<html>\n<title>EFFORTS TO PROTECT U.S. ENERGY DELIVERY SYSTEMS FROM CYBERSECURITY THREATS</title>\n<body><pre>[Senate Hearing 115-273]\n[From the U.S. Government Publishing Office]\n\n\n                                                        S. Hrg. 115-273\n \n  EFFORTS TO PROTECT U.S. ENERGY DELIVERY SYSTEMS FROM CYBERSECURITY \n                                THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                              COMMITTEE ON\n                      ENERGY AND NATURAL RESOURCES\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             APRIL 4, 2017\n\n                               __________\n\n\n                       Printed for the use of the\n               Committee on Energy and Natural Resources\n\n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n\n                            _________ \n\n                U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 24-979                 WASHINGTON : 2018              \n\n\n               COMMITTEE ON ENERGY AND NATURAL RESOURCES\n\n                    LISA MURKOWSKI, Alaska, Chairman\nJOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington\nJAMES E. 
RISCH, Idaho                RON WYDEN, Oregon\nMIKE LEE, Utah                       BERNARD SANDERS, Vermont\nJEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan\nSTEVE DAINES, Montana                AL FRANKEN, Minnesota\nCORY GARDNER, Colorado               JOE MANCHIN III, West Virginia\nLAMAR ALEXANDER, Tennessee           MARTIN HEINRICH, New Mexico\nJOHN HOEVEN, North Dakota            MAZIE K. HIRONO, Hawaii\nBILL CASSIDY, Louisiana              ANGUS S. KING, JR., Maine\nROB PORTMAN, Ohio                    TAMMY DUCKWORTH, Illinois\nLUTHER STRANGE, Alabama              CATHERINE CORTEZ MASTO, Nevada\n                      Colin Hayes, Staff Director\n                Patrick J. McCormick III, Chief Counsel\n                 Kellie Donnelly, Deputy Chief Counsel\n           Angela Becker-Dippmann, Democratic Staff Director\n                Sam E. Fowler, Democratic Chief Counsel\n                David Gillers, Democratic Senior Counsel\n                \n                \n                            C O N T E N T S\n\n                              ----------                              \n\n                           OPENING STATEMENTS\n\n                                                                   Page\nMurkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska....     1\nHeinrich, Hon. Martin, a U.S. Senator from New Mexico............     3\n\n                               WITNESSES\n\nHoffman, Patricia, Acting Assistant Secretary, Office of \n  Electricity Delivery and Energy Reliability, U.S. Department of \n  Energy.........................................................     4\nCauley, Gerry W., President and Chief Executive Officer, North \n  American Electric Reliability Corporation......................    14\nHighley, Duane D., President and CEO, Arkansas Electric \n  Cooperative Corporation........................................    23\nMcCurdy, Hon. Dave, President and CEO, American Gas Association..    
34\nBochman, Andrew A., Senior Cyber and Energy Security Strategist, \n  Idaho National Laboratory......................................    50\nWelsh, Colonel Gent, Commander, 194th Wing, Washington Air \n  National Guard.................................................    58\n\n          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED\n\nBochman, Andrew A.:\n    Opening Statement............................................    50\n    Written Testimony............................................    52\n    Responses to Questions for the Record........................   220\nCauley, Gerry W.:\n    Opening Statement............................................    14\n    Written Testimony............................................    16\n    Responses to Questions for the Record........................   196\nHeinrich, Hon. Martin:\n    Opening Statement............................................     3\nHighley, Duane D.:\n    Opening Statement............................................    23\n    Written Testimony............................................    25\n    Responses to Questions for the Record........................   207\nHoffman, Patricia:\n    Opening Statement............................................     4\n    Written Testimony............................................     6\n    Supplemental Response to Question from Senator Hirono........   174\n    Responses to Questions for the Record........................   190\nMcCurdy, Hon. Dave:\n    Opening Statement............................................    34\n    Written Testimony............................................    36\n    Responses to Questions for the Record........................   215\nMurkowski, Hon. Lisa:\n    Opening Statement............................................     1\nPower Pack Group:\n    Statement for the Record.....................................   
236\nREM Technology Consulting Services, Inc.:\n    Statement for the Record.....................................   240\nUnited Technologies Council:\n    Statement for the Record.....................................   265\nWelsh, Colonel Gent:\n    Opening Statement............................................    58\n    Written Testimony............................................    60\n    Responses to Questions for the Record........................   228\n\n\n                           EFFORTS TO PROTECT\n\n\n\n                      U.S. ENERGY DELIVERY SYSTEMS\n\n\n\n                       FROM CYBERSECURITY THREATS\n\n                              ----------                              \n\n\n                         TUESDAY, APRIL 4, 2017\n\n                                       U.S. Senate,\n                 Committee on Energy and Natural Resources,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10:06 a.m. in \nRoom SD-366, Dirksen Senate Office Building, Hon. Lisa \nMurkowski, Chairman of the Committee, presiding.\n\n  OPENING STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR FROM \n                             ALASKA\n\n    The Chairman. Good morning. The Committee will come to \norder.\n    I want to acknowledge my stand-in Ranking Member, Senator \nHeinrich. I understand that Ranking Member Cantwell is delayed \na little bit coming from the game.\n    [Laughter.]\n    Very important.\n    Senator Heinrich. I don't know what you are talking about.\n    The Chairman. Very important.\n    I am sure there are those that are happy this morning, and \nfor those of us that love the West Coast and all things West, \nwe are not as excited this morning. 
But anyway, we will look \nforward to Senator Cantwell coming later this morning.\n    We are here today to not talk about basketball, but we are \nhere to examine our collective efforts and those from Congress, \nthe rest of the Federal Government and industry to protect our \ndomestic energy delivery systems from cybersecurity threats.\n    Here in the United States, we have purposefully built \nredundant systems to ensure resilience and technological \nadvancements have improved system efficiencies. We have made \nour devices smarter and connected more of them to the internet, \nboosting consumer convenience and lowering costs. But as the \nso-called ``internet of things'' has become increasingly \ninvolved in all phases of energy generation and delivery, we \nhave created even more avenues for cyber intrusion.\n    This Committee has long recognized that our nation's energy \nsector is a popular target for bad actors. Everyone from \nindividual hackers to nation-states who wish to do us harm. \nThat is why we took action over a decade ago, through the \nEnergy Policy Act of 2005, to protect the nation's critical \ngrid infrastructure from both physical and cybersecurity \nthreats.\n    The 2005 law directed the certification of an electric \nreliability organization, now the North American Electric \nReliability Corporation (NERC), to develop and enforce \nmandatory reliability standards. Congress specifically declined \nto provide the Federal Energy Regulatory Commission (FERC) with \ndirect authority to establish such standards, instead opting \nfor an industry stakeholder process to assist in formulating \nthese highly complex and technical requirements.\n    This decision has fostered a robust public/private \npartnership, and given FERC's current lack of quorum, it \nperhaps is even more prescient today. 
I am pleased that NERC's \nPresident and CEO, Gerry Cauley, is here to testify this \nmorning.\n    Last Congress, in the FAST Act, we moved again to protect \nour energy systems from cyberattack. As enacted, that law \nincludes provisions from this Committee codifying the \nDepartment of Energy as the sector-specific agency for the \nenergy sector and providing the Secretary with authority to \naddress grid-related emergencies caused by cyberattacks, \nphysical attacks, electromagnetic pulses (EMP) or geomagnetic \ndisturbances.\n    We will address the EMP issue, in depth, at a future \nhearing, but I am looking forward to hearing today from Pat \nHoffman, the Acting Assistant Secretary for the Office of \nElectricity Delivery and Energy Reliability, about the \nDepartment of Energy's (DOE) effort to implement its FAST Act \nauthorities.\n    Finally, while our Committee has spent considerable time \nover the years examining the threats posed to the nation's grid \ninfrastructure, today we will also assess efforts to secure \nnatural gas pipelines. Given the interdependency of natural gas \nand electricity, it is imperative that these energy delivery \nsystems are adequately protected. So I look forward to Dave \nMcCurdy's testimony as the President and CEO of the American \nGas Association. Mr. McCurdy, I am also curious to know why it \nis taking so long, particularly, as a former Chairman of the \nHouse Intelligence Committee, to get the requisite security \nclearance from the Energy Department, and we will have an \nopportunity to chat about that.\n    In addition, this morning we will hear from Mr. Duane \nHighley, who is the President and CEO of the Arkansas Electric \nCooperative Corporation and the Co-Chair of the Electricity \nSubsector Coordinating Council (ESCC) which interfaces with the \nFederal Government on behalf of industry.\n    We also have Mr. Andrew Bochman, a Senior Cyber and Energy \nSecurity Strategist for the Idaho National Laboratory. 
This is \nthe lab responsible for the Aurora experiment which first \ndemonstrated how a cyberattack could impact physical assets.\n    We will then hear from Colonel Gent Welsh, from the \nWashington National Guard, who has done a lot of important work \nto secure critical infrastructure in that state and develop a \ncyber workforce.\n    We all recognize that this is no time for the United States \nto rest on the question of cybersecurity. The number and scope \nof attacks is ever-increasing and the resulting harm could be \nvery significant. That is why our Subcommittee, under Senator \nGardner's leadership, held a cybersecurity hearing last month \nand that is why we are broadening the effort here at the full \nCommittee today.\n    I would like to thank all of our witnesses for joining us \nthis morning, and I look forward to their comments in just a \nfew minutes.\n    At this time, I will turn to Senator Heinrich for his \nopening comments.\n\n              STATEMENT OF HON. MARTIN HEINRICH, \n                  U.S. SENATOR FROM NEW MEXICO\n\n    Senator Heinrich. Thank you, Madam Chairman. As you \nmentioned, Senator Cantwell is running a few minutes late and \nasked me to fill in until she arrives.\n    As a member of the Senate Intelligence Committee, I am \nacutely aware of the sophisticated threats that our energy \ninfrastructure faces in cyberspace today. Cybersecurity is one \nof the most serious challenges to our economy and national \nsecurity that we face as a nation-state. The future of warfare \nis moving further away from the battlefield each day and closer \nto the devices and the networks that everyday citizens, as well \nas the private sector, rely on and depend on.\n    Protecting our nation from malicious cyber actors requires \na very comprehensive approach, and keeping our energy \ninfrastructure secure is absolutely central to that. In \nJanuary, the U.S. Department of Energy warned that the U.S. 
