[Senate Hearing 114-721]
[From the U.S. Government Publishing Office]
S. Hrg. 114-721
ASSESSING THE SECURITY OF CRITICAL
INFRASTRUCTURE: THREATS, VULNERABILITIES, AND SOLUTIONS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
MAY 18, 2016
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
23-709 PDF WASHINGTON : 2017
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin Chairman
JOHN McCAIN, Arizona THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky JON TESTER, Montana
JAMES LANKFORD, Oklahoma TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire CORY A. BOOKER, New Jersey
JONI ERNST, Iowa GARY C. PETERS, Michigan
BEN SASSE, Nebraska
Christopher R. Hixon, Staff Director
Brooke N. Ericson, Chief Counsel for Homeland Security
Jose J. Bautista, Professional Staff Member
Servando H. Gonzales, U.S. Customs and Border Protection Detailee
Gabrielle A. Batkin, Minority Staff Director
John P. Kilvington, Minority Deputy Staff Director
Abigail A. Shenkle, Minority Professional Staff Member
Matthew R. Grote, Minority Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk
Benjamin C. Grazda, Hearing Clerk
C O N T E N T S
------
Opening statements:
Senator Johnson
Senator Carper
Senator Peters
Senator Tester
Senator Portman
Senator Ayotte
Senator Heitkamp
Prepared statements:
Senator Johnson
Senator Carper
WITNESSES
Wednesday, May 18, 2016
Major General Donald P. Dunbar, Adjutant General, State of
Wisconsin
Thomas L. Farmer, Chair, Cross-Sector Council, Partnership for
Critical Infrastructure Security
Ted Koppel, Author, ``Lights Out: A Cyberattack, a Nation
Unprepared, Surviving the Aftermath''
Scott I. Aaronson, Managing Director, Cyber and Infrastructure
Security, Edison Electric Institute
Alphabetical List of Witnesses
Aaronson, Scott I.:
Testimony
Prepared statement
Dunbar, Major General Donald P.:
Testimony
Prepared statement
Farmer, Thomas L.:
Testimony
Prepared statement
Koppel, Ted:
Testimony
Prepared statement
APPENDIX
ICIT Report submitted by Senator Portman
American Public Power Association/National Rural Electric
Cooperative Association statement submitted for the Record
Responses to post-hearing questions for the Record
Mr. Dunbar
Mr. Farmer
Mr. Koppel
Mr. Aaronson
ASSESSING THE SECURITY OF CRITICAL
INFRASTRUCTURE: THREATS, VULNERABILITIES, AND SOLUTIONS
----------
WEDNESDAY, MAY 18, 2016
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:01 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, Portman, Lankford, Ayotte,
Ernst, Sasse, Carper, McCaskill, Tester, Heitkamp, Booker, and
Peters.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. Good morning. I want to thank all of our
witnesses for taking the time to join us here and for your
thoughtful testimony. I am looking forward to the hearing.
Senator Carper is at a different committee hearing right
now. He will be joining us later. And, we have a number of
Members that also will but are running behind, but I would like
to get started and be respectful of your time.
When I first took over the Chairmanship of this Committee,
coming from a business background as a manufacturer, I
certainly found that developing a mission statement for any
organization is pretty helpful. It directs the activity of the
organization. So, working with Senator Carper, we developed a
pretty simple mission statement: to enhance the economic and
national security of America. They are inextricably linked.
This Committee is really two committees in one: Homeland
Security and Governmental Affairs. It is like the House
Oversight Committee and Homeland Security.
On the homeland security side of the Committee, we
established four primary priorities: border security,
cybersecurity, protecting our critical infrastructure,
including our electrical grid, and then doing whatever we can
to combat Islamic terror and other violent extremists to keep
the homeland safe. We have been pursuing that mission
statement. We have been addressing those top priorities.
I guess it was about a year ago when we held our first
hearing on the potential threat of electromagnetic pulses
(EMP). We had former Central Intelligence Agency (CIA) Director
James Woolsey. We had Dr. Richard Garwin, who worked with
Enrico Fermi. I believe Dr. Fermi referred to Dr. Richard
Garwin as one of the few true geniuses he had ever met. So,
some smart people who even though some people consider, for
example, the threat of EMP hokum, I asked pointblank these
individuals, ``Do you think it is hokum?'' The answer was an
unqualified, ``No, absolutely not.''
Mr. Koppel, I truly appreciate the fact that you have
written this book to raise public awareness of the
vulnerabilities that we have with our electrical grid.
In the 2001 National Defense Authorization Act, they
authorized EMP commissions to take a look at the potential
threat posed by things like EMP and potentially geomagnetic
disturbances as well. That 2008 commission established some
recommendations that were to be undertaken by the Department of
Homeland Security (DHS) and the Department of Energy (DOE). I
am going to take time to read them. They go A through O, and I
just want to take time to read what the 2008 EMP Commission
recommended:
``A. To understand system and network-level
vulnerabilities, including cascading effects.''
``B. Evaluate and implement quick fixes.''
``C. Develop national and regional restoration plans.''
``D. Assure availability of replacement equipment.''
``E. Assure availability of critical communications
channels.''
``F. Expand and extend emergency power supplies.''
``G. Extend black start capability.''
``H. Prioritize and protect critical nodes.''
``I. Expand and ensure intelligent island capability.''
``J. Assure protection of the high-value generation
assets.''
``K. Assure protection of high-value transmission assets.''
``L. Assure sufficient numbers of adequately trained
recovery personnel.''
``M. Simulate, train, exercise, and test the recovery
plan.''
``N. Develop and deploy system test standards and
equipment.''
``O. Establish installation standards.''
Now, again, I realize that is kind of short, bullet-point
form, but to me those are some pretty reasonable
recommendations. The Secretary of the Department of Homeland
Security and the Secretary of the Department of Energy were
basically--it was recommended that their agencies start
addressing these quick fixes, these recommendations.
In our hearing, a report of the Government Accountability
Office (GAO) basically reported that none of these had been
done. This was, again, 2008, the results of a 2008 EMP
Commission. Here we are in 2015, now here we are in 2016. None
of this has been done. People are not taking this threat
seriously, and we have to.
So, again, the purpose of this hearing is to lay out the
realities, the very complex problem. Again, I am not an
electrical engineer, but we have to start looking at exactly
what the vulnerabilities are. We have to identify it. We have
to define it. And, from my standpoint, we have to take that
first step in solving any problem, which is admitting we have
one, which is the purpose of this hearing.
Now, I do have a written statement for the record that I
would ask to be entered,\1\ without objection.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Johnson appears in the
Appendix on page 45.
---------------------------------------------------------------------------
We will wait for Senator Carper. When he comes, we will see
if he wants to offer an opening statement. But until that point
in time, it is the tradition of this Committee to swear in
witnesses, so if you will all rise and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
General Dunbar. I do.
Mr. Farmer. I do.
Mr. Koppel. I do.
Mr. Aaronson. I do.
Chairman Johnson. Thank you.
Our first witness is Major General Dunbar. General Dunbar
is Wisconsin's adjutant general. In this role, General Dunbar
commands the Wisconsin National Guard and is responsible for
emergency management. He also serves as Wisconsin's homeland
security adviser, chairs the Homeland Security Council, and is
the senior State official for cyber matters. Previously, he
served in the U.S. Air Force, the Washington Air National
Guard, and National Guard Bureau.
General, thank you for your service, and we would welcome
your testimony.
TESTIMONY OF MAJOR GENERAL DONALD P. DUNBAR,\1\ ADJUTANT
GENERAL, STATE OF WISCONSIN
General Dunbar. Thank you, Senator. Good morning, and good
morning to Members of the Committee. Thank you for the
opportunity to speak today. I am the adjutant general for the
State of Wisconsin, and although I appear before you today in
uniform, I want to stress that I am appearing on behalf of the
State of Wisconsin in a State status. I am not on active duty
orders, and no one in the Defense Department (DOD) has seen,
reviewed, or approved my remarks.
---------------------------------------------------------------------------
\1\ The prepared statement of General Dunbar appears in the
Appendix on page 48.
---------------------------------------------------------------------------
I am privileged to command Wisconsin's National Guard. As
you know, the National Guard is constitutionally unique. It has
two foundational roles: We are the primary combat reserve of
the U.S. Army and the U.S. Air Force and the first military
responders in the homeland.
You mentioned my other roles. Thank you for that. It is an
honor to appear before the Committee to discuss critical
infrastructure.
Critical infrastructure is a shared responsibility. The
Federal Government has a substantial role as do the industry
leaders who generally own and operate the infrastructure.
However, States have a leadership role as well. I will touch
briefly on our organization, our strategy, and our efforts at
addressing the threats to critical infrastructure in Wisconsin.
We did not create a separate agency to manage homeland
security, choosing instead to rely on existing roles and
responsibilities. Our Governor created a Homeland Security
Council, which includes representatives from State agencies and
first responders who are joined by Federal partners and
industry leaders regularly to attend and participate.
Our homeland security strategy is updated quadrennially
after each gubernatorial election and provides a framework to
guide continuing efforts in preparation and protection of our
communities and citizens. It also guides our investment of
State and Federal resources. The strategy seeks to ensure that
our first responders are trained and equipped, that our
critical infrastructure is safe and secure, and that we
continue to plan and prepare for emergencies and disasters that
may impact our State.
This strategy is our keystone document. It has four
priorities: cybersecurity, preventing and protecting against
asymmetric/terrorist threats, catastrophic incidents, and
capability sustainment. Each priority has identified goals and
objectives designed to be specific and measurable.
Time does not allow for an in-depth discussion on all
aspects of our efforts, but we are working on lines of effort
to mitigate the threats to critical infrastructure. I will
highlight just a few.
In cybersecurity, we have developed at State expense a
framework of five State cyber teams prepared to assist State
and local government with cyber response. Three of these teams
consist mainly of State and local professionals who, by
agreement, have permission to respond when activated for
response. We are developing a fourth team consisting of
industry leaders which will also be available to respond, and
our fifth team will come from the National Guard. We currently
have in the National Guard a computer network defense team that
helps protect our portion of the DOD network.
The new team that we are building will be a computer
protection team in collaboration with the Illinois Army
National Guard. This team will be operational by the end of
2019, and although trained to meet the Army's military
requirements, it is fully available for State active duty at
the Governor's discretion.
The Wisconsin National Guard is finalizing an agreement
with several of our utility companies. Our agreement is aimed
at information sharing and the potential for National Guard
physical support. We initiated this relationship after learning
of certain real-world events, such as the attack in Metcalf.
Wisconsin Emergency Management (WEM) and the Department of
Natural Resources partnered with our railroad commissioner and
major rail lines and have arranged for a cache of critical foam
to be stored regionally at no expense in case we have an oil
spill and fire on our rail lines.
We have also revamped our HazMat structure, creating more
versatile and regionally diverse teams that are strategically
located consistent with population density and key lines of
communication.
We are working with our Public Service Commission (PSC) and
our utilities to understand better the threat to our electric
grid and actively seeking ways to mitigate potential effects.
As an example, we are working with our public water and
sewage utilities, all of whom have generator backup for their
systems. However, all of these systems require diesel fuel, and
we are working hard to make sure we have a solid plan for
delivery in an outage.
Another area we are discussing, although this is much more
difficult given our utilities' sophistication, is the physical
backup to utility systems. I am no expert, but I took note of
the recent cyber attack in the Ukraine which disrupted their
power system. Clearly, Ukraine is not a system on par with the
system of the United States; however, when they understood that
the attack was a cyber attack, they switched to manual backup.
Based on open-source reporting, this occurred after about 6
hours. The cyber network may yet still be infected, but the
power disruption lasted only 6 hours. To my mind, that is a
powerful lesson worth exploring, and we are working with our
PSC to ask these questions of our utility partners.
Last, I will mention that our National Guard works closely
with emergency management across the board in planning for and
exercising our emergency plans. We are certainly not alone in
this aspect, as the National Guard across the Nation has unique
relationships with law enforcement, firefighters, Federal
agencies, and industry partners. Always ready, always there, we
provide our Nation's Governors with a surge force that is
highly trained and relevant across the domestic response
spectrum.
I have submitted my written testimony for the record and
greatly appreciate the opportunity to appear today and offer
these brief remarks. I look forward to any questions you may
have.
Chairman Johnson. Thank you, General Dunbar. By the way,
your written testimony is entered into the record.
Our next witness is Tom Farmer. Mr. Farmer is the chair of
the Partnership for Critical Infrastructure System (PCIS)
Cross-Sector Council. Mr. Farmer worked with the lead
representatives for each of the critical infrastructure sectors
and with senior government officials in coordinated efforts to
advance priorities and capabilities in critical infrastructure
protection and resilience. He also serves as assistant vice
president for security for the Association of American
Railroads. Mr. Farmer.
TESTIMONY OF THOMAS L. FARMER,\1\ CHAIR, CROSS-SECTOR COUNCIL,
PARTNERSHIP FOR CRITICAL INFRASTRUCTURE SECURITY
Mr. Farmer. Thank you, sir, very much. Chairman Johnson,
Members of the Committee, and staff, thank you very much for
this opportunity to address the priorities and cooperative
efforts of the Partnership for Critical Infrastructure Security
Cross-Sector Council in critical infrastructure protection.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Farmer appears in the Appendix on
page 57.
