             ERIC SWALWELL, California
GARY PALMER, Alabama                 EDDIE BERNICE JOHNSON, Texas
RALPH LEE ABRAHAM, Louisiana
LAMAR S. SMITH, Texas

                            C O N T E N T S

                            October 21, 2015

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Randy K. Weber, Chairman,
  Subcommittee on Energy, Committee on Science, Space, and
  Technology, U.S. House of Representatives......................     8
    Written Statement............................................     9

Statement by Representative Suzanne Bonamici, Minority Ranking
  Member, Subcommittee on Environment, Committee on Science,
  Space, and Technology, U.S. House of Representatives...........    10
    Written Statement............................................    12

                               Witnesses:

Mr. Brent Stacey, Associate Lab Director for National & Homeland
  Science and Technology, Idaho National Lab
    Oral Statement...............................................    13
    Written Statement............................................    15

Mr. 
Bennett Gaines, Senior Vice President, Corporate Services and
  Chief Information Officer, FirstEnergy Service Company
    Oral Statement...............................................    21
    Written Statement............................................    23

Ms. Annabelle Lee, Senior Technical Executive in the Power
  Delivery and Utilization Sector, Electric Power Research
  Institute
    Oral Statement...............................................    32
    Written Statement............................................    34

Mr. Greg Wilshusen, Director of Information Security Issues,
  Government Accountability Office
    Oral Statement...............................................    41
    Written Statement............................................    43
Discussion.......................................................    60

             Appendix I: Answers to Post-Hearing Questions

Mr. Brent Stacey, Associate Lab Director for National & Homeland
  Science and Technology, Idaho National Lab.....................    82

Mr. Bennett Gaines, Senior Vice President, Corporate Services and
  Chief Information Officer, FirstEnergy Service Company.........    86

Mr. Greg Wilshusen, Director of Information Security Issues,
  Government Accountability Office...............................    88

            Appendix II: Additional Material for the Record

Statement submitted by Representative Barbara Comstock,
  Chairwoman, Subcommittee on Research and Technology, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives................................................    94

Statement submitted by Representative Lamar S. Smith, Chairman,
  Committee on Science, Space, and Technology, U.S. House of
  Representatives................................................    96

Statement submitted by Eddie Bernice Johnson, Ranking Member,
  Committee on Science, Space, and Technology, U.S. 
House of
  Representatives................................................    98


                    CYBERSECURITY FOR POWER SYSTEMS

                              ----------


                      WEDNESDAY, OCTOBER 21, 2015

                  House of Representatives,
                   Subcommittee on Energy &
           Subcommittee on Research and Technology,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:04 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Randy
Weber [Chairman of the Subcommittee on Energy] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Weber. Good morning, and welcome to today's joint
Energy and Research and Technology Subcommittee hearing
examining cyber threats to American energy systems.
    Today, we will hear from an expert panel on the growing
threat of cyber attacks to the nation's electric grid. Our
witnesses today will also provide insight into how industry and
the federal government are working together, or maybe in some
instances not working together, to anticipate cyber threats,
and improve the reliability and resiliency of our electric grid
against those cyber attacks.
    The reliability of America's power grid is one of our
greatest economic strengths. I like to say, the things that
make America great are the things that America makes, and how
do we do that? With an affordable, reliable, dependable
electricity supply.
    In my home State of Texas, reliable and affordable power
serves a population that is increasing by more than 1,000
people a day, and it provides power to the energy-intensive
industries that drive consumption. Texas is by far the nation's
largest consumer of electricity. 
Keeping the Texas power grid
reliable and secure is key to continuing this economic growth.
    But as we established in a hearing on broad threats to the
power supply earlier this year, utilities face significant
threats to that same reliable delivery of power. Our electric
grid is particularly vulnerable to growing cybersecurity
threats as the grid is modernized, as distributed energy,
electric vehicles, and modernized digital operating systems
create more access points for cyber attacks. And while the
nation's industrial control systems for the grid are analog
systems designed to last for decades, digital IT systems must
constantly adapt to combat evolving cyber threats.
    Small-scale cyber and physical attacks to our electric grid
are estimated to occur once every four days, and in over 300
cases of significant cyber and physical attacks since 2011,
suspects have never been identified. Now, let me repeat that.
In over 300 cases of significant cyber and physical attacks
since 2011, no suspects have been identified.
    We often think of cybersecurity and other threats to the
power grid at a macro scale, but these types of attacks can
occur even at a local level. In 2011, the Pedernales Electric
Co-op, a non-profit co-op that serves approximately 200,000
customers north of San Antonio, was struck by a cyberattack.
While the attack thankfully did not disrupt power to consumers,
it is a stark reminder that threats to the grid are real, and
they are not going to go away anytime soon.
    Our nation's power supply cannot be protected overnight,
particularly as utilities struggle to adapt technology to
manage a growing number of cybersecurity threats. Cyber threats
to the power grid will continue to evolve, particularly as more
interconnected smart technologies are incorporated into the
electric grid. We call those smart meters back in Texas. 
And as
protective technology improves, so does the capability and
creativity of those who are conducting those cyber attacks,
unfortunately.
    While we cannot predict every method of attack, the federal
government can and should play a role in assisting industry
with developing new technology and security safeguards.
Accordingly, research and development efforts at the Department
of Energy are focused on providing industry with comprehensive
tools to conduct internal analysis to identify and address
cybersecurity weaknesses so that the industry can take the lead
in addressing these same vulnerabilities.
    That is why testing facilities and cooperative research,
like the Cyber Security Test Bed at Idaho National Lab, are
valuable tools to combat cyber threats. At INL, industry can
test control systems technology in real world conditions,
reducing response time and risk for future attacks.
    I'd like to say in advance I want to thank the witnesses
for testifying before the Committee today. I look forward to a
discussion about cyber threats to our critical infrastructure,
and how the federal government can provide industry with the
tools and technology necessary to fight the next generation of
cyber attacks.
    [The prepared statement of Chairman Weber follows:]

              Prepared Statement of Subcommittee on Energy
                        Chairman Randy K. Weber

    Good morning and welcome to today's joint Energy and Research and
Technology Subcommittee hearing examining cyber threats to American
energy systems. 
Today, we will hear from an expert panel on the growing
threat of cyber-attacks to the nation's electric grid.
    Our witnesses today will also provide insight into how industry and
the federal government are working together to anticipate cyber
threats, and improve the reliability and resiliency of our electric
grid against cyber-attacks.
    The reliability of America's power grid is one of our greatest
economic strengths. In my home state of Texas, reliable and affordable
power serves a population that is increasing by more than 1,000 people
per day, and provides power to the energy intensive industries that
drive consumption. Texas is by far the nation's largest consumer of
electricity. Keeping the Texas power grid reliable and secure is key to
continuing this economic growth.
    But as we established in a hearing on broad threats to the power
supply earlier this year, utilities face significant threats to the
reliability of power delivery. Our electric grid is particularly
vulnerable to growing cybersecurity threats as the grid is modernized,
as distributed energy, electric vehicles, and modernized digital
operating systems create more access points for cyber-attacks.
    And while the nation's industrial control systems for the grid are
analogue systems designed to last for decades, digital IT systems must
constantly adapt to combat evolving cyber threats.
    Small scale cyber and physical attacks to our electric grid are
estimated to occur once every four days. And in over 300 cases of
significant cyber and physical attacks since 2011, suspects have never
been identified.
    We often think of cybersecurity and other threats to the power grid
at a macro scale, but these types of attacks can occur even at the
local level. In 2011, the Pedernales Electric Co-op, a non-profit co-op
that serves approximately 200,000 customers north of San Antonio, was
struck by a cyberattack. 
While the attack thankfully did not disrupt
power to consumers, it is a stark reminder that threats to the grid are
real, and are not going away.
    Our nation's power supply cannot be protected overnight,
particularly as utilities struggle to adapt technology to manage a
growing number of cybersecurity threats. Cyber threats to the power
grid will continue to evolve, particularly as more interconnected smart
technologies are incorporated into the electric grid.
    And as protective technology improves, so does the capability and
creativity of those conducting attacks.
    While we cannot predict every method of attack, the federal
government can and should play a role in assisting industry with
developing new technology and security safeguards.
    Accordingly, research and development efforts at the Department of
Energy are focused on providing industry with comprehensive tools to
conduct internal analysis to identify and address cybersecurity
weaknesses so that industry can take the lead in addressing these
vulnerabilities.
    That's why testing facilities and cooperative research, like the
Cyber Security Test Bed at Idaho National Lab, are valuable tools to
combat cyber threats. At INL, industry can test control systems
technology in real world conditions, reducing response time and risk
for future attacks.
    I want to thank our witnesses for testifying before the Committee
today. I look forward to a discussion about cyber threats to our
critical infrastructure, and how the federal government can provide
industry with the tools and technology necessary to fight the next
generation of cyber-attacks.

    Chairman Weber. I now recognize Ms. Bonamici.
    Ms. Bonamici. 
Thank you very much, Chairman Weber, for
holding this hearing, and thank you to our witnesses for
participating.
    As many of you know, October is National Cyber Security
Awareness Month, so it's a fitting time for this hearing today.
    We're all familiar with the increasing frequency of cyber
attacks that compromise personal and business information. At
the World Economic Summit earlier this year, cyber threats made
the top 10 list of the most likely global risks. Lloyd's of
London estimates that cyber attacks can cost businesses as much
as $400 billion a year.
    What we're focusing on today is a different kind of
cybersecurity. It's about securing the electric grid so that a
cyber attack doesn't affect grid operations, which could halt
our daily lives and threaten our economic security. These
attacks often gain entry through an information technology
system, but, instead of taking corporate data, they directly
target system operations that can cause havoc and chaos.
    In February of this year, an elite group of hackers broke
through an electric utility's firewall and gained access to
their substation controls in just 22 minutes. Luckily the
attack was a drill initiated at the request of the utility to
test their system. But this example demonstrates what's
possible.
    The energy sector continues to report more cyber attacks to
the Department of Homeland Security, more than any other
critical infrastructure sector. In just one month the PJM
Interconnection, which coordinates electricity transactions in
13 states and in D.C., experienced 4,090 documented cyber
attempts to attack their system. 
That's more than five and a
half attacks on their electrical market system per hour.
    So far, no publicly reported cyber events have resulted
in an electricity outage in the United States but the
sophistication of attacks on industrial control systems is
increasing.
    Utilities across our country are advancing energy
efficiency through smart grids and programs like feed-in tariff
systems. As we discuss ways to keep the grid safe, we also must
be mindful of doing so without inhibiting innovation.
    Google, Wells Fargo, and Aetna are exploring ways to
leverage employee behavior as a tool, instead of a
vulnerability, to build a more secure system. From
understanding how people swipe their phones, to the patterns
they use when typing on a keyboard or walking, a better
understanding of behavioral biometrics is opening the door to
developing more cyber-secure components and processes. The more
we understand about human and social behavior, the stronger our
toolbox. Rather than resting the success of our cybersecurity
efforts on programs that require changes in human behavior, we
might have better success if we change our technology and
processes to fit the behavior of people. And the more we
understand the behavior of threat actors, the better we can
design protections.
    So in addition to building a better technology-based
firewall, we need to invest in developing a better human
firewall. Our weakest link and our most resilient asset to meet
the dynamic changing needs of the cyber arms race is us.
    I thank each of our witnesses for being here today, and I
look forward to hearing what each of you has to say, and thank
you for sharing your expertise.
    Thank you, Mr. Chairman. I yield back the remainder of my
time.
    [The prepared statement of Ms. 
Bonamici follows:]
           Prepared Statement of Subcommittee on Environment
                Minority Ranking Member Suzanne Bonamici

