[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


               DOE MODERNIZATION: LEGISLATION ADDRESSING 
                 CYBERSECURITY AND EMERGENCY RESPONSE

=======================================================================

                                 HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON ENERGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 14, 2018

                               __________

                           Serial No. 115-108
                           
                           


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                               __________
			                               
		                 

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
30-558                     WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
			                  

                        
                        
                    
                    
                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee          GENE GREEN, Texas
STEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida            PAUL TONKO, New York
BILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York
BILLY LONG, Missouri                 DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana               KURT SCHRADER, Oregon
BILL FLORES, Texas                   JOSEPH P. KENNEDY, III, 
SUSAN W. BROOKS, Indiana                 Massachusetts
MARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California
RICHARD HUDSON, North Carolina       RAUL RUIZ, California
CHRIS COLLINS, New York              SCOTT H. PETERS, California
KEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina
                         
                         
                         Subcommittee on Energy

                          FRED UPTON, Michigan
                                 Chairman
PETE OLSON, Texas                    BOBBY L. RUSH, Illinois
  Vice Chairman                        Ranking Member
JOE BARTON, Texas                    JERRY McNERNEY, California
JOHN SHIMKUS, Illinois               SCOTT H. PETERS, California
ROBERT E. LATTA, Ohio                GENE GREEN, Texas
GREGG HARPER, Mississippi            MICHAEL F. DOYLE, Pennsylvania
DAVID B. McKINLEY, West Virginia     KATHY CASTOR, Florida
ADAM KINZINGER, Illinois             JOHN P. SARBANES, Maryland
H. MORGAN GRIFFITH, Virginia         PETER WELCH, Vermont
BILL JOHNSON, Ohio                   PAUL TONKO, New York
BILLY LONG, Missouri                 DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana               KURT SCHRADER, Oregon
BILL FLORES, Texas                   JOSEPH P. KENNEDY, III, 
MARKWAYNE MULLIN, Oklahoma               Massachusetts
RICHARD HUDSON, North Carolina       G.K. BUTTERFIELD, North Carolina
KEVIN CRAMER, North Dakota           FRANK PALLONE, Jr., New Jersey (ex 
TIM WALBERG, Michigan                    officio)
JEFF DUNCAN, South Carolina
GREG WALDEN, Oregon (ex officio)
  
                             C O N T E N T S

                              ----------                              
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement
    Prepared statement
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement

                               Witnesses

Mark Menezes, Under Secretary, U.S. Department of Energy
    Prepared statement
    Answers to submitted questions
Tristan Vance, Director, Chief Energy Officer, Indiana Office of 
  Energy Development
    Prepared statement
Zachary Tudor, Associate Laboratory Director for National and 
  Homeland Security, Idaho National Laboratory
    Prepared statement
Mark Engels, Senior Enterprise Security Advisor, Dominion Energy
    Prepared statement
Kyle Pitsor, Vice President, Government Relations, National 
  Electrical Manufacturers Association
    Prepared statement
Scott Aaronson, Vice President, Security and Preparedness, Edison 
  Electric Institute
    Prepared statement

                           Submitted Material

H.R. 5174
H.R. 5175
H.R. 5239
H.R. 5240
Statement of the American Public Power Association and the 
  National Rural Electric Cooperative Association
Report entitled, ``Cybersecurity Program Update,'' The American 
  Public Power Association
Letter of January 24, 2018, from the Committee to Secretary of 
  Energy Rick Perry
Letter of March 13, 2018, from Secretary of Energy Rick Perry to 
  the Subcommittee on Energy
Statement of Siemens Energy

 
 DOE MODERNIZATION: LEGISLATION ADDRESSING CYBERSECURITY AND EMERGENCY 
                                RESPONSE

                              ----------                              


                       WEDNESDAY, MARCH 14, 2018

                  House of Representatives,
                            Subcommittee on Energy,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:04 a.m., in 
room 2322 Rayburn House Office Building, Hon. Fred Upton 
(chairman of the subcommittee) presiding.
    Members present: Representatives Upton, Olson, Barton, 
Shimkus, Latta, Harper, McKinley, Kinzinger, Griffith, Johnson, 
Long, Bucshon, Mullin, Hudson, Walberg, Duncan, Walden (ex 
officio), Rush, McNerney, Peters, Castor, Sarbanes, Welch, 
Tonko, Loebsack, Butterfield, and Pallone (ex officio).
    Staff present: Mike Bloomquist, Staff Director; Daniel 
Butler, Staff Assistant; Kelly Collins, Legislative Clerk, 
Energy/Environment; Jordan Davis, Director of Policy and 
External Affairs; Wyatt Ellertson, Professional Staff, Energy/
Environment; Margaret Tucker Fogarty, Staff Assistant; Adam 
Fromm, Director of Outreach and Coalitions; Jordan Haverly, 
Policy Coordinator, Environment; Ben Lieberman, Senior Counsel, 
Energy; Mary Martin, Chief Counsel, Energy/Environment; Drew 
McDowell, Executive Assistant; Brandon Mooney, Deputy Chief 
Counsel, Energy; Mark Ratner, Policy Coordinator; Annelise 
Rickert, Counsel, Energy; Dan Schneider, Press Secretary; Peter 
Spencer, Professional Staff Member, Energy; Jason Stanek, 
Senior Counsel, Energy; Austin Stonebraker, Press Assistant; 
Madeline Vey, Policy Coordinator, Digital Commerce and Consumer 
Protection; Hamlin Wade, Special Advisor, External Affairs; 
Everett Winnick, Director of Information Technology; Priscilla 
Barbour, Minority Energy Fellow; Jeff Carroll, Minority Staff 
Director; Jean Fruci, Minority Energy and Environment Policy 
Advisor; Tiffany Guarascio, Minority Deputy Staff Director and 
Chief Health Advisor; Rick Kessler, Minority Senior Advisor and 
Staff Director, Energy and Environment; John Marshall, Minority 
Policy Coordinator; Alexander Ratner, Minority Policy Analyst; 
and C.J. Young, Minority Press Secretary.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Good morning. Good morning. So, this DOE 
modernization hearing is going to focus on the proposed 
legislation relating to core energy security missions of the 
Department. This mission is to ensure the supply and delivery 
of energy that is vital to our economic and national security, 
our public welfare, and health.
    For the last two Congresses we have been working to update 
the Department's authorities and capabilities both to mitigate 
against and respond to energy supply emergencies, especially 
with respect to critical energy infrastructure and to 
cybersecurity.
    For example, we directed the Department to modernize its 
strategic petroleum reserve and response capabilities. We 
clarified and enhanced DOE's role as the sector-specific agency 
for the energy sector, especially for critical electric 
infrastructure. We moved through the House H.R. 3050 last 
summer to strengthen DOE's support for state energy emergency 
offices in their cybersecurity efforts and the common theme has 
been to update DOE's cybersecurity and emergency coordinating 
functions and provisions of technical assistance to other 
agencies, states, and asset owners. So in keeping with these 
modernization efforts, the legislation today continues that 
work.
    H.R. 5174, the Energy Emergency Leadership Act, introduced 
by Mr. Walberg and Ranking Member Rush, elevates the role in 
DOE and specifies certain emergency and preparedness functions 
to ensure full attention to the risks of cybersecurity and 
other threats to the energy sector.
    Given the reliance on energy in modern society, ensuring 
that supply has become of such surpassing importance that we 
have to be able to make sure that the agency has sufficient 
leadership focus to meet its responsibilities.
    Similarly, H.R. 5175, the Pipeline and LNG Facility 
Cybersecurity Preparedness Act, which I introduced along with 
Mr. Loebsack would enhance DOE's ability to coordinate the 
interconnected systems of energy delivery and supply which 
includes ensuring the security of digital systems in pipeline 
and grid operations.
    Although several governmental authorities play a role, DOE 
has got to have the adequate visibility across the energy 
sector to ensure the Federal, State, and asset owners are 
sufficiently prepared and coordinated and to efficiently 
deploy, where needed, its world class technological 
capabilities. This bill certainly aims to assure that it can be 
done.
    Both H.R. 5239, the Cyber Sense Act of 2018, and H.R. 5240, 
the Enhancing Grid Security Through Public-Private Partnership 
Act, have been introduced by Mr. Latta and Mr. McNerney, two 
leaders on grid innovation. The Cyber Sense bill, a version of 
which passed the House as part of H.R. 8 back in 2016, seeks to 
establish a voluntary DOE program that would permit cybersecure 
products intended for use in the bulk-power system.
    And the Enhancing Grid Security Act bill seeks to 
facilitate and encourage public-private partnerships aimed at 
strengthening the physical and cybersecurity of electric 
utilities, especially mid-size and small utilities which may 
not have the resources to identify and address 
cybersecurity vulnerabilities and system risks.
    Two panels of witnesses this morning are going to provide 
their perspective on these bills and discuss what other 
measures may be helpful to ensure DOE can fulfill its energy 
security and emergency missions.
    I want to welcome back Undersecretary of Energy Mark 
Menezes, who returns from his appearance in January. I look 
forward to his comments and to talk about his own plans to 
elevate DOE's leadership in emergency response. He's 
accompanied by Pat Hoffman, Principal Deputy Assistant 
Secretary in the Office of Electricity, who can provide 
technical perspective from her experience addressing 
cybersecurity and energy emergency functions.
    Our second panel will feature a range of energy security 
and emergency perspectives. One witness from DOE's Idaho 
National Lab will help us understand federal capabilities to 
support cybersecurity in the energy sector.
    We are going to hear from the State of Indiana's Emergency 
Response Authority, from Dominion Energy on pipeline security, 
from EEI on electric cybersecurity, and from the National 
Electrical Manufacturers Association to talk about 
cybersecurity of grid components.
    We welcome you all and with that I would yield to the 
ranking member of the subcommittee, my friend, Mr. Rush.
    [The prepared statement of Mr. Upton follows:]

                 Prepared statement of Hon. Fred Upton

    Our DOE modernization hearing today will focus on proposed 
legislation relating to a core energy security mission of the 
Department. This mission is to ensure the supply and delivery 
of energy that is vital to our economic and national security, 
our public health and welfare.
    For the past two Congresses we've been working to update 
the Department's authorities and capabilities both to mitigate 
against and respond to energy supply emergencies, especially 
with respect to critical energy infrastructure and to 
cybersecurity.
    For example, we directed the Department to modernize its 
strategic petroleum reserve and response capabilities; we 
clarified and enhanced DOE's role as the sector specific agency 
for the energy sector, especially for critical electric 
infrastructure; we moved through the House H.R. 3050 last 
summer to strengthen DOE's support for state energy emergency 
offices and their cybersecurity efforts.
    The common theme here is to update DOE's cybersecurity and 
emergency coordinating functions and provision of technical 
assistance to other agencies, states, and asset owners. So, in 
keeping with these modernization efforts, the legislation today 
continues this work.
    H.R. 5174, the Energy Emergency Leadership Act, introduced 
by Mr. Walberg and Ranking Member Rush, elevates the role in 
DOE and specifies certain emergency and preparedness functions 
to ensure full attention to the risks of cybersecurity and 
other threats to the energy sector.
    Given the reliance on energy in modern society, ensuring 
its supply has become of such surpassing importance, we should 
be sure the agency has sufficient leadership focus to meet its 
responsibilities.
    Similarly, H.R. 5175, the Pipeline and LNG Facility 
Cybersecurity Preparedness Act, which I introduced along with 
Mr. Loebsack, would enhance DOE's ability to coordinate the 
interconnected systems of energy delivery and supply, which 
includes ensuring the security of digital systems in pipeline 
and grid operations.
    Although several governmental authorities play a role, DOE 
must have adequate visibility across the energy sector, to 
ensure the Federal, State, and asset owners are sufficiently 
prepared and coordinated, and to efficiently deploy, where 
needed, its world class technological capabilities. This bill 
aims to assure this can be done.
    Both H.R. 5239, the Cyber Sense Act of 2018, and H.R. 5240, 
the Enhancing Grid Security through Public-Private Partnership 
Act, have been introduced by Mr. Latta and Mr. McNerney, two 
leaders on grid innovation. The Cyber Sense bill, a version of 
which passed the House as part of H.R. 8 in 2016, seeks to 
establish a voluntary DOE program that would promote cyber-
secure products intended for use in the bulk-power system.
    The Enhancing Grid Security bill seeks to facilitate and 
encourage public-private partnerships aimed at strengthening 
the physical and cybersecurity of electric utilities, 
especially mid-sized and small utilities, which may not have 
the resources to identify and address cybersecurity 
vulnerabilities and system risks.
    Two panels of witnesses this morning will provide 
perspective on these bills and discuss what other measures may 
be helpful to ensure DOE can fulfill its energy security and 
emergency missions.
    I'd like to welcome back Under Secretary of Energy Mark 
Menezes, who returns from his appearance in January. I look 
forward to his comments and to talk about his own plans to 
elevate DOE's leadership on emergency response. He is 
accompanied by Pat Hoffman, Principal Deputy Assistant 
Secretary in the Office of Electricity, who can provide 
technical perspective from her experience addressing 
cybersecurity and energy emergencies.
    Our second panel features a range of energy security and 
emergency perspectives. Our witness from DOE's Idaho National 
Lab will help us understand federal capabilities to support 
cybersecurity in the energy sector.
    We'll hear from the State of Indiana's emergency response 
authority; we'll hear from Dominion Energy on pipeline 
security, from the Edison Electric Institute on electric 
cybersecurity, and from National Electrical Manufacturers 
Association, to talk about cybersecurity of grid components.
    Welcome, and I look forward to the discussion.

    [H.R. 5174, H.R. 5175, H.R. 5239, and H.R. 5240 follow:]
    
    Mr. Rush. I want to thank you, Mr. Chairman, for holding 
this important hearing today on legislation addressing 
cybersecurity and emergency response.
    Mr. Chairman, I support the four bills before us and I want 
to specifically and respectfully acknowledge Mr. Walberg of 
Michigan who worked with my office on the Energy Emergency 
Leadership Act. This bill will establish a new DOE assistant 
secretary position with jurisdiction over all energy emergency 
and security functions related to energy supply, 
infrastructure, and cybersecurity.
    Mr. Chairman, while cybersecurity is an important issue, I 
would be remiss if I did not point out that today at this very 
same time students have declared this as National Walk-Out Day. 
And as we speak, Mr. Chairman, students from across the country 
are leaving their classrooms to honor the lives of the 17 
people killed at Stoneman Douglas High School last month and to 
press policy makers to pass commonsense gun control laws.
    Mr. Chairman, cybersecurity is a serious issue that must be 
addressed. However, nothing can be more urgent than answering 
the cries and the pleas emanating from our Nation's youth--
students who have had enough of being scared and anxious and 
frustrated by the lack of leadership coming from both the 
administration and this Congress on the issue of gun violence.
    Mr. Chairman, as policy makers, as parents, as 
grandparents, as adults, and as leaders we are failing our 
youth by letting politics and influential interest groups come 
before our most sacred responsibility, and that is protecting 
our children.
    Mr. Chairman, every single Democrat on the four Energy and 
Commerce committees sent a letter to Chairman Walden on March 
7th urging him to hold hearings as soon as possible to address 
gun violence in America. That followed a February 16th letter 
also signed by all 24 Democrats on the full committee to 
Chairman Walden and Health Subcommittee Chairman Burgess urging 
the Republican leadership to hold a hearing as soon as possible 
on federal investment in gun violence prevention research.
    Mr. Chairman, we owe it to our children at the very least 
to examine this problem in a serious and thoughtful manner and 
I can assure you that this issue will come up again and again, 
regardless of the planned topic of discussion until we hold a 
hearing.
    With that, I yield the remainder of my time to my friend 
and colleague from California, Mr. McNerney.
    Mr. McNerney. Well, I thank the ranking member for yielding 
and the chairman for holding this hearing.
    Today, we will examine several legislative proposals 
concerning our Nation's grid security. As co-chairs of the Grid 
Innovation Caucus, Bob Latta and I are focused on providing a 
forum that advocates for grid investments and examines the 
risks and opportunities with our grid.
    Our work, through the Grid Caucus, has led to the 
introduction of two bills we will be discussing today. H.R. 5239, 
the Cyber Sense Act of 2018 would create a program to identify 
cybersecure products for the bulk power grid system through 
testing and verification. The bulk power system is the backbone 
of American industry and provides all the benefits of reliable 
electric power to the American people. It's essential that we 
make this system as secure as possible as cyberattacks pose a 
serious threat to our electric grid. Any vulnerable component 
of our grid is a threat to our security and this bill will go a 
long way to strengthen our system.
    Mr. Latta and I are also co-leads of H.R. 5240, the 
Enhancing Grid Security Through Public-Private Partnerships 
Act. This bill will create a program to enhance the physical 
and cybersecurity of electric utilities through assessing 
security vulnerabilities, increase cybersecurity training, and 
data collection. It will also require the interruption cost 
estimate calculator, which is used to calculate the return on 
investment on utility investments, to be updated at least every 
2 years to ensure accurate calculations.
    These two bipartisan bills, along with the other bills we 
have before us today, will help put us on the path to better 
securing our electric utility system.
    I welcome the panelists and look forward to hearing their 
insights on the usefulness of our legislation and how it may be 
improved.
    Thank you. I yield back.
    Mr. Upton. Gentleman's time is expired.
    The chair will recognize the chairman of the full 
committee, the gentleman from Oregon, Mr. Walden.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Thank you very much, Mr. Chairman.
    I want to thank my colleague from California for his good 
work on these issues. This is really important stuff for our 
country and those of us who have been briefed up on it know the 
importance of the work that's going on in our agencies and the 
security issues that are really before us.
    Today's hearing examines legislation addressing 
cybersecurity and emergency response. It will help us respond 
to some of the most urgent challenges--the reliability of our 
Nation's energy infrastructure. Because our energy 
infrastructure drives the entire Nation's economy, I've made it 
a top priority for this committee to focus on emerging threats 
and proposed solutions to make our infrastructure more 
resilient. We are looking ahead to make sure we are doing 
everything we can to protect our electric grid and our oil and 
natural gas infrastructure as well and improve our ability to 
respond when the unexpected happens.
    Because nearly all of our Nation's energy infrastructure is 
privately owned and operated, the Federal Government needs to 
work closely with representatives of the energy sector and the 
companies in the supply chain that manufacture equipment and 
technologies. In today's highly interconnected world, the 
threat of cyberattacks is ever present. So we have to be 
vigilant. We must also be prepared for physical threats whether 
they be sabotage or natural disasters like the hurricanes we 
experienced last year.
    As the sector-specific agency for energy, the Department of 
Energy has a very important coordinating role to play and this 
function was on display earlier this year in response to 
Hurricanes Nate, Maria, Irma, and Harvey. Many of us followed 
DOE's situation reports on the storms' impacts and the energy 
industry's recovery and restoration activities. The Department 
of Energy's emergency responders in the field provided critical 
subject matter expertise and assisted with waivers and special 
permits to aid restoration. To prevent a major fuel supply 
emergency, the Department of Energy's strategic petroleum 
reserve provided much-needed oil to refiners. DOE also 
analyzed electricity supply to determine whether it needed to 
draw on its Federal Power Act authorities to secure the energy 
grid.
    So today's hearing will examine four bipartisan bills 
designed to improve DOE's energy security and emergency 
response authorities. I want to thank all our members for 
working across the aisle on these important issues.
    I join Chairman Upton in welcoming back Under Secretary of 
Energy Mark Menezes to our panel. I look forward to your 
comments on the Department of Energy's security priorities and 
its views on the legislation.
    I also want to welcome the witnesses appearing on the 
second panel where we will hear a range of perspectives from 
state government, the energy industry, and supply chain 
manufacturers. We are also joined by a witness from DOE's Idaho 
National Lab. I was there on Monday. I very much appreciated 
the briefings including the classified ones and so I am very 
impressed by the work that goes on at INL and our country 
should be very proud of the incredible men and women and the 
work they do there in every regard. I also saw the unique 
capabilities to test system wide cybersecurity applications on 
a full scale electric grid loop. INL is one of 17 DOE national 
labs tackling the critical scientific challenges of our time 
and the threats that come our way and I want to thank INL 
leadership and staff for sharing their research and expertise 
with the Committee.
    This subcommittee has held dozens of hearings on energy 
infrastructure and produced several bipartisan bills to improve 
the resilience and reliability of our Nation's energy delivery 
system and these bills will ultimately make our nation more 
energy secure, reduce the cost of fuels and electricity for 
consumers.
    So at the end of the day, if we focus on what's best for 
consumers we will continue to make good public policy 
decisions.
    With that, Mr. Chairman, I yield back the balance of my 
time and thank our witnesses for their participation.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    Today's hearing, examining legislation addressing 
cybersecurity and emergency response, will help us respond to 
some of the most urgent challenges to the reliability of our 
Nation's energy infrastructure. Because our energy 
infrastructure drives the entire Nation's economy, I've made it 
a top priority for the committee to focus on emerging threats 
and propose solutions to make our infrastructure more 
resilient. We're looking ahead, to make sure we're doing 
everything we can to protect our electric grid and our oil and 
natural gas infrastructure, and to improve our ability to 
respond when the unexpected happens.
    Because nearly all our Nation's energy infrastructure is 
privately owned and operated, the Federal Government needs to 
work closely with representatives of the energy sector and the 
companies in the supply chain that manufacture equipment and 
technologies. In today's highly interconnected world, the 
threat of cyber-attacks is ever present, so we must be 
vigilant. We must also be prepared for physical threats, 
whether they be sabotage or natural disasters, like the 
hurricanes we experienced this summer.
    As the sector-specific agency for energy, the Department of 
Energy has a very important coordinating role to play. This 
function was on display earlier this year in response to 
hurricanes Nate, Maria, Irma and Harvey. Many of us followed 
DOE's situation reports on the storms' impacts and the energy 
industry's recovery and restoration activities. DOE's emergency 
responders in the field provided critical subject matter 
expertise and assisted with waivers and special permits to aid 
restoration. To prevent a major fuel supply emergency, DOE's 
Strategic Petroleum Reserve provided much needed oil to 
refiners. DOE also analyzed electricity supply to determine 
whether it needed to draw on its Federal Power Act authorities 
to secure the grid.
    Today's hearing will examine four bipartisan bills designed 
to improve DOE's energy security and emergency response 
authorities. I want to thank our members for working across the 
aisle on these important issues.
    I join Chairman Upton in welcoming back Under Secretary of 
Energy Mark Menezes to join our first panel. I look forward to 
his comments on the department's energy security priorities and 
its views on the legislation.
    I also want to welcome the witnesses appearing on the 
second panel. We'll hear a range of perspectives from state 
government, the energy industry, and supply chain 
manufacturers. We're also joined by a witness from DOE's Idaho 
National Lab, which I had the privilege of visiting earlier 
this week. Idaho National Lab, or INL, is the nation's leading 
nuclear research laboratory. INL also has unique capabilities 
to test system-wide cybersecurity applications on a full scale 
electric grid loop. INL is one of seventeen DOE national labs 
tackling the critical scientific challenges of our time and I 
want to thank INL leadership and staff for sharing their 
research and expertise with the Committee.
    This subcommittee has held dozens of hearings on energy 
infrastructure and produced several bipartisan bills to improve 
the resilience and reliability of our Nation's energy delivery 
systems. These bills will ultimately make our nation more 
energy secure and reduce the cost of fuels and electricity for 
consumers. At the end of the day, if we focus on what's best 
for consumers we'll continue to make good policy decisions.