---------------------------------------------------------------------------
As the current Chair, I am privileged to speak for a group
of dedicated professionals across industries who volunteer
their time and efforts to take on leading and organizing
capacities in their respective sector coordinating councils,
those forums formed in the National Infrastructure Protection
Plan (NIPP) that enable industry to communicate and coordinate
effectively with government.
It is the respective efforts of these professionals that
merit attention, for they represent a sustained commitment to
partnerships and action, partnerships within their sectors,
across sectors, and with Government.
The written statement submitted to the Committee addresses
a sampling of their efforts. Their scope exceeds the time
available for a fuller delineation here, but as I prepared for
the hearing, a representative of the dam sector, the Chair of
the Dam Sector Coordinating Council well captured their scope
in a delineation of his sector's activities: preparedness
planning, exercises within the sector among dam facilities,
cross-sector exercise with government officials and
representatives of other industries, information sharing,
cybersecurity guidelines and tools that are developed in
partnership with government, training and webinars focused on
security awareness and preparedness.
Each of the sectors' leads consistently delineate very
productive, proactive efforts on behalf of their respective
sectors. Across sectors we are supporting these efforts by
outreach and capabilities offered by government organizations.
They include the Department of Homeland Security, the Federal
Bureau of Investigation (FBI), the Office of the Director of
National Intelligence (ODNI), the various sector-specific
agencies, and State fusion centers. The support in these areas
is fundamental to enhance and sustain effectiveness in critical
infrastructure protection, areas like intelligence assessments,
information sharing, risk assessments, resiliency assessments,
tailored training and exercise programs, guidance materials for
organizational and sector-based preparedness planning, and
focused engagement on particular threats or security concerns.
This extensive body of work creates opportunities that draw
insights, that glean lessons learned, to apply them practically
in security posture, and in protective measures. A colleague in
the Sector Coordinating Council well captured the concept with
the phrase ``next-level analysis,'' and priorities of our
council emphasize this concept.
What we are talking about is knowing what we can know as
thoroughly as possible, about using information proactively,
about analyzing the wealth of experience gained by the
expansive and effective work undertaken by DHS, FBI, and other
components, particularly focusing on trends, on patterns, on
indicators of recurring concerns.
Terrorism provides one example. Investigations of attacks
and attempts and disrupted plots reveal over and over again
indicators that were experienced, observed, and encountered
that preceded the event. But their significance often was not
understood, even if they were reported.
Similarly, active shooter investigations reveal similar
behavioral indicators that preceded the events. We must and can
learn from this adversity, through analysis that highlights
those recurring indicators of preparations, analysis that
enables professionals in industry and government to identify
the opportunities for security measures, and activities to make
a difference.
We are very familiar with the ``See Something, Say
Something'' campaign. It works. But we can make it better. With
this type of analysis, we can advance and inform the ``See
Something, Say Something'' concept, emphasizing those
observable indicators and activities and preparations that have
preceded acts of lethal and destructive violence time and
again, and apply that information in security, training, and
awareness initiatives with employees across industries to
inform their vigilance both on the job and in their home
communities.
In cybersecurity, as we contemplate the hundreds of onsite
and virtual assistance visits provided by DHS and FBI in
response to cyber attacks, as we look at the in excess of 1
million indicators of concern that have been disseminated by
DHS to the private sector, opportunity emerges again, for
analysis that produces a cyber threat profile, a profile we can
update on a recurring basis, to help organizations across
sectors understand what they are most likely to see in terms of
how cyber threats materialize. What are those vulnerabilities
that are so often exploited? What are those protective measures
too often found lacking?
Now, as these analyses are produced why dissemination is
essential, we need to make sure we have depth of penetration
across government and industry. In the Cross-Sector Council, we
have partnered with DHS to do just that, leveraging existing
councils in government and industry to ensure that information
in a timely manner reaches those who are best equipped to get
it out to their respective constituencies.
We have also introduced the capability to share classified
information and tested it on April 26. Two components of the
Wisconsin fusion center participated. And, as part of that
effort, we focus on ensuring that as the intelligence community
(IC) produces products that are classified, they also produce
an unclassified ``tear line,'' a version that all who attend
the briefing can take back to their organizations to inform
vigilance and security measures.
The efforts of the respective councils are sound. They are
proactive. No one is resting on laurels. We consistently seek
opportunities to progress, and our shared objective of
enhancing critical infrastructure protection is attainable.
I thank you very much for this opportunity to participate
in this esteemed forum today.
Chairman Johnson. Thank you, Mr. Farmer.
Our next witness is Ted Koppel. Mr. Koppel is the author of
the book ``Lights Out''--I have a copy. Unfortunately, I do not
have the cover. When I actually read books, I take it off. It
is ``Lights Out: A Cyberattack, a Nation Unprepared, Surviving
the Aftermath.'' He is also a 42-year veteran of ABC News where
he served as anchor and managing editor of the ``Nightline''
program from 1980 to 2005. And, I would point out this is
actually my brother's book. He gave it to me. I would say he is
a little alarmed. ``Did you know this?'' I was aware.
Mr. Koppel, thank you for coming here. I look forward to
your testimony.
TESTIMONY OF TED KOPPEL,\1\ AUTHOR, ``LIGHTS OUT: A
CYBERATTACK, A NATION UNPREPARED, SURVIVING THE AFTERMATH''
Mr. Koppel. Mr. Chairman, Mr. Ranking Member, Members of
the Committee: Your late colleague, the distinguished Senator
from New York, Daniel Patrick Moynihan, liked to say that each
of us is entitled to his own opinion; we are not, however,
entitled to our own facts. That observation, which once seemed
both sensible and self-evident, can no longer be taken for
granted.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Koppel appears in the Appendix on
page 64.
---------------------------------------------------------------------------
In a political climate where even the President's status as
a natural-born American citizen remains the object of doubt for
more than a quarter of our population as he nears the end of
his second term in office, in that climate it will be difficult
to settle the far more complex issue before the Committee this
morning: Is the Nation at risk of a crippling cyber attack
against elements of our infrastructure in general and against
one or more of our electric power grids in particular? After
more than a year of research into the question, I believe the
answer to be ``yes.''
Simply stated, the electric power industry is made up of
3,200 separate companies linked in a network that both
generates and distributes electricity. For the system to
function, a perfect balance has to be maintained between the
amount of electricity being generated and the amount being
distributed. Only the Internet is capable of maintaining that
exquisite balance at all times. The Internet was never designed
to be defended. The Internet remains vulnerable to cyber
attack. Evidence of that vulnerability is accumulating every
single day in private industry, government agencies, and in
breaches of our personal data. General Keith Alexander, the
former head of the National Security Agency (NSA), likes to say
that there are only two kinds of companies--those that have
been hacked and those that do not yet know it.
Members of this Committee are certainly familiar with the
conclusion of our intelligence agencies that the Chinese and
the Russians have already mapped and penetrated the systems
that control our electric power grids. Iran is not far behind.
Nations like North Korea and Syria are enhancing their cyber
warfare capabilities. It is surely only a matter of time before
a terrorist group, unrestrained by any geopolitical interests,
acquires the capability to attack one of our power grids.
The problem, as Tom Ridge, our first Secretary of Homeland
Security, noted, is that ours is a reactive, not a pre-emptive
society. In the wake of the attacks on September 11, 2001, the
United States embarked on actions and expenditures that would
have been inconceivable only a week earlier.
My message to this Committee this morning is simple: The
Nation cannot wait for a cyber attack on the grid before making
preparations for its consequences. It is my belief--and again,
this Committee has access to more information on this subject
than--I believe that while the Department of Homeland Security
has plans for dealing with the consequences of hurricanes,
blizzards, floods and earthquakes, it has no discrete plan for
dealing with the aftermath of a cyber attack on one of the
Nation's power grids. The Department's recommendations for each
disaster are essentially the same: a 2- to 3-day supply of food
and water for each person, a plan for families to meet at a
pre-arranged point, a supply of essential medicines,
flashlights, and a battery-powered radio.
A cyber attack against one of our electric power grids
could deprive tens of millions of Americans of electricity for
a period of weeks or even months. I asked Homeland Security
Secretary Jeh Johnson what, exactly, he would be telling
Americans on their battery-powered radios after an attack that
he was unwilling or unable to share now. He gestured toward a
shelf carrying several white binders: ``I am sure there is a
plan up there somewhere,'' he told me. I do not share the
Secretary's confidence.
We have neither the adequate food supplies to take care of
those millions who decide to shelter in place, nor the
collaborative plans with State governments to house and feed
what could amount to tens of millions of internal refugees. If
we began tomorrow, Mr. Chairman, implementing such plans would
still take a couple of years.
I thank the Committee for its attention to this critical
issue.
Chairman Johnson. Thank you, Mr. Koppel.
Our final witness is Scott Aaronson. Mr. Aaronson served as
the managing director for Cyber and Infrastructure Security at
the Edison Electric Institute (EEI). Prior to joining EEI, Mr.
Aaronson served as a senior adviser to the Chairman of the
House Foreign Affairs Committee and Senator Bill Nelson. Mr.
Aaronson.
TESTIMONY OF SCOTT I. AARONSON,\1\ MANAGING DIRECTOR, CYBER AND
INFRASTRUCTURE SECURITY, EDISON ELECTRIC INSTITUTE
Mr. Aaronson. Thank you, Chairman Johnson and Members of
the Committee. I am glad to be here today to discuss security
of the power grid. We appreciate you holding this important
hearing and that Mr. Koppel chose this subject for his book. As
owners and operators of some of the Nation's most critical
infrastructure, we share his concern and the Committee's to
ensure that the grid is secure and resilient.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Aaronson appears in the Appendix
on page 66.
---------------------------------------------------------------------------
From some of the headlines and movie script scenarios out
there, you might think that we are not doing anything and being
complacent, that a month-long power outage is inevitable. If
there is one thing that you take from my testimony today, it is
to understand that the industry is doing an amazing amount of
work at all levels all of the time to defend the grid and to
respond to an incident.
You have to remember, we live and work in the communities
that we serve. Our infrastructure is our most important asset,
so we have every incentive to make security a major priority.
Since these topics can be sensitive, and even classified
occasionally, we may not talk about them a lot in public, but
do not take that lack of discussion for inaction. My written
testimony has more extensive details on how electric companies
address threats, so I will not read that to you. But I do want
to go through what we effectively call the three legs of the
stool that make up security for the electric grid.
The first leg of the stool is standards. The electric
industry has mandatory and enforceable critical infrastructure
protection (CIP), regulatory standards for both cyber and
physical security. These are not lax, lowest common denominator
standards. These are rigorous requirements that improve the
industry's security posture. Failure to comply can cost up to
$1 million per infraction per day, so suffice it to say there
is a lot of incentive to comply. But compliance does not equal
security. Security is not a check-the-box exercise; if I do X,
Y, and Z, I am secure. No. You have laid a foundation for
security.
The second part of what makes for full security, and the
second leg of the stool, are partnerships. It has already been
said--I think it was Major General Dunbar--that protection of
critical infrastructure is a shared responsibility. In order to
be prepared for an ever-changing threat environment, industry
and government are partnering at an extremely high level. In
addition to my role at EEI, I also am part of the secretariat
for the Electricity Subsector Coordinating Council (ESCC).
Along with the cooperative and public power segments of the
industry, the ESCC is made up of 30 Chief Executive Officers
(CEOs) from across the sector. These CEOs are meeting regularly
with senior government officials from the White House, DHS,
DOD, FBI, intelligence community, and the Department of
Energy--our sector-specific agency.
They do not just meet to simply update each other or pat
each other on the back and say, ``We are doing a great job.''
They are setting a strategic vision for how we can improve the
security posture of the industry and, by extension, the Nation,
bringing together government and industry capabilities in a
concerted way.
So, the ESCC focus is on four major issues, and I will go
through each of them briefly.
The first is deploying tools and technology. The focus here
has been moving government-developed tools to industry
applications to improve situational awareness, and the best
example of that is the Cyber Risk Information Sharing Program
(CRISP), which you can find in my testimony.
The second is improving the flow of information, making
sure the right people are getting the right information at the
right time. From classified briefings for executives to
actionable intelligence for operators, government and industry
are sharing threat information more often and more easily.
The third is coordinating with other sectors. While
electricity is always described as the most critical of the
critical--everybody relies on us--without water we cannot
generate steam or cool our systems; without telecommunications,
we cannot operate; without transportation and pipelines, we
cannot move our fuel or move our equipment. There are a lot of
ways to impact the grid short of attacking the grid.
To address these interdependencies, the power industry is
actually working across sectors. And, in fact, Tom Farmer and
the Nation's railroads have been great partners as we work
together, for example, to move large transformers during
incidents.
The last area of focus for the ESCC also happens to be the
last leg of the stool. So we have standards; we have
partnerships. The last is preparations for response and
recovery. Simply put, electric companies have to be right 100
percent of the time, and the adversary has to be right only
once. Given those odds, preparation for an attack is just
common sense.
First of all, we have a history of working together to
restore power after an incident through mutual assistance
networks where workers from unaffected companies descend on the
affected company to restore power. We also have robust spare
equipment sharing programs, including bilateral and
multilateral arrangements, as well as a fully developed and
legally binding plan called the Spare Transformer Equipment
Program (STEP), that requires the sharing of large, hard-to-replace
spare transformers during a national incident.
We exercise regularly. Of particular note is the North
American Electric Reliability Corporation's (NERC) GridEx
series, which brings thousands of owners and operators and
executives from across North America in the largest exercise of
its kind. And, now we are developing a cyber mutual assistance
program to coordinate resources for companies affected by cyber
incidents.
