[Senate Hearing 115-262]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-262

    CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY 
  ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE 
                   SECURING ENERGY INFRASTRUCTURE ACT

=======================================================================

                                HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON ENERGY

                                 OF THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 28, 2017

                               __________

               [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]



                       Printed for the use of the
               Committee on Energy and Natural Resources

        Available via the World Wide Web: http://www.govinfo.gov
              
              
                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
24-977                     WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected].          
              
              
            
              
              
              COMMITTEE ON ENERGY AND NATURAL RESOURCES

                    LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
MIKE LEE, Utah                       BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan
STEVE DAINES, Montana                AL FRANKEN, Minnesota
CORY GARDNER, Colorado               JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee           MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota            MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana              ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio                    TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama              CATHERINE CORTEZ MASTO, Nevada
                                 ------                                

                         Subcommittee on Energy

                         CORY GARDNER, Chairman

JAMES E. RISCH                       JOE MANCHIN III
JEFF FLAKE                           RON WYDEN
STEVE DAINES                         BERNARD SANDERS
LAMAR ALEXANDER                      AL FRANKEN
JOHN HOEVEN                          MARTIN HEINRICH
BILL CASSIDY                         ANGUS S. KING, JR.
ROB PORTMAN                          TAMMY DUCKWORTH
LUTHER STRANGE                       CATHERINE CORTEZ MASTO

                      Colin Hayes, Staff Director
                Patrick J. McCormick III, Chief Counsel
  Brianne Miller, Senior Professional Staff Member and Energy Policy 
                                Advisor
           Angela Becker-Dippmann, Democratic Staff Director
                Sam E. Fowler, Democratic Chief Counsel
                David Gillers, Democratic Senior Counsel
                            
                            
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Gardner, Hon. Cory, Subcommittee Chairman and a U.S. Senator from 
  Colorado.......................................................     1
Manchin III, Hon. Joe, Subcommittee Ranking Member and a U.S. 
  Senator from West Virginia.....................................     2
King, Jr., Hon. Angus S., a U.S. Senator from Maine..............     5
Alexander, Hon. Lamar, a U.S. Senator from Tennessee.............     5
Franken, Hon. Al, a U.S. Senator from Minnesota..................     6

                               WITNESSES

Bardee, Michael, Director, Office of Electric Reliability, 
  Federal Energy Regulatory Commission...........................     7
Fowke III, Benjamin, Chairman of the Board, President & Chief 
  Executive Officer, Xcel Energy Inc.............................    14
Di Stasio, John, President, Large Public Power Council...........    79
Zacharia, Dr. Thomas, Deputy Director for Science and Technology, 
  Oak Ridge National Laboratory..................................    88

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Alexander, Hon. Lamar:
    Opening Statement............................................     5
American Public Power Association, Edison Electric Institute, and 
  the National Rural Electric Cooperative Association:
    Statement for the Record.....................................   147
Bardee, Michael:
    Opening Statement............................................     7
    Written Testimony............................................     9
    Responses to Questions for the Record........................   123
Di Stasio, John:
    Opening Statement............................................    79
    Written Testimony............................................    81
    Responses to Questions for the Record........................   128
Fowke III, Benjamin:
    Opening Statement............................................    14
    Written Testimony............................................    16
    Responses to Questions for the Record........................   127
Franken, Hon. Al:
    Opening Statement............................................     6
Gardner, Hon. Cory:
    Opening Statement............................................     1
King, Jr., Hon. Angus S.:
    Opening Statement............................................     5
Manchin III, Hon. Joe:
    Opening Statement............................................     2
S. 79, the Securing Energy Infrastructure Act....................   116
U.S. Department of Energy:
    Statement for the Record.....................................   151
Zacharia, Dr. Thomas:
    Opening Statement............................................    88
    Written Testimony............................................    90
    Responses to Questions for the Record........................   130

 
    CYBERSECURITY THREATS TO THE U.S. ELECTRIC GRID AND TECHNOLOGY 
  ADVANCEMENTS TO MINIMIZE SUCH THREATS, AND TESTIMONY ON S. 79, THE 
                   SECURING ENERGY INFRASTRUCTURE ACT

                              ----------                              


                        TUESDAY, MARCH 28, 2017

                               U.S. Senate,
                            Subcommittee on Energy,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:17 p.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Cory Gardner, 
Chairman of the Subcommittee, presiding.

            OPENING STATEMENT OF HON. CORY GARDNER, 
                   U.S. SENATOR FROM COLORADO

    Senator Gardner [presiding]. We will go ahead and get the 
Subcommittee started. Senator Manchin will be joining us 
shortly, but thank you very much, as we call this Subcommittee 
hearing to order.
    Good afternoon. This is the Subcommittee on Energy's first 
115th Congress hearing. I am honored to chair the Subcommittee 
this Congress and look forward to working with the 
Subcommittee's Ranking Member, Senator Manchin.
    The Energy Subcommittee is certainly important to my home 
state of Colorado. In Colorado, we have coal in the 
northwestern part of the state, oil on the western slope, 
natural gas and wind on the eastern plains and solar in the San 
Luis Valley. We are truly an all-of-the-above energy state and 
very proud of that fact.
    We are also home to the Department of Energy's National 
Renewable Energy Laboratory which is instrumental in research 
and development for new technologies in advancing grid 
modernization, renewable energy and energy efficiency that will 
transform the marketplace.
    As Chairman, I look forward to promoting a strong and 
responsible energy policy that is critical to unleashing the 
nation's energy potential, and I look forward to using the 
Subcommittee to advance policies that benefit Coloradans and 
all Americans.
    Today the Subcommittee will examine the cybersecurity 
threats to the U.S. electric grid and technology advancements 
to minimize such threats and receive testimony on Senate bill 
79, the Securing Energy Infrastructure Act. We will discuss the 
risks we face and the actions we should follow to protect our 
energy infrastructure from the impact of cyberattacks. In 
addition to defensive strategies, I am also interested in 
discussing whether there is a need to build preparedness and 
response capabilities in case of a long-term, widespread 
outage.
    The American people and American businesses depend on 
reliable and affordable electricity. These same customers 
expect the over 3,000 utilities in our country to be thinking 
ahead, coordinating actions and being responsive to our 
evolving demands.
    If we are not prepared for cyberattacks, a Ukraine-like 
situation could take place in the United States. In 2015 an 
attack on power companies in Ukraine resulted in 225,000 
Ukrainians losing power. Last December there was an attack in 
Ukraine that resulted in another round of power outages but the 
strategy on the Ukrainian grid was more complex than the year 
before.
    Hackers are certainly trying to create that kind of havoc 
here in the United States. One U.S. utility CEO has said, ``If 
I were to share with you the number of attacks that come into 
the network every day, you would be astounded.'' And it is not 
from people working out of their garage. It is from nation 
states that are trying to penetrate systems.
    I am encouraged to see that industry through the 
Electricity Sector Coordinating Council is working to 
collaborate and create best practices and partnerships with the 
government.
    The government and industry have also made great strides in 
cybersecurity through the creation of the National Institute of 
Standard and Technology, or NIST, cybersecurity framework, and 
the Electricity Information Sharing and Analysis Center (E-
ISAC).
    It is concerning, however, that we continue to hear of 
attacks from so many fronts. Hackers are going after personal 
information and personal accounts that can be disastrous and 
financially painful for those affected. We hear of ransomware 
attacks requiring payments to resume access to machines and 
controls. We hear of millions of dollars being spent across 
industry and government to protect from these ever-changing 
threats to our national progress.
    The questions that loom, however, are how, when, where is 
that next cyberattack going to happen? Are we prepared to 
react?
    I am hopeful that through this hearing and the opportunity 
we have to hear your testimony today and in the coming months 
we can strengthen both our preparedness and our response 
capabilities.
    I already see opportunities to enhance our cyber workforce 
and the need to gain clarity on the coordinated response 
actions of the Department of Energy Secretary and industry 
leaders. I am hopeful that we will uncover additional 
opportunities today.
    With that, if you are ready, I will turn it over to our 
Ranking Member, Senator Manchin, from West Virginia.