    Mr. Upton. Gentleman yields back.
    The chair recognizes the ranking member of the full 
committee, the gentleman from New Jersey, Mr. Pallone.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman.
    Today's hearing revolves around a quartet of bipartisan 
bills designed to enhance the security of our Nation's energy 
infrastructure. However, before we get to cybersecurity, I'd 
like to talk for a minute about the security of our Nation's 
children.
    Today, 1 month has passed since the tragic shootings at 
Marjory Stoneman Douglas High School that took the lives of 17 
children and educators, and as we sit here students all across 
the Nation have just completed a 17-minute walkout in memory of 
those killed in that attack as well as to protest this body's 
refusal to take action on the gun violence epidemic.
    Students and their families are justifiably frustrated with 
the inaction here in Washington. They are sick and tired of a 
president who says one thing in front of the cameras and then 
works behind the scenes to push the NRA agenda as soon as he 
thinks the cameras are focused somewhere else. And they are 
also sick and tired of a Republican leadership in Congress that 
won't move forward on any common sense legislation, some of 
which has strong bipartisan support.
    Americans have legitimate questions about the ever-
increasing capacity of guns to kill in large numbers and the 
ease with which people who are in danger to themselves and 
others can obtain them in the marketplace and those questions 
at least deserve to be explored through hearings in this 
committee.
    Every Democrat on this committee has asked in two separate 
letters to the chairman for a series of five hearings on the 
gun violence epidemic. We have not received a response and no 
hearings have yet to be scheduled. So I hope that the chairman 
and my Republican colleagues will finally see the need to 
schedule the five hearings we requested.
    We don't expect them to necessarily agree with us or those 
participating in today's walkout on all the solutions to the 
gun violence epidemic. However, we do hope that they will 
finally acknowledge the legitimate need to explore the 
questions we are asking and for this committee to take action. 
And now, with regard to cybersecurity, I appreciate the 
majority taking these small but important bipartisan steps to 
enhance the Department of Energy's authorities with regard to 
our Nation's energy infrastructure.
    These four bills build upon the good work done by this 
committee and the FAST Act under Chairman Upton's leadership. I 
think it makes sense from both the security and business 
standpoint to have the department with the best knowledge of 
the energy industry taking the primary role in coordinating 
efforts to prevent and respond to cyberattacks on these 
facilities.
    In general, I am supportive of each of these bills. H.R. 
5174, the Energy Emergency Leadership Act sponsored by 
Representative Walberg and Ranking Member Rush, would create a 
new DOE assistant secretary position with jurisdiction over all 
energy emergency and security functions related to energy 
supply, infrastructure and cybersecurity.
    H.R. 5175, the Pipeline and LNG Facilities Cybersecurity 
Preparedness Act, was introduced by Chairman Upton and Mr. 
Loebsack. It would require the secretary of energy to carry out 
a program to establish policies and procedures that would 
improve the physical and cybersecurity of natural gas 
transmission and distribution pipelines, hazardous liquid 
pipelines and liquefied natural gas facilities.
    Representative Latta and McNerney's bill, H.R. 5239, the 
Cyber Sense Act of 2018, is based on McNerney's language 
included in the last Congress energy bill. It would require the 
secretary to establish a voluntary program to identify 
cybersecure products that can be used in bulk power systems.
    Mr. McNerney and Mr. Latta also introduced H.R. 5240, the 
Enhancing Grid Security Through Public-Private Partnership Act, 
which directs the secretary to create and implement a program 
to enhance the physical and cybersecurity of electric 
utilities.
    In addition to these bills, I also wanted to direct the 
Committee's attention to the LIFT America Act, the 
infrastructure bill that committee Democrats introduced last 
year.
    A number of the bill's provisions would enhance the 
security and resiliency of the grid through new grant programs 
and by requiring certain projects receiving DOE assistance 
including the cybersecurity plan written in accordance with 
guidelines developed by the secretary.
    And the bill would also establish a strategic transformer 
reserve program to reduce electric grid vulnerability to 
physical and cyberattacks, natural disasters, and climate 
change, and these are provisions that will better assure the 
security of our energy infrastructure and I hope this committee 
will consider them as we move forward.
    And again, Mr. Chairman, thanks for bringing up these 
bipartisan bills and I yield back.
    Mr. Upton. Gentleman yields back, and as I indicated, we 
are joined for our first panel with the Honorable Mark Menezes, 
the undersecretary of energy.
    I would just note for those of us that went on the 
bipartisan trip to look at the hurricane damage in Puerto Rico, 
on my local radio website this morning I see that the bridge 
that we saw that was washed out was rededicated yesterday with 
the governor and it's opened up. It's been 6 months. It 
connects 60 families in a town of about 33,000 folks. So I know 
we were there for an hour or so back in December. So I just 
thought I'd give that little update.
    And with that, Mr. Menezes, welcome back again to the 
Committee. We look forward to your testimony. You know the 
rules. Thank you in advance for your testimony. We will give 
you 5 minutes to sum it up and then we will ask questions from 
that point.
    So welcome.

STATEMENT OF THE HONORABLE MARK MENEZES, UNDER SECRETARY, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Menezes. Thank you, Chairman Upton, Ranking Member 
Rush, and distinguished members of the subcommittee.
    Good morning, and thank you for the opportunity to 
participate in this legislative hearing to discuss the 
strategic priorities addressing the cybersecurity threats 
facing our national energy infrastructure and the Department of 
Energy's role in protecting these critical assets and 
responding to emergencies.
    Maintaining and improving the resilient energy 
infrastructure is a top priority of the secretary and a major 
focus of the department. You referred to the written statement. 
I have submitted a much more comprehensive written statement so 
my remarks will be limited to just the highlights.
    To demonstrate our commitment and focus on this mission, 
the secretary announced last month that he is establishing the 
Office of Cybersecurity, Energy Security, and Emergency 
Response, to be known as CESER. This organizational change will 
strengthen the department's role as the sector-specific agency 
for energy sector cybersecurity supporting our national security 
responsibilities.
    The creation of the CESER office will accomplish several 
goals: One, build on the programs that we have today; two, 
elevate the department's focus on energy infrastructure 
protection and response; three, enable a more coordinated 
preparedness and response to cyber and physical threats and 
natural disasters; and most importantly, four, create a 
structure and an office with an evolving mission to ensure 
sufficient authorities and resources are in place to address 
present and future threats.
    The focus of the office will necessarily include 
electricity delivery, oil and natural gas infrastructure, and 
all forms of generation. The secretary's desire to create 
dedicated and focused attention on these responsibilities will 
provide greater visibility, accountability, and flexibility to 
better protect our Nation's energy infrastructure and support 
its asset owners.
    As more fully explained in my submitted written testimony, 
DOE works in collaboration with other agencies and private 
sector organizations including the Federal Government's 
designated lead agencies for coordinating the response to 
significant cyber incidents--DHS, the FBI, the National Cyber 
Investigative Joint Task Force, as well as DOT, PHMSA, U.S. 
Coast Guard, and FERC and others through the Energy Government 
Coordinating Council and other coordinating councils.
    The FAST Act designated DOE as the sector-specific agency 
for energy sector cybersecurity. Congress enacted several 
important new energy security measures in the FAST Act as it 
relates to cybersecurity. The secretary of energy was provided 
new authority upon declaration of a grid security emergency by 
the President to issue emergency orders to protect, restore, or 
defend the reliability of critical electric infrastructure. 
This authority allows DOE to respond as needed to threats of 
cyber and physical attacks on the grid, and although the 
administration does not have a formal position on any of the 
legislation under discussion today, we are pleased to continue 
to work with the committee to provide technical assistance. And 
this morning, I would like to provide the subcommittee with 
some high-level priorities of the department in the context of 
the President's fiscal year 2019 budget request and which is 
the subject matter of today's bills.
    Overall, investing in energy security and resilience from 
an all-hazards approach is vital, given the natural and manmade 
threats facing the Nation's energy infrastructure, the energy 
industry, and the supply chain. The fiscal year 2019 request 
would provide the department an opportunity to invest in early-
stage research, network threat detection, cyber incident 
response teams, and the testing of supply chain components and 
systems.
    Beyond providing guidance and technical support to the 
energy sector, our Office of Electricity supports R&D designed 
to develop advanced tools and techniques to provide enhanced 
cyberprotection for key energy systems. OE cybersecurity for 
energy delivery systems' R&D program is designed to assist 
energy sector asset owners by developing cybersecurity 
solutions for our energy infrastructure. OE co-funds projects 
with industry, our national labs, and university partners to 
make advances in cybersecurity capabilities. These research 
partnerships are helping to detect, prevent, and mitigate 
consequences of a cyber incident for our present and future 
energy systems.
    It's important to emphasize that DOE plays a critical role 
in supporting the entire energy sector's efforts to enhance the 
security and resilience of the Nation's critical energy 
infrastructure. To address today's ever increasing and 
sophisticated challenges, it is critical for us to be leaders 
and cultivate a culture of resilience.
    We must constantly develop, educate, and train a robust 
network of producers, distributors, vendors, public partners, 
regulators, policy makers, and stakeholders acting together to 
strengthen our ability to prepare, to respond, and recover. As 
part of a comprehensive energy cybersecurity resilient 
strategy, the department supports efforts to enhance visibility 
and situational awareness of operation networks, increase 
alignment of cyber preparedness and planning across local, 
State, and Federal levels and leverage the expertise of DOE's 
national labs to drive cybersecurity innovation.
    As always, the department appreciates the opportunity to 
appear before this committee and discuss cybersecurity and 
emergency response in the energy sector and we applaud your 
leadership.
    We look forward to working with you and your respective 
staffs and continue to address cyber and physical security 
challenges, and I look forward to your questions.
    Thank you.
    [The prepared statement of Mr. Menezes follows:]
    
