[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

  THE ELECTRICITY SECTOR'S EFFORTS TO RESPOND TO CYBERSECURITY THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON ENERGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 1, 2017

                               __________

                            Serial No. 115-3



      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov

                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

24-845                         WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
TIM MURPHY, Pennsylvania             ELIOT L. ENGEL, New York
MICHAEL C. BURGESS, Texas            GENE GREEN, Texas
MARSHA BLACKBURN, Tennessee          DIANA DeGETTE, Colorado
STEVE SCALISE, Louisiana             MICHAEL F. DOYLE, Pennsylvania
ROBERT E. LATTA, Ohio                JANICE D. SCHAKOWSKY, Illinois
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky              JOHN P. SARBANES, Maryland
PETE OLSON, Texas                    JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia     PETER WELCH, Vermont
ADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
GUS M. BILIRAKIS, Florida            YVETTE D. CLARKE, New York
BILL JOHNSON, Ohio                   DAVID LOEBSACK, Iowa
BILLY LONG, Missouri                 KURT SCHRADER, Oregon
LARRY BUCSHON, Indiana               JOSEPH P. KENNEDY, III, 
BILL FLORES, Texas                       Massachusetts
SUSAN W. BROOKS, Indiana             TONY CARDENAS, California
MARKWAYNE MULLIN, Oklahoma           RAUL RUIZ, California
RICHARD HUDSON, North Carolina       SCOTT H. PETERS, California
CHRIS COLLINS, New York              DEBBIE DINGELL, Michigan
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
                         Subcommittee on Energy

                          FRED UPTON, Michigan
                                 Chairman
PETE OLSON, Texas                    BOBBY L. RUSH, Illinois
  Vice Chairman                        Ranking Member
JOE BARTON, Texas                    JERRY McNERNEY, California
JOHN SHIMKUS, Illinois               SCOTT H. PETERS, California
TIM MURPHY, Pennsylvania             GENE GREEN, Texas
ROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania
GREGG HARPER, Mississippi            KATHY CASTOR, Florida
DAVID B. McKINLEY, West Virginia     JOHN P. SARBANES, Maryland
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
BILL JOHNSON, Ohio                   DAVID LOEBSACK, Iowa
BILLY LONG, Missouri                 KURT SCHRADER, Oregon
LARRY BUCSHON, Indiana               JOSEPH P. KENNEDY, III, 
BILL FLORES, Texas                       Massachusetts
MARKWAYNE MULLIN, Oklahoma           G.K. BUTTERFIELD, North Carolina
RICHARD HUDSON, North Carolina       FRANK PALLONE, Jr., New Jersey (ex 
KEVIN CRAMER, North Dakota               officio)
TIM WALBERG, Michigan
GREG WALDEN, Oregon (ex officio)

                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement....................................     1
    Prepared statement...........................................     3
Hon. Bobby L. Rush, a Representative in Congress from the State 
  of Illinois, opening statement.................................     4
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................     5
    Prepared statement...........................................     7
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     8
    Prepared statement...........................................    10

                               Witnesses

Gerry W. Cauley, President and CEO, North American Reliability 
  Corporation....................................................    11
    Prepared statement...........................................    14
    Answers to submitted questions...............................   110
Scott I. Aaronson, Executive Director, Security and Business 
  Continuity, Edison Electric Institute, on behalf of Electricity 
  Subsector Coordinating Council.................................    26
    Prepared statement...........................................    29
    Answers to submitted questions...............................   124
Chris Beck, Chief Scientist and Vice President for Policy, The 
  Electric Infrastructure Security Council.......................    45
    Prepared statement...........................................    47
    Answers to submitted questions...............................   135
Barbara Sugg, Vice President for IT and Chief Security Officer, 
  Southwest Power Pool, on behalf of ISO/RTO Council.............    62
    Prepared statement...........................................    64
    Answers to submitted questions...............................   142

                           Submitted material

Statement of the Large Public Power Council......................   103
Joint statement of the American Public Power Association and the 
  National Rural Electric Cooperative Association................   108

 
  THE ELECTRICITY SECTOR'S EFFORTS TO RESPOND TO CYBERSECURITY THREATS

                              ----------                              


                      WEDNESDAY, FEBRUARY 1, 2017

                  House of Representatives,
                            Subcommittee on Energy,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:15 a.m., in 
room 2322 Rayburn House Office Building, Hon. Fred Upton 
(chairman of the subcommittee) presiding.
    Present: Representatives Upton, Olson, Barton, Shimkus, 
Murphy, Latta, Harper, McKinley, Johnson, Long, Flores, Mullin, 
Hudson, Cramer, Walberg, Walden (ex officio), Rush, McNerney, 
Peters, Doyle, Castor, Sarbanes, Welch, Tonko, Loebsack, 
Schrader, Kennedy, Butterfield, and Pallone (ex officio).
    Staff present: Will Batson, Legislative Clerk, E&P; Ray 
Baum, Staff Director; Jordan Davis, Director of Policy and 
External Affairs; Wyatt Ellertson, Research Associate, Energy/
Environment; Adam Fromm, Director of Outreach and Coalitions; 
Tom Hassenboehler, Chief Counsel, Energy/Environment; Zach 
Hunter, Director of Communications; A.T. Johnston, Senior 
Policy Advisor/Professional Staff, Energy/Environment; Katie 
McKeough, Press Assistant; Brandon Mooney, Senior Policy 
Advisor, Energy; Mark Ratner, Policy Coordinator; Annelise 
Rickert, Counsel, Energy; Dan Schneider, Press Secretary; Peter 
Spencer, Professional Staff Member, Energy; Evan Viau, Staff 
Assistant; Jeff Carroll, Minority Staff Director; David 
Cwiertny, Minority Energy/Environment Fellow; Rick Kessler, 
Minority Senior Advisor and Staff Director, Energy; John 
Marshall, Minority Policy Coordinator; Alexander Ratner, 
Minority Policy Analyst; Andrew Souvall, Minority Director of 
Communications, Outreach and Member Services; Tuley Wright, 
Minority Energy and Environment Policy Advisor; and C.J. Young, 
Minority Press Secretary.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. The Subcommittee on Energy will now come to 
order. Apologize for the delay. There were some technical 
difficulties with the cameras but they are now working. So 
everybody looks good and in color.
    I recognize myself for 5 minutes. Today's hearing is going 
to examine what the electricity sector is currently doing to 
prepare for and respond to cybersecurity threats to the 
nation's electricity transmission systems.
    News reports bombard us almost daily about malware 
infections and portrayals of the harm from cyber-attacks. We've 
read alarming descriptions of what might happen if there is a 
successful widespread attack on the critical infrastructure of 
the electricity system and the potential challenges to 
recovering from such an attack.
    It is unquestionable that ensuring the reliable supply of 
electricity is absolutely vital to our nation's security, 
economy, our health and welfare.
    In Michigan and across the country, electricity enables 
telecommunications, financial transactions, the transport and 
delivery of energy, food, everything. It powers the 
infrastructure that delivers our drinking water. It enables 
businesses and industry to make and provide the goods and 
services of our modern society and it powers our hospitals and 
our households.
    So cyber threats to reliability deserve our constant 
examination. But as we do so, we have to recognize that 
ensuring reliability is the central function of electricity 
grid operations, and a tremendously complex system has 
developed over time to ensure that the lights stay on. Given 
the unique nature of electricity, the system operates to 
address the occasional loss of transmission components and to 
avoid cascading failures. It doesn't always succeed, but large-
scale blackouts have been rare for a reason.
    Nevertheless, new risks are emerging rapidly. The 
integration into the system of new technologies, especially 
digital technologies, that are essential for keeping up with 
the nation's energy needs constantly adds new vulnerabilities. 
Combine this with the rapid development of cyber-attacks and 
safeguarding transmission infrastructure becomes particularly 
challenging.
    In recent years, Congress has enhanced the ability of the 
electricity sector to address emerging cyber and physical 
threats. In the last Congress, this committee wrote provisions 
included in the FAST Act that sought to facilitate sharing of 
threat information between the private sector asset owners and 
the federal government. Other measures enhanced authorities for 
taking emergency action against cyber and physical attacks.
    At the same time, the NERC, operating through authorities 
authored by this committee, has been establishing and enforcing 
critical infrastructure protection standards and coordinating a 
number of other activities to confront these threats. Industry 
and federal authorities have been working to address those 
risks.
    We have taken testimony that outlines these activities in 
recent years, and I think that evidence shows that utilities 
and transmission operators are not sitting still.
    I don't think that anyone will dispute that improvements in 
operational practices, information sharing, defensive planning, 
supply chain controls, hardening of infrastructure remains 
necessary. And nobody will dispute that someday, an attack may 
succeed in taking down these components. So how does the 
industry plan to respond?
    This hearing will update the subcommittee on the state of 
the various NERC and industry activities to mitigate risks and 
respond to cyber-attacks. This will inform two objectives.
    First, this subcommittee's agenda for the Congress will 
include a close focus on the various structural, economic, and 
technological factors that are affecting development of the 
nation's electricity systems. We'll be examining policies that 
may need to be reformed to ensure this system adequately meets 
the demand of consumers in coming decades, and a key aspect of 
any of this work will certainly involve enhancing reliability 
in the evolving electricity system to meet the demands of the 
digital age.
    And second, we must continue to build a record about 
electric sector efforts to address cyber security threats. This 
will help us identify whether additional measures are 
necessary. In time, we will hear from DOE, FERC and other 
agencies, but developing a clear picture today about what the 
industry actually is doing will be critical to this ongoing 
effort.
    With that as a backdrop, let me welcome our witnesses. Our 
panel today provides a number of important perspectives. We 
will hear from NERC, the industry's reliability organization 
responsible for setting and enforcing standards. We will hear 
how the industry coordinates cybersecurity planning and 
response. We will hear perspective from a critical 
infrastructure expert, and we'll hear from someone responsible 
for cybersecurity in the actual operations of transmission 
systems.
    This panel this morning should help cover a range of topics 
from security standards to information sharing, recovery 
planning. It's going to help us understand where gaps may be 
going forward, and we welcome that testimony.
    [The prepared statement of Mr. Upton follows:]

                 Prepared statement of Hon. Fred Upton

    Today's hearing will examine what the electricity sector is 
currently doing to prepare for and respond to cybersecurity 
threats to the nation's electricity transmission systems.
    News reports bombard us almost daily about malware 
infections and portrayals of the harm from cyber attacks. We've 
read alarming descriptions of what might happen if there is a 
successful, widespread attack on the critical infrastructure of 
the electricity system--and the potential challenges to 
recovering from such an attack.
    It is unquestionable that ensuring the reliable supply of 
electricity is absolutely vital to our nation's security, 
economy, our health and welfare.
    In my home state of Michigan and across the country, 
electricity enables telecommunications, financial transactions, 
the transport and delivery of energy, food. It powers the 
infrastructure that delivers our drinking water. It enables 
business and industry to make and provide the goods and 
services of our modern society. It powers our hospitals, our 
households.
    So cyber threats to reliability deserve our constant 
examination. But as we do so, we should also recognize that 
ensuring reliability is the central function of electricity 
grid operations--and a tremendously complex system has developed 
over time to ensure our lights stay on. Given the unique nature 
of electricity, the system operates to address the occasional 
loss of transmission components and to avoid cascading 
failures; it doesn't always succeed, but large scale blackouts 
have been rare for a reason.
    Nevertheless, new risks are emerging rapidly. The 
integration into the system of new technologies--especially 
digital technologies--that are essential for keeping up with our 
nation's energy needs constantly adds new vulnerabilities. 
Combine this with the rapid development of cyber threats and 
safeguarding transmission infrastructure becomes particularly 
challenging.
    In recent years, Congress has enhanced the ability of the 
electricity sector to address emerging cyber and physical 
threats. In the last Congress, this Committee wrote provisions 
included in the FAST Act that sought to facilitate sharing of 
threat information between private sector asset owners and the 
federal government. Other measures enhanced authorities for 
taking emergency action against cyber and physical attacks.
    At the same time, the North American Electric Reliability 
Corporation (NERC)--operating through authorities authored by 
this Committee--has been establishing and enforcing critical 
infrastructure protection standards and coordinating a number 
of other activities to confront these threats. Industry and 
federal authorities have also been working to address risks.
    We've taken testimony that outlines these activities in 
recent years. And I think the evidence shows that utilities and 
transmission operators are not sitting still.
    But I don't believe anybody will dispute that improvements 
in operational practices, information sharing, defensive 
planning, supply chain controls, hardening of infrastructure 
remain necessary. And nobody will dispute that someday, an 
attack may succeed in taking down critical components; how does 
the industry plan to respond to that?
    Today's hearing will update the subcommittee on the state 
of the various NERC and industry activities to mitigate risks 
and respond to cyber attacks. This will inform two objectives:
    First, the energy subcommittee's agenda for this Congress 
will include a close focus on the various structural, economic, 
and technological factors that are affecting development of the 
nation's electricity system.
    We'll be examining policies that may need to be reformed to 
ensure this system adequately meets the demands of consumers in 
coming decades. And a key aspect of any of this work will 
involve enhancing reliability in the evolving electricity 
system to meet the demands of the digital age.
    And second: we must continue to build a record about 
electric sector efforts to address cyber security threats. This 
will help the subcommittee identify whether additional 
measures are necessary. In time, we will hear from DOE, FERC 
and other agencies, but developing a clear picture today about 
what the industry actually is doing will be critical to this 
ongoing effort.
    With that as a backdrop, let me welcome our witnesses. Our 
panel today provides a number of important perspectives: We'll 
hear from NERC, the industry's reliability organization 
responsible for setting and enforcing standards; we'll hear how 
the industry coordinates cybersecurity planning and response; 
we'll hear perspective from a critical infrastructure expert; 
and we'll hear from somebody responsible for cybersecurity in 
the actual operations of transmission systems.
    The panel this morning should help cover a range of topics--
from security standards to information sharing and recovery 
planning. It should help us discuss the various levels of cyber 
and related physical risks to electricity infrastructure and 
how they are addressed. And it should help us understand where 
gaps may be going forward.

    Mr. Upton. At this point, I recognize the ranking member of 
the subcommittee, my friend from Chicago, Mr. Rush.