    Thank you, Chairman Weber and Chairwoman Comstock, for holding this
hearing, and thank you to our witnesses for participating. As many of
you know, October is National Cyber Security Awareness Month, so it's a
fitting time for this hearing.
    We are all familiar with the increasing frequency of cyber attacks
that compromise personal and business information.
    At the World Economic Summit earlier this year, cyber threats made
the top 10 list of most likely global risks. Lloyd's of London
estimates that cyber attacks can cost businesses as much as $400
billion a year.
    What we are focusing on today, however, is a different kind of
cyber security. It's about securing the electric grid so a cyber attack
doesn't affect grid operations, which could halt our daily lives and
threaten our economic security. These attacks often gain entry through
an information technology system, but, instead of taking corporate data
they directly target system operations that can cause havoc and chaos.
    In February of this year, an elite group of hackers broke through
an electric utility's firewall and gained access to their substation
controls in 22 minutes. Luckily the attack was a drill initiated at the
request of the utility to test their system. But this example
demonstrates what's possible.
    The energy sector continues to report more cyber attacks to the
Department of Homeland Security than any other critical infrastructure
sector. In just one month the PJM Interconnection, which coordinates
electricity transactions in 13 states and DC, experienced 4,090
documented cyber attempts to attack their system. 
That's more than five
and a half attacks on their electrical market system per hour.
    So far no publicly reported cyber events have resulted in an
electricity outage in the U.S. But the sophistication of attacks on
industrial control systems is increasing.
    Utilities across our country are advancing energy efficiency
through smart grids and programs like feed-in tariff systems. As we
discuss ways to keep the grid safe, we must be mindful of doing so
without inhibiting innovation.
    Google, Wells Fargo, and Aetna are exploring ways to leverage
employee behavior as a tool, instead of a vulnerability, to build a
more secure system. From understanding how people swipe their phones,
to the patterns they use when typing on a keyboard or walking, a better
understanding of behavioral biometrics is opening the door to
developing more cyber-secure components and processes.
    The more we understand about human and social behavior, the
stronger our toolbox. Rather than resting the success of our
cybersecurity efforts on programs that require changes in human
behavior, we might have better success if we change our technology and
processes to fit the behavior of people. And the more we understand the
behavior of threat actors, the better we can design protections.
    So in addition to building a better technology-based firewall, we
need to invest in developing a better human firewall. Our weakest link
and our most resilient asset to meet the dynamic changing needs of the
cyber arms race is us.
    I thank each of our witnesses for being here today, and I look
forward to hearing what each of you has to say.
    Thank you, Mr. Chairman, and I yield back my remaining time.

    Chairman Weber. I thank the gentlelady from Oregon.
    Our first witness today is Mr. Brent Stacey, Associate Lab
Director for National & Homeland Science and Technology at the
Idaho National Laboratory. Mr. 
Stacey earned his bachelor's
degree from Idaho State University.
    Our next witness is Mr. Bennett Gaines, Senior Vice
President of Corporate Services and Chief Information Officer
for FirstEnergy Service Company. Mr. Gaines earned his
bachelor's degree in social sciences from Baldwin Wallace
College and his master's degree from the University of Phoenix.
    Next, we have Ms. Annabelle Lee, Senior Technical Executive
in the Power Delivery and Utilization Sector for the Electric
Power Research Institute. Ms. Lee received her B.A. from
Stanford University and her master's degree from Michigan State
University.
    And our final witness today is Mr. Greg Wilshusen--is it--
--
    Mr. Wilshusen. Wilshusen.
    Chairman Weber. Wilshusen.
    Mr. Wilshusen. Yes.
    Chairman Weber. Okay. So the rest of the Committee is duly
notified. Wilshusen, Director of Information Security Issues
for the Government Accountability Office. Mr. Wilshusen
received his bachelor's degree in business administration from
the University of Missouri and his master's degree in
information management from George Washington University School
of Engineering and Applied Sciences.
    Welcome to all of you, and Mr. Stacey, you are recognized.

                 TESTIMONY OF MR. BRENT STACEY,

             ASSOCIATE LAB DIRECTOR FOR NATIONAL &

                HOMELAND SCIENCE AND TECHNOLOGY,

                       IDAHO NATIONAL LAB

    Mr. Stacey. Thank you, Chairman Weber, Chairwoman Comstock,
Ranking Member Grayson, Ranking Member Lipinski, and
distinguished Members of the Committees. I want to thank you
for holding this hearing and inviting testimony from Idaho
National Laboratory, also known as INL.
    INL is acutely aware of the important national challenges
facing critical infrastructure, especially the infrastructure
vital to securing our energy supply. 
For over a decade, INL has
developed and built capabilities focused on the control systems
employed by our nation's critical infrastructure. I'd like to
highlight a few examples out of many which represent how INL
teaming with others has contributed to the security of our
infrastructure.
    First, the 2006/2007 Department of Homeland Security's
Aurora project test, destroying an electrical generator
connected to INL's power grid, was significant in proving a
cyber-physical vulnerability in the electric power system.
    Second, for DOE Office of Electricity Distribution and
Energy Reliability, as the lead laboratory along with Sandia
National Laboratory for the National Supervisory Control and
Data Acquisition Test Bed, INL completed more than 100
assessments on vendor and asset owner control systems to
identify and resolve cyber vulnerabilities. For DHS, INL
provides control systems and critical infrastructure experts in
support of DHS programs including Industrial Control System
Cyber Emergency Response Team, or ICS-CERT.
    INL remains committed to the complex national security
challenges that face our nation. As we lean forward pushing the
limits of science and engineering for control systems security,
we see a number of trends that offer insight into the direction
for future research and development. These insights include,
one, the presumption that a control system is air-gapped is not
an effective cybersecurity strategy. This has been demonstrated
by over 600 assessments. Intrusion detection technology is not
well developed for control system networks. The average length
of time for detection of a malware intrusion is 4 months and
typically identified by a third party. As the complexity and
interconnectedness of control systems increase, the probability
increases for unintended system failures of high consequence
independent of malicious intent. 
The dynamic threat is evolving
faster than the cycle of measure and countermeasure, and far
faster than the evolution of policy. And fifth, the demand for
trained cyber defenders with control systems knowledge vastly
exceeds the supply.
    In a world in which we are rapidly migrating to the
Internet of Everything, these insights, and others, highlight a
seemingly unmanageable, exponentially increasing burden of
vulnerabilities, attack surfaces and interdependencies.
    INL views this burdensome and dynamic cyber-physical
landscape, at its most basic level, as a three-tier pyramid of
defense. The base level is hygiene: the foundation of our
nation's efforts composed of the day-to-day measure and
countermeasure battle. Elements of this level include important
routine tasks such as standards compliance and patching. The
hygiene level is and has been primarily the role of industry.
The second level of the pyramid is advanced persistent threat
composed of the more sophisticated criminal and nation-states'
persistent campaigns. This requires a strategic partnership
with industry and government. At this level, ICS-CERT provides
critical surge response capacity and alerts. At the top of this
pyramid are the high-impact low-frequency events: catastrophic
and potentially cascading events that will likely require
substantial time to assess, respond to, and recover from. This
level is primarily the responsibility of government.
    At INL, we are focusing our future research on the top two
levels, striving for a two- to four-year research-to-deployment
cycle. 
Our objective with this research is to achieve
transformational innovations that improve the security of our
power infrastructure by reducing complexity, implementing
cyber-informed design, and integrating selected digital
enhancements.
    In conclusion, I'd like to thank the Committee members for
this opportunity to share our insights into the capabilities,
experiences, and vision for cybersecurity and the protection of
our nation's power grid. Your interest in understanding
cybersecurity threats with an emphasis on the reliability of
our national power grid is commendable and gives me confidence
that there is strong support from our legislators for research
leading to innovative solutions.
    One of my intentions today is to instill reciprocal
confidence that INL, in concert with DOE and DOE laboratories,
will continue to apply our intellectual talent and research to
address these challenges.
    In honoring the time allotted for my statement, I request
that my full written statement be entered into the record.
Thank you.
    Chairman Weber. Without objection, so ordered.
    [The prepared statement of Mr. Stacey follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Weber. Mr. Gaines, you're up.