\ngrid ``faces imminent danger'' from cyberattacks.\n    The Department's Quadrennial Energy Review (QER) warns that \na widespread power outage caused by a cyberattack could place \nat risk the health and safety of millions of U.S. citizens. The \nQER included a number of policy recommendations for both \nregulators and Congress. The QER also pointed out that our \nelectric grid has become increasingly reliant on a reliable and \nsecure supply of natural gas, and it is essential to what we do \nthat we do all we can to protect against cyberattacks against \nnatural gas pipelines as well. So I am pleased that Congressman \nMcCurdy will be testifying today on behalf of the American Gas \nAssociation to discuss pipeline cybersecurity as well.\n    Top officials within the intelligence community have \ntestified that energy infrastructure is an enticing target to \nmalicious actors. Those officials have also warned that without \naction, the U.S. remains vulnerable to cyberattacks that could \nresult in catastrophic damage to public health and safety, \neconomic security and national security.\n    I am pleased, again, to be an original co-sponsor of \nSenator King's bipartisan Securing Energy Infrastructure Act, \nwhich was the subject of last week's Subcommittee hearing, and \nI hope we can take action on this bill this year.\n    Today we are also going to hear from Pat Hoffman, the \nActing Assistant Secretary for the Office of Electricity \nDelivery and Energy Reliability at the Department of Energy. 
\nThis office, in coordination with our national labs, helps \nprotect our nation's energy infrastructure from a variety of \ncyber threats.\n    I am very concerned the President is proposing significant \ncuts to the Electricity Office's budget that could impair our \nability to meet the challenges foreign actors, and others, \npresent to the security of our nation's energy infrastructure.\n    Thank you for holding this full Committee hearing today, \nand I look forward to all of our witnesses' testimony.\n    The Chairman. Thank you, Senator Heinrich.\n    At this time, we will begin with our distinguished panel. I \nhave introduced each of you already, so we will move straight \nto your comments. I would ask you to keep your comments to five \nminutes or less. Your full statements will be incorporated as \npart of the record.\n    We will begin with Patricia Hoffman, again, the Acting \nAssistant Secretary for the Office of Electricity Delivery and \nEnergy Reliability at the U.S. Department of Energy, and we \nwill proceed down the line.\n    Ms. Hoffman, welcome.\n\n  STATEMENT OF PATRICIA HOFFMAN, ACTING ASSISTANT SECRETARY, \n  OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY, U.S. \n                      DEPARTMENT OF ENERGY\n\n    Ms. Hoffman. So, thank you.\n    Good morning. Thank you, Chairman Murkowski, Ranking Member \nCantwell, Senator Heinrich, members of the Committee. Thank you \nfor the opportunity to discuss the continuing threats facing \nour nation's energy infrastructure and the Department of \nEnergy's role and authorities under the Fixing America's \nSurface Transportation, or FAST, Act. The Department of Energy \nis focusing on cybersecurity and resilience of energy delivery \nsystems, and this is one of the Secretary's top priorities.\n    Our economy, national security, and even the well-being of \nour citizens depend on the reliable delivery of electricity. 
\nThe mission of the Office of Electricity Delivery and Energy \nReliability is to strengthen, transform, and improve energy \ninfrastructure to ensure access to reliable and secure sources \nof energy. The Department is committed to working with our \npublic and private sector partners to protect the nation's \ncritical energy infrastructure, including the electric power \ngrid, from physical security events, natural and man-made \ndisasters and cybersecurity threats.\n    To address security, it is critical for us to be proactive \nand cultivate what I call, an ecosystem of resilience, a \nnetwork of producers, distributors, regulators, vendors and \npublic partners, acting together to strengthen our ability to \nprepare, respond and recover. We continue to partner with \nindustry, federal agencies, states, local governments and other \nstakeholders to quickly identify threats, develop in-depth \nstrategies to mitigate those threats and rapidly respond to any \ndisruptions.\n    DOE plays a critical role in supporting industry functions \nin several ways. Providing partnership mechanisms that support \ncollaboration and trust, leveraging government capabilities to \ngather intelligence on threats and vulnerabilities and sharing \nactionable intelligence with energy owners and operators in a \ntimely manner. We also support energy sector best practices, \nincident coordination and response and innovation through R&D \nfor the next generation physical and cyber systems.\n    In the energy sector, the core critical infrastructure \npartners consist of the Electric Sector Coordinating Council \nand the Oil and Gas Sector Coordinating Council. 
Through these \npartnerships, the energy sector and the government share \nemerging threat data and vulnerability information.\n    An example of this type of collaboration is a Cybersecurity \nRisk Information Sharing Program (CRISP), a voluntary public/\nprivate partnership, that is funded by industry, administered \nby the Electric Sector Information Sharing and Analysis Center \nand supported by the Department of Energy.\n    Another example of how the Department supports the cyber \nposture of the energy industry is through the Department's \nCyber Capability Maturity Model, which helps private sector \nowners and operators better evaluate their cybersecurity \ncapability. This tool allows organizations, regardless of size, \ntype or industry, to evaluate, prioritize and improve their own \ncybersecurity capabilities.\n    Beyond providing guidelines and technical support to the \nenergy sector, the Department also supports an R&D portfolio \ndesigned to develop advanced tools and techniques to provide \nenhanced cyber protection for key energy systems.\n    Intentional, malicious cyber threats challenge our energy \nsystems and are on the rise in both number and sophistication. \nThis evolution has profound impacts on the energy sector. Since \n2010, the Department has invested more than $210 million in \ncybersecurity research development projects that are led by \nindustry, universities and national laboratories. These \ninvestments have resulted in more than 35 new tools and \ntechnologies.\n    Threats continue to evolve. The Department of Energy is \nworking diligently to stay ahead of the curve. 
The solution is \nan ecosystem of resilience that works in partnership with \nlocal, state and industry stakeholders to help provide the \nmethods, the strategies and the tools needed to help protect \nlocal communities through increased resilience and flexibility.\n    To accomplish this we must accelerate information sharing \nto inform better local investment decisions and encourage \ninnovation and use of best practices to help raise the energy \nsector's security maturity and strengthen local incident \nresponse and recovery capabilities, especially through the \nparticipation and training programs, disaster and preparedness \nexercise.\n    Building an ecosystem of resilience is, by definition, a \nshared endeavor, and we must continue to keep a focus on \npartnerships. This is an imperative.\n    I thank you for the opportunity for being here today, and I \nlook forward to answering any questions that you may have.\n    [The prepared statement of Ms. Hoffman follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    \n    The Chairman. Thank you, Ms. Hoffman.\n    Next we will turn to Mr. Gerry Cauley, welcome.\n\n  STATEMENT OF GERRY W. CAULEY, PRESIDENT AND CHIEF EXECUTIVE \n    OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION\n\n    Mr. Cauley. Thank you and good morning, Chairman Murkowski, \nRanking Member Cantwell and Senator Heinrich and members of the \nCommittee. Thank you for conducting this timely hearing to \nassess the progress and challenges of securing the power grid \nwhich is critical to our nation's security and well-being. The \nthreat of cyberattacks by nation-states, terrorist groups and \ncriminal actors is at an all-time high.\n    In December 2015, a cyberattack in the Ukraine left over \n225,000 customers without power for several hours. 
This \nindicates that nation-state adversaries have the tools and \nclearly now the will to disrupt the grid of another nation.\n    More recently in the U.S., although no part of the grid was \naffected, we saw a million electronic devices all part of the \ninternet of things, captured and used in a denial of service \nattack disrupting major internet service providers.\n    We've seen increases in ransomware, data theft and other \ncriminal activities across all sectors of our economy.\n    NERC's role is to assure the reliability and security of \nthe bulk power system through mandatory standards, compliance \nmonitoring and enforcement and reliability assessments. Our \nindependent board and staff are unaffiliated with system owners \nand operators.\n    FERC approves NERC's standards and enforcement actions in \nthe U.S. and has authority to direct NERC to develop new or \nrevised standards.\n    As a nation, we share an interconnected grid with our \nneighbors which is why NERC is international in scope, spanning \nthe United States, Canada and Mexico.\n    Our cyber standards are written with inputs from the best \nexperts in industry and provide a strong foundation for \nsecurity practices.\n    NERC and its eight regions also have cyber experts, who \nconduct hundreds of site visits every year to assess security \ncontrols. We're finding that power companies take cybersecurity \nvery seriously with strong attention at the top from CEOs and \nboards.\n    Grid control cyber assets communicate over private \nnetworks, including fiber, microwave and leased circuits. They \nare isolated from business systems and from the public \ninternet.\n    Utility personnel are screened and well-trained. 
Companies \nare using advanced security services from third party providers \nto maintain the latest threat information.\n    Most importantly, power companies know they must \ncontinuously monitor and detect suspicious activity, isolate \nmalware and destroy it before an attack happens, commonly known \nas the ``kill chain.''\n    As flexible and risk-based as our standards are, I firmly \nbelieve we cannot win a cyber war with regulations and \nstandards alone. Industry must be agile and continuously adapt \nto threats. To do that, we need robust sharing of information \nregarding threats and vulnerabilities.\n    NERC operates the Electricity Information Sharing and \nAnalysis Center. Our role is to assimilate intelligence, to \nshare trusted information with industry and the government and \nto recommend specific actions.\n    One of our most effective tools in this effort is the \nCybersecurity Risk Information Sharing Program, as mentioned by \nMs. Hoffman. Developed by the Department of Energy, CRISP has \nbeen adopted by NERC and deployed across wide areas of the U.S. \ngrid to continuously detect malicious activity and share that \ninformation with industry.\n    NERC can also issue formal alerts to industry at three \nlevels of urgency, two of which require responses.\n    NERC conducts an annual grid assurance, grid security \nconference and training events and frequent classified \nbriefings.\n    We also conduct a continent-wide cyber and physical \nsecurity exercise, called GridEx, with over 4,000 participants \nfrom industry and government across North America engaged for \ntwo days responding to a simulated massive attack on our grid.\n    To date, there's not been a single cyberattack in the U.S. \nresulting in customer outages. This is an exceptional record \nand is due, in large part, to the vigilance of NERC, industry \nand our government partners; however, we will never be \ncomplacent. 
The risk is very real, and we have to work hard \nevery day to stay ahead of our adversaries.\n    I'll close by mentioning a few challenges ahead: securing \nmillions of electronic devices being installed on distributed \nenergy systems and behind the meter; ensuring the security \nchain within our--security of our global supply chain; building \na more robust public/private model to coordinate strategy and \nresources between the government and industry; expanding the \nsharing of classified information; filling a growing gap in \ncyber workforce; coordinating across critical infrastructures \nlike telecom, finance and gas; and investing in grid \nresilience, including strategic reserves.\n    I thank you for the time this morning, and I look forward \nto your questions.\n    [The prepared statement of Mr. Cauley follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    The Chairman. Thank you, Mr. Cauley.\n    We will next turn to Mr. Duane Highley, the President and \nCEO of the Arkansas Electric Cooperative Corporation.\n\n  STATEMENT OF DUANE D. HIGHLEY, PRESIDENT AND CEO, ARKANSAS \n                ELECTRIC COOPERATIVE CORPORATION\n\n    Mr. Highley. Thank you.\n    Good morning, Chairman Murkowski, Ranking Member Cantwell, \nSenator Heinrich and members of the Committee. Thank you for \nthe invitation to testify today. I'm speaking on behalf of \nArkansas Electric Cooperative Corporation where I serve as CEO \nand the National Rural Electric Cooperative Association which \nrepresents 900 not-for-profit consumer-owned utilities serving \n42 million people in 47 states.\n    I also serve as one of three co-chairs of the Electric \nSubsector Coordinating Council, or ESCC, a CEO level, public/\nprivate partnership serving as our subsector's principal entity \nin coordinating with our senior government counterparts on \npolicy level issues. 