 OPENING STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Rush. I want to thank you, Mr. Chairman, for this 
opportunity and for this hearing.
    Mr. Chairman, this is an important hearing on the 
electricity sector's efforts to respond to cybersecurity 
threats. Mr. Chairman, this is a very first step in examining 
the critical issue of electricity sector cybersecurity.
    I look forward, Mr. Chairman, to engaging our distinguished 
panel of industry witnesses and their recommendations designed 
to protect the grid from external threats.
    However, Mr. Chairman, I am sure we will all agree that 
additional information is needed to truly appreciate the 
expanding host of challenges that could potentially threaten 
the U.S. electrical sector.
    Mr. Chairman, it is my understanding that you have 
committed to holding at least one additional hearing with 
agency stakeholders in the near future so that the members of 
this subcommittee will have a greater and a fuller appreciation 
for the security issues facing the grid.
    The issue of external forces hacking into most public and 
private domestic targets is one that is front and center on the 
minds of most of the American people.
    If recent history is any indication, then it's not a matter 
of if, Mr. Chairman, but, rather, when some threat, whether it 
be a national disturbance, an individual hacker, a rogue state 
or even a well-known foreign power challenges the resiliency of 
our nation's energy infrastructure.
    Mr. Chairman, we are all aware of the cyber-attack in the 
Ukraine this past December that left over 225,000 people 
without power in Kiev as a result of suspected Russian hacking.
    While we have been fortunate, Mr. Chairman, to date in that 
we haven't suffered any major cybersecurity attacks on our own 
grid, let us not become complacent and wait until an event 
occurs.
    Many of us, Mr. Chairman, still view Russia, among other 
countries, as a potential threat to the U.S. grid system and we 
cannot risk our safety and security on the whims of Putin or 
any other foreign leader who may try to do us harm.
    Quite the contrary, we must be prudent and proactive in 
securing our electrical grid and part of that strategy must 
include close cooperation and collaboration between the public 
and private sectors.
    As was noted in the last quadrennial energy review 
conducted by the Obama administration in January 2014, there is 
still work to do to improve the information sharing processes 
between government and industry.
    Additionally, we must ensure that our grid is protected 
from some of the specific challenges of today's world. We must 
make certain that the electricity sector is secure, even in the 
place of an aging infrastructure and a changing energy 
portfolio.
    That would include more distributed energy, smart grid 
technologies and other advanced technologies. Mr. Chairman, it 
is vital that Congress examines the state of the grid and 
provides real leadership in regards to modernizing our grid and 
making sure that it's secure for the challenges of the 21st 
century.
    With that, I yield back.
    Mr. Upton. Thank you. I understand that Chairman Walden is 
on his way but he's not quite here. So we will go to Ranking 
Member Pallone for an opening statement.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman. Greg was at the other 
hearing.
    I want to thank you for holding today's hearing evaluating 
the cybersecurity threats to the electricity sector in our 
country and, of course, I welcome you to this new role as 
chairman of the Energy Subcommittee.
    You and I accomplished a great deal together in the last 
Congress and I hope to work together with you, Mr. Rush, on 
critical energy policy in this Congress.
    This hearing is a good first step for our committee to look 
into the impacts of cybersecurity threats on the electricity 
grid.
    However, I believe that we need more hearings and a deeper 
analysis of the issue so members can truly understand the 
challenges and threats facing our grid and I appreciate the 
chairman's willingness to honor Ranking Member Rush's request 
to hold another hearing on this topic with federal government 
witnesses, especially from the Department of Energy and the 
Federal Energy Regulatory Commission.
    Their perspective and experience on this issue will be 
vital to the committee's oversight efforts and I also believe 
that the committee should hold a closed-door hearing to look at 
the cybersecurity risk to our electricity grid.
    There are classified aspects of this issue that can't be 
discussed in a public hearing like this and members deserve the 
opportunity to be briefed on this high-level information in 
order to ensure we are adequately protecting the grid from 
threats.
    To date, the industry has done a commendable job of 
guarding electricity consumers against losses caused by cyber-
attack. But make no mistake, the threats are out there.
    In December 2015, Russian state hackers successfully 
compromised the Ukraine's electric grid, shutting down multiple 
distribution centers and leaving more than 200,000 residents 
without power for their lights and heaters.
    That attack was premeditated and well-choreographed with 
groundwork that predated the full attack by many months. It was 
sophisticated and synchronized, taking down backup power 
supplies and jamming phone lines to keep operators unaware of 
the extent of damages. And to date, it stands as the only 
recognized cyber-attack to successfully take down a power grid.
    Certainly, there are vast differences between the system in 
the Ukraine and our own grid. So it's tempting to dismiss 
events in the Ukraine as something that could never happen 
here.
    But we owe it to the American people to ask whether 
anything about that attack could be replicated here, what 
lessons can we learn to make our electric grid more secure and 
utility workers more vigilant of cybersecurity threats.
    And what should be the priorities of this committee and 
this Congress to ensure that a successful cyber-attack on the 
electric grid never happens on American soil? If Russia hacked 
our election, what's to stop them from hacking our electricity 
grid?
    Now, our committee has not been idle when it comes to grid 
security. Last Congress, Chairman Upton, with my support and 
the support of many members of the committee, pushed through 
legislation to enhance the security of our grid from cyber and 
other threats.
    I was pleased to see that signed into law by President 
Obama because I consider grid security to be a top tier 
national security concern.
    And yet, just days ago President Trump signed a 
presidential memorandum establishing the members of the 
National Security Council's Principals Committee and it appears 
that the Secretary of Energy, who Congress just made the lead 
federal official responsible for securing our electricity grid, 
has been booted off this significant interagency advisory 
panel, and this is incredibly troubling and I strongly urge the 
president to reconsider his decision to sideline DOE from the 
national security dialog.
    I would hope that my Republican colleagues would join me in 
asking the president to reverse this decision. It's 
inexcusable, in my opinion, that there no longer appears to be 
room at the top level of the National Security Council for the 
secretary of energy who also is in charge of nuclear security 
but there is a permanent slot for Steve Bannon, his chief 
strategist.
    Essentially, President Trump has chosen his top political 
security advisor over the nation's top energy security advisor 
and that's a recipe for disaster.
    I hope my colleagues will join me in conveying that view to 
the White House before something happens that endangers our 
economy and our people because the safety of our grid and our 
nuclear arsenal are too important.
    I don't know if anybody else wants my time. Otherwise, I'll 
yield back.
    [The prepared statement of Mr. Pallone follows:]

             Prepared statement of Hon. Frank Pallone, Jr.

    Mr. Chairman, thank you for holding today's hearing 
evaluating the cybersecurity threats to the electricity sector 
in our country. I welcome you to this new role as Chairman of 
the Energy Subcommittee. You and I accomplished a great deal 
together in the last Congress, and I hope to work together with 
you and Mr. Rush on critical energy policy in this Congress.
    This hearing is a good first step for our committee to look 
into the impacts of cybersecurity threats on the electricity 
grid. However, I believe that we need more hearings and a 
deeper analysis of the issue so members can truly understand 
the challenges and threats facing our grid. I appreciate the 
Chairman's willingness to honor Ranking Member Rush's request 
to hold another hearing on this topic with federal government 
witnesses, especially from the Department of Energy and the 
Federal Energy Regulatory Commission. Their perspective and 
experience on this issue will be vital to the Committee's 
oversight efforts. I also believe that the Committee should 
hold a closed-door hearing to look at the cybersecurity risks 
to our electricity grid. There are classified aspects of this 
issue that cannot be discussed in a public hearing like this, 
and Members deserve the opportunity to be briefed on this high-
level information in order to ensure we are adequately 
protecting the grid from threats.
    To date, the industry has done a commendable job of 
guarding electricity consumers against losses caused by a 
cyberattack. But make no mistake: the threats are out there.
    In December 2015, Russian state hackers successfully 
compromised the Ukraine's electric grid, shutting down multiple 
distribution centers and leaving more than 200,000 residents 
without power for their lights and heaters. That attack was 
premeditated and well-choreographed, with groundwork that pre-
dated the full attack by many months. It was sophisticated and 
synchronized, taking down backup power supplies and jamming 
phone lines to keep operators unaware of the extent of damages. 
To date, it stands as the only recognized cyberattack to 
successfully take down a power grid.
    Certainly, there are vast differences between the system in 
the Ukraine and our own grid, so it's tempting to dismiss 
events in the Ukraine as something that could never happen 
here. But we owe it to the American people to ask whether 
anything about that attack could be replicated here. What 
lessons can we learn to make our electric grid more secure and 
utility workers more vigilant of cybersecurity threats? And, 
what should be the priorities of this Committee and this 
Congress to ensure that a successful cyberattack on the 
electric grid never happens on American soil? If Russia hacked 
our election, what's to stop them from hacking our electricity 
grid?
    Now, our Committee has not been idle when it comes to grid 
security. Last Congress, Chairman Upton, with my support and 
the support of many members of the Committee, pushed through 
legislation to enhance the security of our grid from cyber and 
other threats. I was pleased to see that signed into law by 
President Obama because I consider grid security to be a top 
tier national security concern. And yet, just days ago, 
President Trump signed a presidential memorandum establishing 
the members of the National Security Council's Principals 
Committee--and it appears the Secretary of Energy--who Congress 
just made the lead federal official responsible for securing 
our electricity grid--has been booted off this significant 
interagency advisory panel.
    This is incredibly troubling and I strongly urge the 
President to reconsider his decision to sideline DOE from the 
national security dialogue. I would hope that my Republican 
colleagues would join me in asking the President to reverse 
this decision. It is inexcusable that there no longer appears 
to be room at the top level of the National Security Council 
for the Secretary of Energy--who also is in charge of nuclear 
security--but there is a permanent slot for Steve Bannon, his 
chief strategist. Essentially, President Trump has chosen his 
top political security advisor over the nation's top energy 
security advisor--and that's a recipe for disaster. I hope my 
colleagues will join me in conveying that view to the White 
House before something happens that endangers our economy and 
our people. The safety of our grid and our nuclear arsenal are 
too important.
    I yield back.

    Mr. Upton. The gentleman yields back.
    I just want to tell the gentleman that we do anticipate 
having some classified hearings as to cyber. So I know everyone 
has signed a pledge, so look forward to having that happen.
    At this point, I'll yield 5 minutes to the full committee 
chairman, my friend, the gentleman from Oregon, Mr. Walden.
    Mr. Walden. Thank you, Mr. Upton.
    Mr. Upton. Welcome to your first appearance before the 
subcommittee as full committee chair.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I am delighted to be here, and I am delighted 
you're chairing this subcommittee. I wish you could have been 
downstairs for the beginning of the Health Subcommittee because 
we had a nice big University of Oregon ``O'' come up on the new 
screen there to match your green hearing room.
    Good morning, and I am pleased that the ranking member has 
such strong confidence in the new Secretary of Energy. We think 
he's a good man, too, and look forward to working with him on 
this committee.
    One of the humbling responsibilities for members of the 
Energy and Commerce Committee is to fully appreciate the power 
we have to make policy changes that can have enormous and 
positive impacts on American consumers for decades to come.
    From health care, to manufacturing and trade, to 
telecommunications, transportation, and the delivery of energy, 
our goal is to identify how to position the United States to be 
able to harness the tremendous potential of digital 
communications for all sectors of the economy, while minimizing 
unintended side effects.
    We are witnessing the transformation of American commerce 
as advances in digital and information technology affect almost 
everything that we do in our daily lives. And we see how 
layering new digital ways of doing things onto existing 
practices and infrastructures creates new risks and potential 
harm.
    Who among us is not frequently seeking out a plug-in so we 
can keep our various electronic devices charged? We are really 
tethered.
    Never has the reliability of the electric grid been more 
important to everything in our lives. That also means never has 
the electric grid been more of a potential target for 
disruption by nefarious actors.
    The hearing today concerns what is being done to address 
and respond to the cybersecurity threats to our nation's 
electricity system.
    By any measure, the reliable supply of electricity is an 
essential part of almost everything that we do, and its loss--
even for short periods of time--can have expensive and life-
threatening consequences.
    Unfortunately, cyber threats in this sector are 
unavoidable, and they are growing. This is due to the dynamic 
nature of the information flows in the modern world as well as 
the increasing sophistication of hackers and adversaries.
    Threats in these flows will only grow as the instant 
information and communications enabled by digital technology 
become more essential for our electricity system to operate at 
increased levels of reliability.
    Looking forward, it's clear the growth of digital 
technology will constantly introduce new avenues for 
cybersecurity threats. They must be managed effectively.
    Responsibility for addressing these threats, while 
harnessing the promise of digital technology, rests largely on 
the thousands of people involved in planning and operating our 
nation's complex electricity transmission systems, as well as 
the organizations charged with ensuring reliability.
    This morning we will hear from industry and cybersecurity 
experts who can provide us a report on the state of 
cybersecurity planning and practices.
    Our witnesses will help us understand just what is being 
done to address cybersecurity threats and how the industry 
plans to confront new threats as they emerge. The hearing will 
help us begin to understand more fully where the electricity 
sector is and where it should be in terms of cybersecurity and 
related risk to electric reliability.
    This will lay the groundwork for closer scrutiny of the 
relevant policies necessary to ensure future reliability in an 
evolving electricity, and, frankly, digital sectors.
    There are many questions to pursue, such as, how is 
cybersecurity planning being embedded in procurement and other 
systems planning by the industry? What measures are being 
implemented to prepare for successful attacks, so that--just as 
with nature's constant threats--if the lights do go out, can we 
get them back on quickly?
    And I know all of you run that grid test periodically and 
the tabletopping of it. So we will be interested to hear more 
about that.
    What's being developed to address the truly high 
consequence of the low probability events that can have the 
most devastating impacts? And what more can be done?
    We really appreciate your testimony. I've read through it 
and we are enhanced by your counsel. We look forward to working 
with you.
    With that, Mr. Chairman, I yield back the balance of my 
time.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    One of the humbling responsibilities for members of the 
Energy and Commerce Committee is to fully appreciate the power 
we have to make policy changes that can have enormous and 
positive impacts on American consumers for decades to come. 
From health care, to manufacturing and trade, to 
telecommunications, transportation, and the delivery of energy, 
our goal is to identify how to position the United States to 
harness the tremendous potential of digital communications for 
all sectors of the economy, while minimizing unintended side 
effects.
    We are witnessing the transformation of American commerce 
as advances in digital and information technology affect almost 
everything that we do in our daily lives. And we see how 
layering new digital ways of doing things onto existing 
practices and infrastructures creates new risks and potential 
harm. Who among us is not frequently seeking out a plug-in so 
that we can keep our various electronic devices charged? Never 
has the reliability of the electric grid been more important to 
everything in our lives. That also means never has the electric 
grid been more of a potential target for disruption by 
nefarious actors. The hearing today concerns what is being done 
to address and respond to the cybersecurity threats to our 
nation's electricity system.
    By any measure, the reliable supply of electricity is an 
essential part of almost everything we do, and its loss--even 
for short periods--can have expensive and life-threatening 
consequences. Unfortunately, cyber threats in this sector are 
unavoidable and growing.
    This is due to the dynamic nature of the information flows 
in the modern world as well as the increasing sophistication of 
hackers and adversaries. Threats in these flows will only grow 
as the instant information and communications enabled by 
digital technology become more essential for our electricity 
system to operate at increased levels of reliability.
    Looking forward, it is clear the growth of digital 
technology will constantly introduce new avenues for 
cybersecurity threats that must be managed effectively. 
Responsibility for addressing these threats, while harnessing 
the promise of digital technology, rests largely on the 
thousands of people involved in planning and operating our 
nation's complex electricity transmission systems, as well as 
the organizations charged with ensuring reliability.
    This morning we will hear from industry and cybersecurity 
experts who can provide us a report on the state of 
cybersecurity planning and practices. Our witnesses will help 
us understand just what is being done to address cybersecurity 
threats, and how the industry plans to confront new threats as 
they emerge.
    The hearing will help us begin to understand more fully 
where the electricity sector is and where it should be in terms 
of cybersecurity and related risks to electric reliability. 
This will lay the groundwork for closer scrutiny of the 
relevant policies necessary to ensure future reliability in an 
evolving electricity sector.
    There are many questions to pursue: How is cybersecurity 
planning being embedded in procurement and other systems 
planning by the industry? What measures are being implemented 
to prepare for successful attacks, so that--just as with 
nature's constant threats--if the lights do go out, can we get 
them on quickly? What is being developed to address the truly 
high consequence but low probability events that can have the 
most devastating impacts? And what more can be done?
    As the committee implements its own energy policy agenda, 
the testimony we take will inform how we approach the future 
and how we best use innovation and technology to protect 
American consumers.

    Mr. Upton. Thank you. The gentleman yields back. We are 
ready for our witnesses.
    We are joined by Gerry Cauley, President and CEO of the 
North American Electrical Reliability Corporation, NERC; Scott 
Aaronson, Executive Director for the Security and Business 
Continuity from EEI, Edison Electric, on behalf of the 
Electricity Subsector Coordinating Council; Barbara Sugg, Vice 
President for IT and Chief Security Officer of Southwest Power 
Pool on behalf of ISO/RTO Council; and Dr. Chris Beck, Chief 
Scientist and Vice President for policy from the Electric 
Infrastructure Council.
    I welcome you all. We appreciate you submitting your 
testimony early, so we are able to take it home on the last day 
or two. We ask you to summarize it and take about 5 minutes in 
your presentation, at which time we will go to questions.
    Mr. Rush, yes.
    Mr. Rush. Mr. Chairman, by way of announcements, we have a 
former member here, Mike Ross from Arkansas.
    Mr. Upton. It is good to see your face, Mike. Welcome back. 
A good friend to all of us that served with you. Thank you. 
Thanks, Bobby.
    (Applause.)
    Mr. Cauley, you're recognized for 5 minutes.