              STATEMENT OF HON. JOE MANCHIN III, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Manchin. Thank you, Mr. Chairman. I want to thank 
you for scheduling this hearing and for your work on this 
important issue.
    Now I want to thank all of you for being here today, and I 
am looking forward to the quality of discussions ahead.
    I think our states all have a lot in common, particularly 
because both of our states are domestic energy exporters. I 
think we both recognize the importance of that role in this 
nation.
    I also want to thank Senators King, Heinrich and Cortez 
Masto for the roles that they are playing in leadership on this 
issue.
    I appreciate that our witnesses are joining us today for 
this very timely discussion about the critical nature of our 
electrical grid and the very real cyber and physical threats 
that we face.
    The electric grid is essential to our lives and is also the 
lifeblood of the economy. The grid moves power, hundreds, if 
not thousands, of miles to our houses, offices, and supplies 
factories, every day. People and businesses in the northeast 
and mid-Atlantic states are heavily dependent on a well-
functioning grid to access power generated in my home state of 
West Virginia.
    The Energy Information Administration (EIA) reports that in 
2014 West Virginia produced over 80,000 kilowatt hours of 
electricity, and the EIA consistently reports that West 
Virginia typically exports more electricity than it consumes. 
West Virginia's neighbors, Maryland, Virginia, Washington, DC, 
and others, depend on us for reliable electric generation, not 
to mention coal and natural gas production.
    Whether because of a cyber or physical attack or some other 
energy disruption, imagine what it would be like if West 
Virginia stopped producing and delivering energy. Instances 
like the Polar Vortex quickly become even more dangerous and 
likely tragic. The secure and reliable transportation of energy 
is vitally important to our state's economy and to the safety 
and health of our citizens in those neighboring states.
    So I believe today's hearing is an important start to a 
longer conversation about the security of our grid. As the 
electric industry has increased its reliance on digital 
technologies to better serve consumers, the grid has grown more 
vulnerable to cyberattack.
    In December 2015, the first successful cyberattack took 
place against part of Ukraine's electric grid, demonstrating 
that shutting down the grid is a real possibility. Several 
hundred thousand customers were without power for several hours 
and many experts suggest that Russia was responsible.
    A year later, in December 2016, there was another power 
outage, this time in Northern Kiev, Ukraine. For approximately 
one hour, according to the affected Ukrainian power company, a 
blackout was caused by a cyberattack which was very similar to 
the allegedly Russian cyberattack on Ukraine's grid a year 
prior.
    Many cyber experts have come to the conclusion that it is 
not a question of if, but a question of when, a massive attack 
on our grid will occur. We must do everything we can to protect 
and prepare including hardening our networks to protect the 
grid and ensure the continued reliable delivery of electricity.
    But we also need to focus on emergency preparedness and 
incident response to minimize the effects of a potential 
attack. That is why the King/Risch/Collins/Heinrich bill is a 
step in the right direction. Senate bill 79 would establish a 
two-year pilot program within the national labs to research and 
test technology that could be used to isolate and protect the 
most critical systems of the electric grid. It would also 
establish a working group to evaluate the proposals of the 
pilot program and to develop a national cyber-informed 
engineering strategy.
    Mr. Chairman, the 2013 attack on the Pacific Gas and 
Electric Substation in Metcalf, California, reminds us that the 
threats to our grid are not limited to cyberspace. According to 
press reports, the Federal Energy Regulatory Commission, or 
FERC as we know it, has identified a small number of critical 
group-related facilities that, if physically attacked, could 
significantly impair the ability of utilities to keep the 
lights on.
    Keeping America's energy network secure from cyber and 
physical intrusion is critical as new technologies and threats 
continue to emerge from transnational, organized crime, 
terrorist groups and hostile foreign governments.
    The argument goes that the smarter and more connected the 
power grid becomes, the more vulnerable it becomes. I am sure 
you are familiar with the scale we are talking about. The 
Department of Homeland Security reported that 56 percent of 
cyber incidents against critical infrastructure in 2013 were 
directed at energy infrastructure, mostly on the electric grid. 
While the number has shrunk to 16 percent in 2015, there is 
much more to be done.
    That is why I supported the Energy Policy Modernization Act 
of 2016 that Chairman Murkowski and Ranking Member Cantwell 
worked so hard to get passed out of Committee and finally out 
of the Senate by a vote of 85 to 12. It does not happen often 
here. The bill included a cyber energy section that I supported 
when it passed the Senate.
    The cyber energy section directed the Secretary of Energy 
to carry out an energy/cybersecurity workforce development 
program. It also directed the Secretary of Energy to carry out 
a supply chain testing program for grid components. As more and 
more of our grid's components are both network enabled as well 
as manufactured abroad, we need to be sure that every piece of 
our national security assets has been rigorously vetted. It 
also proposed to double the Department's current investments in 
all energy/cybersecurity programs, and encouraged the 
Department of Energy to work hand in hand with the private 
sector. This recognizes the importance of aligning government 
capabilities with the needs of industry actors that are dealing 
with potential threats to our grid every day.
    Unfortunately, Congress adjourned last year before the 
Conference Committee was able to complete its work on this 
legislation, but the need to act still remains.
    The ability to deliver energy quickly, securely and without 
interruption is something that West Virginia prides itself on, 
which is why I am particularly appreciative of Senator King's 
passion for this issue. Senator Heinrich and Senator Risch's 
ongoing efforts on this bill are also to be applauded. I also 
want to thank the Chair for holding this hearing, which was 
much needed.
    I look forward to the testimony of our witnesses.
    Senator Gardner. Thank you, Senator Manchin.
    Before we introduce the witnesses today, Senator King, if 
you would like to say a few words about S. 79, the Securing 
Energy and Infrastructure Act.

             STATEMENT OF HON. ANGUS S. KING, JR., 
                    U.S. SENATOR FROM MAINE

    Senator King. Thank you, Mr. Chairman.
    You both have quite eloquently outlined the need. I, in 
addition to this Committee, sit on both the Armed Services and 
Intelligence Committees. Over the past four years we have had 
dozens, if not hundreds, of warnings of cyberattacks against 
critical infrastructure, and the grid certainly qualifies for 
that. I characterize what we are looking at now as the longest 
windup for a punch in world history. We know it is coming, we 
just don't know where and when and the risks are enormous.
    The second thing I wanted to say is that there is no single 
solution to this problem. The utilities themselves have done 
amazing and wonderful work in defending themselves. FERC has 
worked with them. There are lots of solutions percolating 
around the pilot program that is proposed in S. 79 that 
basically came out of work that was a result of the Ukraine 
hack in 2015. In this attack they found that one of the reasons 
the Ukrainian grid was able to be resilient was that there were 
some old-fashioned analog switches, and perhaps even places 
where old Dimitri with his dog had to go out and pull a switch, 
that saved the grid from a real catastrophe.
    What we are talking about here is not rebuilding or 
reengineering the entire grid, but to really ask the question, 
are there some back to the future answers at critical points 
that might protect us from the kind of attack we know is 
coming?
    It is no coincidence that the four principle sponsors of 
this bill, myself, Senator Risch, Senator Heinrich and Senator 
Collins are also all on the Intelligence Committee, and our 
work on this bill really started in that Committee and has 
carried through on to this Committee.
    So I look forward to the hearing. I appreciate your calling 
it.
    The other thing I want to express is that time is running 
out. I do not want to go home to my constituents in the middle 
of a blackout and say well, we might have gotten to this, but 
we had different committees that had jurisdiction and we really 
could not quite get at it in the Conference Committee. That is 
not going to cut it.
    I think this qualifies as an emergency, and I hope that we 
can act promptly. I hope that this is a bill that might get the 
level of support that it could go through on its own without 
waiting for a more comprehensive energy bill because that 
endangers, I think, our taking a practical step that could be 
of significant help to us.
    Thank you, Mr. Chairman.
    Senator Gardner. Thank you, Senator King.
    Before we do the formal introductions, we have two members 
of the Committee that may wish to say a word or two about our 
witnesses today.
    Senator Alexander.

              STATEMENT OF HON. LAMAR ALEXANDER, 
                  U.S. SENATOR FROM TENNESSEE

    Senator Alexander. Thank you, Senator Gardner.
    I am delighted to welcome Dr. Thomas Zacharia to the 
Committee. He is the Deputy Director for Science and Technology 
at the Oak Ridge National Laboratory and presides over one of 
the largest research budgets in our country. I will say two 
things about him.
    One is he developed the computer program at Oak Ridge which 
has produced the fastest computers in the United States, in any 
event. And next year, in 2018, there will be a computer five 
times as fast. That was his doing and his leadership. So he can 
speak with authority to the question of what can supercomputing 
do to help us with cybersecurity, with the grid, with waste 
fraud and abuse and Medicaid and Medicare--anything that has to 
do with data manipulation, Thomas knows how to build and 
operate the fastest computers in the world.
    Second, the Oak Ridge Laboratory is the largest science and 
energy laboratory, and he works with a lot of people. He is 
very well respected by all of the people with whom he works.
    So I welcome him here and look forward to his testimony.
    Senator Gardner. Thank you, Senator Alexander.
    Senator Franken.

                 STATEMENT OF HON. AL FRANKEN, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Franken. Senator Gardner, Xcel may operate in 
Colorado, but it is headquartered in Minneapolis.
    [Laughter.]
    Xcel also serves more than one million people in the Twin 
Cities area. So, I want to welcome Ben Fowke here today. Thank 
you, sir.
    I know we are going to be discussing cybersecurity, and I 
look forward to hearing your thoughts on that crucial subject 
as well as your role on the National Infrastructure Advisory 
Council which advises the President on crucial infrastructure 
activity.
    But first, I want to commend Xcel for being a leader in 
generating clean energy and reducing carbon emissions. More 
than 50 percent of the electricity you supply in Minnesota 
comes from wind, hydro, solar, biomass or nuclear. This helps 
us reduce emissions.
    Your company is on track to reduce greenhouse emissions to 
30 percent of 2005 levels by 2020, and you are not stopping 
there. You have just announced that you are going to add an 
additional 3,380 megawatts of wind capacity across seven 
states.
    We are very proud of what Minnesota has done since Governor 
Pawlenty signed in our renewable energy standard and our energy 
efficiency resource standards.
    I want to thank you for Xcel's leadership, for your 
personal leadership, and for showing how we can transition to 
clean sources of electricity while keeping rates low.
    I look forward to your testimony, and I think it is 
terrific that you also operate in other states.
    [Laughter.]
    Senator Gardner. Yes. And I, Mr. Fowke, would echo that. 
Thanks for making it clear to me as a kid who grew up on the 
eastern plains of Colorado, the dam wind isn't just one word. 
You can actually do something with it.
    [Laughter.]
    So, thank you.
    In addition to Mr. Fowke and Dr. Zacharia, we are also 
joined by Michael Bardee, the Director of the Office of 
Electric Reliability at the Federal Energy Regulatory 
Commission (FERC), and Mr. John Di Stasio, President of the 
Large Public Power Council.
    Thanks to all of you for being here and your time and 
testimony today.
    Mr. Bardee, if you would like to begin with your testimony? 
Thank you.