The 30 CEOs on our council meet regularly \nwith senior officials from the White House, Department of \nEnergy, Department of Homeland Security, Federal Energy \nRegulatory Commission, Federal Bureau of Investigation, et \ncetera.\n    The electric sector, like other critical sectors, is now at \nthe front lines of international warfare. We're under constant \ncyberattack. Many of those attacks are sponsored by foreign \nenemies and nation-states.\n    Though the recently updated Quadrennial Energy Review \nrecommends protecting the electric sector as a national \nsecurity asset, it's important to remember that most of the \ncritical infrastructure is owned and operated by private \nindustry. So, for that reason, we must have timely access to \nactionable information obtained through the defense and \nintelligence gathering capabilities of our government. We have \nto work together to protect the grid.\n    Our traditional design of the electric grid relies on \ndefense in depth to maintain reliability. We designed the grid \nto survive significant natural disasters with minimal \ninterruption and generally quick recovery. That same redundancy \nmakes the grid very resilient to intentional cyberattacks.\n    The electric sector is also the only sector with mandatory \nenforceable reliability and cybersecurity standards developed \nthrough NERC. We have to meet these standards and verify \ncompliance through audits conducted by NERC's regional entities \nor face fines and penalties, potentially as high as $1 million \nper day per violation. And we take those standards very, very \nseriously.\n    That said, just relying on defense in depth and mandatory \nstandards is not enough. That's why we're developing a real time \ncommunication environment for sharing threat information \nbetween government and industry.\n    Real time sharing is great but both parties have to play. 
I \ncan share with you examples of times in the past when we became \naware that our government counterparts knew about a developing \nthreat, but were unable to share it because of the classified \nnature of the threat itself. Often we've learned of threats \nfrom private sector sources well before our government \ncounterparts chose to share them with industry.\n    One of the primary initiatives of the Electric Subsector \nCoordinating Council is to work together to improve information \nsharing in both directions, government to industry and industry \nto government.\n    I believe that we've developed a mutual trust relationship \nand we've obtained some security clearances but not enough \nacross the sector and not enough at a higher level of \nclearance, and we have contributed to the development of and \ndeployed tools such as DOE's cybersecurity capability and \nmaturity model, the Electric Information Sharing and Analysis \nCenter, the E-ISAC, the Cyber Risk Information Sharing Program, \nor CRISP, in partnership with DOE and the national labs.\n    These tools, clearances and briefings have helped, but we \ncan still do more. We have to work together and we have to be \nable to trust one another to communicate threat information in \nreal time.\n    I'm pleased to report we've already met with Secretary \nPerry at DOE and leadership at the White House and FERC in the \ntransition, and I'm confident in their commitment to maintain \nthe momentum of the prior Administration in supporting, funding \nand staffing our many developing projects.\n    In particular, we're very pleased at the response of DOE \nfor greater assistance to smaller electric systems such as \ncooperatives and municipals. Last year DOE provided funding to \nthe trade associations to assist their member utilities in \nimproving cyber and physical security. 
The co-ops have used \nthese funds to create the Rural Cooperative Cybersecurity \nCapabilities Program, or RC3, to assist the smaller utility \nsystems.\n    ESCC has also recently developed a Cyber Mutual Assistance \nProgram modeled after existing mutual assistance programs where \nutilities mobilize staff across the country to help restore \nservice after a disaster. The Cyber Mutual Assistance Program \nprovides a steady cadre, a ready cadre, of IT staff to assist \nin restoration of critical systems, if needed. We already have \n93 member systems, including 18 cooperatives, on board. So now, \n80 percent of all utility customers in the United States are \ncovered by this program.\n    In summary, the electric sector has mandatory enforceable \ncybersecurity standards and redundant design providing defense \nin depth to protect us. But that's not the entire answer to \ndefending against an ever-changing threat.\n    To bridge the gap, we need an ongoing dialogue and ever \nmore open information sharing, finding ways to provide more and \nhigher level security clearances to our staff who are at the \nfront lines, rapidly declassifying and sharing threat \ninformation and jointly developing new solutions to protect \nagainst this threat.\n    I look forward to your questions.\n    [The prepared statement of Mr. Highley follows:] \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n     \n    The Chairman. Thank you, Mr. Highley, we greatly appreciate \nthat testimony.\n    Next we turn to Congressman Dave McCurdy, the President and \nCEO of the American Gas Association. Welcome, Congressman.\n\nSTATEMENT OF HON. DAVE McCURDY, PRESIDENT AND CEO, AMERICAN GAS \n                          ASSOCIATION\n\n    Mr. McCurdy. Thank you, Chairman Murkowski, Senator \nHeinrich and members of the Committee. As the Chairman \nindicated, I am here as the CEO of the American Gas Association \n(AGA). 
I'm also the former Chairman of the House Intelligence \nCommittee and former CEO of the Electronic Industries Alliance. \nI also served on the board of the Software Engineering \nInstitute and co-founded the Internet Security Alliance in \npartnership between the electronic industry's alliance and \nCyLab at Carnegie Mellon University. So, I have to say, I've \nbeen engaged in internet policy since before it was called \ncybersecurity.\n    AGA represents more than 200 local energy companies that \ndeliver clean natural gas to more than 72 million customers. \nNatural gas meets more than one-fourth of the United States' \nenergy needs and is the foundation fuel for a clean and secure \nenergy future.\n    Alongside this opportunity natural gas offers comes serious \nresponsibility to protect pipeline systems from cyberattacks. \nTechnological advances have made natural gas utilities better \nable to serve our customers; however, there is a recombinant \nchallenge with a more connected industry, as we become a target \nfor increasingly sophisticated cyber adversaries.\n    Natural gas utilities meet that threat via a commitment to \nsecurity, skilled personnel, technological advances and \npartnership with the Federal Government.\n    I'd like to highlight four critical areas related to \npipeline and energy sector cybersecurity.\n    First, natural gas utilities understand and take very \nseriously cyberattacks and cyber threats. This drives us to \nemploy the best technology and personnel available to protect \nour systems and the customers that we serve. This obligation \nstarts at the top. AGA member utility executives assign the AGA \ncommitment to cyber and physical security demonstrating their \ndedication with a call to action to ensure natural gas \npipelines remain resilient to cyber and physical security \nthreats.\n    Second, energy security interdependence. Recently the \nelectric sector has increased the use of natural gas for power \ngeneration. 
With that comes a greater need for coordination. \nNatural gas utilities focus on safe and reliable gas delivery \nand they utilize a variety of assets in contractual plans to \nsecure that reliability. We welcome electric generation \ncustomers, but stress the gas/electric interdependency policy \nshould preserve and enhance, not decrease, natural gas system \nreliability for all customers, both gas and electric. In this \nregard, the importance of having adequate gas pipeline \ninfrastructure must not be overlooked.\n    And third, we need to maintain our existing security \npartnerships. Gas utilities maintain a pipeline security \npartnership with our statutory partner, the Transportation \nSecurity Administration. Industry also works closely with DOE, \nas we've heard from Ms. Hoffman and Gerry Cauley. These vital, \nnon-regulatory partnerships are cooperative and support a more \neffective risk management approach to security. Further, \ndisturbing the continuity of our security partnerships by \nreshuffling pipeline security authorities will not make us \nsafer. It will simply add uncertainty to the mix.\n    And last, as we've heard, public/private collaboration is \nparamount. Industry needs better government cyber threat data \ndelivered in real time, quicker dissemination of classified \nthreat information and a closer working relationship with \nsector agencies, law enforcement and the intelligence \ncommunity.\n    And finally, we should reform how industry leaders receive \nsecurity clearances, as the Chairman and others have mentioned. \nFor me, this is not a mere talking point. 
Despite my military, \ncongressional and intelligence experience and currently holding \na DoD clearance, I have not received a DOE security clearance, \nSCI, that I applied for over a year ago to be able to sit in on \nsome of the discussions that we have at the ESCC and other \nareas, and I am the leader of the Natural Gas Sector for this \nindustry.\n    America's natural gas delivery system is the safest, most \nreliable energy delivery system in the world. Security is woven \ninto the natural gas utility culture and our members apply a \nportfolio of tools to stay ahead of cybersecurity threats. One \nof our most important tools is partnership with the Federal \nGovernment.\n    Chairman, thank you for the opportunity to testify. I look \nforward to the exchange of ideas.\n    [The prepared statement of Mr. McCurdy follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n      \n    The Chairman. Thank you, Congressman McCurdy.\n    Next, we turn to Mr. Andrew Bochman, who is with us today \nfrom Idaho National Labs.\n    Thank you.\n\n    STATEMENT OF ANDREW A. BOCHMAN, SENIOR CYBER AND ENERGY \n         SECURITY STRATEGIST, IDAHO NATIONAL LABORATORY\n\n    Mr. Bochman. Good morning, Chairman Murkowski, Ranking \nMember Heinrich, or depending upon her proximity, Cantwell, and \ndistinguished members of the Committee, I thank you for holding \nthis hearing and inviting Idaho National Laboratory's, or \nINL's, testimony on the protection of our energy delivery \nsystems.\n    I am INL's Senior Cyber and Energy Security Strategist. In \nthis capacity, I provide guidance to DOE, and INL leadership on \nmatters related to protecting national energy infrastructure \nagainst mounting cyber and physical threats. I am here today to \nshare impressions on the state of cybersecurity in the energy \nsector and provide an update on DOE and national lab actions.\n    I just returned from a USAID-funded trip to Estonia where I \njoined a team of U.S. 
state-level energy regulators, led by the \nNational Association of Regulatory Utility Commissioners, or \nNARUC. We provided cyber training to Black Sea energy \nregulators, including commissioners from Ukraine, target of two \noutage-causing cyberattacks.\n    The possibility of similar attacks or worse on U.S. energy \ninfrastructure has been much on the minds of DOE, INL and some \nof your colleagues, including Senator King and co-sponsors \nRisch, Heinrich, Collins and Crapo. Last year they drafted the \nSecuring Energy Infrastructure Act, and just last month, \nSenators Cantwell and Wyden wrote a letter to President Trump \nurging him to maintain, as 2015's FAST Act codified, DOE \nprimacy over grid security matters.\n    Concern for such an attack on U.S. energy infrastructure is \nwell warranted. I pause at five reasons. Number one, the \naforementioned successful attacks on foreign transmission and \ndistribution energy infrastructures. Two, the now daily \ndrumbeats of damaging cyberattacks on U.S. Government and \nprivate sector systems. Three, profound shortage of skilled \nindustrial control system security professionals. Number four, \nmanufacturers' zeal to embed new technologies in industrial \nsystems and our eagerness for sound business reasons to buy and \ninstall these products in energy infrastructure. And lastly, \nfive, while we make incremental improvements on defense, our \nattack surface and the attacker's ability to exploit it, are \nexpanding at a much, much faster pace.\n    Cyber risk futurists, myself included, are experiencing a \npalpable sense of foreboding that our nation's current security \nactivities will not yield the transformational changes that we \nneed; however, some significant improvements are in the offing. \nDOE's Office of Electricity Delivery and Energy Reliability, or \nOE, INL and our peer national laboratories are working via \nmultiple policy and programmatic pathways to make a difference. 