    STATEMENTS OF GERRY W. CAULEY, PRESIDENT AND CEO, NORTH 
   AMERICAN ELECTRIC RELIABILITY CORPORATION (NERC); SCOTT I. AARONSON, 
 EXECUTIVE DIRECTOR, SECURITY AND BUSINESS CONTINUITY, EDISON 
 ELECTRIC INSTITUTE (EEI), ON BEHALF OF ELECTRICITY SUBSECTOR 
  COORDINATING COUNCIL; CHRIS BECK, CHIEF SCIENTIST AND VICE 
  PRESIDENT FOR POLICY, THE ELECTRIC INFRASTRUCTURE SECURITY 
COUNCIL (EIS COUNCIL); BARBARA SUGG, VICE PRESIDENT FOR IT AND 
 CHIEF SECURITY OFFICER, SOUTHWEST POWER POOL (SPP), ON BEHALF 
                    OF ISO/RTO COUNCIL (IRC)

                  STATEMENT OF GERRY W. CAULEY

    Mr. Cauley. Good morning, Chairman Upton, Ranking Member 
Rush, Committee Chairman Walden, Ranking Member Pallone, and 
members of the subcommittee.
    Thank you for conducting this timely hearing this morning 
to assess the cybersecurity of the nation's power grid.
    The threat of cyber-attack by nation states, terrorist 
groups and criminals is at an all-time high. In December, as 
has been mentioned, of 2015, a cyber-attack in the Ukraine left 
over 225,000 customers without power for several hours.
    This indicates that nation state adversaries have the cyber 
tools and now the will to disrupt the grid of other nations.
    More recently, in the U.S., although no effects were seen 
on the power grid, we saw a million electronic devices all part 
of the internet of things captured and used in a sudden denial 
of service attack against internet service providers.
    We've seen an increased presence of ransomware, data theft, 
and other criminal activities against all sectors of our 
economy. As defined by Congress, NERC's role is to assure the 
reliability and security of the bulk power system through 
mandatory standards, enforcement, and through reliability 
assessments.
    Our independent board and staff are not affiliated with the 
power system owners and operators. FERC approves NERC's 
standards and enforcement actions in the U.S. and has the 
authority to direct NERC to produce new standards or to revise 
existing standards.
    As a nation, we share a grid with our fellow countries to 
the north and south, which is why NERC is an international 
organization spanning the U.S., Canada and, of course, Mexico.
    Our cybersecurity standards, which are developed with the 
expertise of industry participating in that, provide a strong 
foundation for security practices across the industry.
    As just a few examples, our standards require inventory of 
cyber assets and configuration management, security perimeters 
and physical access controls, effective passwords and 
authentication, the use of certified software and patches, 
background checks and training of personnel, incident reporting 
and recovery plans.
    NERC, along with our eight regional entities, has cyber 
experts that conduct hundreds of visits each year to assess 
cybersecurity controls at these companies.
    We are finding that power companies take cybersecurity very 
seriously with strong attention at the top from CEOs and from 
boards.
    Cyber assets used to operate the grid are separate and 
isolated from business systems and corporate systems, and also 
from the public internet. Utility personnel are screened and 
well trained.
    There is a strong culture of security across each company. 
Companies are using advanced third party services to identify 
vulnerabilities and threats, and to maintain their systems 
secure.
    Most importantly, power companies know they must 
continually monitor and detect suspicious activity, isolate 
malware, and destroy it before anything happens. And this 
process is commonly known as the kill chain.
    As flexible and risk-based as our standards are, I firmly 
believe that we cannot win a cyber war with regulations and 
standards alone. Industry must be agile and continuously adapt 
to threats, and to do that we need robust sharing of 
information regarding threats and vulnerabilities.
    NERC operates the electric sector Information Sharing and 
Analysis Center, the E-ISAC. Our role is to assimilate 
intelligence and share trusted information with industry and 
government and to recommend specific actions.
    One of our most effective tools in this process is the 
Cybersecurity Risk Information Sharing Program, otherwise known 
as CRISP. Developed by the Department of Energy, CRISP has been 
adopted by NERC and deployed across wide areas of the U.S. grid 
to continuously monitor and detect malicious activity.
    Working with the U.S. government analysts at the classified 
level, we are able to detect problems early and get this 
information out to industry for action.
    When time is of the essence, NERC can also issue alerts to 
industry at three levels of urgency. The two highest levels of 
urgency require response from industry back to NERC.
    In addition to operating the E-ISAC, NERC conducts an 
annual security conference, training events and frequent 
classified briefings. As has been mentioned, we also conduct 
a continent-wide cyber and physical security exercise called 
GridEx.
    Over 4,000 participants from industry and government 
organizations across North America engage for two days in a 
very severe massive cyber and physical attack on our grid. The 
exercise includes a tabletop in which industry CEOs and senior 
government officials coordinate a national response including 
communications, deployment of resources, cyber mutual 
assistance, and other strategies.
    To date, there has not been a single cyber-attack in North 
America that has resulted in a power outage to a customer. This 
is an exceptional record. However, we will never be complacent. 
We understand the risk is real. We have hard work to do every 
day and we will continue to do that.
    I thank the Committee for the time today and look forward 
to your questions. Thank you.
    [The statement of Mr. Cauley follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Upton. Thank you.
    Mr. Aaronson.

                 STATEMENT OF SCOTT I. AARONSON

    Mr. Aaronson. Thank you, Chairman Upton, Ranking Member 
Rush, and members of the subcommittee. I am glad to be here 
today to discuss the security of the power grid. We appreciate 
you holding this important hearing and making it a priority for 
the subcommittee.
    As owners and operators of some of the nation's most 
critical infrastructure, we share your commitment to ensuring 
the grid is secure and resilient.
    From some of the headlines and movie script scenarios out 
there you may be left with the impression that a months-long 
power outage is inevitable and the power sector is powerless to 
do anything about it.
    If there is one thing you take from my testimony it is 
this: Our industry is doing an extraordinary amount of work at 
all levels all the time to defend the grid and to respond to 
incidents.
    You have to remember we live and work in the communities 
that we serve and our infrastructure is our most important 
asset. We are motivated for many reasons to make security a 
major priority.
    Since these topics can be sensitive and, as was mentioned, 
sometimes classified, we may not talk about them a lot in 
public, but don't take that as complacency or a lack of action.
    My written testimony has more extensive details on how 
electric companies address threats so I won't read it to you. 
But, instead, I'd like to quickly focus on three areas that 
form the foundation for how the electric power industry 
approaches security.
    It's three legs of the stool, effectively. So the first leg 
of the stool is standards. The electric industry has mandatory 
and enforceable critical infrastructure protections, or CIP, 
regulatory standards for both cyber and physical security that 
Mr. Cauley just mentioned.
    These are not lax lowest common denominator standards. 
These are rigorous requirements that improve the industry's 
security posture.
    Failure to comply can cost companies more than a million 
dollars per infraction per day. So, suffice it to say, 
companies feel a strong incentive to comply.
    But compliance does not equal total security. So that 
brings me to the next leg of the stool, which is partnerships. 
Protection of critical infrastructure is a shared 
responsibility.
    In order to be prepared for an ever-changing threat 
environment, industry and government are partnering at an 
extremely high level. In addition to my role at EEI, I am also 
privileged to serve on the secretariat of the Electricity 
Subsector Coordinating Council, or ESCC. The ESCC is made up of 
all three segments of the industry as well as Canadians and 
independent power generators, the nuclear sector as well as the 
gas sector.
    It is made up of 31 CEOs from across the segments of the 
industry. Those CEOs meet regularly with senior government 
officials not to simply update each other but to set a 
strategic course that has helped the sector make extraordinary 
advances in grid security in a very short amount of time by 
bringing together government-industry executive leadership.
    It's also been recognized by the National Infrastructure 
Advisory Council, which advises the executive office of the 
president as the model for how critical infrastructure sectors 
can partner with government.
    So the ESCC focuses on four specific areas. The first is 
deploying tools and technology. The focus here has been moving 
government-developed tools to industry applications that 
improve situational awareness. And, again, Mr. Cauley mentioned 
the best example of this, the Cyber Risk Information Sharing 
Program, or CRISP.
    The second focus for the ESCC has been improving the flow 
of information. That is making sure the right people are 
getting the right information at the right time.
    From classified briefings for executives to actual 
intelligence for operators, government and industry are sharing 
threat information more easily and more often, and some of that 
has to do with some of the legislation that has been passed by 
committees like this to make information sharing more seamless 
between the public and private sectors.
    The third thing that we are doing in the ESCC is 
coordinating with other sectors. While electricity is often 
described as the most critical to critical, if we don't have 
water, we can't generate steam or cool our systems. If we don't 
have transportation or pipelines, we can't move fuel or our 
equipment. If we don't have communications, we can't operate.
    So to address interdependencies, the power sector is 
working across sectors, and most recently we are pursuing a 
partnership with the financial services and communication 
sectors to form a Strategic Infrastructure Coordinating 
Council, or SICC, that follows the model of the ESCC by 
bringing senior executives together to form a center of gravity 
that will help harmonize people, policies, and technologies 
across the sectors that form the foundation of civil society.
    Then the last area of focus for the ESCC also happens to be 
the third leg of the stool. So we have got regulations, we have 
got partnerships, and then we are preparing to respond and 
recover from incidents if there were ever a successful attack. 
Simply put, electric companies have to be right 100 percent of 
the time and the adversary has to be right once.
    Given those odds, preparing for incidents is just common 
sense. First of all, we have a history of working together to 
restore power after an incident through mutual assistance 
networks where workers from across the sector help affected 
companies.
    We also have a robust spare equipment sharing program 
including several bilateral and multilateral arrangements, one 
of them known as the Spare Transformer Equipment Program, or 
STEP.
    We exercise regularly, as Mr. Cauley noted. NERC's GridEx 
series brings together thousands of operators and executives 
from across North America in the largest exercise of its kind, 
and we now are developing a cyber mutual assistance program to 
coordinate industry resources for companies affected by cyber 
incidents.
    As an example of how quickly the sector can implement new 
strategies under the ESCC, the CMA program was conceived in 
January of 2016, just about a year ago, following GridEx III 
and the 2015 cyber-attack on Ukraine's energy grid.
    In just the last year, this program went from a concept 
suggested by the CEOs of the ESCC to a program that currently 
has more than 80 participants and growing almost daily, a legal 
structure, a play book that has been exercised and even 
utilized in response to the Mirai botnet that affected internet 
services this past October.
    Bottom line is this: We are constantly working to manage 
risk, but also planning to address incidents because we 
understand we can't fully eliminate risk.
    There isn't enough money in the world to protect against 
every threat in every location, but we are working to prevent 
incidents from having long-term or devastating impacts.
    We understand that the service we provide is critical to 
the life, health, and safety of all Americans. From CEOs to 
operators, the power sector has shown it takes this 
responsibility very seriously and is committed to constantly 
improving its security posture as these threats evolve.
    Again, I appreciate the opportunity to be here and look 
forward to answering your questions.
    [The statement of Mr. Aaronson follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Upton. Thank you very much.
    Dr. Beck.

                    STATEMENT OF CHRIS BECK

    Dr. Beck. Chairman Upton, Ranking Member Rush and members 
of the subcommittee, thank you for the opportunity to testify 
before you today on this important topic.
    EIS Council, a 501(c)(3) nonprofit, is, at its core, a 
public interest organization. Our chief mission is to do our 
part to ensure societal continuity for black sky hazards by 
hosting research and national and international collaboration 
focused on whole community resilience, response, and 
restoration planning.
    Black sky is increasingly becoming a term of art referring 
to threats that could cause extended and long-duration power 
outages covering many states and lasting more than a month, and 
the subsequent cascading failures of our other critical 
infrastructures.
    Six black sky threats have been identified as primary 
concerns. Three are naturally occurring and three are 
malicious, including a sophisticated cyber-attack--the subject 
of today's hearing.
    The Ukrainian cyber-attack demonstrated that a blackout of 
electric power can be achieved through remote cyber means. 
Stuxnet and Aurora demonstrate that catastrophic damage to 
physical equipment can be accomplished through cyber-attack 
vectors on operational technology or industrial control 
systems, causing disruption, misoperation, or destruction of 
the hardware they control.
    The successful coupling of these two components could 
result in a black sky event. This would be the case if the 
damaged equipment were critical to grid operation and required 
a long period of time to repair or replace.
    It would also be the case if the disruption pushes 
restoration times past the point where cascading failures of 
other infrastructures began interfering with the restoration 
process.
    In the aftermath of a natural disaster, response activities 
typically commence once the immediate danger has passed. In a 
cyber-attack scenario, it is possible or even likely that the 
attacker could launch subsequent attacks to disrupt response 
and recovery efforts or cause further damage.
    At the same time that the cyber threat is constantly 
evolving, the attack surface continues to grow with the ever-
growing trend to computerize and allow remote access and 
control.
    An adversary may also infiltrate a utility not through a 
direct attack on the utility system itself, but through a 
trusted, maybe less secure third party connection, or by 
inserting malware into critical hardware or software at several 
points along that product's production life cycle.
    Leading power utilities have taken positive action along 
the cyber-attack threat timeline or kill chain though there is 
certainly a large spread between the capabilities within the 
power utilities.
    Electric utilities also have a long history of providing 
mutual assistance, and the same concept is being applied by the 
ESCC for mutual support in response to cyber incidents though 
challenges unique to cyber must be taken into account.
    Operational technology systems in particular vary greatly 
from utility to utility. IT and OT professionals are typically 
a limited resource.
    In a large enough attack, availability of such expertise 
will likely be too limited to address the need, and CEOs may be 
reluctant to flow personnel to assist others when they might be 
the next target themselves.
    To bolster electric sector mutual support, external support 
is also necessary. Government support for utilities is 
available at the federal and state levels. ICS-CERT and E-ISAC 
provide operational support and information sharing.
    DOD's USCYBERCOM may provide assistance through defense 
support to civil authority missions. DOE is the federal agency 
for emergency support function 12 for federal support to energy 
restoration, and the FAST Act provisions now provide broad 
authority under a grid security emergency declaration by the 
President.
    At the state level, National Guard units may assist 
electric utilities and state fusion centers in sharing 
information and including electric utilities in emergency 
planning and operations.
    These support options, however, might be overwhelmed by the 
scale of the attack. Another possibility would be expanding the 
concept of mutual assistance to bring IT and OT professionals 
from other private sectors including information technology, 
aerospace, water and waste water, telecommunications, 
manufacturing, and others.
    EIS Council is facilitating a process to explore this 
opportunity. Power grid restoration following a successful 
black sky cyber-attack will only be possible if broad multi-
sector planning is in place for cross-sector support to that 
restoration process.
    Those plans must be continuously tested and improved 
through exercises such as GridEx and through training within 
each utility and across sectors. Cyber security enhancements 
ultimately require focused private and public sector 
leadership.
    When the CEO of a company takes security and resilience 
seriously, the company develops a culture of security and 
resilience. Inclusion of security and, specifically, cyber 
security principles in planning for expansion, equipment 
replacement and employee training are all essential to enhanced 
cyber security in the electric power sector.
    I thank you very much and look forward to your questions.
    [The statement of Dr. Beck follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Upton. Thank you.
    Ms. Sugg.