                TESTIMONY OF MR. BENNETT GAINES,

                     SENIOR VICE PRESIDENT,

                     CORPORATE SERVICES AND

                   CHIEF INFORMATION OFFICER,

                  FIRSTENERGY SERVICE COMPANY

    Mr. Gaines. Good morning, Chairman Weber and Members of the
Committee. I am Bennett Gaines, Senior Vice President,
Corporate Services, Chief Information Officer for FirstEnergy.
Our 10 operating companies serve 6 million electrical customers
in six states, and we control an interconnected network of
power plants, transmission lines and distribution facilities. 
I
am responsible for providing information technology services,
ensuring the security of the company's physical and cyber
assets.
    Over the past few years, FirstEnergy has worked with the
Department of Homeland Security, the Department of Energy, and
Congress, sharing steps we are taking to address cyber threats
as well as developing partnerships with the federal government
in these efforts.
    In 2013, FirstEnergy was one of only a handful of utilities
that entered into a cooperative research and development
agreement, or CRADA, with Homeland Security, a relationship
that has proven valuable to both us and the federal government.
In 2014, we began working directly with the Department of
Energy as one of the first utilities to deploy the
Cybersecurity Risk Information Sharing Program, or CRISP, tool.
We strongly believe that sharing this critical information is
essential and should be actively supported moving forward. The
fact is, although the cybersecurity efforts of electric
utilities have been effective in addressing threats to date, we
need to continually strengthen and build on these efforts to
ensure they are up to the task of meeting the future
cyber-related challenges.
    Operational and technical advances have created broader
surfaces that are more vulnerable to attacks. Companies
continue to integrate remote access, mobile devices that
increase exposure. High-value targets such as Supervisory
Control and Data Acquisition, or SCADA, systems further entice
attackers to take advantage of an organization.
    Cyber attacks are on the rise, and the behavior of
cyberterrorists has become increasingly destructive. Many
companies are doing an excellent job with prevention through
layered defense, real-time alerting, operational monitoring,
security awareness training, and other proven tactics. 
However, \nin light of today\'s threats and vulnerabilities, we need to \nfocus more of our attention on getting ahead of the threats \nrather than simply reacting to the threats.\n    Toward that end, we need to take aggressive steps to \nmitigate vulnerabilities and minimize the damage and business \nlosses that could result from potential compromises.\n    At FirstEnergy, we\'re evaluating cyber threats to our \ncommunications network by integrating more traditional data \nregarding physical access systems and the status of equipment \nand health and on our power systems. This process, called \nThreat Intelligence Management, or TIM, provides a more \ncomprehensive system-wide consistent picture that our Security \nOperations Center can use to improve our response to cyber \nattacks. While any information can be shared, it also must be \naggregated, correlated, analyzed and distilled to be relevant \nand actionable. By supporting these essential functions, TIM \nhelps us maintain a critical infrastructure that is both highly \nsecure and resilient. The program analyzes a constant flow of \ninformation from every corner of the system to anticipate and \ndetect threats. This data can be shared among government and \nindustry partners to enhance awareness of threats and provide \nmore warning information to better mitigate attacks.\n    Simply put, TIM offers a better platform for information \nsharing. The program not only helps us better identify and \nanalyze threats and attacks, it also supports more effective \ninformation sharing and great collaboration among all \nstakeholders. This results in more threat indicators, improved \nsecurity, greater resilience of critical infrastructure, and \nultimately more effective collaboration between industry and \ngovernment.\n    Finally, the TIM program provides enhanced visibility of \nthe enterprise overall security posture. 
This is accomplished \nby coordinating the monitoring of cybersecurity, physical \nsecurity, information technology, and operational technologies. \nAdvanced analysis of these functions provide early warning of \nsecurity incidents and rapid mitigation of vulnerabilities.\n    In closing, we must continually improve our cybersecurity \nsystems and processes to stay ahead of the bad actors. To give \nyou a greater sense of the size and scope of the problem, I \nsimply point out that during my brief time here today, \nFirstEnergy probably has defended itself from at least four \ncyber attacks.\n    As you consider where to focus our efforts moving forward, \nI urge you to look towards greater research and funding in this \narea with a focus on aggregating, correlating, analyzing and \ndistilling information in order to be relevant and actionable. \nI strongly believe that one of the best ways to achieve this \ngoal is through an effective threat intelligence management \nprogram.\n    Thank you very much for the time.\n    [The prepared statement of Mr. Gaines follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Weber. Thank you, Mr. Gaines.\n    Ms. Lee, you\'re now recognized.\n\n                STATEMENT OF MS. ANNABELLE LEE,\n\n               SENIOR TECHNICAL EXECUTIVE IN THE\n\n             POWER DELIVERY AND UTILIZATION SECTOR,\n\n               ELECTRIC POWER RESEARCH INSTITUTE\n\n    Ms. Lee. Good morning, Chairmen and Members of the \nSubcommittees.\n    The Electric Power Research Institute is an independent, \nnonprofit organization and conducts research and development \nrelating to the generation, delivery, and use of electricity \nfor the benefit of the public.\n    The nation\'s power system consists of both legacy and next-\ngeneration technologies. 
New grid technologies will operate in
conjunction with legacy equipment that may be several decades
old and provide new security controls.
    Traditional information technology--IT--devices typically
have a lifespan of 3 to five years, and historically, IT has
included computer systems, applications, communications
technology and software typical for a business or enterprise.
In contrast, operational technology, or OT, devices have a
lifespan of up to 40 years or longer and have historically
focused on physical equipment technology that is commonly used
to operate the energy sector.
    There are some basic differences between the security
requirements for IT and OT systems. For example, the focus for
IT systems is confidentiality of information such as customer
energy usage and privacy information. The focus for OT systems
is availability and integrity to ensure that the reliability of
the grid is maintained even in the event of a cybersecurity
incident.
    With the increase in the use of digital devices and more
advanced communications and IT, the overall attack surface has
increased. These new devices include commercially available
components as an alternative to proprietary solutions that are
specific to the electric sector. Many of the commercially
available solutions have known vulnerabilities that could be
exploited when the solutions are installed in OT devices.
    The electric sector is addressing these attacks with
various mitigation strategies. Cybersecurity must be included
in all phases of the system development lifecycle and address
deliberate attacks launched by disgruntled employees and
nation-states as well as non-malicious cybersecurity events,
for example, user errors or incorrect documentation.
    Risk assessment is a key planning tool for implementation
of an effective cybersecurity program. EPRI, in conjunction
with utilities, researchers, and vendors, developed a risk
assessment methodology that is based on a typical IT
methodology with impact and likelihood criteria that are
specific to the electric sector. This work was performed as
part of the National Electric Sector Cybersecurity Organization
Resource, or NESCOR for short, project, a DOE-funded public-
private partnership. Several utilities are implementing
mitigation strategies at the enterprise level. One example is
an Integrated Security Operations Center, or ISOC for short. An
ISOC is designed to collect, integrate and analyze alarms and
logs from traditionally siloed organizations, providing much
greater situational awareness to the utility's security team.
    Two documents specifically address the electric sector and
provide mitigation strategies. Both documents are used
worldwide. The first is the National Institute of Standards and
Technology Interagency Report Guidelines for Smart Grid Cyber
Security. The development was led by NIST with a team of
roughly 150 volunteers. A second document is the Electricity
Subsector Cybersecurity Capability Maturity Model, which allows
electric utilities and grid operators to assess their
cybersecurity capabilities and prioritize their actions and
investments to improve cybersecurity. Many utilities and EPRI
map their R&D programs to the domain specified in this maturity
model.
    With the modernization of the electric grid, new
technologies and devices have been deployed to meet our current
and future electric sector needs. With this new functionality
comes new threats including cybersecurity threats. To take
advantage of the new technology, these threats must be
addressed.
    This concludes my statement.
    [The prepared statement of Ms. Lee follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Weber. Thank you, Ms. Lee.
    Mr. Wilshusen, you are recognized for five minutes.