The bottom line is this. We are constantly working to
manage risk, but understand that we can never entirely
eliminate it. There is not enough money in the world to protect
against every threat in every location, but we are working to
prevent incidents from having long-term or devastating impacts.
We understand that the service we provide is critical to the
life, health, and safety of Americans. From CEOs to operators,
the power sector has shown it takes this responsibility
seriously and is committed to constantly improving its security
posture as these threats evolve.
Again, I appreciate the opportunity to be here and look
forward to answering your questions.
Chairman Johnson. Thank you, Mr. Aaronson. Let me start
with you. You just talked about the STEP program, about these
replacement large power transformers. In our EMP hearing, I
asked Dr. Richard Garwin how many are critical. What is the
number of large power transformers that we really need to
protect. He gave me a ballpark of somewhere between 200 and 700
of these large power transformers. Would you agree with kind of
around that assessment?
Mr. Aaronson. In fact, I do. That is a fair assessment, and
depending on what criteria you are using, someplace in there
the number is going to fall.
Chairman Johnson. So, how many replacements do we have for
those that are basically ready to be moved into place in case,
either through a kinetic attack or a cyber attack or EMP or
geomagnetic disturbance (GMD), those large powerful
transformers are destroyed?
Mr. Aaronson. So, the STEP program is actually governed by
a nondisclosure agreement, so the specific number I cannot give
you, but I can tell you this:
No. 1, we are sufficiently spared.
No. 2, outside of those spares that are dedicated through
the Spare Transformer Equipment Program, other companies have,
first of all, operational spares that they use for obvious
reasons. You will use a spare when you are doing maintenance on
an active transformer, so you have that in place regardless. We
have other ways of sharing equipment beyond just the Spare
Transformer Equipment Program.
Chairman Johnson. Let me ask you, so would I be able to--
with nondisclosures, could I as a United States Senator find
out how many we really have to satisfy myself that we really
are covered?
Mr. Aaronson. I would have to go back to the industry to
see if we would be able to breach the nondisclosure for that
purpose.
Chairman Johnson. I would appreciate that, because if you
do not have spares, what is the length of time to replace some
of these large power transformers?
Mr. Aaronson. So, the number that we have heard all of the
time is an 18-month lead time. That is not entirely accurate.
Under duress, there are ways to procure transformers more
quickly. You also have to understand that there is a
significant amount of excess capacity in the system. So, when I
say that we are looking to be able to operate under duress, we
may go to a suboptimal state. One of the lessons that was
learned out of Ukraine is going to a more manual operation. So
this rush to automation is great because it gives us wonderful
efficiencies, but it also increases the attack surface. So by
diminishing the attack surface and looking at the ability to
operate manually, the ability to operate suboptimally, the
ability to focus resources on more critical load, whether it be
hospitals, first responders, military installations, those are
all things that, because of this CEO leadership, we are
developing that capability.
Chairman Johnson. Based on public reports, my--
``assumption'' is probably not the right word, but it sounded
like the reason Ukraine actually restored power 6 days----
Mr. Aaronson. 6 hours.
Chairman Johnson. 6 hours, is because they actually had
manual breakers, which we really do not have nowadays because
we are more advanced. We have it all computerized. Correct?
Mr. Aaronson. The answer is, ``It depends.'' I always hate
giving that answer, but the answer is, ``It depends.'' In some
cases, there is the capacity to operate manually. In others, we
are going to need to continue to develop it.
Chairman Johnson. OK. General Dunbar, in your emergency
planning, Mr. Koppel talked about in general we have plans to
have provisions for 2 to 3 days. Is that pretty much what you
have planned for Wisconsin in your capacity, in your
responsibility?
General Dunbar. Our plans for a long-term power outage,
taking care of the public, quite honestly our goal is to try
and keep the people in their homes so they do not add to the
problem by a mass evacuation. We do rely on the industry for
the food stocks. It is a concern of mine because one system is
very efficient as you know, and if something shuts down, it can
quickly deplete it out. We do not have in Wisconsin a supply of
meals ready to eat (MREs) beyond what you would expect for the
National Guard, and even that is limited because at the DOD
level it has those kinds of supplies.
Chairman Johnson. Mr. Koppel, I was pretty impressed with
the level of reporting and the digging you did in your book.
You did not seem particularly convinced. You seemed to
certainly ask some pretty hard questions, and you were not
getting particularly good answers. Do you agree with Mr.
Aaronson that we are probably sufficiently backed up in terms
of large power transformers?
Mr. Koppel. Well, first of all, I am in no position to
agree or disagree with him because I do not have access to the
numbers either. What I have heard, and what was in a Department
of Energy report back in 2014, is that the number of large
power transformers is quite literally in the tens of thousands.
So, I am frankly a little bit astonished at the notion that we
are only talking about--what did you say?--250 or so.
Mr. Aaronson. 200 to 700.
Mr. Koppel. 200 to 700. I think, A, the number is greater.
B, I think that we are dealing with a problem of unique pieces
of equipment that cannot easily be interchanged. And, C, Mr.
Aaronson sort of dismissed the notion that it takes up to 18
months to get a new one, but most of these large power
transformers are not constructed in the United States. The
majority--I think about 70 percent of them--are constructed
overseas. And, by the time you order these and have them built,
we are talking about pieces of equipment that weigh between
400,000 and 600,000 pounds. It takes at least a year and up to
a year and a half to order a new one and have it delivered. And
even once you get it to the United States, delivering these
things is incredibly difficult because they tend to overstress
pieces of infrastructure like failing bridges.
Chairman Johnson. Mr. Farmer, in your testimony you were
really concentrating a lot--and this is, of course, good--you
know, on coordination and communication and planning, that type
of thing. But can you talk about what we have actually done to
prepare and protect--physically, what we have done in terms of
infrastructure to improve our survivability and improve our
ability to stand the power grid back up?
Mr. Farmer. Well, I am not specifically qualified to
discuss in detail the electrical sector. What I can say,
though, is that there have been very productive partnerships
fostered through the Cross-Sector Council that enable
industries to identify interdependencies and then work in
concert to enhance their resiliency, to enhance their
preparedness, to address concerns. Scott Aaronson addressed in
his testimony the cooperation with the railroad industry and
preparations to move large transformer equipment should we be
in a situation where, due to some form of damage, a transformer
is taken out of operation. And the electrical industry, the
electrical sector approached our industry. We have worked in
close coordination to do a number of things. One is to have
preparedness plans in place for railroads to move the
equipment. We have identified the types of rail cars that move
the equipment. We maintain a current inventory of where those
rail cars are. We have worked with the electricity sector
through exercises the last 2 years.
Each year, the railroad industry holds an annual security
exercise. In that exercise, we take actual events and take them
to another level through realistic terrorism and cyber
scenarios to stress our industry's security planning, to stress
our procedures, our decision-making, our actions to address
concerns, our coordination with Government.
We have integrated that exercise the last 2 years,
scenarios involving damage to large power transformers, and
then the electrical industry calling upon our industry for
support in their movement. So this inventory is maintained by a
group called Rail Link that provides informational technology
(IT) support to our industry. We can generate an updated
inventory within a matter of minutes to identify where the cars
are specifically. And during the exercises, railroads'
operational leads have worked with representatives of power
utilities on what the transportation plan would look like. We
are confident that, provided notice of a need, within a matter
of hours we would have a rail transportation solution in place.
Chairman Johnson. OK. Thank you, Mr. Farmer. Senator
Carper.
OPENING STATEMENT OF SENATOR CARPER\1\
Senator Carper. Thank you. Thank you so much, Mr. Chairman.
I want to apologize to our witnesses. As you know, we serve on
a number of committees, and one of my committees, the Senate
Environment and Public Works (EPW), was holding what we call a
markup today, voting on a number of bills, several of which
were mine, and I needed to be there to defend them. And, so, I
cannot be in two places at once, but I am pleased to be here
and thank you all for joining us today on a really important
subject. So, I am going to go ahead and use this time to give
an opening statement, and then maybe we will have a second
round for questions, and I can ask some questions of all of
you.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Carper appears in the
Appendix on page 46.
---------------------------------------------------------------------------
Obviously, what we are discussing today is of immense
importance--it is in Delaware, and I know it is in the other 49
States: the security of our critical infrastructure. And, when
we talk about critical infrastructure, we are not just talking
about the grid and supply of electricity, but also the
dependability of our water, even our financial system that
supports our economy.
Unfortunately, our electricity and water utilities, as well
as our banks, are at risk every day in a number of ways. We
have heard a lot lately about criminals and terrorists
targeting them online, but these critical services are also at
risk due to any number of other hazards such as violent storms,
earthquakes, and even failure due to aging and underinvestment.
Fortunately Congress, our Administration, and the private
sector have been hard at work to address vulnerabilities in a
number of these areas. We have passed legislation in recent
years to help make our critical infrastructure more secure and
more resilient. I will mention just a couple of examples.
In 2014, Members of this Committee worked for many months
to enact legislation to reauthorize and enhance something
called the Chemical Facilities Anti-Terrorism Standards (CFATS)
program at the Department of Homeland Security. This program is
our front-line defense against terrorist attacks against
companies that store, manufacture, and process hazardous
chemicals.
That same year, 2014, the President signed legislation from
this Committee to enhance the cybersecurity center at the
Department of Homeland Security that works with critical
infrastructure owners to prevent and respond to cyber attacks.
That same year we also gave the Department of Homeland Security
that authority that it needed to hire the best and brightest
cyber talent that is out there.
Just last year, the President signed cybersecurity
legislation that the Chairman and I and almost every member of
this Committee played a key role in drafting. That crucial new
law makes collaboration between the Federal Government and
companies grappling with cyber attacks easier and faster while
protecting privacy concerns.
This year, we are working hard to ensure proper
implementation of these and other laws. We are also working to
streamline and strengthen the office within the Department of
Homeland Security that helps protect critical infrastructure. I
have never cared for agencies that have a name that does not
really explain what they do, and we have one that we call the
National Protection and Programs Directorate (NPPD), that is
within the Department of Homeland Security. It does not tell
you a whole lot about what they do, but what they do is
important. And, as the Chairman knows, my staff and I have been
working with the Department of Homeland Security on legislation
to streamline this office so that it can be a better partner
with industry. We do this in part by elevating its cyber
functions and making sure that physical and cyber threats to
our critical infrastructure are assessed jointly so the left
hand knows what the right hand is doing.
We also want to change the name of the agency so people
have some idea of what they actually do to name it the ``Agency
for Cyber and Infrastructure Security.'' Doing so will make it
clearer that when there is a problem with a vulnerability in
the electric grid or some other piece of critical
infrastructure, there is no question about who in the Federal
Government can help, should help, and who can be held
accountable when things go wrong and may be singled out from
time to time when there is praise that is due.
As we know, unfortunately, bad things sometimes happen, and
the important thing is to be prepared for that when they do.
So, I want to credit the men and women at the Department of
Homeland Security, including in NPPD and elsewhere, for the
hard work they do to ensure our critical infrastructure is
secure and resilient. As one example of this important work,
the Department conducts onsite assessments and incident
response for dozens of critical infrastructure companies every
year.
When we talk about critical infrastructure--especially
systems that we cannot afford to lose even for a few minutes--
this means building resiliency into our policies and practices.
Today's discussion about critical infrastructure reminds me of
one very promising technology that is already helping to make
our country more resilient to electric grid outages. I was a
naval flight officer for a number of years during the Vietnam
War. When we were over in Southeast Asia, we were stationed at
Moffett Field Naval Air Station, and we basically shared that
large air station with the National Aeronautics and Space
Administration (NASA). And later on, when Moffett Field was
closed to active-duty purposes, some private sector companies
came in and partnered with NASA and have done all kinds of
amazing things. One of them is called ``Bloom Energy.'' They
manufacture fuel cells that basically--some of them are
manufactured in California. They do a lot of the research and
development (R&D) in California, but they also manufacture fuel
cells in Delaware. These stationary fuel cells do not require
additional transmission capability to move electricity to the
end user, meaning reliable electricity can be provided even
when the electric grid goes down. Innovative solutions like
these can help us be a lot better prepared for a variety of
threats in the future.
With that, I want to thank you all for coming, and I look
forward to asking you in a few minutes a few questions. Thank
you so much.
Chairman Johnson. Thank you, Senator Carper. Senator
Peters.
OPENING STATEMENT OF SENATOR PETERS
Senator Peters. Thank you, Mr. Chairman, and thank you to
our panelists for your testimony today. This is certainly a
very important topic, especially given the changes we are
seeing in our society in terms of being interconnected in ways
that are difficult to fathom. Critical infrastructure,
operational, whether it is dams and bridges, grids, will all be
connected through the Internet of Things. We are looking at
millions and millions of objects all connected on this
elaborate grid, even to the point that our electric toasters
will be on the grid. So any sort of attack on a grid could
have, without question, a catastrophic impact on society as we
know it.
We will talk about a variety of things. Hopefully we will
have some additional time, if possible, to talk about some of
the cyber issues and physical attacks. But one that I want to
take a little bit of time on is an area that I focused on as a
result of my work as the Ranking Member on the Space and
Science Subcommittee as well as being on the Homeland Security
Committee. And, this is something that we know will happen that
will be potentially catastrophic to the electric grid if we are
not fully prepared. And, that is space weather events where you
have mass coronal ejection from the Sun, which sends particles
to us here on Earth; it has the impact of compressing the
magnetic field if it is large enough, which puts huge pulses of
electricity through pipes, through electrical transmission
lines, blow up transformers, and shut down vast parts of the
grid for the country.