\nHere are six, high impact examples.\n    Number one, DOE's Cyber Threat Intelligence and Information \nSharing Program, you've heard it referenced previously, CRISP, \nis currently in place at dozens of large U.S. utilities and \nefforts are underway to substantially improve both the \ntimeliness and the helpfulness of the security warnings they \nreceive.\n    Two, INL and industry partners are on the homestretch of a \nthreat-informed, engineering-centric assessment and mitigation \nactivity at a large U.S. utility. We call this approach, \nConsequence-driven, Cyber-informed Engineering, or CCE. It \nclarifies and prioritizes the way we look at high consequence \nrisks within control systems environments.\n    Methodology lessons harvested from this pilot will be \nshared with other partners to expand the nation's ability. And \nI'd like you to remember this phrase, ``to engineer out the \ncyber risk from our most critical energy infrastructures.''\n    Number three, INL assists DOE with initiatives to make grid \nsystems more resilient against geo-magnetic disturbance and \nelectromagnetic pulse events.\n    Four, with the substantial expansion of the industrial \ncontrol system security workforce as a goal, INL and its \npartners, Pacific Northwest National Lab (PNNL) and Sandia, \nU.S. universities and commercial training partners are teaming \nto create curricula to make this happen as quickly as possible.\n    Five, OE's Infrastructure Security and Energy Restoration \nOrganization, ISER, is the seat of the Department's sector \nspecific agency authority. 
INL and PNNL are supporting the \nbuild out of ISER's cyber incident response and coordination \ncapabilities in conjunction with DHS, NERC's Electricity \nInformation Sharing and Analysis Center and other grid security \nstakeholder organizations.\n    And lastly, per the 2013 Executive Order on improving \ncritical infrastructure cybersecurity, INL supports ISER as it \nconvenes the energy sector's Section Nine energy companies. \nAmong several capabilities requested so far, is a multi-lab \nenvironment where energy sector systems can be analyzed from a \nthreat informed cybersecurity vantage point with specific \nmitigation actions shared securely among the lab's equipment \nsuppliers and asset owners and operators as well.\n    I'll leave off there.\n    Thank you very much for inviting me to testify today. And I \nlook forward to your questions.\n    [The prepared statement of Mr. Bochman follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n        \n    The Chairman. Mr. Bochman, thank you.\n    We are also able to welcome this morning Colonel Gent Welsh \nwith the Washington Air National Guard. We appreciate your \nservice.\n\n          STATEMENT OF COLONEL GENT WELSH, COMMANDER, \n           194TH WING, WASHINGTON AIR NATIONAL GUARD\n\n    Colonel Welsh. Thank you.\n    Madam Chair Murkowski, Ranking Member Cantwell, Senator \nHeinrich and members of this Committee, my name is Colonel Gent \nWelsh. I'm the Commander of the 194th Wing for the Washington \nAir National Guard, the Air National Guard's 89th Wing and the \nfirst cyber wing in the air guard. Thank you again for the \nhonor to participate in such a crucial conversation today.\n    A quick disclaimer. Please note that I appear before the \nCommittee today in a National Guard Title 32 status. 
Although \nI've served as a National Guard Officer for more than 23 years, \nmy testimony today has not been reviewed or approved by anyone \nat the United States Air Force or the Department of Defense.\n    As you know, the front lines of the next conflict are not \noverseas in some country folks can't find on a map, they are \nright here, right now, every day at the doorstep of every owner \nand operator of our nation's critical infrastructure.\n    Developing a plan to best secure our critical \ninfrastructure is challenging, primarily because more than 85 \npercent of our critical infrastructure to include our \nelectrical grid, our water sources and our health care system, \nis owned by the private sector. As you know, the private sector \ndoesn't always consider government a valuable partner.\n    In Washington State, we believe we've broken that mold. \nMajor General Bret Daugherty, the Adjutant General in our \nstate, is also the Governor's Homeland Security Advisor and \nhead of all emergency management efforts. These positions give \nhim tremendous convening authority within the state to pull \npeople together. And with the leadership of Senator Cantwell \nand members of our House delegation, such as Representatives \nKilmer and Heck, we're able to get a variety of stakeholders \naround the table routinely to include public and private owners \nand operators of critical infrastructure to discuss and prepare \nfor a catastrophic cyber event.\n    As everyone on this Committee knows, when something does \nhappen, it's going to happen in a state, and we've made our \nagency a key player in our state in the security and critical \ninfrastructure.\n    We're fortunate that our state law provides our agency with \npolicies and authorities that provide resources before and \nafter a cyber event. We have more than 600 cyber professionals \nthat work in the Washington National Guard at our disposal. 
And \nbecause we conduct continual outreach efforts, both private and \nlocal governments know what we can offer. And that's critical. \nThe private sector has to understand and know the government \ncan provide something tangible and resources of value if you \nwant their true cooperation. That's why policy authorities and \ncapabilities matter. If government has clear policies and plans \nfor either resources or outside assistance, that makes a \ndecision for private industry to work with government easier.\n    Washington is proof the government and private industry can \nnot only get along, we can actually work together and very \nwell. The Washington National Guard considers Pacific Northwest \nNational Laboratory, the Idaho National Laboratory and several \nmajor utility companies, strong partners. The same could be \nsaid for Microsoft, Boeing and other Washington State \ncorporations.\n    Our efforts began five years ago when we formed an \nintegrated project team within state government to fully \ndevelop the first ever, significant Cyber Incident Response \nPlan for the state. I'm talking about the state, not just state \ngovernment networks. We've truly led this nation and positioned \nWashington in many ways as a national thought leader in \ncritical infrastructure cybersecurity at the public level.\n    Since then, we've continued to work with our state critical \ninfrastructure sectors to exercise and refine our plan. I'd be \nremiss not bragging about the more than 600 cyber professionals \nin our organization. Several assist in our local utility \ncompanies, the Snohomish County Public Utilities District, with \na critical cyber assessment back in 2015. 
Their work was beyond \nsuccessful and was incredibly enlightening.\n    Since then, we've had a steady stream of visitors to \ninclude the former Secretary of Defense, Ash Carter, who wanted \nto learn more about how cyber partnerships work in Washington \nState.\n    It starts with the power of the citizen airman and soldier, \nour typical soldier and airman participates one weekend a month \nand two weeks a year. Outside of that obligation they have \nfull-time jobs, many working in the IT or critical \ninfrastructure sectors.\n    They bring in a remarkable understanding of their private \nsector's needs and their capability shortfalls. They also bring \nin credibility with these organizations as National Guard \nmembers. They are folks that understand government and private \nindustry, and they're able to bridge those gaps and that's a \ntremendous combination.\n    Looking forward, we're hopeful to bring a cyber schoolhouse \nto Washington State that allows us to train members of critical \ninfrastructure sectors alongside our National Guard members. \nThose are the folks that are on the front lines these days in \nthis environment.\n    Sharing information and best practices among those tasked \nto defend this nation within the private sector is how we'll be \nmore resilient to a significant cyberattack.\n    And for those on the panel, I'm going to go off script for \na second. We've solved some of the security clearance issues in \nour state, and I'd be happy to share some info on that.\n    Again, I'd ask that you review my submitted testimony for \nfurther information and certainly thank you for the opportunity \nto appear in front of this Committee from the other Washington.\n    And my sympathies for the Gonzaga Bulldogs because I'm a \nWashingtonian.\n    Thank you.\n    [The prepared statement of Colonel Welsh follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       \n       \n    The Chairman. Thank you, Colonel Welsh. 
I appreciate you \nsumming things up from the state's perspective because I think \nit is critically important that we appreciate how that all \ncomes down to the states and the responsibilities there.\n    There is an awful lot to talk about this morning in the \nspaces that you all have discussed in your comments.\n    Let me start with the information sharing protections, and \nI will refer back to the opening comments that I made with the \nFAST Act that we passed last Congress.\n    We codified DOE as a sector-specific agency for energy. We \nprovided the Secretary with some authority to direct utility \naction in emergency situations. We also included provisions to \nprotect some of the sensitive information from disclosure.\n    I will start with you, Mr. Highley. As the ESCC Co-Chair, \nhow important are these provisions that we included in the FAST \nAct in its effort to help facilitate the timely sharing of the \ncyber threat information? And the CRISP program was mentioned, \nthe Cybersecurity Risk Information Sharing Program. What we set \nup, is it helping at all? Is it too early?\n    Mr. Highley. Yes.\n    The Chairman. If you can speak to what we have put into law \nand what we are seeing as of this point?\n    Mr. Highley. We're very grateful for the FAST Act \nauthority, and we're supportive of the naming of DOE, \nreinforcing DOE, as the sector-specific agency for electric \nenergy and the electric sector.\n    That's where we want to see that. That's where the subject \nmatter experts are, and that's where we have begun to develop a \ntrust relationship between the CEOs that are part of the ESCC \nand our government counterparts.\n    And I think trust is the key to information sharing. We \nneed to be able to get that information over the wall from \ngovernment to industry and then back over from industry to \ngovernment. 
That's why it was so crucial for us to see this \ntransition go so well from one Administration to the next and \nsee the support of Secretary Perry.\n    We support the direct action from DOE, in the event of an \nemergency. The FOIA protections are essential because this is \ncritical infrastructure we're talking about that's at the front \nlines of international warfare. We can't just have that, you \nknow, here's the most important target, be disclosed. So, we're \nsupportive of that.\n    The Chairman. What about within the Quadrennial Energy \nReview and the recommendations there, the recommendation that \nFERC be granted the direct authority to promulgate the \nreliability standards?\n    I am assuming you do not support that recommendation from \nthe QER? I would also ask you to speak to what it actually \nmeans for the stakeholder process that has been established \nthrough Congress.\n    Mr. Highley. So----\n    The Chairman. Mr. Cauley, I will ask you to comment on that \nas well.\n    Mr. Highley. We're supportive of the NERC process, because \nNERC has the subject matter experts that go through and vet a \nproposed, a proposal, from FERC before it gets to industry. \nIt's a very complex machine we're talking about modifying, and \nwe think we need to rely on those experts at NERC which has \nboth industry and government input to make sure that things are \ndone properly.\n    And when you talk about making a change to the electric \nsystem, FERC has the authority now to order NERC to make a \nrulemaking and they can give them the timeline. So, it can \nhappen very quickly and it has. I know Gerry will comment on \nthat. But we're supportive of keeping that authority at NERC.\n    The Chairman. At NERC.\n    Mr. Cauley, on the stakeholder process?\n    Mr. Cauley. 