                STATEMENT OF MR. GREG WILSHUSEN,

            DIRECTOR OF INFORMATION SECURITY ISSUES,

                GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Weber, Representative Bonamici, and
other Members of the Subcommittees, thank you for the
opportunity to testify at today's hearing on efforts by federal
agencies and industry to mitigate cybersecurity threats to the
U.S. power systems.
    As you know, the electric power industry is increasingly
incorporating information and communications technologies into
its existing infrastructure. The use of these technologies can
provide many benefits such as greater efficiency and lower cost
to consumers. However, if not implemented securely, modernized
electricity grid systems will be vulnerable to attack and that
could result in loss of electrical services essential to
maintaining our national economy and security.
    Today, I'll discuss actions taken and required to bolster
cybersecurity of the nation's power systems. Before I begin, if
I may, I'd like to recognize several members of my team who
were instrumental in developing my statement and performing the
work underpinning it. With me today is Mike Gilmore, an
Assistant Director, and Brad Becker, who led this effort. In
addition, Lee McCracken, John Ludwigson, and Scott Pettis also
made significant contributions.
    In 2011, we reported on a number of challenges that
industry and government stakeholders faced in securing smart
grid systems and networks against cyber threats. These
challenges included taking a comprehensive approach to
cybersecurity, ensuring that smart grid systems had built-in
security measures, monitoring implementation of cybersecurity
standards and guidelines, effectively sharing cybersecurity
information, and establishing cybersecurity metrics.
    Since then, FERC has acted to implement our recommendations
to assess these and other challenges in its ongoing
cybersecurity efforts. However, it did not implement our
recommendation to coordinate with state regulators and other
groups to periodically evaluate the extent to which utilities
and manufacturers are following voluntary cybersecurity
guidelines.
    Other entities have acted to improve cybersecurity in the
sector. For example, NERC has issued updates to its critical
infrastructure protection standards for cybersecurity and has
hosted an annual conference on grid security. In 2014, NIST
updated its smart grid cybersecurity guidelines to address the
threat of combined physical-cyber attacks. NIST also issued a
framework for improving critical infrastructure protection and
cybersecurity. The framework is intended to provide a flexible
and risk-based approach for entities including those within the
electricity subsector to protect their vital assets from cyber
threats.
    The Departments of Homeland Security and Energy have
efforts underway to promote the adoption of the framework by
critical infrastructure owners and operators.
These departments
have also developed cybersecurity risk management approaches
and tools that are available for use by the electricity
subsector.
    Nevertheless, given the increasing use of information and
communications technologies to operate the electricity grid and
other areas, continued attention to these and other areas is
required to help mitigate the risk these threats pose to the
electricity grid.
    In particular, assuring that security features are built
into smart grid systems and that a comprehensive approach to
cybersecurity is taken whereby utilities employ a defense in
depth strategy based on sound risk management principles will
be essential. Effectively sharing cyber threat vulnerability
and incident information among federal, state and local
governments as well as the private sector stakeholders in a
timely manner is imperative to provide utilities with the
information they need to protect their assets against cyber
threats.
    Additionally, an effective mechanism for monitoring the
implementation and effectiveness of the cybersecurity policies,
practices and controls over U.S. power systems is paramount to
ensure the resiliency and security of the electricity grid.
    To summarize, more needs to be done to meet the challenges
facing the industry in enhancing security. Federal regulators
and other stakeholders need to work closely with the private
sector to address cybersecurity challenges as the generation,
transmission and distribution of electricity come to rely more
on emerging and interconnected technologies.
    Chairman Weber and Members of the Subcommittee, this
concludes my statement. I'd be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Weber. Thank you, Mr. Wilshusen, and I now
recognize myself for five minutes of questions. Wow, where do
we start?
    Mr. Gaines, the Department of Energy's Office of
Electricity works with electric utilities on information
sharing and encouraging utilities to learn from the challenges
faced by their regional counterparts. The Department of
Homeland Security also operates programs to facilitate the
information sharing you referred to in your comments. What
information do you feel is most important to share with each
other and for the industry to share with regulators, and the
third part to my question really is, in your comments I think
you said information had to be actionable.
    Mr. Gaines. Correct.
    Chairman Weber. Define what you mean by ``actionable.'' Let
me reiterate. What information do you feel is most important
for industry to share with each other and then to share with
the regulators? It may be one and the same. And then define
``actionable information'' for us.
    Mr. Gaines. I'll start out with your first questions in
that we have spent the last two years working directly with
both agencies and within the confines of the programs that they
have, which are the CRISP tool and the enhanced cybersecurity
tool, and they are very effective. The difficulty of both of
those tools, they're historical; they look back. They don't
look at real-time incidents, and in some cases, there can be a
lag between three to six months from when an incident occurred.
It's not correlated in a timely manner as to what is going on
with the rest of the industry so that we can take action on
those events, and in some cases, you could have a dormant piece
of malware sitting in your environment that you didn't take
action on but that was alerted months earlier.
    As it relates to actionable, it's having real-time
information, and a technical term--I don't want to lose you--is
the actual threat actors' IP address and the specific
information that's time-framed within that window. An
illustration of that would be----
    Chairman Weber. You're not losing me. I was wondering about
that earlier when you said up to 4 months since 2011, 300
attacks, and no suspects.
    Mr. Gaines. That's correct.
    Chairman Weber. Go ahead.
    Mr. Gaines. And that is the difficulty is that by the time
the actor penetrates your environment, they're not the actor
that you see. There's an alias that sits behind that wall and
the difficulty is following that breadcrumb back to the
original source, and one of the difficulties that we have in
the industry is, is the information we get from the federal
government is not timely, and so for us to take action on
something that really we have no control over is very
difficult. My suggestion would be to reverse that, is for us to
provide across the industry real-time incidents, and it's
doable, and to be able to track not only the source but the
actual follow-on activity that occurs from that event.
    One of the things that we don't do is we don't do a good
diagnostics of what happens once the event occurs, and we move
on to the next one.
    Chairman Weber. Let me jump over to Mr. Wilshusen. You
talked about having conferences, I think, you met around the
country, probably industry and I presume government as well.
How often are those conferences held and how many attendees,
and should we increase that frequency and are they sharing that
information?
    Mr. Wilshusen. Well, what I referred to were conferences
that were being held by NERC, which is the North American
Electric Reliability Corporation, and they hold those annually,
but to the extent that Mr. Gaines talked about in providing
useful, actionable information in a timely manner, annual is
not enough. They do talk about different threats----
    Chairman Weber. It would almost have to be daily or weekly.
    Mr. Wilshusen. Much more frequently. This has been----
    Chairman Weber. Absolutely.
    Mr. Wilshusen. Right. This has been----
    Chairman Weber. I'm talking about the sharing of the
information.
    Mr. Wilshusen. Right, the sharing of the information,
particularly between federal government and the private sector
and even among private sector entities has been a longstanding
problem and a challenge throughout all critical infrastructure
sectors including the electricity subsector. What we have
found in the past is that there have been certain obstacles to
doing that including from the government sector to private
sector, making sure that those individuals at the private
sector had the appropriate security clearances--that's been a
challenge--as well as having a secure mechanism to share that
information timely.
    Chairman Weber. Is there one office that oversees what
you're describing? Is there one office within your agency, for
example, that oversees that? Who oversees that?
    Mr. Wilshusen. Well, overall, DHS has a responsibility
across federal government for taking the lead in the----
    Chairman Weber. So does DHS--you may not know this--forgive
me for interrupting, but does DHS have one office that
allocates their time and manpower and resources to just this
cybersecurity for energy companies alone? Do you know?
    Mr. Wilshusen. Well, it does have a group that's
responsible overall but the Department of Energy, known as the
sector-specific agency, also has responsibility for interacting
with the energy sector to include the electricity sector for
sharing information and assisting that sector in securing its
systems.
    Chairman Weber. I am running out of time, but I have one
last question. So what could be done better to help streamline
this process?
    Mr. Wilshusen.
Well, one of the requirements under the
Executive Order 13-636 is for agencies and particularly I think
it's DOD and perhaps DHS to come up with a mechanism that will
allow for faster sharing of information to the private sector.
    Chairman Weber. All right. Thank you.
    I'm over time, and I yield to the gentlelady from Oregon.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank
you to the witnesses for bringing your expertise on an
important issue.
    I also serve on the Education and Workforce Committee, and
I'm going to focus at first on some of the workforce issues
making sure that we have the workforce that we need to continue
to address this serious issue, and I know Mr. Stacey, you said
that the demand for trained cyber defenders with control
systems knowledge vastly exceeds the supply.
    Now, my alma mater, the University of Oregon, has just
created an Oregon Center for Cybersecurity and Privacy. They
received a federal--some federal funding, and a Center of
Excellence designation, and they plan to begin enrolling
students by next summer. But how can we incentivize more
universities to support educating this workforce, and once we
have a strong pipeline of students and get them into the
workforce, how can we attract them to public service and
government jobs when typically the private sector would pay
more and be perceived as more innovative?
    So I'll start with Ms. Lee and also ask Mr. Wilshusen and
anybody who wants to weigh in.
    Ms. Lee. As I noted in my statement, I previously was in
the federal government for 14 years. I think one of the real
advantages of working in the federal government is the kind of
work you can do and the impact that you have. I mentioned the
guidelines for smart grid cybersecurity products that we
developed. There were 150 volunteers from around the world that
participated in developing that document. These were senior-
level people literally around the world. I kept getting asked,
do you pay these people, and my response was no, these are
volunteers. I think one thing in the federal government and
working with the federal government for several decades, you
can have an impact and influence that you don't have anywhere
else, and to me, that's a real benefit for working in the
public sector. Private sector does compete. It is difficult
now. There're very few--as mentioned earlier, there are not
significant numbers of people who are in cybersecurity, and
those who focus on control systems, and as I mentioned, there
are some basic differences between cybersecurity for control
systems and our IT systems. That community is even smaller. We
need to beef up that workforce. There are controls that you
don't put on OT systems that are typical on IT systems, and we
need to--we definitely need to grow this area.
    Ms. Bonamici. And do you agree with Mr. Stacey that there's
a serious need, that we don't have the workforce?
    Ms. Lee. We don't have the workforce.
    Ms. Bonamici. I want to follow up because I know the U of O
Center is going to be working with the faculty from several
different departments including computer and information
science, philosophy, business, law. What role--you talked about
the role of human behavior but how can we really capitalize on
understanding human behavior to deal with the threats, and also
hopefully to be out in front and prevent them.
    I'll open it up to the panel. Ms. Lee, do you want to
start?
    Ms. Lee. As you mentioned, I think human behavior is very
