[Senate Hearing 115-273]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 115-273
 
  EFFORTS TO PROTECT U.S. ENERGY DELIVERY SYSTEMS FROM CYBERSECURITY 
                                THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 4, 2017

                               __________


                       Printed for the use of the
               Committee on Energy and Natural Resources
               
               

        Available via the World Wide Web: http://www.govinfo.gov
        
        
        
        
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 24-979                 WASHINGTON : 2018              
        
        
        
        
        
               COMMITTEE ON ENERGY AND NATURAL RESOURCES

                    LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
MIKE LEE, Utah                       BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan
STEVE DAINES, Montana                AL FRANKEN, Minnesota
CORY GARDNER, Colorado               JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee           MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota            MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana              ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio                    TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama              CATHERINE CORTEZ MASTO, Nevada
                      Colin Hayes, Staff Director
                Patrick J. McCormick III, Chief Counsel
                 Kellie Donnelly, Deputy Chief Counsel
           Angela Becker-Dippmann, Democratic Staff Director
                Sam E. Fowler, Democratic Chief Counsel
                David Gillers, Democratic Senior Counsel
                
                
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska....     1
Heinrich, Hon. Martin, a U.S. Senator from New Mexico............     3

                               WITNESSES

Hoffman, Patricia, Acting Assistant Secretary, Office of 
  Electricity Delivery and Energy Reliability, U.S. Department of 
  Energy.........................................................     4
Cauley, Gerry W., President and Chief Executive Officer, North 
  American Electric Reliability Corporation......................    14
Highley, Duane D., President and CEO, Arkansas Electric 
  Cooperative Corporation........................................    23
McCurdy, Hon. Dave, President and CEO, American Gas Association..    34
Bochman, Andrew A., Senior Cyber and Energy Security Strategist, 
  Idaho National Laboratory......................................    50
Welsh, Colonel Gent, Commander, 194th Wing, Washington Air 
  National Guard.................................................    58

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Bochman, Andrew A.:
    Opening Statement............................................    50
    Written Testimony............................................    52
    Responses to Questions for the Record........................   220
Cauley, Gerry W.:
    Opening Statement............................................    14
    Written Testimony............................................    16
    Responses to Questions for the Record........................   196
Heinrich, Hon. Martin:
    Opening Statement............................................     3
Highley, Duane D.:
    Opening Statement............................................    23
    Written Testimony............................................    25
    Responses to Questions for the Record........................   207
Hoffman, Patricia:
    Opening Statement............................................     4
    Written Testimony............................................     6
    Supplemental Response to Question from Senator Hirono........   174
    Responses to Questions for the Record........................   190
McCurdy, Hon. Dave:
    Opening Statement............................................    34
    Written Testimony............................................    36
    Responses to Questions for the Record........................   215
Murkowski, Hon. Lisa:
    Opening Statement............................................     1
Power Pack Group:
    Statement for the Record.....................................   236
REM Technology Consulting Services, Inc.:
    Statement for the Record.....................................   240
United Technologies Council:
    Statement for the Record.....................................   265
Welsh, Colonel Gent:
    Opening Statement............................................    58
    Written Testimony............................................    60
    Responses to Questions for the Record........................   228


                           EFFORTS TO PROTECT



                      U.S. ENERGY DELIVERY SYSTEMS



                       FROM CYBERSECURITY THREATS

                              ----------                              


                         TUESDAY, APRIL 4, 2017

                                       U.S. Senate,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:06 a.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Lisa 
Murkowski, Chairman of the Committee, presiding.

  OPENING STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR FROM 
                             ALASKA

    The Chairman. Good morning. The Committee will come to 
order.
    I want to acknowledge my stand-in Ranking Member, Senator 
Heinrich. I understand that Ranking Member Cantwell is delayed 
a little bit coming from the game.
    [Laughter.]
    Very important.
    Senator Heinrich. I don't know what you are talking about.
    The Chairman. Very important.
    I am sure there are those that are happy this morning, and 
for those of us that love the West Coast and all things West, 
we are not as excited this morning. But anyway, we will look 
forward to Senator Cantwell coming later this morning.
    We are here today to not talk about basketball, but we are 
here to examine our collective efforts and those from Congress, 
the rest of the Federal Government and industry to protect our 
domestic energy delivery systems from cybersecurity threats.
    Here in the United States, we have purposefully built 
redundant systems to ensure resilience and technological 
advancements have improved system efficiencies. We have made 
our devices smarter and connected more of them to the internet, 
boosting consumer convenience and lowering costs. But as the 
so-called ``internet of things'' has become increasingly 
involved in all phases of energy generation and delivery, we 
have created even more avenues for cyber intrusion.
    This Committee has long recognized that our nation's energy 
sector is a popular target for bad actors. Everyone from 
individual hackers to nation-states who wish to do us harm. 
That is why we took action over a decade ago, through the 
Energy Policy Act of 2005, to protect the nation's critical 
grid infrastructure from both physical and cybersecurity 
threats.
    The 2005 law directed the certification of an electric 
reliability organization, now the North American Electric 
Reliability Corporation (NERC), to develop and enforce 
mandatory reliability standards. Congress specifically declined 
to provide the Federal Energy Regulatory Commission (FERC) with 
direct authority to establish such standards, instead opting 
for an industry stakeholder process to assist in formulating 
these highly complex and technical requirements.
    This decision has fostered a robust public/private 
partnership, and given FERC's current lack of quorum, it 
perhaps is even more prescient today. I am pleased that NERC's 
President and CEO, Gerry Cauley, is here to testify this 
morning.
    Last Congress, in the FAST Act, we moved again to protect 
our energy systems from cyberattack. As enacted, that law 
includes provisions from this Committee codifying the 
Department of Energy as the sector-specific agency for the 
energy sector and providing the Secretary with authority to 
address grid-related emergencies caused by cyberattacks, 
physical attacks, electromagnetic pulses (EMP) or geomagnetic 
disturbances.
    We will address the EMP issue, in depth, at a future 
hearing, but I am looking forward to hearing today from Pat 
Hoffman, the Acting Assistant Secretary for the Office of 
Electricity Delivery and Energy Reliability, about the 
Department of Energy's (DOE) effort to implement its FAST Act 
authorities.
    Finally, while our Committee has spent considerable time 
over the years examining the threats posed to the nation's grid 
infrastructure, today we will also assess efforts to secure 
natural gas pipelines. Given the interdependency of natural gas 
and electricity, it is imperative that these energy delivery 
systems are adequately protected. So I look forward to Dave 
McCurdy's testimony as the President and CEO of the American 
Gas Association. Mr. McCurdy, I am also curious to know why it 
is taking so long, particularly, as a former Chairman of the 
House Intelligence Committee, to get the requisite security 
clearance from the Energy Department, and we will have an 
opportunity to chat about that.
    In addition, this morning we will hear from Mr. Duane 
Highley, who is the President and CEO of the Arkansas Electric 
Cooperative Corporation and the Co-Chair of the Electricity 
Subsector Coordinating Council (ESCC) which interfaces with the 
Federal Government on behalf of industry.
    We also have Mr. Andrew Bochman, a Senior Cyber and Energy 
Security Strategist for the Idaho National Laboratory. This is 
the lab responsible for the Aurora experiment which first 
demonstrated how a cyberattack could impact physical assets.
    We will then hear from Colonel Gent Welsh, from the 
Washington National Guard, who has done a lot of important work 
to secure critical infrastructure in that state and develop a 
cyber workforce.
    We all recognize that this is no time for the United States 
to rest on the question of cybersecurity. The number and scope 
of attacks is ever-increasing and the resulting harm could be 
very significant. That is why our Subcommittee, under Senator 
Gardner's leadership, held a cybersecurity hearing last month 
and that is why we are broadening the effort here at the full 
Committee today.
    I would like to thank all of our witnesses for joining us 
this morning, and I look forward to their comments in just a 
few minutes.
    At this time, I will turn to Senator Heinrich for his 
opening comments.

              STATEMENT OF HON. MARTIN HEINRICH, 
                  U.S. SENATOR FROM NEW MEXICO

    Senator Heinrich. Thank you, Madam Chairman. As you 
mentioned, Senator Cantwell is running a few minutes late and 
asked me to fill in until she arrives.
    As a member of the Senate Intelligence Committee, I am 
acutely aware of the sophisticated threats that our energy 
infrastructure faces in cyberspace today. Cybersecurity is one 
of the most serious challenges to our economy and national 
security that we face as a nation-state. The future of warfare 
is moving further away from the battlefield each day and closer 
to the devices and the networks that everyday citizens, as well 
as the private sector, rely on and depend on.
    Protecting our nation from malicious cyber actors requires 
a very comprehensive approach, and keeping our energy 
infrastructure secure is absolutely central to that. In 
January, the U.S. Department of Energy warned that the U.S. 
grid ``faces imminent danger'' from cyberattacks.
    The Department's Quadrennial Energy Review (QER) warns that 
a widespread power outage caused by a cyberattack could place 
at risk the health and safety of millions of U.S. citizens. The 
QER included a number of policy recommendations for both 
regulators and Congress. The QER also pointed out that our 
electric grid has become increasingly reliant on a reliable and 
secure supply of natural gas, and it is essential to what we do 
that we do all we can to protect against cyberattacks against 
natural gas pipelines as well. So I am pleased that Congressman 
McCurdy will be testifying today on behalf of the American Gas 
Association to discuss pipeline cybersecurity as well.
    Top officials within the intelligence community have 
testified that energy infrastructure is an enticing target to 
malicious actors. Those officials have also warned that without 
action, the U.S. remains vulnerable to cyberattacks that could 
result in catastrophic damage to public health and safety, 
economic security and national security.
    I am pleased, again, to be an original co-sponsor of 
Senator King's bipartisan Securing Energy Infrastructure Act, 
which was the subject of last week's Subcommittee hearing, and 
I hope we can take action on this bill this year.
    Today we are also going to hear from Pat Hoffman, the 
Acting Assistant Secretary for the Office of Electricity 
Delivery and Energy Reliability at the Department of Energy. 
This office, in coordination with our national labs, helps 
protect our nation's energy infrastructure from a variety of 
cyber threats.
    I am very concerned the President is proposing significant 
cuts to the Electricity Office's budget that could impair our 
ability to meet the challenges foreign actors, and others, 
present to the security of our nation's energy infrastructure.
    Thank you for holding this full Committee hearing today, 
and I look forward to all of our witnesses' testimony.
    The Chairman. Thank you, Senator Heinrich.
    At this time, we will begin with our distinguished panel. I 
have introduced each of you already, so we will move straight 
to your comments. I would ask you to keep your comments to five 
minutes or less. Your full statements will be incorporated as 
part of the record.
    We will begin with Patricia Hoffman, again, the Acting 
Assistant Secretary for the Office of Electricity Delivery and 
Energy Reliability at the U.S. Department of Energy, and we 
will proceed down the line.
    Ms. Hoffman, welcome.

  STATEMENT OF PATRICIA HOFFMAN, ACTING ASSISTANT SECRETARY, 
  OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. 
                      DEPARTMENT OF ENERGY

    Ms. Hoffman. So, thank you.
    Good morning. Thank you, Chairman Murkowski, Ranking Member 
Cantwell, Senator Heinrich, members of the Committee. Thank you 
for the opportunity to discuss the continuing threats facing 
our nation's energy infrastructure and the Department of 
Energy's role and authorities under the Fixing America's 
Surface Transportation, or FAST, Act. The Department of Energy 
is focusing on cybersecurity and resilience of energy delivery 
systems, and this is one of the Secretary's top priorities.
    Our economy, national security, and even the well-being of 
our citizens depend on the reliable delivery of electricity. 
The mission of the Office of Electricity Delivery and Energy 
Reliability is to strengthen, transform, and improve energy 
infrastructure to ensure access to reliable and secure sources 
of energy. The Department is committed to working with our 
public and private sector partners to protect the nation's 
critical energy infrastructure, including the electric power 
grid, from physical security events, natural and man-made 
disasters and cybersecurity threats.
    To address security, it is critical for us to be proactive 
and cultivate what I call, an ecosystem of resilience, a 
network of producers, distributors, regulators, vendors and 
public partners, acting together to strengthen our ability to 
prepare, respond and recover. We continue to partner with 
industry, federal agencies, states, local governments and other 
stakeholders to quickly identify threats, develop in-depth 
strategies to mitigate those threats and rapidly respond to any 
disruptions.
    DOE plays a critical role in supporting industry functions 
in several ways. Providing partnership mechanisms that support 
collaboration and trust, leveraging government capabilities to 
gather intelligence on threats and vulnerabilities and sharing 
actionable intelligence with energy owners and operators in a 
timely manner. We also support energy sector best practices, 
incident coordination and response and innovation through R&D 
for the next generation physical and cyber systems.
    In the energy sector, the core critical infrastructure 
partners consist of the Electric Sector Coordinating Council 
and the Oil and Gas Sector Coordinating Council. Through these 
partnerships, the energy sector and the government share 
emerging threat data and vulnerability information.
    An example of this type of collaboration is a Cybersecurity 
Risk Information Sharing Program (CRISP), a voluntary public/
private partnership, that is funded by industry, administered 
by the Electric Sector Information Sharing and Analysis Center 
and supported by the Department of Energy.
    Another example of how the Department supports the cyber 
posture of the energy industry is through the Department's 
Cyber Capability Maturity Model, which helps private sector 
owners and operators better evaluate their cybersecurity 
capability. This tool allows organizations, regardless of size, 
type or industry, to evaluate, prioritize and improve their own 
cybersecurity capabilities.
    Beyond providing guidelines and technical support to the 
energy sector, the Department also supports an R&D portfolio 
designed to develop advanced tools and techniques to provide 
enhanced cyber protection for key energy systems.
    Intentional, malicious cyber threats challenge our energy 
systems and are on the rise in both number and sophistication. 
This evolution has profound impacts on the energy sector. Since 
2010, the Department has invested more than $210 million in 
cybersecurity research development projects that are led by 
industry, universities and national laboratories. These 
investments have resulted in more than 35 new tools and 
technologies.
    Threats continue to evolve. The Department of Energy is 
working diligently to stay ahead of the curve. The solution is 
an ecosystem of resilience that works in partnership with 
local, state and industry stakeholders to help provide the 
methods, the strategies and the tools needed to help protect 
local communities through increased resilience and flexibility.
    To accomplish this we must accelerate information sharing 
to inform better local investment decisions and encourage 
innovation and use of best practices to help raise the energy 
sector's security maturity and strengthen local incident 
response and recovery capabilities, especially through the 
participation and training programs, disaster and preparedness 
exercise.
    Building an ecosystem of resilience is, by definition, a 
shared endeavor, and we must continue to keep a focus on 
partnerships. This is an imperative.
    I thank you for the opportunity for being here today, and I 
look forward to answering any questions that you may have.
    [The prepared statement of Ms. Hoffman follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    
    The Chairman. Thank you, Ms. Hoffman.
    Next we will turn to Mr. Gerry Cauley, welcome.