Yes, thank you.\n    It's probably, I did read through most of the QER report \nand the one thing that I would struggle with the most is that \nadditional authority at FERC to do standards.\n    When there's a crisis and something needs to be done \nquickly, standards are not the solution. Basically, we need to \nget directives and marching orders out, but not through a \nstandard process.\n    To be able to have the industry expertise at the table and \nour process to get the best solutions for standards is very \neffective. We can produce a standard quickly. We were told to \ndo the physical security standard in 90 days and we did it in \n87 days. We could do a standard quicker than that. It's just \nreally, in an emergency, it's not where you head to do \nemergency standards.\n    Thank you.\n    The Chairman. Thank you.\n    Senator Heinrich.\n    Senator Heinrich. Thank you, Madam Chair.\n    Congressman McCurdy and also Colonel Welsh. I thought maybe \nyou could start, Congressman, to speak just a moment about how \nthis bottleneck in security clearances actually directly \nimpacts your ability to manage risk and the timelines? Then, \nColonel Welsh, you mentioned that you might have some thoughts \non how we can speed this up? If the two of you can speak to \nthat, together, I think that would be very helpful for all of \nus.\n    Congressman McCurdy?\n    Mr. McCurdy. Sure, Senator. And everyone around here knows \nit is just Dave.\n    So, the affected policy starts at the top and one of the \nimprovements, I think, over the last few years in the couple \ndecades I've been dealing with this, is having the C Suite, the \nCEOs, the Senior Executives in corporations, focused on this \nissue of cybersecurity. It is not just a CIO issue. There \nweren't even CIOs when we started this process. 
So it's \ncritical that you have senior executive level engagement.\n    Information sharing, in such groups, like the SEC, our \ngroups, our safety committee within AGA and by the way, every \ninvestor-owned utility in the natural gas sector is a member of \nAGA. They've signed a commitment to security which is a call to \naction.\n    They are into developing the expertise within their \ncompanies and working with government and cross sector to \nimprove our overall security. By the way, many of them, over \nhalf now, are both electric and gas combination companies.\n    What we find is critical is that when we have CEOs being \nable to sit across the table with each other and with \ngovernment on a regular basis, but then also in emergencies or \nin threat situations, to be able to receive information. Now we \ndon't need to know sources and methods, the old terms we used \nto use. What we do need to know, though, is whether it's \nactionable, indirect or directly relevant for our particular \nenvironment and situation.\n    So it is a bit frustrating when we can't and I know a \nnumber of the CEOs on the electric side because they've been \nworking a little bit longer through a formal process, had \nclearances. I've had--I was in the gang of eight, so I've had \nall kinds of different clearances. I currently have a DoD \nclearance. But if it's at a Secret level, that really doesn't \nhelp when we're talking Ukraine or some of those other issues \nthat are timely when they came up. It's more of a backlog. I'm \nnot in control of that. We do the reviews.\n    I applied. The Department is actually trying with \nofficials, executives, to move the process. But it's, the \nclearance process, across government which is, kind of, fouled \nup there. I hate for it to be a personal example, but it's one \nthat----\n    Senator Heinrich. Actually, I think it helps for it to be a \npersonal example.\n    Mr. McCurdy. Yeah.\n    Senator Heinrich. 
Because you are an unusual example.\n    Mr. McCurdy. Yeah.\n    Senator Heinrich. And if it is this tough for you, you can \nimagine how tough it is for lots of people in the utility \nindustry broadly on both the electric and the gas side.\n    Mr. McCurdy. Absolutely.\n    Senator Heinrich. Colonel Welsh, do you want to talk about \nsome of the advances----\n    Colonel Welsh. Yes, sir.\n    Senator Heinrich. ----you have been able to make in \nWashington State?\n    Colonel Welsh. So, you can't have a partnership without \naccess and sharing. Information sharing without any partners at \nthe table is tough.\n    We view, from the National Guard's perspective and really \nin Washington State, I'll give you the Washington State case \nstudy.\n    Every state, every state governor has a Homeland Security \nAdvisor. That Homeland Security Advisor has the authority in \nthat position to sponsor folks in that state for clearances. So \nwe have the luxury of our Homeland Security Advisor being our \nTAG and our Emergency Management Authority, so it, sort of, \nmakes it easy. It's all in the same family.\n    But the fact that he is able to do that is a tremendous \ntrust builder for our partners out there. Nothing makes more \ntrust built, you can't build it without a, we'll put you in for \na clearance. Here's the stuff to sign. Sorry, you'll probably \nget somebody asking your neighbors, you know, how you do, but \nit's tremendous for us. But it starts at that Homeland Security \nAdvisor level. Again, we, sort of, wait for again, federal \npolicy to, sort of, catch up with that.\n    I think on the DHS side what we would like to see is it's \nfairly easy to get a security clearance at the secret level. \nIt's that TS level that takes a bit more of a nudge, and that's \nreally the only thing that matters. 
You know, secret is great, \nas everybody knows, but it's at that TS level, you don't need \nto know the sources and methods, but there are some things \ngoing on out there that are of interest with our sectors.\n    Thank you.\n    Senator Heinrich. Absolutely. Thank you for your input on \nthat.\n    I yield back my remaining second.\n    The Chairman. Thank you, Senator Heinrich.\n    Senator Risch.\n    Senator Risch. Well, Madam Chairman, first of all, thank \nyou for holding this hearing.\n    I sit on the Intelligence Committee also and after all the \ntestimony I hear there, I am convinced that the next major \nevent in America is going to be a cyber event. Obviously, we \nare always vulnerable, not vulnerable, but at risk for some \ntype of kinetic attack. But I am convinced that the next major \none that affects large numbers of people is going to be \ncybersecurity.\n    So it is important that we do talk about this and continue \nto work at it because from everything we are told, we are \nrunning fast but need to run faster to catch up to where we \nneed to be.\n    Mr. Bochman, thank you for coming from Idaho to testify \ntoday. Members of this Committee grow weary of me over the \nyears explaining to them how important the INL is and being the \nlead lab for nuclear energy. And now, of course, we are \ndeveloping our expertise on cybersecurity and becoming a lead, \nif not the lead.\n    Could you tell my fellow members here the unique \ncapabilities that our lab has as far as moving in to that \nposition?\n    Mr. Bochman. Sure, thanks, Senator.\n    Thanks, Senator Risch, sure, you bet.\n    Idaho National Lab, without making too much of it, is a \nnational----\n    Senator Risch. No, go ahead and make too much.\n    [Laughter.]\n    Mr. Bochman. It's a softball.\n    It is the nation's nuclear energy lab where nuclear energy \nhas been developed with, I think, 52 test reactors with a small \nmodular reactor on the way.\n    Senator Risch. 
And the first one, of course.\n    Mr. Bochman. I think we, I think people there figured out \nit was probably a better idea to monitor and control those \nsomewhat dangerous processes from a comfortable distance, and \ntherefore they were highly incented to create control systems \nthat would allow them to do that. Hence, early control systems \ntheory and practical engineering knowledge developed ahead of \nthe curve there in Idaho.\n    When cybersecurity started to become on people's minds, \ncertainly it landed in the IT universe first, but very quickly, \nI know folks realized that the same basic types of systems that \nhelp run banks and retail stores, et cetera, are also at the \nheart. They're either both at the heart of control systems \noperations, industrial control systems and they're also next \ndoor neighbors to them, as utilities, all our businesses and \nhave IT organizations and with convergence.\n    We used to talk about convergence of information technology \nand operational technology as something that was coming that we \nneeded to prepare for. The most recent SANS Industrial Control \nSystems Conference in Florida, two weeks ago, we all admitted, \nthis group of subject matter experts, that it's happened, that \nthese, now these two parts are inextricably fused and it's one \nof the ways adversaries can get in.\n    So Idaho is a great testing ground with that experience and \nalso with its facilities. It has a test grid that has both \ntransmission and a variety of distribution voltage assets, \nsubstations, transformers, control centers and linemen. It's \nintegrated into the larger regional grid in a way that makes \nit, I'll say it this way, while we use models a lot and have to \nuse models for a grid that's becoming ever more complex and get \na handle on the types of risks that are there.\n    Every once in a while, maybe more than every once in a \nwhile, it behooves us to validate the models with real world \ntesting. 
And it's been several times now, in my short time \nthere, where we've run real world tests that have shown that \nthe models we rely on so much and trust, weren't quite right \nand need to be tweaked and tuned. Once you do that, then you \ncan have confidence in them again.\n    Senator Risch. Could you talk just briefly about the test \nbed that we have there for doing that?\n    Mr. Bochman. Yeah, well this is the--there's both the grid \nassets I described. There's also communications test bed \nassets. So you can have both.\n    Everyone knows a full electric indoor natural gas operation \nrequires copious communications assets. Those are also subject \nto cyberattack and just as disruptive if you aim at them as if \nyou aim at the actual industrial control systems that they \nsupport.\n    It's also the home of a program where, in the past, \nindustrial control system suppliers sent equipment and the \nsecurity subject matter experts did exhaustive security \nassessments of it both at the hardware/software and firmware \nlevel in conjunction with the suppliers to give them feedback \non how they might harden and build more secure systems in the \nfuture.\n    In my testimony, there's a call now from the Section Nine \nutilities to, in some form, bring about a modernized version \nthat fits the purposes of the Industrial Internet of Things \n(IIoT) and the world in which we live. And so, I'll stop there.\n    Senator Risch. Okay. Thank you, Mr. Bochman.\n    Thank you, Madam Chair.\n    The Chairman. Senator Manchin.\n    Senator Manchin. Thank you, Madam Chairman.\n    I will be quick.\n    [Laughter.]\n    Thank you, Madam Chairman, I appreciate it very much.\n    Thank all of you for coming.\n    My concern is reliability, and I think this first question \nwill go to Mr. Cauley. Today our reliability organizations, \nelectric utilities, are tasked with maintaining our electric \ngrid in an increasingly challenging environment. 