                   STATEMENT OF BARBARA SUGG

    Ms. Sugg. Good morning, Chairman Upton, Ranking Member Rush 
and all members of the Energy Subcommittee.
    My name is Barbara Sugg. I am the Vice President of 
Information Technology and Chief Security Officer at Southwest 
Power Pool, which is headquartered in Little Rock, Arkansas.
    Southwest Power Pool is one of the nine independent system 
operators and regional transmission organizations--the term 
ISO/RTO will be used henceforth--in North America.
    Collectively, these nine organizations serve two-thirds of 
the energy consumers in the United States and half in Canada. 
We are nonprofit organizations. We do not own generating plants 
or operate generating plant substations or transmission 
facilities.
    However, we do provide a number of various services from 
reliability coordination and balancing authority functions to 
transmission planning for future expansion of the transmission 
grid.
    We all have the common goal of ensuring sustainable, 
affordable, and reliable power with our wholesale energy 
markets.
    I am here today on behalf of the ISO/RTO Council, known as 
the IRC. The IRC has an executive committee, which includes the 
CEOs from each of these nine organizations and is made up of a 
number of committees and working groups focused on different 
areas of interest to the ISO/RTO community.
    I serve as a member of the IT committee, which brings 
together the chief information officers from each of those nine 
organizations, where we come together to share best practices, 
to collaborate on common interests, and to work on directives 
that may come from the executive committee.
    One of the working groups that reports to us is the 
security working group. With this security working group, which 
has been in place for a very long time now, there are security 
experts that come together from each of our regions to share 
best practices, to work on incident response planning, and to 
understand our dependencies with each other.
    Cybersecurity is a top concern at the ISO/RTO. As Ranking 
Member Rush said earlier, it's not a matter of if but when, and 
we recognize that.
    We have five core strategies to our cybersecurity 
framework. One of those is defense. Certainly, we have to be 
prepared to defend against attack. We do this through controls, 
through multiple layers of security and good practices to 
ensure that we stand ready to defend.
    The next is response. From advanced security monitoring and 
practicing incident response plans we stand ready to respond. 
And the third is recovery. You've heard us mention the 
GridEx opportunities to practice our recovery drills.
    We do those every other year in a nationwide effort but we 
also do local, state, and regional exercises much more 
frequently to ensure that our recovery plans are ready to go.
    Partnership is the fourth key element of our strategy and 
these gentlemen talked a lot about all of the information-sharing 
opportunities and the various government agencies that 
work with us to collaborate and provide cyber assistance.
    The fifth is education. We recognize the importance of 
every single ISO/RTO employee when it comes to protecting our 
systems and protecting our information, and so security 
awareness is high on our list.
    Over 10 years ago, the CIP standards, the critical 
infrastructure protection standards, came out. They've advanced 
quite a bit over the last decade and they serve as a base level 
of security for us.
    However, we have to get beyond the standards and recognize 
that a culture of compliance is important but even more so 
important is a culture of security.
    We look beyond the standards in a number of ways from 
developing, in advance of standards, security coding 
requirements for our control system vendors. And when I say we 
I am talking about the entire ISO/RTO community working 
together to make sure that we are equally protected.
    We have worked with the FERC energy infrastructure security 
office to do security architecture reviews, and to look for 
best practices and talk about evolving threats and current 
technologies.
    It's very difficult for the standards to keep up with the 
evolving threats and so we must look beyond that. It's also 
difficult with emerging technologies.
    Standards shouldn't be so prescriptive that they limit us 
in our capability to develop new infrastructure and new 
architecture. And we work very closely with NERC and the rest 
of the community to ensure that those standards are secure 
enough for us without being overly prescriptive and limiting 
our capabilities to keep up with the evolving threats.
    I thank you for your time this morning and I look forward 
to answering your questions.
    [The statement of Ms. Sugg follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Mr. Upton. Well, thank you all.
    I think each of you mentioned that it is a daunting task. 
When you look at the power grid, 7,700 operating power plants 
that generate electricity from a variety of primary energy 
sources, 200,000 miles of high-voltage transmission lines, 
55,000 substations, five-and-a-half million miles of local 
distribution lines.
    I think each of you mentioned that you have to be right 
every day. They just have to be right once for a catastrophe to 
happen. And as we all know, we passed, on a bipartisan basis, 
the FAST Act in the last Congress.
    Tell us how that has helped you on a bipartisan basis. Tell 
us specifically, Mr. Cauley and Mr. Aaronson, how has that 
helped protect consumers?
    Mr. Cauley. Well, thank you very much for the question, Mr. 
Chairman.
    Two ways for me in particular. One is there was a lack of 
clarity around emergency authorities and I think providing 
those emergency authorities to the Department of Energy under 
an emergency declared by the President was helpful.
    I testified a number of times in the past about that 
potential gap. I think the other thing that's extremely 
valuable to us and to consumers is it provided for greater 
protections of cybersecurity information.
    It's very important that as companies report to us details 
that border on being classified, if not classified, that we are 
able to maintain the confidences and keep that secure. 
Particularly, allowing FERC to have procedures to secure 
information which we frequently exchange with them, but other 
controls around maintaining those confidences.
    Mr. Upton. Mr. Aaronson.
    Mr. Aaronson. Echoing some of the things that Mr. Cauley 
just said, agree. And then in addition, I think it really 
speaks to the value of the partnership at a very high level, 
providing the Secretary of Energy, who oversees our sector-
specific agency with some authorities in the midst of a grid 
security emergency, which was very well defined in the FAST 
Act.
    Further, it sort of solidifies that relationship in the 
midst of an incident. And the fact that it calls for 
coordination with the sector--where practicable--during such 
emergency ensures that the Secretary would be well informed on 
what to order.
    We are in the process of responding to the notice of 
proposed rulemaking from the Department of Energy that would 
outline some of the processes for how this authority would be 
used and we look forward to continuing that conversation. The 
joke has come up--there isn't one phone number you can call, 
the Batphone, for the electric sector.
    So having an understanding of who would need to be 
coordinated with and contacted in the midst of such emergency 
is going to be a challenge.
    But, again, with the Sector Coordinating Council playing 
that role as a center of gravity with the ISO/RTO Council and 
other partners throughout the sector it gives us a good, high 
level set of entities to coordinate with should the unthinkable 
happen.
    Mr. Upton. Mr. Cauley, you talked a little bit in your 
testimony about the tabletop exercise. Can you elaborate a 
little bit more?
    The other thing I want to hear particularly, Mr. Aaronson, 
from you, as it relates to that, and I presume that you were 
involved, the STEP program.
    One of the concerns that a number of us have raised is if 
there was some issue where a transformer was taken down because 
of the lack of uniformity between a variety of different units 
that may be taken out of business. How long would it actually 
take to get new transformers into place and the mechanism that 
that would go about it?
    I presume that that was probably one of the issues that was 
engaged in a tabletop exercise that you had.
    Mr. Cauley. The exercise in preparing for our fourth, now 
in November of this year, has intentionally gotten 
progressively more difficult and challenging to overcome, and 
the pattern is we build capability, we learn what we learn, and 
we get better each time.
    I think as we run the exercise in a way that's two days and 
that it's companies distributed across the U.S. and Canada 
participate locally in their state and local environment using 
their operating systems and people. People actually run out to 
stations.
    They call the FBI. They actually do it on the ground. Then 
there is a central exercise that we look at at the executive 
level with the top levels of government, and we have had FEMA, 
DHS, White House representatives and others.
    Mr. Upton. Are the results of that in a classified setting?
    Mr. Cauley. There is a public report for each of the 
exercises. What we found is that when we propose an exercise 
that destroys equipment, explosions, deaths, where the power 
could be out for weeks and potentially months, it really 
exceeds the capabilities that we have anticipated in the past, 
not just industry, but government. We never thought of it that 
way.
    We have to think differently in terms of unity of effort, 
how do we unite around these capabilities and bring the best of 
industry, best of government to overcome those situations.
    Mr. Upton. I know my time is expired, but I have one quick 
question on that. Were the governors engaged in this tabletop 
exercise?
    Mr. Cauley. We anticipate expanding that in GridEx IV in 
November but, yes, there were representatives from National 
Guard. The state of Wisconsin, I believe, was represented. And 
so we did engage some state-level representation at the table.
    But, obviously, we need to bring in a lot of state-level 
activity. A lot of the solution, in my mind, is going to be how 
do we handle the public situation and the issues on the ground 
during a crisis. And that really involves local and state 
governments to support it.
    Mr. Upton. And Mr. Aaronson, just quickly to respond on the 
STEP program.
    Mr. Aaronson. So I appreciate you asked that. In addition 
to STEP, let me kind of go through a few of the resiliency 
programs.
    This goes to some of the things Gerry was just talking 
about with respect to having an exercise, understanding where 
your vulnerabilities are, and then implementing some solutions 
to fill those gaps.
    In addition to this Spare Transformer Equipment Program 
which grew up about 10 years ago, a little bit more than that, 
that is a binding relationship between the companies that are a 
part of it.
    In the event of a presidentially-declared terrorist 
incident, there is a contractual obligation to share equipment 
during such incident. That's a really high bar.
    Fortunately, STEP has been utilized beyond just in 
presidentially-declared terrorist activities but to be able to 
move these really important components that form the backbone 
of the system.
    In addition to STEP and its rigorous approach to spare 
equipment, we also have something called SpareConnect, which is 
effectively a database of asset owners and asset managers for 
companies.
    If I am a company that has been impacted by something and I 
need to get one of these high-voltage transformers in place, I 
can create a bilateral agreement, call the person who has the 
equipment that I need, make an arrangement, and have it moved 
into place.
    There also are industry-led versions of this, something 
called Grid Assurance that has stood up. Again, companies come 
together to pool resources and a new program called Restore, 
which is a regional approach, along the same lines.
    Last thing I'll say about this is having the equipment is 
one thing. Moving it is another. These things are quite 
literally hundreds of thousands of pounds and very hard to 
move. It has required us to work with other sectors, again, 
going to interdependencies across sectors, but rail and 
trucking in particular and then the riggers who actually get it 
onto the rail car, move it into place and then go the last mile 
to bring it to the location.
    We have both worked with the rail industry and exercised it 
through something called the Transformer Transportation Working 
Group. So, again, lessons learned from all of these incidents 
have really informed industry programs that are making us more 
resilient and more able to move equipment to where it's needed.
    Mr. Upton. Sorry it took so long. Thank you.
    Mr. Rush.
    Mr. Rush. I want to thank you, Mr. Chairman.
    I want to touch on an area that we have been silent on--
this hearing's been silent on so far and that's the area of the 
cybersecurity workforce.
    I think that's a very critical concern on the plans or the 
technology--on the well-intentioned efforts of many of us we 
have come to know and we don't have a sufficient, capable, and 
expert workforce.
    According to the IEEE, there are a million unfilled 
cybersecurity engineering jobs around the world with that 
number expected to grow by 1.5 million by 2019. In the U.S. 
alone there are only 67 job seekers for every 100 open 
cybersecurity positions.
    I am wondering if this shortage of available workers is 
posing problems for electric companies seeking to fill 
cybersecurity jobs that protect our electricity grid.
    Mr. Aaronson, can you talk about the current situation in 
the electricity sector as it relates to cybersecurity jobs and 
is it indeed true that companies are finding it difficult to 
find and hire skilled workers to fill these positions?
    Mr. Aaronson. So I think this is a refrain that you'll 
hear, and I am sure there are others on the panel who have some 
experience actually trying to fill these positions.
    I will say I've heard from my membership and across the 
sector that this is a challenge. There are a lot of needs and 
not a lot of people to fill it.
    This is something that's going to require a long-term 
concerted effort starting with STEM education and moving up to 
attracting a workforce to this particular critical 
infrastructure industry.
    I will say a couple of things. EEI in particular has a 
program known as Troops to Energy, and that helps to take 
people who have served in the military who have excellent skill 
sets and really do lend themselves to being a part of a 
critical infrastructure industry.
    So there is attraction there. There is also attraction 
among cyber workforce and cyber experts. This is a pretty cool 
industry to be in. You are the most critical infrastructure 
sector and we are quite literally defending against adversaries 
from near-peer nation states all the way down to sort of the 
traditional proverbial hacker kid in his mom's basement.
    Having that opportunity is something that is attractive but 
it doesn't change the fact that we need to generate more of 
these people.
    Mr. Rush. Ms. Sugg, would you want to add anything 
additionally?
    Ms. Sugg. That's a great question and an interesting topic. 
I don't find that we are having as much trouble filling those 
kinds of positions because we are working with the 
universities.
    STEM education is a big focus for us as well. At the 
university level we are working with a number of them on their 
curriculums, and what's interesting is the Millennials are 
particularly skilled at this.
    This is new technology. It's evolving threats and it's 
something that the Millennials find really exciting and some of 
our most innovative thinkers, which is really what you need to 
think outside of the box on security, are coming out of the 
universities.
    There are a number of opportunities for experienced 
employees to get education and certifications in cybersecurity 
areas.
    So that's been helpful as well and it is something people 
that have worked in other areas find interesting and perhaps 
want to change their careers because it is ever changing and 
good employees love a good challenge.
    The universities are producing some really skilled 
graduates that challenge our way of thinking about security in 
a very healthy way.
    Mr. Rush. Is there a role for the federal government in 
terms of increasing the quality and quantity of the 
cybersecurity workforce?
    Ms. Sugg. I think there is an opportunity for the federal 
government to challenge the universities to think more broadly 
about the different types of cybersecurity in areas and sectors 
that are perhaps less secure, such as the internet, and maybe 
there are opportunities to fund research toward developing a 
more secure internet and that would be something that would be 
very interesting at the academic level.
    Mr. Rush. I want to thank you, Mr. Chairman. I yield back.
    Mr. Upton. Thank you. The chair would like to recognize the 
chairman of the full committee, Mr. Walden, for 5 minutes.
    Mr. Walden. I thank the chair and thank our witnesses again 
for your testimony and your counsel.
    I listen to this and I think about your tests. I was in the 
radio business. We would do these emergency alert tests and 
drills from time to time, and we had one of these. You were 
talking about how you go out to the substation, you call the 
FBI, you do all that. We got the call into the radio station to 
announce that Bonneville Dam, one of the major dams crossing 
the Columbia River, and we were supposed to announce on air had 
been breached.
    Fortunately, I had a sort of retired announcer working that 
Saturday morning who said, ``I think it's probably not a good 
idea to actually go on the air and tell people that one of the 
Columbia River dams has been breached, but we will make a note 
here.''
    So you have to be careful when you do these exercises, but 
they are really important because emergencies do happen. I 
think back to what happened during Hurricane Katrina and how 
rapidly things disintegrated when there was no power. Because 
then there is no water, there is no sewage, there is no 
refrigeration. The ATMs don't work.
    I talked earlier about how we are all connected to these 
digital devices. You can't talk to your loved ones. You can't 
make emergency calls. So the work you're doing to push this and 
test this is really important.
    I know many of us have been in both classified and 
unclassified briefings on this matter about the reliability of 
the grid and the threats that are there. We are very cognizant 
of the cyber security issues, and the attempts by others to put 
hardware into our systems that have vulnerabilities in it, and 
to harness the internet of things to be a swarming attacking 
machine, basically.
    When you analyze the systems that are there, and I don't 
mean the hardware systems--I mean the human systems to 
communicate and interact--what are we missing? What are you 
finding we need to improve on?
    Are you hamstrung by certain laws, too? We did six 
hearings, I think, on our telecommunications subcommittee on 
this topic of cybersecurity. Every witness on every panel said 
please do no harm.
    If you lock things in statute in terms of technology the 
bad guys will know what we have to do and you'll misallocate 
our capital. Are there things like that locked in that we 
should review, either in a public setting or in a more secure 
setting?
    We want to make sure we have a reliable grid that can 
withstand any kind of issue whether it's a solar flare or a bad 
actor. What are we missing here? Or is it all perfect?
    Mr. Cauley. Well, I'll just start the response. I think a 
lot of the framework that we have is really good. I think the 
idea of the industry participating in a standard setting and 
the standards being really focused on being adaptive and sort 
of driving solutions I think works.
    So I think continuing to engage industry experts and 
leaders, and the process that we have to Section 215 in FERC 
and NERC I think is very helpful.
    There are some challenges that are difficult. Most of the 