    Mr. Upton. Thank you for your testimony and, as you know, 
we are talking about several bills this morning.
    We want to make sure that DOE in fact does have the clear 
authority in the energy sector to be prepared for emergencies, 
particularly concerning the distribution of oil and gas and 
electricity, and we welcome your commitment to work with us and 
the bill's sponsors, as you indicated in your testimony, to 
provide the technical assistance to make sure that these 
proposals provide the tools that the agency can use.
    I want to particularly thank, as Chairman Walden indicated 
in his opening statement, the willingness to work with the 
Idaho National Lab. I know that he had a very productive day 
out there earlier this week and I will tell members of our 
subcommittee that we are planning to have a classified briefing 
with them at some point in the near future so that we can know 
precisely what we have to be ready for and be able to ask 
questions in a classified setting. We are looking forward to 
setting that up in the next couple of weeks.
    Let me just ask if you can help us identify other areas we 
might be able to clarify and strengthen your authorities to 
respond to energy supply emergencies, if we can have that 
commitment again today, and if you want to share any specifics 
today or certainly down the road where you can help us make 
sure that the worst doesn't happen and we will put out 
thousands, maybe hundreds of thousands, maybe even millions of 
folks without the ability to hook into the needed energy 
resources for their daily lives.
    Mr. Menezes. Thank you for the question, Chairman Upton.
    Indeed, having a robust communications and coordination 
system with our industry asset owners is critical to do this. 
We currently serve on a variety of and coordinate subsector 
coordinating councils. We work closely with industry. We have 
regular meetings. We coordinate. We make our labs available to 
those that need it. We train, we practice, and we prepare. We 
do all that and, to be sure, we work with our sister agencies 
through the Energy Government Coordinating Council and work 
really on a daily basis with, as I mentioned, DHS and the other 
agencies.
    All of that we are doing today. When the system is stressed 
when we have the emergencies in Puerto Rico, the art then is to 
put all that in place and respond in real time and to work with 
our sister agencies, and I have testified before that the 
expectations that the DOE has and the technologies that we have 
and the abilities to mobilize and to react are sometimes 
exceeded by the authorities and the resources that we have.
    It is important for the department with the bills that you 
have to be clear on the authorities, you know, that we have and 
if I could say, too, it would be important to ensure that we 
have the authority to get the resources that we have when we 
are working with the other committees to ensure that we have 
the resources. So we thank you for your leadership on that. But 
clear direction and the authorization to have the resources 
would be very helpful.
    Mr. Upton. So DOE works with the Department of Homeland 
Security, TSA, and other agencies to ensure the protection of 
pipelines. But these agencies, as we know, certainly have other 
priorities. It is my understanding that TSA, despite having 
some 50,000 employees, is only able to dedicate some--a handful 
of folks, literally, three or four--to pipeline security.
    So the question I might have is are you concerned by that 
fact, that a lead agency for pipeline safety is so stretched 
that only a handful of people would be working on pipelines?
    Mr. Menezes. Well, I can't speak directly to the resources 
and demands that they have but I can tell you from the 
experience that we have at DOE, having been over there now 
almost 4 months, all agencies are constrained to use existing 
resources to respond to new and additional obligations, for 
example, and it is a constant effort to find adequate resources 
to do things to accomplish our statutory obligations.
    I will say that with pipelines both DHS and DOT co-chair, 
that sector-specific pipeline industry. We are involved through 
the oil and natural gas subsector coordinating council. And so 
we have regular interaction with the agencies that you 
mentioned and other agencies but also with the industry.
    So, we are involved in it. But, again, it's always a 
challenge to find adequate resources within the current 
budget--to do the things that are expected of you.
    Mr. Upton. Thank you.
    I yield for questions to the ranking member of the 
subcommittee, Mr. Rush.
    Mr. Rush. I want to thank you, Mr. Chairman.
    Mr. Under Secretary, to date we have not experienced any 
large-scale cyberattacks on our energy grid. However, there 
have been minor incidences, maybe even what we might call 
probes into the system.
    In your professional opinion, would you say that we have 
not experienced any large-scale attacks due to our defenses or 
is it simply because no entity has as of yet really attempted 
to launch a full-scale attack?
    And do we really even know, rather, what their capabilities 
are of some of these foreign entities or rogue states that may 
eventually try to do us some harm?
    Mr. Menezes. Thank you for the question, Ranking Member 
Rush.
    Yes, a very important question. We are at probably a 
historical turning point from what has been going on in the 
past. I had mentioned the ever increasing level of 
sophistication and the ever increasing number of threats. What 
has happened in the past simply is over and every day presents 
new challenges.
    Some of the questions you asked would involve classified 
material that I can't get into today but it is public that we 
are facing threats today that we haven't seen in the past. The 
Internet of Things, all software, all of these are providing 
opportunities for those that are very creative to try to attack 
our systems, and it's ongoing. It's daily. It's 24/7. It is 
around the clock. Interestingly, as we know, that now it is 
machines that are doing all this and they're using artificial 
intelligence. So you have machines.
    Our goal, of course, would be to counter their machines 
with our machines and our artificial intelligence. But it's an 
ever-escalating battle.
    So you're right to ask the question. We don't even know 
what the future threats are. And this is part of the reason why 
we are standing up this office. We want this to be highly 
visible. We want this to be accountable to other agencies, to 
the Congress, so that you all have a much higher visibility on 
what DOE is doing.
    So you asked the right questions. We are concerned about 
not only current but future threats and having the resources.
    Pat, did you want to say something?
    Ms. Hoffman. I just would also like to credit the strong 
partnership we have with industry and that we are keeping pace 
with respect to intelligence and classified information 
sharing, partnership with the ISAC for alerts and getting 
information out to industry as soon as possible, as well as 
partnerships and looking at engineering solutions and looking 
at technology solutions that will help mitigate some of the 
issues.
    Mr. Rush. That leads me to another concern, and that's our 
Nation's workforce preparedness when it comes to cybersecurity. 
Are we doing all that we can to ensure that we have a highly 
skilled trained workforce both presently and in the future to 
address cybersecurity issues?
    Mr. Menezes. We are doing what we can. I am not sure that 
we are doing everything that we can but we certainly are 
elevating education in the realm of preparedness in addition to 
response and ultimately recovery. But it's going to be research 
and development and breakthrough technologies to be able to 
protect and defend our system and to be able to respond.
    So we currently have training programs in place where we 
deal with not only our workforce but also the industry's 
workforce because they have to have the benefit of everything 
that we see, we know, and that we are developing so that they 
can train and they can instill a culture of resilience within 
their organizations.
    And I can testify firsthand on the past success of the 
leadership of this committee and working with the ESCC and the 
industry partners in DOE's role. I can assure you it was 
important for the electricity sector to have their CEOs 
participate, and when the CEOs participate they return to the 
company and they instill a culture of compliance and resilience 
and that they make many changes and they make sure that the 
workforce is very educated on these very technical and highly 
sophisticated programs.
    So we are committed to ensuring that we have a dedicated 
and educated workforce.
    Mr. Rush. Thank you, Mr. Chairman. I yield back.
    Mr. Upton. The chair recognizes the gentleman from Texas, 
Mr. Barton.
    Mr. Barton. Thank you, Mr. Chairman. It's always good to 
see our good friend here in such a high position.
    This is an important hearing that we are having today 
because it addresses an issue that we really haven't done a 
very good job of addressing--this issue of cybersecurity and 
emergency response.
    I am not real sure what cybersecurity is, first of all. So 
I guess my first question would be does the Department of 
Energy have a definition of cybersecurity?
    Mr. Menezes. Well, let me go back to the days that I was on 
that side of the dais in '05 when we decided to add the word 
cybersecurity into the mandatory reliability provisions that we 
put in EPAct of '05.
    We thought whether we should define it back then, to be 
frank about it, and we decided then that it was better to have 
it as, frankly, broad as it could be because we weren't sure 
what it would become.
    And so consequently I am not sure if we have a formal 
definition. I am looking over at----
    Mr. Barton. So far you have done a very good job of 
dissimulating and not saying a darn thing so----
    [Laughter.]
    Mr. Menezes. I know that.
    Mr. Barton [continuing]. But roles do change.
    Mr. Menezes. Yes. I don't think we have a formal 
definition. But----
    Mr. Barton. Well, do we need one?
    Mr. Menezes [continuing]. Again, the Internet of Things and 
software typically are ways that they seek to gain entry into 
systems via those mechanisms.
    Mr. Barton. Mr. Chairman, let's let the record show that I 
stumped the under secretary of energy on the first question, 
but in a polite way, because he and I are friends.
    Well, would you say that cybersecurity deals with the 
internet intercepting--somehow making it difficult for computer 
systems to operate, hacking into a controlled system or power 
plants or pipeline controls? Would that be a practical type of 
cybersecurity attack--something like that?
    Mr. Menezes. Yes, and you mentioned those are threats, 
right. But there's a security part of that, too. So it would 
include the communication systems, making sure you have 
resilient communication systems, control systems that you can 
monitor and detect and react and take action.
    You had mentioned the threat detection and the analysis, 
and it's not limited to just one sector of the energy industry, 
for example. So you have points of potential entry into any 
systems and we are talking about supply chain today but we have 
generation. We have all the distribution. We have transmission. 
We have the producers, the vendors. It's all up and down the, 
every point.
    Mr. Barton. Well, let me ask another simple question, which 
you may not want to answer.
    Which of our industries or sectors that the Department of 
Energy has responsibility for would you consider to be most 
vulnerable to a cybersecurity attack?
    Mr. Menezes. I think any that use the internet and use 
computers and are part of a system. And so when you get the 
briefings, we are members.
    DOE is a member of the National Security Council and as 
such we have intelligence and counterintelligence and access to 
all of our sister agencies and we have eyes on things.
    When you look at it, those that wish to penetrate our 
system will try all segments. So in that respect, we are all 
vulnerable. We are all constantly vulnerable.
    Mr. Barton. Let me ask my final question. To the 
department's knowledge, have there been any cybersecurity 
attacks on our energy sector that the Department of Energy is 
responsible for?
    Mr. Menezes. Attacks?
    Mr. Barton. Yes. Have there been attempts to----
    Mr. Menezes. Our systems are constantly being attacked. 
Constantly. Not only the DOE system but also the energy system.
    Mr. Barton. OK. Well, if you say constantly then I would 
interpret that to mean that we've successfully fended them off, 
since I am not aware of any breakdowns in our energy 
infrastructure.
    Mr. Menezes. Well, there have been some reported breaches, 
if you will. We are fortunate that we haven't had a major 
consequence of attacks and thus far we have been successful in 
identifying.
    Part of this analysis involves modeling, information 
sharing, and monitoring. You may collect data and then you will 
use our experts' abilities to evaluate what we are seeing and 
then try to figure out what is happening.
    Mr. Barton. My time has expired. But would the department 
be willing to have a bipartisan briefing where you could go 
into some detail about the attempted attacks?
    Mr. Menezes. Yes, sir.
    Mr. Barton. Thank you.
    Thank you, Mr. Chairman.
    Mr. Upton. Gentleman's time has expired.
    Mr. McNerney.
    Mr. McNerney. Well, I thank the Chairman and, again, I 
thank the witness.
    Are you familiar with the two bills that Mr. Latta and I 
have proposed--the Cyber Sense Act and the Enhanced Grid 
Security Through Public-Private Partnerships Act?
    Mr. Menezes. Yes, sir.
    Mr. McNerney. Do you think those bills serve a good 
purpose?
    Mr. Menezes. We applaud the committee for the leadership 
that you have shown and I think--has one of them passed 
already, I believe? In past Congresses?
    Mr. McNerney. Right. So----
    Mr. Menezes. And I will say that on the supply chain--you 
have already seen action, right. You have seen action from NERC 
in proposing critical infrastructure protection standards. So 
you see it pending at FERC so certainly your past efforts have 
generated that activity. It's also generated activity here in 
this administration because in the fiscal year 2019 request we 
requested additional moneys to do what your bill is proposing 
to do.
    Mr. McNerney. Do you have any suggestions on improving 
either one of those two pieces of legislation?
    Mr. Menezes. Again, my suggestions would be as you choose 
to send direction over--and obligations over to the Department 
of Energy if you can authorize resources we find that that 
helps us because otherwise the department typically would be 
forced to figure out where to get resources that it's currently 
using for other----
    Mr. McNerney. But speaking of resources, the fiscal 2019 
budget looks like a 40 percent cut in the electricity delivery 
and reliability account, which then is split into two further 
accounts.
    So you're saying on the one hand that you need resources 
and on the other hand the administration is proposing 
significant cuts in program funding.
    So how can they reconcile those notions?
    Mr. Menezes. I think the OE budget cut--I believe it's the 
case where it shows that we are pulling out almost $96 million 
and moving it into CESER. So it's creating a new office. But we 
are still----
    Ms. Hoffman. We see an increase in CESER budget line for 
the 2019 request to $96 million.
    Mr. McNerney. I saw that, but I mean, I hear that you keep 
saying we need more resources and yet some of these line items 
are being significantly slashed.
    Mr. Menezes. Well, can I point out a victory that this 
office had with the administration?
    As many of you know, because of the several trips that 
we've taken to Puerto Rico, for example, on the emergency 
response, OK, a very critical part--I know we've been talking 
about cybersecurity but if you will allow me to talk about 
that.
    Again, when we got over there and looked at our resources, 
it was surprising. It was surprising to me that all the work 
that DOE was doing on emergency response in this hurricane 
season, for example, the resources were, I thought, 
insufficient.
    We asked the White House and they agreed to double the 
budget of the emergency response, of ISER--our Infrastructure 
Security Energy Recovery.
    Mr. McNerney. So you're saying that in general terms the 
administration is acting in a way that'll increase your 
resources. Is that what you're saying?
    Mr. Menezes. In this area. In this area.
    Mr. McNerney. In this area?
    Mr. Menezes. Yes, and it's in our fiscal year 2019, to set 
up CESER. It's all in the congressional justification for it. 
So----
    Mr. McNerney. So, I mean are you----
    Mr. Menezes [continuing]. So we have support in the 
administration on the topics that we are talking about today.
    Mr. McNerney. So in a sense, are you robbing Peter to pay 
Paul for the CESER?
    Mr. Menezes. No. No, we are not. No, we are moving some 
existing programs over to CESER just to begin to set up the 
office and so that was not a--in fact, that's an increase. That 
is actually an increase.
    So, again, together it's going to be $96 million and that 
is an uptick of about maybe 16 percent, I think, from what it 
was in fiscal year 2018.
    Now, CESER didn't exist--fiscal year 2017. So it's a 
positive story here.
    Mr. McNerney. All right. Mr. Chairman, I am going to yield 
back.
    Mr. Upton. I would just note that we've got Secretary Perry 
scheduled to come next month to talk about the budget as well.
    Mr. Olson.
    Mr. Olson. I thank the chair. Welcome to our two witnesses.
    My first question will be about Hurricane Harvey. I 
followed your reports on Hurricane Harvey--the situation 
reports very closely as the storm hit and after the storm hit 
and the impacts on our energy sector--the Port of Houston and 
the petrochemical complex.
    DOE was a good partner. Worked hand in hand with Governor 
Abbott, with the local county judges, my county judge, Bob 
Hebert, Fort Bend County, county judge Matt Sebesta, Brazoria 
County, county judge Ed Emmett, Harris County. He helped to get 
waivers they needed and the assistant had to ensure the permits 
and waivers were issued without delay. That's very important.
    You mentioned, Mr. Menezes, that the budget has been 
doubled now since lessons learned from Harvey for recovery 
efforts.
    What are some lessons learned like that that we could apply 
in the future, going forward, from Hurricane Harvey? Feel free, 
both of you, to make comments about that question.
    Mr. Menezes. Well, I am aware that we did an after activity 
report, I believe. I might defer to Pat. I think she's in 
possession of that report.
    I am not sure if it's finalized or not but certainly we 
will make it available to all members of the committee.
    Pat, do you have specific comments on that?
    Ms. Hoffman. Yes, thank you very much for the question.
    I think I would applaud industry's effort as well in 
Hurricane Harvey and Irma and Maria and the strong work that 
they've done.
    Some of the lessons learned is as we continue to move 
forward the industry is on the front line so exchanging 
coordination of information is critical and absolute for having 
an effective recovery and restoration process and I think 
that's where you have seen the success as well as some of the 
lessons learned. From a department perspective, being able to 
engage our power marketing administrations, to be continuing to 
use the strategic petroleum reserve are all important aspects 
of how the department can help in a restoration process. The 
waivers and the coordination with industry were always very 
positive and helpful to support so being proactive in those 
areas as we continue.
    As we look forward on cyber, as we think about that, some 
of the needs and the issues are really being proactive in 
looking at threat analysis, continuing to support the mutual 
assistance program, and I think whether it's hurricanes or 
cybers, we really want to be able to engage stronger in the 
mutual assistance program in support of industry.
    Mr. Olson. And you all read my mind. Let's now talk about 
cyber.
    Attacks happen on America every single day in cyberspace. 
Bad actors have attacked our power industry. They've attacked 
refineries, chemical plants, pipelines, all across the 
spectrum.
    You mentioned, Mr. Menezes, about AI--artificial 
intelligence. I formed a caucus here in the House to look at 
those issues and I have a bill out to get us on board with AI 
because that's our future to prevent some of these attacks.
    My bill just basically says let's partner up with the 
private to make sure these attacks don't happen through 
cyberspace and use AI as a weapon. AI is to empower people. 
It's not to have machines run our world but it's to empower 
people with information to make sound decisions when a disaster 
hits, like a hurricane. And just like you commented about, the 
bill basically says let's have a true public-private 
partnership, support the private sector, empower them with the 
public sector's assistance, make sure we adjust jobs because 
there's lots of jobs being lost or jobs being created, have 
facts about jobs. Also bias--there's natural bias can be around 
information that may be biased--avoid that, and also privacy--
big issues.
    But how can AI help out with the recovery from Harvey and 
those you're facing?
    Mr. Menezes. Well, thank you for that question, Mr. Olson.
    You raise a very important point. AI will be the future of 
how strong and resilient we can be because of the ever-growing 
sophistication of these attacks.
    With respect to your bill, again, the administration 
doesn't have a formal view of it. But as a general rule----
    Mr. Olson. It's good. Trust me.
    Mr. Menezes. As a general rule, all the direction that you 
can provide to us, particularly in the use of tools that we can 
use within industry, former Chairman Barton had asked about 
attacks on the system and we are here representing the 
department and to be sure, the department is subject to 
attacks.
    It is our industry, however, that typically would be front 
line because the bad actors would look for soft targets. It 
might not spend a lot of effort in going after government 
assets that they think are going to be hard targets.
    So they're developing artificial intelligence to probably 
identify those risk levels. Well, industry is going to be on 
the front line and so it's very important that we get a set of 
tools and resources to be able to work with industry and to 
help industry have the resources and the knowledge and the 
wherewithal to be able to anticipate, predict, react, respond, 
and to make their systems more secure.
    Mr. Olson. Amen. Machines to empower people, not take over 
the world. Thank you for your comments. We're working for this.
    I yield back. Thank you, Chairman.
    Mr. Upton. Gentleman's time has expired.
    Mr. Tonko.
    Mr. Tonko. Thank you, Mr. Chair, and to Secretaries Menezes 
and Hoffman. Welcome. It's good to have you back again.
    I know DOE is taking its role as the sector-specific agency 
for cybersecurity seriously. But I have a few questions on the 
reorganization of the Office of Electricity Delivery and Energy 
Reliability. And, for the record, I am not necessarily opposed 
to the change but I would like to understand how it might 
affect DOE functions as we move into the future.
    Last month, Secretary Perry announced the creation of the 
Office of Cybersecurity, Energy Security, and Emergency 
Response which, as I understand it, will take existing programs 
from the Office of Electricity.
    Can you explain the vision for this cybersecurity office 
moving forward and do you expect to add new programs or 
functions to this office over time?
    Mr. Menezes. Thank you for that question. It's a very good 
question.
    When the secretary arrived over at the department, and you 
have your security clearance, right, you get briefed and your 
world view changes, and almost immediately it became very 
apparent that one of the top priorities will be resources for 
cybersecurity and, again, the physical security--and we were in 
the hurricane seasons as well and so those three things came 
together very quickly. Just from an experience point of view.
    The department, of course, had a history of dealing with 
these issues and so we began a process where we evaluated 
everything within the department, our stakeholders.
    We talked to members of Congress and staff. We talked to 
the appropriators. We talked to OMB and the White House to 
formulate a process to bring the visibility and enhance the 
importance of these three topics.
    Since this is an initial establishment, the DOE Org Act has 
given us the authority to do this--but it wouldn't surprise you 
to find out that our appropriators and others had some very 
keen views on what assets and what could we do to begin the 
process.
    So I would like to emphasize this is an initial step and so 
what we did was we identified within the department those 
successful programs to begin to process to move them over into 
a new office. So it was to simply begin that process.
    So we identified those two, the R&D within OE and the ISER 
function also within OE. It just happened to be that they're 
both in OE.
    It doesn't diminish what we continue to expect out of OE, 
the Office of Electricity, and it's just a beginning point for 
this new office.
    Mr. Tonko. And what will happen to other programs from the 
Office of Electricity?
    Mr. Menezes. What will happen with what?
    Mr. Tonko. The other programs from the Office of 
Electricity.
    Mr. Menezes. Well, they will continue and we will--in a----
    Mr. Tonko. In that realm? In that given division?
    Mr. Menezes. No, the Office of Electricity will, of course, 
help in seeing the transition of them. But the Office of 
Electricity has other critical functions too that they will 
continue to do and----
    Mr. Tonko. Does that include the non-cyber R&D portfolio 
focused on grid modernization and storage?
    Mr. Menezes. Yes. Yes. They will continue to do that.
    The other thing I want to point out is that one thing that 
we started at this department is it's a hallmark of this 
administration at DOE because of our backgrounds is to engage 
in much more of a collaborative effort between all of the 
programs.
    We are about busting these silos. Now, we are limited to 
the actual offices due to revenue streams. But as a practical 
matter, we collaborate. We share responsibilities and you know 
that we coordinate certainly all of our labs. So what you're 
seeing over there is a coordinating effort and a collaborative 
effort so that we can make use of the resources that we 
currently have to do the things that are important.
    Mr. Tonko. Will there be any split of the Office of 
Electricity staff--the FTEs, or full time equivalents going in 
another direction or will they stay intact as it is now?
    Mr. Menezes. Well, we are in the process of identifying 
which employees will ultimately report to or be part of the new 
office and there's a series of procedures and policies that we 
have to follow in order to do that. But we are going to be in 
full compliance with all of the regulations that we need to do.
    Mr. Tonko. Well, it's important, I believe, that 
cybersecurity gets proper consideration in resources. I also 
believe the work being done by the Office of Electricity on 
grid modernization, on micro grids and on storage is also 
critical and I hope that these offices will be working together 
and not having to compete for resources. I think that's very 
important.
    Mr. Menezes. You have our commitment from that, sir.