  STATEMENT OF GERRY W. CAULEY, PRESIDENT AND CHIEF EXECUTIVE 
    OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

    Mr. Cauley. Thank you and good morning, Chairman Murkowski, 
Ranking Member Cantwell and Senator Heinrich and members of the 
Committee. Thank you for conducting this timely hearing to 
assess the progress and challenges of securing the power grid 
which is critical to our nation's security and well-being. The 
threat of cyberattacks by nation-states, terrorist groups and 
criminal actors is at an all-time high.
    In December 2015, a cyberattack in the Ukraine left over 
225,000 customers without power for several hours. This 
indicates that nation-state adversaries have the tools and 
clearly now the will to disrupt the grid of another nation.
    More recently in the U.S., although no part of the grid was 
affected, we saw a million electronic devices all part of the 
internet of things, captured and used in a denial of service 
attack disrupting major internet service providers.
    We've seen increases in ransomware, data theft and other 
criminal activities across all sectors of our economy.
    NERC's role is to assure the reliability and security of 
the bulk power system through mandatory standards, compliance 
monitoring and enforcement and reliability assessments. Our 
independent board and staff are unaffiliated with system owners 
and operators.
    FERC approves NERC's standards and enforcement actions in 
the U.S. and has authority to direct NERC to develop new or 
revised standards.
    As a nation, we share an interconnected grid with our 
neighbors which is why NERC is international in scope, spanning 
the United States, Canada and Mexico.
    Our cyber standards are written with inputs from the best 
experts in industry and provide a strong foundation for 
security practices.
    NERC and its eight regions also have cyber experts, who 
conduct hundreds of site visits every year to assess security 
controls. We're finding that power companies take cybersecurity 
very seriously with strong attention at the top from CEOs and 
boards.
    Grid control cyber assets communicate over private 
networks, including fiber, microwave and lease circuits. They 
are isolated from business systems and from the public 
internet.
    Utility personnel are screened and well-trained. Companies 
are using advanced security services from third party providers 
to maintain the latest threat information.
    Most importantly, power companies know they must 
continuously monitor and detect suspicious activity, isolate 
malware and destroy it before an attack happens, commonly known 
as the ``kill chain.''
    As flexible and risk-based as our standards are, I firmly 
believe we cannot win a cyber war with regulations and 
standards alone. Industry must be agile and continuously adapt 
to threats. To do that, we need robust sharing of information 
regarding threats and vulnerabilities.
    NERC operates the Electricity Information Sharing and 
Analysis Center. Our role is to assimilate intelligence, to 
share trusted information with industry and the government and 
to recommend specific actions.
    One of our most effective tools in this effort is the 
Cybersecurity Risk Information Sharing Program, as mentioned by 
Ms. Hoffman. Developed by the Department of Energy, CRISP has 
been adopted by NERC and deployed across wide areas of the U.S. 
grid to continuously detect malicious activity and share that 
information with industry.
    NERC can also issue formal alerts to industry at three 
levels of urgency, two of which require responses.
    NERC conducts an annual grid assurance, grid security 
conference and training events and frequent classified 
briefings.
    We also conduct a continent-wide cyber and physical 
security exercise, called GridEx, with over 4,000 participants 
from industry and government across North America engaged for 
two days responding to a simulated massive attack on our grid.
    To date, there's not been a single cyberattack in the U.S. 
resulting in customer outages. This is an exceptional record 
and is due, in large part, to the vigilance of NERC, industry 
and our government partners; however, we will never be 
complacent. The risk is very real, and we have to work hard 
every day to stay ahead of our adversaries.
    I'll close by mentioning a few challenges ahead: securing 
millions of electronic devices being installed on distributed 
energy systems and behind the mirror; ensuring the security 
chain within our--security of our global supply chain; building 
a more robust public/private model to coordinate strategy and 
resources between the government and industry; expanding the 
sharing of classified information; filling a growing gap in 
cyber workforce; coordinating across critical infrastructures 
like telecom, finance and gas; and investing in grid 
resilience, including strategic reserves.
    I thank you for the time this morning, and I look forward 
to your questions.
    [The prepared statement of Mr. Cauley follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The Chairman. Thank you, Mr. Cauley.
    We will next turn to Mr. Duane Highley, the President and 
CEO of the Arkansas Electric Cooperative Corporation.

  STATEMENT OF DUANE D. HIGHLEY, PRESIDENT AND CEO, ARKANSAS 
                ELECTRIC COOPERATIVE CORPORATION

    Mr. Highley. Thank you.
    Good morning, Chairman Murkowski, Ranking Member Cantwell, 
Senator Heinrich and members of the Committee. Thank you for 
the invitation to testify today. I'm speaking on behalf of 
Arkansas Electric Cooperative Corporation where I serve as CEO 
and the National Rural Electric Cooperative Association which 
represents 900 not-for-profit consumer-owned utilities serving 
42 million people in 47 states.
    I also serve as one of three co-chairs of the Electric 
Subsector Coordinating Council, or ESCC, a CEO level, public/
private partnership serving as our subsector's principal entity 
in coordinating with our senior government counterparts on 
policy level issues. The 30 CEOs on our council meet regularly 
with senior officials from the White House, Department of 
Energy, Department of Homeland Security, Federal Energy 
Regulatory Commission, Federal Bureau of Investigation, et 
cetera.
    The electric sector, like other critical sectors, is now at 
the front lines of international warfare. We're under constant 
cyberattack. Many of those attacks are sponsored by foreign 
enemies and nation-states.
    Though the recently updated Quadrennial Energy Review 
recommends protecting the electric sector as a national 
security asset, it's important to remember that most of the 
critical infrastructure is owned and operated by private 
industry. So, for that reason, we must have timely access to 
actionable information obtained through the defense and 
intelligence gathering capabilities of our government. We have 
to work together to protect the grid.
    Our traditional design of the electric grid relies on 
defense in depth to maintain reliability. We designed the grid 
to survive significant natural disasters with minimal 
interruption and generally quick recovery. That same redundancy 
makes the grid very resilient to intentional cyberattacks.
    The electric sector is also the only sector with mandatory 
enforceable reliability and cybersecurity standards developed 
through NERC. We have to meet these standards and verify 
compliance through audits conducted by NERC's regional entities 
or face fines and penalties, potentially as high as $1 million 
per day per violation. And we take those standards very, very 
seriously.
    That said, just relying on defense, in depth and mandatory 
standards is not enough. That's why we're developing a real time 
communication environment for sharing threat information 
between government and industry.
    Real time sharing is great but both parties have to play. I 
can share with you examples of times in the past when we became 
aware that our government counterparts knew about a developing 
threat, but were unable to share it because of the classified 
nature of the threat itself. Often we've learned of threats 
from private sector sources well before our government 
counterparts chose to share them with industry.
    One of the primary initiatives of the Electric Subsector 
Coordinating Council is to work together to improve information 
sharing in both directions, government to industry and industry 
to government.
    I believe that we've developed a mutual trust relationship 
and we've obtained some security clearances but not enough 
across the sector and not enough at a higher level of 
clearance, and we have contributed to the development of and 
deployed tools such as DOE's cybersecurity capability and 
maturity model, the Electric Information Sharing and Analysis 
Center, the E-ISAC, the Cyber Risk Information Sharing Program, 
or CRISP, in partnership with DOE and the national labs.
    These tools, clearances and briefings have helped, but we 
can still do more. We have to work together and we have to be 
able to trust one another to communicate threat information in 
real time.
    I'm pleased to report we've already met with Secretary 
Perry at DOE and leadership at the White House and FERC in the 
transition, and I'm confident in their commitment to maintain 
the momentum of the prior Administration in supporting, funding 
and staffing our many developing projects.
    In particular, we're very pleased at the response of DOE 
for greater assistance to smaller electric systems such as 
cooperatives and municipals. Last year DOE provided funding to 
the trade associations to assist their member utilities in 
improving cyber and physical security. The co-ops have used 
these funds to create the Rural Cooperative Cybersecurity 
Capabilities Program, or RC3, to assist the smaller utility 
systems.
    ESCC has also recently developed a Cyber Mutual Assistance 
Program modeled after existing mutual assistance programs where 
utilities mobilize staff across the country to help restore 
service after a disaster. The Cyber Mutual Assistance Program 
provides a steady cadre, a ready cadre, of IT staff to assist 
in restoration of critical systems, if needed. We already have 
93 member systems, including 18 cooperatives, on board. So now, 
80 percent of all utility customers in the United States are 
covered by this program.
    In summary, the electric sector has mandatory enforceable 
cybersecurity standards and redundant design providing defense 
in depth to protect us. But that's not the entire answer to 
defending against an ever-changing threat.
    To bridge the gap, we need an ongoing dialogue and ever 
more open information sharing, finding ways to provide more and 
higher level security clearances to our staff who are at the 
front lines, rapidly declassifying and sharing threat 
information and jointly developing new solutions to protect 
against this threat.
    I look forward to your questions.
    [The prepared statement of Mr. Highley follows:] 
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
     
    The Chairman. Thank you, Mr. Highley, we greatly appreciate 
that testimony.
    Next we turn to Congressman Dave McCurdy, the President and 
CEO of the American Gas Association. Welcome, Congressman.

STATEMENT OF HON. DAVE McCURDY, PRESIDENT AND CEO, AMERICAN GAS 
                          ASSOCIATION

    Mr. McCurdy. Thank you, Chairman Murkowski, Senator 
Heinrich and members of the Committee. As the Chairman 
indicated, I am here as the CEO of the American Gas Association 
(AGA). I'm also the former Chairman of the House Intelligence 
Committee and former CEO of the Electronic Industries Alliance. 
I also served on the board of the Software Engineering 
Institute and co-founded the Internet Security Alliance in 
partnership between the Electronic Industries Alliance and 
CyLab at Carnegie Mellon University. So, I have to say, I've 
been engaged in internet policy since before it was called 
cybersecurity.
    AGA represents more than 200 local energy companies that 
deliver clean natural gas to more than 72 million customers. 
Natural gas meets more than one-fourth of the United States' 
energy needs and is the foundation fuel for a clean and secure 
energy future.
    Alongside this opportunity natural gas offers comes serious 
responsibility to protect pipeline systems from cyberattacks. 
Technological advances have made natural gas utilities better 
able to serve our customers; however, there is a recombinant 
challenge with a more connected industry, as we become a target 
for increasingly sophisticated cyber adversaries.
    Natural gas utilities meet that threat via a commitment to 
security, skilled personnel, technological advances and 
partnership with the Federal Government.
    I'd like to highlight four critical areas related to 
pipeline and energy sector cybersecurity.
    First, natural gas utilities understand and take very 
seriously cyberattacks and cyber threats. This drives us to 
employ the best technology and personnel available to protect 
our systems and the customers that we serve. This obligation 
starts at the top. AGA member utility executives assign the AGA 
commitment to cyber and physical security demonstrating their 
dedication with a call to action to ensure natural gas 
pipelines remain resilient to cyber and physical security 
threats.
    Second, energy security interdependence. Recently the 
electric sector has increased the use of natural gas for power 
generation. With that comes a greater need for coordination. 
Natural gas utilities focus on safe and reliable gas delivery 
and they utilize a variety of assets in contractual plans to 
secure that reliability. We welcome electric generation 
customers, but stress the gas/electric interdependency policy 
should preserve and enhance, not decrease, natural gas system 
reliability for all customers, both gas and electric. In this 
regard, the importance of having adequate gas pipeline 
infrastructure must not be overlooked.
    And third, we need to maintain our existing security 
partnerships. Gas utilities maintain a pipeline security 
partnership with our statutory partner, the Transportation 
Security Administration. Industry also works closely with DOE, 
as we've heard from Ms. Hoffman and Gerry Cauley. These vital, 
non-regulatory partnerships are cooperative and support a more 
effective risk management approach to security. Further, 
disturbing the continuity of our security partnerships by 
reshuffling pipeline security authorities will not make us 
safer. It will simply add uncertainty to the mix.
    And last, as we've heard, public/private collaboration is 
paramount. Industry needs better government cyber threat data 
delivered in real time, quicker dissemination of classified 
threat information and a closer working relationship with 
sector agencies, law enforcement and the intelligence 
community.
    And finally, we should reform how industry leaders receive 
security clearances, as the Chairman and others have mentioned. 
For me, this is not a mere talking point. Despite my military, 
congressional and intelligence experience and currently holding 
a DoD clearance, I have not received a DOE security clearance, 
SCI, that I applied for over a year ago to be able to sit in on 
some of the discussions that we have at the ESCC and other 
areas, and I am the leader of the Natural Gas Sector for this 
industry.
    America's natural gas delivery system is the safest, most 
reliable energy delivery system in the world. Security is woven 
into the natural gas utility culture and our members apply a 
portfolio of tools to stay ahead of cybersecurity threats. One 
of our most important tools is partnership with the Federal 
Government.
    Chairman, thank you for the opportunity to testify. I look 
forward to the exchange of ideas.
    [The prepared statement of Mr. McCurdy follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
      
    The Chairman. Thank you, Congressman McCurdy.
    Next, we turn to Mr. Andrew Bochman, who is with us today 
from Idaho National Labs.
    Thank you.