challenges that we face are not limited to the electric system 
and I think, once we start talking about the kinds of 
existential threats that we are thinking about here, revolving 
a broad sweep of telecommunications and other industries, 
finance and others, I don't ever expect there is going to be an 
attack that's just only on the grid.
    So I think the ability to work cross sector and to engage 
multiple sectors together in a conversation and leadership is 
very helpful. I think we are challenged with supply chain and 
sort of the global picture that everything that we get and use 
from the system that's digital is coming from somewhere in the 
world is a challenge.
    And the final thing I would say that we need to continue to 
work on together is strategic reserves around essential 
equipment and the ability to deploy that in a severe emergency.
    Mr. Walden. By the way, a side question--do you involve the 
amateur radio community in your emergency drills at all? I 
confess, I am one. But it also is a very dispersed--it's like 
the original internet, right?
    Mr. Cauley. We have not particularly sought after that, but 
I know Dr. Beck and his crew at EIS has had some work around 
the use of ham operators for emergencies.
    Mr. Walden. Yes, they are the only communication tool left. 
But go ahead, Mr. Aaronson.
    Mr. Aaronson. So a philosophical question but I won't give 
a philosophical answer. I think the culture issue around, and 
you alluded to it, that people are very much tethered to their 
devices and very much reliant on this.
    We have found, even in storms, while the industry has 
gotten considerably better at restoring more quickly, if you do 
a good job of preparing the general public ahead of time power 
will be out for a short period of time. This is what's going on 
to restore it, I think helping people understand that it may 
not just be storms anymore but there are other sorts of threats 
whether cyber or physical or otherwise that may have an impact, 
and if they can be prepared and they understand that we are 
preparing I do think there is a really important public policy 
and public communication role that the Congress and federal 
policy makers in general can play.
    I'd also say just from cultural perspective, there has been 
this tendency to blame the victim when incidents do happen on 
critical infrastructure operators. Look at Sony, look at 
Target.
    Changing that dynamic a little bit so that people recognize 
when you're talking about very sophisticated threat actors and 
near-peer nation states who are targeting critical 
infrastructure, and I think, again, if people recognize there 
is a partnership between industry and government, that we are 
working on this, that we are hardening our systems, that we 
are more resilient, I think that can go a long way.
    One last quick note, I would say this, and you alluded to 
it a bit, this reliance on a culture of compliance. Security 
can never be a check-the-box exercise, ``OK, I've done X, Y, 
and Z and therefore I am secure.''
    No. Actually, it's the opposite. You are complacent and, 
again, going back to culture, I think helping people understand 
that this is a journey without a destination, but it is one 
that we are all on, will help to prepare your constituents, our 
customers, for the new world that we live in.
    Dr. Beck. I would say, going to Scott's point about the 
social aspect, to your question, Chairman Walden, that I don't 
see any regulation currently that's hamstrung the efforts, but 
they are challenged by two social structures: stovepipes and 
tunnels.
    Stovepipes we are more familiar with and those have to do 
with, for example, government agencies that can be one 
stovepipe or infrastructure sectors that we need to work on 
getting more discussion through those stovepipes or those 
silos.
    But the other one is tunnels, and what I mean by that is 
there is communication and common understanding at specific 
levels of decision making. So CEOs understand each other and 
they have a certain view of a situation.
    The engineers that work on cybersecurity have a different 
understanding of it. The CFOs, et cetera, and so we need to 
look at all of those, breaking down basically both silos and 
tunnels so that there is a common operating picture and 
mission.
    Ms. Sugg. There have been a lot of comments here that I 
could echo and I'll save the time on that. Innovation is 
important. Working together through the ISACs, through 
multi-disciplined ISACs, is important.
    Continuing to work closely with the Edison Institute. Their 
work is phenomenal and is benefiting the entire industry. And 
through NERC to evaluate what's coming out of the government 
and how do we best prepare ourselves within the framework.
    I agree that it's important not to vilify the company that 
does indeed get breached because we will all learn from it. 
Someone else's detection is everyone else's prevention. So 
thank you.
    Mr. Upton. Mr. McNerney.
    Mr. McNerney. Well, I thank the chairman and I am going to 
follow up on one of your questions with Mr. Aaronson.
    Do you think that transformer standards would help reduce 
the threat of transformer attack or do we need a strategic 
reserve of some kind?
    Mr. Aaronson. So I think as you know the electric grid grew 
up in fits and starts over, quite literally, the better part of 
a century and as a result there are these different voltage 
classes and sort of a mishmash of equipment across the sector.
    Interestingly, that's not necessarily a bad thing. It does 
create some biodiversity, which in and of itself is a 
protection mechanism.
    So I think standardization within reason may be something 
worth at least exploring. With respect to a strategic reserve, 
I think this is one of those instances where government and 
industry have to be aligned.
    Industry, as I mentioned, has the Spare Transformer 
Equipment Program, has SpareConnect, has Grid Assurance, has 
Restore, has these other bilateral arrangements and 
multilateral arrangements across the sector.
    Those are really useful and have grown up out of necessity 
and have been utilized. To the extent that there are 
opportunities for the federal government to provide additional 
backstop, additional spare equipment, not just limited to 
transformers but many other critical components and support 
for moving them. Filling the gaps that the industry observes, I 
think that's a useful pursuit.
    Mr. McNerney. Thank you.
    Mr. Cauley, do you feel that the trend toward distributed 
generation makes our electric system less or more vulnerable to 
cyber-attacks?
    Mr. Cauley. Well, it's a great challenge and a great 
dilemma that we face in front of us. In some respects it 
creates a system that's more resilient because there are more 
resources and capabilities that are more distributed, and there 
are greater redundancies in the system and I think it enhances 
reliability and resilience.
    The challenge is that all those devices are going to be 
communicating with something else and in some cases they are 
much closer to the internet than the bulk power grid.
    So it's going to create a much greater surface to attack 
and can create multipliers in the attack where you have common 
devices that are out there. Instead of there being three 
breakers of a certain model, there are 1.5 million devices that 
are exactly the same and can be simultaneously hacked.
    So it goes both ways and I am deeply concerned that we 
continue to focus on the distribution side in terms of getting 
security right and getting it built into those systems.
    Mr. McNerney. Thank you.
    Ms. Sugg, how effective would cyber hygiene, education, and 
enforcement be in preventing successful cyber-attacks?
    Ms. Sugg. Cyber education is extremely important. Security 
awareness is important. We cover everything in our training and 
education from how to ensure that you don't click on e-mails on 
to how to recognize an event within the systems at any given 
time using some of our advanced security monitoring.
    That awareness is required as part of the standards, which 
I think is a very healthy requirement for us. But we don't just 
limit that to the people that work within the scope of the 
critical infrastructure.
    We expand that awareness and education to all of our 
employees, recognizing that each of them has an opportunity and 
a responsibility to help us protect all of our systems.
    Mr. McNerney. Thank you.
    Mr. Beck, with the internet of things are there concerns 
about potential cyber threats from systems that are already in 
place but we haven't seen incidents yet?
    Dr. Beck. Certainly, the question is the continued 
expansion of the internet of things or even going back to your 
question of Mr. Cauley about distributed generation.
    As things are introduced and connected into the grid, what 
is an important practice is, if we are going to try to stay 
ahead of the threat, to have it be a part of design philosophy 
when new devices or processes are put in place.
    We don't want to connect things and then say oh, gosh, we 
forgot about cybersecurity--now we have got to do a bunch of 
patches and things. Again, it's more of a social issue of 
trying to get security practices baked in to new development as 
we go forward, and we can grow our way to greater security 
because the grid is always expanding, things are always being 
updated and replaced by new equipment, better processes and so 
on. And if that new equipment and better process includes 
security as a baseline feature of its design and 
implementation, we will be safer.
    Mr. McNerney. Well, I've been involved in standards 
committees and I know how slow and deliberate they are. Are 
standards able to keep up with the threat in terms--even 
actually the definition of what cybersecurity and threats mean?
    Mr. Cauley. Well, I think they certainly help provide a 
baseline even as the topic was just about distributed systems 
and internet of things.
    IEEE and other technical equipment standard-setting 
organizations could have standards built in to make those 
devices more equipment. The tendency in selling to consumers is 
to make them as easy as possible to plug in and set up, and 
that really creates a difficulty.
    So I think there is room for standards to set the baseline 
in terms of how protected individual equipment should be.
    Mr. Aaronson. If I could just piggyback on that. I think 
the answer is yes, but standards have a role.
    They cannot completely keep up with a very dynamic threat, 
and I wanted to just weigh in really quickly on the question 
about distributed resources.
    I think Mr. Cauley hit it on the head. It's sort of a 
paradox. There is some resilience that can be brought from 
distributed resources, but it broadened the attack surface and, 
largely, these are consumer-grade electronic devices that do 
not have the same security standards, to bring it back to that 
question that may be necessary.
    Another challenge is visibility from the operators of the 
grid into these distributed resources. It's a misnomer to think 
these distributed resources are not connected to the grid.
    In fact, they have to be. Having a rooftop solar panel if 
it's not connected to the grid is like having a computer not 
connected to the internet. You need to be a part of that 
broader ecosystem.
    So ensuring that there is security baked in, not bolted on 
to those pieces, and that the owner-operators have visibility 
into the power that's being generated is going to be critical 
to ensure reliability and resilience for the rest of the 
sector.
    Mr. McNerney. Thank you.
    Mr. Chairman, I yield.
    Mr. Olson. Gentleman's time is expired.
    The chair calls upon the Vice Chairman of the full 
committee, Mr. Barton from Texas, for 5 minutes.
    Mr. Barton. Thank you, Mr. Chairman, and I apologize for 
not being here at the beginning.
    I had, as some of the others, the hearing on the Medicaid 
program in the Health Subcommittee downstairs. So I am honored 
to be a part of this subcommittee also.
    I want to recognize former Congressman Ross out in the 
audience, a valuable member of this committee in the past, and 
I think probably the subcommittee, and you're looking very 
happy being a former member. So we are glad to have you.
    The purpose of the hearing today, Mr. Chairman, as you well 
know, is to discuss what we are doing and look at trying to 
protect our electrical grid from the threat of cybersecurity 
problems.
    We have the president of the organization responsible for 
protecting us, Mr. Cauley. So I am going to ask the other three 
witnesses, Mr. Aaronson, Dr. Beck and Ms. Sugg.
    Ms. Sugg, what kind of a job do you think he's doing? Is he 
doing a good job? A bad job? What do we need to do to encourage 
him?
    Mr. Aaronson. And I am not saying this just because he is 
sitting right next to me, but I think he's doing an 
extraordinary job and I think that the North American 
Electrical Reliability Corporation serves an exceedingly 
important role as the electrical reliability organization as 
directed by this committee and Congress through the Federal 
Power Act.
    It is a challenge to be sure, but I do think the role that 
they play between a regulatory body that is pushing standards 
and, regulators regulate--that's their responsibility. But also 
then to organize the industry and ensure that the engineers and 
grid operators have a voice in the standards that have to be 
developed for reliability of the system to make sure that these 
standards: number one, keep up with technology; number two, are 
flexible enough, as Ms. Sugg referenced, and that they can 
apply to the smallest of the utilities--and the largest 
investor-owned utilities in the nation is a challenge but one 
that I think Gerry can pass.
    Mr. Barton. You give him an A?
    Mr. Aaronson. I'll give him an A.
    Mr. Barton. Dr. Beck.
    Dr. Beck. I'll second that, and I want to say that I 
appreciate that Mr. Cauley has been a support for EIS Council 
and that we have appreciated the fact that we have been able to 
have discussions with NERC regarding our shared areas of 
interest and he certainly didn't have to do that.
    But we discovered that focusing on what we consider 
outside, and beyond just the professional realm of regulating 
the electric reliability, is fundamentally we are all 
interested in the security of our families and our fellow 
citizens and the nation as a whole, and I think that our shared 
commitment in that has allowed us to work together to share 
ideas and we appreciate that partnership.
    Mr. Barton. OK. Ms. Sugg.
    Ms. Sugg. We appreciate the partnership with NERC as well. 
Our experience is that NERC is very collaborative. They listen. 
They ask a lot of questions.
    They hold us accountable for standards but more so, and 
I've heard Mr. Cauley mention this numerous times in other 
arenas, that it's more important to focus on security and to 
shift that focus from just being focused on or worried about 
being compliant to being secure.
    The standards drafting teams that are led by NERC that pull 
together industry experts to develop the standards, to really 
understand how best to put a standard in place that doesn't 
become overly restrictive, is very healthy for the industry.
    And I also find that NERC is receptive to understanding or 
hearing additional conversation about standards that do exist 
that are already in place. Not just standards that need to be 
developed, but to understand the challenges that we have with 
them and ensure that they stay as robust as possible without 
limiting us in our technologies. I give him an A.
    Mr. Barton. It's very rare that Congress does something 
that, this system came from the Energy Policy Act of 2005, 
which I was chairman of the committee and the chairman of the 
conference committee. So I guess I'll pat myself on the back.
    But I am going to give you the final word, Mr. Cauley. 
You've just gotten three As. That's a pretty good report card.
    Is there something legislatively this subcommittee and full 
committee needs to do to improve what appears to be working or 
are you happy with the authority you have and just want to be 
left alone?
    Mr. Cauley. I appreciate the question and the previous 
question and the responses.
    Mr. Barton. They expect you to take them to dinner tonight 
because of their answers.
    Mr. Cauley. Something along those lines. I think the 
testament to the legislation creating this framework that our 
data, not our view but our data that we collect from industry, 
is that reliability of the bulk power system has improved over 
the last 10 years and that's the testament that we want to 
leave is that we are getting better on the bulk power system in 
terms of number of outages, frequency of outages, impact on 
customers.
    I think the framework works. Our relationship with FERC is 
excellent and when we have got to get something really 
important done, like they said, let's do a physical security 
standard or a standard on GMD. We have a conversation. They 
direct us to do it and we do it and we meet their requirements.
    The one area where I think we continue, particularly in the 
area of security, or we need to continue to work on is the 
ability to share information between industry, NERC and the 
government, and sometimes we do it well and sometimes we don't 
do it well.
    There is always the challenge of what's classified, what's 
secret, what's sensitive to the military. But we crave 
information in industry to figure out what we need to do to 
protect the grid and to get that free flow of information. To 
have it be protected is essential for us. Thank you.
    Mr. Barton. OK. Well, downstairs we are fighting like cats 
and dogs. But in this subcommittee on this issue we are hugging 
each other.
    I think we can work together if we need to and I want to 
thank the witnesses and thank the subcommittee vice chairman 
and the subcommittee ranking member for holding this hearing.
    Mr. Upton. The gentleman's time has expired.
    The chair calls upon the gentleman from California, Mr. 
Peters, for 5 minutes.
    Mr. Peters. Thank you, Mr. Chairman. Thank you to the 
witnesses for being here.
    So in 2003, my wife and I took my two kids to New York. We 
thought we'd get some good food, visit some friends, see ``The 
Lion King'' and we, of course, were there for the blackout. So 
we had a nice Italian meal the first night. The next night was 
salami and crackers and still never seeing ``The Lion King.''
    But the impressive thing about that was that it all came 
from some glitch in Ohio. So I guess we are inferring from your 
comments about the reliability of bulk power that that sort of 
thing has been improved upon.
    But it did also make me think about distributed generation 
because one of the things that we have seen in San Diego in the 
defense sector is a development of micro grids.
    At Pendleton you see this all over, and it seems to me that 
for redundancy and reliability that offers some advantages. But 
I had the same question about the portals into the system for 
attackers.
    And you've sort of answered the question but Mr. Aaronson 
said something that I want to follow up on, which was you want 
security baked in to these devices, not bolted on.
    What can we do from this subcommittee to make sure that 
that happens?
    Mr. Aaronson. So let me refer to the '03 blackout for a 
second, also. While that was not the best day in the history of 
the electric utility industry, and I think Ms. Sugg hit it on 
the head that someone's detection is someone else's protection.
    We learn from all of these experiences and in fact Congress 
learned from that experience and in its wisdom, as Mr. Barton 
was referring to. The Energy Policy Act gave way to the ERO and 
here we are.
    I think there is something to that, which is observing 
where these gaps in security may lie with distributed resources 
and ensuring that if they are going to be a part of the bulk 
electric system that they have a certain level of security that 
they are responsible for as well.
    Again, as owners/operators, who have bulk electrical system 
responsibilities, I think those who might be able to impact the 
bulk electric system should share in that responsibility.
    Again, it goes to my point about visibility, also. One of 
the things that was learned after '03, it was a cascading 
blackout, but the system worked precisely the way it is 
supposed to. The system failed safe.