    Mr. Tonko. OK. With that, I yield back, Mr. Chair.
    Mr. Upton. Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman.
    It's great to have you--good to see you again, and 
welcome to the committee.
    So I hate acronyms. So CESER is the Office of 
Cybersecurity, Energy Security and Emergency Response 
Management, correct?
    Mr. Menezes. Yes, sir.
    Mr. Shimkus. When you use CESER that's what you're 
referring to and that's a new organization within the 
Department of Energy to address grid resiliency, which can be 
defined by either concerns of attacks or cybersecurity or the 
like. Is that fair?
    Mr. Menezes. That is fair, and it will be headed up by an 
assistant secretary.
    Mr. Shimkus. You used a good terminology--you want to bust 
the silos that occur in major bureaucracies so we have people 
talking to each other.
    Mr. Menezes. Yes, sir.
    Mr. Shimkus. So, so far so good. I think it's needed. It's 
something we've talked about for a long time.
    So let me address a couple questions, and former Chairman 
Barton had raised just the whole cybersecurity--how do you 
define.
    So that's the whole issue of what could be points of entry. 
My colleague, Mr. Tonko, mentioned the micro grids, which kind 
of are developing in our country and then the question would be 
cybersecurity of entry through a data control system that then 
could make instructions to transformers, through generation, 
through the like.
    So that's one way there could be disruption. And isn't that 
also the reason why we want--which we did in the last Congress, 
talked about quite a bit--I think you mentioned the fact that 
we had moved the bill--we do want some communication between 
our government agencies and the private sector. Why is that 
important in this debate?
    Mr. Menezes. They're on the front line. It is they're, A, 
providing the service. They are doing the things that we've 
come to expect from our energy infrastructure. They own and 
operate the actual facilities, they develop the software, and 
they rely on the supply chain, all of which could be 
vulnerable. And so as the government agency responsible for 
that, we need to ensure that they do have the training, they 
have the know-how.
    We share with them information upon which they can 
identify, train, and respond and recover, ultimately. So 
they're on that front line, which is not easy. It's a lot more 
than----
    Mr. Shimkus. So, they're seeing some front line attacks 
that they can then talk to you and we can address training 
and--not remediation but countermeasures, I guess, would be.
    Is CESER able to then also talk to our intel communities 
for higher level cyber concerns that could be then passed on to 
the private sector and say, hey, watch out for this?
    Mr. Menezes. Correct. In fact, the information sharing and 
analytical center has developed CRISP, which is the 
Cybersecurity Risk Information Sharing Program.
    Mr. Shimkus. Thank you.
    Mr. Menezes. Yes. Just threw out a couple more acronyms 
your way. And the importance of that is that while the ISAC 
manages that, it uses information that is shared by our 
intelligence-counterintelligence that we receive.
    I had mentioned previously as members of the NSC, we have 
resources that some agencies do not have and with special 
protections in place for classified information we share that 
information to the extent that we can, and it has been very 
helpful and useful in identifying threats that without it we 
still would not necessarily know that our system was even 
attacked.
    Mr. Shimkus. Let me go quickly. My time is almost expired. 
Talking about electromagnetic pulses either intentional or 
naturally occurring, the hardening of systems, the cost, and 
the communication with the private sector, I mean, the private 
sector when we talk about it they just say, oh, the cost is too 
much--can't do that. And there is some cost, but I think it is 
a concern that I hope that you all and maybe even this CESER 
subsection of DOE is talking about.
    Mr. Menezes. Well, I would say that a hallmark of any 
technology that we develop, any training system, it has to be 
cost effective. Clearly, we cannot give them information that 
imposes such a burden that----
    Mr. Shimkus. But are we talking on EMPs both naturally 
occurring or bad actors? Is that part of what you're discussing 
or----
    Mr. Menezes. Yes. CESER does have the energy security part 
of it so it would include the EMPs as well and the GMDs, if you 
want another acronym.
    Mr. Shimkus. Thank you. My time has expired.
    Mr. Upton. Mr. Loebsack.
    Mr. Loebsack. Thank you, Mr. Chairman, for holding this 
important hearing and I do appreciate both of you being here as 
well--the witnesses. Thank you so much.
    I don't think that we can argue with the fact that it's 
absolutely critical that we do ensure the safety of our energy 
infrastructure and in the 21st century we all know that a very 
critical emerging threat that's been talked about today is 
cyberattacks and we've got to just work as hard as we can to 
make sure that we protect that energy infrastructure.
    I am very proud to work with Chairman Upton. We actually 
can do some things on a bipartisan basis in this committee and 
I think we've done a lot, but to make sure that we get adopted 
eventually and implemented H.R. 5175, the Pipeline and LNG 
Facilities Cybersecurity Preparedness Act. So I want to thank 
the chair for working with me on that, and vice versa. It's 
great.
    I do think it's absolutely critical that we make progress 
to ensure the cybersecurity and safety of our natural gas and 
LNG facilities and I believe that this bill is a step in the 
right direction.
    Physical threats to pipelines and energy infrastructure do 
remain a significant threat, as everyone on this committee 
knows and you folks know. But these days our pipeline system is 
increasingly technologically sophisticated as we get new 
pipelines put in place and that does, I think, probably 
increase our vulnerability in some ways to cybersecurity 
attacks. And for the life of me, since I speak a little Spanish 
and even more Portuguese, I cannot figure out yet how to 
pronounce your name--why it's only two syllables.
    Mr. Menezes. It's Americanized Portuguese.
    Mr. Loebsack. Yes, I am aware of that.
    Mr. Menezes. You were right on that. And so we've 
apparently had the middle E become silent. So it's Menezes.
    Mr. Loebsack. Thank you for explaining that. Mr. Menezes. 
Thank you so much. Thanks for being here today.
    As we mentioned, DOE has to play a critical role in 
ensuring the safety and security of this infrastructure. Can you 
elaborate a little more about the level of vulnerability of our 
pipeline system to cyberattacks? You have spoken about that 
some this morning already but can you elaborate even more, 
within the context of an open hearing, at any rate?
    Mr. Menezes. Right, and so I will keep it general.
    Perhaps the vulnerability on the pipelines exist because 
it's a transportation system at its sense and it--probably the 
control mechanisms, the communication systems, and the 
operations systems, they may not be as fully integrated, say, 
as a fully operating electricity company in all sectors, for 
example, in the--and so as a consequence it may be the 
assumption that because they're more simplified, if you will, 
you might not have to develop technologies to make them as 
resilient as any other point of entry.
    So as they are improving their efficiencies they are 
bringing in new softwares and new devices and, again, the 
result is you see the flow of product. But as they become more 
sophisticated, we need to ensure that what they put in has the 
resiliency programmed in at the front end----
    Mr. Loebsack. Right.
    Mr. Menezes [continuing]. So that it's resilient, and 
that's going to be the key. So----
    Mr. Loebsack. Because I was kind of shocked actually at an 
earlier hearing when I found out that there isn't a lot of 
Federal involvement when it comes to pipelines in the first 
place. There's sort of oversight after they're already in place 
but there's precious little involvement as they're going in. I 
think that's one area where there can be more involvement to 
make sure that these things are put in properly and that they 
are secure.
    Mr. Menezes. Yes. We are doing what we can in our role for 
the oil and natural gas subsector coordinating council and we 
do have monthly meetings with the group and we have quarterly 
meetings as well with the larger group that is co-led by DOT 
and DHS and we do bring in all those other agencies. So we have 
a structure within the existing authorities to try to address 
that.
    Mr. Loebsack. Yes.
    Mr. Menezes. There's a lot of information sharing and it's 
important. You have got to be at the meetings. You have got to 
be willing to participate. And they are, by the way. I mean, 
they are.
    Mr. Loebsack. And just very quickly--my time is running 
short. Thank you very much. I want to make sure that you folks 
are prepared as a department in the event that this legislation 
is passed, be able to put this into effect.
    I do have one other question. Maybe you could respond in 
writing to me if that's possible. We have a lot of existing 
pipelines now that may not be as subject to cybersecurity 
threats.
    I don't know the answer to that, and maybe you could 
distinguish in writing for me those that are already in the 
ground, already exist, versus the newer ones which might be 
more vulnerable, given the technology, and I would really 
appreciate an answer to that question, perhaps in writing if 
that works for you.
    Mr. Menezes. We'll be happy to get back with you on that.
    Mr. Loebsack. Thank you so much.
    Mr. Menezes. Thank you.
    Mr. Loebsack. Thanks. Thank you, Mr. Chair, and I yield 
back.
    Mr. Upton. Mr. Latta.
    Mr. Latta. Well, thank you very much, Mr. Chairman, for 
holding today's hearing. This is very, very important when we 
are talking about cybersecurity and also the emergency 
response.
    But before I do, and I know he's stepped out right now, but 
I just want to recognize Mr. McNerney from California who's 
been working with me and all the hard work that he's done on 
the issues, especially with grid security.
    Mr. Under Secretary and Ms. Hoffman, thank you very much 
for being with us today because, again, this is a very, very 
important topic that we are dealing with today.
    In your testimony you noted that securing the electric 
sector supply chain is critical to the security and resilience 
of the electrical grid and products must be tested for known 
vulnerabilities in order to assess risk and develop 
mitigations.
    Would you explain the consequences of having a device or a 
component in the electric system that poses a cybersecurity 
vulnerability and, more importantly, do we have the adequate 
measures right now in place to protect that supply chain?
    Mr. Menezes. Great question, and thank you very much for 
it.
    Our supply chains probably would be our most vulnerable 
areas and by supply chain it could be any component part that 
any of our energy partners would rely on. That could make our 
entire system vulnerable. If point of entry could be on what 
you think is a routine software program, perhaps to do 
accounting for a supplier of valves, for example.
    OK. So the importance has been noted in a couple of ways. 
NERC has already proposed CIPs--the critical infrastructure 
protection standards--which is pending at FERC to address this 
very supply chain issue with respect to the agencies that are 
responsible for developing our mandatory reliability provisions 
for the electricity grid and this administration in fiscal year 
2019 has requested additional money so that we, with our labs 
and our experts, can similarly test these products for their 
vulnerabilities and we can mitigate those vulnerabilities. So 
we can make the whole system stronger by really addressing 
those most vulnerable, if you will.
    Mr. Latta. Also in your testimony you referenced the budget 
proposal to invest in testing supply chain components and 
systems and under the Cyber Sense bill seeks to authorize a 
related program focused on identifying and promoting 
cybersecure products using the bulk power system.
    Again, would you elaborate on the work that the DOE is 
doing to test the supply chain components and systems and also 
in a follow-up of that, how does the quality control for supply 
chains help in ensuring that cybersecurity?
    Mr. Menezes. I will allow Pat has more experience directly 
on this.
    Ms. Hoffman. So, through the Electric Sector Coordinating 
Council and our discussions with industry, the supply chain 
need has been highlighted as extreme importance and so I 
appreciate the committee's efforts in this area.
    What we are looking at is actually partnering with industry 
to test and do a pilot program to test several components that 
are critical in the industry to do a deep dive testing of the 
components and subcomponents. What the industry would like to 
understand is all the vulnerabilities so they can assess their 
risk and the risks that they are facing. So part of what the 
NERC standards also emphasize is the disclosure of 
vulnerabilities and the continued testing. One of the things 
that we want to emphasize is as we are looking at testing of 
components there may be a new vulnerability or a new threat 
vector that's discovered tomorrow. So what should be 
institutionalized is a process for continual improvement in 
cybersecurity.
    As we've talked about the definition of cybersecurity being 
secure, information technology, secure firmware software, the 
information side of the industry, we really need to continually 
test products, continually improve products, just like we would 
do from a manufacturing point of view.
    So that philosophy of continual improvement is absolutely 
critical and testing with the national laboratories can help 
identify some of the vulnerabilities and continue to advance 
the improvement of products.
    Mr. Latta. When you're testing the products, how do you get 
that information out to the industry? Because just like this 
past Friday I spoke at one of my electric co-ops in my 
district--I have the largest number of co-ops in the State of 
Ohio--and not too far in the past from that I also spoke at 
another one. But how do you get that information out, 
especially with these products, to make sure that they know 
that they're, A, available and, B, that they're tested and they 
ought to be utilized once they're approved?
    Ms. Hoffman. So the goal is to get the information out 
through the supply chain community and I am sure the next panel 
will talk about that and details of having that disclosure and 
that collaborative relationship with the industry with the 
mitigations and the solutions. But the other area is through 
our national laboratories and through, say, the ISAC program to 
continue to really identify some of the vulnerabilities but get 
it out to industry and all the components and all the sectors 
in the industry.
    Mr. Latta. Yes. Well, thank you very much, and I yield 
back.
    Mr. Upton. OK. I would recognize Mr. Kinzinger. No, I am 
sorry--Mr. McKinley.
    Mr. McKinley. Well, I wasn't expecting that. Thank you, Mr. 
Chairman.
    Mr. Menezes--or Secretary Menezes, a couple questions 
quickly, if I could.
    Three years ago we had Tom Siebel--he's the CEO of C3 
Energy--testify before us about cybersecurity and the grid, and 
he made a very revealing comment.
    He said that just a small group of engineers would be able 
to shut down the grid on the East Coast in 4 days, and it would 
shut down the grid between Boston and New York. Did you ever 
see his testimony or respond back to him on that?
    Mr. Menezes. I did not see it.
    Mr. McKinley. The fact that a lot of things have happened 
and I appreciate your answers back to Barton where you said 
that we are constantly under attack. And maybe it's worked but 
I am saying there are groups saying the engineers can do this. 
They can still get past your system if they want to do that.
    So the other thing, and just maybe it was coincidence in 
2015 Ukraine was faced with a cyberattack. The Russians 
apparently are the ones that contributed to that. What have we 
learned from that? Did we interact with the Ukraine and find 
out how that was shut down so we could prevent that from 
happening here?
    Mr. Menezes. Since that occurred before I arrived, I will 
just----
    Mr. McKinley. Just quickly, because I've got a series of 
more questions. Yes or no, have we interacted with them?
    Ms. Hoffman. The answer is yes. We worked closely with 
them. We actually gained some knowledge of the attack. We have 
had training sessions with industry and analyzing so lots of----
    Mr. McKinley. OK. But we've learned something from it.
    But then let me go also now go back even further in 
history. Back in 2007 there was an Aurora generator test that 
was maybe controversial. Are you familiar with it, Secretary?
    Ms. Hoffman. Yes, I am very familiar with it.
    Mr. McKinley. OK, you are. OK. Because they were able to 
display that just by entering 21 codes they could blow up a 
generator and thereby set in motion a blackout in the United 
States.
    What have we done to prevent those 21 codes from being 
introduced?
    Ms. Hoffman. So we worked with industry in analyzing the 
Aurora attack and looking at the focus on relays and the 
vulnerabilities in that. The industry has looked at mitigation 
solutions. We've done information sharing with industry.
    So it's been an active engagement with the industry.
    Mr. McKinley. Have they taken action, implemented things to 
prevent that from happening with that?
    Ms. Hoffman. The industry has implemented and has taken 
action per some of the requests from NERC in doing that.
    Mr. McKinley. OK. The third question or second question has 
to do with vulnerability because you talk about emergency, and 
we have a report here from New England saying that they're not 
going to have enough gas if there's an emergency situation 
that's coming up and they say that because during the cold 
weather they're having to divert that gas to homes and so 
there's not going to be gas for power plants.
    We've experienced that in West Virginia. We had a black 
start plant that had to shut down during the Polar Vortex and 
just this last winter was told that they were on day to day--
they may have to shut down as well.
    So I am wondering about in an emergency how are we going to 
make sure that we have gas available for our power generation, 
let alone cyberattack? Is there a solution to that?
    Mr. Menezes. Well, we need more infrastructure, to be sure, 
both what you referenced. The New England ISO, together with 
NERC, has identified areas in the country where we rely heavily 
on natural gas for our power generation to ensure our 
resilience and the reliability of our grid.
    It's in those constrained areas where it's important that 
we try to increase the infrastructure so that we can have 
adequate supply. That has been the hallmark of this 
administration so that we have a sufficient diversity of fuels 
including natural gas.
    Mr. McKinley. If I could, Mr. Secretary, but we are relying 
on Russia for bringing in LNG to New England and now they've 
unloaded their second tanker on this.
    So if we are going to be energy dominant, how are we energy 
dominant if in an emergency if we are going to rely on a 
foreign government to provide us a natural resource to be able 
to provide electricity in New England?
    Mr. Menezes. Well, good question. Well, the President has 
announced his efforts for the infrastructure bill and contained 
therein are recommendations on how we can help to site and 
build, construct, and permit these--in this case, natural gas 
pipelines to address the issue that you raised.
    Mr. McKinley. Right.
    Mr. Menezes. It's not limited to that but it is a component 
part of that. So it's also a function of working with the 
States because under federalism the states have a big role to 
play as to any interstate gas pipelines----
    Mr. McKinley. I understand. I don't want a heavy hand----
    Mr. Menezes. There's so much we can do.
    Mr. McKinley. I don't want the heavy hand of the Federal 
Government stepping in. But there is a concern.
    Just in closing quickly, could you tell me what keeps you 
up at night? What is your biggest concern, from your position?
    Mr. Menezes. Well, in the cybersecurity, clearly. Your 
worldview changes as you get a security clearance and you get 
briefed on what's happening.
    I think you all have been read into a lot of this stuff. 
But yes, that causes me to stay awake and, frankly, as we have 
seen what are becoming common winter events when our system is 
stressed it seems as though we may be faced with an inadequate 
supply of what used to be baseload. So the premature closing of 
what historically has been--whether it's nuclear or clean coal, 
these facilities are going offline.
    We are becoming more reliant on natural gas, which is not a 
bad thing. But it does have to get through pipelines and we've 
seen in the cyclone bomb, if you will, on the East Coast we see 
natural gas actually having price spikes, which forces the 
operators to go to nuclear, coal, and, believe it or not, oil. 
So those are the things that keep me up at night.
    Mr. McKinley. OK. Thank you very much. I yield back.
    Mr. Kinzinger. Thank you, Mr. Chairman. Thank you all for 
being here.
    I know we all recognize the very serious threat we face 
with cyberattacks. It can be especially difficult as the 
threats we face are constantly evolving and can vary 
significantly. Individual bad actors are constantly attempting 
to obtain bank routing numbers or medical records from everyday 
Americans--while state actors, for example, North Korea's 
attack on Sony Pictures or China's break of the OPM files, 
represent a very different kind of threat. And for a lot of 
these nonstate actors, a very low barrier of entry.
    In the energy sector, we have to prepare for any level of 
attack, given the interconnectedness of the grid. Even a 
relatively small scale attack on a single asset could have 
serious consequences.
    I will ask both of you, just whatever you can do with this. 
If you can elaborate on how the work the DOE does, like R&D, 
industry information sharing, and physical hardening of assets 
to combat cyberattacks, is flexible and able to evolve as the 
threats change.
    You might have addressed this to some extent.
    Ms. Hoffman. Sure. I appreciate the question. We've been 
actively engaged with industry and we know that the core 
components of a strong cybersecurity program really looks at 
building capabilities. And so our goal is to help industry 
build as much capabilities as possible so our R&D program is 
focused on supporting that capability development.
    So from an information sharing program, let's look at a 
continuous monitoring or an ability for intrusion detection. 
It's a capability that the industry needs to have and a support 
that we've been providing through the risk information sharing 
program that we've developed with industry.
    Other activities is really trying to get ahead of the game 
and looking at threat analytics but engineering some cyber 
solutions to prevent and mitigate some of the events that are 
occurring or the events that could cause damage to the 
equipment.
    One of the things that we want to do is look at continued 
sharing of programs but also incident response and I think that 
is the next phase of which we must advance in is supporting the 
development of incident response capabilities so those tools 
and capabilities to identify where actors are on the system but 
also to prevent them from continuing to progress from a 
cyberattack point of view.
    So our R&D program, we also have two strong university 
programs, one with the University of Illinois and one with the 
University of Arkansas, to develop the next generation 
solutions as well as partnerships with the national 
laboratories, looking at a moving target type activity to think 
about how could we make the system more dynamic.
    Mr. Kinzinger. And to drill down a little bit, it was 
mentioned, sir, in your testimony that the cyberattack on 
Ukraine, which the CIA attributes to Russian military hackers, 
we've experienced a number of attacks by state actors here.
    Does DOE plan for these kinds of coordinated attacks 
differently and what systems are in place to ensure that the 
DOE is receiving the most pertinent and up to date threat 
information from our intelligence agencies?
    Mr. Menezes. Right. As Pat Hoffman had testified earlier, 
the lessons that we learned with respect to the Ukraine.
    But I would like to point out that we work with NERC on the 
GridEx exercises where we have these kinds of situations and we 
bring industry in, government in, all the stakeholders in, and 
they participate in a real live situation, if you will, that 
brings to bear the most sophisticated approaches that we have 
seen to date.
    So it's been ongoing. It had been a success story by all 
measures. We gain a lot from that. The industry gains a lot 
from that. I can vouch from industry that you take those 
lessons learned and you implement them. And they could be as 
simple as revealing, for example, that you might need satellite 
phones, for example, because when you lose your power you need 
to be able to communicate and you need to have enough satellite 
phones.
    So it can be something as simple as that to something much 
more sophisticated to developing a more resilient software 
program, for example.
    Mr. Kinzinger. Thank you.
    And DOE has a long history of promoting a strong energy 
workforce and I think we all recognize the need for well-
trained cybersecurity professionals in both the private and 
public sector.
    As part of the new announced Office of Cybersecurity, 
Energy Security, and Emergency Response, does DOE plan to 
engage in cybersecurity workforce development? For whoever 
wants to answer that.
    Mr. Menezes. Right, to repeat what we had previously said, 
the short answer is yes. We currently have in place training 
programs throughout the process, whether it be at the front end 
on preparedness. We make sure that you have training to 
anticipate, identify the new threat vectors, how do you 
recover. And, of course, what's most important is to have the 
innovative R&D in place. So while driven primarily by our labs 
together with industry it's important that we train the 
workforce, and the workforce is not just in the departments or 
the governments. It's in the industries themselves and it's not 
limited to just the big player in the industries but it's all 
the participants which we have in place right now to cover the 
large utilities of all sizes whether you're a muni or a co-op.
    So we are trying to develop and implement and train and 
maintain and enhance these programs.
    Mr. Kinzinger. Thank you all, and thanks for your service 
to the country.
    I yield back.
    Mr. Upton. Mr. Griffith.
    Mr. Griffith. Thank you very much, Mr. Chairman, and thank 
you, Mr. Under Secretary, for being here. I appreciate all your 
work on emergency response and Puerto Rico, and I know you're 
passionate about trying to make everything safer.
    I am going to shift gears a little bit. My colleagues have 
asked some great questions on what we already have and I 
appreciate that, and my colleague on the other side of the 
aisle, Congressman Loebsack, touched on this earlier and asked 
you all to get back with him on whether the new pipelines with 
more technologies are more vulnerable than older ones already 
in the ground.
    I would hope that you would include me in whatever response 
you give him because I am interested in that. And we have a new 
pipeline that's being built in my district and a lot of my 