We know it will happen. It happens regularly. Some of them
are very large. The largest one that we know of is the
Carrington Event, which occurred in 1859. We did not have a
whole lot of electricity back then. We only had telegraphs. But
all of the telegraphs went down in the country. They were all
shut down as a result of this event. The sky lit up. Folks
thought it was daytime. They got up, started making their eggs
and breakfast. It was the middle of the night. But the sky was
illuminated so brightly from the storm. Our scientists believe
these storms occur about every 150 years they hit the Earth.
That last one was 150 years ago, so it has been a while since
we have seen it.
We did monitor a storm of that magnitude in 2012 that
missed the Earth by 7 days, so we can come very close to having
one of that magnitude as well, which will have a significant
impact.
And, so, I have been working with my colleague Senator
Booker, who is on both committees with me as well. We have
introduced legislation to provide additional research and data,
working with the National Oceanic Atmospheric Administration
(NOAA) and NASA and all of the Federal agencies, including the
Department of Homeland Security. And, the numbers are quite
concerning, and the fact that Lloyd's of London estimated that
if we get hit with another Carrington-type event, the impact to
our economy would be anywhere from $600 billion to $2.6
trillion. That is what we are looking at as an impact from one
of these storms. And, we could see up to 40 million Americans
without power. And, as we have had this discussion, talking
about the large transformers, some of that could be a year or
two. You could have 40 million folks, particularly along the
eastern seaboard, which is particularly susceptible to these
kinds of solar events. So just think of New York City without
power for a year. That is not a good thing. New Jersey without
power, which is why Senator Booker has been very engaged in
this as well, a very concerning thing, as well as for me in the
State of Michigan.
We have to do a better job of preparing for that, and so I
would like to ask Mr. Aaronson specifically what sort of
research and information do you believe electric utility
companies need from us as we are working on legislation to
provide more information, more advance warning? What
specifically do you need to prepare for this event? And how do
you view it?
Mr. Aaronson. So, specifically what you said about your
role on the Space and Science Committee, notice is incredibly
valuable when it comes to space weather. We actually have GMD
standards in place. The North American Electrical Reliability
Corporation, because this is something we have known for quite
some time could happen, had developed GMD standards which
dictate operational protocols to mitigate the impact of a
serious coronal mass ejection.
So a big part of that is, again, advance notice from an
operational perspective so that operators can take action to
shut down certain systems in a graceful way, let the solar
flare do what it is going to do, and then be able to start back
up, again, using something called--and it has been discussed
already--``black start capability,'' which is basically
starting the grid from scratch.
Black start standards are in place, GMD standards are in
place, and additional notice from some of those geostationary
satellites that give us--I think right now we get about 15
minutes' notice. Increasing that even to 30 minutes would be
invaluable.
Senator Peters. Well, that is an important factor, that we
may not have a lot of advance notice. Our prediction
capabilities for space weather are not as advanced as they
should be. Folks have described it to me that we are where we
were with hurricane predictions in the 1930s when it comes to
space weather events. So we have a long ways to go; where we
may know something is happening, we do not know the magnitude,
we do not know where it is going to hit. And hurricanes have a
significant impact on us, but a $2.6 trillion impact to the
grid that shuts down everything obviously is a major concern.
So if you had just perhaps 18 hours' notice, is that enough
time? And what sort of protocols are in place if NOAA, or
whatever the relevant agency is at the time as we work out some
of these protocols, says, ``we think this storm is coming''?
This may mean you would have to shut down vast amounts of the
grid in the United States.
Mr. Aaronson. So, another thing to note is this is
something that, as we have said, we have known about or know
could happen for quite some time. And, in fact, there have been
examples of impact because of GMD, particularly at the higher
latitudes where the impacts are more pronounced.
So there have been examples of GMD impacting the grid, but
for minimal amounts of time. You will note that telegraph lines
from the 1850s are significantly different than the
infrastructure we own and operate today. Mr. Koppel during his
answer to Chairman Johnson was talking about the fact that
there are literally tens of thousands--45,000, actually,
substations in the United States, 55,000 in North America. With
that comes an exceeding amount of redundancy.
So the reason that the number is closer to between 200 and
700 of the most critical substations is because those others
represent excess capacity and redundancy throughout the system.
It is inaccurate to say that a single geomagnetic disturbance
would have a universal and unilateral impact across the entire
grid. So really what you do have to look at is as much notice
as possible to take those operational protocols to shut down
the grid to prevent damage, understand that in certain
instances like that, you have what is called ``voltage
collapse,'' which means that the systems fail safe, and that we
are, again, able to restart it through black start procedures.
And then, obviously, the redundancy and ability to move
transformers around in order to restore power should a
particularly damaging geomagnetic storm impact the grid.
Senator Peters. And I appreciate that comment, which I
think highlights the fact that we need to do a whole lot more
research into these storms. Because as you mentioned, it does
not have a uniform impact across the entire grid, but you need
to know where it is hitting, and that is why I made the analogy
to hurricane research. You need to know where it is going to
actually hit in order to prepare, not the whole eastern
seaboard but those particular areas where you think its path--
so the same thing for this research for space weather to make
sure the resources and the coordination are available for all
of the Federal agencies--NASA, NOAA, et cetera--to provide that
information to you.
I also wanted to make sure that I highlight the fact that
the critical infrastructure are these major transformers, as
Mr. Koppel talked about as well, that for the most part are not
made in the United States. They are made in Europe, the primary
manufacturer for them, and a large space weather event has the
potential of not only destroying transformers that exist in the
United States, but actually destroying or at least shutting
down the facilities that manufacture the transformers in Europe
at the same time. A large storm would actually shut down the
manufacturing, so then you could not even make these until
first you repair the entire infrastructure to even create
transformers before you make them and then ship them to the
United States. So this is something that I look forward to
continuing to work closely with the utilities. I know you are
focused on it. I know this is an issue that you have been
following as well. But we have got to make sure these protocols
are in place and we are really thinking this through.
Mr. Aaronson. And I can say fairly unequivocally that
helping to get more advance notice and increasing domestic
manufacturing capacity for transformers are two things that the
industry would be happy to work with you on.
Senator Peters. Right. Thank you.
Chairman Johnson. Senator Peters, first of all, thank you
for that line of questioning. I want to just follow up just
briefly. In a previous hearing, we were told, I think, in
testimony that about $2 billion damage annually because of
other types of solar events. So this is just happening all of
the time. But the massive ones like the Carrington Event is
something--I do not know how many orders of magnitude greater.
Mr. Aaronson, I just have to ask you, if the protocol gave
warning, 15 to 30 minutes, so we can shut down systems, who is
going to make that call? Who is going to make that call under a
massive geomagnetic disturbance that nobody knows how many of
these transformers could be affected, nobody knows, who is
going to make that call to shut them offline, take them offline
so those effects do not go through those wires and destroy
those large power transformers that cannot be replaced?
Mr. Aaronson. So, grid operators are tightly aligned. We
have talked about the fact that there are 1,900 entities that
make up the bulk electric system. There are regional
transmission operators and so on.
Chairman Johnson. Who makes the call? I mean, who makes the
call we are going to shut them all down in 30 minutes, in 15
minutes?
Mr. Aaronson. It is not as simple as cut the power. That is
not how this is going to work. But there is, again, this shared
responsibility among the sector----
Chairman Johnson. Yes, who makes the call?
Mr. Aaronson [continuing]. To be operating this--I do not
know the answer to that question.
Chairman Johnson. I think that is what Mr. Koppel is
talking about.
Let us see here. Senator Tester.
OPENING STATEMENT OF SENATOR TESTER
Senator Tester. Thank you, Mr. Chairman. I want to thank
you all for your testimony.
I want to talk about a little different kind of
infrastructure since you are here, General Dunbar, and that is
the infrastructure of our intercontinental ballistic missiles
(ICBM) forces. It has been--well, currently we have Hueys that
fly our personnel out for protection purposes. We are looking
to get some Black Hawks in a couple of years, earlier if we can
but in a couple of years at the latest.
There have been some that have suggested that maybe we
ought to use the Army National Guard for defense of our ICBMs
to make sure that they are secure. Fire season aside--if we use
them for that, they will not be available for fire season. It
seems like the fire seasons are becoming more and more
significant every year in Montana. In fact, they are.
From your perspective, what kind of training needs to go
in--or are they already trained--for National Guard soldiers to
be able to protect our ICBMs?
General Dunbar. Senator, thank you for that question, so
let me start by, again, making clear for the record that I am
here speaking on behalf of the State of Wisconsin as a National
Guard officer, not for the United States Air Force. That is a
very important Federal mission, and I would not propose that I
speak in any way for the United States Air Force on that issue.
In terms of the National Guard, the National Guard's
advantage to the country is it is a highly trained Army and Air
Force to do certain missions for the Army and the Air Force,
and from that comes a surge capacity for all kinds of missions.
So, in California and other States, National Guard members
have been used to fight fires, both on the ground and in flying
helicopters. I can talk in the State of Wisconsin that we have
our Black Hawk pilots--not all of them but some of our crews--
trained to fly Forest Fire Missions with Bambi Buckets to help
put out those fires that you talk about.
In terms of moving personnel from Point A to Point B, it is
pretty much square within a Black Hawk's mission that most
crews have that capability in their wheelhouse.
In terms of whether it is a good idea, I know you know
this, sir, but the National Guard is a State military force
until we are mobilized for active duty. So, if the Air Force
needed the Guard to do that mission, then they could ask for
volunteers. If the Governor thought that it would interfere
with the State's response to firefighters, the Governor could
push back and say, ``I am not going to authorize volunteers.''
And then, of course, the Federal Government could trump that,
as it always can----
Senator Tester. Bingo.
General Dunbar [continuing]. And say we are going to be on
active duty.
Senator Tester. OK. I am just curious. I mean, we can solve
this whole problem by getting the Black Hawks in quicker, but
that is not within your purview.
I want to talk to Mr. Aaronson for a second about
transmission and the threats--on the grid, I should say. And
excuse me if it has been asked already, but is that threat
mainly in transmission or in generation?
Mr. Aaronson. So, I guess I would answer it this way: The
threat is mostly in transmission. Generation, there are so many
generation assets lending electrons to the grid. Those are
assets we want to protect, but transmission is really where it
is at.
Senator Tester. And, so, is this due to our reliance--
because I know nothing about, quite frankly, how this whole
system works, so we are starting at zero. But is this due to
our transmission reliance on the Web, or why should we be
concerned about this from a terrorist standpoint? Or are we
talking about bombs blowing stuff up?
Mr. Aaronson. So, a lot of answers to that question. First
of all, you are not alone, Senator, in not knowing a lot about
how the electric grid works. Most people just figure you turn
on the light switch and the lights turn on.
Senator Tester. As long as they turn on, it is good.
Mr. Aaronson. And that is our goal, too. We do not want you
to have to think about all of the things that are happening
behind it.
Senator Tester. Yes.
Mr. Aaronson. There are a lot of threats to the grid, and
we like to say from squirrels to nation-states. And, frankly,
there have been more blackouts as a result of squirrels than
nation-states.
Senator Tester. Right.
Mr. Aaronson. The various threats--the reason the
transmission matters, think of transmission as the----
Senator Tester. I know why it matters, truly, because my
lights do not come on without transmission.
Mr. Aaronson. That is right.
Senator Tester. If we do not connect it all up. The
question is: Why is transmission a target? Is it because of the
Internet? Or is it because of something else?
Mr. Aaronson. It is because it is a soft target by
definition. There are 45,000 substations in the United States.
There are long lead lines everywhere.
Senator Tester. You are right. And, by the way, those
substations have been around a long time.
Mr. Aaronson. They sure have.
Senator Tester. When we were in conflicts in World War II,
there were substations. In conflicts in Vietnam, there were
substations. Conflict in the first Gulf War, there were
substations. Why now? What is different than Vietnam? Why
should we be concerned now when we never heard anything about
it in the late 1960s?
Mr. Aaronson. The threats continue to evolve. You can look
at geopolitical situations. You can look at the fact that we
used to be----
Senator Tester. OK, so the threat level is greater.
Mr. Aaronson [continuing]. Superpower, the line that we
were a nation with friends north and south and bordered by
oceans.
Senator Tester. OK. So the threats have raised, is what you
are saying.
Mr. Aaronson. That is correct.
Senator Tester. The threats of people wanting to do damage
to the homeland have raised, and they were not necessarily--
Ted, do you agree with that?
Mr. Koppel. No, Senator, I do not. What has changed is that
the electric power industry has become deregulated. We now have
3,200 companies. I am as much of a novice at this as you, so I
have reduced it to a very simple analogy.
Senator Tester. That is what we like.
Mr. Koppel. I want you to imagine a balloon that has 3,200
valves, and half of those valves are letting air into the
balloon, and the other half are letting air out of the balloon.
As long as you maintain a perfect equilibrium between the
amount of air coming in and the amount of air going out, your
balloon stays inflated. Too much air in, the balloon blows up.
Too much air out, the balloon collapses.
The electric power industry is made up of 3,200 companies.
You have to maintain a perfect balance between the amount of
electricity that is generated and the amount of electricity
that is used. Too much electricity in, you have a problem. Too
much electricity out, you have a problem.