    Now, that doesn't change the fact that you haven't had a 
chance to see ``The Lion King'' but it does show that cascaded 
from Ohio up through Quebec into the northeast, stopped in New 
York, didn't go down the entire Eastern seaboard. Spinning 
equipment was not damaged and we were able to restore power 
within a reasonable amount of time, 48 to 72 hours.
    Again, not the best moment in the utility industry's 
history, but a show of how resilient the system is in fact. I 
want to make sure to maintain that resilience and don't want to 
lose visibility or resilience because of a rapid proliferation 
of DER.
    Mr. Peters. Talk about the distributor or the stuff that's 
outside the bulk power system. So, maybe a military micro grid 
has better protections than the average household device.
    But I am thinking, now you have these home devices. You 
turn energy on and off. I assume that that is a point of 
vulnerability and what do we do to make sure that the security 
you talked about is, as you said, baked in? What is it that we 
need to do? Is it standards or what would it be?
    Mr. Aaronson. I think it is standards and requirements. We 
talked earlier about the internet of things, and these are your 
devices like a thermostat, like a refrigerator, like a baby 
monitor, that are being put out at--I think about five and a 
half million per day and by 2020 we are going to have something 
like 20 billion of them connected to the internet.
    And these things have hardwired passwords that are default 
passwords. These things are easy to break, and if we are 
talking about things that have any relationship to critical 
infrastructure I think having that low a bar of security, that 
consumer-grade electronics tend to have, is a concern for us in 
the industry.
    Dr. Beck. I would just add that, again, putting the 
baseline standards is necessary but it also needs to be 
customer driven.
    Customers need to say I am not going to buy a device that 
has hardwired passwords that I can't change and it's just the 
name of the company or the device.
    Mr. Peters. On the other hand, just take it at the most 
basic level. Take someone who's putting solar on their roof. 
They may not care. Why would they care about the larger grid? 
What is going to be incentive for an individual customer to 
talk about that?
    Dr. Beck. Well, I think, again, it's trying to make 
everyone aware that when you're this connected then your 
vulnerability becomes someone else's problem, not just your 
own, right.
    So you can have negative impacts on your neighbors' other 
systems if you don't care. So we have to get, again, people to 
care about this in a broad sense.
    Mr. Peters. All right. Well, I'll look forward to working 
with that. My time is expired. Appreciate it. Thank you, Mr. 
Chairman.
    Mr. Olson. Gentleman yields back.
    The chair calls upon himself for 5 minutes and welcome to 
our four witnesses. As a congressman from the state that 
consumes the most energy in America, Texas, cyber-attacks on 
our electric grid have caused me to lose sleep on occasion.
    We all know about Russia's attack on Ukraine in December of 
2015. That was kind of easy. They have e-mails of employees are 
standard format, first name dot last name dot organization dot 
com, dot org, something like that.
    Got those, put attachments on those. Sent them back. Opened 
up, they deploy and they shut down some circuit breakers.
    As has happened charged said the response was all they 
could do was film the attack with cell phones. Film the attack 
with cell phones.
    Now, I know that we're not like Ukraine. We are much more 
advanced. But in the Navy, I was a pilot for 9 years. They 
teach us to prepare for the worst, hope for the best.
    And so, Mr. Aaronson, along those lines, hypothetically, if 
the lights go out all over D.C. as this hearing ends--we are 
attacked, a cyber-attack--what chain of events does that start 
like that?
    Mr. Aaronson. So that has happened before and in fact not 
long ago there was a voltage dip that occurred because of a 
fire at a substation and the lights, in fact in D.C., did go 
out. And in that first hour it was unclear why. We knew about 
some incidents around the greater metro area. But was it 
terrorism?
    This idea of fog of war in the midst of an outage, was it 
something typical like a voltage dip and those things happen? 
Was it an act of terrorism? Was it cyber? Was it physical?
    Getting ground truth on that is hard and attribution is 
hard. But having the mechanisms in place to talk to each other 
is important.
    So in that instance, and if there were something Ukraine-
like to happen here in the U.S., it's less about why the power 
went out and more about simply restoring at that moment.
    Ukraine was a great example, as are all of these incidents 
that happen all over the world and here domestically, to get us 
better at resilience and the idea is to take the lessons 
learned, apply them and get better.
    In the instance of your hypothetical, what would happen is 
there would be an immediate high level of coordination between 
the ESCC and CEOs in the industry along with senior government 
officials and including Mr. Cauley and his team from the 
Electricity Information Sharing Analysis Center.
    In the case of the voltage dip a few years back, that also 
resulted in a phone call with DHS on something known as the 
NICCL, the National Incident Communications Coordination Line, 
and that NICCL call actually had folks from both the affected 
utility and DHS and White House leadership.
    And what it allowed us to do was have White House 
leadership, at the time Josh Earnest was the White House press 
secretary, go to the podium from the most important podium in 
the land and say this was not a terrorist attack. We knew what 
was going on.
    So that really tight coordination between senior government 
officials and the industry proved itself to be just invaluable.
    Mr. Olson. To recover how do you share those lessons 
learned with government and industry to make sure that we learn 
lessons from these attacks through incidents because that's an 
important part of the whole process.
    We are attacked. Whatever happens learn from it. So how, 
Mr. Aaronson, how do we share that with industry, with the 
federal government?
    Mr. Aaronson. Those mechanisms exist and 
they are getting better all the time. I am particularly proud, 
again, as part of the secretariat for the Electricity Subsector 
Coordinating Council, the ESCC is a place where that happens.
    But, again, the E-ISAC and Gerry's organization play a 
significant role. The sector as a whole, we operate one big 
machine with thousands of owners and operators. There is this 
shared responsibility. So when a thing happens we are 
particularly good at coming together, applying those lessons 
and making sure that in the future a similar incident would 
have either less impact or no impact at all.
    Mr. Olson. Mr. Cauley, do you have an answer about 
recovery?
    Mr. Cauley. Usually what we are doing is as quick as 
possible situation assessment, put the system back together. If 
we have damaged equipment or computers, we will isolate those 
and start putting the system back together as quickly as 
possible.
    Why reliability has gotten better the last 10 years is 
because we are always learning from every single event, small, 
medium, and large, and we get the information out to industry.
    Mr. Olson. Good. Dr. Beck, add anything to those line of 
questioning?
    Dr. Beck. I think there is challenge in learning lessons 
and protection of the herd because there is a natural tension 
between restoration and attribution.
    So to do attribution sort of like any crime scene, you 
don't disturb the scene. You rope it off and then you analyze 
it and try to figure out what happened, but that crime scene is 
a broken down system that the operators want to restore.
    They don't want to leave a mess that people can look 
through. It's just a challenge. Nobody's wrong. Both things are 
important, but coordinating on attribution could be important 
certainly for a very sophisticated attack that may be 
distributed and that we don't know where all it is embedded.
    Mr. Olson. Ms. Sugg, anything to add from your perspective, 
ma'am?
    Ms. Sugg. From the ISO/RTO perspective, certainly we are 
going to work closely with NERC and support the information-
sharing opportunities that exist to learn from these events.
    In the midst of that crisis, our operators are going to be 
looking for what's going on in a particular area of the 
footprint. I believe Washington, D.C. is in the PJM footprint.
    And so PJM operators are going to be looking for ways to 
contain a particular system outage to keep it from having 
broader cascading effects across their region. That's just one 
of the responsibilities of reliability coordination within the 
ISO/RTO community.
    Mr. Olson. Well, thank you. I'll sleep better tonight, I 
guarantee you.
    One final question--you might know the incoming Secretary 
of Energy is a guy from Texas, Governor Rick Perry. He's a 
friend, and Governor Perry asked me to ask of you all, in his 
new role over at Energy what is the one thing he can do, one 
thing, to help you make our grid more secure, from DOE's 
perspective? Your perspective on DOE?
    Mr. Aaronson. I'll say it again. ESCC, working as closely 
as possible with industry leadership, we have enjoyed a very 
fruitful relationship with the Department of Energy because of 
their senior leadership being committed to it and we look 
forward to and know that Secretary Perry will continue that 
tradition.
    Mr. Olson. Anything else to add, Mr. Cauley?
    Mr. Cauley. I will echo that. Just to get engaged with the 
industry leadership. We have several meetings a year with high-
level folks from DOE, DHS and others, and we engage them in our 
exercise.
    We challenge them and make them uncomfortable, but we have 
grown together in the last couple years and I think with the 
change of administration we need to renew that.
    Mr. Olson. Yes, sir. Dr. Beck, anything to add on that, 
sir?
    Dr. Beck. I would say, commensurate with the incoming 
administration's emphasis on infrastructure that leadership be 
shown there, and to pay attention to the electric and fuel 
infrastructure that supports it and, again, to ensure that 
security is part and parcel also with efficiency and 
reliability so that they are on equal footing and that those 
practices are embedded in any new infrastructure.
    Our infrastructure should always be getting more secure as 
it is upgraded. We can't be introducing or reintroducing old 
vulnerabilities or introducing new ones.
    Mr. Olson. Ms. Sugg, your comments.
    Ms. Sugg. I would encourage continued collaboration across 
the various industries that are dependent upon each other and I 
would also encourage the DOE to continue to focus on developing 
their cybersecurity frameworks that are made available to 
utilities to help ensure that we are thinking about security 
from soup to nuts and not just focused on the current threat or 
the current issue on the front page of the paper.
    Mr. Olson. Well, thank you all. On behalf of Governor 
Perry, much obliged.
    And my time is expired. I now recognize the gentleman from 
Pennsylvania, Mr. Doyle, for 5 minutes. He has departed, so I 
guess it's going to be Ms. Castor from Florida for 5 minutes.
    Ms. Castor. Thank you, Mr. Chairman.
    Good morning and thank you for being here today. Mr. 
Cauley, to date the power grid in the United States has not 
lost any service hours due to a cyber-attack, correct?
    Mr. Cauley. Yes, ma'am. That is correct.
    Ms. Castor. OK. Nevertheless, the electricity sector has 
not been invulnerable to cyber-attacks. As recently as December 
a utility in Riverside, California experienced a cyber event 
that did not cause a blackout but potentially could have 
affected grid reliability, according to an account on file at 
the Department of Energy.
    The same month, suspicious activity was detected on laptop 
at a Vermont electric utility, which was not connected to the 
grid.
    Does NERC have data on cyber-attacks against utilities that 
have not resulted in a loss of power on the grid?
    Mr. Cauley. Yes, ma'am. We track pretty much every incident 
and they are as small as incidents around a compromised laptop, 
which both of these cases were.
    They are connected to the corporate systems and the 
business systems of the enterprise and not to the electrical 
controls of the grid, and both of these were reported to us 
through our regular reporting capability.
    We understood what they were. Basically, the corporate side 
of each utility is as exposed to the outside world as any other 
business and you have to have that diligence around that and we 
are also subject to human frailties, people going onto a 
particular site so the idea is to continuously monitor, catch 
those and fix those. But both of those organizations reported 
to us.
    They did the right thing and we were able to distribute 
that information to the rest of the industry so that they could 
look for the same kind of issue.
    Ms. Castor. I think you're right. Oftentimes the weakest 
components in security are the humans that have to interface 
with the systems. Spear-phishing attacks have resulted in major 
leaks when even savvy users relinquish their passwords.
    And everyone is very concerned about what happened in the 
Ukraine and I--this was a good little article by security 
writer Kim Zetter.
    Everything we know about Ukraine's power plant hack--that 
the end of December two power distribution companies in Ukraine 
said that hackers had hijacked their systems to cut power to 
more than 80,000 people.
    The intruders also sabotaged operator work stations on 
their way out the digital door to make it harder to restore 
electricity to customers.
    The lights came back on in three hours in most cases but 
the hackers had sabotaged management systems and workers had to 
travel to substations to manually close breakers that hackers 
had remotely opened.
    And days after the outage Ukrainian officials appeared to 
blame Russians for the attack, saying that Ukraine's 
intelligence service had detected and prevented an intrusion 
attempt by Russian special services against Ukraine's energy 
infrastructure.
    Speaking at the S4 security conference, former NSA and CIA 
spy chief General Michael Hayden warned that the attacks were a 
harbinger of things to come for the U.S. and that Russia and 
North Korea were two of the most likely culprits if the U.S. 
power grid were ever hit.
    Now, what was interesting is utility operators in the 
Ukraine began experiencing small attacks 6 months prior to the 
main attack.
    These included e-mails to utility operators containing 
documents which installed malware. Could spear-phishing attacks 
and other similar intrusions represent a vulnerability to grid 
systems if hackers are able to identify information about grid 
systems by first infiltrating the personal and business 
information of the grid operators and what are we doing about 
that?
    Mr. Cauley. Well, spear-phishing, going to malicious sites, 
picking up malware on a laptop or a computer is probably the 
greatest vulnerability that we have and the most challenging to 
manage.
    I am pretty sure that the situation in the Ukraine would 
not happen here, because they failed to really recognize 
between March of 2015 and December 2015 we would not allow that 
software to go unchecked and for the perpetrators to get 
elevated credentials so they could actually operate the system.
    Those are extreme violations of all our rules and all our 
checks and balances and the controls that we have in place. I 
don't view what failed there is that an operator clicked on the 
wrong link.
    I feel that the organizational and institutional framework 
failed to have the rules in place to make sure that those are 
constantly checked. Humans will make mistakes.
    It should not last on a laptop more than hours or days 
before they get detected and fixed. It takes months to 
perpetrate a campaign like that, and it did in this case. But 
you got to use that time to figure out you've been compromised 
and fix it.
    Ms. Castor. I appreciate that and I appreciate how all of 
you today have expressed sincere understanding all of the 
security facets of this.
    But please be cognizant that a lot of this can start with 
those innocuous looking smaller type of infiltrations and I 
hope that you're talking with all of your personnel about that, 
too.
    I trust that you are. Thank you very much.
    Mr. Olson. The gentlelady's time has expired.
    The chair calls upon the gentleman from Pennsylvania, Mr. 
Murphy, for 5 minutes.
    Mr. Murphy. Thank you, Mr. Chairman, and thank you to the 
panel, too.
    First of all, I want to make sure we know in the record as 
far as the Ukraine goes--a bigger threat to their grid is the 
fact that Russia has invaded them and Russia has taken their 
coal fields away and that Russia threatens every European 
nation that is under the boot of Gazprom and that's what they 
do and they say if you don't buy our gas from us and you don't 
do this we are shutting off the pipes.
    So that's a big concern, too. But doing it through a back 
door avenue of a cyber-attack is important, something we all 
should pay attention to and I hope that our new president 
establishes good negotiations with President Putin so we can 
get back to the work of doing other things.
    But I wanted to ask about another area here. When it comes 
to working with the cyber-attacks and prevention, et cetera, we 
know that--I think it was Home Depot was hacked and they were 
hacked because they went through some small level billing--an 
HVAC system that didn't have the kind of protections. They 
worked their way through those channels to finally get into 
their----
    Dr. Beck. That was Target.
    Mr. Murphy. Oh, it was Target? OK. May have been they find 
some little area that doesn't have strong defenses here. And so 
I am wondering also in the utility sector and the power grid 
sector what can the federal government do to help to enhance 
cybersecurity, noting that someone may come in through any 
door, any unprotected door in this.
    Does anybody have any ideas of how this could be? Any 
supplier to a power plant, any supplier that they could find 
some weak link there? Mr. Aaronson, do you have a thought on 
that?
    Mr. Aaronson. So a couple of observations, and it brings in 
Ms. Castor's point about humans also. The weakest links, 
whether it is an unsavvy vendor, whether it is even a savvy 
user, there is always the joke.
    There is hardware vulnerabilities, there is software 
vulnerabilities and there is wetware vulnerabilities, and we 
are the wetware.
    I think, going back to my original testimony, as owners and 
operators we have to be right 100 percent of the time and the 
adversary has to be right once, I think looking at the weakest 
link shows that there are a lot of opportunities for the 
adversary to be right.
    But them being right does not have to be catastrophic. It 
goes to this idea that Mr. Cauley was talking about of the 
cyber kill chain.
    Seeing early precursors to potentially more nefarious or 
destructive activity, predictive analytics that help us to see 
those and being more aggressive in that cyber kill chain to 
both prepare, protect, and defend but then also being able to 
respond and recover.
    And to bring this back to Ukraine, while I agree with Mr. 
Cauley that a similar attack in the United States is very 
unlikely, but not impossible, I do think that the lesson that 
we have learned from them is they were able to get their 
200,000-plus customers back up and running within about 6 
hours. They were operating in a degraded state but electricity 
was still flowing.
    Mr. Murphy. Thank you. So let me ask this, though, because 
with regard to the grid, do any of the larger customers have 
any kind of other software and other controls that can pull off 
the grid and demand more?
    So if there was, obviously, not control of the power plant, 
but do they have any kind of links than can affect if they are 
not getting enough?
    Do all those controls have to go back through the original 
utility company and the power company on that grid if they 
experience some problems?
    Mr. Cauley. I think the general answer is that the system 