constituents are concerned about all kinds of issues. And so I 
would also ask, and not expecting you to have an answer today, 
but also ask that you take a look at what can we do as far as 
making sure that the new pipelines have technology in them that 
lets us know if there's an earthquake in the area, a collapse 
somewhere. The faster that people know about it the faster we 
can respond. Folks are very concerned about possible breaches.
    I've mentioned natural disasters but it could also be bad 
actors from outside. And also I think maybe we need to look and 
would like your help in figuring out if we need to draft 
legislation that would get DOE in on the front end, as Mr. 
Loebsack pointed out, because I am not sure that FERC is 
looking at, OK, how can we make this pipeline less vulnerable--
should we move it away from the more occupied area of a 
particular--let's say we have a farm. Should we move it away 
from where the house and the barn are and--to an area that's 
less likely both to be attacked by bad actors or to create a 
problem should there be some kind of an issue.
    Likewise on that same vein--I am going to give you a second 
here but I just want to get it all out before I forget 
something--it would also seem to me that DOE would want to know 
who had extra capacity and a new pipeline with the right kind 
of technology could tell you instantly whether or not they had 
the ability to take on more natural gas at a particular moment 
should there be a failure in some other area so that we can get 
that natural gas to where it needs to go by rerouting it 
possibly. And we've got two coming through Virginia, one 
through my district, one going through Bob Goodlatte's and 
other districts.
    While we are laying this pipe is the time to put in any new 
innovations and new thoughts into that, and I am just hoping 
that DOE has some thoughts and plans. And I will give you an 
opportunity to respond to that now but also ask that you get 
back to me on all those thoughts that are important to me 
intellectually but also important to the constituents in my 
district--that they want to feel a little bit safer about this 
pipeline coming through their back yard.
    Mr. Menezes. Well, thank you for the series of questions 
and the commentary.
    Of course, we agree with the issues that you have 
identified. If I can just take a quick crack at it, if you 
will, Pat, and then I will defer to you. But, first of all, 
with respect to developing the technology on the resiliency 
side of it, first of all, you hit on a key point.
    As you know, our system is becoming more and more open. We 
are actually excited about all the possibilities of getting 
more inputs on either side of the meter. Individuals will be 
able to gain input. We are increasing the flexibility of our 
grid for a variety of good reasons--make it more resilient, 
more reliable. However, every time we make it smarter it's a 
new entry--it's a potential new entry. So in my conversations 
with the lab directors, for example, whom we meet with 
regularly on this, as they're developing ways to make things 
more efficient or greater access, more individuals who can get 
electrons--produce whatever they want when they want it, as an 
example, I make sure that my message to them is as you develop 
that new technology, please, at the front end, design it in 
such a way that it is resilient and it is secure. And so that 
message is out and they are doing that. So that's on that 
question.
    With respect to the question on the extra capacity to take 
on more natural gas, I will say that we work with our other 
partners. I mean, we work with FERC. We work with NERC.
    We are aware of the interoperability issues there. We are 
also aware of other potential issues that might give rise, when 
you're talking about sharing market information and that kind 
of thing. So those things have to be looked at and considered 
carefully.
    But the short answer is yes, to the extent that as we are 
making these improvements and we are spending these resources 
and we are developing these programs and we are improving 
technologies, I think you can look at it holistically, if I can 
use that word, to describe what you were discussing.
    And with that, I will pass it to Pat if she wishes to say 
something.
    Ms. Hoffman. Just really quick, adding the resiliency 
looking at four and minus one contingency or single point of 
failures.
    I think also another point that I would like to bring up is 
you're absolutely right, having the ability to increase the 
amount of sensors in the system to be able to predict and get 
ahead of the game as we look at failures as a critical 
component that we think is an important part of our program in 
improving resilience.
    Mr. Griffith. I appreciate it, and I yield back, Mr. 
Chairman.
    Mr. Upton. Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman, and I want to thank 
both of you for being here today. Such an important topic, 
cybersecurity, particularly as it relates to energy and our 
energy infrastructure.
    I dare say that most people don't really think about the 
implications of cybersecurity when it comes to infrastructure 
and the importance of it. So when looking at emerging 
cybersecurity risk and particularly threats of the highest 
consequence to energy infrastructure, it seems critical to me 
that DOE have full visibility on the greatest infrastructure 
risks and consequences.
    Do you believe, Mr. Under Secretary, at this point that DOE 
has sufficient visibility today on what those risks and 
vulnerabilities are?
    Mr. Menezes. Well, we currently have sufficient visibility 
but it is the future that we need to anticipate. And so today's 
hearing is about how it is that these increasing threats will 
require us to have greater visibility and the resources which 
is why we've set up this office that we affectionately refer to 
as CESER.
    Mr. Johnson. Yes.
    Mr. Menezes. So we are doing OK today, as several members 
have identified. It seems as though while we have the constant 
threats we've been able to avoid a major catastrophe. But we 
want to make sure that going forward we have the visibility and 
the resources. I think Ms. Hoffman would like to say something.
    Mr. Johnson. Sure.
    Ms. Hoffman. I think it's important to continue to support 
the information sharing between industry and the Department of 
Energy in understanding the number of events that are going 
out. The critical need, as the under secretary has talked 
about, moving forward, is that we want to get ahead, we want to 
see what the next generation threats are. And so that close 
public-private partnership and information sharing and the 
flexibility and the freedom for the industry to voluntarily 
share information with the department is absolutely important.
    Mr. Johnson. OK. I am encouraged by that answer because 
I've long held the belief and I still do that this is not an 
issue that has an ending to it. This is not a race that we are 
going to run and cross the finish line. As soon as we figure 
out how to keep the bad guys from getting into our networks, 
especially in the digital world where everything is connected, 
as soon as we figure that out, we've got another problem right 
on the tail end of that.
    So I appreciate that there's a forward look and an 
understanding that that's the case. So what measures can you 
take to increase visibility of security threats today?
    Now, you mentioned some of them. You have created this 
office. Can you give us some examples of what some of the 
future look areas are?
    Mr. Menezes. I will take the larger view and I will defer 
then to Ms. Hoffman on the specifics.
    But the creation of the CESER or the establishment of the 
CESER program is just an initial step and we are taking 
existing programs and putting it in.
    Our vision, though, is much greater and so we want to work 
with this committee and other members of Congress--the White 
House, our other agencies--to actually put in place other 
programs, projects, and the resources to anticipate the 
increasing threat.
    And so that's the big picture and that's why it's 
important, we think, to set this up and have it under an 
assistant secretary.
    Mr. Johnson. OK.
    Ms. Hoffman. So I would just add three things. It's really 
active threat investigations, so going after and looking at 
future threats and tactics and techniques that a bad actor 
would utilize against the system. So it's really being 
proactive, moving forward.
    It's continuing to support the threat analysis programs 
such as the CRISP program where we are actively looking at 
indicators and looking at sharing of information, whether it's 
an indicator that's discovered by industry or by the Federal 
Government and allowing that to be shared with industry as 
quickly as possible. And then it's really getting to the point 
that we can get to machine-to-machine sharing and we can get 
proactive whether it's with artificial intelligence, whether 
it's with other capabilities.
    But it's very--I would say going from the current 
understanding mode to more of a proactive mode are the areas 
that we want to move forward on.
    Mr. Johnson. One of the things that--when I was on active 
duty in the Air Force even as far back as the mid-'90s as the 
world began to be interconnected and we started talking about 
things like network-centric warfare and the digital age and 
what that meant to national security, risk management and risk 
assessment began to be pushed down in the Department of Defense 
as part of our overall culture. So it's one thing to have our 
leaders talking about it.
    I know I am over my time. Can you give us 30 seconds on 
what you're doing to make risk assessment and risk management 
where cybersecurity is part of the culture in DOE?
    Ms. Hoffman. Just really quick--we have a risk management 
tool that we've provided and work with industry on. We have a 
cyber capabilities maturity model, which is also a risk 
assessment tool.
    The industry is looking at the NIST risk assessment 
capabilities. So that is being filtered down. But it is a 
continual process that we want to show in advance. And so there 
are tools and best practices that the legislation has 
recognized and it's very important--a success in industry for 
advancing those capabilities.
    Mr. Johnson. OK. Well, thank you very much.
    Mr. Chairman, thanks for the indulgence and I yield back.
    Mr. Upton. Mr. Long.
    Mr. Long. Thank you, Mr. Chairman, and Mr. Menezes, when 
you opened this morning you mentioned I believe that the cyber 
threat from the bad actors, sometimes it boils down to their 
artificial intelligence attacking our systems and our defense 
is our artificial intelligence trying to prevent their 
artificial--can you speak to that for just 30 seconds and, 
that's a----
    Mr. Menezes. I will let----
    Mr. Long [continuing]. Can of very severe worms, I think.
    Mr. Menezes. I will let Ms. Hoffman answer that one.
    Ms. Hoffman. So when we talk about cybersecurity, it's 
really looking at information, technology, and control system 
technology. But a lot of it is layering computer protections 
against computer attacks and computer protections, and so you 
keep layering on different information technology solutions to 
thwart information-based attacks on the system.
    So it becomes an information and a controlled system but a 
capability of an actor to use that information technology 
against the industry and so it becomes a very broad attack 
surface. And so what we need to do is think about what is the 
right information technology placement in industry that 
provides the capability industry requires but doesn't provide 
that broader attack surface.
    Mr. Long. Kind of reminds me of a friend of mine 40 years 
ago that had a restaurant and he said that he laid awake half 
the night trying to figure out how to keep his employees from 
stealing from him. But the problem was that his employees laid 
awake the other half of the night trying to circumvent his new 
system.
    So, Mr. Menezes, as we live in an increasingly digitized 
world with the ever-growing threat of cybersecurity attacks, I 
think it would be important for the Department of Energy to 
identify the greatest security risk in order to mitigate 
potential damage.
    How does the Department of Energy prioritize any security 
risk and how are you working with private energy asset owners 
to plan for the possibility of cyberattacks?
    Mr. Menezes. Well, our priorities are typically a result of 
what we are seeing and what we are anticipating. So it's in 
real time because information that we gathered--both you and 
Congressman Johnson mentioned the digitalization of our systems 
and, indeed, we are producing not only more data but more 
access points as all of our systems become more digitized.
    So when we prioritize those things that we are addressing, 
obviously we have to address those threats that we know as 
those threats are evolving. That's the first thing. We have to 
continue everything we've done in the past because they can 
always revert to prior technology, so we can't ignore that. We 
build on what we know and then we try to anticipate where we 
think the next threats are coming from. So we have to make sure 
that we can respond to what we know and we have to be able to 
identify those threats.
    As I mentioned earlier, we have a lot of hits on our 
systems. They could appear random. Because of our modeling 
techniques it could be that we are witnessing new ways that 
they are trying to figure out ways to gain access to the 
system.
    So we need to make sure that we have that priority in place 
so we can almost see into the future, if you will, to make our 
current system resilient to those threats.
    Mr. Long. OK. And you also talk a lot in your testimony 
about the Department of Energy working with the Department of 
Homeland Security, Department of Justice, and the FBI on energy 
sector cybersecurity.
    As the sector-specific agency for cybersecurity in the 
energy sector, what is the Department of Energy's role during a 
potential cyberattack on the energy infrastructure?
    Mr. Menezes. I will defer to Pat.
    Ms. Hoffman. So in the event of a cyberattack, first of 
all, we coordinate very closely with industry in looking at 
what is happening on the system.
    We coordinate the primary function through the National 
Cybersecurity and Communications Integration Center--the NCCIC 
at DHS, which is the focal point for cyber coordination in the 
Federal Government. So we will work with them. We will work 
with the FBI as well.
    We will look at the capabilities that industry has for 
dealing with this attack, trying to understand what is the root 
cause of the attack but then also work with industry on 
providing mitigation measures and any support that's needed.
    We would utilize NERC and the ISAC for getting information 
out to the rest of industry from a prevention and preparedness 
point of view and that capability is very strong and used, is 
aware across all the sectors of the industry to pay attention.
    Mr. Long. OK. Thank you.
    I have run out of time so, Mr. Chairman, I yield back.
    Mr. Upton. Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman, and thank you for 
highlighting my legislation, H.R. 5174, as part of this 
hearing, and I appreciate the panel being here, Mr. Menezes and 
Ms. Hoffman, and your attention to these concerns.
    Back when the Department of Energy was organized as a 
Cabinet agency back when I was in graduate school in 1977, the 
largest energy security concern was fuel supply disruptions, 
not electricity disruptions or cybersecurity, as we are talking 
about now. As you would expect, the department's Organization 
Act reflected those concerns. Times have changed and we should 
be thinking differently now about energy security and emergency 
preparedness. So I am glad we are doing that here today.
    Mr. Menezes, the secretary's efforts to elevate the 
agency's leadership on emergency and cybersecurity functions 
are commendable. But I would like to see DOE leadership 
continue under future administrations. It can't be catch as 
catch can. We need that continuity.
    Do you think it would help to codify DOE's assistant 
secretary functions into DOE Organization Act?
    Mr. Menezes. Well, thank you for that question, 
Congressman, and let me take a minute to express our 
appreciation for working with the committee and its efforts to 
review our DOE structure and its authorizing statutes.
    Your staff and other members work in a very collaborative 
way to try to identify ways as we seek to realign and modernize 
the department that you seek to modernize the enabling 
statutes.
    So we support the effort. We appreciate the collaboration 
and exchange of information and we continue to look forward 
with you as you move legislation through the process.
    Mr. Walberg. In H.R. 5174, we specify functions to include 
emergency planning coordination response. Can you talk about 
your work to elevate these functions in the new office?
    Mr. Menezes. Right. Well, and the secretary announced the 
setting up of CESER. That is a clear demonstration of his 
commitment and his organizational vision for the department, to 
highlight it, to increase the visibility, to coordinate 
efforts, and to be a source of additional guidance from 
Congress, the White House, and other agencies. So he's 
committed to that and he's showing it in a very real and 
measurable way.
    So that's what we are proposing and that's what we are 
doing. And then we look forward to working with you, the 
appropriators, others, to ensure that it has the adequate 
resources it needs to accomplish the goals that we hope it 
accomplishes.
    Mr. Walberg. Ms. Hoffman.
    Ms. Hoffman. I would just like to add to what the 
undersecretary said, that any sort of event that occurs the 
effective response really is built off of information sharing 
and coordination.
    So in the preparedness when we are conducting exercises, 
when we are sharing classified threat briefings, when we are 
coordinating with the intelligence community, it's all critical 
components of how we support preparedness and so that we are 
actively coordinating ahead of any event that may occur and 
that will allow the Federal Government and industry to be very 
efficient in making sure that we understand the root causes but 
also the opportunities for mitigations and restoration.
    Mr. Walberg. Good. So, clearly, you will work with us to 
identify any gaps with--of authority or ambiguities--maybe I 
should have left that word out--in the system so we can make 
sure it continues to work.
    Mr. Menezes. Yes, sir.
    Mr. Walberg. Let me ask one more question, Mr. Menezes. Do 
you believe that elevating cybersecurity functions to a Senate-
confirmed assistant secretary level will help intergovernmental 
and interagency communication as well as multidirectional 
information sharing with DOE's ability to appropriately and 
quickly address cyber-related emergencies?
    Mr. Menezes. I do. The key part about being a Senate-
confirmed appointee is the accountability that you have to 
maintain with the two branches of government. You're in the 
executive branch and you're confirmed by the Senate, and so it 
forces you to work with Congress and to fully explain yourself 
to the executive branch.
    Secondly, it increases the visibility and the 
accountability. So as of today, we come up here regularly to 
testify and so it's a way that we can ensure that we are doing 
what we said we were going to do and we are doing what you 
think that we told you that we were going to do, and you can 
give us instructions as to how we can better do what we need to 
do.
    Mr. Walberg. Thank you, and you can review the acronyms 
too, as you come up.
    I yield back.
    Mr. Upton. Mr. Duncan.
    Mr. Duncan. Mr. Chairman, thank you. You saved the best for 
last, I guess. Maybe.
    There's been a lot of talk today about electromagnetic 
pulse and grid hardening. Solar flares, coronal mass 
ejections, CMEs, resulting geomagnetic storm effects are real.
    So EMPs could be manmade and be a natural event, and we 
sort of discount the natural event but just did a little 
research--1989 we had a huge CME event that knocked out power 
to 6 million people in northeastern Canada, and we just missed 
another one this year in 2017 where a huge solar flare happened 
and the Earth just was not in its path, thank goodness, and 
thank God we weren't.
    But we are not immune to that happening in the future. So 
too many times when we talk about EMPs, people look at us like 
we have on a tinfoil hat--that we are talking about some rogue 
state possibly launching a nuclear weapon into the atmosphere 
above the Earth and creating an EMP and knocking out our power 
grid. That's a real possibility too when rogue states have 
nuclear weapons.
    So whether it's a natural EMP or whether it's manmade, 
we've got to be prepared for it and one thing that I talk about 
a lot in this committee is my alma mater, Clemson University, 
and they partner with the Savannah River National Laboratory--
DOE, regional utilities, and stakeholders to develop the 
Nation's largest grid emulator, the 20 MVA Duke Energy e-grid 
and are working on the next phase, a high-voltage transmission 
scale user facility that can be used to test large-power 
transformers and other critical transmission assets to develop 
protection schemes from both cyber and EMP attacks.
    It's a prime example of enhancing grid security through 
public-private partnerships, which is the title of one of the 
bills we are reviewing today. So I encourage DOE to continue 
looking for these opportunities, especially since the new 
Office of Cybersecurity, Energy Security, and Emergency 
Response. I guess you're going to pronounce that as CESER. 
Everything in government has an acronym, right?
    Can you further discuss what CESER's plans to harden the 
grid and protect the EMPs are? Either one.
    Ms. Hoffman. So thank you for the question.
    As you are well aware, the department takes an all-hazard 
approach. So we are looking at a multitude of threats that face 
the electric grid and the energy industry.
    The national laboratories have important testing 
capabilities. You mentioned one of them. There are several 
capabilities that we are utilizing from an EMP perspective. We 
have partnered with the industry in looking at an EMP strategy. 
We have also worked with EPRI as they're looking at their 
mitigation and testing plan. We are looking at what the 
department can do to support EMP testing. As you know, it's a 
very expensive process to do EMP testing.
    Mr. Duncan. You mentioned the cost but were you familiar 
with what Clemson is doing, before today?
    Ms. Hoffman. Yes, I am familiar with Clemson several other 
activities in the labs.
    Mr. Duncan. Have you visited the research facility in 
Charleston, South Carolina, or has anybody from DOE done that?
    Ms. Hoffman. I don't know if I've visited that facility but 
I've visited the----
    Mr. Duncan. Can I invite you on behalf of my alma mater to 
visit the drivetrain and test facility in Charleston, South 
Carolina?
    Ms. Hoffman. Yes, sir.
    Mr. Duncan. Both of you?
    Mr. Menezes. Yes, sir.
    Mr. Duncan. OK.
    Let me shift gears real quick. President Trump has talked 
about a huge infrastructure package and we are talking about 
within Congress and I guess TNI is working on this package.
    When people think about infrastructure they think about 
roads, bridges, water, sewer, airports, port deepening, et 
cetera. But grid hardening and our transmission of power 
supplies, so talking about--I think Morgan Griffith talked 
about natural gas pipelines and other things. But are elements 
within DOE, discussing with the White House and members of 
Congress, specifically probably TNI Committee--transportation 
and infrastructure--plans to include grid hardening and 
cybersecurity as part of the infrastructure package or elements 
within the DOE having those conversations?
    Mr. Menezes. Well, thank you for the question and pointing 
out the importance of the issue and the opportunities to work 
with everyone who's working on the infrastructure bill and who 
will be working on the infrastructure bill.
    To be sure, a resilient strong operating energy system 
relies on infrastructure and so those component parts should be 
part of an infrastructure bill to the extent that it's 
necessary.
    The secretary, in fact, is testifying today in the Senate--
in the other body, excuse me.
    Mr. Duncan. On this subject?
    Mr. Menezes. On the other body--on the President's 
infrastructure bill. And so----
    Mr. Duncan. So let me just--because my time is running 
out----
    Mr. Menezes. So energy is a----
    Mr. Duncan [continuing]. Is this a priority for the White 
House with regard to an infrastructure package--grid hardening 
and cyber security as part of the infrastructure package and 
should it be?
    Mr. Menezes. I know that energy components are a part. I am 
not sure if the phrase hardening would be in----
    Mr. Duncan. Let me encourage you to go back to Secretary 
Perry and go back to your bosses and others in the White House 
you have conversations with and let's make this a priority in 
the upcoming infrastructure package.
    But I can tell you it's going to be a priority of a number 
of people here in Congress.
    Mr. Chairman, I appreciate it. With that, I yield back.
    Mr. Walberg [presiding]. I thank the gentleman. Seeing that 
there are no further members wishing to----
    Mr. Rush. Mr. Chairman. Mr. Chairman.
    Mr. Walberg. Mr. Rush.
    Mr. Rush. Before we adjourn, I want to ask unanimous 
consent to allow me to ask the Under Secretary a couple of 
questions.
    Mr. Walberg. Without objection.
    Mr. Rush. Mr. Secretary, I understand that the Secretary 
will be appearing before the committee in the near future to 
discuss the Department's fiscal year 2019 budget request.
    The Department routinely provides detailed budget 
justification to Congress. But a number of the detailed buy-ins 
of the fiscal year 2019 request are not available. Does the 
Department plan to release Volumes II, III, V, and VI prior to 
the Secretary's appearance before the committee?
    Mr. Menezes. We plan to release it when it's complete. Yes, 
sir.
    Mr. Rush. Thank you, Mr. Chairman.
    Mr. Walberg. I thank the gentleman.
    Again, seeing that there are no further members wishing to 
ask questions, I would like to thank the panel for being with 
us today and providing us the answers and probably further 
questions that we'll have down the road.
    Mr. Menezes. Happy to answer any questions for the record. 
Thank you.
    Mr. Walberg. Thank you, sir.
    We'll change panels here now, and move on with the 
continuation of the hearing.
    [Pause.]
    We appreciate the quick changeover here and we want to 
thank all of our witnesses for being here today and taking the 
time to testify before our subcommittee.
    Today's witnesses will have the opportunity to give opening 
statements followed by a round of questions from members.
    Our second witness panel for today's hearing includes 
Tristan Vance, Director--Chief Energy Officer, Indiana Office 
of Energy Development--welcome; Zachary Tudor, Associate 
Laboratory Director for National and Homeland Security Idaho 
National Laboratory--welcome; Mark Engels, Senior Enterprise 
Security Advisor, Dominion Energy--welcome to you; Kyle Pitsor, 
Vice President, Government Relations, National Electrical 
Manufacturers Association--welcome you; and Scott Aaronson, 
Vice President, Security and Preparedness, Edison Electric 
Institute. Welcome.
    We appreciate you all being here today. We'll begin the 
panel with Mr. Tristan Vance, and you are now recognized for 5 
minutes to give an opening statement and I am sure you're well 
aware of the lighting format.
    Welcome. We recognize you.