   STATEMENT OF MICHAEL BARDEE, DIRECTOR, OFFICE OF ELECTRIC 
       RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION

    Mr. Bardee. Thank you, Chairman Gardner.
    Chairman and members of the Subcommittee, thank you for the 
opportunity to testify. My name is Michael Bardee, and I'm the 
Director of FERC's Office of Electric Reliability. I am here 
today as a Commission staff witness and my remarks do not 
necessarily represent the views of the Commission or any 
individual Commissioner.
    In the Energy Policy Act of 2005 Congress gave the 
Commission a responsibility to oversee mandatory, enforceable 
reliability standards for the nation's Bulk-Power System, 
excluding Alaska and Hawaii. Cybersecurity is an important part 
of this responsibility.
    In 2008, the Commission approved NERC's first set of 
cybersecurity or CIP standards while also directing NERC to 
develop changes. Since then, the Commission has approved 
various changes to the CIP standards. Last year, utilities 
implemented version five of the CIP standards for high and 
medium impact assets. This year, utilities are implementing 
version five for low-impact assets.
    Last July, the Commission directed NERC to develop a 
standard on supply chain risk management. There is no 
requirement for any specific controls, nor did FERC seek one 
size fits all requirements. Instead, FERC said the standard 
should define the objectives while allowing flexibility on how 
to meet those objectives. NERC is working on a standard now and 
is due to submit it to the Commission in September.
    Also in July, FERC sought public comment on whether to 
modify the CIP standards for the protection of control centers 
used to monitor and control the Bulk-Power System. FERC cited 
the 2015 cyberattack on the grid in Ukraine as an example of 
how cyber systems used to operate and maintain a grid, unless 
protected adequately, can create cyber risks. FERC is reviewing 
the comments submitted in response and considering whether 
further action is appropriate on these issues.
    While mandatory standards are an important part of the 
Commission's work on cybersecurity, FERC also worked with 
industry in other ways, sharing information, encouraging best 
practices and providing assistance when requested, including 
through our Office of Energy Infrastructure Security.
    The goal of these efforts is to mitigate the risk of a 
cyber incident, but if such an event ever does happen, the 
industry also needs to be prepared to restore the grid. For 
this reason, last year, FERC completed a report with NERC and 
its regional entities on grid restoration and recovery. The 
report was based on working closely with a number of utilities 
and recommended various practices and additional studies. Work 
on those additional studies is ongoing.
    The work proposed in S. 79 could help utilities to maintain 
a secure electric grid. Utilities have come to rely 
increasingly on digital tools for operating the Bulk-Power 
System. A broad scale reversion to predigital technology is 
uneconomic, unjustified and perhaps even impossible.
    S. 79 focuses on only the most critical systems of the 
covered entities. Also, S. 79 does not require adoption of any 
particular technology and instead requires only research and 
testing. Any decision on implementation would be made only 
after sufficient research and testing.
    I would suggest one small change to S. 79 and that is to 
add FERC to the list of entities specifically included as a 
member of the working group in the bill.
    Thank you for allowing me to testify today. I would be glad 
to address any questions you may have.
    [The prepared statement of Mr. Bardee follows:]
   
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Gardner. Thank you, Mr. Bardee.
    Mr. Fowke.

    STATEMENT OF BENJAMIN FOWKE III, CHAIRMAN OF THE BOARD, 
     PRESIDENT & CHIEF EXECUTIVE OFFICER, XCEL ENERGY INC.

    Mr. Fowke. Senator Gardner, thank you for the invitation to 
speak at this important event. My name is Ben Fowke, and I'm 
the CEO of Xcel Energy. We're an energy company serving 3.5 
million electric customers and two million natural gas 
customers in eight western and mid-western states.
    I'm also a member of the Electric Sector Coordinating 
Council, or ESCC, and a member of the National Infrastructure 
Advisory Council, or NIAC, which advises the President on the 
protection of critical infrastructure.
    Today I want to give you Xcel Energy's perspective on 
cybersecurity. Our modern society depends on electricity. Left 
unprotected from cyberthreats, the grid and electric service we 
all depend on could be at risk. Fortunately, Xcel Energy and 
other utilities have cybersecurity programs designed to adapt 
and to respond to this growing threat. And while no program is 
perfect, I believe that our industry's approach should give the 
Subcommittee increased confidence in the grid security. That 
confidence, however, should be taken in context. Attacks on our 
grid continue to grow in number and in sophistication, and it's 
really easy to fall behind.
    It's clear we need better coordination with the DOE, the 
DHS and other Federal agencies. We need better, more timely 
information sharing, and we need new approaches to protect the 
devices that run the grid. Together, these strategies will 
enhance our cybersecurity defenses and the reliability of the 
power system.
    Let me begin by acknowledging a difficult reality, the 
cyberthreat is growing. In 2016, Xcel Energy identified over 
500,000 individual cyberattacks on our network. And although 
we're attacked daily, we're most concerned about potential 
attacks targeting the grid control systems.
    Grid industrial control systems use digital technology to 
do their work and, like anything else that uses digital 
technology, these systems could be hacked. Without proper 
controls and monitoring a cyberattack of the control system 
could force the grid offline.
    In response to this threat we work continuously to 
implement a flexible, effective, cybersecurity program. Our 
program separates and protects the control system from the 
Internet. We also use strong passwords and strictly control 
employee access to our critical systems. Our network is 
monitored by a dedicated team of cyber analysts on a 24/7 
basis. We act immediately on actionable threat intelligence 
from government and private sources. We routinely install 
antivirus and antimalware programs. We also hunt for 
indications of compromise in order to detect and eliminate 
threats. Finally, we perform third party penetration testing of 
the network to test the effectiveness of our defenses.
    Now despite these best efforts, no program is perfect; 
therefore, system recovery is one of our program's highest 
priorities. And while the challenges of system restoration 
would be different after a cyberattack, our industry's 
experience with system restoration after storms and other 
outages does give us a leg up.
    So, our cyber programs continue to improve but our program 
is and always will be a work in progress. There will always be 
more to do. We continue to look for ways technology can help 
protect the grid. For example, information sharing tools must 
become more sophisticated as the attacks become more 
sophisticated, and our arsenal of information sharing tools is 
continuously improving. Real-time machine-to-machine 
information sharing will further enhance our ability to respond 
to grid attacks, and we're working with other sectors to boost 
these capabilities. We're also beginning to deploy monitoring 
technologies to look for anomalies on the network that could 
indicate the presence of malware.
    Turning to national cybersecurity policy. The electric 
industry, the DOE, the DHS, are working together through the 
ESCC to establish robust national cybersecurity efforts. My 
written testimony provides an overview of the programs 
spearheaded by the ESCC to enhance the nation's cybersecurity 
effectiveness; however, as I stated, there's always more to do 
and Congress and the Administration can help.
    First, in a recent scoping session, NIAC has recommended to 
the President that the nation adopt a new transformational 
national framework for cybersecurity. The NIAC scoping study 
points to a fundamental problem with the current approach and 
that despite recent progress, national cybersecurity policy is 
often uncoordinated and unfocused. And while not speaking on 
the behalf of the Council, I believe the recommendations of the 
NIAC scoping study are urgently needed.
    Second, in our experience, Federal agencies are often slow 
to provide classified information regarding cyberthreats to 
utilities. While protection of the nation's secrets is vital, a 
better process is needed to ensure that we have the necessary 
information in a timely fashion.
    Finally, I believe we need both more research into cyber 
safeguards and the development of improved standards for 
software that controls the operational devices that were on the 
grid.
    Thank you for the opportunity to be here with you today. 
I'd be happy to answer any questions.
    [The prepared statement of Mr. Fowke follows:]
   
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Senator Gardner. Thank you, Mr. Fowke.
    Mr. Di Stasio.