important. Historically--and I've been doing cybersecurity now
for almost three decades--the solution was, have longer
passwords, and so what does everybody do? They write them down
because you can't remember 12- or 15-character passwords that
you have to change every 3 or 4 months.
    Ms. Bonamici. We've all done that.
    Ms. Lee. Yeah. You write them down. That's the only way you
can remember them. Is to look at cybersecurity and the solution
has to be yes, we need to figure it out. As I say, it's a messy
environment.
    If you look at the reality of cybersecurity, the devices
that are out there, the controls you may need to implement, you
can't do. You either can't afford them or they affect the
performance. You need to figure out the solutions. And I think
that's the direction that cybersecurity needs to go.
Historically----
    Ms. Bonamici. Thank you. I need to get a couple more
questions in.
    Mr. Gaines, you talked about the TIM, the Threat
Intelligence Management. That seems like a sound approach. What
are the barriers to improving and expanding that approach?
    Mr. Gaines. The barriers are twofold. One, there are
limitations that industry has today in communicating with the
government vulnerabilities, and that is a real challenge in
that we are limited to some extent because we hold the
liability if there's a breach or vulnerability to the network.
I think that needs to be looked at and in some cases eliminated
so that we can share openly very specific information about
vulnerabilities.
    The second is, is the actual technologies themselves.
Today, we are one of only two utilities that have a completely
integrated security operation center, and Ms. Lee spoke about
that center. It's a center that we integrate the physical,
being badge access, building access. We integrate the IT, being
the cyber component, and we integrate the operational, the
SCADA systems together. All three of those systems are actually
monitored, reviewed, and we take actions against events, and
I'll use a simple analogy so you can understand----
    Ms. Bonamici. I'm afraid my time's going to expire. Can I
just have a few more seconds, Mr. Chairman?
    Chairman Weber. Without objection.
    Ms. Bonamici. I want to get in a quick question for Mr.
Wilshusen. You mentioned in your testimony that FERC was
adopting standards from NIST's efforts but according to FERC
officials, the statute did not provide any authority to allow
FERC to require the smart grid technologies to follow the
standards and now it's voluntary. How's that working?
    Mr. Wilshusen. Well, it is voluntary. One of the problems
that we noted is that FERC has not--because the standards are
voluntary and have not been adopted, it has not gone out to
examine the effectiveness or the extent to which those
voluntary standards have been implemented.
    Ms. Bonamici. Thank you, and I'm very over time.
    Thank you, Mr. Chairman. Yield back.
    Chairman Weber. No problem.
    And now the Chairman is pleased to recognize for his first
appearance in a hearing in this Committee, the gentleman from
Illinois, Darin LaHood. Welcome.
    Mr. LaHood. Thank you, Mr. Chairman, very much. I
appreciate it. Great to be part of this Subcommittee.
    I want to thank the witnesses for your testimony this
morning.
    I guess, Mr. Stacey, I wanted to just maybe see if you
could highlight a couple examples of cyber attacks that maybe
recently happened where systems have been compromised and maybe
the cost to a particular company and how it affected citizens
or customers.
    Mr. Stacey. Yes. Two of the most recent are BlackEnergy and
Havex attacks. These have been to the human-machine interface
associated with the industrial control systems. Near as we can
tell, those are primarily associated with collecting
information, trying to map out systems and see what they look
like, although the payloads on those are dynamic.
There's been
a very active response from DHS on this along with other
entities, in fact, traveling around the country in briefings
with the FBI and notifying people about that.
    As far as the costs associated with individual utilities in
mitigating that, I don't have insight into that, but I know the
federal government and the laboratory took a very aggressive
stance on notifying and making people aware of those particular
malware.
    Mr. LaHood. And I guess as a follow-up maybe to Mr. Gaines,
when we talk about cybersecurity and talk about really what
these entities are engaged in is criminal activity, when we
talk about deterring that, I mean, are there currently any
active prosecutions by the federal government, either the U.S.
Attorney's Office or anybody that we can kind of use as
examples to deter this behavior?
    Mr. Gaines. I don't--I'm not aware of any criminal activity
so I say that. I do know that there have been incidents that
have been nation-state and/or in some cases domestic that
probably warrant the investigation of that. A good example of
that would've been the Metcalf incident that occurred in
southern California in 2013. That substation lost 17
transformers. There were 127 rounds of ammunition that were shot
into the substation and power had to be rerouted.
    To the Chairman's point, though, that actor has not--and/or
actors have not been found, and the evidence obviously is very
clear that it was multiple actors very potentially.
    But to the extent that there has been prosecution, that has
not occurred, to my knowledge.
    Mr. LaHood. And on that specific case with Metcalf, is
there an ongoing investigation to try to determine who the
perpetrator was?
    Mr. Gaines. There absolutely is, and following that
incident, FERC issued a number of standards on physical
security that the industry is now implementing, and a lot of
that has to do with both the monitoring both of the physical
asset and the cyber asset, and so we've learned from an
industry but to the extent that we've seen that replicated or
duplicated in industry, it has not.
    Mr. LaHood. In terms of becoming aware when a system is
compromised, walk me through a little bit of, if a company is
compromised, the reporting on that in terms of to the federal
government. Is that something that's made public, or who's the
repository of threats or compromises that happen, and then how
does that get made public or is there some secrecy involved
with that? I mean, I guess what I'm getting at, do companies,
you know, in a competitive marketplace not want people to be
aware that their systems were compromised for vulnerabilities?
How is that addressed?
    Mr. Gaines. I'll give you a real-life example. At 11
o'clock yesterday afternoon, our systems were attempted to be
penetrated by a denial of service, so they're flooding your
network. That flooding of the network slows down your network,
and at that point we pick it up on our firewalls, we shut the
traffic down, and then we do forensics on that. Within an hour,
we report that to the ES ISAC. That ISAC is our sector group
that we use to facilitate that type of information. Now, I go
back to my original point that I made earlier. That happened to
me. I venture to say that that same actor was scanning other
networks and that that same DDoS attack was being attempted. At
4 o'clock, we get an acknowledgement back from the government
that they received the information. As of 11 o'clock, 24 hours
later, I still don't have a response back from the government.
    There's a good example of the timeliness of information. If
we could share that information real time within the industry,
think about the potential of being able to collaborate very
quickly and take action because most likely that actor has shut
down their server and they've moved on, and so we have no time
again to take any reasonable mitigation steps. The good news
is, our security systems worked. To the extent that that threat
I reported gets communicated, it does get communicated. Most
likely it'll be a few months from now. It'll be watered down,
and the real sad part about it is, it doesn't have the level of
detail to take any action on it.
    Mr. LaHood. Thank you.
    Thank you, Mr. Chairman.
    Chairman Weber. Thank you.
    And before I go to the gentleman from New York, if I can
just take one second here, so what you just described, Mr.
Gaines, gets back to those conferences. If you could come in
with that kind of information in real time to everybody that
was in a like business and say expect this kind of attack, is
that a doable deal?
    Mr. Gaines. I would--if I may----
    Chairman Weber. Sure.
    Mr. Gaines. I would argue slightly different. I have
security clearance, and to the gentleman's point, Homeland
Security does offer briefings to those that have security
clearance. They're non-industry-specific so they can be across
any sector. And ironically, the same approaches that an actor
uses in finance are very similar to an attempt that they would
use in our industry. That's still not soon enough. Those
briefings occur once every three months.
    Chairman Weber. But is there no platform to broadcast this
information industry-wide? And let's be energy industry
specific. Is there no platform for that?
    Mr. Gaines. There is. My point being is, it's not timely
enough. There is, and it's a very good tool. It's not timely
enough and it's not detailed enough.
    Chairman Weber. All right. Thank you.
    I appreciate the gentleman from New York's indulgence.
You're recognized.
    Mr. Tonko. Thank you, Mr. Chairman.
    Welcome to our panelists.
    The line between federal and state power has historically
been drawn at the intersection between the high-voltage
transmission system and the lower-voltage distribution system.
However, the relevance of this distinction is less clear when
it comes to cybersecurity, and Ms. Lee, you addressed some of
that with the new technologies, but to both you and Mr. Gaines,
Ms. Lee and Mr. Gaines, could the increase of smart grid and
distributed energy technologies being deployed on the
electrical distribution system increase those cybersecurity
risks to the high-voltage transmission system?
    Ms. Lee. As I said in my statement, the increase in
technology and the inclusion of IT and communications, the new
technology, yes, that does increase the potential for
cybersecurity events. I will add another one, and that is the
interconnection of these systems. If we look at the new
technology, our distributed energy resources, renewable devices
where you transmit the electricity that may be generated in one
state to another state, all of that increases the attack
surface and the potential for cybersecurity events.
    On the other side, utilities, reliability is number one.
Cybersecurity should support the reliability of the grid, and
there are a number of tools and techniques that the electric
sector has been using for decades to address reliability that
can also be used to address cybersecurity. This is not a
totally foreign area, and so it's taking advantage of what
they're currently doing, and then looking at the techniques and
technologies that the IT community uses to address these new
threats.
    Mr. Tonko. Thank you.
    And Mr. Gaines, do you also concur that it increases risk
here?
    Mr. Gaines.
If I may, not to differ, I might add a \ndifferent perspective----\n    Mr. Tonko. Okay.\n    Mr. Gaines. --if I could, please? The distribution system \nand transmission system are two separate systems. The \ndistribution system is a regional, local system and smart grid \nand/or tied to that smart grid is a meter. That\'s an individual \nIP address. It\'s an individual computer. Think of it like that. \nThere are securities around that through a certificate and \nencryption, and in our design, that particular meter is not \ntied into our core distribution system. We have what we call a \nhead-end system that sits outside of our company.\n    So I would suggest to you that from a smart meter and smart \ngrid perspective, the design and construct of that is secure. \nIs there a risk in our cases in Pennsylvania? We have two \nmillion customers, and I\'m convinced given enough time with a \nbad actor, they could figure out how to be destructive with \nthat. But to the extent that our design and configuration \nwithin the industry and our design and configuration is very \nsimilar to most smart grids and the technology is very similar. \nSo there\'s a risk but I don\'t see it as a huge threat.\n    Mr. Tonko. And no specific recommendations you would make \nto address that increased risk, either of you?\n    Mr. Gaines. I would--the gentleman, Mr. Stacey, made some \nvery good points. I think good hygiene is important, good \nengineering is important, and constant management. These \ndevices are now computers and so they have to be maintained. \nThey don\'t have the life of an existing meter, which is 20 to \n30 years. These devices have a life of between five to seven \nyears, and so the challenge that the industry is making sure \nthey maintain their smart grid environment, not neglect it.\n    Mr. Tonko. Ms. Lee?\n    Ms. Lee. There are things that the industry, as Mr. Gaines \nsaid, is doing, and I mentioned in my testimony all utilities \ndo risk assessments. 