 STATEMENTS OF TRISTAN VANCE, DIRECTOR, CHIEF ENERGY OFFICER, 
INDIANA OFFICE OF ENERGY DEVELOPMENT; ZACHARY TUDOR, ASSOCIATE 
 LABORATORY DIRECTOR FOR NATIONAL AND HOMELAND SECURITY, IDAHO 
 NATIONAL LABORATORY; MARK ENGELS, SENIOR ENTERPRISE SECURITY 
    ADVISOR, DOMINION ENERGY; KYLE PITSOR, VICE PRESIDENT, 
    GOVERNMENT RELATIONS, NATIONAL ELECTRICAL MANUFACTURERS 
   ASSOCIATION; SCOTT AARONSON, VICE PRESIDENT, SECURITY AND 
            PREPAREDNESS, EDISON ELECTRIC INSTITUTE

                   STATEMENT OF TRISTAN VANCE

    Mr. Vance. Thank you. Thank you, Mr. Chairman, Ranking 
Member Rush, and members of the subcommittee.
    I am Tristan Vance, the Director of the Indiana Office of 
Energy Development. I also serve as the Chief Energy Officer 
for the State of Indiana and I am testifying on behalf of the 
National Association of State Energy Officials--NASEO.
    Our testimony is in support of H.R. 5174, the Energy 
Emergency Leadership Act; H.R. 5175, Pipeline and LNG 
Facilities Cybersecurity Preparedness Act; H.R. 5239, the Cyber 
Sense Act; and H.R. 5240, the Enhancing Grid Security Through 
Public-Private Partnership Act.
    We appreciate the subcommittee's actions on energy 
emergency preparedness as demonstrated by the passage of H.R. 
3050, which reauthorized appropriations for the U.S. State 
Energy Program--SEP--and strengthened its emergency and 
cybersecurity provisions.
    Mr. Chairman, Ranking Member Rush, Full Committee Chairman 
Walden, Ranking Member Pallone, and the original sponsor of the 
SEP legislation and sponsors of the Dear Colleague letter 
calling for $70 million for the SEP program, Mr. Tonko and Mr. 
McKinley, you all deserve special praise for your leadership.
    My state energy director colleagues from across the country 
visited Washington, D.C. in February and strongly encouraged 
many of your Senate colleagues to act on H.R. 3050.
    First, NASEO would like to note the U.S. Department of 
Energy's exceptional response to last year's hurricanes. The 
support for energy emergency response from DOE combined with 
SEP resources, collaboration among states, tribal, and local 
governments and industry worked to save lives and lessen 
economic losses.
    In particular, the electric and petroleum industries' 
efforts to restore services were exceptional. Secretary Perry's 
call for the Cybersecurity, Energy Security, and Emergency 
Response Office, or CESER, would further improve both States' 
and the Nation's ability to respond to and mitigate the risks 
of energy supply disruption from all hazards.
    NASEO's 2017 bipartisan recommendation to the Trump 
administration called for such action. In my capacity as a 
NASEO board member, I co-chaired the NASEO transition task 
force, which developed this important recommendation. We 
believe such action will save lives and protect the economy of 
communities in every region of the country.
    The Energy Emergency Leadership Act will elevate this core 
DOE function and we strongly support the bill. I also want to 
stress the importance of CESER having a well-defined state 
energy security program and robust program management 
resources. A strong DOE state energy emergency partnership such 
as the one that exists today in the DOE Office of 
Infrastructure Security and Energy Restoration is critical to 
respond to emergencies effectively.
    Joint state-federal coordination and data sharing is the 
heart of emergency response. In Indiana, for example, the 
propane crisis in 2014 needed a rapid response and government's 
ability to connect stakeholders from three sources in order to 
keep Hoosiers safe and protect our local economy from 
potentially devastating poultry industry losses.
    While our Nation has not faced a cybersecurity event with 
significant energy supply impacts, we should adopt the lessons 
learned from recent natural disasters for our cyber 
preparedness. We share the subcommittee's concerns and the 
threat cybersecurity presents to the energy system--
electricity, natural gas, and petroleum.
    A cyberattack to the energy system during a natural 
disaster is a horrific scenario. However, we must address such 
possibilities. For example, the DOE-NASEO-NARUC Liberty Eclipse 
emergency exercise in 2016 focused on a combined cyber and 
natural disaster event. These low-cost regional exercises are 
essential.
    We also strongly support H.R. 5239 and H.R. 5240 and 
believe States can leverage these activities. They build upon 
the work of utilities, DOE, and the States. For example, in 
Indiana we created the Indiana Executive Council on 
Cybersecurity to lead a public-private partnership and have 
created a State-led exercise series focused on SCADA systems 
for electric and water utilities.
    Equally important is mitigating energy system risks. For 
example, states using public-private partnerships such as 
energy savings performance contracting to upgrade energy 
systems at mission critical facilities and we are working with 
DOE's Clean Cities program to add natural gas, propane, and 
electric vehicles in first responder fleets to enhance 
resiliency.
    NASEO believes the four bills discussed today are a 
significant step forward on an urgent nonpartisan national 
security issue. We greatly appreciate the subcommittee's 
continued leadership on these issues.
    Thank you.
    [The prepared statement of Mr. Vance follows:]
    
    Mr. Walberg. Thank you.
    I recognize Mr. Tudor for your 5 minutes of testimony.

                   STATEMENT OF ZACHARY TUDOR

    Mr. Tudor. Thank you, Chairman Upton, Ranking Member Rush, 
Mr. Walberg, and distinguished members of the committee for 
holding this hearing and inviting Idaho National Laboratory's 
testimony on the energy sector's cybersecurity and emergency 
response. I request that my written testimony be made part of 
the record.
    In my role at Idaho National Laboratory, also known as INL, 
I lead an organization that conducts research for the cyber and 
physical protection of critical infrastructure with an emphasis 
on the energy sector.
    INL has capabilities that will support the Department of 
Energy's Office of Cybersecurity, Energy Security, and 
Emergency Response, or CESER, in achieving the new leadership 
role for critical infrastructure protection, consistent with 
the authorities directed in the FAST Act for assuring the 
energy sector's capabilities and coordination for cyber and 
physical protection of emergency response.
    Persistent, capable, well-resourced, and highly motivated 
cyber adversaries are a threat to our Nation's energy sector. 
These adversaries continue to develop the skills, capabilities, 
and opportunities for potential compromise of the Nation's 
energy infrastructure.
    The potential consequences of a sophisticated cyberattack 
create an imperative that Federal agencies, labs, and 
industries collaborate to build capabilities and develop 
innovations that reduce the unacceptable risks associated with 
a cyberattack. DOE, INL, and our other national laboratory 
partners are providing leadership and resources to assure that 
the Nation has detective capabilities to reduce these risks. 
These capabilities include a broad array of science and 
engineering programs, extensive teams of multidisciplinary 
national laboratory researchers, unique user facilities and test 
beds for experimentation at scale, and a breadth of 
collaborative relationships with industry, universities, and 
Federal agencies.
    With regard to reducing cyber risks, INL's Cybercore 
Integration Center, known as Cybercore, performs research, 
development, testing, and evaluation of technologies and 
information products to prevent, detect, and respond to cyber 
vulnerabilities and intrusions. When shared through public-
private partnerships, these solutions create barriers to 
attack, mitigate the consequences of an attack, and enable 
rapid restoration of energy sector operations. Specific 
examples of technology advancement that are reducing risks 
include, with DOE and other agencies, INL supported the 
recovery and information sharing in response to the cyberattack 
on Ukraine's electric grid. After our post-event analysis, INL 
developed and is conducting unique cyber strike workshops for 
U.S. asset owners and operators to learn how to protect against 
similar attacks.
    INL developed and completed a pilot study of our 
consequence-driven cyber-informed engineering methodology, or 
CCE, with Florida Power and Light. CCE leverages an 
organization's knowledge and experiences to engineer out the 
potential for the highest consequence cyber events. Briefings 
of the study's results were shared with the Section 9 electric 
utility partners, congressional staffers, and government 
leaders. A second pilot is currently underway.
    INL also is advising the National Security Council on 
implementing the methodology with a larger set of participants. 
INL is one of several national laboratories providing technical 
information and strategic planning guidance to assist CESER 
leadership to develop infrastructures, capabilities, and 
processes for reducing cyber and physical risk.
    This includes providing principles to establish a research 
portfolio that delivers impactful solutions and response to 
cyber and all hazard threats, standards for security-informed 
design to engineer in cyber physical protections for future 
grid infrastructure and next generation energy systems, 
guidance on best practices for coordinating incident response 
with DHS and other federal and private organizations.
    Some examples of INL's current partnerships that are 
reducing cyber risks are research collaboration with the 
electric industry partners at the California Energy Systems for 
the 21st Century Program and Lawrence Livermore National 
Laboratory is leading to new capabilities for machine-to-
machine automated threat response.
    DOE's pilot program, Cybersecurity for the Operational 
Technology Environment, is providing a forum for situational 
awareness for cyber risks among industry partners and 
stakeholders. Examples I described demonstrate that DOE and INL 
are making significant progress in reducing the risks to our 
energy sector. However, with the increasing capabilities of our 
adversaries and the increasing complexity of our energy system 
technologies we will not completely eliminate all risks.
    Hence, INL will continue to prioritize initiatives that 
emphasize the advancement of protection and response 
capabilities that reduce risks. We do this with the 
understanding that the U.S. will continue to identify new 
requirements for technology and innovation, expect solutions 
through expansive organizational leadership, coordination, and 
integration, and prioritize funding and focus for research.
    I look forward to your questions. Thank you.
    [The prepared statement of Mr. Tudor follows:]
    
    Mr. Walberg. Thank you.
    Mr. Engels, you're recognized.

                    STATEMENT OF MARK ENGELS

    Mr. Engels. Mr. Chairman, Ranking Member Rush, and members 
of the subcommittee, thank you for the opportunity to testify.
    My name is Mark Engels and I am a Senior Enterprise 
Security Advisor at Dominion Energy. Dominion Energy is one of 
the largest producers and transporters of energy with a 
portfolio of approximately 26,200 megawatts of electricity 
generation, 6,600 miles of electric and transmission and 
distribution lines, 15,000 miles of natural gas pipeline, and 
the Cove Point liquefied natural gas facility in Maryland. We 
operate one of the largest natural gas storage systems in the 
U.S. with one trillion cubic feet of capacity and serve more 
than 6 million utility and retail customers.
    I've been with Dominion Energy almost 40 years and with a 
focus on cybersecurity for 19 of those years. As a 
representative from Dominion Energy, I appreciate the 
opportunity to provide comments and input to this committee and 
applaud the committee's focus to advance public-private 
partnership between the Department of Energy and the oil and 
natural gas sector.
    For Homeland Security Presidential Directive 7, both the 
Department of Energy, the Department of Homeland Security in 
coordination with the Department of Transportation function as 
the sector-specific agencies for natural gas pipelines and LNG. 
The fact that pipelines have two SSAs comprised of three 
different federal agencies cannot be understated, especially 
when it comes to interagency coordination in advance of, 
during, and post-incident operations. The key to this 
coordination is maintaining productive relationships between 
the energy government coordination councils' two co-chairs--DOE 
and DHS--and the oil and natural gas sector coordinating 
council.
    The ONGSCC is comprised of owners and operators from 20-
plus industry trade associations representing all aspects of 
the oil and natural gas sector. I encourage DOE and TSA, who 
has regulatory authority for pipeline security, to develop a 
memo of understanding that outlines roles and responsibilities 
for dealing with cyber and physical security of natural gas 
pipelines and LNG. TSA already has an MOU with the Department 
of Transportation's Pipeline and Hazardous Materials Safety 
Administration, or PHMSA, which has responsibility for pipeline 
safety.
    The recent announcement of DOE's new Office of 
Cybersecurity, Energy Security, and Emergency Response should 
continue to improve the coordination for pipeline, cyber, and 
physical security.
    The language in H.R. 5175 Section 22 could introduce 
complexity and confusion when it comes to DOE's involvements 
with States. Individual pipeline companies, Dominion Energy 
included, already have longstanding relationships with state 
emergency response organizations, public utility commissions, 
and law enforcement for all hazard events. H.R. 5175 directs 
DOE to focus on advanced cybersecurity applications, pilot 
demonstrations, develop workforce curricula, and provide 
mechanisms to help the energy sector evaluate, prioritize, and 
improve physical and cybersecurity capabilities.
    Dominion Energy has worked with DOE and several national 
labs on a number of efforts that align with the proposed 
legislation. They include being a peer reviewer for the 
Department of Energy's Cybersecurity for Energy Delivery 
Systems Program, participation in workforce and training 
efforts, Cyber Strike--a hands-on workshop communicating 
lessons learned associated with the Ukraine grid attacks--and 
Attack, an approach developed by INL to aggregate and 
evaluate cyber risk-related information.
    Dominion Energy is a member of both the downstream natural 
gas and electricity information sharing and analysis centers, 
both of which have benefited from intelligence provided by 
DOE's Cybersecurity Risk Information Sharing Program, or CRISP. 
Dominion Energy and other natural gas pipeline companies have 
worked very closely with TSA and DOE on cyber and physical 
security to build a partnership based on trust and respect.
    The proposed legislation should make sure that roles and 
responsibilities are clearly defined and understandable by 
pipeline operators who ultimately have to face the growing 
threat every day.
    Thank you again for the opportunity to provide comments and 
I will be glad to answer any of your questions.
    [The prepared statement of Mr. Engels follows:]
    
    Mr. Walberg. Thank you.
    Mr. Pitsor.