            STATEMENT OF JOHN DI STASIO, PRESIDENT, 
                   LARGE PUBLIC POWER COUNCIL

    Mr. Di Stasio. Chairman Gardner, Ranking Member Manchin, 
members of the Subcommittee, thank you for the opportunity to 
appear before the Subcommittee today.
    My name is John Di Stasio, and I'm the President of the 
Large Public Power Council. Known as the LPPC, the Council 
represents 26 of the largest state-owned and municipal 
utilities in the nation, and we provide power to over 30 
million people in 13 states.
    I'm here to respond to the Committee's interest in 
cybersecurity threats facing the U.S. electric grid. I'd also 
like to provide input on S. 79, the Securing Energy 
Infrastructure Act.
    The points I want to emphasize are these. Industry is 
engaged. While cybersecurity threats to the electric grid are 
fast evolving and they do require quick, adaptive responses, 
much is beginning to be known about the threat environment. The 
electric industry, working with the standards promulgated and 
enforced by the North American Electric Reliability 
Corporation, NERC, and also FERC and working with our 
governmental partners, has effectively responded to known 
threats and we're actively working to anticipate emerging 
threats.
    Because of the nature of the cybersecurity threats faced by 
industry, they're evolving rapidly and they're not static so 
the electric industry has repeatedly emphasized the need for 
flexible application of cybersecurity regulations that permit 
industry agility in responding to threats and the ability to 
implement evolving technology solutions. The electric industry 
has been grappling with cybersecurity threats for at least a 
decade. We've learned a lot about the nature of the threats we 
face in a variety of attack vectors. In response to these 
threats and with the oversight of FERC, NERC has implemented 
and enforced the nation's only mandatory suite of cybersecurity 
standards, the CIP protection standards.
    The 2015 cyberattack, as was mentioned, on the Ukrainian 
grid underscored the electric grid's vulnerability. Although I 
don't want to understate the concern, I do want to emphasize 
that techniques used by the attackers were generally understood 
by the industry and are meaningfully addressed by NERC's 
reliability standards. Specifically relevant are those CIP 
standards that provide for electronic security perimeters, 
access control and malware detection and remediation.
    A study by the DHS identified three areas for further 
review: air gapping, application whitelisting and risks that 
reside within the supply chain. These areas are under current 
study by NERC and FERC.
    As to air gapping, NERC says, and I agree, that while there 
are potential security benefits associated with this approach, 
there are reliability and operational considerations too. So 
further study is certainly warranted.
    Similarly, while application whitelisting is one feasible 
way to guard against the operation of malware on utility 
systems, it also presents possible unintended consequences that 
may include interference with essential reliability and 
operational processes. Here again, further study would be 
useful.
    As to the supply chain, NERC is currently in the process of 
developing a standard at FERC direction. Certainly the 
procurement of trusted hardware and software is important, but 
it's not reasonable to ask utilities to police the compliance 
of vendors and their commitments to follow security practices. 
We are pressing for an approach to a supply chain standard 
which also places onus on the vendors to ensure compliance with 
their commitments to implement sound and reliable security 
practices.
    Because cyberthreats evolve rapidly, it is important that 
utilities maintain the agility to respond to threats and the 
ability to implement evolving technology solutions. S. 79 
promotes government industry partnership in studying evolving 
vulnerabilities which will help combat cybersecurity threats; 
however, LPPC does caution against converting study findings 
into any one-size-fits-all solutions. The electric industry's 
response to cybersecurity risk is robust, it's fast evolving 
and it's intimately tied to efforts by the government to 
enhance the nation's security posture.
    I would never claim that all risks are covered, but a great 
deal of work is being undertaken in this area. As in any robust 
security environment, the focus is appropriately not only on 
prevention, but also on response and recovery.
    We welcome the opportunity to work with the members of the 
Committee to provide further information and receive input on 
this joint endeavor.
    Thank you.
    [The prepared statement of Mr. Di Stasio follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Gardner. Thank you.
    Dr. Zacharia.