    STATEMENT OF ANDREW A. BOCHMAN, SENIOR CYBER AND ENERGY 
         SECURITY STRATEGIST, IDAHO NATIONAL LABORATORY

    Mr. Bochman. Good morning, Chairman Murkowski, Ranking 
Member Heinrich, or depending upon her proximity, Cantwell, and 
distinguished members of the Committee, I thank you for holding 
this hearing and inviting Idaho National Laboratory's, or 
INL's, testimony on the protection of our energy delivery 
systems.
    I am INL's Senior Cyber and Energy Security Strategist. In 
this capacity, I provide guidance to DOE, and INL leadership on 
matters related to protecting national energy infrastructure 
against mounting cyber and physical threats. I am here today to 
share impressions on the state of cybersecurity in the energy 
sector and provide an update on DOE and national lab actions.
    I just returned from a USAID-funded trip to Estonia where I 
joined a team of U.S. state-level energy regulators, led by the 
National Association of Regulatory Utility Commissioners, or 
NARUC. We provided cyber training to Black Sea energy 
regulators, including commissioners from Ukraine, target of two 
outage-causing cyberattacks.
    The possibility of similar attacks or worse on U.S. energy 
infrastructure has been much on the minds of DOE, INL and some 
of your colleagues, including Senator King and co-sponsors 
Risch, Heinrich, Collins and Crapo. Last year they drafted the 
Securing Energy Infrastructure Act, and just last month, 
Senators Cantwell and Wyden wrote a letter to President Trump 
urging him to maintain, as 2015's FAST Act codified, DOE 
primacy over grid security matters.
    Concern for such an attack on U.S. energy infrastructure is 
well warranted. I pause at five reasons. Number one, the 
aforementioned successful attacks on foreign transmission and 
distribution energy infrastructures. Two, the now daily 
drumbeats of damaging cyberattacks on U.S. Government and 
private sector systems. Three, profound shortage of skilled 
industrial control system security professionals. Number four, 
manufacturer's zeal to embed new technologies in industrial 
systems and our eagerness for sound business reasons to buy and 
install these products in energy infrastructure. And lastly, 
five, while we make incremental improvements on defense, our 
attack surface and the attacker's ability to exploit it, are 
expanding at a much, much faster pace.
    Cyber risk futurists, myself included, are experiencing a 
palpable sense of foreboding that our nation's current security 
activities will not yield the transformational changes that we 
need; however, some significant improvements are in the offing. 
DOE's Office of Electricity Delivery and Energy Reliability, or 
OE, INL and our peer national laboratories are working via 
multiple policy and programmatic pathways to make a difference. 
Here are six, high impact examples.
    Number one, DOE's Cyber Threat Intelligence and Information 
Sharing Program, you've heard it referenced previously, CRISP, 
is currently in place at dozens of large U.S. utilities and 
efforts are underway to substantially improve both the 
timeliness and the helpfulness of the security warnings they 
receive.
    Two, INL and industry partners are on the homestretch of a 
threat-informed, engineering-centric assessment and mitigation 
activity at a large U.S. utility. We call this approach, 
Consequence-driven, Cyber-informed Engineering, or CCE. It 
clarifies and prioritizes the way we look at high consequence 
risks within control systems environments.
    Methodology lessons harvested from this pilot will be 
shared with other partners to expand the nation's ability. And 
I'd like you to remember this phrase, ``to engineer out the 
cyber risk from our most critical energy infrastructures.''
    Number three, INL assists DOE with initiatives to make grid 
systems more resilient against geo-magnetic disturbance and 
electromagnetic pulse events.
    Four, with the substantial expansion of the industrial 
control system security workforce as a goal, INL and its 
partners, Pacific Northwest National Lab (PNNL) and Sandia, 
U.S. universities and commercial training partners are teaming 
to create curricula to make this happen as quickly as possible.
    Five, OE's Infrastructure Security and Energy Restoration 
Organization, ISER, is the seat of the Department's sector 
specific agency authority. INL and PNNL are supporting the 
build out of ISER's cyber incident response and coordination 
capabilities in conjunction with DHS, NERC's Electricity 
Information Sharing and Analysis Center and other grid security 
stakeholder organizations.
    And lastly, per the 2013 Executive Order on improving 
critical infrastructure cybersecurity, INL supports ISER as it 
convenes the energy sector's Section Nine energy companies. 
Among several capabilities requested so far, is a multi-lab 
environment where energy sector systems can be analyzed from a 
threat informed cybersecurity vantage point with specific 
mitigation actions shared securely among the lab's equipment 
suppliers and asset owners and operators as well.
    I'll leave off there.
    Thank you very much for inviting me to testify today. And I 
look forward to your questions.
    [The prepared statement of Mr. Bochman follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
        
    The Chairman. Mr. Bochman, thank you.
    We are also able to welcome this morning Colonel Gent Welsh 
with the Washington Air National Guard. We appreciate your 
service.

          STATEMENT OF COLONEL GENT WELSH, COMMANDER, 
           194TH WING, WASHINGTON AIR NATIONAL GUARD

    Colonel Welsh. Thank you.
    Madam Chair Murkowski, Ranking Member Cantwell, Senator 
Heinrich and members of this Committee, my name is Colonel Gent 
Welsh. I'm the Commander of the 194th Wing for the Washington 
Air National Guard, the Air National Guard's 89th Wing and the 
first cyber wing in the air guard. Thank you again for the 
honor to participate in such a crucial conversation today.
    A quick disclaimer. Please note that I appear before the 
Committee today in a National Guard Title 32 status. Although 
I've served as a National Guard Officer for more than 23 years, 
my testimony today has not been reviewed or approved by anyone 
at the United States Air Force or the Department of Defense.
    As you know, the front lines of the next conflict are not 
overseas in some country folks can't find on a map, they are 
right here, right now, every day at the doorstep of every owner 
and operator of our nation's critical infrastructure.
    Developing a plan to best secure our critical 
infrastructure is challenging, primarily because more than 85 
percent of our critical infrastructure to include our 
electrical grid, our water sources and our health care system, 
is owned by the private sector. As you know, the private sector 
doesn't always consider government a valuable partner.
    In Washington State, we believe we've broken that mold. 
Major General Bret Daugherty, the Adjutant General in our 
state, is also the Governor's Homeland Security Advisor and 
head of all emergency management efforts. These positions give 
him tremendous convening authority within the state to pull 
people together. And with the leadership of Senator Cantwell 
and members of our House delegation, such as Representatives 
Kilmer and Heck, we're able to get a variety of stakeholders 
around the table routinely to include public and private owners 
and operators of critical infrastructure to discuss and prepare 
for a catastrophic cyber event.
    As everyone on this Committee knows, when something does 
happen, it's going to happen in a state, and we've made our 
agency a key player in our state in the security and critical 
infrastructure.
    We're fortunate that our state law provides our agency with 
policies and authorities that provide resources before and 
after a cyber event. We have more than 600 cyber professionals 
that work in the Washington National Guard at our disposal. And 
because we conduct continual outreach efforts, both private and 
local governments know what we can offer. And that's critical. 
The private sector has to understand and know the government 
can provide something tangible and resources of value if you 
want their true cooperation. That's why policy authorities and 
capabilities matter. If government has clear policies and plans 
for either resources or outside assistance, that makes a 
decision for private industry to work with government easier.
    Washington is proof the government and private industry can 
not only get along, we can actually work together and very 
well. The Washington National Guard considers Pacific Northwest 
National Laboratory, the Idaho National Laboratory and several 
major utility companies, strong partners. The same could be 
said for Microsoft, Boeing and other Washington State 
corporations.
    Our efforts began five years ago when we formed an 
integrated project team within state government to fully 
develop the first ever, significant Cyber Incident Response 
Plan for the state. I'm talking about the state, not just state 
government networks. We've truly led this nation and positioned 
Washington in many ways as a national thought leader in 
critical infrastructure cybersecurity at the public level.
    Since then, we've continued to work with our state critical 
infrastructure sectors to exercise and refine our plan. I'd be 
remiss not bragging about the more than 600 cyber professionals 
in our organization. Several assist in our local utility 
companies, the Snohomish County Public Utilities District, with 
a critical cyber assessment back in 2015. Their work was beyond 
successful and was incredibly enlightening.
    Since then, we've had a steady stream of visitors to 
include the former Secretary of Defense, Ash Carter, who wanted 
to learn more about how cyber partnerships work in Washington 
State.
    It starts with the power of the citizen airman and soldier. 
Our typical soldier and airman participates one weekend a month 
and two weeks a year. Outside of that obligation they have 
full-time jobs, many working in the IT or critical 
infrastructure sectors.
    They bring in a remarkable understanding of their private 
sector's needs and their capability shortfalls. They also bring 
in credibility with these organizations as National Guard 
members. They are folks that understand government and private 
industry, and they're able to bridge those gaps and that's a 
tremendous combination.
    Looking forward, we're hopeful to bring a cyber schoolhouse 
to Washington State that allows us to train members of critical 
infrastructure sectors alongside our National Guard members. 
Those are the folks that are on the front lines these days in 
this environment.
    Sharing information and best practices among those tasked 
to defend this nation within the private sector is how we'll be 
more resilient to a significant cyberattack.
    And for those on the panel, I'm going to go off script for 
a second. We've solved some of the security clearance issues in 
our state, and I'd be happy to share some info on that.
    Again, I'd ask that you review my submitted testimony for 
further information and certainly thank you for the opportunity 
to appear in front of this Committee from the other Washington.
    And my sympathies for the Gonzaga Bulldogs because I'm a 
Washingtonian.
    Thank you.
    [The prepared statement of Colonel Welsh follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       
       