                    STATEMENT OF KYLE PITSOR

    Mr. Pitsor. Good afternoon, Mr. Chairman, Ranking Member 
Rush, members of the subcommittee. Thank you for the 
opportunity to testify on such an important topic today, the 
physical and cybersecurity of our Nation's electric system.
    My name is Kyle Pitsor, Vice President of Government 
Relations for National Electrical Manufacturers Association, 
representing about 350 manufacturers of electrical equipment 
and medical imaging technologies. NEMA and our member 
manufacturers have made cybersecurity a top priority. As the 
manufacturers of essential grid equipment, NEMA companies are a 
key line of defense against both physical and cyberattacks in 
the electricity transmission and distribution system.
    We understand that a secure product supply chain is 
inherent to a secure grid and cybersecurity aspects should be 
built into, not bolted onto manufacturers' products whenever 
possible. Manufacturers also understand that managing 
cybersecurity supply chain risk requires a collaborative effort 
and open lines of communication among electric utility 
companies, Federal and State and local governments, and 
suppliers of the full spectrum of grid systems and components, 
both hardware and software.
    I would like to mention briefly some of the industry-wide 
efforts NEMA and its members have pursued to establish best 
practices for supply chain and manufacturer cybersecurity 
hygiene and then make a few comments on the Cyber Sense Act and 
the Enhancing Grid Security Through Public-Private Partnership 
Act.
    In 2005, the electrical industry took a step toward 
improving supply chains' security of manufacturers' products by 
publishing a technical best practices document that laid out 
the steps for securing supply chains.
    NEMA published a white paper on cybersecurity, supply chain 
best practices for manufacturers that addresses supply chain 
integrity through four phases of a product's life cycle: the 
manufacturing, delivery, operation, and end of life of a 
product. This month in March, NEMA members have approved a new 
technical document detailing industry best practice cyber 
hygiene principles for electrical manufacturers to implement in 
their manufacturing and engineering processes. The document 
raises a manufacturer's level of cybersecurity sophistication 
by following seven fundamental principles that are outlined in 
my statement.
    With the above-mentioned two industry developed and 
cybersecurity best practices documents in mind, I will make a 
few comments about two of the bills under consideration today. 
First of all, with respect to the Cyber Sense Act, NEMA member 
manufacturers support voluntary cyber evaluation of products 
used in the transmission, distribution, storage, and end use of 
electricity. However, the specific requirements of any such 
program need to be carefully designed in close collaboration 
with manufacturers and other stakeholder groups and developed 
via an open and transparent process.
    We recommend that any cybersecurity evaluation program 
abide by a set of principles that we've outlined in our written 
statement. With respect to the Enhancing Grid Security Through 
Public-Private Partnership Act, NEMA supports the concepts 
included in the draft legislation. With respect to Section 2, 
NEMA agrees that voluntary technical assistance efforts should 
be available to provide electric utilities with information and 
resources to effectively prepare for and combat both physical 
and cybersecurity threats.
    We also agree that this technical assistance should be 
provided in close collaboration with State governments and 
public utility regulatory commissions as well as with equipment 
manufacturers. Including manufacturers in the training and 
technical assistance efforts will ensure that products are 
installed and maintained as intended to limit the risk of 
cyberattack resulting from the possible misuse of a product.
    NEMA also supports the recommendations included in Sections 
3 and 4 of the legislation. One additional outage index that we 
recommend be included in Section 4(b) of the draft legislation 
is the Momentary Average Interruption Frequency Index. 
Momentary outages cost U.S. electricity consumers over $60 
billion in 2014 and account for more than half of all power 
outages. Inclusion of this index, we believe, will improve the 
interrupter cost estimate information produced by the 
Department of Energy.
    In conclusion, NEMA and member company manufacturers 
recognize that cybersecurity risks are constantly evolving and 
changing and require a shared responsibility by all 
stakeholders.
    NEMA looks forward to working with you as a resource to 
this committee as you continue your work to address 
cybersecurity concerns in the energy sector.
    Thank you, and I look forward to any questions.
    [The prepared statement of Mr. Pitsor follows:]
    
    Mr. Walberg. Thank you.
    I now recognize Mr. Aaronson.

                  STATEMENT OF SCOTT AARONSON

    Mr. Aaronson. Thank you, Mr. Chairman, Ranking Member Rush, 
and members of the subcommittee. I appreciate the opportunity 
to testify here today. For EEI's member companies, which 
includes all of the Nation's investor-owned electric companies, 
securing the energy grid is a top priority. I appreciate your 
invitation to discuss this important topic on their behalf.
    The electric power industry, which includes investor-owned 
electric companies, public power utilities, and electric 
cooperatives, supports more than 7 million American jobs and 
contributes $880 billion annually to U.S. gross domestic 
product--about 5 percent of the total. That 5 percent is truly 
the first 5 percent, responsible for generating and delivering 
the energy that powers our economy and our way of life.
    Our members own and operate some of the Nation's most 
critical infrastructure and they take that responsibility 
seriously. EEI's member companies prepare for all hazards--
physical and cyber events, naturally occurring or manmade 
threats, and severe weather of every kind. To address multiple 
threats, our companies take what's known as a defense-in-depth 
approach with several layers of security. I would like to 
highlight three main areas of focus: standards, partnerships, 
and response and recovery.
    First, standards--through a process created by Congress the 
electric power sector is subject to mandatory enforceable 
critical infrastructure protection, or CIP, regulatory 
standards for cyber and physical security. Through these 
standards, the bulk power system enjoys a baseline level of 
security. Standards are important, but with intelligent 
adversaries operating in a dynamic threat environment, 
regulations alone are insufficient and must be supplemented.
    That brings me to the second area of focus, which is 
partnerships, which you have heard a lot about today. You heard 
it from DOE and you will hear it from this entire panel--
security is a shared responsibility. None of us can do this 
alone. To be successful in this environment, industry and 
government must partner, and as you heard earlier, we are.
    I am here this morning in my role as EEI's Vice President 
for Security and Preparedness but I am also privileged to be a 
Member of the Secretariat for the Electricity Subsector 
Coordinating Council. The ESCC is comprised of CEOs of 22 
electric companies and nine major industry trade associations 
representing the full scope of electric generation, 
transmission, and distribution in the United States and Canada.
    Through partnerships like the ESCC, government and industry 
leverage one another's strengths. This partnership manifests 
itself in many ways including deployment of government 
technologies, like CRISP, which you have heard about, 
multidirectional information sharing, drills and exercises, and 
facilitating cross-sector coordination.
    What makes the ESCC effective is CEO leadership across all 
segments of the industry. This structure provides resources, 
sets priorities, drives accountability. Furthermore, CEOs serve 
as a draw to other senior counterparts in industry sectors and 
in government. The unity of effort driven by industry working 
with government has produced significant tangible results.
    Finally, the third area of focus is response and recovery. 
The electric power sector is proud of its record on reliability 
but outages do occur. The past year has made one thing 
abundantly clear--we can't protect everything from everything 
all of the time and investments help companies restore power 
and be prepared. Our industry invests more than $120 billion 
each year to make the energy grid stronger, smarter, cleaner, 
more dynamic, and more secure. In addition, the industry's 
culture of mutual assistance unleashes a world-class workforce 
amidst the toughest conditions to restore power safely and 
effectively.
    Today, we have supplemented that traditional response in 
recovery with a 21st century edition--cyber mutual assistance. 
So far, more than 140 entities are participating in the 
program, covering more than 80 percent of U.S. electricity 
customers. That brings me to the bills before the subcommittee 
today. We appreciate both Congress and the Trump 
administration's support of the electric power sector.
    Just as EEI's member companies evolve to meet new threats, 
our government partners continuously improve their posture 
through these new initiatives. For example, we applaud DOE 
Secretary Perry and his team for establishing DOE's new Office 
of Cybersecurity, Energy Security, and Emergency Response, or 
CESER.
    Legislation passed by this committee codified DOE's role as 
the sector-specific agency--thank you--and we believe the 
elevation of CESER will deepen the relationship between our 
industry and DOE on issues of cybersecurity and energy grid 
response initiatives.
    In his testimony, Secretary Menezes mentioned DOE's 
establishment of the supply chain testing facility. We are 
interested in the details of that program. The subcommittee is 
also aware that through the NERC/FERC process a mandatory 
supply chain standard will be implemented soon. The committee 
should consider those efforts when adopting legislation related 
to supply chains.
    Finally, I would like to mention a report included in the 
Enhancing Grid Security Through Public-Private Partnerships Act 
looking at distribution, cyber, and physical security. EEI 
supports this report because it could address several emerging 
questions that many in the industry also are asking. What 
considerations should be made to protect a distribution system 
that is outside of mandatory NERC CIP standards? How can we 
secure newer technology that is largely consumer grade but may 
increase the energy grid's attack surface?
    A collaborative risk-based approach to security at the 
distribution level is essential. This report should drive that 
approach and consider the many different entities in the 
distribution grid, electric companies, and others.
    Again, I appreciate you holding this hearing. I look 
forward to answering any of your questions.
    [The prepared statement of Mr. Aaronson follows:]
    