 STATEMENT OF DR. THOMAS ZACHARIA, DEPUTY DIRECTOR FOR SCIENCE 
         AND TECHNOLOGY, OAK RIDGE NATIONAL LABORATORY

    Dr. Zacharia. Chairman Gardner, Ranking Member Cantwell and 
members of the Subcommittee, thank you for the opportunity to 
appear before you today. And Senator Alexander, thank you for 
the kind remarks.
    I'm Dr. Thomas Zacharia, Deputy Director of Science and 
Technology at the U.S. Department of Energy's Oak Ridge 
National Laboratory (ORNL). The focus of our programs at ORNL 
is on solving compelling national problems in energy and 
security. These problems are connected. Energy security is a 
vital component of our national security.
    Last Tuesday, a series of powerful storms swept through 
East Tennessee. The morning after, I spoke with the Chairman of 
the Electric Power Board (EPB) in Chattanooga with whom ORNL 
has a long-standing partnership. The Chairman told me that the 
severe weather had disrupted services to 65,000 homes in the 
EPB service area, but thanks to the state-of-the-art control of 
the EPB system, half of those homes experienced nothing more 
than just a power flicker and EPB was able to rapidly work to 
restore service to the other homes.
    We know that these same digital systems that are so 
successful at running the electric grid efficiently and 
effectively are also vulnerable to cyberattack. The DOE 
National Laboratory system recognizes this vulnerability and is 
actively pursuing technology advancements to mitigate this 
threat.
    Often described as the world's largest machine, the U.S. 
electric grid is a foundation of our competitive national 
economy and, indeed, our way of life. However, as utilities 
have increased smart interconnections between grid services to 
make the system more agile and adaptive and able to preempt 
disturbances, they have also created some access points for 
potential cyber disruption.
    With the growing sophistication of cyber intrusions, we 
need to go beyond today's practices. With DOE and electric 
utilities, we've been exploring ways to get critical 
infrastructure off the public internet.
    Specifically, the following technological advancements and 
solutions are needed to ensure reliable, efficient, resilient 
and secure grid infrastructure across the country: eliminate 
direct connectivity to the internet, implement advanced cyber 
defensive measures beyond what's possible on the internet, 
develop supply chain components and Internet of Things devices 
with security built in, provide wide area situational awareness 
and decision support by enhancing grid state monitoring with 
advanced sensing and measurements and use living laboratories 
in partnerships with utilities and national laboratories to 
test functionality and resilience of advanced cyber and cyber 
physical solutions to accelerate transition to practice.
    ORNL has developed numerous technologies used to counter 
cybersecurity threats. These technologies range from hardware 
device monitors to software that can detect dormant malicious 
code, to platforms that can discover and detect the presence of 
advanced persistent threats.
    Cyber physical tools and capabilities include Grid Eye 
sensors 
located across the U.S. for real time systems monitoring and 
EAGLE-I which monitors the nation's energy sector in real time. 
This can be leveraged with the PNNL-led effort on the 
Cybersecurity Risk Information Sharing Program (CRISP) to 
provide cyberthreat information to industry partners.
    Without our established public/private partnerships, these 
technologies will not be adopted by industry. For example, DOE 
and ORNL are leveraging the EPB automated smart grid and fiber 
optic network infrastructure to develop next generation of 
cybersecurity defense systems, including next generation 
quantum cybersecurity software that has the potential to 
prevent undetected hacker intrusions into the IT networks.
    National labs, including ORNL, are uniquely positioned to 
address cybersecurity challenges through technology 
breakthroughs in partnership with the private sector.
    One example of the laboratories, the system of 
laboratories, working together on major challenges is the Grid 
Modernization Laboratory Consortium, GMLC. This was established 
as a strategic partnership between DOE and the national 
laboratories to bring together leading experts, technologies 
and resources to collaborate on the goal of modernizing the 
nation's grid.
    Thank you for the opportunity to be here today to share 
with you what we see are some of the solutions to minimize 
cybersecurity threats to the electric grid and, in turn, 
further contribute to the security of the nation.
    [The prepared statement of Dr. Zacharia follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Senator Gardner. Thank you, Dr. Zacharia.
    I know Senator Alexander has a hard stop, so, Senator 
Alexander, I am happy to yield to you if you would like to ask 
some questions.
    Senator Alexander. Thank you, Mr. Chairman, I appreciate 
that very much. So I will just ask one question.
    Dr. Zacharia, ever since I have been here, which is now 
about 14 years, the Congress and the Administrations have put a 
priority on building supercomputers, and I believe you have 
built the fastest supercomputing system in our country. Is that 
right?
    Dr. Zacharia. That is correct, Senator.
    Senator Alexander. And it is going to increase in 2018 by a 
factor of five, is that correct too?
    Dr. Zacharia. Factor five was 2004.
    Senator Alexander. Well, let me ask, in fairly specific 
terms, what difference does it make if we have the fastest 
computer, or the second, or the third, or the fourth, or the 
fifth, or the sixth, in terms of cybersecurity and monitoring 
our grid?
    Dr. Zacharia. Senator Alexander, thank you for the 
question.
    Like any other system, leadership in supercomputing is 
absolutely essential because the Chinese and other nations use 
a supercomputer for just the same advantages that we seek to 
achieve in this country. So, the Chinese system that is 
currently, that the Chinese have two systems that is the 
fastest in the world today. Many of the applications that 
they're using are for cybersecurity, both defensive and 
offensive cybersecurity, as well as other materials and 
technologies.
    It's absolutely essential that we maintain the ability to 
match and deter cybersecurity threats. The way the 
supercomputer comes into play is that as the grid system 
particularly as the nation's electric grid system have deployed 
new technologies to make them more smart so they can deliver 
better services to their consumers.
    They've also become much more data aware. They produce a 
lot of data. There are lots of sensors. What supercomputers 
allows us to do is to monitor the data real time, analyze it, 
do some of the deep data analysis and just like you might have 
heard, IBM Watson, to be able to actually make decisions on the 
fly, to do cognitive computing.
    The summit system that is going to be deployed in 2018, 
even though it's going to be five times faster, it also has a 
co-processor that allows you to do real time data analysis and 
decision-making. So these are some of the advantages in terms 
of being able to stay at the leading edge to make sure that the 
nation's grid system is protected and we have the necessary 
tools and capabilities to do that.
    Senator Alexander. Thank you, Dr. Zacharia, and thank you, 
Mr. Chairman, for your courtesy.
    Senator Gardner. Thank you, Senator Alexander. I will now 
turn to the Ranking Member of the Committee, Senator Cantwell.
    Senator Cantwell. Thank you.
    I am also happy you have the fastest supercomputer.
    [Laughter.]
    When every particle in a storm can be put into an algorithm 
and you can process that information so the United States can 
have more data, instead of going to the Europeans, who right 
now have a faster or at least, in my understanding, have 
better, more accurate information on Sandy than we did in the 
United States--we need to keep going. We need to give you all 
the capacity for that and more because this weather aspect is 
so, so important.
    I see your colleague is nodding because when utilities know 
that that level of damage is going to occur, they can better 
plan for it. They can relocate assets, get them there in time, 
all sorts of things.
    So anyway, on the cyber front, Dr. Zacharia, you mentioned 
the supply chain. We also had a hearing on cybersecurity in the 
Commerce Committee, which I found very interesting because a 
lot of the discussion focused on private sector entities. I 
definitely believe in collaboration here between the 
universities, the utilities and the private sector on where we 
go forward. But we did not get too much into the supply chain. 
We talked a lot about education, how we need to have these 
various two-year and four-year academic degrees on 
cybersecurity. We do not, currently, have enough focus on that. 
But we did not talk enough about the supply chain and supply 
chain risk. Could you elaborate on that?
    Dr. Zacharia. So, it is, Senator Cantwell, thank you very 
much for the question.
    It's certainly clear that the supply chain is vulnerable 
and there is clear evidence that the supply chain, some of the 
key components that are used, is vulnerable for cyber 
intrusion. I think it is really important for laboratories like 
the DOE lab system working with private sector and university 
partners to have the ability to test and validate the 
components that go into our grid system, because they are so 
essential to maintaining the security of the system while 
delivering the kind of services the consumer expects today.
    Senator Cantwell. So are you worried about a direct threat 
or just not understanding the supply chain and the dynamics of 
products?
    Dr. Zacharia. Well, I think that it is really important for 
us to ensure that we understand the supply chain of critical 
components on what we consider as an essential part of our U.S. 
economy which is the electric grid.
    And so, while I cannot speak to specific issues about a 
particular component, I think it's essential that we pay 
attention to the security threats and vulnerabilities 
associated with the supply chain.
    Senator Cantwell. Okay.
    Anybody else?
    Mr. Fowke. I would just add that these operating 
technologies are increasingly converging with IT technologies. 
And so, when you think about the hardware that we use to run 
the grid, there's chips and other IT type technologies embedded 
in that and without standards that protect and make sure that 
we have the necessary cybersecurity overlays that equipment and 
the ability to monitor that equipment, then we're really flying 
blind.
    I think there's a lot of work that can be done in making 
sure that what's on the grid and, quite frankly, ultimately 
what's in somebody's home, in the interim of things is secured 
in a way that, I think, we all would come to expect.
    Senator Cantwell. And that is a group discussion as well?
    Mr. Fowke. Yes.
    Senator Cantwell. To get there, it is everybody discussing 
and participating in that?
    Mr. Fowke. Yup.
    Senator Cantwell. Well we definitely need to think about 
that and the recommendations from the Quadrennial Energy Review 
on cybersecurity, and we definitely need to get those 
implemented.
    Thank you, Mr. Chairman.
    Senator Gardner. Thank you, Senator Cantwell.
    Throughout the testimony and in your written testimony, I 
have seen a number of acronyms. I think, if you just look at 
what is involved in cybersecurity, so far, we have covered DOE, 
NIST, DHS, NSA, CIP, E-ISAC, is that how you say it, I, S, A, 
C, E-ISAC, FS-ISAC, ESCC, NIAC, NERC and FERC. It is clear 
where we go in cyber, so I think that is part of the challenge 
that we have.
    Senator Cantwell mentioned that she had a Commerce 
Committee hearing on cyber. Later this week I am going to be 
holding a Foreign Relations hearing where we are going to talk 
about cyber. Here in Energy Committee, we are talking about 
cyber and all these acronyms.
    Mr. Fowke, you mentioned at the beginning of your testimony 
one of the things that we need to work on is better 
coordination with the Department of Energy, Department of 
Homeland Security and the other agencies that we highlighted 
here.
    I have introduced a bipartisan bill to create a Senate 
Select Committee on Cybersecurity, trying to answer some of 
these jurisdictional questions. Over half of the Committees in 
the United States Senate have some jurisdiction, either in the 
rules or self-claimed jurisdiction, over cybersecurity. I think 
nine committees have held 20 hearings on some cyber element.
    What are your thoughts on creating a Senate Select 
Committee on Cybersecurity that would have jurisdiction over 
cybersecurity, cyberspace, which would oversee and strengthen 
U.S. data prevention, data breach prevention strategy, other 