    The Chairman. Thank you, Colonel Welsh. I appreciate you 
summing things up from the state's perspective because I think 
it is critically important that we appreciate how that all 
comes down to the states and the responsibilities there.
    There is an awful lot to talk about this morning in the 
spaces that you all have discussed in your comments.
    Let me start with the information sharing protections, and 
I will refer back to the opening comments that I made with the 
FAST Act that we passed last Congress.
    We codified DOE as a sector-specific agency for energy. We 
provided the Secretary with some authority to direct utility 
action in emergency situations. We also included provisions to 
protect some of the sensitive information from disclosure.
    I will start with you, Mr. Highley. As the ESCC Co-Chair, 
how important are these provisions that we included in the FAST 
Act in its effort to help facilitate the timely sharing of the 
cyber threat information? And the CRISP program was mentioned, 
the Cybersecurity Risk Information Sharing Program. What we set 
up, is it helping at all? Is it too early?
    Mr. Highley. Yes.
    The Chairman. If you can speak to what we have put into law 
and what we are seeing as of this point?
    Mr. Highley. We're very grateful for the FAST Act 
authority, and we're supportive of the naming of DOE, 
reinforcing DOE, as the sector-specific agency for electric 
energy and the electric sector.
    That's where we want to see that. That's where the subject 
matter experts are, and that's where we have begun to develop a 
trust relationship between the CEOs that are part of the ESCC 
and our government counterparts.
    And I think trust is the key to information sharing. We 
need to be able to get that information over the wall from 
government to industry and then back over from industry to 
government. That's why it was so crucial for us to see this 
transition go so well from one Administration to the next and 
see the support of Secretary Perry.
    We support the direct action from DOE, in the event of an 
emergency. The FOIA protections are essential because this is 
critical infrastructure we're talking about that's at the front 
lines of international warfare. We can't just have that, you 
know, here's the most important target, be disclosed. So, we're 
supportive of that.
    The Chairman. What about within the Quadrennial Energy 
Review and the recommendations there, the recommendation that 
FERC be granted the direct authority to promulgate the 
reliability standards?
    I am assuming you do not support that recommendation from 
the QER? I would also ask you to speak to what it actually 
means for the stakeholder process that has been established 
through Congress.
    Mr. Highley. So----
    The Chairman. Mr. Cauley, I will ask you to comment on that 
as well.
    Mr. Highley. We're supportive of the NERC process, because 
NERC has the subject matter experts that go through and vet a 
proposed, a proposal, from FERC before it gets to industry. 
It's a very complex machine we're talking about modifying, and 
we think we need to rely on those experts at NERC which has 
both industry and government input to make sure that things are 
done properly.
    And when you talk about making a change to the electric 
system, FERC has the authority now to order NERC to make a 
rulemaking and they can give them the timeline. So, it can 
happen very quickly and it has. I know Gerry will comment on 
that. But we're supportive of keeping that authority at NERC.
    The Chairman. At NERC.
    Mr. Cauley, on the stakeholder process?
    Mr. Cauley. Yes, thank you.
    It's probably, I did read through most of the QER report 
and the one thing that I would struggle with the most is that 
additional authority at FERC to do standards.
    When there's a crisis and something needs to be done 
quickly, standards are not the solution. Basically, we need to 
get directives and marching orders out, but not through a 
standard process.
    To be able to have the industry expertise at the table and 
our process to get the best solutions for standards is very 
effective. We can produce a standard quickly. We were told to 
do the physical security standard in 90 days and we did it in 
87 days. We could do a standard quicker than that. It's just 
really, in an emergency, it's not where you head to do 
emergency standards.
    Thank you.
    The Chairman. Thank you.
    Senator Heinrich.
    Senator Heinrich. Thank you, Madam Chair.
    Congressman McCurdy and also Colonel Welsh. I thought maybe 
you could start, Congressman, to speak just a moment about how 
this bottleneck in security clearances actually directly 
impacts your ability to manage risk and the timelines? Then, 
Colonel Welsh, you mentioned that you might have some thoughts 
on how we can speed this up? If the two of you can speak to 
that, together, I think that would be very helpful for all of 
us.
    Congressman McCurdy?
    Mr. McCurdy. Sure, Senator. And everyone around here knows 
it is just Dave.
    So, the affected policy starts at the top and one of the 
improvements, I think, over the last few years in the couple 
decades I've been dealing with this, is having the C-suite, the 
CEOs, the Senior Executives in corporations, focused on this 
issue of cybersecurity. It is not just a CIO issue. There 
weren't even CIOs when we started this process. So it's 
critical that you have senior executive level engagement.
    Information sharing, in such groups, like the SEC, our 
groups, our safety committee within AGA and by the way, every 
investor-owned utility in the natural gas sector is a member of 
AGA. They've signed a commitment to security which is a call to 
action.
    They are into developing the expertise within their 
companies and working with government and cross sector to 
improve our overall security. By the way, many of them, over 
half now, are both electric and gas combination companies.
    What we find is critical is that when we have CEOs being 
able to sit across the table with each other and with 
government on a regular basis, but then also in emergencies or 
in threat situations, to be able to receive information. Now we 
don't need to know sources and methods, the old terms we used 
to use. What we do need to know, though, is whether it's 
actionable, indirect or directly relevant for our particular 
environment and situation.
    So it is a bit frustrating when we can't and I know a 
number of the CEOs on the electric side because they've been 
working a little bit longer through a formal process, had 
clearances. I've had--I was in the gang of eight, so I've had 
all kinds of different clearances. I currently have a DoD 
clearance. But if it's at a Secret level, that really doesn't 
help when we're talking Ukraine or some of those other issues 
that are timely when they came up. It's more of a backlog. I'm 
not in control of that. We do the reviews.
    I applied. The Department is actually trying with 
officials, executives, to move the process. But it's, the 
clearance process, across government which is, kind of, fouled 
up there. I hate for it to be a personal example, but it's one 
that----
    Senator Heinrich. Actually, I think it helps for it to be a 
personal example.
    Mr. McCurdy. Yeah.
    Senator Heinrich. Because you are an unusual example.
    Mr. McCurdy. Yeah.
    Senator Heinrich. And if it is this tough for you, you can 
imagine how tough it is for lots of people in the utility 
industry broadly on both the electric and the gas side.
    Mr. McCurdy. Absolutely.
    Senator Heinrich. Colonel Welsh, do you want to talk about 
some of the advances----
    Colonel Welsh. Yes, sir.
    Senator Heinrich. ----you have been able to make in 
Washington State?
    Colonel Welsh. So, you can't have a partnership without 
access and sharing. Information sharing without any partners at 
the table is tough.
    We view, from the National Guard's perspective and really 
in Washington State, I'll give you the Washington State case 
study.
    Every state, every state governor has a Homeland Security 
Advisor. That Homeland Security Advisor has the authority in 
that position to sponsor folks in that state for clearances. So 
we have the luxury of our Homeland Security Advisor being our 
TAG and our Emergency Management Authority, so it, sort of, 
makes it easy. It's all in the same family.
    But the fact that he is able to do that is a tremendous 
trust builder for our partners out there. Nothing makes more 
trust built, you can't build it without a, we'll put you in for 
a clearance. Here's the stuff to sign. Sorry, you'll probably 
get somebody asking your neighbors, you know, how you do, but 
it's tremendous for us. But it starts at that Homeland Security 
Advisor level. Again, we, sort of, wait for again, federal 
policy to, sort of, catch up with that.
    I think on the DHS side what we would like to see is it's 
fairly easy to get a security clearance at the secret level. 
It's that TS level that takes a bit more of a nudge, and that's 
really the only thing that matters. You know, secret is great, 
as everybody knows, but it's at that TS level, you don't need 
to know the sources and methods, but there are some things 
going on out there that are of interest with our sectors.
    Thank you.
    Senator Heinrich. Absolutely. Thank you for your input on 
that.
    I yield back my remaining second.
    The Chairman. Thank you, Senator Heinrich.
    Senator Risch.
    Senator Risch. Well, Madam Chairman, first of all, thank 
you for holding this hearing.
    I sit on the Intelligence Committee also and after all the 
testimony I hear there, I am convinced that the next major 
event in America is going to be a cyber event. Obviously, we 
are always vulnerable, not vulnerable, but at risk for some 
type of kinetic attack. But I am convinced that the next major 
one that affects large numbers of people is going to be 
cybersecurity.
    So it is important that we do talk about this and continue 
to work at it because from everything we are told, we are 
running fast but need to run faster to catch up to where we 
need to be.
    Mr. Bochman, thank you for coming from Idaho to testify 
today. Members of this Committee grow weary of me over the 
years explaining to them how important the INL is and being the 
lead lab for nuclear energy. And now, of course, we are 
developing our expertise on cybersecurity and becoming a lead, 
if not the lead.
    Could you tell my fellow members here the unique 
capabilities that our lab has as far as moving in to that 
position?
    Mr. Bochman. Sure, thanks, Senator.
    Thanks, Senator Risch, sure, you bet.
    Idaho National Lab, without making too much of it, is a 
national----
    Senator Risch. No, go ahead and make too much.
    [Laughter.]
    Mr. Bochman. It's a softball.
    It is the nation's nuclear energy lab where nuclear energy 
has been developed with, I think, 52 test reactors with a small 
modular reactor on the way.
    Senator Risch. And the first one, of course.
    Mr. Bochman. I think we, I think people there figured out 
it was probably a better idea to monitor and control those 
somewhat dangerous processes from a comfortable distance, and 
therefore they were highly incented to create control systems 
that would allow them to do that. Hence, early control systems 
theory and practical engineering knowledge developed ahead of 
the curve there in Idaho.
    When cybersecurity started to become on people's minds, 
certainly it landed in the IT universe first, but very quickly, 
I know folks realized that the same basic types of systems that 
help run banks and retail stores, et cetera, are also at the 
heart. They're either both at the heart of control systems 
operations, industrial control systems and they're also next 
door neighbors to them, as utilities, all our businesses and 
have IT organizations and with convergence.
    We used to talk about convergence of information technology 
and operational technology as something that was coming that we 
needed to prepare for. The most recent SANS Industrial Control 
Systems Conference in Florida, two weeks ago, we all admitted, 
this group of subject matter experts, that it's happened, that 
these, now these two parts are inextricably fused and it's one 
of the ways adversaries can get in.
    So Idaho is a great testing ground with that experience and 
also with its facilities. It has a test grid that has both 
transmission and a variety of distribution voltage assets, 
substations, transformers, control centers and linemen. It's 
integrated into the larger regional grid in a way that makes 
it, I'll say it this way, while we use models a lot and have to 
use models for a grid that's becoming ever more complex and get 
a handle on the types of risks that are there.
    Every once in a while, maybe more than every once in a 
while, it behooves us to validate the models with real world 
testing. And it's been several times now, in my short time 
there, where we've run real world tests that have shown that 
the models we rely on so much and trust, weren't quite right 
and need to be tweaked and tuned. Once you do that, then you 
can have confidence in them again.
    Senator Risch. Could you talk just briefly about the test 
bed that we have there for doing that?
    Mr. Bochman. Yeah, well this is the--there's both the grid 
assets I described. There's also communications test bed 
assets. So you can have both.
    Everyone knows a full electric indoor natural gas operation 
requires copious communications assets. Those are also subject 
to cyberattack and just as disruptive if you aim at them as if 
you aim at the actual industrial control systems that they 
support.
    It's also the home of a program where, in the past, 
industrial control system suppliers sent equipment and the 
security subject matter experts did exhaustive security 
assessments of it both at the hardware/software and firmware 
level in conjunction with the suppliers to give them feedback 
on how they might harden and build more secure systems in the 
future.
    In my testimony, there's a call now from the Section Nine 
utilities to, in some form, bring about a modernized version 
that fits the purposes of the Industrial Internet of Things 
(IIoT) and the world in which we live. And so, I'll stop there.
    Senator Risch. Okay. Thank you, Mr. Bochman.
    Thank you, Madam Chair.
    The Chairman. Senator Manchin.
    Senator Manchin. Thank you, Madam Chairman.
    I will be quick.
    [Laughter.]
    Thank you, Madam Chairman, I appreciate it very much.
    Thank all of you for coming.
    My concern is reliability, and I think this first question 
will go to Mr. Cauley. Today our reliability organizations, 
electric utilities, are tasked with maintaining our electric 
grid in an increasingly challenging environment. As you all 
know, a perfect storm of factors has put baseload units at risk 
and states are more frequently using outer markets solutions to 
rescue units and to ensure their citizens and businesses have 
reliable, affordable electricity.
    In the meantime, aging infrastructure, extreme weather 
events, the threat of cyberattacks, rapidly changing fuel mix 
and over regulations are increasingly testing our nation's 
electric grid. Several times throughout the month of January in 
2014, the upper Midwest and mid-Atlantic experienced 
temperatures below zero. The Eastern portion of the PJM grid 
flirted with rolling blackouts.
    On January 7th, a winter record was set with 141,132 
megawatts of electricity being used. PJM is the nation's 
largest grid operator, basically overseeing 180,000 megawatts, 
and that's cutting it pretty close.
    Interestingly, following the winter of 2014, AEP reported 
that nearly 90 percent of its coal plants scheduled for 
retirement ran during the Polar Vortex. If not for that, there 
would have been rolling blackouts. Coal helped keep the lights 
on, as we know.
    Last week PJM released a report that said it could keep the 
lights on with the generation portfolio that is 86 percent 
dependent on natural gas. Current installed capacity, this is 
their actual figures, it is 33 percent of coal, 33 percent 
natural gas, 18 percent nuclear and 6 percent renewable. But 
more of that coal is going to be retired.
    So my question would be this. I understand that your 
organization's reliability assessment from last year did not 
even flag PJM as having major near-term reliability issues, but 
I have to ask, is PJM correct? It seems highly risky for them 
to depend 86 percent on one fuel in an environment when all we 
talk about is fuel diversity.
    Mr. Cauley. Thank you, Senator, for that question.
    As a reliability engineer for 37 years, I think one of my 
most important factors is a diversity of our fleet and a 
diversity of our fuel mix. And it is a concern. We've done a 
number of studies over recent years on the changing resource 
mix and its impacts on reliability. One of those----
    Senator Manchin. Do you think PJM is correct?
    Mr. Cauley. I think currently, PJM----
    Senator Manchin. 86 percent?
    Mr. Cauley. ----does have a very robust supply, capacity 
supply, in the near-term years.
    The one concern I would have with PJM is the dependence on 
gas. And the concern there is, not so much the adequate amount 
of gas, but the dependence on gas infrastructure and supply 
during times of extreme weather when you'd be competing.
    Senator Manchin. You would be concerned about the 
reliability, putting all your eggs in one basket?
    Mr. Cauley. Yes, exactly.
    Senator Manchin. What do regulators need to do to help move 
natural gas into a position where it can serve as a baseload?
    I know that the pipeline, I know the things, the pressures 
can freeze up. I have known all of that.