As you all \nknow, a perfect storm of factors has put baseload units at risk \nand states are more frequently using outer markets solutions to \nrescue units and to ensure their citizens and businesses have \nreliable, affordable electricity.\n    In the meantime, aging infrastructure, extreme weather \nevents, the threat of cyberattacks, rapidly changing fuel mix \nand over regulations are increasingly testing our nation's \nelectric grid. Several times throughout the month of January in \n2014, the upper Midwest and mid-Atlantic experienced \ntemperatures below zero. The Eastern portion of the PJM grid \nflirted with rolling blackouts.\n    On January 7th, a winter record was set with 141,132 \nmegawatts of electricity being used. PJM is the nation's \nlargest grid operator, basically overseeing 180,000 megawatts, \nand that's cutting it pretty close.\n    Interestingly, following the winter of 2014, AEP reported \nthat nearly 90 percent of its coal plants scheduled for \nretirement ran during the Polar Vortex. If not for that, there \nwould have been rolling blackouts. Coal helped keep the lights \non, as we know.\n    Last week PJM released a report that said it could keep the \nlights on with the generation portfolio that is 86 percent \ndependent on natural gas. Current installed capacity, this is \ntheir actual figures, it is 33 percent of coal, 33 percent \nnatural gas, 18 percent nuclear and 6 percent renewable. But \nmore of that coal is going to be retired.\n    So my question would be this. I understand that your \norganization's reliability assessment from last year did not \neven flag PJM as having major near-term reliability issues, but \nI have to ask, is PJM correct? It seems highly risky for them \nto depend 86 percent on one fuel in an environment when all we \ntalk about is fuel diversity.\n    Mr. Cauley. 
Thank you, Senator, for that question.\n    As a reliability engineer for 37 years, I think one of my \nmost important factors is a diversity of our fleet and a \ndiversity of our fuel mix. And it is a concern. We've done a \nnumber of studies over recent years on the changing resource \nmix and its impacts on reliability. One of those----\n    Senator Manchin. Do you think PJM is correct?\n    Mr. Cauley. I think currently, PJM----\n    Senator Manchin. 86 percent?\n    Mr. Cauley. ----does have a very robust supply, capacity \nsupply, in the near-term years.\n    The one concern I would have with PJM is the dependence on \ngas. And the concern there is, not so much the adequate amount \nof gas, but the dependence on gas infrastructure and supply \nduring times of extreme weather when you'd be competing.\n    Senator Manchin. You would be concerned about the \nreliability, putting all your eggs in one basket?\n    Mr. Cauley. Yes, exactly.\n    Senator Manchin. What do regulators need to do to help move \nnatural gas into a position where it can serve as a baseload?\n    I know that the pipeline, I know the things, the pressures \ncan freeze up. I have known all of that.\n    We are very blessed in West Virginia. We have a little bit \nof everything, coal, gas, wind, solar. We try to do it all, but \nthrowing all your eggs in one basket.\n    Here is my problem. I have not spoken to one CEO of a major \nutility that believes that they have the right mix in their \nenergy portfolio. Not one. They think they have been forced \nbecause of what we have done here, forcing them in a direction \nthat reliability is not demand. FERC is not even looking at \nreliability as their responsibility. What happens when the \nsystem collapses and goes down? Who gets blamed?\n    Mr. Cauley. Me.\n    [Laughter.]\n    Senator Manchin. Oh, okay.\n    Mr. Cauley. Well, I will be one of the folks. 
But it is \ncreating some difficulty, and that's why we're working hard to \nmake sure we get that information out.\n    You know, one of the challenges is newer, inverter-based \ngenerators like renewable solar and wind don't have the \nrotating mass and the stability of larger units. So that \ncreates a reliability challenge. We do see stability margins \nstarting to shrink, so what we're trying to do is make sure \neveryone has the information needed to make the best decisions \ngoing forward.\n    Senator Manchin. I am sorry, sir, my time is running short.\n    This one is for Mr. Highley. In the U.S., approximately six \npercent of electricity is lost when it is transported from a \ngeneration facility across transmission distribution lines to \nconsumers. Our transmission and distribution lines waste enough \nenergy each year to power more than two million homes for one \nmonth. Each year they lose that much power.\n    The Department of Energy in the past did a significant \namount of work on superconductive materials in an effort to \nreduce transmission line losses. This research has apparently \nnot led to any significant breakthroughs. If we are going to \nbecome more energy efficient, we need to improve these \ntransmission distribution of electricity.\n    Mr. Highley, what is the industry doing to improve the \nefficiency of electricity transmission and distribution lines? \nAnd do you expect any developments in the near term that will \nlead to dramatic line loss reductions?\n    I am to understand that there are so many new products on \nthe market we have not used yet.\n    Mr. Highley. As a CEO of a member-owned system, I work for \nmy members and I am absolutely incented to save every dollar I \ncan for them. And if I could save them money by using those \ntechnologies for transmission distribution, we would be doing \nit. We don't see it as cost-effective today to deploy that.\n    Senator Manchin. To deploy the new technology?\n    Mr. Highley. 
Correct. If it was--in the areas where it's \ncost-\neffective----\n    Senator Manchin. So you are saying the six percent loss is \nmore----\n    Mr. Highley. Is----\n    Senator Manchin. ----cost-effective than buying the new \nequipment?\n    Mr. Highley. Correct, correct in terms of life cycle costs.\n    Senator Manchin. So basically our whole----\n    Mr. Highley. I have to face the people who pay the bill \nevery month. That's my Board of Directors.\n    Senator Manchin. I understand that. So I would say that \nbasically all of----\n    Mr. Highley. They're my----\n    Senator Manchin. ----those senators who have been really on \nenergy efficiencies that we have been trying to do here is all \nfor naught when it comes down to cost?\n    Mr. Highley. It's just an economic choice.\n    Senator Manchin. I understand.\n    Mr. Highley. Yes, sir.\n    Senator Manchin. I understand.\n    Thank you.\n    The Chairman. Thank you, Senator Manchin.\n    Senator Cassidy.\n    Senator Cassidy. I want to congratulate you all. I have \nnever seen a collection of testimony with more acronyms, \noutside of maybe, Department of Defense. It was quite \nremarkable. And as a rule, they did not overlap. It wasn't as \nif I learned it here and then I would see it there, so good \njob, guys.\n    Ms. Hoffman, let's start off with that which we have not \nyet discussed, the electromagnetic pulse (EMP) resilience. Now \nthat is not related to cyberattacks, that is just the sun \ndecides to send off something one day.\n    I was not clear from your testimony, and you may have said \nit and I just did not follow, to the degree that we are now \npositioned to robustly endure such an electromagnetic pulse \nfrom either a military or the sun. I think I understand it \ncould be either, right? How are we positioned to withstand \nthat?\n    Ms. Hoffman. 
So thank you, Senator, for the question.\n    Electromagnetic pulses and GMD disturbances are basically \nelectromagnetic disturbances that will affect not only the \nelectric sector but multiple sectors in the United States.\n    Within the utility sector, we have taken an aggressive \nposture of looking and investigating further the \nelectromagnetic issues. The Department has partnered with the \nElectric Power Research Institute and developed a strategy for \nlooking at EMP.\n    Senator Cassidy. I have limited time, so how, if either EMP \nwas discharged in the atmosphere or the sun sent off such an \nissue, if you will, how well are we now positioned to respond \nto it?\n    Ms. Hoffman. So, it would depend where it was set off in \nthe atmosphere. It would have multiple effects on transformers \nand components on the system.\n    There is a need to do some additional hardening on the \nsystem to mitigate some of those effects. But a lot of the \ndiscussions are what is the strategy and what is the most cost-\neffective solution to implement?\n    Senator Cassidy. I am not sure I am getting an answer to my \nquestion, but implied, is that we are not there yet.\n    Ms. Hoffman. We are still working toward what is the best \nsolution for the sector.\n    Senator Cassidy. And so, if we are still working toward \nwhat is the best solution it suggests to me we have not yet \nimplemented anything.\n    Ms. Hoffman. No, the industry has implemented some \nsolutions. There have been specific utilities that have looked \nat shielding, hardening of substations. So there has been \nprogress with respect to some mitigation measures.\n    Senator Cassidy. Okay, but still I am guessing \nvulnerability. Again, it is some. You are speaking in \nfractions. You are not speaking in significant fractions. We \nare 50 percent of the way there is not what I am hearing. I am \nhearing some have done something.\n    Ms. Hoffman. Some, yes, utilities.\n    Senator Cassidy. 
Colonel Welsh, you speak of failure of \nimagination. Now, it is a little bit, you know, existential. \nHow do you imagine the future?\n    I remember being in Israel and somebody came up, some young \nwhiz kids came up, with some software that used an eye to \nimagine where in software would be a vulnerability and to \nanticipate what would be a response. Maybe that is how we \nimagine, but I was not sure how should we imagine?\n    I saw your testimony, we need to have a robust response and \nthe guy from Johns Hopkins on my staff gave me something that \nhe has written also using National Guard as part of that \nresponse. But I guess my question is how do we imagine where \nthe next cyberattack would be from?\n    Colonel Welsh. Well, I think that the failure of \nimagination covers a wide spectrum, so my concern on the \nfailure of imagination is we've now acknowledged that a \ncyberattack is possible, but huge gaps in capabilities, you \nknow, at the federal level, at the state level.\n    Senator Cassidy. As I read your testimony, again, I am \nskimming it, I apologize, because there is much you did not \nsay, it was written, so I am skimming that what you wrote and \nspoke of a failure of imagination as it regards management.\n    But is there a way to anticipate from whence the attack \ncomes because, again, something else I read said that the folks \nwho are going to attack us will probably save their best stuff \nfor, you know, they are not going to tip us off as to what \ntheir most effective attack would be.\n    Colonel Welsh. Correct.\n    I think there are certain countries out there that we know \nwe can potentially expect some interest from now and in the \nfuture. But again, back to the failure of imagination. It is, \nyou know, I think we have decided that we can be attacked, but \nthere is not much more imagination that is happening in terms \nof response and recovery. That is really where my concern is \nright now.\n    Senator Cassidy. 
Response and recovery.\n    Colonel Welsh. Correct.\n    Senator Cassidy. Is there a way to anticipate what the \nattack itself would be, beyond the say, eye, that perhaps I was \nexposed to in Israel?\n    Colonel Welsh. Maybe I'm not completely clear on your \nquestion, Senator.\n    Senator Cassidy. Gentlemen, you seem to be----\n    Mr. Bochman. If you don't mind, Senator.\n    Yeah, there's definitely ways to anticipate, and I'd say \nthat's happening every single day.\n    If we're talking about a game changing cyberattack on U.S. \ninfrastructure, the one it sounds like you're teasing out, \nwe're looking for, we're always looking for that. But things of \na lower order of impact are happening every day and people are \nmonitoring them. They're identifying where traffic is coming \nfrom. They're monitoring signatures and behavioral \nabnormalities and jumping on them and protecting some things, \nblocking some things, not responding later on.\n    Senator Cassidy. So you can look at a signature of an \nattack and therefore block something from that particular \nsignature from thenceforth, sort of thing?\n    Mr. Bochman. Yes, that's business as usual.\n    Senator Cassidy. Gotcha.\n    Mr. Bochman. That's happening now, fairly broadly. And I \nwould imagine, I could say on behalf of the energy sector, \nthat's happening broadly.\n    Senator Cassidy. And quickly, because I am almost out of \ntime.\n    Mr. Bochman. Sure.\n    Senator Cassidy. You mentioned this, kind of, paradigm \nshifting attack and that is what I was getting at.\n    Mr. Bochman. Right.\n    Senator Cassidy. How do we anticipate that?\n    Mr. Bochman. Ah, to your point, if it's done well, we'll \nhave a hard time anticipating it.\n    Senator Cassidy. Okay.\n    I yield back. Thank you.\n    The Chairman. Thank you.\n    Senator Stabenow.\n    Senator Stabenow. Thank you very much, Madam Chair, and \nthank you to all of you for your testimony. 