Only the Internet has the capability of maintaining that
exquisite balance. There was no Internet back in the days of
Vietnam. There was no Internet back in the days of World War
II. You were dealing with a totally different kind of electric
power industry.
Senator Tester. And I appreciate that answer because that
is what I had surmised. And I will tell you that the technology
has done a lot of really good stuff for efficiencies and
predictability and dependability. I come from agriculture, and,
interestingly enough, I had a guy get on my combine--I actually
still drive my combine. I do not have a GPS unit on it. And I
had a guy get on my combine last year, and he said, ``How do
you know where to cut? Because you do not have a GPS unit that
is telling you where to harvest.''
The point here is this: If we want to talk about
preemption, I think that you have to run back and try to figure
out how you can still manually control this stuff. And if it is
impossible--as you may be correct, Ted, the Internet is the
only way to control it--then we have to figure out different
ways to do this.
I will tell you that the comments about tens of millions of
refugees, which is probably true, I mean, we have to work on
preemption, because I do not see how we ever deal with a
situation like that. It amazes me, flying into this city, how
we feed people in this country, much less how we would feed
them under a catastrophic situation.
Go ahead.
Mr. Aaronson. If I might, I would like to add a little bit
of context to what Mr. Koppel said because he raises an
important point about the fact that it is 3,200 entities, 1,900
that make up the bulk electric system.
First of all, it is not controlled by the Internet. We are
talking about operational technologies, supervisory control.
These are not Internet facing. So, yes, it is through that
digital overlay is exceedingly helpful in providing these
efficiencies, but it is not uniquely capable of keeping the
grid operational.
Think back to just 20 years ago. We operated the grid for
the better part of a century without digital overlay. There is
the capacity to keep electrons flowing regardless of having
supervisory control.
Senator Tester. You are correct, and the only thing I am
saying is if the threat has emerged because of the Internet, we
need to go back to that system as a fail-safe.
Mr. Aaronson. And we are.
Senator Tester. OK.
Mr. Aaronson. People have looked at what happened in
Ukraine at the end of last year as this eye-opening experience
for the electric sector. It was not eye-opening. It was
something that we were aware could happen and have been
preparing accordingly.
Senator Tester. Thank you, Mr. Chairman.
Chairman Johnson. And I want to point out it was highly
sophisticated, so the use of the Internet, those operators
thought the systems were working properly when they were not.
And I think the greatest threat is taking that a step further
and having the destruction of those large power transformers
that we cannot replace, that takes something from a 6-hour
shutdown to days and weeks and months. And that is what I
continue to be concerned about. My primary concern is the
destruction in some way, shape, or form from various threats of
these large power transformers.
Again, I think that you are minimizing what that is. I
think that you are just trying to be a little too soothing in
this process.
Next, Senator Portman.
OPENING STATEMENT OF SENATOR PORTMAN
Senator Portman. Thank you, Chairman, and thank you and
Senator Carper for holding the hearing. It is an incredibly
important issue.
I want to talk about something that is specific to a threat
to our infrastructure, and that is the increasing evidence out
there that we have ransomware that has infected not just
individuals' computers but commercial systems. I recently had
the opportunity to get a briefing from the FBI on this, and I
noticed that they sent out something on their website just a
couple weeks ago warning people. There is a unique, I suppose,
warning out from the Canadian Government and our government
right now on ransomware based on some information.
To me, this seems to be a growing problem, and yet it is
underreported because my understanding is a lot of companies
are not eager to talk about their ransomware payments. For
those who do not follow this, this is when you have an
infection in your system, and you find your system has been
encrypted to the point that it is blocked, and you get a notice
saying, ``If you pay this amount of money during this time
period''--and sometimes there is a clock that shows you
apparently what your time period is--``we will pull the malware
off, and you will be able to operate your system.''
There have been some unfortunate instances of this that
have gotten a lot of attention. One was the Hollywood
Presbyterian Medical Center in L.A. earlier this year. For
weeks, they had to shuttle their patients to other facilities
because they were locked down with a malware problem.
I guess my question probably is best to you, Mr. Farmer,
because you are here as Chair of the Partnership for Critical
Infrastructure Security. I am sure you have seen this report.
The Institute for Critical Infrastructure Technology (ICIT),\1\
issued this report, and its headline is kind of jarring. It
says, ``2016 will be the year ransomware holds America
hostage.'' Maybe the title of your next book, Ted.
---------------------------------------------------------------------------
\1\ The report submitted by Senator Portman appears in the Appendix
on page 75.
---------------------------------------------------------------------------
So, Mr. Farmer, could you tell us--and I know this data is
difficult to come by because, again, it is not always reported.
But based on what the FBI has said and based on this report and
based on some of these specific instances that have come to the
media's attention, what is the nature of the problem? Is it, in
fact, increasing dramatically, as some say? And what are some
of the ways in which we as legislators could be more effective
in dealing with it?
Mr. Farmer. Thank you, sir, for that question. I do think
the problem is expanding, and the FBI's attention to it and
DHS's attention to it is reflective of that. The media coverage
highlights those cases where ransomware has not only had an
effect but actually worked. And I think like anything else, so
long as the tactic is working, the interest in pursuing it is
going to expand.
There are two avenues to focus on in terms of whether
incidents get reported. Often an affected organization will
report a matter to the FBI as a law enforcement concern. The
FBI will handle that matter through its investigative
procedures with the affected entity. Whether it gets shared
more broadly is a determination that entity might make with its
sector partners, with DHS. But I think there is a lot of
reporting which is informing the FBI's efforts and providing
these awareness bulletins in terms of entities affected by this
trying to deal with the problem and seeking law enforcement
assistance. So, I think on that side, you have a lot of good
reporting, and because of the manner in which the FBI handles
its investigations, that is generally with the affected entity.
Now, because of the FBI's experience--and I give the FBI a
lot of credit here--they have done a great deal of work in
taking what they are learning from these law enforcement
investigations, stripping out the indicators of the affected
organizations, and then publishing for wider dissemination
guidelines and advisories, in particular, papers that focus on
indicators.
One of the things we focus on in the Cross-Sector Council
is we are not necessarily interested in who the perpetrators
are. That is investigative information that is not necessarily
important to us. What is important is the tactics. How is it
that these events are taking place? And, in particular, how
does the intrusion occur onto the affected networks?
The focus of our cybersecurity priorities collectively is
on that aspect. What can we learn from all that work the FBI
does in its investigative efforts? As I mentioned earlier, from
all that assistance DHS provides in terms of onsite work with
affected organizations and sharing indicators, let us take that
next analytical step and understand better how these events
happen.
So, what makes it to the media is the effect: the computers
are no longer accessible, the hospital cannot get to the
records. So, the effect makes it. But what is far more
important from a cybersecurity perspective is how did that
happen. And, I think as Mr. Koppel can point out just from the
work that he did in connection with this book, too often the
means of intrusion are perilously simple, and there is a lot of
work that we can do based on that next level of analysis,
understanding what those tactics are that are used most often,
understanding what vulnerabilities are most often exploited.
That can be passed in advance, understanding what protective
measures when that support is extended were found lacking.
I will give a comparative example. In Australia, their
equivalent of the United States' Computer Emergency Readiness
Team did an analysis of times when the Australian Government--I
think it is the Signals Directorate in Australia--had to
provide assistance to private entities in Australia affected by
cyber attacks, and that analysis found that in 85 percent of
those cases, if four categories of protective measures had been
taken, those attacks never would have materialized as they did.
And, so, we look at that from the U.S. perspective. We
credit DHS and FBI for that expansive work, and we say let us
take that next step of analysis and build a very good cyber
threat profile that we can pair with the Cybersecurity
Framework issued by the National Institute of Standards and
Technology (NIST), and sectors can then look at that and say
for organizations of varying sizes, this is what the threat
looks like; these are what the vulnerabilities are that are
most often exploited; these are the protective measures you
really need to pay attention to; and marry those with
objectives of the framework.
Senator Portman. Mr. Farmer, I would say, with all due
respect to that analysis that has been done and the information
that is out there, I am looking at a bulletin right now that is
on the FBI website. It is tips for dealing with ransomware
threat, and yet it is dramatically increasing, as I understand
it and as this report says, and I think you confirm that.
Mr. Farmer. Right.
Senator Portman. So, despite our ability to understand how
these ransomware attacks are happening and this information
that is out there, it is expanding. And I think one reason it
is, from what I understand, is that sometimes the ransomware
folks are asking for a relatively small amount of money, small
enough that, frankly, they are not being investigated, so let
us say $10,000. I am told that is kind of the sweet spot. My
view would be we need to up the enforcement of that and
investigate all of them because it is sort of the broken
windows analogy on the policing side.
Mr. Farmer. Yes.
Senator Portman. You cannot let some of this ransomware
happen. And then, second, how do you encourage people to
report? As you are saying, some do report it as a law
enforcement matter. Some do not, particularly if it is at this
relatively low level.
And then the final thing is--and this is where I think Ted
Koppel has done a great service--talking about what
restrictions are there that we could help with both at the
regulatory level and at the legislative level to allow people
to protect themselves better. The great example that I have in
some research that my team did was hospitals that are told
under the Health Insurance Portability and Accountability Act
(HIPAA) rules, they have trouble defending themselves following
these very tips that are being laid out. And, I think you wrote
something about actually an Ohio incident where there was a
brownout in Ohio, and some regulatory issues affected the way
people were able to defend themselves.
Is that accurate or am I missing----
Mr. Farmer. I think you are accurate, sir, in terms of the
nature of the threat. You are accurate as well in terms of the
expansion. I do believe a similar widespread publication of
investigative actions and successful prosecutions that result
in serious penalties for this behavior would be helpful as a
deterrent factor.
I will say this, though: I do not agree, though, that----
Senator Portman. So going after people more aggressively
who are participating in this and increasing the fines or the
criminal penalties.
Mr. Farmer. Increasing the criminal penalties, but also
taking that Step 2 of ensuring that those sorts of penalties
are well known. Again, often the focus of attention is on what
happened in the particular event and what the impacts were. We
do not pay enough attention afterward to how that was resolved
in terms of someone was prosecuted, someone went to jail
because of the actions they took.
And there is one area, sir, where I do want to make a
point. I do not think we have done so well yet at highlighting
for organizations across the board, particularly those smaller
in size that do not have a lot of resources. Hospitals become a
good target because they have limited means to protect
themselves. I think we really need to focus on understanding
better through analysis what the intrusion mechanisms are that
enable the ransomware attack to happen and help organizations
understand what they can be doing better in terms of
narrowing--the term that gets used--the ``attack surface,''
narrowing that opportunity.
So, I think it is a two-pronged approach. We do a really
good job of highlighting ransomware as a problem. We do not do
nearly as well a job of saying this is how ransomware
intrusions based on analysis are happening, and here are some
things you can do to narrow the risk profile of your
organization.
Senator Portman. Let us follow up on that. My time has
expired. Again, thank you all for being here. And I think you
are right. It was hospitals maybe among institutions that were
most vulnerable initially and smaller hospitals that did not
have a more sophisticated system. My understanding is it is now
moving to larger hospitals and other entities that have even a
bigger impact on our critical infrastructure.
Thank you, Mr. Chairman, and maybe we will follow up, Mr.
Farmer, if that is OK, with some follow up questions.
Mr. Farmer. Yes, sir.
Senator Portman. Thank you.
Chairman Johnson. Senator Ayotte.
OPENING STATEMENT OF SENATOR AYOTTE
Senator Ayotte. Thank you, Chairman.
I would like to ask you, Mr. Koppel, based on the book that
you wrote, ``Lights Out,'' what are the top three takeaways you
want us to have today in terms of the action that we could take
as a priority?
Mr. Koppel. Thank you, Senator.
Thank you for the question, Senator. I think you are
exactly right. We are focusing a little bit on the wrong
issues, and I think the key issue we need to focus on is even
some of the most potentially successful measures that the
industry is taking to defend itself, I think Mr. Aaronson will
concede, are still some time off in terms of their real
effectiveness. The CRISP program that he referred to before,
when Mr. Aaronson and I spoke about a year ago, I believe he
told me that the goal was that by the end of 2015, something
like 0.4 percent of the industry would be covered, and I would
like to give him an immediate opportunity to respond. Maybe you
are way ahead of that by now.
Mr. Aaronson. It is 0.4 percent of the number of electric
utilities covering approximately 75 percent of all customers.
Mr. Koppel. OK. But it is still a minuscule percentage.
Mr. Aaronson. It is the right ones.
Mr. Koppel. OK, except that the right ones and the wrong
ones are all connected.
Mr. Aaronson. So to that point--and it is an important
one--socializing the information, CRISP is wonderful for the
companies that deploy it because they get near-real-time
feedback about the impacts on their system. Shortly after, that
information goes to classified databases, is compared to those
databases, and then is actually socialized through our Electric
Information Sharing and Analysis Center (EISAC), to all of
those 3,200 entities that you reference. So the few who are
deploying this technology are helping the whole.
Mr. Koppel. Except that the deployment of that information
in the age of the Internet, where we are talking about
fractions of a second----
Senator Ayotte. With very quick development of new
technology.
Mr. Koppel. With very quick development, exactly--is
somewhat less than useful.
My point is I think we may be focusing on the wrong area at
this moment. I think we have to conclude, whether it is from
EMP, whether it is from some space weather incident, or whether
it is from a cyber attack, that the United States needs to
begin preparing for the consequences of a successful cyber
attack on the grid in particular, because the grid indeed just
does have such an impact on so many other parts of the
infrastructure.