    We are very blessed in West Virginia. We have a little bit 
of everything, coal, gas, wind, solar. We try to do it all, but 
throwing all your eggs in one basket.
    Here is my problem. I have not spoken to one CEO of a major 
utility that believes that they have the right mix in their 
energy portfolio. Not one. They think they have been forced 
because of what we have done here, forcing them in a direction 
that reliability is not demand. FERC is not even looking at 
reliability as their responsibility. What happens when the 
system collapses and goes down? Who gets blamed?
    Mr. Cauley. Me.
    [Laughter.]
    Senator Manchin. Oh, okay.
    Mr. Cauley. Well, I will be one of the folks. But it is 
creating some difficulty, and that's why we're working hard to 
make sure we get that information out.
    You know, one of the challenges is newer, inverter-based 
generators like renewable solar and wind don't have the 
rotating mass and the stability of larger units. So that 
creates a reliability challenge. We do see stability margins 
starting to shrink, so what we're trying to do is make sure 
everyone has the information needed to make the best decisions 
going forward.
    Senator Manchin. I am sorry, sir, my time is running short.
    This one is for Mr. Highley. In the U.S., approximately six 
percent of electricity is lost when it is transported from a 
generation facility across transmission distribution lines to 
consumers. Our transmission and distribution lines waste enough 
energy each year to power more than two million homes for one 
month. Each year they lose that much power.
    The Department of Energy in the past did a significant 
amount of work on superconductive materials in an effort to 
reduce transmission line losses. This research has apparently 
not led to any significant breakthroughs. If we are going to 
become more energy efficient, we need to improve these 
transmission distribution of electricity.
    Mr. Highley, what is the industry doing to improve the 
efficiency of electricity transmission and distribution lines? 
And do you expect any developments in the near term that will 
lead to dramatic line loss reductions?
    I am to understand that there are so many new products on 
the market we have not used yet.
    Mr. Highley. As a CEO of a member-owned system, I work for 
my members and I am absolutely incented to save every dollar I 
can for them. And if I could save them money by using those 
technologies for transmission distribution, we would be doing 
it. We don't see it as cost-effective today to deploy that.
    Senator Manchin. To deploy the new technology?
    Mr. Highley. Correct. If it was--in the areas where it's 
cost-effective----
    Senator Manchin. So you are saying the six percent loss is 
more----
    Mr. Highley. Is----
    Senator Manchin. ----cost-effective than buying the new 
equipment?
    Mr. Highley. Correct, correct in terms of life cycle costs.
    Senator Manchin. So basically our whole----
    Mr. Highley. I have to face the people who pay the bill 
every month. That's my Board of Directors.
    Senator Manchin. I understand that. So I would say that 
basically all of----
    Mr. Highley. They're my----
    Senator Manchin. ----those senators who have been really on 
energy efficiencies that we have been trying to do here is all 
for naught when it comes down to cost?
    Mr. Highley. It's just an economic choice.
    Senator Manchin. I understand.
    Mr. Highley. Yes, sir.
    Senator Manchin. I understand.
    Thank you.
    The Chairman. Thank you, Senator Manchin.
    Senator Cassidy.
    Senator Cassidy. I want to congratulate you all. I have 
never seen a collection of testimony with more acronyms, 
outside of maybe, Department of Defense. It was quite 
remarkable. And as a rule, they did not overlap. It wasn't as 
if I learned it here and then I would see it there, so good 
job, guys.
    Ms. Hoffman, let's start off with that which we have not 
yet discussed, the electromagnetic pulse (EMP) resilience. Now 
that is not related to cyberattacks, that is just the sun 
decides to send off something one day.
    I was not clear from your testimony, and you may have said 
it and I just did not follow, to the degree that we are now 
positioned to robustly endure such an electromagnetic pulse 
from either a military or the sun. I think I understand it 
could be either, right? How are we positioned to withstand 
that?
    Ms. Hoffman. So thank you, Senator, for the question.
    Electromagnetic pulses and GMD disturbances are basically 
electromagnetic disturbances that will affect not only the 
electric sector but multiple sectors in the United States.
    Within the utility sector, we have taken an aggressive 
posture of looking and investigating further the 
electromagnetic issues. The Department has partnered with the 
Electric Power Research Institute and developed a strategy for 
looking at EMP.
    Senator Cassidy. I have limited time, so how, if either EMP 
was discharged in the atmosphere or the sun sent off such an 
issue, if you will, how well are we now positioned to respond 
to it?
    Ms. Hoffman. So, it would depend where it was set off in 
the atmosphere. It would have multiple effects on transformers 
and components on the system.
    There is a need to do some additional hardening on the 
system to mitigate some of those effects. But a lot of the 
discussions are what is the strategy and what is the most 
cost-effective solution to implement?
    Senator Cassidy. I am not sure I am getting an answer to my 
question, but implied, is that we are not there yet.
    Ms. Hoffman. We are still working toward what is the best 
solution for the sector.
    Senator Cassidy. And so, if we are still working toward 
what is the best solution it suggests to me we have not yet 
implemented anything.
    Ms. Hoffman. No, the industry has implemented some 
solutions. There have been specific utilities that have looked 
at shielding, hardening of substations. So there has been 
progress with respect to some mitigation measures.
    Senator Cassidy. Okay, but still I am guessing 
vulnerability. Again, it is some. You are speaking in 
fractions. You are not speaking in significant fractions. We 
are 50 percent of the way there is not what I am hearing. I am 
hearing some have done something.
    Ms. Hoffman. Some, yes, utilities.
    Senator Cassidy. Colonel Welsh, you speak of failure of 
imagination. Now, it is a little bit, you know, existential. 
How do you imagine the future?
    I remember being in Israel and somebody came up, some young 
whiz kids came up, with some software that used an eye to 
imagine where in software would be a vulnerability and to 
anticipate what would be a response. Maybe that is how we 
imagine, but I was not sure how should we imagine?
    I saw your testimony, we need to have a robust response and 
the guy from Johns Hopkins on my staff gave me something that 
he has written also using National Guard as part of that 
response. But I guess my question is how do we imagine where 
the next cyberattack would be from?
    Colonel Welsh. Well, I think that the failure of 
imagination covers a wide spectrum, so my concern on the 
failure of imagination is we've now acknowledged that a 
cyberattack is possible, but huge gaps in capabilities, you 
know, at the federal level, at the state level.
    Senator Cassidy. As I read your testimony, again, I am 
skimming it, I apologize, because there is much you did not 
say, it was written, so I am skimming that what you wrote and 
spoke of a failure of imagination as it regards management.
    But is there a way to anticipate from whence the attack 
comes because, again, something else I read said that the folks 
who are going to attack us will probably save their best stuff 
for, you know, they are not going to tip us off as to what 
their most effective attack would be.
    Colonel Welsh. Correct.
    I think there are certain countries out there that we know 
we can potentially expect some interest from now and in the 
future. But again, back to the failure of imagination. It is, 
you know, I think we have decided that we can be attacked, but 
there is not much more imagination that is happening in terms 
of response and recovery. That is really where my concern is 
right now.
    Senator Cassidy. Response and recovery.
    Colonel Welsh. Correct.
    Senator Cassidy. Is there a way to anticipate what the 
attack itself would be, beyond the say, eye, that perhaps I was 
exposed to in Israel?
    Colonel Welsh. Maybe I'm not completely clear on your 
question, Senator.
    Senator Cassidy. Gentlemen, you seem to be----
    Mr. Bochman. If you don't mind, Senator.
    Yeah, there's definitely ways to anticipate, and I'd say 
that's happening every single day.
    If we're talking about a game changing cyberattack on U.S. 
infrastructure, the one it sounds like you're teasing out, 
we're looking for, we're always looking for that. But things of 
a lower order of impact are happening every day and people are 
monitoring them. They're identifying where traffic is coming 
from. They're monitoring signatures and behavioral 
abnormalities and jumping on them and protecting some things, 
blocking some things, not responding later on.
    Senator Cassidy. So you can look at a signature of an 
attack and therefore block something from that particular 
signature from thenceforth, sort of thing?
    Mr. Bochman. Yes, that's business as usual.
    Senator Cassidy. Gotcha.
    Mr. Bochman. That's happening now, fairly broadly. And I 
would imagine, I could say on behalf of the energy sector, 
that's happening broadly.
    Senator Cassidy. And quickly, because I am almost out of 
time.
    Mr. Bochman. Sure.
    Senator Cassidy. You mentioned this, kind of, paradigm 
shifting attack and that is what I was getting at.
    Mr. Bochman. Right.
    Senator Cassidy. How do we anticipate that?
    Mr. Bochman. Ah, to your point, if it's done well, we'll 
have a hard time anticipating it.
    Senator Cassidy. Okay.
    I yield back. Thank you.
    The Chairman. Thank you.
    Senator Stabenow.
    Senator Stabenow. Thank you very much, Madam Chair, and 
thank you to all of you for your testimony. As we talk about 
cyberattacks, of course, we are being attacked right now 
through our communication systems and so on, so this is a very 
important conversation, as we look at capabilities and what 
could happen, what is happening, what will happen.
    Mr. Bochman, I think you talked a little bit about, or you 
have included in your testimony a little bit about, something 
that I heard from a cybersecurity expert at the University of 
Michigan who suggested to me that we need to move away from the 
checkbox compliance mentality when it comes to securing our 
energy infrastructure and move toward building cybersecurity 
into the very fabric of our energy systems. For example, 
firewalls and anti-virus software described to me as merely 
afterthoughts and add-ons, and what we need is to be building 
security into the system.
    What is being done to transition toward an approach that 
fully integrates cybersecurity practices and technologies into 
the systems that are so critical to the economy and national 
security?
    Mr. Bochman. I appreciate the question, Senator Stabenow.
    First of all, in defense of checkboxes and mandatory 
compliance regimes that have, I think, demonstratively improved 
the security of the grid in the United States, you've got to 
achieve a baseline level of hygiene first before you can start 
thinking about playing even more advanced forms of defense.
    Hygiene is what you get when you, if you, adhere to the 
recommendations of say, the SANS top 25 security controls or 
the NERC CIPs or the C2M2 maturity model from DOE. We're trying 
to have people make sure that, it's kind of like the analogy 
for folks is, you know, you brush your teeth and you take 
vitamins and you eat well and get exercise so that you don't 
fall prey to all manner of different infections and bugs that 
could slow you down or worse, right? You want to, at least, be 
there with a level of hygiene. So, I'm responding to the, I 
think, compliance or checkbox mentality thing.
    In terms of building security in, yes, every security 
professional in their earliest days says, we need to make sure 
that we don't try to bolt security on after the facts, after 
something is deployed because that's both more expensive and 
less effective than it is to just get it right the first time 
when you design it, at the design stage, right? The challenge 
is so that's mom and apple pie for security folks.
    The problem is with the energy sector, it's true in all 
sectors, but if you're more IT you're used to replacing 
products on a fairly regular basis. You know, your laptop is 
giving you trouble after a year, or two, or three. It's time 
for a new one anyway, even faster sometimes for cell phones and 
other technologies.
    With assets that are deployed in industrial applications 
like the grid, like natural gas, the way we buy those systems 
and budget for them expects that they will be operational for 
10, 20 or 30 years or at least that's the way it's been up 
until now. And so, once that thing has been designed, 
purchased, deployed and now you're on maintenance cycle, you 
live with that thing. And so, bolt on, bolting on security, 
adding it after the fact, is your only choice.
    I think, though, to conclude, a strong push this is 
something that, I think, all of us here and Senators as well, 
the Committee could do, is it's almost like the oath, vow to do 
no more harm. If we could start to have more rigorous, I won't 
say enforcement, but encouragement, incentivization, is the 
right word, to help people get it right the first time on the 
next generation of products before those are rolled out. I 
think that would be a demonstrable sign of progress.
    Senator Stabenow. Thank you.
    Ms. Hoffman, thank you for being here. Distributed energy 
systems are notable for their efficiency and their flexibility. 
However, in terms of cybersecurity, what are the benefits and 
risks to having a distributed energy network and what does an 
increasingly decentralized network mean for the government and 
industry's role in combating cyber threats?
    Ms. Hoffman. So, thank you, Senator.
    Distributed energy resources are both, provide a value and 
a risk, as you have mentioned.
    From the value side of it, it brings generation closer to 
the load or closer to where demand is so it can provide 
consumers with a greater sense of resilience and reliability by 
being closer to where the customers are demanding that energy. 
It also provides a great diversity and resources from solar, 
from distributed solar, to natural gas generation and onsite 
generation. So it does provide that diversity.
    On the security side of things, though, it's still another 
generation asset that has communications and controls, and one 
needs to look at building security into supply chain or 
generation assets as part of the system. So, it's very 
important that even if you're a solar manufacturer or you're a 
distributed energy manufacturer, that if you have a control 
system and you have a computer or any sort of computer-aided 
control, you really need to embed cybersecurity into those 
devices.
    Senator Stabenow. Thank you very much.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Stabenow.
    Senator Wyden.
    Senator Wyden. Thank you, Madam Chair.
    It has been an excellent panel. What is striking is how 
pervasive this challenge is. I am on the Intelligence 
Committee. We have cyber threats there. I am on the Finance 
Committee, and we are concerned about our data with respect to 
our taxes. And then, of course, we are concerned about the 
energy grid. So I want to, sort of, try to touch on several 
pieces of the puzzle this morning. I think I am going to start 
with you, Mr. Cauley.
    First, I am particularly interested in this concept of red 
teaming because we saw this report coming from Houston where 
essentially a team of hackers, for a couple hundred bucks, got 
into a Houston oil refinery. Basically, they broke through an 
electric lock. They installed a small credit card-sized device 
to penetrate the company's control systems.
    I think the government ought to be involved in red teaming. 
What do you think of that concept?
    Mr. Cauley. Well, I think one of the things that the NERC 
standards does is require the electric companies to do 
vulnerability testing which includes red team penetration tests 
and things like that to the critical systems. And I think part 
of our risk approach on our standards is that they're not 
prescriptive but tell people what they need to do.
    Senator Wyden. I guess I would like to hear if you think 
more should be done on this.
    Mr. Cauley. I think more should be done, could be done, and 
I think partnering with government to support that would be 
useful.
    Senator Wyden. Good.
    Let's hold the record open on that point because I would 
like to hear, given the fact that you think more needs to be 
done, what additional work you think would make sense. Okay? 
Could you get that to us, say, within, say, 10 days?
    Mr. Cauley. Yes, yes, sir.
    Senator Wyden. Very good.
    One other question for you and one point just with respect 
to the group. I have been trying to assess our witnesses' 
position on strong encryption, because I think strong 
encryption is vitally important to the security and well-being 
of the American people and certainly the energy grid. There are 
people around here who would be very interested in weakening 
strong encryption. I have made it clear that I will filibuster 
any bill that weakens strong encryption because it will leave 
Americans less safe.
    If any of you have views you would like to advance to the 