They need to prioritize their system, \nprioritize the risks and vulnerabilities, and then make \ndecisions about which ones they want to mitigate. They do not \nhave unlimited resources. Utilities deal with many areas of \nrisk. Cybersecurity is one area. And they need to prioritize \nand determine what they want to do for their mitigation \nstrategies and then make decisions that way.\n    Mr. Tonko. There was some exchange--thank you. There was \nsome exchange over the role of forensics in cybersecurity. What \ndo we need--this is to all of you. What is needed to adequately \nconduct a forensic analysis after a cyber event? What are the \nbest----\n    Mr. Gaines. Directed to me, sir?\n    Mr. Tonko. Any of the four.\n    Mr. Gaines. Two things. First of all, there needs to be--I \ngo back to what we can share and what we cannot share with the \ngovernment during an incident. That\'s a--there\'s a lag that \noccurs there. If I have a major incident in my environment, I \nhave to report that to several agencies. That can be days or \nweeks in some cases. Secondly, once we determine it truly was a \ncyber incident, then I have to put together a full \ninvestigative report, and then it goes through a very lengthy \nprocess of determining the actual degree or significance of \nthat. I suggest to you that we cut all that or most of that \naway, and that if I truly know that I\'ve been breached inside \nof my network, I think there\'s an obligation that we work much \ncloser with the federal government on a real-time basis of \ndefining the problem first and then let\'s go assess the \npenalties or determine who was at fault later, and that lag at \ntimes can be weeks and months before we actually get into the \nreal forensics and do the real what I think are important \nthings are mitigating it. And more importantly, that \ninformation is not shared with the industry in some cases for a \nyear.\n    Mr. Tonko. Thank you very much.\n    Mr. 
Chair, I yield back.\n    Chairman Weber. I thank the gentleman.\n    And now the gentleman from Arkansas, Mr. Westerman, is \nrecognized for five minutes.\n    Mr. Westerman. Thank you, Mr. Chairman, and thank you, \npanel, for your insight today.\n    Mr. Wilshusen, I\'ll direct this question to you, but others \nmay wish to add in on it. I\'ve visited several power-generating \nfacilities, and I was pleased to find out that the control \nsystems inside the power plants are totally isolated from the \noutside world in the facilities I\'ve visited, so the chance of \na cyber attack on the actual generating facilities is pretty \nmuch mitigated unless a bad actor got into the facility and \nmessed with the control system, which could cause a huge issue. \nSo when we\'re talking about a cyber attack, what physically are \nthe risks there since these power plants are basically just \ngetting a demand signal from the grid? What kind of destruction \ndo you anticipate could happen from a cyber attack?\n    Mr. Wilshusen. Well, first of all, I would first ask about \nyour premise that the industrial control systems networks are \nindeed isolated and separated from other external networks or \ncompany communications networks. What we have found and what I \nhave seen reported through ICS-CERT and others is that often \ncompanies believe their industrial control systems networks may \nbe air-gapped, if you will, but are surprised to find when in \nfact they are not. With the increasing introduction of \ninformation and communications technologies, we\'re finding, \nincreasingly, that these networks are indeed interconnected \nwith other networks. That\'s one thing. But given that, if they \nare air-gapped, it does provide an additional level of security \ncertainly to where remote access may not be available and where \nan attacker may have to have physical access to the device. 
But \nto be sure that\'s something that if they are air-gapped, that \nis an improvement and a control over it, but--and that\'s what \nhas been historically but increasingly we\'re finding on what\'s \nbeing reported is that they are being interconnected with \ninternal and external networks, thereby as Ms. Lee mentioned, \nincreasing the attack surface and increasing the likelihood of \na potential incident over those industrial control systems \nnetworks.\n    Mr. Westerman. So is that the main concern with cyber \nattacks is getting into those power-generating facilities\' \ncontrol systems or is it more to protect the distribution and \ntransmission systems?\n    Mr. Wilshusen. Well, I think you have that probably at \nmultiple sections throughout the entire electricity grid, \ndepending upon where the control systems or the sensors are \nlocated. If they are indeed interconnected to external \nnetworks, there\'s an increased likelihood that they may be \nvulnerable to attack if they\'re not sufficiently hardened. Of \ncourse, there are actions that an entity can take to better \nsecure those connections and to better secure those devices. If \nthose are being done, that will help, but historically, that \nalways hasn\'t been done for a number of reasons.\n    Mr. Westerman. It just seems like it would be a good \noperating protocol to have those industrial control systems \nisolated from the outside world as far as having the best way \nto keep a cyber attack from happening on one of those \nfacilities.\n    Mr. Wilshusen. Yes, that\'s correct, but often they\'re \ninterconnecting in order to provide greater efficiency and \nusefulness, if you will, and so there\'s always that balance, \nbut yes, it would be better from a security perspective to keep \nthem isolated.\n    Mr. Westerman. 
So when we talk about the role that smart \ngrid technology plays in creating cyber vulnerabilities, does \nthe fact that the smart grid relies on two-way communication \nmake the grid more susceptible to cyber attacks, and if so, how \nis that?\n    Mr. Wilshusen. Well, potentially, and that would be as Mr. \nGaines mentioned more at the distribution level rather than the \npower-generating and transmission level where there could be \nattacks against individual smart meters. Indeed, I believe \nthere have been reported attacks against smart meters, but more \nfor the purpose of committing fraud and addressing some of the \nprogramming that is in those smart meters, but the threat \npotentially is, and again, absent other controls that may now \nbe in place, is that collectively as millions of smart meters \nout there could that have an impact on the larger electricity \ngrid, and that\'s something that there potentially could.\n    Mr. Westerman. And when you talk about smart meters, are \nyou talking about the meters that give the feedback or just the \nones that the meter reader can drive through the neighborhood \nand read the meters without getting out of the vehicle? Are \nthose----\n    Mr. Wilshusen. Yeah, those would be included in that, yes.\n    Mr. Westerman. I think I\'m out of time, Mr. Chairman.\n    Chairman Weber. Okay. The gentleman yields back.\n    The gentlelady from Connecticut, Ms. Esty, is recognized.\n    Ms. Esty. Thank you, Mr. Chairman and to our Ranking \nMembers for today\'s very important hearing.\n    In Connecticut, we\'re very focused on grid reliability just \nactually from natural disasters we\'ve been coping with, and \ncertainly the cybersecurity threat has gotten us all to pay \nmuch closer attention.\n    I have two quick questions. First for Ms. Lee and Mr. \nGaines. 
Can you explain a little bit more how we should address \nthe challenges between the difference in lifespan of \noperational technology and information technology? All of us \nwho know, who have any of those devices in our pockets, and if \nyou\'ve got teenagers, you really know within a year they want a \nnew one, and yet we\'re looking at overall systems on the \nutility side that are decades long. What do we know about from \nprior history that can help us in Congress think about how to \nmeld together these two systems, one of which is highly \ncapital-intensive over decades and another which is changing \nconstantly?\n    Mr. Gaines. Ms. Lee, go ahead.\n    Ms. Lee. Thank you. Yes, as I mentioned earlier, the \ndifference in lifecycle--and it\'s amazing when you think our \ndevice if it\'s a year old, it\'s ancient.\n    What needs to be done, and talking about the modernization \nof the grid, and I think of that more than just a smart grid. \nIf you want to talk about all of the domains--generation, \ntransmission and distribution--the new devices are using \ncommercially available operating systems and applications \nrather than the proprietary solutions that were used \nhistorically, and so when you look at these devices, yes, they \nmay have a lifespan of 30 or 40 years but you have Windows, you \nhave your internet protocols. It\'s having the two communities, \nand Mr. Gaines talked about that, having the communities, the \nIT and OT communities together, figure out the best solutions, \nand a lot of utilities are putting them in the same room and \naddressing these difficulties because when you get away from \nthe proprietary solutions, you need to figure out how do you do \nit with all of these commercially available products.\n    Mr. Gaines. I would add to that two things you heard me in \nthe testimony. 
We have and are converging both the operational \nside of our business and the IT side of our business, and we\'re \ndoing it a lot with technology first of all. Inside of a \nsubstation, 15 years ago it was an analog substation and it was \nnot two-way communication. What sits in a substation now is a \ncommunications network, and so we are building out with inside \nsubstations a very protected, secure network inside of that \nsubstation, and it comes with us--it comes with cyber risk but \nit also comes with the ability to monitor that substation. And \nso that is the piece that some of those in industry are doing. \nWe are thinking of that substation as a physical asset as well \nas a logical asset. And so when I actually manage our \nsubstations, I think of them as a computer. I think of them as \nan asset in transmitting and/or transferring energy, and in one \nplace we look at both of those. We don\'t separate those two. We \ndon\'t separate the operational side of our business from the \ncyber side or the technology side. And as more communication \ndevices go into substations, that\'s going to be required.\n    Ms. Esty. Thank you. That is very helpful.\n    And just a quick question for anyone who wants to chime in. \nPart of what we do is direct research dollars from this \nCommittee, and if you had to divide up the federal research \ndollars between on cybersecurity, in prevention, detection, \nmitigation, and recovery, at this stage of the game, what do \nyou think for us--those of us who sit here in Congress as we\'re \nallocating funds and we all know we should have more funds, but \nwith the not enough money that we have, as I think about it, \nhow should we think about dividing those up?\n    Mr. Gaines. Mine would be prevention. It has the greatest \nopportunity to be able to share, and I think the greatest \nopportunity to expand and grow.\n    Mr. Stacey. Yes. 
Thank you for the question.\n    I would offer that we\'re spending an awful lot today on the \nmeasure-countermeasure. The threats and the daily bombardment \nis consuming most of our resources. We need to make sure that \nwe\'re investing a significant amount of our research dollars in \nhow do we take some of these critical assets off the table with \neither some kind of disruption zone--which is now a terminology \nthat\'s being used where you put some kind of a----\n    Chairman Weber. A firewall? A firewall?\n    Mr. Stacey. Well, it\'s not quite as sophisticated as a \nfirewall. It\'s an analog circuit that allows the electrons to \ngo in and only do one thing, and it requires the cyber hacker \nto have physical access to the other side. And so research \nassociated with trying to help define the critical assets and \nthen we create an environment to take some of these critical \nassets off the table.\n    So to answer your question shortly, I believe more needs to \nbe done to get us out of this paradigm of measure-\ncountermeasure and how we\'re going to solve this long term \nbecause, frankly, the resources aren\'t scalable. Thank you.\n    Ms. Esty. Thank you. That\'s very helpful, yes.\n    We all remember Mad Men and Spy versus Spy. I think you\'re \nright. We need to be removing assets from vulnerability. It \nmakes a lot of sense.\n    Thank you all very much.\n    Chairman Weber. The gentlelady yields back.\n    I now recognize the gentleman from Alabama, Mr. Palmer.\n    Mr. Palmer. Thank you, Mr. Chairman, and thank you to the \nwitnesses for coming in this morning. It\'s extremely important.\n    Mr. Gaines, the National Institute for Standards and \nTechnology has developed voluntary guidelines for smart grid \ncybersecurity, and the Federal Energy Regulatory Commission \ncontinues to approve cybersecurity standards. How helpful are \nthese types of standards to the industry?\n    Mr. Gaines. The standards are invaluable. 
They create a \nbaseline. However, I suggest to you that\'s just what they are \nis a baseline, and that the threats that we see today are going \nforward, they\'re not going back. And so we identify most of the \nvulnerabilities associated with those standards and things that \nhappen to us, not what things are going to happen to us. And I \ndon\'t think that you can regulate or put standards in this to \ncontrol every vulnerability. What I think you have to have is a \ncollaborative effort across industry and government to address \nsome of the issues that we have.\n    Mr. Palmer. Part of my concern is that these are industry \nstandards, and James Clapper, the Director of National \nIntelligence, said the greatest threat to our national security \nis cyber attacks. I think he identified 140 attacks against \nU.S. corporations by China, and it appears to me that we\'re in \nthe middle of a digital arms race in terms of cyber attacks, \nand specifically my concern right now is with our energy \ninfrastructure and how devastating it would be if we had a \ncyber attack against our infrastructure that shut it down. Do \nyou think industry standards alone are enough or does the \ngovernment need to take a more active role in this, \nparticularly in developing the technology to protect us against \ncyber attacks?\n    Mr. Gaines. First of all, to answer your first question, \nare the standards adequate, they are adequate, and I repeat \nagain, they create a baseline. If you would suggest, though, \nthat could more be done, I do, and I apologize. I don\'t \nremember the member\'s name. More research needs to be put into \ntechnology, number one, and it can be on any one of those three \nfronts. Prevention is the area that I suggest. 