We do not have enough food. We are focused primarily on
MREs, which, because they only have a life span, a shelf span
of 5 years, the government has not bought in sufficient
quantity because it does not want to be sitting there with
millions of MREs which are going to be no good after 5 years.
Even if we turn to freeze-dried food, which I think is
going to be the long-range answer, and if we were to begin
today to try to accumulate the necessary amounts of freeze-dried
food, it would be 2 to 3 years, if we started right now,
before we had an adequate supply.
We do not yet have adequate plans for evacuating, if that
indeed is what has to happen--let us say a major city like New
York is hit, and a large part of the East Coast is without
electric power. And some people--and we are talking about tens
or hundreds of thousands of people--decide to evacuate, where
are they going to go? And I think it is a question that perhaps
General Dunbar can address, the degree to which each State is
prepared to accept large numbers of internal refugees. I think
we need to begin making plans. I think we need to begin
communicating State to State, Federal Government to State
government, and vice versa.
I know of at least one State on the East Coast whose
preparations are that they would activate the National Guard,
they would have their sheriff's department, they would have the
State police standing there with maps, a bottle of water, and a
sandwich. And as refugees from nearby cities came through, they
would give them the water, the food, and the map and show them
where the nearest way out of town is.
Senator Ayotte. Wow.
Mr. Koppel. We assume, because we are all Americans, that
every State is going to welcome vast numbers of internal
refugees. I would suggest to this distinguished panel that that
is not necessarily the case.
Senator Ayotte. Thank you, Mr. Koppel.
Mr. Aaronson, I wanted to follow up. When I heard 0.4
percent of those that cover 75 percent of the infrastructure, I
guess I have to agree with Mr. Koppel in terms of describing
that as a very small, if not minuscule amount. But here is a
question I have for you: What is your association's position on
the installation of devices that would protect transformers
that may be susceptible to damage from solar storms or EMP
attacks?
Mr. Aaronson. So there is a lot of misinformation out there
that there is a particular technology that would protect
everything from everything. Early on, we were discussing EMP,
and there are very different natures of an electromagnetic
pulse. You have a high-altitude nuclear weapon as one source----
Senator Ayotte. Well, let me ask you this: Are you opposing
installing----
Mr. Aaronson. No, certainly not.
Senator Ayotte [continuing]. Devices to protect
transformers?
Mr. Aaronson. Certainly not. And, in fact, we are doing it,
though, in a responsible way. Our real concern here is
unintended consequences. The point----
Senator Ayotte. What kind of unintended consequences?
Mr. Aaronson. Potential impact to the grid. When you put
new widgets, whatever they may be--blockers, capacitors,
resistors--on the grid, energy has to go someplace. And to Mr.
Koppel's point, I will agree completely that it is a balanced
system, and new stuff can throw that balance----
Senator Ayotte. But here is our problem: So we are worried
about new stuff, but we are facing a potential blackout
situation that could cause mass chaos in our country. So as we
look at the risks we are facing versus deploying new
technology--and, obviously, there are always new undertakings with new
technology--wouldn't you agree with me that this is a very
important issue for industry to step up and address?
Mr. Aaronson. A hundred percent. And, in fact, we are.
There is a lot of money right now behind the Electric Power
Research Institute, which is looking at just this. What would
the threat be from the various kinds of EMP, whether it is a
direct energy weapon, a nuclear weapon, or a geomagnetic
disturbance? And what are the appropriate mitigation strategies
so that we do not have those unintended consequences?
We agree, this is one of the risks, and we need to mitigate
against it. But we do not want the solution to be worse than
the threat, especially----
Senator Ayotte. I am not sure what could be worse than a
blackout where we are handing people a sandwich and a bottle of
water and giving them a map.
Mr. Aaronson. Well, let us be clear with especially--let me
break down each of the threats. If you are looking at
geomagnetic disturbance, this is something that already happens
all of the time and that, in fact, we do have standards in
place to deal with.
Chairman Johnson. Excuse me. Not at a massive level. Let us
be clear. Not at a massive level like the Carrington Event.
Mr. Aaronson. The geomagnetic disturbance standard is
ambivalent to whether it is a Carrington Event or just your
typical solar max that we get every 11 years. It is operational
procedures to protect the grid in the event of a coronal mass
ejection.
If you then look at direct energy weapons, these are things
that are mostly localized in impact, not all that different
from throwing a Molotov cocktail or a bomb into a substation.
It is bad, but with 45,000 substations, we have a significant
amount of redundancy.
The last one, looking at a high-altitude nuclear weapon,
this is absolutely something that could happen, but I would
posit it is a high-impact but exceedingly low-probability
event. This is not happening tomorrow. So let us do the right
thing to ensure that as we work to mitigate against this and
many other threats that we are doing so in a risk-based and
responsible way.
Senator Ayotte. With all respect, I think that government
has a really important role when it comes to thinking about a
nuclear attack. But let us just be clear. I serve on the Armed
Services Committee, and we have Iran testing ballistic missiles
right now. We have North Korea testing ballistic missiles. So
we have a role in this. I get it, in terms of this. But what
concerns me is that that is not the only source for potential
EMP attack in terms of what could have an impact on this grid.
And, so, what I would like to see is making sure that industry
steps up.
My time is up, but I have a follow up question, so perhaps
I will wait.
Chairman Johnson. Because I want a quick follow up. How do
you explain that 8 years after the 2008 EMP Commission, the GAO
reports to this Committee that we have done none of these--
performed any of these recommendations? Is GAO just wrong or----
Mr. Aaronson. No, Chairman, I appreciate you actually
running through the litany of the 2008 report, and I sort of
took notes as you were doing it. My understanding is the GAO
report was looking at some of the things that government may or
may not have been doing over the course of the last 8 years.
I can say--and this goes to Senator Ayotte as well--with
respect to understanding the threat and what it might do to the
grid, understanding the mitigation and the appropriate way to
protect should an event like that happen, the industry is well
underway in not just investigating but in some cases investing
in mitigation. As companies build new control centers, as
companies are building new substations and new control housing,
they are doing things to shield against EMP.
I note that we talked about restoration and replacement of
equipment. The Spare Transformer Equipment Program started in
2006, but has evolved dramatically with an eye toward any
number of existential threats, whether it is combined cyber
physical attacks, really big storms, solar flares, or even EMP.
Going down the line, looking at critical interdependencies,
there is a lot of work happening in this space that mirrors the
recommendations of the EMP Commission's report.
Chairman Johnson. OK. And, again, I will reiterate my
request to get that information on those replacement
transformers. Senator Heitkamp.
Senator Heitkamp. Kelly can finish.
Senator Ayotte. Thank you. I just have a follow up
question. As I understand it, DOD has developed some
technologies that the utilities could actually use hardware
devices to protect electricity generators and pipeline
compressor motors from certain cyber attacks. And I wanted to
ask you, has the industry installed those hardware devices
using some of the developments from the Department of Defense?
And if not, why not?
Mr. Aaronson. So, I am not familiar with the specific
devices that you are referring to, but I will say this: An
enormous part of what the Sector Coordinating Council that I am
privileged to serve as part of the secretariat for is looking
at technology transfer from the government to the industry.
I will also say, as you pointed out in your question before
that this is something that government can help with as well.
The Department of Defense in particular has had to contemplate
how they would prosecute a nuclear war and had some really
interesting information about what the impact of a nuclear
weapon might look like to the grid. The more we can do to get
that information into the hands of the folks who are doing this
successful to apply it to the grid would be invaluable.
Senator Ayotte. So, I am going to submit for the record a
follow up question because, as I understand, you have the
information and you have the ability to do this, and so I will
ask a very specific question and follow up for the record on
this to get a more specific answer from you.
I would like to thank all of our witnesses for being here
and the Chairman. Thank you, Senator Heitkamp. I really
appreciate it.
Chairman Johnson. Thank you, Senator Ayotte. Senator
Heitkamp.
OPENING STATEMENT OF SENATOR HEITKAMP
Senator Heitkamp. Thank you, Mr. Chairman.
Mr. Aaronson, a miracle happens every day. We walk over to
the light switch, and we turn it on, and lights come on. That
is a pretty remarkable thing, and it has been a huge reason why
this country has developed the way it has. So we all see huge
consequences when we do not have access to power.
Also, we are talking a lot about high-tech threats and
challenges. I would tell you that as a veteran of the utility
industry, you should also worry about low-tech. My guys would
tell you that a .22 in the right place could do almost as much
damage as anything we are talking about today. And, so, with
some knowledge, we know that a lot of our substations are not
protected, they are not securitized. I would add that to the
list of things that we ought to be thinking about as we look at
protecting the grid.
Mr. Aaronson. If I can react to that--and, again, in my
opening statement I remarked that we do have standards in
place. Standards in and of themselves are not security. If you
mandate a 10-foot fence around everything, the adversary brings
a 12-foot ladder. So you want to make them bring that ladder,
but you do not want to pretend that just because you have that,
you are secure.
Another component to security is this idea of resilience
and redundancy. As you know--and I have mentioned a few times
and so has Mr. Koppel--45,000 substations. These are by
definition soft targets. They are in communities, they are in
cities, they are in valleys, they are on mountains, they are in
rural areas. So to try to protect everything from everything is
a fool's errand.
What we need to do is continue to build that capacity to be
responsive and redundant when things happen, and I will give
you one quick example. You may be familiar with an attack that
happened in Silicon Valley a couple of years back. One or more
people, we still do not know, shot up a substation, rendering
inoperable 17 of the 21 transformers there. It was a bad
attack. But I will note that the lights did not even blink in
San Francisco or Palo Alto. So it shows the enormous resilience
of this grid.
Senator Heitkamp. But a coordinated attack by somebody with
a great deal of knowledge about how you create redundancy on
the grid could create real problems----
Mr. Aaronson. We agree.
Senator Heitkamp [continuing]. In a classic or traditional
attack.
Mr. Aaronson. We agree completely, and your point about
low-tech, Occam's razor, the simplest is the most likely. It is
a lot easier for the hunter who had a bad day to go take
potshots than it is for a well-coordinated, combined cyber
physical attack. There is sort of an adversarial curve. I want
to quote John Brennan, the Director of the CIA: ``Those who can
do this damage do not want to, and those who want to cannot.''
Now, I will say that axiom is not static. There are
certainly adversaries who are going to get more sophisticated.
Senator Heitkamp. And we cannot afford the exception that
proves the rule. That is the point.
Mr. Aaronson. And we have to stay more sophisticated. That
is exactly right.
Senator Heitkamp. I am concerned about what happens, Major
Dunbar, in the event of a catastrophic power outage as it
relates to first responders and the resiliency and redundancy
for first responders to operate in a world where we do not have
access to electricity. And I am wondering what planning you
have done in the State of Wisconsin or other organizations--in
North Dakota, we have an emergency management plan that is
reviewed periodically with the National Guard. It has proven to
be an invaluable resource when we look at the major floods
where we did experience power outages or huge snowstorms with
ice that takes down power lines.
What kind of system should we be looking at for first
responders so that we can, in fact, keep the peace in the event
of a catastrophic outage?
General Dunbar. Thank you, Senator. In Wisconsin, like all
States, we also have an emergency management plan that we
update periodically. We have had experience with power outage,
but not on the scale that we are talking about long-term and
widespread. It is one thing if a small part of the community
has power outage and the fire department and the police
department have systems that they have right now to allow them
to go into these areas and have generators and things like that
and operate. The scale we are talking about, we do not have
plans.
Senator Heitkamp. Right.
General Dunbar. We are trying to get our head around what
that would look like, the very point that my colleagues on the
panel are making in terms of how--it is one thing to have power
outage for a couple of hours. I joke with my wife, if the power
goes out for a couple of hours, it is almost romantic. You
light a candle. It is not going to be romantic after a month.
It is going to be a bad day, a bad week, a bad month in
America. And then add to that if people start to leave their
homes. A big concern of mine as Homeland Security Adviser in
the State, if this happens in Milwaukee, our largest city in
Wisconsin, or, God forbid, Chicago to our south and people
start to leave their homes----
Senator Heitkamp. I just think it is something that we need
to have that communications network, we need to have the
ability to continue to manage an emergency response network in
the event of a catastrophic power outage, and, so prevention,
hugely important, but also analyzing what we do with
consequences.
Mr. Koppel, you mentioned food security. The World Food
Program tests food all of the time. They have packets that they
deliver or drop from the sky. They are just now transitioning
to a high-protein, high-calorie product. Have you looked at all
at what the World Food Program does to basically look at
logistics in very difficult places and what they do with food
security?
Mr. Koppel. No, ma'am, I have not. But I would point out to
the Senator, we are not talking about delivery. I think if
there is one thing that the United States absolutely surpasses
any other country in the world at, it is delivery. I am talking
about availability. In a State like New York, for example, you
have 17 million people in the State. They have, let us say, 20
or 30 million MREs stored in New York State. Do the math. You
are talking about 2 days' worth of food.
Senator Heitkamp. You might be a little concerned about
delivery if the power goes out and you cannot pump the gas.
Mr. Koppel. That is absolutely----
Senator Heitkamp. I think you have to imagine, as Hollywood
does all of the time, what an event like this looks like and
what are the key components.