contrary, I would like to see that in writing as well. In other 
words, if you do not agree with the notion of how important 
strong encryption is, I would like to have anybody share their 
views as to why we should not be for that.
    The last point I want to make, Mr. Cauley, goes again, back 
to you, and it really involves the Internet of Things.
    Last year, James Clapper, who was then the Director of 
National Intelligence, talked about how the Internet of Things 
was going to play a bigger and bigger role as it relates to 
surveillance and monitoring and location trackers. I would be 
interested in wrapping up this round of questions, we 
understand the important role that the North American Electric 
Reliability Corporation has, in energy lingo that is NERC. I 
would be interested in your wrapping up, if you could explain a 
potential role for NERC as we try to address the Internet of 
Things and ensuring that we prove, as is my guiding philosophy, 
that security and privacy are not mutually exclusive, that 
smart policies can give us both. What kinds of things could 
this NERC outfit, the North American Electric Reliability 
Corporation, help us with as we try to come up with a smart 
policy given the challenge with the Internet of Things?
    Mr. Cauley. Well, the distribution system, the Internet of 
Things we see, largely at the customer distribution level, are 
not really within NERC or FERC's purview at the federal level.
    Senator Wyden. But they could give advice.
    Mr. Cauley. They do create a significant risk to the bulk 
power system and the denial of service attack, that we saw last 
October, could inflict harm on the bulk power system. So we are 
very concerned about making sure that distributed systems and 
customer systems are not easily hacked and captured and become 
a weapon in and of themselves. Heavy encryption and protection 
of those systems and making sure that we work with vendors to 
make sure that they're not easily hacked is our focus.
    Senator Wyden. If you could give us additional suggestions 
with respect to NERC and if there are other organizations that 
could do that work, I would be very interested in it because I 
have not yet seen a government or an entity like NERC get this 
right yet and it is obvious because it is an incredibly 
challenging area.
    Could you get us any thoughts you have, say, since I was 
looking at it for the next 10 days, on how they and other 
bodies could help us tackle the Internet of Things in this 
manner that would show that a smart policy means that security 
and liberty are not mutually exclusive, that you can have both. 
Is that agreeable?
    Mr. Cauley. Yes, sir, we'll do that.
    Senator Wyden. Great, thank you.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Wyden.
    Senator Hoeven.
    Senator Hoeven. Thank you, Madam Chairman.
    Essentially, the question I have is how to secure against 
the interconnectedness of things? I would like each of you to 
respond to that for just a minute. I mean, everything is 
interconnected now, right? So if something goes wrong in one 
place that has a potential cascading effect throughout the 
system.
    How do you create circuit breakers or safeguards to prevent 
that because on the one hand you have to be fully integrated, 
and we are constantly trying to integrate more and more and get 
rid of silos? On the other hand, if something happens in one 
sector of our energy infrastructure, then potentially that is 
going to impact everybody else with a potential cascading 
effect. How do you handle that issue, the interconnectedness of 
things, I guess, unless you have a better way to term it?
    Ms. Hoffman. I will start and then----
    Senator Hoeven. Sure, that would be great.
    Ms. Hoffman. So first of all, I think you need to test both 
devices and networks. So you must start testing these networks 
to make sure you identify vulnerabilities. As you're looking at 
components that are connected, you must understand where their 
vulnerabilities are in the components.
    But also, build a system where cybersecurity is built in so 
that you know what normal operations of the system is and what 
abnormal operations or abnormal communications are so you can 
block them and prevent them from causing damage.
    Senator Hoeven. Can you create circuit breakers that both 
integrate systems and isolate them, when necessary?
    Ms. Hoffman. So on the circuit breakers, that's a specific 
technology that has the specific function so you should be able 
to look at that.
    Mr. Cauley. So a lot of work has been done to 
compartmentalize within the power system. As I mentioned in my 
oral remarks, the grid operates over private networks, 
microwave and fiber systems that are owned and managed by the 
company. So there is a lot of isolation and departmentalization 
to protect those systems.
    We require, within our standards, that critical assets, we 
understand the architecture and design of that system so we 
understand all the connection points and vulnerabilities from 
that.
    The more you get further down into the system, into 
distribution and distributed resources and those kinds of 
things, then we're talking about more amass devices and 
instruments and communications and it's much more difficult 
because the sharing is the value is everybody is contributing. 
It is a dilemma to try to operate a very interconnected grid 
and a compartmentalized and protected grid at the same time.
    Senator Hoeven. As you develop your cybersecurity, as you 
integrate, are you building those types of circuit breakers or 
isolation systems to separate yourself from the problem? Is 
that a standard part of cybersecurity?
    Mr. Cauley. Separation and compartmentalization is 
standard. There are some of the more most critical assets in 
control centers and so on now where people are using one way 
data diodes and things like that, that would control the flow 
so no harmful information can come in. So that's, sort of, 
early stages of some of that more advanced work.
    Mr. Highley. Just on the policy level, cross-sector 
coordination is critical. Oil and gas, telecommunications, 
electricity, finance, water, all depend on one another, and so 
what we're doing at the ASCC is bringing those sectors together 
in cross-sector dialogue, bringing our ISACs, that give us 
information about cyber threats and sharing those cyber threats 
amongst the different entities so that we're all working toward 
the same goal.
    Senator Hoeven. Dave?
    Mr. McCurdy. Senator, that's a great question.
    In the natural gas sector, we're doing two things.
    One, we are delivering electrons. So we have automated 
controls. We have Industrial Control systems in those. But we 
also are moving molecules. So it's a bit more of a mechanical 
and physical process. In both are safety and security, 
cybersecurity, concerns. And so, we have the automatic control 
systems that are separate from a safety standpoint we need to 
have backup for that and a second tier. In there we have 
shutoff valves. Again, because of pressurization and 
compressibility, it's a little slower process so we're able to 
have some physical control over it as well. And those are 
separate.
    In addition to the other basic hygiene where you try to 
separate your enterprise system from your operations system. 
And even though you have human beings crossing between and 
probably the most significant risk, we haven't talked about it, 
but people are still the most important risk and we test that 
on a regular basis.
    But there's a--you need that layer of--going beyond a 
layered defense but layered resiliency. And I think that's the 
culture we're trying to instill in our center.
    Senator Hoeven. The other question would be how do you know 
if you are safe? Maybe you alluded to it, but you just do that 
through testing? I mean, you run various scenarios and do the 
tests?
    Mr. McCurdy. Yes.
    Senator Hoeven. To try to assess whether you are safe, 
whether you have these safeguards and whether they work?
    Mr. McCurdy. Yes, sir. We do.
    And to one of the other questions, I think to Ron Wyden's 
question about red teaming. We participate in GridEx. We have 
another one coming up in a few months, and natural gas, I think 
for the first time, will actually be participating in that as 
direct. So as we look at the interdependence of the bulk power 
system and we're a portion of that, maybe one-third now. 
Natural gas is being used more.
    But you also have to recognize we deliver one-fourth of the 
country's energy directly to more than 74 million customer 
sites, not individuals. So, we've got multiple tiers here, and 
that's why it's important that we coordinate with DOE but also 
TSA and transportation, because we're a transportation system.
    There's multiple layers here, and that's why it's important 
to have a hearing like this so we can, kind of, get a better 
understanding. It's not just as simply, just one overlay.
    Senator Hoeven. Are you seeing attacks on a regular basis, 
be it cyber or other types of attacks on the system?
    Mr. McCurdy. Absolutely, yes. We have detection 
capabilities, and even my small association has that 
capability. We've seen it. We're targets. If you have energy in 
your title or name, you've been attacked for a long time. 
You've been surveilled. You've been mapped. You've been all 
these. And it's no longer, you know, what we used to see as 
individuals, it's nation-state, it's other.
    Senator Hoeven. Yes.
    Mr. McCurdy. Ramping of those threats. You have to assume 
that you've been penetrated, and then what do you do from 
there? So, it's a whole different conversation than it was just 
a few years ago.
    I know the Senate and Congress is much more acutely aware 
today than it was a few years as well.
    The Chairman. Thank you, Senator Hoeven.
    Senator King.
    Senator King. Thank you, Madam Chair.
    Mr. Bochman, your paper on the Ukraine attack in December 
2015 was, in large measure, the inspiration for S. 79, the bill 
that Senator Risch and I have put in. Could you give some 
background on what the concept is and what we are trying to do 
in that bill and the concept of places in the grid where we can 
protect ourselves by, perhaps, having analog technology?
    Mr. Bochman. Sure, thanks for the question, Senator King.
    And it is, sort of, a follow on, in a sense from Senator 
Hoeven's. The paper the Senator is referring to is the National 
Security Case for Simplicity in Energy Infrastructure. And so, 
all those questions, all the other points about cascades and 
interdependencies of the systems in different sectors, all that 
are enthusiastically embracing adding more technology into 
systems that used to just be electromechanical and were 
protected, in large part, through isolation. Each would have a 
trained engineer, who knew the way that thing worked all the 
way down to their bones, like an engineer in a substation, for 
example.
    For, as I alluded to in my testimony, many very good 
business reasons, usually having to do with efficiency and cost 
savings, but also the ability to see what's going on better. 
We've connected everything. Convergence has happened. Now we 
are adding communications and sensor and communications 
technologies into the most mundane parts of our different 
interconnected systems. So, they're all talking with each 
other.
    I was going to say to Senator Hoeven, our ability to 
influence the wide deployment of Internet of Things and 
Industrial Internet of Things is very minimal. So one of the 
best things that we can try to do to focus our thinking is 
prioritization. And this gets to some of the issues in the case 
for the simplicity paper you're referencing.
    What are the systems that absolutely must be protected from 
a national security point of view? Because of the energy and 
other processes they support, it would be unacceptable as an 
economy or as a nation to lose them.
    Senator King. What we are talking about is finding those 
places, not the entire grid, but finding places where 
simplicity, and perhaps even old technology, could be an 
isolating factor. That is what we are talking about here.
    Mr. Bochman. Yeah and it's, kind of, neat because very 
selectively adding these types of analog or out of band or 
putting a human, a trusted human, back in the loop, doing that 
in a moderate way in only the holiest of holy places, allows 
you to then proceed with the modernization which brings all the 
benefits of the grid that we need to have in the future. So it 
allows you to do that. At the same time, it might let utility 
executives, natural gas executives and folks on the hill, sleep 
a little bit more soundly.
    Senator King. Thank you.
    Mr. Cauley, I think you touched on this and Dave McCurdy 
touched on it as well, I think. We are talking all about 
cybersecurity and cyberattacks, but in our own national 
security agencies, insider attacks have been the vulnerability. 
To what extent is the industry looking at its own people and 
how they are investigated and examined and how do we protect 
against a rogue employee who could do a lot of damage?
    Mr. Cauley. Insider threat is one of the top risks that we 
look at in both physical and cybersecurity side. And the more 
critical the job, the more critical the facility that the 
individual works at, the scale of, in terms of screening and 
review, doing background checks, goes up with that. So it's a 
well-known and a well-understood risk.
    It's not always perfect. I mean, there was one employee who 
several, a couple years ago, was at NERC ISO, who went through 
the normal background checks and turned out that it was a 
suspicious person, a foreign national that we didn't know about 
because it wasn't in the database. But to the extent that that 
information is available in--through a background check, that's 
a common practice.
    Senator King. Mr. McCurdy, I take it you see this as a 
threat as well?
    Mr. McCurdy. Yes, Senator.
    And beyond just the individual that may have nefarious 
motives, just lackadaisical security practices. We do social 
engineering testing of our own staff, and we actually got 
caught. This week we did one and creative IT staff and just 
clicking on the wrong link or not checking everything. We test 
that regularly and you have to.
    It's easy just to assume that because it looks like an 
email from me or someone else, doesn't mean, yup, you know, 
then you go check those lines. So there's a whole level, multi-
levels, of testing with people to raise their awareness of what 
the threat is.
    Senator King. Mr. Bochman, I am out of time, but----
    Mr. Bochman. Super short.
    I just wanted to say that you asked about insider threat. 
You mentioned self-phishing, auto phishing, making sure people 
aren't clicking on those crazy things, and some of them are 
very realistic.
    When those people, when the attackers successfully phish 
you and they gain your credentials they know your login and 
password. They are insider. They have every right to use the 
applications and access the data to whatever authorization 
level you were given as that employee. They can proceed at 
pace. They're not hacking. They're not going against any--
they're not bumping into any other security system. That's why 
everyone is so energized on that topic and still trying to 
figure out ways to start to take care of it.
    Senator King. Thank you, Madam Chair, and thank you for 
convening this important hearing.
    The Chairman. Thank you, Senator King.
    Senator Hirono.
    Senator Hirono. Thank you, Madam Chair, and I thank the 
panel.
    I have some questions for Ms. Hoffman. In your testimony, 
you explain that an ecosystem of resilience, working in 
partnership with local, state and industry stakeholders is the 
solution to staying ahead of ever-evolving cyber threats to our 
energy delivery systems.
    Is this ecosystem of resilience happening in every state 
because you have to work with the state level? I mean, it has 
to be present in every state? Is it?
    Ms. Hoffman. So, I think there is a--thank you for the 
question.
    I think there is a different level of maturity in the 
different states in creating an ecosystem of resilience. You 
could take the example here with Washington State and the 
National Guard and their ability to partner with a local 
utility and to do some testing. You also have some other states 
that are very sophisticated in information sharing with the 
fusion centers. And so, there has been some advanced best 
practices.
    I think the states really have the opportunity to take 
advantage of looking at their critical infrastructure and 
building that partnership through the supply chain into the 
electric industry and supporting cybersecurity.
    Senator Hirono. But this ecosystem is being created in 
every state at whatever the level of their systems are?
    Ms. Hoffman. I think it's a work-in-progress and there is 
maturing at the state levels, including the information sharing 
with the Federal Government with the state utility commissions.
    Senator Hirono. Do you have a model or what would work?
    Ms. Hoffman. I don't have a single model for what would 
work. I think there are components of what would be successful 
including information sharing, testing, partnerships.
    Senator Hirono. Do you assess what is going on in every 
state with regard to this ecosystem of resilience?
    Ms. Hoffman. The Department of Energy does not assess, but 
we do do energy assurance plans. We have worked, at least in 
the past, with the state energy offices in looking at energy 
assurance planning.
    Senator Hirono. Have you done this in Hawaii?
    Ms. Hoffman. The energy assurance plans? I believe so. I 
would have to go back and check for you.
    [The information referred to follows:]