As we talk about \ncyberattacks, of course, we are being attacked right now \nthrough our communication systems and so on, so this is a very \nimportant conversation, as we look at capabilities and what \ncould happen, what is happening, what will happen.\n    Mr. Bochman, I think you talked a little bit about, or you \nhave included in your testimony a little bit about, something \nthat I heard from a cybersecurity expert at the University of \nMichigan who suggested to me that we need to move away from the \ncheckbox compliance mentality when it comes to securing our \nenergy infrastructure and move toward building cybersecurity \ninto the very fabric of our energy systems. For example, \nfirewalls and anti-virus software described to me as merely \nafterthoughts and add-ons, and what we need is to be building \nsecurity into the system.\n    What is being done to transition toward an approach that \nfully integrates cybersecurity practices and technologies into \nthe systems that are so critical to the economy and national \nsecurity?\n    Mr. Bochman. I appreciate the question, Senator Stabenow.\n    First of all, in defense of checkboxes and mandatory \ncompliance regimes that have, I think, demonstratively improved \nthe security of the grid in the United States, you've got to \nachieve a baseline level of hygiene first before you can start \nthinking about playing even more advanced forms of defense.\n    Hygiene is what you get when you, if you, adhere to the \nrecommendations of say, the SANS top 25 security controls or \nthe NERC CIPs or the C2M2 maturity model from DOE. We're trying \nto have people make sure that, it's kind of like the analogy \nfor folks is, you know, you brush your teeth and you take \nvitamins and you eat well and get exercise so that you don't \nfall prey to all manner of different infections and bugs that \ncould slow you down or worse, right? You want to, at least, be \nthere with a level of hygiene. 
So, I'm responding to the, I \nthink, compliance or checkbox mentality thing.\n    In terms of building security in, yes, every security \nprofessional in their earliest days says, we need to make sure \nthat we don't try to bolt security on after the facts, after \nsomething is deployed because that's both more expensive and \nless effective than it is to just get it right the first time \nwhen you design it, at the design stage, right? The challenge \nis so that's mom and apple pie for security folks.\n    The problem is with the energy sector, it's true in all \nsectors, but if you're more IT you're used to replacing \nproducts on a fairly regular basis. You know, your laptop is \ngiving you trouble after a year, or two, or three. It's time \nfor a new one anyway, even faster sometimes for cell phones and \nother technologies.\n    With assets that are deployed in industrial applications \nlike the grid, like natural gas, the way we buy those systems \nand budget for them expects that they will be operational for \n10, 20 or 30 years or at least that's the way it's been up \nuntil now. And so, once that thing has been designed, \npurchased, deployed and now you're on maintenance cycle, you \nlive with that thing. And so, bolt on, bolting on security, \nadding it after the fact, is your only choice.\n    I think, though, to conclude, a strong push this is \nsomething that, I think, all of us here and Senators as well, \nthe Committee could do, is it's almost like the oath, vow to do \nno more harm. If we could start to have more rigorous, I won't \nsay enforcement, but encouragement, incentivization, is the \nright word, to help people get it right the first time on the \nnext generation of products before those are rolled out. I \nthink that would be a demonstrable sign of progress.\n    Senator Stabenow. Thank you.\n    Ms. Hoffman, thank you for being here. Distributed energy \nsystems are notable for their efficiency and their flexibility. 
\nHowever, in terms of cybersecurity, what are the benefits and \nrisks to having a distributed energy network and what does an \nincreasingly decentralized network mean for the government and \nindustry's role in combating cyber threats?\n    Ms. Hoffman. So, thank you, Senator.\n    Distributed energy resources are both, provide a value and \na risk, as you have mentioned.\n    From the value side of it, it brings generation closer to \nthe load or closer to where demand is so it can provide \nconsumers with a greater sense of resilience and reliability by \nbeing closer to where the customers are demanding that energy. \nIt also provides a great diversity and resources from solar, \nfrom distributed solar, to natural gas generation and onsite \ngeneration. So it does provide that diversity.\n    On the security side of things, though, it's still another \ngeneration asset that has communications and controls, and one \nneeds to look at building security into supply chain or \ngeneration assets as part of the system. So, it's very \nimportant that even if you're a solar manufacturer or you're a \ndistributed energy manufacturer, that if you have a control \nsystem and you have a computer or any sort of computer-aided \ncontrol, you really need to embed cybersecurity into those \ndevices.\n    Senator Stabenow. Thank you very much.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator Stabenow.\n    Senator Wyden.\n    Senator Wyden. Thank you, Madam Chair.\n    It has been an excellent panel. What is striking is how \npervasive this challenge is. I am on the Intelligence \nCommittee. We have cyber threats there. I am on the Finance \nCommittee, and we are concerned about our data with respect to \nour taxes. And then, of course, we are concerned about the \nenergy grid. So I want to, sort of, try to touch on several \npieces of the puzzle this morning. I think I am going to start \nwith you, Mr. 
Cauley.\n    First, I am particularly interested in this concept of red \nteaming because we saw this report coming from Houston where \nessentially a team of hackers, for a couple hundred bucks, got \ninto a Houston oil refinery. Basically, they broke through an \nelectric lock. They installed a small credit card-sized device \nto penetrate the company's control systems.\n    I think the government ought to be involved in red teaming. \nWhat do you think of that concept?\n    Mr. Cauley. Well, I think one of the things that the NERC \nstandards does is require the electric companies to do \nvulnerability testing which includes red team penetration tests \nand things like that to the critical systems. And I think part \nof our risk approach on our standards is that they're not \nprescriptive but tell people what they need to do.\n    Senator Wyden. I guess I would like to hear if you think \nmore should be done on this.\n    Mr. Cauley. I think more should be done, could be done, and \nI think partnering with government to support that would be \nuseful.\n    Senator Wyden. Good.\n    Let's hold the record open on that point because I would \nlike to hear, given the fact that you think more needs to be \ndone, what additional work you think would make sense. Okay? \nCould you get that to us, say, within, say, 10 days?\n    Mr. Cauley. Yes, yes, sir.\n    Senator Wyden. Very good.\n    One other question for you and one point just with respect \nto the group. I have been trying to assess our witnesses' \nposition on strong encryption, because I think strong \nencryption is vitally important to the security and well-being \nof the American people and certainly the energy grid. There are \npeople around here who would be very interested in weakening \nstrong encryption. 
I have made it clear that I will filibuster \nany bill that weakens strong encryption because it will leave \nAmericans less safe.\n    If any of you have views you would like to advance to the \ncontrary, I would like to see that in writing as well. In other \nwords, if you do not agree with the notion of how important \nstrong encryption is, I would like to have anybody share their \nviews as to why we should not be for that.\n    The last point I want to make, Mr. Cauley, goes again, back \nto you, and it really involves the Internet of Things.\n    Last year, James Clapper, who was then the Director of \nNational Intelligence, talked about how the Internet of Things \nwas going to play a bigger and bigger role as it relates to \nsurveillance and monitoring and location trackers. I would be \ninterested in wrapping up this round of questions, we \nunderstand the important role that the North American Electric \nReliability Corporation has, in energy lingo that is NERC. I \nwould be interested in your wrapping up, if you could explain a \npotential role for NERC as we try to address the Internet of \nThings and ensuring that we prove, as is my guiding philosophy, \nthat security and privacy are not mutually exclusive, that \nsmart policies can give us both. What kinds of things could \nthis NERC outfit, the North American Electric Reliability \nCorporation, help us with as we try to come up with a smart \npolicy given the challenge with the Internet of Things?\n    Mr. Cauley. Well, the distribution system, the Internet of \nThings we see, largely at the customer distribution level, are \nnot really within NERC or FERC's purview at the federal level.\n    Senator Wyden. But they could give advice.\n    Mr. Cauley. They do create a significant risk to the bulk \npower system and the denial of service attack, that we saw last \nOctober, could inflict harm on the bulk power system. 
So we are \nvery concerned about making sure that distributed systems and \ncustomer systems are not easily hacked and captured and become \na weapon in and of themselves. Heavy encryption and protection \nof those systems and making sure that we work with vendors to \nmake sure that they're not easily hacked is our focus.\n    Senator Wyden. If you could give us additional suggestions \nwith respect to NERC and if there are other organizations that \ncould do that work, I would be very interested in it because I \nhave not yet seen a government or an entity like NERC get this \nright yet and it is obvious because it is an incredibly \nchallenging area.\n    Could you get us any thoughts you have, say, since I was \nlooking at it for the next 10 days, on how they and other \nbodies could help us tackle the Internet of Things in this \nmanner that would show that a smart policy means that security \nand liberty are not mutually exclusive, that you can have both. \nIs that agreeable?\n    Mr. Cauley. Yes, sir, we'll do that.\n    Senator Wyden. Great, thank you.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator Wyden.\n    Senator Hoeven.\n    Senator Hoeven. Thank you, Madam Chairman.\n    Essentially, the question I have is how to secure against \nthe interconnectedness of things? I would like each of you to \nrespond to that for just a minute. I mean, everything is \ninterconnected now, right? So if something goes wrong in one \nplace that has a potential cascading effect throughout the \nsystem.\n    How do you create circuit breakers or safeguards to prevent \nthat because on the one hand you have to be fully integrated, \nand we are constantly trying to integrate more and more and get \nrid of silos? On the other hand, if something happens in one \nsector of our energy infrastructure, then potentially that is \ngoing to impact everybody else with a potential cascading \neffect. 
How do you handle that issue, the interconnectedness of \nthings, I guess, unless you have a better way to term it?\n    Ms. Hoffman. I will start and then----\n    Senator Hoeven. Sure, that would be great.\n    Ms. Hoffman. So first of all, I think you need to test both \ndevices and networks. So you must start testing these networks \nto make sure you identify vulnerabilities. As you're looking at \ncomponents that are connected, you must understand where their \nvulnerabilities are in the components.\n    But also, build a system where cybersecurity is built in so \nthat you know what normal operations of the system is and what \nabnormal operations or abnormal communications are so you can \nblock them and prevent them from causing damage.\n    Senator Hoeven. Can you create circuit breakers that both \nintegrate systems and isolate them, when necessary?\n    Ms. Hoffman. So on the circuit breakers, that's a specific \ntechnology that has the specific function so you should be able \nto look at that.\n    Mr. Cauley. So a lot of work has been done to \ncompartmentalize within the power system. As I mentioned in my \noral remarks, the grid operates over private networks, \nmicrowave and fiber systems that are owned and managed by the \ncompany. So there is a lot of isolation and departmentalization \nto protect those systems.\n    We require, within our standards, that critical assets, we \nunderstand the architecture and design of that system so we \nunderstand all the connection points and vulnerabilities from \nthat.\n    The more you get further down into the system, into \ndistribution and distributed resources and those kinds of \nthings, then we're talking about more amass devices and \ninstruments and communications and it's much more difficult \nbecause the sharing is the value is everybody is contributing. \nIt is a dilemma to try to operate a very interconnected grid \nand a compartmentalized and protected grid at the same time.\n    Senator Hoeven. 