Mr. Koppel. You are absolutely right, Senator, and the
other point I would make, which I was discussing with General
Dunbar before this session, is that we have a diminished number
of military in uniform. And the fact of the matter is if and
when an event like this occurs, ultimately every State and the
Federal Government is going to be dependent upon the Northern
Command (NORTHCOM). We do not have enough troops to do what
would be necessary in this kind of an event.
And if I may, your colleague Senator Ayotte asked if there
is anything we are leaving out. I do not want this to be left
out. The question of attribution, any other kind of attack that
is launched against the United States, it is easy for our
intelligence branches to discover instantaneously who did it,
where the attack is coming from. In the event of a cyber
attack, attribution becomes one of the biggest problems. You
cannot respond if you do not know who did it. And it might take
months before we actually determine, with any sense of
certainty that would permit the President to respond, who did
it. That is a huge issue and one that needs to be examined more
closely.
Senator Heitkamp. Well, I think this is a great opportunity
for us to have this conversation, to think about preparation,
because 90 percent of making this work is actually being
prepared and being able to imagine the what-ifs. And the what-
ifs are not related always just to high-falutin' security
attacks. There are some amazing things that can happen just
conventionally with some very determined and bad people.
And so, General, thank you so much for your service. We
need to continue to recruit into our National Guard. That is a
challenge, I think, for all of the National Guard today. And
talking about these issues publicly in terms of what importance
it is for people to serve in uniform, especially in the
National Guard.
Mr. Koppel, your book is a perfect example and a great
recruiting tool to tell people what, in fact, the value of that
service is. So thank you so much.
Thank you, Mr. Chairman.
Chairman Johnson. Thank you, Senator Heitkamp.
I just want to underscore what you said, Mr. Koppel, about
availability. I come from a manufacturing background. I am not
exactly sure when the concept was developed, but it has been
decades: ``Just in time.'' That is how we run our economy, just
in time, so we do not have the availability. Senator Carper.
Senator Carper. Thank you. Thank you, Mr. Chairman.
Mr. Koppel, you mentioned the number of people we have in
uniform. I wore a uniform for about 5 years active, another 18
reserve, and so I am mindful of what you are saying. I also was
commander in chief for 8 years with the Delaware National Guard
as Governor of Delaware.
My last State of the State address that I gave came off
pretty well and finished up, and we were having a reception
later in Legislative Hall, and a woman came up to me, and she
said, ``Were you the Governor when we had the blizzard of the
century?'' And I said, ``Yes, ma'am.''
She said, ``Were you the Governor when we had the ice storm
of the century?'' I said, ``Yes, ma'am.''
``Were you the Governor when we had the drought of the
century?'' I said, ``Yes, ma'am.''
And she said, ``Were you the Governor when we had the flood
of the century?'' I said, ``Yes, ma'am.''
She said, ``You know what I think?'' I said, ``No, ma'am.''
She said, ``I think you are bad luck.'' [Laughter.]
Well, fortunately, the good luck was we had a great
National Guard, and Frank Vavala, whom I know the general here
knows well, is our adjutant general, and whenever there is a
blizzard or an ice storm or a flood--they do not do so much on
droughts, but we have Nor'easters, we have hurricanes on the
East Coast, and the National Guard is always there. Air Guard,
Army Guard, and we are grateful for all that they do.
Senator Heitkamp just said in her comments, I think she
mentioned that when you go to pump gas in some kind of
emergency, if you do not have electricity, you cannot pump gas,
and what that sort of leads to. And what it leads me to is to
say, a lot of businesses and a number of homes have diesel-
powered generators that are there to provide electricity, maybe
for a home or for a compound or for a business. They work. They
also pollute a lot, and at a time when we are trying to reduce
carbon emissions, they actually do not help out on that front.
I mentioned in my opening statement that there are some, I
guess, 21st Century tools or methods to meet those needs that
are now met by diesel generators across the country. And one of
them was actually created at the old Moffett Field Naval Air
Station where Navy P-3 squadrons were on the West Coast, and
with a joint facility with NASA. And I am going to ask you for
ideas on other similar technologies that you may be aware of
that can help us when the electricity goes out and businesses
need to be run and gas needs to be pumped. It could be a data
center or a telecommunications company, it could be banking, it
could be retail, it could be logistics--any number of things
that depend on electricity. And when the power goes out, they
are not able in many cases to deliver, to do their job, and the
rest of us are in a bind.
The technology that came out of the efforts at the old NASA
base near Mountain View, California, a company called Bloom
Energy, and they used fuel cells and hydrogen in order to
create electricity for some fairly small boxes--they call them
``Bloom boxes.'' They are actually rather large ones that can
meet greater needs. And they are installed across the country.
Actually, the Department of the Navy uses them to some extent.
I think other units of our military are interested in exploring
those capabilities.
I think a couple of States--we manufacture some of those
Bloom boxes in Delaware. I think both New Hampshire and Ohio
not only use fuel cells like these, but they also contribute
heavily to manufacturing fuel cells.
My question for our witnesses is: How can we change our
policies and practices to further rely on innovative solutions
like fuel cells to increase the security and resilience of our
critical infrastructure? This is one thing that is being done.
Go ahead, please, Mr. Koppel.
Mr. Koppel. If I may, Senator, two points.
One, I have a generator at home that runs on natural gas.
The problem is the natural gas has to get pumped to my home,
and the pump operates on the basis of electricity. So if we
have a massive grid failure, I guess that natural gas is not
going to make it to my house either.
The other point is I interviewed a retired lieutenant
general from the Air Force who indeed is engaged in exactly the
kind of work you are talking about. He and his partners have
noted that the nuclear generators that fuel a number of our
Navy ships have now had 50 years of successful operation
without a single accident. The theory is if we could create a
number of these nuclear power generators and put them on
military bases around the country, they could not only serve
those military bases, but they would be additional power to run
critical infrastructure in neighboring communities.
I asked the general, if the President gave him the go-ahead
tomorrow to develop that capability, how long would it take?
His answer: Ten years.
Senator Carper. Both my boys are Boy Scouts. I used to take
our Scout troop, Troop 67 from Wilmington, Delaware, to the
Norfolk Naval Station, every year for maybe 3 or 4 years, and
spend the weekend, sleep in the barracks, eat in the galley,
climb all over ships, submarines, and aircraft carriers. One
Sunday we went to the Teddy Roosevelt, we got a tour of the
Teddy Roosevelt. And we had about 25, 30 Scouts, maybe half a
dozen adult supervisors. Anyway, we get to the bridge of the
ship, and we were met by the commanding officer of the ship, a
captain, a Navy captain. And he said to our group, he said,
``Boys, when the Teddy Roosevelt goes to sea, it is 1,000 feet
long.'' And the boys went, ``Ooh.'' And he said, ``Boys, when
the Teddy Roosevelt goes to sea, it has 5,000 sailors on
board.'' And the boys went, ``Ooh.'' And he said, ``Boys, when
the Teddy Roosevelt goes to sea, it has 75 aircraft on board.''
And the boys went, ``Ooh.'' And then he said, ``Boys, when the
Teddy Roosevelt goes to sea, it refuels once every 25 years.''
And the adults went, ``Ooh.''
The hearing we just had, the markup we just had that I was
late for--I am the senior Democrat on the Subcommittee called
``Nuclear Safety.'' We actually focused on just this thing, new
generation, nuclear power, small modular. And, actually, with
the technology, you can use spent fuel rods from other nuclear
power plants and derive electricity from them. So there is some
really exciting stuff going on. Maybe a lot smaller, easier to
build, maintain, and so forth. And redundant with more
resiliency, so thank you for that idea.
Any other ideas, please?
Mr. Aaronson. Yes, Senator Carper, I appreciate some of the
things that Mr. Koppel said. I want to underscore one. He
talked about how his generator relies on natural gas but the
natural gas relies on electricity. I would go even further
back. The electricity relies on natural gas. So there are
profound interdependencies throughout, and I think that is
something that this sector, which has always been held up as
the most critical, really gets just as a matter of course and
is working across those critically interdependent sectors.
With respect to technology as a solution to this, I would
say, yes, technology, things like the Bloom boxes and other
distributive resources, come with some added resilience and
redundancy. It is a double-edged sword. They also come with,
the phrase that has been used, ``an added attack service.''
I am from New Jersey originally, and if you look at what
happened during Superstorm Sandy, several hundred circuits were
destroyed and had to be fixed, and it took between 10 days and
2 weeks to get the power back on. Had there been distributive
resources, maybe 30 million from all over the Greater New York
Metropolitan Area, we would probably still be restoring. So I
do not want to pretend that those devices in and of themselves
equal security or redundancy. They are a component. They are a
tool in the toolbox.
The last thing I would say is with respect to military
installations and that sort of a partnership, yes, in fact,
siting generation on military installations for their use and
then for the community's use in the event of an incident is
something that is happening and certainly could be happening
more. So I think there are a lot of interesting ways--I want to
be very careful to say we are open to anything. I think
anything that enhances the resilience and redundancy of the
service we provide is something we all ought to be exploring,
and it is the value of the Sector Coordinating Council and the
CEO and senior government leadership which are setting that
strategic course. As opposed to finding these little tactical
things that we can be doing, let us learn from some of those
experiences like Ukraine, like Metcalf, like Hurricanes Sandy
and Katrina, like the wildfires in California, and like our
experience putting things on military installations, and let us
build on those and figure out--let us have an automated
response to some of these incidents, and let us have a capacity
to go back to the 1960s and be able to support civilization
without automation.
Senator Carper. All right. Thank you. My time has expired,
but, Mr. Koppel, go ahead.
Mr. Koppel. If I could just add one footnote to what Mr.
Aaronson just said, prior to the deregulation of the power
industry, military bases in this country generated their own
power. And the Pentagon came under great pressure from this
particular geographic location on Capitol Hill to save money by
using private industry to generate the power on the bases. So
to a certain extent, we are talking about going back to the
future.
Senator Carper. All right. Good.
A quick side note, Mr. Chairman. Hurricane Sandy was about
3 or 4 years ago, but actually there were Bloom boxes that were
deployed previously before Hurricane Sandy hit, and they were
actually used, I think, to good effect. So that is, I think,
some encouraging news. Thank you so much for being here. It is
a great hearing. Thank you so much. Good to see you all.
Chairman Johnson. Thank you, Senator Carper.
What I am going to do is kind of go down the line there and
give everybody a chance to make a final comment. But I do want
to quickly explore what I am assuming is the major, the primary
weak link, and I think it really is transmission. First of all,
is that correct? Yes, you can shut down a power station, but
there will be other power stations that might survive. But let
us say you do these things on military bases, and you can maybe
distribute within the military base, but then going further and
further out. Transmission is really sort of the weak link here,
isn't it?
Mr. Aaronson. I mean, I will quibble with the word. I would
not call it a ``weak link.'' It is actually exceedingly secure
because it is so redundant, but it is, I think, the primary
focus of our attention for security.
Chairman Johnson. But, again, depending on maybe a very low
probability of an EMP or a massive GMD, the weak link in that
transmission system are these large power transformers,
correct?
Mr. Aaronson. They are the lifeblood of the transmission
system.
Chairman Johnson. OK. What determines the 200 to 700
critical transformers? Is that size? Is it location? Why are
they critical, versus the tens of thousands of other ones that
Mr. Koppel was talking about?
Mr. Aaronson. So, yes, it is size. It is what they serve.
There is any number of criteria that each individual company
would know as to why a particular transformer is critical, and
I will just tell a quick anecdote. There is a company that had
identified several of their transformers to be critical and
disclosed them as so. And then that list changed, and somebody
asked why. And the answer was they built another substation.
So there are certain substations that are taking
electricity in very critical areas and transmitting it, and so
as a result, those are your priority transformers. And let us
put it this way: If you have 45,000 priorities, you have none.
So we really do have to hone in on those that are the most
critical to the system.
Chairman Johnson. So would you agree with me that--my
concern has always been these large power transformers--those
are the things we must protect, we must have redundancy for?
There are other concerns, but that is coming from a
manufacturing background, what is the root cause? Is that sort
of the most critical thing that we should be turning our
attention to, the protection of those?
Mr. Aaronson. There are a lot of critical things that we
need to be doing, but I think I do agree with your statement,
and the industry agrees with your statement, which is why we
have developed so much excess capacity, and, again, working
with folks like Mr. Farmer and the railroads, the ability to
move these things around. I have heard too often this notion of
if there was something really bad that happens, we would
``reengineer the system.'' That is a hard thing for a non-
engineer to fully appreciate.
What we have been doing recently is to explore what does
``reengineer the system'' mean and plan for that so we can do
it more effectively and efficiently if and when something does
happen.
Chairman Johnson. OK. Let me start with you, General
Dunbar. Closing comments?
General Dunbar. Well, Senator, thank you for the
opportunity to be with you. I would foot-stomp I think four
things at the end here.
One, just to reiterate the importance in my mind of trying
to do what is possible from my level to State level. A lot of
things we are talking about are beyond my level. If something
happens long term, it is my intent to try and keep citizens in
their homes, and that means making sure we have water and
sewage systems so that they are not desiring to leave the city.
A big problem if that happens.
If there is a long-term power outage, the industry talks
about things like islanding and micro-gridding. I think there
is great value in trying to think through how we do that as a
country if we had to do that after an event.
The third thing I would mention--and, again, I am not an
expert, but it is my understanding that our black start
capability used to be largely based on coal. We are moving as a
country away from coal for the reasons that we are doing it--I
am not making a political statement, but from a public safety
point of view, if we have an issue with generating and
transmitting natural gas and coal will allow a better black
start, we ought to reserve some of that black start capability
from a public safety point of view.