                         INSERT FOR THE RECORD

    The Office of Electricity Delivery and Energy Reliability 
(OE) sponsored Hawaii, through the American Recovery and 
Reinvestment Act, to develop an Energy Assurance Plan. The 
Hawaii Department of Business, Economic Development and Tourism 
made a full update of the plan in March 2013 and has since done 
supplemental reviews and updates, including adding a new Fuel 
Shortage Emergency Response Measures Annex. Given the 
sensitivity of the critical infrastructure described in the 
plan, it is not available for public distribution, however DOE 
has a copy of the plan by agreement with the state.
    Senator Hirono. In addition to our own ecosystem, we also 
have a huge military presence in Hawaii. I am wondering whether 
your Department and the national labs have been called upon to 
provide technical expertise to the Department of Defense to 
help address potential cyber threats to our military 
installations?
    Ms. Hoffman. So thank you for that question. That's a very 
important relationship between the Department of Energy and the 
Department of Defense.
    I would answer this in a couple ways. We have an MOU with 
the Department of Defense, so we've been collaborating on a 
regular basis from an R&D perspective with the Department of 
Defense. In the FAST Act, there was a requirement in the FAST 
Act for DOE to work in partnership with DoD to look at electric 
sector critical assets in relationship to the Department of 
Defense. That was completed with the Department of Defense.
    We have also had innovation through microgrids that we've 
done with the Department of Defense. I'm sure you might be 
familiar with the SPIDERS activities which included several 
military bases in the Hawaii area as well as Colorado and some 
other states. So that is a very important relationship.
    Senator Hirono. With regard to the FAST Act, are there any 
concerns of moving the DOE office, the lead agency for 
cybersecurity for the energy sector, and going to Homeland 
Security, for example? Is that a concern, leading----
    Ms. Hoffman. So the FAST Act did codify the Department of 
Energy's role as the sector-specific agency, as well as we are 
the Emergency Support Function #12 and it has been mentioned 
many times in the hearing today as the primary point for 
security issues.
    Senator Hirono. So as far as you are concerned it should 
stay that way.
    Last month the President submitted a budget to Congress 
that would cut $2 billion, or nearly 53 percent, from four 
major DOE programs, including the office that you lead, the 
Office of Electricity Delivery and Energy Reliability.
    I am deeply troubled about the potential impact that this 
proposed funding cut would have to the cybersecurity for energy 
delivery systems R&D program. The CFDC's R&D program aligns 
federal and private sector priorities for important research 
that helps detect, prevent and mitigate the consequences of a 
cyber incident for current and future energy delivery systems.
    What will be the specific impact to the R&D program if 
these cuts are enacted next fiscal year?
    Ms. Hoffman. Senator, thank you for the question.
    As in your interest in the program, as the blueprint was 
released by the President there is, will be, the Secretary has 
announced as part of that blueprint, released that the mission 
of the department will change. We will focus on earlier stage 
research.
    The details of the budget aren't available at this time. 
We're working diligently to work through those details. I look 
forward to and would have probably more details, more 
information when the budget is released in May, in greater 
detail.
    Senator Hirono. That is being very diplomatically put, I 
would say.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator Hirono.
    Senator Franken.
    Senator Franken. Thank you, Madam Chair, for holding this 
Committee hearing. Boy, this is pretty hair-raising stuff.
    Colonel Welsh, you brought up in your testimony that we are 
not well prepared for what comes after a successful 
cyberattack. You say we have done little to anticipate and 
develop actual response capacity that would be needed post 
attack.
    The Chairman. That is interesting.
    Senator Franken. Can you elaborate on that? What does that 
look like? Would anyone else care to jump in too?
    Colonel Welsh. You bet, Senator.
    So my premise is basically that we've treated cyber 
different for a long time. Our view is cyber from an emergency 
response perspective can be looked at just like any other 
response that we undertake as a nation. So, through DHS and 
FEMA.
    Using the existing natural response framework, things like 
the National Cyber Incident Response Plan, but one of the most 
troubling things is, you know, we fight a lot of wildfires out 
in the State of Washington, there are things called resource 
types. We know what to call, what to order, what to buy, when 
something happens. We don't have any of that in cyber.
    If some cyber event happens tonight and it happens in the 
State of Washington, thankfully we've got a lot of cyber folks 
to help. But let's just say it happens in Idaho, and they don't 
have a whole lot. There's no way to get cyber resources. 
There's no cyber ninja force, for the most part, out there 
ready to call and organized in a way that can respond. That, 
sort of, goes back to the previous question before us on 
failure of imagination. We've not taken that next step from a 
response and recovery standpoint.
    And also, the acknowledgement that a cyberattack is, sort 
of, a cyber is an IT, sort of, issue. But the second and third 
order consequences that are emergency management issues, that 
are already handled by our existing emergency management 
processes, have to be brought into the discussion as well. 
Thanks.
    Senator Franken. Anyone else want to jump in on that?
    Mr. Highley. We all----
    Senator Franken. Does anyone not want to jump in on that?
    [Laughter.]
    Okay.
    Mr. Cauley. So, I would say first, Senator, that that's the 
purpose of our massive GridEx exercise we do. We basically 
break the system. We put people in the dark. We have massive 
disruptions in cyber and physical attacks.
    Senator Franken. So you do it at night?
    Mr. Cauley. We do it over a 2-day period.
    Senator Franken. Okay.
    Mr. Cauley. And it's simulated so no one actually gets hurt 
in the process. But with leadership from the White House and 
Energy and Defense and DHS, and the CEOs and leadership of the 
industry are on the table. We're working through the 
challenges.
    Senator Franken. Because the Colonel seems to be saying we 
are not prepared for this.
    Mr. Highley. There is a cyber----
    Mr. Cauley. One of the things that came out of this was the 
need to create a Cyber Mutual Assistance Program, and I'd like 
Mr. Highley to talk about that work.
    Mr. Highley. There is a cyber ninja force. It's in its 
early formation.
    Senator Franken. Cyber what force?
    Mr. Highley. Well, somebody said there wasn't a cyber ninja 
force. There is a cyber ninja force. It's the Cyber Mutual 
Assistance Program that's parallel to the utilities in the 
electric sector.
    Senator Franken. Is ninja an acronym or just----
    [Laughter.]
    There are too many acronyms.
    Mr. Highley. We have 93 member utility systems that are 
members of Cyber Mutual Assistance that will help each other in 
the event of a cyberattack and send their IT professionals to 
assist the others in restoration. That means that 80 percent of 
utility customers in the country are covered by that right now 
from the membership.
    Senator Franken. Because I think what the Colonel is saying 
that after this happens it is not just cyber.
    Mr. Highley. True.
    Senator Franken. It is the effects of the cyber.
    Mr. Highley. True.
    Senator Franken. And that we have got to be ready for that.
    Colonel, you were talking about the number of personnel 
that you have, cyber personnel or people prepared for this in 
Washington. What I am wondering about, and you talk about this 
too, is the need to train people in this. The need to, you 
called it a, some kind of school, schoolhouse, cyber 
schoolhouse program. Are we training enough people to do this? 
And how can we do that? That is the question.
    Mr. Bochman. There's an incredible dearth of trained 
utility qualified or industrial control systems, security 
personnel in the country, probably in the world. But where we 
need, the demand signals that we're getting from all over the 
place, are for a thousand or many thousands of these people who 
can touch that specialized type of equipment. We probably have 
hundreds from some informal surveys we've done.
    To your--go ahead.
    Senator Franken. I am sorry, but I am curious. What 
countries do this better than we do or which piece of it? In 
other words, I think, Russia attacks well.
    [Laughter.]
    I have this theory. You know, other? Who is good at 
attacking and who is good at defending and who has these 
people?
    I remember after World War II we took some of the German 
scientists.
    Mr. McCurdy. Well, Senator.
    Senator Franken. I am not suggesting--I think we need to 
have home grown and----
    Mr. McCurdy. Yeah.
    Senator Franken. Yes.
    Mr. McCurdy. Senator Franken, there's a lot in that 
question, but first of all, no one can surpass the United 
States in its offensive capabilities in the cyber arena whether 
it's national security agency or other confident, you know, 
classified areas. So, put that aside.
    China, Russia, Israel, in certain respects there are 
criminal elements. There are subnational levels, Iran. So, you 
know, there's multiple levels of capabilities.
    The question is what is the threat to us? And this is all 
risk assessment. If a nation-state decides they want to take 
down the grid, there are many ways to attack and it's not just 
cyber. It would be a combination of physical and cyber, if it 
got to that level because that's act of war.
    Now, there are other ways that people are attacking our 
systems. They either want to demonstrate capability. They want 
to, you know, steal information. So again, we have to plan for 
those different types.
    Recovery is a different question though, and I think you 
were, kind of, asking that other question. Recovery from the IT 
standpoint, the ICS, the control systems, that's where we need 
to work with the Federal Government and that's where the--we 
own 90 percent of the infrastructure out there so we have to 
have those backups.
    If you're talking about large units that could be affected. 
That's one issue. It's another if it's computer systems. And on 
my front, it's mechanical systems. If we have to restart pilot 
lights around the country, you know, in the dead of winter, 
it's pretty challenging.
    So there are multiple levels that we have to plan for. We 
do this with regard to storms. A lot of this activity you see, 
collaborative, is in fact the result of Superstorm Sandy where 
the Administration worked with utility sectors to respond to a 
natural disaster. So we've learned. Is it perfect? Never. Will 
it be perfect? You can't get there, but we're improving.
    Senator Franken. Okay. Thank you. I am way over.
    The Chairman. Thank you.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you, Madam Chair.
    I want to follow up on my colleague, Senator Franken. I am 
really interested in the Cyber Mutual Assistance Program. Can 
you elaborate? I am really interested in whether there is a set 
infrastructure to it and put on paper? And do you have 
involvement from the federal, state, local government, first 
responders, everybody that would be involved in an incident? 
And then, do you have regular table top exercises to address 
some sort of cyber threat that has an impact on a community's 
grid and the consequences of that?
    Mr. Bochman. If you don't mind I'd like to briefly go 
after, to answer your question, come back from Senator 
Franken's first question to Colonel Welsh of the National Guard 
and Cyber Mutual Assistance and how it is like and how it is 
unlike the mutual assistance that we often reference with 
storms and Sandy and such.
    We're all used to, utility folks, are all used to rallying 
when a hurricane or a tornado happens. You count on those 
proximate to you who weren't affected, who weren't damaged and 
they roll trucks and linemen and equipment and help out. That's 
a well-worn and very effective process.
    The thing in the cybersecurity world, and there's a 
subtlety here which I hope I can convey, they're all not 
interchangeable people. They all have, they're like specialties 
in the medical profession, all right? You can't take a brain 
surgeon and help someone set their leg and vice versa.
    So the people that are capable of bringing cybersecurity 
good effects after an incident are those most familiar with the 
particular type of equipment that that utility uses, which 
means, and DoD Under Secretary Paul Stockton who was in charge 
of mission assurance at the time articulated this, that your 
best ally when you need that type of help and it may come from 
a National Guard source, we're all looking to the National 
Guard increasingly for this capability is not the person in the 
utility that's right next to you.
    This could be a person in the utility on the complete other 
side of the country, but the control systems you use are the 
same make and model. And so, and not only that, since you knew 
that, you practiced and did exchanges beforehand and built a 
trust level with that person and a level of familiarity with 
that person. So that when you're in your time of great need, 
you knew who to call. You trusted them and they were familiar 
enough with your environment that you let them come. You trust 
them and they could potentially help you in that situation.
    Senator Cortez Masto. Okay, just so I understand, because 
what I am thinking about are, let me just put it in conceptual 
terms or rings. The interior ring is the cybersecurity 
specialists that responded at that level. The next would be 
community-wide, what is happening in that community and the 
responders that would be involved and the impact to that 
community and then whether it goes state and then federal.
    So what you are talking and what I hear is that the Cyber 
Mutual Assistance Program is that first ring. That is all that 
is involved and that is sharing that information back and forth 
to those cybersecurity experts who are addressing a response at 
that time. Is that correct?
    Mr. Highley. The Cyber Mutual Assistance Program is a 
written agreement that 93 member utilities have signed to share 
resources and then to trade who has what kind of system. Then 
it goes over to NERC and the exercise we do under GridEx where 
we get all the sectors together to practice the restoration, 
the rest of the circles. So working with state and local 
governments on restoration is what we also do with NERC, 
through GridEx.
    Senator Cortez Masto. Okay, that is helpful.
    Is that done on a regular basis or are there things that we 
need to improve upon those circles and that response?
    Mr. Cauley. Well, we do the GridEx exercise every two 
years. The next one will be November. The intervening time 
between there's a lot of building capability and doing mini 
exercises to develop that, test that capability.
    This coming exercise in mid-November will have a new 
emphasis on having state level participation and emergency 
response at the local and state level involved in the exercise. 
It's been there in the past. We just need to make it much more 
expansive this time around.
    Senator Cortez Masto. Thank you.
    Let me follow up very quickly on something that the 
Chairman started talking about. I have been sitting in a number 
of these committee hearings addressing cybersecurity threats. 
And thank you very much, it is such an important topic.
    One of the things I constantly hear is the need to be able 
to expedite and share classified information with private 
companies and utilities and with the federal level as well. I 
am curious, do any of you have suggestions that could improve 
CRISP's ability to distribute classified and unclassified 
information in a timely fashion while still protecting that 
classified content?
    Mr. Cauley. I'll--I'd like to answer the question more 
broadly even than it was asked.
    I think what's happened is that in the last couple years 
our position has changed to the point where protecting our 
critical infrastructure, including the electricity system, is a 
national security matter. I think what we've got to do is 
figure out how do we get government and industry to work 
together like we have a shared problem in front of us and not 
that the assets belong to the power companies and our job over 
here, historically, has been to find sensitive information and 
classified information and protect it. I think it starts with, 
really, two things.
    One is getting industry and the top levels of government 
together and develop a strategy and a plan going forward on how 
we're going to manage the critical nature of these assets to 
national security and how we're going to protect that. I think 
something like that was proposed in the NIAC report recently.
    Then the second piece is how do we, if we believe in the 
plan and we're going to work the plan together, how do we 
become part of a shared community where we trust sharing the 
information because the old rules of protecting classified 
information, sensitive information. We have cases where we've 
actually created new information out of the CRISP project, 
handed it over to the government and then the government says 
now that's classified. But we just gave it to you, so we're 
having a hard time sharing it because you just classified it. 
We need to figure out a new set of ground rules around a 
partnership between industry and government on fighting the war 
together.
    Senator Cortez Masto. Thank you. I appreciate the 
opportunity to speak today.
    The Chairman. Thank you.
    Senator Duckworth.
    Senator Duckworth. Thank you, Chairman Murkowski, Ranking 
Member Cantwell, for convening this very important hearing and 
about how we can secure our energy infrastructure against cyber 
threats.
    When I was on the House Armed Services Committee, I saw, 
first-hand, the vulnerability across departmental efforts on 
this. For example, I was touring a contractor for a major Army 
maneuver command and they had the capability. They were very 
proud to show me that they had installed low wattage light 
bulbs for the street lights at this military post. They were 
showing me in Illinois how they could dim the lights and save 
energy at the post.
    But I was in a room where they were controlling the grid 
for this major military command in Texas, and I said, who has 
access to this computer? Who has a security clearance? They had 
one person with a security clearance who was an engineer over 
there. I said, oh. The room is just left unlocked but look at 
what we can do, how nifty this is. We're saving all this 
energy. And there was no thought to the cyber.
    And yet, this post is the headquarters of a major military 
command, and it was connected to the civilian grid of the 
community immediately off post. So anybody could have gotten 
access to that room, to that computer, and affected not just 
the military installation but also the civilian community on 
the outside. That's why, I think, we need to be much more 
sophisticated in how we talk about these issues.
    In my own home state, Argonne National Laboratory has a 
team of scientists and researchers with deep expertise in 
cybersecurity and critical infrastructure. They have been 
working on developing advanced power grid, cybersecurity 
solutions for DOE cybersecurity for the energy delivery systems 
program, including cloud-based grid applications, wide-area 
protection and control and distributed energy resource 
management systems.
    Ms. Hoffman and Mr. Bochman, can each of you quickly 
address the value of this cutting-edge research that is being 
conducted at Argonne at this time?
    Ms. Hoffman. So thank you to the Senator for the question.
    The laboratories provide a wealth of research and solutions 
for these energy delivery systems, and Argonne National 
Laboratory is on the cutting-edge of a couple of topics.
    You've mentioned clouds. Cloud-based computing is now being 
evaluated and looked at to be implemented within the energy 
sector, especially around the smaller type utilities that want 
to look for cost-effective solutions. Getting ahead of 
implementing cloud-based solutions is absolutely critical that 
we build security in. That is one example that they are working 
on.
    I was--admit I did not bring it up when Senator Stabenow 
brought up about the distributed energy resources, but looking 
at security around inverters, the work that Argonne is doing 