is built to be very redundant and with excess capacity. So if 
something is damaged or not behaving correctly it can be 
removed and there is plenty of capacity to move energy around.
    Mr. Murphy. Sure. I am wondering about the two-way 
communication. I am also looking for other back doors in there, 
too.
    Two of the things that we have in Pittsburgh--one is the 
Carnegie Mellon University computer emergency response--the 
global leader in this and also there's another program there 
called the National Cyber Forensic Training Alliance, which is 
a room filled with lots of cubicles of businesses of every 
shape and form, and when one picks up something they announce 
it. It's like the stock exchange.
    Someone says hey, I've got something here and they start 
looking back and forth and see where these back doors--channels 
are starting to probe--where's the Trojan horse running, et 
cetera.
    And I am wondering that it's one of the areas the federal 
government can look at because sometimes we will silo these 
off--let's work on DoD, Navy's going to do their thing, Army's 
going to do their thing, Air Force is going to do their thing, 
Commerce is going to do their thing, maybe different parts of 
Energy.
    I am wondering do we have enough cooperation between 
different branches of the federal government and working at 
these things together so are we creating more inefficiencies in 
our system.
    Dr. Beck, go ahead.
    Dr. Beck. Well, it's still a challenge. So I talked about 
the silos before. But I would say no but it is improving. The 
information sharing needs to be done with regard to sharing 
research, with regard to what are the problems you're trying to 
solve.
    Mr. Murphy. This may be part of the lesson to take back to 
the new secretary of energy, that people have to be willing to 
play together in the same sandbox and share their toys.
    Dr. Beck. Right. So you have DOE labs and you have DoD labs 
and they don't talk to each other very much, but they could 
with leadership and they end up working on similar problems and 
find out later wow, we have a military application. We had a 
problem here but 90 percent of that problem might be relevant 
for a civilian electric power grid.
    It takes the ability to share information at least at a 
high level and then be able to dig in and share that possibly 
if it's classified but at a more technical level as well.
    Mr. Murphy. Thank you. I appreciate that. I yield back, Mr. 
Chairman.
    Mr. Olson. Gentleman's time has expired. The chair calls 
upon the gentleman from New York, Mr. Tonko, for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chair.
    Welcome to our panelists. This subcommittee heard from 
Secretary Moniz about the interdependence of our critical 
infrastructure.
    And from what we heard this morning, it sounds like there 
is agreement that the security of our grid infrastructure is 
particularly important because of so many other sectors relying 
upon it. Is that a fair assessment?
    Mr. Cauley. Yes, sir, and we drive that out when we do our 
exercise and we break everything down. Financial sector, 
transportation, telecommunications, water--we are as dependent 
on them as they are on us.
    Mr. Tonko. OK. Thank you. And while I appreciate the focus 
on increasing security and mitigating cyber risks, I am also 
interested in knowing more about procedures in case there is a 
major cyber-attack.
    So, thankfully, our country has not had any major cyber 
incidents that have needed response but we have had major 
natural disasters. I would cite as an example in my home state 
of New York we dealt with Superstorm Sandy in 2012.
    What specific lessons have been learned from the response 
to major natural disasters that may be applicable to a future 
cyber-related response effort?
    Mr. Aaronson. So I think it's fair to say that the lessons 
in coordination, because we have not had an opportunity outside 
of exercises to necessarily exercise and stretch those muscles 
with respect to a cyber incident. They have grown up with 
respect to natural disasters and a couple physical security 
incidents as well.
    That partnership is invaluable. I look at the role that the 
Electricity Information Sharing Analysis Center plays. I look 
at the role that the Sector Coordinating Council plays in 
coordinating with the highest levels of the industry.
    I look at our partnership with DOE, who operates under 
emergency support function 12. Not only are they our sector-
specific agency, but they are the electric sector's entrée into 
the rest of the federal government enterprise, working closely 
with DHS, working closely with FEMA, working closely with the 
Department of Defense.
    A great example was Superstorm Sandy, when we did have the 
opportunity not just to help inform but actually be in the 
interagency room and help to direct resources where they needed 
to be directed. So taking information from affected utilities 
and feeding it into the government and taking information from 
the government and feeding it back to affected utilities, that 
same battle rhythm would be seen in the event of a cyber 
incident as well.
    Mr. Tonko. So the intercommunication is important and I see 
you all kind of nodding in regard to that. So do you feel the 
procedures, the equipment, the personnel are in place in order 
to respond to a major cyber incident today?
    Mr. Aaronson. I think the proper answer is it depends. 
That's always the proper answer. No, I mean, to give some 
modicum of comfort, yes. I think these relationships and these 
processes and these exercises have really informed and these 
experiences have really informed the industry's not just 
security posture, but response posture.
    I do think there is the added complication with cyber of 
data assurance, knowing that the data you are reacting to is 
the right information or has not been compromised in some way. 
So we are very cognizant of those challenges.
    But I do think just simply having that underlying 
foundation of partnership and response capabilities makes us 
fairly well prepared and getting better all the time. That's 
the goal.
    Mr. Tonko. OK. Dr. Beck, did you want to say something?
    Dr. Beck. I would say I largely agree with that but, again, 
with particular respect to cybersecurity, there are additional 
challenges to expanding mutual assistance, which the industry 
has a long history of.
    When it's a physical system--your example of Superstorm 
Sandy, those were mostly downed poles and lines. The equipment 
was standard. The repair techniques and knowledge was standard.
    Within any utility's OT system you're going to see more 
variation than you are between poles and lines. And couple that 
with Mr. Rush's point earlier about a smaller cyber workforce. 
It's a resource challenge. I applaud ESCC for taking it up.
    But it is more challenging than traditional mutual 
assistance.
    Mr. Tonko. Let me just quickly get this in. You all partner 
with the Departments of Energy and Homeland Security and, 
obviously, they provide a lot of expertise.
    But can you discuss your relationship with state and local 
governments? And I would just throw the caveat out of New York, 
again, working to develop their own cybersecurity capabilities. 
They've done this with the National Guard.
    Both New York and New Jersey National Guards have created a 
partnership to form a cyber protection team. Just your response 
to that, please.
    Mr. Aaronson. So I was remiss in not mentioning, as Dr. 
Beck did, the cyber mutual assistance program and agree 
completely with his assessment that it is in its nascent stages 
and mutual assistance in its traditional form was born under 
the crucible of lots and lots of incidents of natural disasters 
over the years.
    The same will be true of cyber, and to bring it to your 
question about state and local, a state chief information 
officer once said to me states are the consequence people. And 
you certainly see experiences where governors and the local, 
national, and the state National Guard work very closely with 
their utilities.
    Those partnerships are in place. The cyber mutual 
assistance program is leveraging those relationships for two 
reasons: one, states are the consequence people; two, the 
National Guard has some extraordinary capabilities that can 
help augment and complement and supplement the capabilities 
that the industry brings to bear with its cyber mutual 
assistance program.
    So I would say working closely with governors at the 
highest level, I would say working with operators and helping 
to bolster the cyber mutual assistance program with the Guard 
and then I would say sharing information at the local level 
through fusion centers.
    And, again, there are 73 fusion centers across the country. 
The joke has always been if you've seen one fusion center 
you've seen one fusion center, but they are increasingly better 
at coordinating amongst each other at the state level and 
giving us yet one more tool to share information and better 
respond in the event of an incident.
    Mr. Tonko. Thank you very much. I yield back, Mr. Chair.
    Mr. Olson. Gentleman's time has expired. The chair calls 
upon the gentleman from Mississippi, Mr. Harper, for 5 minutes.
    Mr. Harper. Thank you, Mr. Chairman, and thanks to each of 
you for being here. This is such an important topic as we go 
forward so I appreciate all the input each of you have given.
    Mr. Cauley, if I may ask you a couple of questions here. Is 
the North American Electric Reliability Corporation's alert 
system working as intended to provide the concise actionable 
security information to the electric industry?
    Mr. Cauley. Yes, sir, it is, and we are able to get out 
information very quickly if needed, within an hour if needed, 
and it gets to all of the owners and operators of the system 
with the specific information and they have access to it 
directly.
    So we are always looking to make it better. I think in the 
Ukraine and the internet of things incident that we saw in the 
last 12 months we have learned to scale.
    We can get thousands of people now on a conference call and 
let them know immediately what's going on, including the CEOs 
and others.
    Mr. Harper. What are the threats outside the bulk power 
system?
    Mr. Cauley. The threats to the grid outside the bulk power 
system?
    Mr. Harper. Yes.
    Mr. Cauley. Well, I think we touched on it earlier. There 
are many more electronic digital devices that exist in the 
distribution system and then customer systems that I think are 
going to increasingly have an influence on the overall grid.
    Mr. Harper. Let me just follow up just a little bit. As you 
previously stated, the North American Electric Reliability 
Corporation uses an alert system to notify the electricity 
industry of the issues or problems.
    You note that North American Electric Reliability 
Corporation determines the appropriate alert notification based 
on the risk to the bulk power system. How do you determine the 
risk or the level of that risk?
    Mr. Cauley. We have expert folks on both the cyber side as 
well as the operational side of the grid to know what the 
potential impacts might be and this is actually one of the 
particular values that we add in our relationship with 
Department of Energy, DHS, and the FBI is they often ask us 
what does this mean and how would it affect the grid if it 
actually happened.
    So we have both sides of that expertise and we have people 
who work in classified space to interpret what it means and 
what the potential downside could be if this actually happened.
    Mr. Harper. OK. Obviously, other business sectors depend 
upon electricity. We have discussed that. But can you explain 
how the electric sector is dependent and reliant on other 
sectors and what is the industry doing to reach out and address 
these interdependencies for better cybersecurity?
    Mr. Cauley. Well, we are reaching out to the other sectors. 
I think the dominant one is the telecommunications industry 
because a lot of our control systems, the ones I mentioned 
earlier that are so essential that we want to protect the most, 
run over communications networks.
    The majority of those are privately owned by us through 
services with some of the major vendors. But if those systems 
go down, and you look at the example of Hurricane Sandy when 
some of the major telecommunication suppliers had vaults in 
buildings in Manhattan that were flooded with water, we 
depended very much on those communications capabilities.
    Water, transportation--finance is one you might not think 
about but if there is a severe enough event utilities need the 
liquidity to get everything done and recover and pay their 
folks and pay for the emergency housing and things like that.
    So there are a lot of dependencies that we are working on 
through the expanded relationship that Mr. Aaronson had talked 
about of getting the same level of CEO support that we have in 
the electricity industry.
    We want to get with those other sectors and get them all in 
the room with the government folks that we need to work with to 
make sure we are communicating and coordinating and planning 
together.
    Mr. Harper. Well, I want to commend each of you on the 
level of cooperation and communication that you share and 
appreciate the effort that you're making.
    Thank you. I yield back.
    Mr. Olson. The gentleman from Maryland, Mr. Sarbanes, for 5 
minutes.
    Mr. Sarbanes. Thank you, Mr. Chairman. I want to thank the 
panel.
    I am trying to get my head around how much of these efforts 
to protect the grid from cyber threats and so forth is an 
exercise in kind of retrofitting what we have versus trying to 
build these protections in as new technologies and new 
components of the grid are rolled out. And I don't know if 
there is any way you can quantify or address it in some other 
fashion. Yes.
    Ms. Sugg. So you're right. The bulk of the standards and 
requirements are retrofitting to mitigate risks and identify 
and manage vulnerabilities and what not.
    I applaud NERC's efforts to get ahead of the supply chain 
challenges that we have to develop standards. You know, the 
industry itself has moved forward.
    The ISO/RTO council has put specific requirements in place 
for our control system vendors ahead of there being a standard 
that says you should have some secure coding practices for your 
control system vendors.
    But it's not just software vendors. It's also hardware 
vendors. And then a comment made earlier about, I think it was 
Dr. Beck, about the importance of educating the consumer on 
those smaller devices.
    I think we should put more emphasis on the manufacturers as 
well and really hold them accountable for developing things 
that are easy to maintain security with, not things that you 
just plug in and forget about, with the control systems and all 
of the systems within our organizations, not just those that 
NERC has put some mandated controls around but for all of those 
systems.
    We have a responsibility and accountability to keep them 
current and to address vulnerabilities at all times. But that 
doesn't exist, to my knowledge, when you get outside of the 
industry.
    And so I think we have to go back to the manufacturers and 
perhaps the equipment needs to be certified or----
    Mr. Sarbanes. Is it feasible to think in terms of, in a 
sense, cordoning off some of the consumer component of this 
internet of all things grid that's developing from more of the 
traditional infrastructure as a practical matter?
    Do we just have to accept the notion that somebody's 
thermostat somewhere in their house can be a path all the way 
to shutting down some regional generator or something?
    Mr. Cauley. I think to a large extent we do that already 
because the most critical assets are in the bulk power system.
    So you can picture a grid with the major control center and 
a lot of substations. We are trying to firewall it off, import 
multiple layers of protection.
    So the image that comes to my mind is sort of a shuttle 
going through space and it's just getting bombarded all the 
time. So we are getting bombarded all the time and they are 
usually hitting the shield.
    And as was mentioned earlier, sometimes the frailty is that 
a human being enables something to get through. But so we are 
doing that.
    A long-term question as a country that you're kind of 
raising, which is a lot of the electronics comes with huge 
capabilities. We used to buy a relay for the system and it 
would just be a couple of contacts and a coil of copper wire.
    Now you get a box and it has 10,000 lines of code because 
it can do anything and everything that you want. Well, that 
philosophy really permeates everything in the consumer side, in 
the distribution systems and in the bulk power system.
    We are getting electronics that can do everything. The 
difficulty there is then it can be reprogrammed to do anything 
anyone else wants.
    All right. So I think we have to think about long-term 
partnership with suppliers, vendors, and manufacturers in terms 
of building better security into systems, making sure we are 
able to manage a purpose and have those be beneficial purposes 
and not adverse purposes.
    Mr. Sarbanes. Right. You have kind of a bundling problem. 
Get this thing and it can do all of this neat stuff that I 
don't necessarily need and could introduce a vulnerability that 
I won't notice because I never use that feature.
    Mr. Aaronson. Just to sort of piggyback on some of that, I 
think we don't have the luxury of doing the ostrich thing and 
putting our heads in the ground.
    Smarter energy infrastructure is here to stay and it serves 
a really important purpose and I think customers and consumers 
want it and are going to deploy and, again, utility scale and 
just industry in general sees the value.
    We talked about distributed resources, having an impact on 
resiliency. They are both a good one and a bad one, and I think 
instead of trying to fully cordon off I think the most critical 
assets instead we need to look at segmentation and awareness of 
the vulnerabilities that are introduced and additional 
resilience to ensure that a problem at one node is not a 
catastrophic problem, more broadly.
    And again, I think some of the standards that are already 
in place and some of the approaches to the promulgation of 
distributed resources are going in the right direction.
    Mr. Sarbanes. I yield back. Thanks.
    Mr. Olson. The gentleman yields back. The chair calls upon 
the gentleman from West Virginia, Mr. McKinley, for 5 minutes.
    Mr. McKinley. Thank you, Mr. Chairman.
    This issue has come up literally every year since I've been 
in this committee for the last 6 years and I keep being told 
that everything is going to be fine, that we have got things 
under control.
    Two years ago we had Tom Siebel with C3 Energy testify 
before us and Mr. Siebel said, it was kind of shocking to me, 
he said, I could--any hostile country--and he said as a matter 
of fact I could take 10 engineers from U.C. Berkeley and I 
could shut down the electric grid between Boston and New York 
within four days.
    Now, that was after all the testimony about all the 
safeguards we had in place. So is Mr. Siebel wrong?
    Mr. Aaronson. So I guess I'd push back on the premise a 
bit. He is not wrong in that, and I don't think any of us today 
are saying it's 100 percent under control.
    I think, as I mentioned, it is an ongoing effort to 
continue to improve our defenses to respond to incidents 
internationally and domestically and to apply those here. You 
have two options.
    You can be a good example or you can be a cautionary tale 
and, fortunately, there are a lot of cautionary tales out there 
about how a sophisticated, well-informed threat actor with a 
purpose can have an impact on grid operations.
    I think what I would say is while an attack that has an 
impact is always within the realm of the possible, the 
resilience and redundancy that has grown up and the ability to 
respond that continues to evolve makes me a lot more 
comfortable in our ability to deal with these.
    Mr. McKinley. We took that theme, that concept back--we had 
a cybersecurity summit back in West Virginia and we had some 
180 people attending, almost 200 people, in panels from all 
across the country, people coming in.
    They all agree that we are still very vulnerable. This 
exercise that we go through, talking about and telling us we 