And the last thing I will mention is the information-
sharing piece. The Federal Government is doing a lot of great
work with utilities and with industry. Often the States are not
part of that information sharing. I think we have a role to
play, and we should be part of that information sharing.
Thank you.
Chairman Johnson. Thank you, General. Mr. Farmer.
Mr. Farmer. Thank you, sir, very much for the opportunity.
Thank you, Senator Carper, as well.
I will open by referencing a point you asked about
technology development, and really the key to advancing
technological solutions is a combination of innovation and
investment.
And to the point about coordination, what the Partnership
for Critical Infrastructure Cross-Sector Council, and you can
hear the term ``council'' and ``coordinating committee'' and
think you have just seen another range of inside-the-Beltway
groups. But they are not. In particular, this Cross-Sector
Council that I am privileged to represent dates back 16 years
now. That is a commitment by industry to working in concert,
across sectors and with government, on matters relating to
critical infrastructure protection. And there is a laboratory
of ideas there. It is an ability to bring all that talent, that
expertise together, in industry and government, to look at the
sorts of problems we talked about today.
In some cases, we can look to near-term solutions that can
help ameliorate some of the concerns, and then look through a
technological development program to those longer-term
innovative investments. DHS is starting this year and
coordinated with our council in its development of a Resilience
Challenge Program. The purpose of that is to do exactly what
Senator Carper alluded to: Let us inspire some innovative ideas
on how we can address some of these challenges.
And, again, we are looking at a two-phased approach. In
some cases there are things we can do to mitigate problems now,
and some are going to take a long time. But just because it
takes a long time does not mean we should not be innovating and
investing in that direction. Quite the contrary. If it is going
to take a long time, let us get moving on it and let us use
initiatives like a resilience challenge or some other similar
investment program where we can combine public and private
funds to advance these efforts.
As I said, this council has been in effect for 16 years. It
is a tremendous forum to create a foundation for the sort of
cooperation between industry and government that can make
progress in these important areas. Think about this term
``public-private partnership.'' This is a new way of government
and industry working together, sharing experiences, expertise,
information, ideas on a common goal. What can we do together to
take the sorts of actions, near term and long term, to enhance
how well our infrastructure is protected and how well it can
withstand various types of threats. And we are taking
innovations in this process that would have been inconceivable
just a few years ago.
The day of the Paris attacks, we ratified an information-
sharing approach that we had exercised just a few days earlier,
that we had to put into effect within a matter of hours. We
have built on that since then. And to the general's point about
integrating State and local government, we said to DHS there
are going to be occasions when, whether it is a cyber threat or a physical
threat or some broader concern--an electromagnetic pulse is one
example--where you are going to want to share very quickly
classified information, and you cannot wait days or weeks to
get people in Washington, D.C., to do that. You have this
tremendous infrastructure in the fusion centers that allows us
to get on a secure video teleconference. Why aren't we using it
to good effect to ensure that what formerly might have taken
days or weeks can now be accomplished in a matter of hours?
On April 26 of this year, we exercised that capability. The
participants did not have notice of precisely when this event
was going to occur. They received an emergency notification
that morning. It simply said, ``Go to the fusion center where
your clearance has been validated for a classified presentation
by DHS.'' And we exercised it in six cities simultaneously, and
it worked. We are going to exercise it again before our
councils come together--Federal Government, industry, State and
local--for a meeting in early July.
The point is the coordination that this process allows
creates opportunities for a kind of interaction between
government and industry that simply has not happened at this
level before. And that is the strength of the perspective that
I think this cross-sector route brings.
Some of these challenges are very daunting. Some of them
are so daunting that inertia can set in and you kind of throw
up your hands and say, ``What to do about it?'' But that is
precisely what this group is designed to avoid. It is designed
to bring together the right subject matter expertise, and
through representatives like Scott and me to reach back for
more. So I thank you for the chance to talk about what we do.
Chairman Johnson. I appreciate that. You can have the most
wonderful processes, but one of the things I have noticed about
Washington, D.C., there is an affliction that affects this
place, and it is called the ``denial of reality.'' And in many
respects, I think a lot of the discussion here is centered
around the fact that we just deny this reality. The possibility
of a low-probability event could be just catastrophic.
Now, Mr. Koppel, I appreciate the way you opened your book
with a little scenario, that if people do not read the entire
book, at least read that. OK? It will lay out what a potential
reality would look like. If we lose power for more than 6
hours, it starts filtering into even days and then weeks and
then months. So the first thing we have to do is recognize and
admit this possibility, the reality, and start--because
otherwise we will never take the first step in these processes,
and it will take a very long time. Mr. Koppel.
Mr. Koppel. Thank you, Mr. Chairman, Mr. Ranking Member. I
think the observation I want to make most of all is that the
Chinese are already in our power grid; the Russians are already
inside our power grid. They may lack the motivation because of
the interrelationship that we have with both those governments
to take action against our grid, but they can do it. We live in
an age of cyber warfare. Cyber warfare is going on all of the
time on every different stage of our lives.
The fact that the governments like North Korea, for
example, which are desperately seeking the same kind of cyber
sophistication that the Russians and the Chinese have, the fact
that they do not yet have it should not be the source of any
particular comfort to us. The fact that organizations like
ISIS, which still probably have $1 to $2 billion in resources,
have not yet used that money to buy the expertise to attempt
perhaps a cruder kind of cyber attack on our power grid should
not give us a great deal of confidence.
And I would like to add one other point that I suspect will
be politically very controversial. I do not think the
Department of Homeland Security is best equipped to deal with
this issue. The National Security Agency is by far the most
sophisticated body in the U.S. Government to deal with it, and
I think leaving it up to a department that has one of the
lowest rankings in Federal Government and allowing ourselves to
be concerned more about privacy than about security clearly is
the subject for a whole other hearing. But I did not want to
let this one conclude without at least raising the issue.
Thank you, Mr. Chairman.
Chairman Johnson. I appreciate your comments, and, again, I
appreciate your book. Mr. Aaronson.
Mr. Aaronson. Chairman Johnson, Senator Carper, it may
surprise you to hear ``thank you.'' I appreciate you all
holding this hearing. And it also may surprise you that the
industry agrees with a lot of what is being said. We do take
this seriously. And we do understand the threats that exist out
there.
I will tell you a quick anecdote. About 4 years ago now,
several CEOs were in Colorado Springs for a board meeting,
about 70 of them. We brought them over to NORTHCOM for a
classified briefing, and the CEOs heard from the Intelligence
Community, from the Department of Defense, from other agencies,
some of the threats that were out there. And what came as a
surprise, I think, to the government participants was the CEOs
were not raising their hands saying, ``Is there really a
problem? We do not see this.''
``Yes, there is a problem. What can we do about it?''
And from that one meeting has been born this incredibly
effective relationship between CEOs and senior government
officials. Now, I occasionally joke that CEOs do not do work.
But they do provide accountability. They do provide a
direction. They provide resources. And when the people in the
corner office care about something, it is amazing how the rest
of the enterprise does.
So what we are seeing is, up to and including the CEO
level, security of the electric grid is a priority for this
industry. In Mr. Koppel's book, there is a chapter titled
``Guardians of the Grid.'' We are, and we take that very
seriously.
The other thing I would leave you with is there are a lot
of movie script scenarios out there that have been referred to.
I had the opportunity to testify in a State capital and had to
tell whether or not ``Die Hard 4'' was actually a plausible
scenario. Let us not use movie scripts to dictate public
policy. My problem is when I come into venues like this I am
giving issues of popular mechanics and resilience and
redundancy and all of the things that can and might happen,
might not happen, and we are studying it. I get bored just
saying that. So I understand that we need to be informing
public policy in a reasonable and rational way, understanding
that these high-impact, low-probability events are something we
absolutely have to put on the spectrum, but also understanding
that there are a lot of things that happen day to day that
require our attention as well. The Chinese, other sophisticated
adversaries, that is where government and industry absolutely
have to partner.
Now, I do not have an opinion on what Mr. Koppel said about
whether or not DHS is the right place or the wrong place. We
have had a wonderful experience working with the Department of
Homeland Security and particularly NPPD. But I would suggest
this is a whole-of-community issue. And by ``whole of
community,'' I do mean north-south, between the government and
the industry, the industry and the government, and east-west
across the critical sectors. And Tom talked about what we are
doing with the railroads, but we are seeing very similar
partnerships with communications, with financial services, with
the water sector, with the gas sector.
So we are learning. We are looking at preparation. You
build the roof when it is not raining, and that is what we are
doing today. I think the industry has learned some great
lessons from what has happened in Ukraine, from what has
happened from the quite literally decades of natural disasters.
And I want to leave you with the one parting thought that while
there are 45,000 substations in the United States, it is the
definition of a soft target. It is also exceedingly resilient
and redundant. There is a lot of excess capacity, and we are
working to grow that continually.
And then the last thing I would say is, as you all consider
policies, let us not have a rush toward automation. Let us not
have a rush toward the newest, shiniest object. Let us think
about how policy decisions, just as we think about how
investment decisions, will have an impact on the security,
reliability, and resiliency of the grid.
So, again, I thank you for having me here today.
Chairman Johnson. I am the guy who is talking about manual
breakers in Ukraine that kind of saved them. Senator Carper.
Senator Carper. Thank you. I just want to come back to the
question of the competency of the Department of Homeland
Security. Mr. Koppel, I shared your views 4, 5, 6 years ago.
The previous Chairs of this Committee--Susan Collins, Joe
Lieberman, and me--and now Senator Johnson have worked long and
hard to try to change that reality, and that was a reality half
a dozen years ago, even 3 or 4 years ago. And I will not go
through the entire list of things, but there was a time--we
used to have the problem when I was Governor of Delaware--we
hired people to work in information technology, hire them,
train them, put them to work, and somebody would come along and
hire them away. So we would hire some more. You guys know what
I mean. We would hire some more people, train them, and they
would go to work in IT, and somebody would hire them away.
As it turns out, the National Security Agency has the
ability to hire people, pay them more money, retention bonuses
and that sort of thing. The Department of Homeland Security
never had that. So they would hire people, train them, and they
would get hired away by NSA.
One of the things we have done is to make sure that
Homeland Security has the ability to actually compete in a
market that is really tough in terms of hiring--recruiting,
hiring, and retaining cyber warriors.
I will not go through all of the other things that we have
done, but we have worked long and hard for years, and I think--
what is the old saying, the old tagline on Oldsmobile: ``This
is not your grandfather's Oldsmobile.'' This is not the
Department of Homeland Security of even 4 or 5 years ago. And
can they do better? Sure, they can do better. They can always
do better.
The last thing I would say, the general here is wearing an
Air Force uniform; I used to wear a Navy uniform. And there is
a friendly inter-service rivalry, as you know, and I was with
an Army guy the other day, and he was jagging me about being in
the Navy. And I said, we wear different uniforms, but we are on
the same team. We are on the same team. And the same is true
with Homeland Security and NSA, and we need both of them to be
really bringing their ``A'' game to the contest every day,
because as you suggest, there is a real battle across the land.
The other thing I would say is I was in China about a month
ago, and you may recall that President Xi, the Chinese
President, was here last September. One of the things that our
President confronted him about was cyber theft for stealing
intellectual property for economic advantage. He basically said
to him, ``You have to stop this.'' The Chinese always say,
``Oh, we do not do that.'' Well, they do. They have done it for
years.
But you know what happened? The President said, our
President said, in so many words, ``You keep doing this, and
the kind of sanctions we have imposed on Iran, we can do that
with you. And we are your major trading partner.''
So think about that. Since then, the incidence of cyber
theft for intellectual property for economic advantage with
respect to China has gone down. It is pretty interesting. A guy
named Dave DeWalt who runs FireEye Mandiant, a big
cybersecurity company, reported just last week or 2 weeks ago
that we have seen a continued drop there.
The other thing, Iran for many years was going after our
banks, trying to shut down our banks, going on their websites,
started closing them down, and it is called ``distributive
denial of service.'' And one week after we entered into this
joint agreement with Iran and five other nations, those attacks
just stopped. They just stopped.
And so let us keep that in mind. There are things we can do
and that we need to do to be resilient, but the Chairman and I
believe--we are very much into root causes, and sometimes--now
China has some intellectual property they want to protect, so
they have a dog in the fight. And they also have the threat of
if they keep up this stuff, they will pay the price for that.
The Iranians, they have been given a chance to be a good
player. We will see how things continue if they keep their
word. I think so far they have. And at least those attacks on
our financial institutions have stopped.
Chairman Johnson. Thank you, Senator Carper.
Let me just close out the hearing reminding everybody that
Dr. Richard Garwin--again, whom Enrico Fermi referred to as one
of the few true geniuses he ever met--in testimony before this
Committee reminded us of a solar event on the order of
magnitude of the Carrington Effect happens once about every 100
years. In other words, we talk about low probability/high
catastrophic, that is about a 10-percent chance every decade,
every 10 years, of having a massive solar storm affect our
electrical grid. So maybe not quite so low a probability.
Again, I want to thank all of the witnesses. I think this
has been an extremely good hearing. It has certainly helped lay
out a reality that hopefully we stop denying.
This hearing record will remain open for 15 days until June
2, 5 p.m., for the submission of statements and questions for
the record. This hearing is adjourned.
[Whereupon, at 12:05 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]