there is also a critical, important asset.
    But the national laboratories, working together, through 
the Grid Modernization Lab Consortium, really provide an 
opportunity for us to add value across all the capabilities of 
the national labs.
    Senator Duckworth. Thank you.
    Mr. Bochman. Thanks, Pat. And Senator, thanks for the 
question.
    Yes, we have many fine colleagues, really brilliant people 
at Argonne and appreciate the effort that they bring.
    To go right at your question with two concrete examples. 
The oft-referenced CRISP program for threat intelligence and 
information sharing in the energy sector, Argonne plays a very 
important part of that, both in its current version and as 
we're working to improve it in some ways so it's better for the 
customers.
    They also play an important role in a California/DOE-
funded, supported, California energy systems for the 21st 
century project that involves machine-to-machine information 
threat sharing. So whenever people say this needs to be faster 
and near real time or real time, that project that Argonne 
plays an important part on along with INL, PNNL and other labs. 
They play a big role.
    Right to your first thing, I want to finish this. When you 
gave that very bleak example, I don't know how many years ago 
that was, but I assume it could still be----
    Senator Duckworth. Not too many.
    Mr. Bochman. We could find that still today, right?
    I think the ultimate solution for problems that are as 
heinous as that is a cultural one, not a technology one. When 
we eventually start to see that security which we haven't spent 
much time worrying about up until recently, it is actually 
every bit as much a safety issue as a compliance issue or 
anything else and some lapse in security somewhere could cause 
physical damage or kill people in other places.
    Once those two things are fused much more tightly than they 
are today in people's minds, I think you'll see better behavior 
across the board.
    Senator Duckworth. And, you know, people have just simply 
had not thought about the cyber part. They were just very proud 
of the fact that they were saving money for the DoD.
    Mr. Bochman. Right.
    Senator Duckworth. And how great it was to have this 
technology. When I brought up how vulnerable are you to 
cyberattack, it was something that the engineers, because they 
were worried about wattage and controlling the street lamps, it 
never occurred to them that they could be under cyberattack.
    So I would think that you both would agree with me that 
Congress should prioritize funding for research like the one at 
Argonne in developing efforts in this area.
    Mr. Bochman. Sure thing.
    Senator Duckworth. Thank you.
    I am out of time. Thank you, Madam Chairman.
    The Chairman. Thank you, Senator Duckworth.
    Senator Cantwell.
    Senator Cantwell. Thank you, Madam Chair, and thanks to all 
the witnesses and to our colleagues. I think this has been a 
very good hearing illuminating where we are and many of the 
challenges we face going forward.
    Mr. McCurdy, I wanted to ask you, there is a 2014 Bloomberg 
report that states, ``hackers had shut down,'' this was in 
Turkey, ``had shut down alarms, cut off communications, super 
pressurized a crude oil pipeline which led to a physical 
explosion. The main weapon, Valve Station 30, was a keyboard.''
    We've given the Transportation Security Administration 
(TSA) the responsibility for mandatory reliability standards, 
and yet, here we are with TSA in this ever-changing and dynamic 
environment. What is the TSA budget for these activities and 
how many TSA employees are actually involved in the 
cybersecurity of the million miles of pipeline that we have in 
the United States?
    Mr. McCurdy. Well, it was, I guess, above my pay grade. I 
don't know what their budget is. I'd have to check. You 
probably do, I think.
    It's a--and you're right. We have 2.5 million miles of 
natural gas pipelines which is only a little less than the 2.6 
million miles of paved roads.
    The TSA does regular audits. They do cooperate. We work 
closely. They are a subject matter expert in the Department of 
Transportation, as is PHMSA.
    We talk about the culture of safety and security being 
together. That's where it really does come closest, and they 
are expert in that area.
    We dual hat. The other, as they say, is energy and as to 
the extent that we are interdependent and support them, we do 
benefit from that relationship in and across sector sharing of 
technologies, standards.
    We've done things as well. Downstream Natural Gas, we 
formed our own ISAC. Gerry runs the E-ISAC. We now have, we 
just announced that the Downstream Natural Gas ISAC has a seat 
in the E-ISAC. So, there is this sharing.
    We get the alerts that they put out that are relevant to 
our sector so that we disseminate that to our, you know, 
critical owners and operators out there in the system. So 
there's a lot.
    We use Idaho labs. We use the ICS CERT. We were involved in 
the NIST, development of the NIST standard. So the industry is 
very pro-active on this front, and we've had good collaboration 
with TSA.
    Senator Cantwell. I think you hit on it, which is the 
notion that you are on the private side and on the public side 
GAO has said that we still don't have the metrics needed to 
measure the relative cybersecurity of our pipeline system.
    I think what we need to do is, as we continue to see, and I 
mentioned the situation in Turkey, as those kinds of threats 
prevail, we need to elevate this discussion like we are doing 
today. But to get the Transportation Security Administration, 
who I'm not sure everybody understands who they are and what 
role they play in this, to some elevated level so that we 
actually have metrics here that we are holding the industry 
accountable.
    Now, I know, you may say something like that people would 
probably say, wait, wait, wait, no, we don't want any new 
regulation. But at the same time, I am for the collaborative 
effort. I am. I think that we have to have some measurables 
here that we need to put in place.
    So we will be looking at that.
    Mr. McCurdy. Well again, you know, I think it would be an 
opportunity to bring them in and have that conversation as 
well.
    But when you look at the cybersecurity standards and if you 
look at--which are minimal. What we do beyond that in the level 
of focus it has now within the companies themselves.
    I'll give you an example, I have some CEOs in this week, a 
leadership program. A CEO told me this morning, they're now 
recruiting board members from software companies or from IT 
companies or security firms because that's an expertise they 
need to even continue to push.
    So, on the private side, I can only speak to that. But I 
will tell you that it's a constantly evolving system and the 
threat evolves, with our actions evolving and we try to stay up 
with that.
    Senator Cantwell. You are willing to think about those 
things in a collaborative fashion.
    Mr. McCurdy. We have a culture of safety which means that 
we constantly adapt and improve. And as the Ranking Member 
knows, I've been involved in this for quite some time. I've 
watched this evolve. And anyone who's static is lost. It's a 
constant challenging game, and we have to be on top.
    Senator Cantwell. Well, I wanted, if I could, Madam Chair. 
I know we have a vote that has been called. I wanted to again 
thank Colonel Welsh for being here and for all that is 
happening in the State of Washington.
    And to the point that Mr. McCurdy was just making, what you 
have hit on is 600, I think, cyber personnel within the 
National Guard. So, that's been a great bonus to the operation 
and infrastructure.
    It sounds like cross pollination of cyber expertise in 
security as it relates to the infrastructure. We need to 
continue to do that.
    I know that the Center for Strategic and International 
Studies has called it a human capital crisis, that there will 
be by 2020 an opening of 1.5 million cybersecurity positions. 
Do you have thoughts on how we should proceed on a cyber 
workforce?
    [Laughter.]
    Either from your own National Guard perspective. I know 
what we're doing at the University of Washington, which is 
really great work, particularly at University of Washington, 
Tacoma with three different levels of degrees in cybersecurity. 
But is there more that we need to do, even within our own 
ranks?
    Colonel Welsh. You bet, Senator.
    So, I think, in some ways, I mean, just the fact that we've 
got that number of cyber professionals in the state is its own 
economic engine, you know, if managed appropriately.
    But you know, the National Guard does a great job of 
training folks. We get them into school. They're drug free. You 
know they're in great shape. Then they get security clearances, 
so I mean, that's a huge benefit to companies out there from, 
sort of, we can give back a little bit.
    But you're right. There are more jobs than people out 
there. We've got some great training programs with University 
of Washington, great internship opportunities in the state. And 
that's the great thing about, as I talked before about, the 
Adjutant Generals Convening Authority. You can actually, kind 
of, get folks together and talk about things like educational 
diversity and things like that.
    So we're doing good on workforce development. There's a lot 
more to do. But again, it's things like having jobs in the 
Guard. It's having jobs in the state that as we have good folks 
come out of schools we can actually place them and they can get 
to work.
    Senator Cantwell. And do you think that that kind of 
information and partnership, as you alluded to in your 
testimony, has put us, I don't mean ahead, but on the right 
track, as it relates to outlining this theme throughout the 
conversation, which has been how do we share information, how 
do we analyze and share this critical information?
    Do you think the fact that we are knitting a culture in 
layers across the public and private sector is creating avenues 
for information sharing that didn't exist before?
    Colonel Welsh. Yes. We don't copyright our processes at all 
in Washington State. So we are willing to share. Everything we 
do we'll be more than happy to talk about and discuss, but 
again, it's one approach that has worked.
    I'm worried more about the states that aren't. And really, 
we, in some ways, really have haves and have-nots, if you look 
across the states. I think the Senator from Hawaii was, sort 
of, nibbling around that a little bit.
    We're fortunate in the state. We're geographically blessed. 
But there are others that aren't and when you look, from an 
attacker's perspective, you just have to find the one that 
isn't and start there.
    Senator Cantwell. Did you want to say something, Mr. 
Bochman?
    Mr. Bochman. Yeah, thanks, Senator.
    Yeah, sure, the Pacific Northwest National Lab in your 
state of Washington, the Idaho National Lab and Sandia down in 
New Mexico, are arguably the three most operational technology 
or industrial security-oriented and capable labs in the 
complex. There's others as well that assist. And recognizing 
that tremendous shortfall in that type of talent, not just a 
generic IT security talent, but industrial control system 
security specialists which requires years of experience and 
special education.
    Those three labs have joined together to work with the 
regional universities, with other government agencies, with 
STEM programs, to begin to really kick this into a much higher 
gear than it seems to be doing on its own.
    Senator Cantwell. I would just note for everyone that the 
Chair and I have worked hard on this and we still have 
provisions of the energy bill that we would like to see passed 
that would double the R&D for this effort in DOE and help us 
look at a supply chain initiative and invest in the cyber 
workforce, given that there is such a high need. So, we hope 
that we will be able to keep pushing those ideas and getting 
our colleagues in the House to understand.
    I think we had a great representation here today and lots 
of great questions, lots of good information brought out by our 
colleagues.
    Thank you.
    The Chairman. Thank you, Senator Cantwell.
    I appreciate your comments there at the end, General Welsh, 
about the fact that in certain states, they are perhaps not as 
evenly endowed with the resources. Of course, Alaska and Hawaii 
sit off that grid. Sometimes the simplicity of our grid is 
something that gives us a little more comfort. But at the end 
of the day, we are truly one of those islanded states when it 
comes to access to resources as well.
    Senator Cantwell mentioned the metrics and how we measure, 
and there has been a lot of discussion in these past four, now 
five, hearings that we have had when we have been talking about 
infrastructure and talking about regulation and permitting and 
all that that entails. But we recognize that when it comes to 
regulations there are mandatory and there are voluntary. There 
are tradeoffs and benefits, I think, to each. But in 
recognizing that when we are talking about cybersecurity, our 
real challenge here is to be nimble, to be faster and smarter 
than the guys that are looking to bring us down.
    What is the right mix between mandatory as opposed to 
voluntary regulation? I don't know if any of you have anything 
concrete, but it is something that we need to assess here as we 
are looking at legislating.
    Mr. Cauley?
    Mr. Cauley. I think mandatory requirements have their place, 
and I think what we've done in the bulk power system is an 
appropriate fit where you have the most critical assets in the 
system. You want to make sure that everyone is meeting a 
threshold set of requirements that, you know, you could be 
harmed by the weakest link. So, I think, there's comfort across 
the industry having a common set of standards that are risk-
based.
    It also helps with the mandatory standards in terms of cost 
recovery and making sure that the resources and investments are 
there. So, I think, the power industry appreciates having 
mandatory standards for the bulk power system.
    I think in other areas it may be more challenging. And I, 
you know, one area where I'm particularly concerned is a lot of 
the electronics and the distribution system. How do we get 
guidelines and best practices adopted in a consistent way 
across so many different jurisdictions?
    I think mandatory standards there would be very difficult 
given the jurisdictional challenge, but getting stronger 
guidelines and practices in a consistent way across that area 
would be helpful.
    The Chairman. Mr. McCurdy, on the gas side, do you think 
that the gas industry needs a set of mandatory standards? 
Should the mandatory NERC cyber standards need to apply to the 
gas industry?
    Mr. McCurdy. No.
    The Chairman. Okay, that's easy.
    [Laughter.]
    Mr. McCurdy. The--and part of that is the nature of the 
systems themselves. We've seen and we've all learned in the 
electric sector that because of its true interconnectedness and 
even though there are sub grids there, there can be massive 
cascading failures and those are critical infrastructures and 
they are a lifeline and they're absolutely essential for our 
economy and way of life and in public safety.
    It's less of a challenge, less risk, I think, in the gas 
distribution network. There are potentials, but they are not 
because they're--it's mechanical, it's gas, it's pressurized 
and it's less likely to have a complete regional failure based 
on a particular attack. So I think we've evolved. We're growing 
into that.
    The reason this is now part of this hearing, I think, and 
focus is the more that the electric sector is using natural gas 
as a base fuel, there is the concern what's the reliability in 
the access to that fuel?
    That's both the cyber question, but that's also a physical 
question that you know extremely well and that's where pipeline 
permitting and infrastructure and capacity, those are all 
issues as well.
    The Northeast in the Polar Vortex, that was raised earlier, 
was more risk because they had limited access to natural gas 
pipelines through firm capacity contracts than they are from a 
cascading failure because of some incident.
    So those are both questions that we have to ask and that's 
something that FERC has to deal with and it's a regional issue, 
it's not federal.
    The Chairman. Yes.
    Mr. McCurdy. It's not a federal fix. It's going to be a 
regional fix, but we all need to be working together and raise 
the awareness of that concern. That's the reason I put that one 
section in my testimony about the access.
    The Chairman. We have got a vote that started at noon and 
it is a 15-minute vote, but we are on Senate time here. So I am 
going to ask Ms. Hoffman, you wanted to weigh in and I also 
wanted to ask you. With the FAST Act we have identified DOE as 
the head, if you will, in terms of granting authority to direct 
utility action. Do you think that is being recognized and 
respected by DHS? Are we on the same footing as DHS?
    Ms. Hoffman. So the answer is yes, but I do believe that 
there is the interdependence issue that DHS has a strong 
capability of making sure that the interdependencies are 
recognized.
    The one point that I wanted to make on the earlier 
conversation is how do we measure success? I think at the end 
of the day the way to measure success is to make sure that 
every industry and sector has the capabilities to do what needs 
to be done when a cyber event occurs. So whether it's a 
workforce capability, whether it's installing additional 
equipment, whether it's having continuous monitoring, that we 
have the capabilities built and that we can test against those 
capabilities and be evaluated that we're performing correctly 
with those capabilities. That was the comment I wanted to add.
    The Chairman. Okay.
    Mr. Bochman, you get the last word.
    Mr. Bochman. Fantastic. Thanks, Senator.
    Your opening question about voluntary or mandatory types of 
security guidance, I think there's something, there's some 
things, there's three flavors, I think. There's guidance and 
best practices.
    And just back from Estonia where the Baltic Sea and Black 
Sea countries are, who are all trying to figure out how to 
regulate their energy sectors for security. They are so 
thankful that the DOE had put down in writing some very helpful 
best practices, both for managing--both for measuring maturity 
of security practices and also for procurement guidelines. 
These are things that took a lot of effort and a lot of 
expertise to build and give some of our friends a big head 
start. And so that's one plug for them. They appreciated that. 
Those are guidelines.
    Swing to the other extreme, are mandatory things. Thou must 
do, else you'll be penalized a significant amount of money and 
you won't like it reputationally either. That's the NERC CIPs. 
Those have moved the utilities, many would argue, much farther, 
much faster than they otherwise might have, if they hadn't had 
to comply with those. With those, that's the stick, right?
    I think I'll finish with the carrot. The carrot which I've 
seen from--that seems missing, I think in some and could be 
improved from work with public utility commissions and 
utilities themselves would be incentives, ways to motivate, 
financially and otherwise, motivate good security behaviors 
that aren't just the stick of the mandatory things, but 
certainly go far beyond the guidelines and the best practices 
you should do these things. I think if we could look at 
incentives to motivate the types of behavior we want, I think 
you might see things go a lot farther, a lot faster.
    Mr. McCurdy. And just on that point, if I could, because we 
are state regulated in the natural gas area. And the current 
Chairman of NARUC was just at our offices this morning.
    We now have reimbursement. They are rate based. The ability 
to rate base the cost of cyber is a big deal. And if--because 
it's huge. You can, you know, throw money at this forever and 
never get to the level you want. But if you don't have it as 
recoverable in your rates, then it doesn't really work.
    So, that's--they are moving in that direction. So that's 
where the partnership with the states is really very critical 
from the incentive standpoint.
    The Chairman. Good.
    We could clearly go on for a long time, but even by Senate 
standards, I am late.
    [Laughter.]
    I thank you all for your very, very important testimony. I 
think you saw the level of interest here. Know that we will 
continue to work in this important area.
    Thank you.
    We stand adjourned.
    [Whereupon, at 12:22 p.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------    
                              
                              
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]