are OK. They are saying from the inside we are not.
    So I am still going to remain uncomfortable--it goes back a 
little bit to what Johnny Wooden used to say when he was 
coaching the UCLA Bruins, that we often in America confuse 
effort with accomplishment. And I am afraid we are doing an 
awful lot of effort.
    We are showing up daily, talking about it. But I am not 
comfortable yet and neither were the other people on the panel 
that we hosted.
    So if I could now go to Ms. Sugg. One of the other 
testimonies we had not too long ago here was from PJM and they 
said notwithstanding the problems that we have with 
cybersecurity but the bigger issue that we have with our 
electric grid is the electromagnetic pulse, EMP.
    Do you agree with that, that it's as much of a threat as 
cyber, or worse?
    Ms. Sugg. I think the probability of that occurring is much 
lower. However, the impact of it, if it were to happen, is much 
larger than a cyber-attack. So it is a concern.
    We are working with the vertically integrated utilities who 
actually own the physical equipment to understand what sort of 
protections and redundancies and things that they need to have 
in place.
    Our dependency on the telecommunication industry is 
certainly a concern there because if there were a significant 
EMP event it would take out the telecommunications.
    And while we have a lot of redundancy in 
telecommunications, if it were all to go out then we'd have to 
relinquish the controls that we have back to the utilities 
themselves to help manage the grid.
    But I know Dr. Beck is an expert on the EMP. I'll be 
interested in his additional comments.
    Mr. McKinley. If you could. We are running out of time on 
this.
    Dr. Beck. Sure. Well, just quickly, they are both 
definitely an issue. We will just say on the one hand we have 
cyber-attacks, which are happening right now while we are 
having this conversation, right, versus EMP attacks getting the 
bullet for the EMP attack is difficult whereas getting the 
bullet for a cyber-attack you can go out and buy it right now 
on any criminal hacker web site.
    So there is a much different proliferation concern. The 
footprints could be quite similar. You can distribute a cyber-
attack quite broadly as you could with an HEMP attack and also 
the similarity in that similar types of systems can be 
attacked. Any computer network could be susceptible to any EMP. 
It could be susceptible to cyber.
    Mr. McKinley. In respect for the time I had some other 
questions. Let me just close with a--I would hope, given the 
confusion out there, that we could possibly just show us what 
accomplishments, if periodically we get briefed on different 
terrorism attacks.
    If 56 were stopped last month or somehow to show that 
whatever you're doing on cybersecurity is working. Because when 
I have these panels they don't think it is.
    So I need to have something back to be able to support 
that. Thank you. I yield back.
    Mr. Olson. Gentleman yields back.
    The chair calls upon the gentleman from Ohio, Mr. Johnson, 
for 5 minutes.
    Mr. Johnson. Thank you, Mr. Chairman, and I want to thank 
the panel for being here with us today.
    Mr. Aaronson, some have expressed concern that the recent 
episode with the electric utility in Vermont will cause 
industry officials to avoid or think twice about sharing 
information with the government in fear that it could be 
leaked.
    Trust, as we all know, is a two-way street, and while we 
need to ensure that industry officials are properly 
implementing and carrying out federal cybersecurity standards 
and regulations, the government must be a trustful cooperative 
partner.
    What can be done, in your opinion, if anything, to improve 
this relationship and build trust, moving forward?
    Mr. Aaronson. I appreciate the question. The first thing 
I'll say is it would be helpful if sensitive information shared 
in confidence was not shared then with the media.
    Mr. Johnson. Hope you're better at it than we are here. Go 
ahead.
    Mr. Aaronson. Well, I will say up to the moment that there 
was a front-page article in the Washington Post, I would 
suggest that the information sharing associated with the 
Vermont incident went perfectly.
    There was actionable intelligence from government 
officials, shared with the Sector Coordinating Council. We 
brought together more than 30 CEOs onto a phone call within 
about 4 hours.
    That information was then cascaded broadly throughout the 
sector at a very senior level and at the operative level both 
through the Sector Coordinating Council and the E-ISAC. 
Utilities across the sector took that information, compared it 
against their systems and what do you know, some potential 
indicators of compromise were found. That is exactly the way 
it's supposed to happen.
    To answer your question about will this have a chilling 
effect on information sharing, I don't believe it will. I think 
because of the industry's commitment to and responsibility to 
help each other as we operate this one big machine together, 
there is a sense of responsibility to continue to share 
information even in the face of potential breach of or a 
potential disclosure to public sources.
    But we are looking at what happened at the end of last year 
as a teachable moment and one that we hope isn't replicated. 
And I will give the Burlington Electric Department a ton of 
credit. They said in their statement that they would not let 
this episode chill their intent to continue to share 
information.
    Mr. Johnson. OK. Good. Well, thank you for that. Anybody 
else want to comment on that? I've got a couple of other 
questions. OK.
    Let's talk about information sharing a little bit and we 
will just go down the line for any that want to respond.
    Why do you think situational awareness and information 
sharing is so necessary to enhance the electricity sector's 
ability to prepare for and respond to cyber and physical 
threats and vulnerabilities?
    So why is situational awareness and information sharing so 
necessary? Mr. Cauley.
    Mr. Cauley. I think the main reason is that one company's 
only going to view their own experience and what they see. So 
if a company has one laptop compromised they think, well, that 
laptop got compromised, somebody must have pushed the wrong 
button.
    But we are able to put together hundreds of specific 
instances, look at patterns over time and I think one of the 
capabilities we have through CRISP and through our analytics is 
to see patterns of connection points of internet locations, 
signatures of compromise, and things like that.
    We can see a pattern over 3 months, 6 months, 18 months in 
some cases and you can see what they are doing. You can 
actually watch what's evolving in a very big picture.
    So I think that's really the multiplier effect of being 
able to get everybody's data and to be able to share. We share 
through the DOE lab. We work the CRISP program.
    On the back end of that is the Pacific Northwest lab. They 
have people working classified space, helping us analyze the 
data. So for us to be able to get that, what does it mean, what 
are people trying to do to us, what should we look for, we turn 
around and give that back to industry.
    Mr. Johnson. OK.
    Mr. Aaronson. In the interest of time, I will say Gerry is 
spot on and I would just add one more thing Ms. Sugg said 
earlier which is, I love this quote, I wrote it down: 
``Someone's detection is someone else's protection.''
    And I think everything that happens is a lesson for the 
rest of the industry. Applying it helps make us all more 
secure.
    Mr. Johnson. See something, say something.
    Mr. Aaronson. There it is.
    Mr. Johnson. There you go.
    Dr. Beck. I think situational awareness, even in the 
broadest terms, is important. So whether knowing about a 
certain attack at a certain utility, that whether or not it 
needs to be defended against by a different utility it's just 
important to have visibility to those reports to understand, 
this situation is happening or the frequency of attacks or that 
people are reporting it I think that just raises the 
consciousness of keeping your eye on this particular ball.
    Mr. Johnson. OK. Ms. Sugg.
    Ms. Sugg. Very quickly, the NERC alert system certainly has 
picked up in frequency of alerting. As Mr. Cauley mentioned 
earlier, given the understanding that we need to be thinking 
about events at any level no matter how small, one of the 
things that makes it particularly useful to us, I believe, is 
the accountability to respond to it.
    So it's not just a matter of, oh, I received some 
information and maybe I'll study that someday. But NERC puts 
requirements around--you must read this, you must look at these 
things and you must report back, and I think that that helps to 
ensure that if there are vulnerabilities somewhere that some 
utility has found that they are responsible for addressing 
those and reporting that back to NERC.
    Mr. Johnson. OK. Great. Mr. Chairman, I yield back. Thanks 
for indulging.
    Mr. Olson. Gentleman yields back. The chair calls upon the 
gentleman from Michigan, Mr. Walberg, for 5 minutes.
    Mr. Walberg. Thank you, Mr. Chairman, and thanks to the 
panel for being here.
    Coming from Michigan and my district, bordering Canada, I 
was just interested to know that since this grid is a North 
American grid, could you please describe, Mr. Aaronson, how 
utility industry coordinates with our northern neighbors on 
cyber and grid security.
    Mr. Aaronson. Sure, and I'll rely on Gerry a little bit, 
too, given NERC's responsibility as the North American 
Electrical Reliability Corporation.
    For the Sector Coordinating Council, the Canadian 
Electricity Association has been an integral part of that 
relationship as has the Canadian government. We have had not 
just the Department of Energy and Department of Homeland 
Security here in the United States but Natural Resources Canada 
and Public Safety Canada, their counterparts respectively north 
of the border.
    Given that this is a North American grid, we are all 
operating the same machine together, number one. Number two, 
you've seen in instances of particularly natural disasters 
where it's not just crews and bucket trucks from the United 
States descending on affected areas but from north of the 
border as well.
    And then also with our nascent, but growing cyber mutual 
assistance program, there have been Canadian utilities as part 
of that relationship also.
    Mr. Walberg. Mr. Cauley.
    Mr. Cauley. So to us they are equally engaged in all of our 
programs. We actually have representation on the coordinating 
council at the CEO level.
    They participated in the ISAC. They follow our standards 
and so they are equal partners. We share information with them. 
They've had some things happen in Canada that we have not seen, 
like an airplane flying over lines and dropping wire on line.
    So somebody was disgruntled and decided to launch their own 
attack out of an airplane. But we share that among ourselves 
and we are able to basically learn from each other and they are 
equal partners and I think all the ISOs in Canada run 
highly competent systems with the similar controls we have on 
the U.S. systems.
    Mr. Walberg. Continuing on, Mr. Cauley, with some concerns 
about the relationships with Canada and ourselves from my state 
specifically, there is a growing number of interdependencies 
between power generation and natural gas, pipelines included.
    The two industries are similar but are different in some 
ways. How are you addressing power generation resilience to 
avoid single points of failure and what opportunities do you 
see, moving forward?
    Mr. Cauley. It's a very timely topic for us. We have 
actually been doing some recent analysis and we are in the 
process of publishing a report to look at key parts of the 
gas infrastructure system that we depend on.
    We have now three of our eight regions that have more than 
50 percent of the power supplied by natural gas. And so 
pipelines and storage facilities do create vulnerabilities and 
I think not just from a physical perspective in terms of 
competition with retail gas customers in extreme weather but 
also from a cyber perspective where physical attack disruptions 
could cascade over into electric power.
    So it's high on our list of priorities and the one thing we 
do encourage is diversity in fuel and we encourage 
infrastructure and I think this is the partnership between us 
and Canada and the growing partnership with the infrastructure 
in Mexico which we are involved in will help us ensure our 
energy security through exchange of gas and electricity and 
renewables and all kinds of resources.
    Mr. Walberg. And, hopefully, along with that concept, 
moving back to a more robust standard of all of the above in 
generation and fuels.
    I know there has been a push that's pushed, at least in my 
district, the energy district of the state, away from having 
that robust opportunity for an all above standard.
    Mr. Cauley, let me just in the remaining few seconds here, 
how is NERC and the industry working to develop policies to 
encourage use of system components that will be less vulnerable 
to attack?
    And follow that up, what the Department of Energy is doing 
in this front as well and how you're working with them?
    Mr. Cauley. Well, our standards, and I think the experience 
that we are learning with feeding back industry encourage 
better protection.
    One of the things that we are seeing directly is greater 
diversity of equipment and basically reducing the criticality 
of an individual station or piece of equipment and creating 
redundancies in the system to make us less vulnerable.
    So I think there are a lot of examples like that where 
people are reacting to being more secure and building it into 
the architecture and design of their systems.
    Mr. Walberg. I yield back.
    Mr. Olson. The gentleman yields back.
    We saved the best for last. The chair calls upon the 
gentleman from Ohio, Mr. Latta, for 5 minutes.
    Mr. Latta. Well, thank you very much, Mr. Chairman, and to 
the panel thanks very much for being here today. It's very, 
very informative.
    I know that the other juries that we have had in the past 
year and two, I should say, that you know, this is a very, very 
important topic.
    It's a very, very serious topic, and if I could start with 
you, Mr. Aaronson, if I could ask this. You mentioned in your 
testimony that you're working with DOE to determine the scope 
and process for emergency orders.
    Would you expand on that conversation and provide insight 
as to whether there would be further action from Congress at 
this time?
    Mr. Aaronson. I don't know about further action from 
Congress yet. I mentioned earlier that the notice of proposed 
rulemaking was put out a few months ago.
    We have a due date actually of this coming Monday, February 
6th, to get comments in. Those comments are helping to inform 
the process of what an emergency order from the Secretary of 
Energy might look like.
    I think the most important thing, and it is built into the 
NOPR, is this idea of consultation. The law said consultation 
with the sector where practicable.
    Practicable to us is a little concerning, given that any 
emergency order that doesn't take into account how grid 
operators actually operate the system could have unintended 
consequences.
    So that is a point that we are making in this response to 
the rulemaking to help inform the process. But I do think that 
given all of the great relationship we have with the secretary 
of energy and, frankly, just the Department of Energy in 
general as our sector-specific agency we are confident that 
they understand us, we understand them and think we can work 
productively with them to implement that emergency authority.
    Mr. Latta. OK. Thank you. Let me follow up, and this has 
been touched on a little bit before. You said something kind of 
interesting that I wrote down.
    You mentioned earlier about the vulnerabilities that the--
that are potentially a concern through the internet of things, 
and if you could expand a little bit on that work and also with 
the electricity infrastructure sharing and analysis center and 
beginning to fix those risks.
    But then you said this. I thought, this is kind of 
interesting. You said you were on a journey without a 
destination. That's not real comforting as we are going down 
that road.
    Mr. Aaronson. Maybe I should pick a better cliche.
    Mr. Latta. I write those things down.
    Mr. Aaronson. But the point I am getting across is there is 
no such thing as 100 percent security. So we are constantly 
evolving and I think that is a good thing.
    If we became stagnant and just relied on this culture of 
compliance and, yes, we are secure, we would not be able to be 
responsive to new and emerging threats.
    So, it's the old joke--I don't have to be faster than the 
bear, I just have to be faster than the other guy. There is 
another cliche to add to that--the hit list.
    But what we were doing is constantly trying to stay ahead 
of the adversary and they have intent and capabilities but we 
do too.
    And I think I am particularly proud of the industry's 
culture of constantly reinventing and looking at its security 
posture, seeing where there are gaps, using exercises like 
GridEx, using observations from things that happen overseas and 
here at home and learning from those and then applying them to 
make us better.
    And to Mr. McKinley who I am sorry isn't here, I agree I 
love the wooden quote of effort does not equal accomplishment.
    But I would say there have been a number of accomplishments 
from putting in place spare equipment programs to creating a 
cyber mutual assistance program to doing a better job of 
sharing information to developing the cyber risk information 
sharing program and applying it from a DOE lab into a 
commercial application.
    So a lot of stuff that is happening in a very short amount 
of time because of the CEO leadership of the Sector 
Coordinating Council.
    Mr. Latta. Thank you. Ms. Sugg, if I could go back to what 
you also said. You said that innovation is important. Are we 
meeting that innovation to make sure we keep up the standards 
to make sure that we meet these potential threats?
    Ms. Sugg. Well, innovation is certainly changing faster 
than the standards are changing, hence my comments about 
ensuring that the standards are not overly prescriptive but are 
more focused on the risk.
    Innovation is important whether it be trying to understand 
the threat avenues from our attackers or understanding the 
newer and more interesting technologies that are coming to bear 
that may provide some additional securities for us beyond what 
we have today.
    We don't ever want to be really comfortable with our 
architecture that we have in place. We need to continue to look 
at opportunities to strengthen it, depending on what 
technologies are available and matching that up with where the 
threats seem to be coming in and how we can try to get ahead of 
that.
    Mr. Latta. Thank you.
    Mr. Chairman, my time has expired and I yield back.
    Mr. Olson. Gentleman yields back and the chair would like 
to have one invitation for the witnesses.
    If you want to see a robust grid security in action at a 
small level, come to Houston, Texas this weekend. There is this 
big football game called Super Bowl 51. It's not a power grid, 
but as you can imagine, if the power goes down right as the 
Falcons are about to score that touchdown to beat the Patriots, 
there will be a riot of biblical proportions. Invitation does 
not come with tickets, and that'll cost you a pretty penny.
    But seeing no further members wishing to ask questions, I 
want to thank all of our witnesses for your participation in 
today's hearing.
    And pursuant to committee rules, I remind members that they 
have 10 business days to submit additional questions for the 
record and ask the witnesses to submit their responses in 10 
business days upon receipt of the questions.
    Mr. Rush, before you leave I ask for unanimous consent that 
a statement for the record from the Large Public Power Council 
and a statement from the American Public Power Association and 
NRECA be put in the record.
    Without objection, the subcommittee is adjourned.
    [Whereupon, at 12:49 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]