    Mr. Walberg. Thank you. Thanks to the panel for your very 
efficient use of the 5 minutes time. Maybe it would be an 
example to myself and my colleagues.
    Now privileged to represent the neighbor to the south who 
guards my border, Mr. Latta.
    Mr. Latta. Well, thank you very much, Mr. Chairman, and I 
appreciate our panel for being here. And again, this is a 
really important hearing that we are having today because it 
affects us all.
    Mr. Pitsor, if I could start with my questions with you, if 
I may, please. In your testimony you state that you support a 
voluntary cybersecurity evaluation of products used in bulk 
power systems such as the program described in H.R. 5239 Cyber 
Sense.
    One point you raise is that once products are sold 
manufacturers often don't know where or how these components 
are used, installed, or operated. You suggest that asset owners 
should maintain a system of tracking products. Would you 
explain in detail why it is important to track these products?
    Mr. Pitsor. As we look at evaluation of cybersecurity 
threats of different components and how they're assembled in 
the manufacturers, once they have sold a product, they're 
assembled in the field. They're not necessarily aware of who 
purchased them and how they were assembled. And so the tracking 
concept here is to have a database and that could be shared so 
would be more familiar with where products have been placed, 
how they've been assembled, how they've been installed, how 
they've been commissioned. So that if patching is necessary due 
to a cyber-related event or testing for that product, we would 
then be able to contact the asset user as to what patches 
should be installed and how they should be installed.
    Mr. Latta. Let me follow up, when you're talking about the 
database because in Section 2(b)(2) of the Cyber Sense bill 
establishes a cybersecurity vulnerability reporting process and 
related database for products tested and identified as 
cybersecure under this program.
    Would this help address the need for a system for tracking 
those products by having that, as you just mentioned?
    Mr. Pitsor. I think a database would be very helpful in 
terms of addressing that need, yes.
    Mr. Latta. Thank you.
    Mr. Aaronson, if I could ask you, and I think you mentioned 
in your testimony about when you were out with co-ops, and I 
know I just was at two of my co-ops. I represent the largest 
number of co-ops in the State of Ohio.
    But if I could ask this question--as the new technologies 
are becoming increasingly interconnected within our electric 
grid, new vulnerabilities are emerging across the system 
including at the distribution level. Currently, the physical or 
cybersecurity of the bulk power system or the interstate is 
addressed through the Critical Infrastructure Protection 
Standards issued by NERC. But the distribution system 
intrastate is outside the jurisdiction of the mandatory NERC 
standards and the question is are there implications for this 
perceived gap in oversight and protection of the cybersecurity 
of the distribution portion of the Nation's electrical grid?
    Mr. Aaronson. So a couple of things to respond to there. As 
I mentioned in my testimony, we operate one big machine, right, 
with thousands of owners and operators from really large 
investor-owned electric companies that EEI represents to co-ops 
and municipal systems of varying sizes. And so as you know, the 
ESCC incorporates all of those and we work very closely. I know 
both APPA and NRECA provided written testimony or written 
statement for the record. So I would refer to that.
    With respect to gaps, and I call them perceived gaps, just 
because distribution level components are not subject to the 
Federal CIP standards does not mean that there is not security 
happening at that level. That said, we do think that anything 
we can do with respect to components that make up that part of 
the grid--the intrastate--the distribution level, is going to 
be an important approach to continue to advance security for 
all of us.
    The other thing I would say about distribution security is 
we need to prioritize. In security you protect diamonds like 
diamonds and pencils like pencils, and to be sure, there are 
diamonds at the distribution level that we need to be aware of. 
There are components that are crown jewels at the distribution 
level that we need to be securing. And so approaches like Cyber 
Sense may allow us to do that and some of the things that 
Secretary Menezes and Assistant Secretary Hoffman were 
discussing with respect to really looking closely at those 
components and drilling down on the most critical, because if 
you have a hundred priorities you have no priorities--but 
really finding those most critical components and beating the 
heck out of them so that we can understand if there are any 
vulnerabilities in them, again, will make us all more secure.
    Mr. Latta. Well, thank you very much, Mr. Chairman. My time 
is about to expire and I yield back.
    Mr. Walberg. I thank the gentleman.
    Now I am privileged to recognize the ranking member, the 
gentleman from Illinois--in fact, the district I was privileged 
to be born in--I quickly add long before you represented the 
district, Mr. Rush.
    [Laughter.]
    Mr. Rush. Mr. Chairman, it's still the best district in the 
Nation.
    Mr. Vance, in your written testimony you noted that DOE 
held a cybersecurity contest which brought together students 
competing to address the challenges of protecting 
infrastructure and firms that might employ the same students 
after they graduate.
    Do you think that on both the public and private sector 
that we are doing enough to ensure that we have a skilled 
workforce capable of meeting the challenges we will inevitably 
face in regards to cybersecurity? And I will invite any other 
members of the panel to weigh in on some of these issues.
    Mr. Vance. I think what we've been doing in Indiana is 
specifically trying to bring together the public and private 
sides together to analyze what some of the weaknesses are, what 
we are good at, what we are not good at, and as Mr. Aaronson 
from EEI spoke about just a second ago, I think we need to 
prioritize and figure out where those diamonds are and where 
those pencils are.
    It's one thing for me and my colleagues in the public 
sector to sit in a room and try to figure out what we need to 
focus on. We are going to miss a lot of things. What we need to 
do is sit down with the private sector and work through a 
collaborative process to identify where our weaknesses are and 
how to strengthen those.
    So the bills being discussed today, I think, are four steps 
in the right direction to help strengthen those partnerships.
    Mr. Rush. Anybody else want to chime in?
    Mr. Tudor. Mr. Rush, thank you for the question.
    I agree that public-private partnerships are key to moving 
these forward and these four pieces of legislation are 
definitely great steps toward that.
    At the Idaho National Lab, we know that the partnerships 
are the strongest part of our operation, whether it's with 
vendors, asset owners, with other government agencies and 
that's the way that we will be able to develop the structures 
to keep our cyber resilience in our energy systems.
    Mr. Rush. And does anyone have any suggestions on how the 
Congress could help you to ensure that we have enough skilled 
workforce other than what's information in these four bills?
    Mr. Vance. I will add, real quick, just to give a little 
bit more perspective on what we are doing in Indiana. Our 
approach with our cybersecurity council has been to bring 
together all the potential industries involved in 
cybersecurity. So right now, I've got about 250 or so members 
of that council spanning about 20 different industries with 
industry subgroups that then things can bubble up through those 
subgroups into the full committee to address in a cross-sector 
manner.
    So I will give you an example. One of the committees is 
focused on personal identifiable information because that's 
something that's not unique to any one specific industry and it 
really needs to be a topic in and of itself. But it can't just 
be its own council or committee. It has to be part of a bigger 
picture because it ties back to energy, water, finance--all 
these other things.
    So what we've been trying to do in Indiana is to build a 
large council that integrates all these different aspects so it 
can be addressed in a cross-sector manner across different 
industries.
    Mr. Aaronson. Mr. Rush, I would add, I know you're very 
committed to workforce development in particular with respect 
to cyber and I think one of the things that you're hearing both 
from the previous panel and all of us is this is a shared 
responsibility.
    It's a whole of community issue. I reference in my verbal 
testimony the cyber mutual assistance program. To us, that is a 
force multiplier. That is when a company is being attacked 
their counterparts come from around the country and around the 
Nation and around North America, frankly, to support them. And 
so I think that's great for the electricity sector and we are 
very proud of that. But to be able to work with the National 
Guard, to be able to work with other sectors, to be able to 
prioritize restoration when cyber incidents maybe are impacting 
more than one sector.
    We need to look at this again far more holistically. And 
then from a workforce perspective, we are very proud of the 
development that we do within our sector through things like 
the CEWD. It's the Energy Workforce Development--Committee for 
Energy and Workforce Development is a great example of how we 
can find those gaps that we have in our workforce and work 
through education, work through public-private partnerships to 
improve our staffing in our most critical needs.
    Mr. Rush. Thank you, Mr. Chairman. I yield back.
    Mr. Walberg. I thank the gentleman.
    I now recognize the gentleman from Virginia, Mr. Griffith.
    Mr. Griffith. Thank you very much, Mr. Chairman.
    Mr. Tudor, I am going to come to you first but I am going 
to take what's more or less a point of personal privilege and 
just say that I saw you sitting throughout that first panel and 
all those questions on that second row there with a couple of 
young people who are very well behaved. Are they connected with 
you?
    Mr. Tudor. Yes, sir. That's my son, Miles, and my niece, 
Sydney. They're getting a civics lesson today.
    Mr. Griffith. Well, not the most riveting of hearings but 
one that's very important and they have done a great job and I 
thought they were--you could tell they were doing some stuff 
back there and I thought they were like my kids, playing on an 
electronic device. But, apparently, they have a numbers game 
that they're working on that's all done with their hands and 
they've been very quiet and very well behaved. So you and your 
family are to be commended for having such well-behaved 
children.
    That being said, let's get down to business. You make 
reference to the consequence-driven cyber-informed 
engineering--CCE methodology. You say this is more about 
getting ahead of the problems of vulnerabilities and threats 
rather than chasing them. Can you describe what role this 
approach may have in strengthening cybersecurity and critical 
infrastructure?
    Mr. Tudor. Yes. Thank you for that question, sir.
    So consequence-driven cyber-informed engineering, or CCE, 
kind of identifies the problem--that we are constantly seeing 
new vulnerabilities, new threats every day. So an organization 
does a risk assessment on a Monday and by Wednesday when new 
vulnerabilities are discovered, many of the activities 
described in that risk assessment may be moot.
    But if we go back and look at the key consequences of any 
organization and we take an electric utility at this, if 
keeping the lights on is their mission but maybe there's 
several key components that if they were lost may prevent that 
mission from being carried out. Looking at the engineering 
methods of those consequences, looking at the way an adversary 
might go about attacking those infrastructures, using a threat-
based methodology and at INL we do a lot of work considering 
the threat first and we use that mindset when we look at our 
different mitigations, and then developing mitigations with the 
asset owner who is a key component of this.
    So if we can engineer out those severe consequences, 
irregardless of the threat or the current risk or a new 
vulnerability then we believe that that has a chance of 
maintaining that resiliency over a longer period rather than 
just addressing new vulnerabilities as they show up.
    Mr. Griffith. I appreciate that, and there's a pilot 
program but it's had very limited deployment. Are you confident 
this methodology is an effective approach and, if so, what are 
you trying to examine before deciding whether this program 
should be expanded?
    Mr. Tudor. Yes, thank you again.
    We have conducted one pilot. We are on a second, and I 
think that as we've been briefing this across Congress, the 
National Security Council, and others, we've been very 
encouraged that people do believe that this type of methodology 
will be able to go forward.
    So we are working with the DOE and others to develop some 
ways to do CCE at scale. In our next few pilot engagements we'll 
be bringing more partners along to provide training for them 
and they can go out and provide training for others. So we hope 
to be able to scale out this methodology in the next several 
years.
    Mr. Griffith. I appreciate that.
    Mr. Engels, you have got a new pipeline coming near my 
district, although not through my district, and I asked before 
about some, for lack of a better term, smart pipe technology. I 
know you're not expecting that question today and so if you 
could just get me an answer later as to what you all might be 
doing in regards to letting us know if there's some kind of a 
break in the line quicker using some smart technology.
    Mr. Engels. I will be glad to follow up with you on that.
    Mr. Griffith. And likewise, I have a friend who's got a 
farm where there's going to be a pump station and whatever you 
all could do to reassure folks that they're being placed in the 
safest location and likewise if there's any smart technology in 
there I would appreciate having that information.
    Mr. Engels. I understand. We'll make sure we follow up.
    Mr. Griffith. Thank you. All right.
    Mr. Aaronson, you mentioned in your written testimony that 
approximately 75 percent of U.S. customers are served by a 
company that participates in cybersecurity risk information 
sharing program.
    Do you have any insight what's going on with the other 25 
percent?
    Mr. Aaronson. So CRISP is a wonderful technology and the 
beauty of it is it was something that was actually developed by 
National Labs. It was piloted for a few years by a small subset 
of companies--did some proof of concept, and that was then. 
We'll call it commercialized, although maybe that's not a fair 
characterization because it is still a public-private 
partnership with the Department of Energy, the North American 
Electrical Reliability Corporation through their information-
sharing analysis center--I am trying to not use acronyms--and 
then the companies that deploy it.
    What we are looking to do and what the ISAC is planning to 
do now is to expand the program. So it started with five 
pilots. It has expanded to more than that, to the 75 percent of 
customers being represented by a company that has deployed 
CRISP. The other thing you should note is that information, 
while it is gleaned from the companies that have deployed the 
sensors that make up CRISP, the information that is gleaned is 
actually socialized to the entire electric utility sector.
    So while there are sensors on 75 percent of companies, we 
are going to get a much broader cross-section in the coming 
years.
    Mr. Griffith. I appreciate that. Thank you for the answer. 
I thank all of you for being here today, and I yield back.
    Mr. Walberg. I thank the gentleman and I recognize the 
gentleman from California, Mr. McNerney.
    Mr. McNerney. I want to thank the chairman and I thank the 
witnesses. Good testimony and informative.
    Mr. Aaronson, in your testimony you pointed out that the 
EEI members do work to prepare for hazards and cyber or natural 
events. What are your members doing to prepare for climate 
change events? Is there a standard or is there some sort of 
work that needs to be done that's being done?
    Mr. Aaronson. So, again, I think we look at this as all 
hazards, and whether it is an act of war or an act of God, 
whether it is a natural disaster, whether it's an earthquake, 
whether it's the wildfires that I know that your district has 
been impacted by, we are looking at ways we can be more 
resilient, and a lot of what we do kind of crosses, again, acts 
of war and acts of God and is more about consequence 
management. Why the lights were turned off--why there was a 
power outage becomes a little less relevant and how quickly can 
we get them restored. And so a lot of our focus is on that 
response and recovery and resilience component of preparation 
for all manner of hazards.
    Mr. McNerney. OK. Thank you.
    Mr. Pitsor, I appreciate your comments on the enhancing 
grid security through public-private partnerships. You 
mentioned that you wanted to see a Momentary Average 
Interruption Frequency Index included in the ICE calculation. 
How would that improve the calculation? How would that improve 
the results?
    Mr. Pitsor. Well, the MAIFI index represents some nearly 50 
percent of all the momentary outages that occur in the U.S. and 
these are momentary outages that are usually 5 minutes or less. 
We think that the overall interrupter calculation, if it's 
missing those 50 percent of the outages, it's not capturing 
fully the economic costs that are associated by these smaller 
momentary outages. For instance, electric motors trip off, 
computers don't have backup power trip off. There are costs 
associated with that that should be captured in the overall 
estimator.
    Mr. McNerney. OK. You mentioned the Cyber Sense Act. How 
would your members respond to nonvoluntary requirements for--
including cybersecurity in their products?
    Mr. Pitsor. We are very supportive of the evaluation 
testing of electrical equipment. I think the key is going to be 
what type of equipment we are speaking of--the scope of the 
testing, what protocols we are testing against, who's paying 
for that testing, and the follow-on work that will be done to 
address vulnerabilities that are found in terms of patching, 
recommissioning, the continuous process that goes on in 
addressing cyber----
    Mr. McNerney. It seems that your members would want to have 
a set of standards they could link their products to.
    Mr. Pitsor. Exactly. Working on supply side standards that 
I mentioned, a new cyber security index standard and then 
looking at how we test different products and different 
configurations against different vulnerabilities. We segment 
those products because some products, as has been recognized, 
are behind layers of security. So the testing of those maybe 
are less than those that have outward-facing connection to the 
internet. There are different levels of testing that would be 
required for those products.
    Mr. McNerney. Do you have concerns about cuts that are 
being proposed in the fiscal 2019 budget's impact on 
cybersecurity or security in general? I guess Mr. Aaronson 
would be the right person to ask that question of.
    Mr. Aaronson. So we appreciate what the Department of 
Energy has done with respect to CESER and elevating some of 
these issues. We've worked really closely in particular with 
the Office of Electricity and their Infrastructure Security 
Energy Restoration Office, which will ultimately matriculate 
over the CESER.
    This last historic hurricane season and the nor'easters the 
last several weeks, and with that response from Puerto Rico--so 
between that, our partnerships with the labs and our 
partnerships with the sector coordinating council we have 
really appreciated the ability to work closely with this 
administration and the previous administration. This has been a 
priority for Department of Energy for several years now.
    Mr. McNerney. So you don't see any sort of a drawback with 
the cuts that are being proposed?
    Mr. Aaronson. At this point, I think the priorities that we 
care about most have not been impacted in our day-to-day 
interactions with the department.
    Mr. McNerney. Thank you. I yield back.
    Mr. Walberg. I thank the gentleman.
    Now I recognize the good doctor and gentleman from Indiana, 
Mr. Bucshon.
    Mr. Bucshon. Thank you, Mr. Chairman.
    Mr. Vance, good to have you here from Indiana.
    Mr. Vance. Thank you.
    Mr. Bucshon. You're welcome. As you know, electric 
cooperatives serve more than 1.3 million customers in the State 
of Indiana, primarily those in rural parts of the State, which 
is southwest Indiana, the Wabash Valley that I represent. An 
additional 300,000 individuals are served by municipal electric 
utilities. Both cooperative and municipal utilities are 
generally much smaller than their investor-owned counterparts.
    What are some of the specific challenges that you see these 
smaller utilities face in terms of defending their assets 
against cybersecurity threats?
    Mr. Vance. I think the challenges that a co-op or a 
municipal utility face are very similar to what an investor-
owned utility face because they have the same issues in that 
every time that you move toward a networked piece of equipment 
you're exposing yourself to potential cybersecurity attacks.
    So in Indiana we've been very aware of including our co-ops 
and our municipal utilities in our conversations on energy 
security and cybersecurity. They sit on our cybersecurity 
council established by the governor.
    I think one of the important things we are trying to do in 
Indiana as we continue exercises is to build those 
relationships so that we know we have those personal 
connections and when an energy emergency hits we cannot spend 
hours searching through a binder of 300 pages trying to figure 
out what to do.
    I think to some extent the movie ``Ghostbusters'' summed it 
up well when it said, ``Who are you going to call?'' You have 
to know who you're going to call in those situations. We can't 
spend hours trying to figure it out.
    So we've been including our munis and co-ops in our 
conversations.
    Mr. Bucshon. Are there financial challenges to making sure 
that your networks and everything are secure that the State 
helps with or anything?
    Mr. Vance. There's always funding constraints when it comes 
to infrastructure. But to the best of my knowledge, I am not 
aware of any specific constraints with munis and co-ops. But we 
can get back to you on an answer to that.
    Mr. Bucshon. OK. One of the bills we are discussing, and 
somebody mentioned this a little while ago, Enhancing Grid 
Security Through Public-Private Partnership Act specifically 
requires the Secretary of Energy to take different sizes of and 
regions served by electric utilities into account when 
administering cybersecurity programs.
    Based on your experience in Indiana, what might this look 
like?
    Mr. Vance. I think that would be something that we'd be 
very interested to work with DOE on. What that would look like 
I am not entirely sure, off the top of my head.
    Mr. Bucshon. Anybody have any comments on any of this 
stuff? No?
    Good. I yield back, Mr. Chairman.
    Mr. Walberg. I thank the gentleman.
    Seeing no one else on the panel, I recognize myself for 5 
minutes. Thanks to the panel for being here.
    Mr. Aaronson and Mr. Vance, I asked some questions to our 
DOE panel earlier and I would appreciate hearing your answers 
to them as well. I appreciate the secretary's efforts to 
elevate the agency's leadership on emergency and cybersecurity 
functions and I believe they are commendable. But I would like 
to see DOE leadership continue under future administrations, as 
I mentioned. Do you think it would help to codify DOE's 
Assistant Secretary functions in the DOE organization chart?
    Either one--Mr. Vance or Mr. Aaronson.
    Mr. Vance. From our perspective, I would have to discuss 
with my other members of NASEO before I could make a statement 
one way or the other.
    But I would defer to DOE on that.
    Mr. Walberg. OK. Mr. Aaronson.
    Mr. Aaronson. I would just simply say I see no problem with 
that. I think it could be useful, and to Mr. McNerney's 
question also, I think anything that provides accountability, 
that elevates something not just within the organization but 
then visibility as a Senate-confirmed position and across the 
various verticals within the department that acknowledges these 
intersector relationships between electric, gas, and other 
generating capabilities, and then I think anything that can get 
more resources.
    I don't want to be dismissive of your question, Mr. 
McNerney. I think anything that--more resources so we can do 
some of these partnerships more, better, faster, and focus on 
all of the things that are happening in this--with respect to 
security in the sector is going to be valuable. So I think 
codifying it, elevating it, funding it, supporting it are all 
good outcomes.
    Mr. Walberg. OK. Let me ask, do you believe that elevating 
the cybersecurity functions to the Senate-confirmed Assistant 
Secretary level is a positive? Is it necessary?
    Mr. Aaronson. I will leave that to policy makers on that, 
sir. I think it's a positive development though, certainly.
    Mr. Walberg. OK.
    Mr. Aaronson, one of the bills we are discussing today is 
the Enhancing Grid Security Through Public-Private Partnership 
Act, which directs DOE to provide cybersecurity training and 
technical assistance for electric utilities that have fewer 
available resources due to size or region.
    The legislation builds upon the existing public-private 
partnership between DOE, the electric cooperatives, and power 
utilities.
    Could you explain for us the challenges facing certain 
electric utilities in improving the cybersecurity of their 
assets?
    Mr. Aaronson. Sure. So, again, I would point everybody to 
the statement by the American Public Power Association and the 
National Rural Electric Cooperative Association with whom I 
serve as secretaries on the sector coordinating council with.
    So one of the benefits of the sector coordinating council 
is that we do all come together with common cause, whether they 
are large investor-owns, smaller investor-owns, cooperatives, 
municipals, Canadians, independent power generators, the 
nuclear sector, gas, and on and on and on. So we work really 
well together on these issues, again, of sort of mutual concern 
with respect to protection of our infrastructure.
    With respect to challenges among the smaller entities, 
there are workforce challenges. There is the ability to ingest 
intelligence. There is the ability to implement some of the 
good information that is coming out of the government and some 
of the mitigation measures that are recommended. And so 
anything that we can do as a community--again, whole of 
community so that it is a rising tide that lifts all boats--
ultimately helps all of the infrastructure that we own and 
operate together.
    So we are very supportive of that particular provision for 
our co-op and municipal brothers and sisters but also for some 
of other smaller entities that are going to need help 
implementing the things you all recommend.
    Mr. Walberg. So this Section 2 of H.R. 5240, the Enhancing 
Grid Security Through Public-Private Partnerships Act, does 
that strengthen and further these existing public-private 
partnerships?
    Mr. Aaronson. I think it does.
    Mr. Walberg. OK.
    Thank you. The gentleman from New York is here, my friend, 
and we recognize you for 5 minutes for questioning.
    Mr. Tonko. Thank you, Mr. Chair, and thank you to our 
witnesses for being here this afternoon.
    Mr. Aaronson, the utility industry has a long tradition and 
culture of mutual assistance. When a disaster strikes, everyone 
responds, and I know there are still crews from New York 
working in Puerto Rico. The industry has a good idea of how to 
deal with supply disruptions and restorations after a natural 
disaster. But cyber is still uncharted territory. When the 
industry comes together to think about the future of mutual 
assistance, does that include how you might respond to a cyber 
incident?
    Mr. Aaronson. Very much so.
    One of the things that we have done as a sector--and 
actually I will give a little bit of a timeline because I think 
it's instructive.
    So you will recall the end of 2015 we had both GridEx III, 
which is a biannual exercise that NERC puts on, and then just a 
month later there was the attack in Ukraine that had impact on 
their distribution system. The CEOs of the sector coordinating 
council got together for a meeting in January of 2016 and asked 
the question, do we have the surge capacity to deal with either 
the imagined threats in the GridEx scenario or the real ones 
that were perceived from the Ukraine scenario? And the answer 
was sort of, which is never a good answer for chief executives.
    And so they told us as the sector coordinating council 
support staff to go put something together. We put together 
something known as cyber mutual assistance, and so from that 
time just a little over 2 years ago we scoped what cyber mutual 
assistance would look like. We developed a legal structure 
around it. We developed a play book. We exercised it. We've 
utilized it, and now 142 companies representing nearly 80 
percent of all customers in North America have a company that 
is a member of the cyber mutual assistance program.
    It's in its very nascent stages. Traditional mutual 
assistance has been around for more than 80 years. But it is a 
platform that we can begin to surge and support each other in 
the eventuality of a cyberattack.
    Mr. Tonko. And in that collaboration, are there any 
differences that you would cite that they could make a 
distinction from the regular emergency planning and response 
efforts?
    Mr. Aaronson. It is in some ways very similar in that the 
goal is to restore power and one of the things I tell people is 
the best way to not have cyber vulnerabilities is to not have 
cyber infrastructure.
    So another thing that we are pursuing is to actually be 
able to operate in a degraded state manually, which is 
something Ukrainians were able to do and, again, which we have 
some capacity to do but are going to develop even more so.
    With respect to the differences between traditional and 
cyber mutual assistance, the first one is the obvious one. 
You're not going to have bucket trucks of cyber linemen driving 
down the highway to the affected area. But there is the 
capacity to support each other remotely. There are things that 
can be done to develop both information sharing in the event of 
these attacks and the sharing of equipment and the bringing in 
of noncompromised equipment to support the company that may 
have had equipment compromised.
    Last is with storms, you see them coming and they are 
regional. And so companies from all over North America will 
descend, and did certainly this last year, on the affected 
region. Cyber doesn't know boundaries like that and so that is 
a consideration for how do you respond--do I want to send my 
people into a company that's been impacted when I may be next, 
and that is something that the cyber mutual assistance program 
is contemplating and addressing.
    Mr. Tonko. OK. Thank you very much.
    And Mr. Vance, a common theme we are hearing today is how 
partnerships--those between utilities and between different 
levels of government--are critical to ensuring that our 
electric system is reliable, resilient, and prepared for the 
worst.
    Can you give us a sense of the level of cyber expertise at 
the state and local levels?
    Mr. Vance. We have a number of folks at our Office of 
Technology who are the co-coordinators of our cybersecurity 
council who are spending their time on cybersecurity in 
coordination with our Department of Homeland Security, our 
Utility Regulatory Commission, and a number of folks across 
state government.
    So we do have some folks who are focused specifically on 
the cyber issues. This is a relatively recent thing. I think it 
started in 2016 but it's something we are trying to get up to 
speed as soon as we possibly can.
    Mr. Tonko. Thank you. And your testimony mentioned the 
importance of a robust state energy security program. What kind 
of services and resources can DOE provide to our given states?
    Mr. Vance. I think that's something that can be defined as 
we explore this more. But the first things off the top of my 
head are more training and exercise.
    A lot of this planning and exercise activities--for 
example, the exercise we did in Rhode Island that mapped a 
cyberattack on top of a natural disaster--is something that was 
a very useful exercise, bringing people together and go through 
these issues and also put a face to who some of these people 
were at utilities, at DOE, at the states.
    So I think more exercise and opportunities to plan 
regionally are really helpful as well.
    Mr. Tonko. Thank you very much.
    And seeing that I have no time remaining, I yield back, Mr. 
Chair.
    Mr. Walberg. I thank the gentleman.
    Seeing there are no further members wishing to ask 
questions, I would like to thank all of our witnesses again for 
being here today and for the insights you shared with us and 
considering our questions.
    Before we conclude, I would like to ask for unanimous 
consent to submit the following documents for the record: 
Number one, a statement from the American Public Power 
Association and the National Rural Electric Cooperative 
Association; a cybersecurity update letter from the American 
Public Power Association; a letter to Department of Energy 
Secretary Perry; a response letter from the Department of 
Energy Secretary Perry; a statement from Siemens Energy.
    [The information appears at the conclusion of the hearing.]
    Mr. Walberg. And pursuant to committee rules, I remind 
members that they have 10 business days to submit additional 
questions for the record and I ask that witnesses submit their 
response within 10 business days upon receipt of the questions.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 1:04 p.m., the committee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