cyber activities? Would it have a value, the Select Committee 
on Cybersecurity, that would help the energy industry organize 
government rules and responsibilities?
    Mr. Fowke. Yes, Senator Gardner, I think it would.
    And let me apologize for the use of the acronyms. That's 
how you get your testimony in in five minutes.
    Senator Gardner. It wasn't just you.
    [Laughter.]
    Mr. Fowke. Oh.
    As I said in my testimony and as the NIAC scoping study 
points out, we just need to coordinate better. I mean, there's 
a lot of work being done, but it's being done by a lot of 
agencies. It's being done by a lot of Congressional committees, 
and there's a lot of industry work that's being done as well.
    I think we're getting better at coordinating, but the bad 
actors are getting better at attacking us at the same time.
    So, to the extent we can have a more coordinated, focused 
effort, you know, it doesn't--it reminds me a little bit about 
the difference between watching a professional soccer team and 
kids that are six years old. Everybody is going to the ball, 
but you've got to play in your swim lanes and as a team. I 
think that's what you're suggesting.
    I would caution that sometimes we rush to pass the 
legislation and we ought to make sure that there isn't 
unintended consequences with that legislation too. And I really 
think the tone at the top is where we start and then we work 
our way down. And that way we can have a coordinated response.
    Senator Gardner. Mr. Fowke, follow up on that too.
    Is there any kind of coordination that Congress can help 
provide industry, or in the various organizations that you are 
a member of? Will you, through industry and your partners in 
government, come up with the correct coordination on your own 
or is it something that Congress needs to provide guidance 
with?
    Mr. Fowke. We need help getting the information.
    As I mentioned in my testimony, quite often, by the time we 
hear about a potential threat or a threat from the government, 
we've known about it for quite a long time through private 
sources or industry communication, et cetera. And I think the 
reason for that is we struggle on taking what could be 
classified information, declassifying it and getting it out 
quickly.
    The second thing we struggle with is where there is a need 
to keep it classified. I think we've got a six to eight-month 
backlog per individual to try to get classified status. So you 
might want to share the classified information, but you can't 
share it because the people aren't cleared.
    In an age where we're talking machine to machine, that is, 
that's quite a hindrance. We need to do better with that 
because we have the tools in place, another acronym, CRISP, the 
detection software. That's a good system and right now the 
information is going right into the lab and it's basically 
where it stays. So, we need to start getting a two-way flow of, 
what I think, could be very valuable information.
    Senator Gardner. So if I understand the problem, there's a 
twofold challenge, right?
    You have the challenge of getting the information from the 
Federal Government, information that you need to protect the 
grid, the system, your power system. And secondly, of course, 
is getting people who can then receive that information with 
the proper classification. Is that correct?
    Mr. Fowke. That's correct.
    Senator Gardner. There is a story that I wanted to share 
with you. I am sure on the Committee, you have all heard this 
story. It was reported in E&E news. It is a story of, I guess 
it was a security test, where they had a person come into the 
utility, basically to audit their security. Apparently the 
security auditor told him that he had seen equipment in the 
utility, in the utility control room, that would not be allowed 
in a federal installation because it is vulnerable to hackers. 
The security auditor said, in a federal installation that piece 
of equipment would not be allowed to be in it because of its 
vulnerability. The head of the utility company asked, what is 
that equipment? And the response was, I can't tell you, it's 
classified.
    [Laughter.]
    So, that is the problem.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you, Mr. Chair, and I 
appreciate the comments today.
    This is an area that I worked in as the Attorney General of 
the State of Nevada and something that I saw from a state 
perspective that we needed to address but was always concerned 
about the federal interaction. Now I am on the federal side and 
I see the same, kind of, bifurcation where there is a lack of 
communication, not only at the federal level, but the 
communication at the federal level and the states. And that is 
the question I have from the very beginning.
    Mr. Bardee, it is a two-part question relating to how 
information, with respect to threats and remediation, is 
conveyed to state officials? And it goes back to some of the 
concerns that we have talked about with acronyms and the number 
of committees and commissions that are out there.
    I understand that the Electricity ISAC is responsible for 
situational awareness, incident management and communications 
regarding cyberthreats to the grid. But the Electricity ISAC is 
only one of 20 different ISACs. States participate directly in 
only one which is the multi-state ISAC. So, how does the 
cyberthreat information regarding the electric grid get to 
those state officials?
    Mr. Bardee. There are a number of informal mechanisms by 
which that information can be shared. Our agency, for example, 
particularly in our Office of Energy Infrastructure Security, 
reaches out to the states and tries to work with them and share 
information and assist them, as appropriate. I know the 
Department of Energy does, too.
    And the more sensitive information, the classified 
information, generally, it originates in other parts of the 
Federal Government, Department of Homeland Security, for 
example. And we are a recipient of that sometimes, but we're 
not the source of it.
    So I would say that it is a challenge to ensure that the 
states are getting all of the information they need, given the 
ways in which that information may come into the government. 
But it's an ongoing effort and we are looking for ways to 
improve that. I, for example, and some of my colleagues are 
going to be meeting with NARUC, I think in about two weeks, to 
discuss cybersecurity. And this, I would expect, to be part of 
the conversation.
    Senator Cortez Masto. Yes.
    I would appreciate more of a direct interaction at the 
state level and not through different task forces or multi-
levels. I know the state counterparts would appreciate that. I 
think this is an effort that we have to look beyond, not just 
the federal level, but at the state level. Everybody should be 
working to address the cyberthreats that we see, so I 
appreciate your comments.
    Let me just open this up. I understand that the second 
installment of the QER noted that the traditional definition of 
reliability may be insufficient to ensure system integrity and 
available electric power in the face of physical attacks and 
cyberthreats, among other things, and that the security of the 
systems, particularly cybersecurity, is a growing concern. 
Would you agree with that assessment from the QER?
    I will open that up to anyone.
    Mr. Di Stasio. I would say, I think, FERC addressed part of 
this as a--it was mentioned previously about the 2013 Metcalf 
attack in California. At that time, I was a CEO of a 
neighboring utility in California, so that was a very real 
incident for us.
    FERC added a standard on physical security that really 
directed utilities to make a risk-based assessment of where to 
harden the system from both physical attacks and we've already 
got the CIP standards that are focused on doing the same for 
cyber.
    But again, these risks are evolving. They're emerging. 
They're not static. So it becomes more of a prioritization of 
which of the systems and which of the components within the 
system are going to provide the greatest risk mitigation and 
doing those first. And that's what we're really in the midst of 
undertaking right now.
    Senator Cortez Masto. I appreciate that.
    One final question, Dr. Zacharia. You mentioned a 
suggestion that one way to answer the concern about 
cybersecurity threats is that we eliminate the grid or any type 
of critical infrastructure from the internet. Can you expand on 
that? Do you think that is possible, particularly with the 
evolution of technology, the Internet of Things and everybody 
being connected, including smart meters, which we have in the 
State of Nevada?
    Dr. Zacharia. Senator, what I meant to say was that it 
should be disconnected from the commercial internet. So let me 
expand on that.
    Our own experience is that when Oak Ridge National 
Laboratory, about a dozen or so years ago, was deploying one of 
the fastest supercomputers in the world, we did not have very 
high speed network connectivity into the laboratory. And the 
way that we solved that problem was that there is actually dark 
fiber that most of the major utilities have in the right of 
way. Generally it is usually used with control systems and it 
has redundant pairs of fiber. We were able to work with the 
utilities, in this case, TVA, to get a pair of fiber that is 
completely separate and isolated from the commercial internet 
provider.
    One of the suggestions is that there is a tremendous amount 
of dark fiber that is available on the right of way--using 
these dark fiber as a way to create a separate, you know, sort 
of air-gapped, network connectivity because I think it is 
really important that the consumers are used to a certain level 
of service and it's not good to go back. And one way to provide 
that service is to actually have dedicated network and using 
dark fiber that is already available in the ground today.
    Senator Cortez Masto. Thank you. Thank you very much.
    Senator Gardner. Thank you.
    Senator King.
    Senator King. Thank you, Mr. Chairman.
    First, a sort of basic question.
    Mr. Bardee, is there one national grid? My understanding is 
that the entire nation is not connected. There are regional 
grids. Am I correct?
    Mr. Bardee. The best way to describe it is that there are 
three interconnections in the United States.
    One, basically within Texas, not fully congruent but 
basically one for the western third of the United States, and 
the rest in the East.
    Senator King. Are those three connected? In other words, 
could you bring down the entire nation at one time or would you 
have to do three?
    Mr. Bardee. There are very limited connections between 
those three. So generally, if there is a problem in one of the 
interconnections it does not affect the other two.
    Senator King. Let me talk about the sophistication of the 
attacks. My understanding is that the level of sophistication 
is going up.
    Mr. Fowke, you mentioned 500,000 attacks. That is 
astonishing. A lot of those are poking and prodding and testing 
and trying to find vulnerabilities and that these attacks are 
getting more sophisticated all the time. Is that correct?
    Mr. Fowke. Yes, I would not say the 500,000 are 
sophisticated, all sophisticated nation states, but the problem 
with trying to categorize what might just be something like, 
you know, a benign, well it's not benign, but a phishing 
attempt. Something we all get is that there might be more 
behind what looks like run of the mill type, you know, virus or 
malware that's trying to be implanted.
    And what happens is if you get phished and it's allowed to 
get onto your network, that virus, that malware, will hunt 
around for as long as it takes, searching out weaknesses that 
can get it into something more important, like your----
    Senator King. And it can also lie dormant for some period 
of time.
    Mr. Fowke. Yes.
    I believe that is another acronym. I think it is called 
APT, but Advanced----
    Dr. Zacharia. Persistent Threat.
    Mr. Fowke. There, thank you.
    Senator King. Advanced Persistent Threat.
    Mr. Fowke. Right.
    Senator King. But what we are seeing here is the nature of 
warfare changing before our eyes. And the Russians, 
particularly, are playing a weak hand, very effectively, and it 
is on the cheap. For the cost of one tank they can hire 500 
hackers or trolls or whatever.
    We know that this is a part of their foreign policy 
strategy in terms of elections, in terms of other kinds of 
disruptions to western countries. And this is, really, a threat 
that the likes we have not seen.
    By the way, Mr. Chair, I like the idea of the Select 
Committee on Cybersecurity. You get to tell Senator McCain that 
you are taking cyber away from Armed Services.
    [Laughter.]
    Senator Gardner. He co-sponsored it.
    I don't know if he knows the full implication of that.
    [Laughter.]
    Senator King. I think that is an important idea.