Information \nsharing is a big piece of that, how we can be more \ncollaborative and develop tools between government and industry \nto share and within industry, and so I would suggest where the \nmanagement can be a major player is, they have access to \ninformation we don\'t and vice versa, and the idea is, how can \nwe get that to be a timely sharing of information and a more \ndetailed level of sharing of information. That\'s the area that \nI suggest that we put more emphasis on, not necessarily \nstandards.\n    Mr. Palmer. Well, in regard to the timeliness, Mr. Stacey, \nin your testimony, you mentioned that intrusion detection \ntechnology is not well developed for control system networks \nand that it can often take months before malware is detected. \nWhat are the factors that account for such a significant amount \nof time that elapses before detection?\n    Mr. Stacey. Well, first, let me characterize, as Ms. Lee \ndid, the difference between IT technology and OT. With IT \ntechnology, we\'re fairly mature now in proactively managing \nsystems. We have configurations and patchings that we use to \nmanage these systems.\n    Operational technology, or industrial control systems, may \nmanage several hundreds or even thousands of points a minute, \nand if you try to proactively manage that network, you can do a \ndenial-of-service attack on yourself. And so the tools today \nare basically passive monitoring--watching for things in and \nout--and the sophisticated hackers are aware of that and can go \nslow and low. And so the detection oftentimes, as I said, comes \nfrom a third party. And this is another research area that \ncould be invested in is the detection technology for industrial \ncontrol systems. Thank you.\n    Mr. Palmer. Is that, in your opinion, where we need to go \nin terms of improving the detection time?\n    Mr. Stacey. Correct.\n    Mr. Palmer. Mr. Chairman, I yield the balance of my time.\n    Chairman Weber. 
I thank the gentleman.\n    The gentleman from California is now recognized.\n    Mr. Swalwell. Thank you, Mr. Chairman, and thank you to our \npanelists.\n    This issue, it just--it seems to evolve faster than we can \nstay pace with it, whether it\'s hacks or breaches that occur on \nthe private sector side or hacks and breaches that we\'re seeing \nat OPM or other federal agencies that have, you know, certainly \ncompromised millions of people\'s personal information, and so I \nguess my first question is, if one of our power grids went down \ntomorrow in a major metropolitan area because of a cyber \nattack, would anyone here be surprised? Just a yes or no up and \ndown. Mr. Stacey, yes or no?\n    Mr. Stacey. It\'s certainly possible.\n    Mr. Swalwell. But would you be surprised if it happened? If \nyou learned tomorrow that, say, the San Francisco Bay area was \nout of power because of a cyber attack, would that surprise \nyou?\n    Mr. Stacey. No.\n    Mr. Swalwell. Mr. Gaines?\n    Mr. Gaines. Yes, it would.\n    Mr. Swalwell. Ms. Lee?\n    Ms. Lee. Yes.\n    Mr. Swalwell. And Mr. Wilshusen?\n    Mr. Wilshusen. Yes.\n    Mr. Swalwell. Okay. And so for those who said--well, let me \nstart with you, Mr. Stacey. Why would it not surprise you?\n    Mr. Stacey. I just believe--because our monitoring and \ndetection for those kinds of events is not sophisticated enough \nfor me to give an answer of yes.\n    Mr. Swalwell. Do you believe that we have made the \nnecessary investments across our country in protecting against \ncyber attacks, and not just the investments but is our \nworkforce trained in a way that our cyber hygiene is good \nenough to prevent this from happening?\n    Mr. Stacey. Yes, I think we have invested properly. I think \nthere\'s a lot of work being done both in the utility sector and \nwithin the government sector. I think we\'re short of staff \ncertainly and we\'re working on that in a number of areas with \nuniversities, et cetera. 
But we\'ve heard from several leaders \nwithin the federal government that we likely have people inside \nthe infrastructure, and these are very complex systems and the \ncomplexity even independent of a malware attack, adds a level \nof vulnerability.\n    Mr. Swalwell. Thank you.\n    And for the three who said they would be surprised if they \nlearned tomorrow that a major metropolitan area had been hit, \ncan you just maybe elaborate briefly on why it would surprise \nyou? Mr. Gaines?\n    Mr. Gaines. I\'ll give you a fact-based answer.\n    Mr. Swalwell. Sure.\n    Mr. Gaines. And I certainly know that there are \nvulnerabilities that exist in every network, but I would \nsuggest to you at FirstEnergy, I feel we have done the right \nthings to secure our company and that component of the grid.\n    The other thing that\'s unique to the grid is, we have the \ninterconnects, in our case, PJM, and so in this case, we would \nwork very hard with PJM given that if our company was breached, \nto minimize that impact across the network. Is it possible? \nYes, but your black-and-white answer is, would I be surprised? \nYes, I would be. And it\'s because of those two specific \nentities, and I would suggest to you the peers around me that \nare on PJM and the grid probably have the same level of \nconfidence that their business, their company is secure also.\n    Mr. Swalwell. Great. Thank you.\n    Ms. Lee?\n    Ms. Lee. Yes, I will agree completely with Mr. Gaines on \nthat, and just add to that, if you look at--and it was \nreferenced earlier the Metcalf attack, that their end result \nwas no power failure. The reliability of the grid is paramount, \nand as he mentioned, working with the interconnections and the \ndifferent utilities, the intent is to maintain the reliability \nof the grid. So yes, it is a hypothetical possibility but if \nyou look at all that\'s in place to ensure the reliability, it \nstill is a very stable system.\n    Mr. Swalwell. 
And then can you tell me who you fear an \nattack would come from if it came--if it was--if it occurred? \nDo you think it would be a state actor or a non-state actor? \nWhich one would be more likely based on your experience and \nwhat you\'ve learned? Mr. Wilshusen?\n    Mr. Wilshusen. I think initially I would say it\'s probably \ngoing to be a non-state actor but I think also I\'ve been \nreading where there could be state actors involved too. But \ncertainly terrorists and groups that may wish to do us harm \nwould do so. I think state actors are probably, depending on \nthe state, also are relying on the electricity and our national \neconomy to support them as well.\n    Mr. Swalwell. And Mr. Gaines, are you cleared? Do you have \na security clearance?\n    Mr. Gaines. I do have a security clearance.\n    Mr. Swalwell. Do you feel that enough people in your \ncompany are cleared to work with the federal government on the \nthreats or could we do a better job of bringing more people in?\n    Mr. Gaines. I don\'t think it\'s the volume; it\'s the \nquality. And I would suggest that today I have secret that it \nwould be beneficial to move a smaller group to top secret, and \nthe difference there is this, and it gets back to the \ntimeliness and the level of detail, and for the sensitivity of \nmy clearance, I just have to leave it at that, is that it would \nbe much more beneficial to see things on a timely basis and at \na much deeper level to be able to take action, but I feel at \nthis point it\'s adequate but could be improved.\n    Mr. Swalwell. Great. Thank you.\n    And Mr. Chair, I yield back.\n    Chairman Weber. Well, thank you, and I appreciate your \nbringing that up.\n    Back to Mr. Stacey\'s lack of surprise at an attack, I was \ntalking with the Ranking Member here, and it\'s kind of like a \nlot of terrorism. 
What is it we say, that we have to be 100 \npercent vigilant, diligent all the time; they have to be lucky \none time.\n    So I now recognize the gentleman from Michigan, Mr. \nMoolenaar.\n    Mr. Moolenaar. Thank you, Mr. Chairman.\n    Mr. Gaines, I wanted to follow up with you on some of your \ncomments. You had talked about the area of prevention and \nthinking about what we could do to complement the efforts \nyou\'re doing in the industry, and you talked about, you know, \nprevention investments maybe could be--there could be benefits \nacross industries. Can you describe that a little bit more?\n    Mr. Gaines. Across the industry?\n    Mr. Moolenaar. Across the industry.\n    Mr. Gaines. Across the industry itself?\n    Mr. Moolenaar. Yes.\n    Mr. Gaines. And I do have to come back to this issue, and I \nknow it\'s uncomfortable maybe to repeat it again, but we do \nhave in the industry a set of standards, and those standards \nhold us to a level, and if we\'re not compliant, then there\'s \nliability, and I think that has to be looked at first because \nthere is the--there\'s not the lack of interest in wanting to be \nable to share from an industry but there\'s certainly a level of \nhesitancy at times at what level we share. So I remind us of \nthat.\n    To that point, though, I don\'t think it can be done on a \nvoluntary basis. I think that there has to be an open, \ncollaborative environment between the government, and I speak \nof probably two or three agencies that I think we could all do \na better job, and I start out with Homeland because they own \nthe infrastructure. I start out with DOE because they are our \nsector control. Those are two. The third would be the FBI \nbecause they become the investigative arm in the event that \nsomething happens. 
I do believe that there is a way with the \nindustry to be able to collaborate real-time threat analysis \ninformation, and it isn\'t a voluntary but rather a requirement \nthat should occur, but it does start with the issue of our \nability to be able to manage that directly industry to \ngovernment.\n    Mr. Moolenaar. So it sounds to me like some of the effort, \nyou\'re talking about people getting together in a room and \nmeeting and discussing this. You aren\'t talking about major \ninvestments in infrastructure or some kind of----\n    Mr. Gaines. Both.\n    Mr. Moolenaar. --technology. You are talking about both?\n    Mr. Gaines. I am talking about both. I\'m talking about the \nindustry being able to have the necessary technology within \ntheir company to be able to provide that level of information, \nand I\'m talking about the government being able to have and \nbeing a recipient and being able to use it, so it\'s technology \nand it\'s also skills and resources.\n    Mr. Moolenaar. And do you think that when you think about \nprevention, you know, you prevent one threat but that another \nthreat emerges that you weren\'t aware of? How long are the \nbenefits from that kind of an investment? You know, how long \ndoes that last?\n    Mr. Gaines. I think that\'s one of the things Ms. Lee talked \nabout is that becomes a priority, where do we focus on first. I \ndon\'t think you can deal with every single threat. There\'s a \nlot of work that\'s being done in the industry right now to \ndefine what a critical asset is, and it\'s very good work. The \ngentleman asked me, are the standards good. They\'re really \ngood. They create baseline. I can tell you within our company, \nwhat are by definition the critical substations that have an \nimpact on our entire network. Now, if I start there just alone \nwith those critical assets and you multiply that times 120 \ninvestor-owned utilities, that\'s pretty valuable information. 
\nAnd so--and again, I don\'t want to give you any idea how many \nthat is other than to say it is a manageable number.\n    Mr. Moolenaar. And just, it was mentioned earlier this idea \nof improving early detection, and I don\'t know if that was you, \nMrs. Lee, or who it was that talked about the importance of \nthat. Is that where we should be focusing?\n    Ms. Lee. I will add, I think early detection is important. \nOne of the difficulties, and I believe it\'s been discussed \nhere, is when you have an event, it can be very difficult to \ndetermine whether it\'s a cybersecurity event. I\'ve done \nexercises with utilities and their frustration was, I didn\'t \nknow it was a cybersecurity event. So it\'s a matter of, we \ntalked about on the protection side but also as we\'ve all \ndiscussed, using commercially available products. They have \nbuilt-in vulnerabilities. The utilities are--as they\'re \ndeveloping their mitigation strategies, you have to assume your \nsystems at some point are going to be compromised, and so you \ntake that as a given, maybe not significant but you use that \nwhen you develop your mitigation strategies. So I think it\'s a \ncombination of looking at it from the protection side but then \nwhat do you do if there is a cybersecurity event. You want the \nelectricity to continue to flow.\n    Mr. Moolenaar. Mr. Wilshusen?\n    Mr. Wilshusen. Yes, I would agree with that too because I \nknow there\'s been a lot of discussion about the standards out \nthere, and that\'s fine and they may be adequate, but what also \nneeds to happen is the implementation of those standards \nconsistently over time throughout the enterprise, and in our \nwork at federal agencies and other entities, that often does \nnot occur. Vulnerabilities exist because standards aren\'t being \nimplemented consistently over time across the enterprise. And \nso it\'s through that that attacks often occur. 