    Well again, several of you mentioned S. 79. We are not 
trying to do anything prescriptive here, but we are trying to 
test hopeful, promising technology to link the utility 
community with the national labs. What I hear many of you 
saying is coordination is one of the key elements of this and I 
am talking, we are talking, about coordination on a specific 
project.
    But on the broader sense, I think, good coordination is one 
of the most important things that we can try to develop. We 
need this country to develop a cyber strategy, Deterrents 2.0, 
so that we are not being purely defensive, that there is an 
offensive capability and that our adversaries understand that 
and that there is some kind of risk involved with their 
continuing to prod our grid.
    I really appreciate the testimony here today and look 
forward to working with you. If you have suggestions or input 
how we can--and I take your suggestion, Mr. Bardee, that FERC 
should be part of that committee that analyzes what the labs 
and the utilities come up with. So, I think that's a good 
suggestion. We will add that to the bill.
    Thank you.
    Thank you, Gentlemen.
    Senator Gardner. Thank you.
    Senator Franken.
    Senator Franken. Thank you, Mr. Chairman.
    Earlier this month, President Trump released his budget 
blueprint which calls for an overall cut of $1.7 billion to the 
Energy Department. The budget slashes investment in both basic 
and applied energy research and development, including the 
complete elimination of ARPA-E.
    More broadly, these cuts would threaten the expertise found 
at our national labs, a resource that is the envy of the world. 
One of the programs specifically mentioned for significant cuts 
is the Office of Electricity Delivery and Energy Reliability. 
Now, both our national labs in the Office of Electricity are 
engaged in critical work regarding cybersecurity.
    Mr. Di Stasio, your testimony mentions close coordination 
between your industry and the DOE Office of Electricity. Can 
you elaborate on that collaboration and what severe cuts to 
that office would mean from an industry perspective?
    Mr. Di Stasio. Yes, Senator.
    We've worked closely with the Office of Energy Delivery and 
Reliability, both on the development of smart technologies to 
advance smart grid and so forth, but also on reliability risks 
related to cyber.
    It was mentioned earlier one of the acronyms of CRISP is 
essentially a tool to allow the triangulation of threat trends 
across multiple systems versus individual systems dealing with 
it by themselves, and we worked with the Office of Energy 
Delivery and Reliability to help better understand that and 
also to get it with our members so that we could get more folks 
to join up.
    We have also worked closely, their office has been 
instrumental, in developing the request that came out of the 
FAST Act that was passed in 2015 that directed us to have an 
essential transformer spare system and also to deal with 
transportation.
    Senator Franken. How is that working?
    Mr. Di Stasio. Well, it's yet to be communicated back to 
the office.
    Senator Franken. Because we had the physical assault on the 
transformers and----
    Mr. Di Stasio. Well, so the issue is that there's a 
discreet number of very large transformers that pose, kind of, 
a disproportionate impact on the grid, should they be impacted. 
And actually, an analysis, and I was complementing Dr. 
Zacharia, was done by Oak Ridge labs to identify what the 
threat landscape looked like in utility planning terms. That 
technical analysis then went to DOE, who in fact, is then 
supposed to come back to Congress, through House Energy and 
Commerce, to provide a report on what we should do. So those 
are just two examples where this office has been a critical 
interface for us as utilities, with the Federal Government and 
that capacity. If it didn't exist in that office, it needs to 
exist somewhere because it's very important work.
    Senator Franken. So, again, what do these kinds of 
Draconian cuts, what will that mean to your work, Mr. Fowke?
    Mr. Fowke. I don't know, Senator, but I can give you a 
definitive answer on that. I know the research is important and 
if these budget cuts cut some of the research out that we're 
talking about here, I think the whole----
    Senator Franken. They are going to.
    Mr. Fowke. ----would suffer for it.
    Senator Franken. Okay.
    The majority of severe power outages are weather related. 
Heat waves diminish the performance of our electrical system 
and at the same time cause extreme loads as people run their 
air conditioners. Droughts cause outages because they impact 
lower hydropower reserves and smaller supply of cooling water 
for coal and nuclear plants. Hurricanes and flooding can cause 
widespread outages, damaging both the grid and generation 
facilities.
    The Transportation bill we passed in 2015 provides the 
Energy Secretary with the authority to address grid-related 
security emergencies caused by cyberattacks, physical attacks, 
electromagnetic pulses or geomagnetic disturbances. 
Conspicuously, conspicuously absent is the biggest actual 
threat to the grid, outages by extreme weather which we will be 
seeing more as climate changes.
    The recently released Quadrennial Energy Review notes that 
cyber terrorists are likely to use natural disasters as force 
multipliers, to quote the report, ``By timing grid attacks to 
correspond with natural disasters, intelligent multi-site 
attacks by knowledgeable attackers targeting the specialized 
components, could result in widespread, long-term, power 
outages from which it could take several weeks to recover.''
    How well is your industry prepared to deal with multiple, 
simultaneous problems? How might timing a cyberattack to 
correspond with a weather-related problem amplify the impact of 
the attack?
    That is for anyone.
    Mr. Fowke. Senator, I think that's a great question, and I 
think it would be naive to think that the bad guys would only 
attack us on a good day.
    And so, what our industry is drilling constantly around is 
exactly that, a physical or a storm outage, natural disaster, 
combined with a cyberattack because if you then take out 
communications you start to get to a situation where you're not 
sure if it's cyber or if it's physical or if you can count on 
the signals that you're getting from your grid.
    So, it gets back to how do we operate this grid blind? How 
do we coordinate with each other? How do we assume the telecom, 
telecommunications will be operating?
    We did it an elaborate grid exercise a couple years ago, 
and I think we learned a lot. But I think we also found that 
there's a lot of resilience built into the grid too. But we 
can't drill enough on that.
    Senator Gardner. Senator Heinrich.
    Senator Heinrich. Thank you, Chairman.
    For either or both, Mr. Fowke or Mr. Di Stasio, one of the 
issues we follow very closely on the Intelligence Committee is 
how we monitor individuals that are suspected of being already 
involved in terrorist activities. You can imagine these are 
exactly the people that you do not want running your critical 
control centers.
    What personnel controls does the utility industry have in 
place when conducting security clearances, background checks, 
and do you think they are sufficient? In addition, are there 
additional federal resources, like the FBI's Terrorist 
Screening Center, that could potentially improve that process 
for the industry, if you had access to those?
    Mr. Di Stasio. Senator, that is a concern because the human 
resources element of cyber is a significant risk as well.
    Most all of us, by requirements of standards and also our 
personnel policies, make sure that we tightly control ingress 
and egress. We do have advanced background checks for certain 
sensitive classifications.
    I will say in the recent past our national association, the 
American Public Power Association, as well as others, have been 
working with the FBI to get access to advanced background 
screening for certain personnel. And that language is being 
considered and developed now.
    Senator Heinrich. Great.
    Mr. Di Stasio. I think, I do think, it's an important point 
not to overlook that while some progress has been made, more 
needs to be made and especially given the fact that there's 
diversity of state policy around this.
    Again, I represent municipal utilities, so we also have 
different sunshine laws in different states and different 
statutes.
    Senator Heinrich. Yes.
    Mr. Di Stasio. And so, trying to harmonize all of that into 
something coherent is a fairly significant undertaking. But it 
is on the radar screen, if you will, as how to best deal with 
some of the human resource issues.
    Senator Heinrich. Mr. Fowke, I believe you mentioned the 
time-based challenge of getting security clearances. Was that 
you?
    Mr. Fowke. Yes.
    Senator Heinrich. The bottleneck there, is it personnel or 
funding to do the analysis for those clearances and is that all 
on the Federal Government side of the ledger?
    Mr. Fowke. Well, it's an elaborate process, as you know, 
and so I think it's a time-based manual effort. It's the 
manpower which translates to the funding, I would assume.
    Senator Heinrich. If that funding is reduced over the 
course of the budget process, what would that mean for being 
able to adequately manage that risk?
    Mr. Fowke. Well, if the funding came out of that aspect of 
the security clearance, then I would suspect it would slow it 
down. And right now, as I mentioned, it's six to eight months.
    Senator Heinrich. Pretty slow as it is.
    Mr. Fowke. Yes.
    Senator Heinrich. Okay.
    Mr. Bardee, I am pretty excited about FERC's proposed rule 
on energy storage and distributed energy resources, 
participating in organized wholesale markets. With these 
additional players from the distribution side participating in 
the bulk power market, does the Federal Power Act provide FERC 
sufficient authority to assure both security and reliability of 
the grid?
    Mr. Bardee. Senator, that's an issue we need to do more 
work on.
    Those types of resources bring value to the markets because 
they diversify our sources of supply, but at the same time, 
ensuring that the grid can be operated reliably by having 
visibility of what those resources will do under certain 
circumstances and having control, if necessary, is difficult 
under the structure we have now where FERC is responsible for 
the Bulk-Power System and states are responsible for the local 
distribution systems that many of these resources connect to.
    So, I think we are very much looking at that issue, trying 
to be creative about ways we can address that issue. And I know 
the industry is too, because they're as much focused on that 
issue as we are. Solutions are not easy though.
    Senator Heinrich. I think that is going to be particularly 
important. It is pretty clear that that is the direction 
markets are headed.
    And I think we are going to see more DERs. We are going to 
see more demand response. We are going to see more storage. All 
aggregated in, you know, spread across the grid and getting the 
rules of the road worked out at the front end rather than 
responding to issues as they arise is going to be particularly 
important.
    Thank you, Mr. Chairman.
    Senator Gardner. Thank you very much.
    If members want to stick around, we will go ahead and have 
another round of questions, if you do not mind.
    I wanted to just highlight a couple of things based on what 
has already been brought up.
    Mr. Fowke, you mentioned you have about 100 people working 
in cybersecurity or security areas where just a short time ago 
you didn't really have any. Is that correct?
    Mr. Fowke. That's correct.
    Senator Gardner. Mr. Bardee, how many people at FERC have 
expertise in cyber?
    Mr. Bardee. On my staff, about 25 and in other places, 
maybe another 20.
    Senator Gardner. And what is the total staff?
    Mr. Bardee. Total staff of the agency is about 1,400.
    Senator Gardner. Fourteen hundred.
    What would it have been two or three years ago?
    Mr. Bardee. Cybersecurity was a smaller part. If you went 
back several years, a very small part.
    Senator Gardner. Yes.
    Mr. Di Stasio, the Cyber Mutual Assistance Program that you 
talked about in your testimony and others talked about in their 
testimony, 10 years ago today in Holly, Colorado, there was a 
tornado, a very devastating tornado. We saw a lot of utilities 
from around the region, around the country, come together to 
fix the physical damage that had occurred, the power lines, the 
telephone poles, utilities, you name it.
    This Cyber Mutual Assistance Program seems to be the same 
thing, but in a digital sense. But yet, we seem to only have 
about 100 members participating today out of the 3,000 
utilities in the country. Why is that? Why don't we see more 
people involved?
    Mr. Di Stasio. I think, Senator, or Chairman, I think it 
will continue to grow. The reality is across those 93 utilities 
that are current members to the Cyber Mutual Assistance Task 
Force, they probably represent a significant number of 
customers in states.
    And again, if you think about this issue of prioritizing 
the risk, just as we've done with NERC where we have both high, 
medium and low risks and as Mr. Bardee mentioned, we're now 
getting to the low risks, but the high and medium have been 
addressed first. And I would suggest that we could certainly 
provide it in the record the numbers of customers and systems 
that are represented across those 93. So, it's not a straight 
calculation.
    Senator Gardner. Thank you.
    Mr. Bardee, Mr. Fowke, in terms of the numbers of people 
working in cyber, is there a workforce need that you see that 
Congress could help with in terms of developing a greater 
workforce in cyber?
    Mr. Fowke. Well, it's not an easy position to fill, I can 
tell you that, Mr. Chairman. And where we are typically filling 
it or quite often we're filling it for the military ranks. It's 
one of the things we're focused on at Xcel Energy, just on the 
broad sense.
    But I think a program within the military that would help 
transition vets to civilian and give them those cyber type 
training, that they will be able to apply in the civil world, 
would be an absolutely great program. If you think about it, 
many of them already have a security clearance, as some of the 
other problems that I was suggesting that could be readily 
transferred over, it's my understanding. So, that, to me, is a 
great opportunity.
    Senator Gardner. Thank you.
    Dr. Zacharia, exascale computing is the next big step in 
advanced computational research efforts led by the DOE labs. 
Would these expanded national lab capabilities enable critical 
infrastructure cyberattack scenario evaluation and protection 
plan evaluation? And if so, could you talk about the labs that 
would be involved in that exercise?
    Dr. Zacharia. Thank you, Mr. Chairman.
    Exascale computing program is actually a program that is 
led by multiple laboratories. The leadership is actually six 
labs and Oak Ridge National Laboratory has a responsibility to 
deliver the project.
    One of the things that the department has done in terms of 
deploying the exascale is simultaneously there is a program to 
deliver up the applications that will run on these machines 
when these machines are deployed.
    And so, these are, sort of, called codex signs and in the 
area of cybersecurity there are a number of such programs that 
have been started, like typically what DOE Office of Science 
does, is that there is RFP and the peer review, call for 
proposals peer review, and the selection of the best proposals.
    And I can tell you that in the area of cyber there is a co-
design project that is led by your laboratory, the National 
Renewable Energy Laboratory.
    Senator Gardner. Could you say that again? I am sorry, what 
was that?
    [Laughter.]
    Dr. Zacharia. I think one of her finest actually is the 
Director of NREL, so NREL and PNNL are co-leading that activity 
for us, for the exascale computing project, and it's really 
critical.
    And if I may add, Senator, early on there was a discussion 
about the Office of Electricity. One of things that the Office 
of Electricity, one of the programs that they have is EAGLE-I, 
which is a situational awareness program that actually gets 
information in a region that services about 100 million users.
    The other thing that exascale computers allow you to do is 
to take that information, real time, digest that information 
and be part of a proactive way of both understanding the 
vulnerability of the grid as well as unloads on that so you can 
make preventative measures and be aware, grid aware strategy, 
for cybersecurity.
    Senator Gardner. Great. Thank you.
    Senator Cortez Masto, if you would like to go a second 
round?
    Senator Cortez Masto. Thank you, Mr. Chair.
    And very quickly because, obviously, this is a complicated, 
complicated issue that we are dealing with here, and I am 
struck by what I am hearing. Mr. Fowke, I think you said it 
clearly in your speaking points when you said the national 
policy on cybersecurity is uncoordinated and unfocused. That 
has been my concern from a state perspective watching what is 
happening.
    I am curious, and I am going to open this up to the panel. 
Is there a model out there? Is there something that we should 
be looking at that the states may have come up with that is a 
great model for us to be looking at at the federal level? Or is 
there something that you can give us hope where we should be 
looking to address cybersecurity in general across this 
country?
    Mr. Fowke. I think we should look at state level. I think 
that the fusion centers that you might have heard about, 
Senator. I think they can work very well.
    I also think we ought to look overseas. I mean, there are 
nations, albeit, much smaller than the USA that, I think, 
coordinate much better than we do in the United States. And I 
think we should be open to best practices wherever they are.
    Senator Cortez Masto. Thank you.
    Mr. Di Stasio. Senator, one of the things that we also got 
a lot of value out of was undertaking after a Presidential 
Order or Directive in 2014, to talk about coordination across 
the federal agencies. We responded to that and developed what 
was called, and worked with DOE, actually, on what was called a 
maturity model.
    And so, part of that is, I think, we would prefer to--we've 
got a very robust cyber compliance and enforcement program 
through the NERC standards, directed by FERC. We would like to 
be able to build upon that regime.
    We also talked about the Electric Subsector Coordinating 
Council, the work with DOE, the work with DHS, some of the 
suggestions in S. 79.
    I do think we've come a long way. We certainly have a 
greater ways to go, but I feel like we've got some of the 
essential building blocks in place dealing with some of these 
things like clearances, timely and actionable information 
sharing and the work that the labs can do to enhance 
situational awareness. All of those, to me, provide the next 
rounding out of the current state of mitigation of these risks.
    Senator Cortez Masto. Thank you. I appreciate the comments.
    Thank you, Mr. Chair.
    Senator Gardner. Senator King.
    Senator King. I have a very quick follow-up on that.
    Is there a central clearinghouse of hacks where there is 
one place where a grid operator can look and say, okay, here is 
what is going on in Pennsylvania? Here is what is going on in 
California? Is there a central website? I hesitate to use the 
term because maybe that is not what you want in this situation, 
but someplace where this--I am after how good the communication 
and coordination really is.
    Mr. Di Stasio. The place that's most closely associated 
with that type of a description is really the E-ISAC which is 
the information center and clearinghouse. They actually----
    Senator King. Is that government or is that private sector?
    Mr. Di Stasio. It's government, and they actually have a 
watch floor program that operators can go and participate. I've 
actually had the opportunity to go in there myself. And they 
look at a variety of, not just cyber, but all types of 
potential threats and disruptions to the grid and that becomes, 
probably, the most robust information sharing source we have.
    Mr. Fowke. I might just add, I think, the gold standard for 
ISACs is the FS-ISAC. That's the financial services ISAC, and 
they actually are now talking machine to machine. It's much 
more private sector versus government-oriented.
    But we recently joined it and we were the first electric 
utility to do that. I think there will be more because it's one 
more channel and one more sector coordination, where we talk 
about coordination, that's right available to us and we're 
already getting good information from that.
    But to me, it also pushes the issues that I've been saying 
before, we're not, not only it's federal agencies not 
coordinating. We're not coordinating across sectors as well as 
we should too. And these ISACs, if they were better coordinated 
together, I think that would be a great opportunity.
    Senator King. I think that is a very good point because if 
there is going to be an attack it probably will not be just one 
sector, it could be electricity, gas, financial and 
coordinating across sectors, I think, would be very important.
    Mr. Chairman, I want to thank you for this hearing, and I 
want to thank our witnesses.
    This has been very illuminating. Hopefully our discussion 
doesn't have to end today. As you are going home and you think, 
I should have said this or here is a suggestion, please pass it 
back to the Committee because this is an area of absolutely 
vital concern and could not be more important to the people 
that we all represent. So thank you very much for your 
testimony.
    Thank you, Mr. Chairman.
    Senator Gardner. Thank you.
    The good news is for all of you the record will remain open 
for two weeks if you would like to add that additional thought.
    For the information of members, questions for the record 
are due tomorrow by close of business, and we would appreciate 
your responses as soon as possible.
    A final question, or maybe comments, if I could, starting 
with you, Mr. Bardee.
    As we close this hearing today, and I do truly appreciate 
your time and testimony today because this is a very useful 
exercise as we learn more about the problem ourselves and 
challenge ourselves and try to do our best to coordinate the 
moving pieces of this.
    If each of you could give one or two things to summarize 
your top recommendations of Congressional action that would 
enhance our grid cybersecurity preparedness or response 
capabilities, what would it be? You have talked a lot about it 
here at the hearing, but maybe you can summarize that again, 
the top two recommendations.
    Mr. Bardee. I think from my perspective dealing with 
electric reliability. One of them is actually bills like S. 79, 
ensuring that we can get the research that it is difficult for 
the private sector to commit as much in the way of resources 
for.
    Senator Gardner. Thank you for that.
    Mr. Bardee. And the other would be if there are ways to 
improve the kind of personnel training that Mr. Fowke was 
discussing earlier to get us people who have skills, not just 
in cybersecurity, but also in power system engineering. Those 
people are very valuable.
    Senator Gardner. Mr. Fowke?
    Mr. Fowke. Well, I said a lot about information sharing so 
I'll say something I didn't say yet. We talk about 
sophisticated cyberattacks and they are growing, but you know 
how most attacks occur? Not following basic cyber hygiene. And 
that's how a lot of this gets started. So I think we need to 
start thinking about how we can educate and, I dare say, 
mandate some basic cyber standards across industry and 
government which, I think, is long overdue.
    Senator Gardner. Mr. Di Stasio?
    Mr. Di Stasio. I would suggest that we build upon the 
regulatory framework and the coordination that is starting to 
occur. We have been at this for 10 years and I will say 2009 in 
the House, I testified on the Grid Act. And we have come a very 
long way since then but still have quite a bit to do.
    But if we could deal with some of the issues that have been 
mentioned around clearances, human resource training, getting a 
certain level of maturity and understanding of the risks and 
then increase coordination with the government, whether that 
becomes through some consolidation of jurisdictions or whether 
we do it as we have.
    Senator Gardner. Dr. Zacharia?
    Dr. Zacharia. Let me echo the sentiment I think that the 
Senate bill 79 has it exactly right. In that based on our 
experience with working with the Electric Power Board Utility 
in Chattanooga, I think having a pilot where you bring together 
the Federal Government, industry and the national laboratories, 
the best of these three entities together to have a two-year 
pilot to really explore what is possible to get out in front of 
this evolving challenge is probably the best thing that we can 
do because bringing those three players together, getting them 
to work together, share information, understand each other's 
both capabilities and challenges, I think would allow us to 
make significant progress.
    So, thank you very much for this opportunity.
    Senator Gardner. Well, thanks again to members of the 
Committee. As I said, the QFRs are due tomorrow by close of 
business.
    We appreciate your time and testimony today.
    With that, we will adjourn the Committee.
    [Whereupon, at 3:42 p.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                [all]