So the aspect of \nmonitoring the effectiveness of the security controls is also \ngoing to be a key part of the overall defense--in-depth \nstrategy.\n    Mr. Moolenaar. Thank you, and thank you, Mr. Chairman. I \nyield back.\n    Chairman Weber. The gentleman yields back.\n    I now recognize the gentleman from Louisiana, Dr. Abraham.\n    Mr. Abraham. Thank you, Mr. Chairman.\n    Mr. Stacey, let me start with you at kind of the 30,000-\nfoot view. If we have a full-scale cyber attack, what does it \ndo to the nation\'s economy and to the nation\'s security \ninfrastructure?\n    Mr. Stacey. It would be significant. All the other \ninfrastructures run off the energy infrastructure.\n    Mr. Abraham. And that leads me to the next question. How \noften is a cyber attack or an attempted attack tried on our \nnation\'s power grid?\n    Mr. Stacey. What I can tell you is that from ICS-CERT, \nthey\'re seeing a 32 percent increase in fiscal year 2014 of \ntarget attacks on the energy sector. I don\'t have the specific \nnumber for the grid.\n    Mr. Abraham. But it has increased in the last----\n    Mr. Stacey. It is increasing.\n    Mr. Abraham. And I read something in USA Today that the \nU.S. power grid faces physical or online attacks approximately \nonce every four days. Is that a fairly accurate statement?\n    Mr. Stacey. That\'s fair.\n    Mr. Abraham. Okay. That\'s all, Mr. Chairman. I yield back.\n    Chairman Weber. Thank you. The gentleman yields back.\n    The gentleman from Georgia, Mr. Loudermilk, is recognized.\n    Mr. Loudermilk. Thank you, Mr. Chairman, and I appreciate \nall of the witnesses being here. I apologize that I wasn\'t here \nfor the earlier testimony but we also have Homeland Security \nissues going on. I\'m doing the ping pong between the \ncommittees.\n    But prior to coming to Congress, I spent 30 years in the IT \nindustry. 
Twenty of that time, I had my own business, and a \ngood portion of our business was going into smaller utility \nsystems and helping them automate. So I have some background in \nthis, predominantly smaller municipal co-op systems to where we \nwould put fiber optics into the city to tie the different SCADA \nsystems together, pump stations, substations, et cetera, so \nthey can more effectively monitor--getting more to a smart \ngrid. During that time, many of those smaller operations saw \nthe value of bringing in revenue, especially in small \nutilities, of selling the interconnectivity to businesses that \nhad multiple locations within their jurisdiction. That also led \nto bringing in high-speed internet, which allowed them to \nconnect and sell internet services on the same backbone or the \nsame infrastructure that was also running their devices. Now, \nof course, we put in a lot of technology to segregate those \nnetworks, but at the same time, they also saw the functionality \nof being able to monitor and manage and respond without having \nto be in the office to an incident that happened within the \nutility system through the use of the internet.\n    So as we were trying to implement these new technologies to \nallow them to be more efficient in operating their utility, and \nmany of those provide electricity throughout their cities or \ntheir area of responsibility, it did help a lot, but then there \nwas the concern that we had of someone from the outside being \nable to get in. And so what we would do is, we would do a lot \nof research, and one of the things that we did not have was an \napproved products list that we could go to, that the government \nhad said all right, if you use this type of gateway, use this \nfirewall, use this type of filter, then we know it\'ll be \nsecure. So we did a lot of research. 
We went to a lot of \nvendors and we would get what we believed was the most secure, \nput that into place, and in most cases we were under contract \nto maintain it and make sure the security updates were done, \nthe patches, et cetera, et cetera.\n    The next progression was to then put in the other elements \nof the smart grid for meter reading and all this. So some of \nthe things we started looking at were points of access, points \nof failure, points of vulnerability, which growed--which grew \nexponentially once we started adding the more technology.\n    In a previous committee, I brought up the lack of an \napproved products list that vendors such as myself or these \nsmaller electric utilities can go to that has standards, \nequipment standards, standards of practice, operation, et \ncetera. Now, I understand the Department of Energy is working \non that, and I applaud that effort. But I do believe, and I \nknow that there is a lot of vulnerability accessing the grid, \nyou may say, through smaller electric utility systems. Some of \nthose that we put equipment in, we went out and spent a lot \nlooking at security aspect of it to make sure that they could \noperate securely. Because of budget cuts, many of them would \ncut our contract and manage it themselves, and then some of \nthem would actually go and buy parts off of eBay because they \nwere cheaper, but I would try to emphasize to them, there\'s a \nreason that part is on eBay is probably because it has been \ndiscontinued for security reasons.\n    Can any of you that would like to comment on where we are, \nwhere we\'re going and if you feel that there is a need to have \na standard set of standards for equipment, for upgrade, for \nmaintenance, and operation with the smaller utilities as well \nas large.\n    Mr. Gaines. Well, I\'ll speak as a large utility. I can\'t \nspeak for a small utility. That would not be accurate for me to \ndo.\n    Mr. Loudermilk. 
You may be able to opine as far as how the \nvulnerability of the small utilities affects the larger utility.\n    Mr. Gaines. Well, I\'ll try to answer your question \ndirectly, though, regarding standards associated with \nequipment, software technologies. I think there certainly has \nto be some level of verification, validation of equipment. To \nthe extent that you could create universal standards for \nevery type of equipment that sits inside of a network, I think \nit would be very difficult, and the question is, who would \nmonitor and manage that. That is the challenge, and it ranges \nfrom software to hardware. I do think there are some validation \npoints, though, that you can put in. Do you have--are you \nbuilding software or are you building equipment--a method of \nconfiguring it so that it could be personal to the company \nversus a standard set of passwords that are set in a piece of \nsoftware, as an example. Those are things that you could do to \ndesign into the technology. As it relates to the vulnerability \nbetween a small utility, municipal or not, we work together \nvery well in the industry between our industry association, \nEEI, groups like EPRI who do research for us, and so I would \ntell you that there\'s very little distinction about what the \nexpectations are on a small utility versus a large utility.\n    Mr. Stacey. Thank you for the question. I\'d offer this \nperspective. Right now, vendors are offering equipment with as \nmuch flexibility as they can, with as much functionality as \nthey can. And that\'s adding to the complexity. 
If as a sector \nthere was work done on how do I minimize the functionality to \nreally what I need-- that the valve only opens and closes as \nfast as I need for an emergency response, and that sensors on \nthe pipe managing flow only have the fidelity for managing the \nflow, as we reduce that complexity, initially that would cost \nmore because you\'re asking for something that\'s different, but \nas an industry, as they worked on reducing the complexity and \ntrying to find components that did the minimum functionality \nrequired to manage within an industrial control system, I think \nthere\'d be some benefits to that.\n    Mr. Loudermilk. Is there currently a rating system or an \nevaluation that is used as far as how secure a utility is in \ntheir operation?\n    Mr. Gaines. In terms of vendor equipment?\n    Mr. Loudermilk. The whole footprint, the entire topology. \nIs there a method that some independent organization or the \ngovernment can come in and evaluate and give some type of \nsecurity rating?\n    Mr. Gaines. Yes, there is. The CIPS, the Critical \nInfrastructure Protection Standards, are a set of standards \nthat originated in 2005. We\'re on version 5 right now. And they \nbaseline the transmission system and the security around that \nthrough those standards and then they are auditable. And to the \nextent there is remediation associated with those audits, \nthey\'re managed accordingly. FERC administers those through \nNERC.\n    Chairman Weber. Does the gentleman yield back?\n    Mr. Loudermilk. I\'m out of time, Mr. Chairman, so I will \nyield back the time I don\'t have remaining.\n    Chairman Weber. All right. The gentleman yields.\n    Mr. Johnson, you\'re recognized.\n    Mr. Johnson. Thank you, Mr. Chairman, and I want to thank \nmy colleagues on the Committee for allowing me to sit in on \nthis today. 
It\'s an area of extreme interest and importance in \nmy regard.\n    I spent nearly 30 years as an information technology \nprofessional, part of that time, a large part of that time, in \nthe Department of Defense being concerned about the security of \ndata systems that support our special operations folks and \nthings like that. I feel very, very strongly that cybersecurity \nis an issue across the spectrum. It\'s getting a lot of talk but \nit\'s not getting a lot of focused attention to address the \nissue. It\'s an issue--and I don\'t know if the four of you agree \nor not. It\'s not something that\'s got a finish line. You know, \nthis is not something that we\'re going to solve and then we\'re \ngoing to move on to the next big problem. As long as the world \nis connected with computing systems and networks, you\'re going \nto have those with the wherewithal, some of them because they \ncan, some of them because they desire to create chaos with \nmalicious or criminal intent, are going to try to get into our \nnetworks, and our energy systems and our power grids are one of \nthose areas that would wreak havoc on America\'s economy, and I \nthink we can all agree with that.\n    Mr. Gaines, what in your mind does the integration of IT \nsystems and supervisory control and data acquisition systems \nhave in increasing the risk to grid operations?\n    Mr. Gaines. First of all, Mr. Johnson, hello. It\'s good \nseeing you again.\n    Mr. Johnson. Good to see you, sir.\n    Mr. Gaines. Thank you.\n    I would like to start out by saying I don\'t think it\'s if; \nit\'s when. The OT operational systems technologies and the IT \ntechnologies are merging and they go back to exactly what I \nsuggested, that in a substation now, it looks like a small \ncommunications network. It\'s got a device in it that \ncommunicates with most of the assets, transformers, that \ndetermine the health and in fact the condition of those \ntransformers. 
That\'s all communicated back to the SCADA system \ninto the IT systems. Secondly, the IT systems are tied to our \npower grid and actually help us manage and monitor that from a \ngeneration perspective. I think the industry is moving to \nconverge those, not necessarily manage them as you would manage \nthem on the grid as an operator but manage that space so that \none, they understand the health of it, they understand the \nreliability of it, and the impacts that cyber, specifically \ncyber, has on it.\n    I go back to the Metcalf incident. There were three things \nthat occurred within an hour: the cutting of a communication \nline, the actual assault on the location itself, and then the \nloss of load. Those all three were done within an hour, and \nthey were in the space that if you would\'ve had monitoring and \nthe ability to alert and manage that, I wouldn\'t suggest that \nyou could avoid but you could have mitigated some of the \nissues.\n    Mr. Johnson. Can you talk specifically about what \nFirstEnergy is doing to mitigate this vulnerability?\n    Mr. Gaines. Yes. We in fact have over the past 12 months \nbuilt a security operations center, and we manage all three of \nthose from one center, so I manage the operations and the \nhealth of those physical assets. We look at that from an IT \nperspective and overlay IT to that, and then I physically \nmonitor the station through cameras, video and X-ray. And so I \nsee that single pane--as we define it, I single that single \npane of our critical assets, and that\'s not dispersed around \nthe company. I don\'t have a physical security desk, I don\'t \nhave an operating center, and I don\'t have a cyber center. I \nhave one operations center that looks at that, and they\'re not \nlooking at it on multiple systems; they\'re looking at it on one \nsystem. We are one of the first in the industry. 
We\'ve worked \nwith EPRI very hard so the industry gets it, and there\'s a lot \nof work being done there.\n    Mr. Johnson. Okay. Well, thank you very much.\n    I had other questions but I think I\'ve exhausted my time. \nThank you, Mr. Chairman, for your indulgence.\n    Chairman Weber. The gentleman yields back.\n    Well, I want to thank the witnesses for their valuable \ntestimony and the Members for their questions. The record will \nremain open for two weeks for additional comments and written \nquestions from Members.\n    This meeting is adjourned.\n    [Whereupon, at 11:40 a.m., the Subcommittees were \nadjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n'