As you develop your cybersecurity, as you \nintegrate, are you building those types of circuit breakers or \nisolation systems to separate yourself from the problem? Is \nthat a standard part of cybersecurity?\n    Mr. Cauley. Separation and compartmentalization is \nstandard. There are some of the more most critical assets in \ncontrol centers and so on now where people are using one way \ndata diodes and things like that, that would control the flow \nso no harmful information can come in. So that's, sort of, \nearly stages of some of that more advanced work.\n    Mr. Highley. Just on the policy level, cross-sector \ncoordination is critical. Oil and gas, telecommunications, \nelectricity, finance, water, all depend on one another, and so \nwhat we're doing at the ASCC is bringing those sectors together \nin cross-sector dialogue, bringing our ISACs, that give us \ninformation about cyber threats and sharing those cyber threats \namongst the different entities so that we're all working toward \nthe same goal.\n    Senator Hoeven. Dave?\n    Mr. McCurdy. Senator, that's a great question.\n    In the natural gas sector, we're doing two things.\n    One, we are delivering electrons. So we have automated \ncontrols. We have Industrial Control systems in those. But we \nalso are moving molecules. So it's a bit more of a mechanical \nand physical process. In both are safety and security, \ncybersecurity, concerns. And so, we have the automatic control \nsystems that are separate from a safety standpoint we need to \nhave backup for that and a second tier. In there we have \nshutoff valves. Again, because of pressurization and \ncompressibility, it's a little slower process so we're able to \nhave some physical control over it as well. And those are \nseparate.\n    In addition to the other basic hygiene where you try to \nseparate your enterprise system from your operations system. 
\nAnd even though you have human beings crossing between and \nprobably the most significant risk, we haven't talked about it, \nbut people are still the most important risk and we test that \non a regular basis.\n    But there's a--you need that layer of--going beyond a \nlayered defense but layered resiliency. And I think that's the \nculture we're trying to instill in our center.\n    Senator Hoeven. The other question would be how do you know \nif you are safe? Maybe you alluded to it, but you just do that \nthrough testing? I mean, you run various scenarios and do the \ntests?\n    Mr. McCurdy. Yes.\n    Senator Hoeven. To try to assess whether you are safe, \nwhether you have these safeguards and whether they work?\n    Mr. McCurdy. Yes, sir. We do.\n    And to one of the other questions, I think to Ron Wyden's \nquestion about red teaming. We participate in GridEx. We have \nanother one coming up in a few months, and natural gas, I think \nfor the first time, will actually be participating in that as \ndirect. So as we look at the interdependence of the bulk power \nsystem and we're a portion of that, maybe one-third now. \nNatural gas is being used more.\n    But you also have to recognize we deliver one-fourth of the \ncountry's energy directly to more than 74 million customer \nsites, not individuals. So, we've got multiple tiers here, and \nthat's why it's important that we coordinate with DOE but also \nTSA and transportation, because we're a transportation system.\n    There's multiple layers here, and that's why it's important \nto have a hearing like this so we can, kind of, get a better \nunderstanding. It's not just as simply, just one overlay.\n    Senator Hoeven. Are you seeing attacks on a regular basis, \nbe it cyber or other types of attacks on the system?\n    Mr. McCurdy. Absolutely, yes. We have detection \ncapabilities, and even my small association has that \ncapability. We've seen it. We're targets. 
If you have energy in \nyour title or name, you've been attacked for a long time. \nYou've been surveilled. You've been mapped. You've been all \nthese. And it's no longer, you know, what we used to see as \nindividuals, it's nation-state, it's other.\n    Senator Hoeven. Yes.\n    Mr. McCurdy. Ramping of those threats. You have to assume \nthat you've been penetrated, and then what do you do from \nthere? So, it's a whole different conversation than it was just \na few years ago.\n    I know the Senate and Congress is much more acutely aware \ntoday than it was a few years as well.\n    The Chairman. Thank you, Senator Hoeven.\n    Senator King.\n    Senator King. Thank you, Madam Chair.\n    Mr. Bochman, your paper on the Ukraine attack in December \n2015 was, in large measure, the inspiration for S. 79, the bill \nthat Senator Risch and I have put in. Could you give some \nbackground on what the concept is and what we are trying to do \nin that bill and the concept of places in the grid where we can \nprotect ourselves by, perhaps, having analog technology?\n    Mr. Bochman. Sure, thanks for the question, Senator King.\n    And it is, sort of, a follow on, in a sense from Senator \nHoeven's. The paper the Senator is referring to is the National \nSecurity Case for Simplicity in Energy Infrastructure. And so, \nall those questions, all the other points about cascades and \ninterdependencies of the systems in different sectors, all that \nare enthusiastically embracing adding more technology into \nsystems that used to just be electromechanical and were \nprotected, in large part, through isolation. Each would have a \ntrained engineer, who knew the way that thing worked all the \nway down to their bones, like an engineer in a substation, for \nexample.\n    For, as I alluded to in my testimony, many very good \nbusiness reasons, usually having to do with efficiency and cost \nsavings, but also the ability to see what's going on better. 
\nWe've connected everything. Convergence has happened. Now we \nare adding communications and sensor and communications \ntechnologies into the most mundane parts of our different \ninterconnected systems. So, they're all talking with each \nother.\n    I was going to say to Senator Hoeven, our ability to \ninfluence the wide deployment of Internet of Things and \nIndustrial Internet of Things is very minimal. So one of the \nbest things that we can try to do to focus our thinking is \nprioritization. And this gets to some of the issues in the case \nfor the simplicity paper you're referencing.\n    What are the systems that absolutely must be protected from \na national security point of view? Because of the energy and \nother processes they support, it would be unacceptable as an \neconomy or as a nation to lose them.\n    Senator King. What we are talking about is finding those \nplaces, not the entire grid, but finding places where \nsimplicity, and perhaps even old technology, could be an \nisolating factor. That is what we are talking about here.\n    Mr. Bochman. Yeah and it's, kind of, neat because very \nselectively adding these types of analog or out of band or \nputting a human, a trusted human, back in the loop, doing that \nin a moderate way in only the holiest of holy places, allows \nyou to then proceed with the modernization which brings all the \nbenefits of the grid that we need to have in the future. So it \nallows you to do that. At the same time, it might let utility \nexecutives, natural gas executives and folks on the hill, sleep \na little bit more soundly.\n    Senator King. Thank you.\n    Mr. Cauley, I think you touched on this and Dave McCurdy \ntouched on it as well, I think. We are talking all about \ncybersecurity and cyberattacks, but in our own national \nsecurity agencies, insider attacks have been the vulnerability. 
\nTo what extent is the industry looking at its own people and \nhow they are investigated and examined and how do we protect \nagainst a rogue employee who could do a lot of damage?\n    Mr. Cauley. Insider threat is one of the top risks that we \nlook at in both physical and cybersecurity side. And the more \ncritical the job, the more critical the facility that the \nindividual works at, the scale of, in terms of screening and \nreview, doing background checks, goes up with that. So it's a \nwell-known and a well-understood risk.\n    It's not always perfect. I mean, there was one employee who \nseveral, a couple years ago, was at NERC ISO, who went through \nthe normal background checks and turned out that it was a \nsuspicious person, a foreign national that we didn't know about \nbecause it wasn't in the database. But to the extent that that \ninformation is available in--through a background check, that's \na common practice.\n    Senator King. Mr. McCurdy, I take it you see this as a \nthreat as well?\n    Mr. McCurdy. Yes, Senator.\n    And beyond just the individual that may have nefarious \nmotives, just lackadaisical security practices. We do social \nengineering testing of our own staff, and we actually got \ncaught. This week we did one and creative IT staff and just \nclicking on the wrong link or not checking everything. We test \nthat regularly and you have to.\n    It's easy just to assume that because it looks like an \nemail from me or someone else, doesn't mean, yup, you know, \nthen you go check those lines. So there's a whole level, multi-\nlevels, of testing with people to raise their awareness of what \nthe threat is.\n    Senator King. Mr. Bochman, I am out of time, but----\n    Mr. Bochman. Super short.\n    I just wanted to say that you asked about insider threat. 
\nYou mentioned self-phishing, auto phishing, making sure people \naren't clicking on those crazy things, and some of them are \nvery realistic.\n    When those people, when the attackers successfully phish \nyou and they gain your credentials they know your login and \npassword. They are insider. They have every right to use the \napplications and access the data to whatever authorization \nlevel you were given as that employee. They can proceed at \npace. They're not hacking. They're not going against any--\nthey're not bumping into any other security system. That's why \neveryone is so energized on that topic and still trying to \nfigure out ways to start to take care of it.\n    Senator King. Thank you, Madam Chair, and thank you for \nconvening this important hearing.\n    The Chairman. Thank you, Senator King.\n    Senator Hirono.\n    Senator Hirono. Thank you, Madam Chair, and I thank the \npanel.\n    I have some questions for Ms. Hoffman. In your testimony, \nyou explain that an ecosystem of resilience, working in \npartnership with local, state and industry stakeholders is the \nsolution to staying ahead of ever-evolving cyber threats to our \nenergy delivery systems.\n    Is this ecosystem of resilience happening in every state \nbecause you have to work with the state level? I mean, it has \nto be present in every state? Is it?\n    Ms. Hoffman. So, I think there is a--thank you for the \nquestion.\n    I think there is a different level of maturity in the \ndifferent states in creating an ecosystem of resilience. You \ncould take the example here with Washington State and the \nNational Guard and their ability to partner with a local \nutility and to do some testing. You also have some other states \nthat are very sophisticated in information sharing with the \nfusion centers. 
And so, there have been some advanced best \npractices.\n    I think the states really have the opportunity to take \nadvantage of looking at their critical infrastructure and \nbuilding that partnership through the supply chain into the \nelectric industry and supporting cybersecurity.\n    Senator Hirono. But this ecosystem is being created in \nevery state at whatever the level of their systems are?\n    Ms. Hoffman. I think it's a work-in-progress and there is \nmaturing at the state levels, including the information sharing \nwith the Federal Government with the state utility commissions.\n    Senator Hirono. Do you have a model or what would work?\n    Ms. Hoffman. I don't have a single model for what would \nwork. I think there are components of what would be successful \nincluding information sharing, testing, partnerships.\n    Senator Hirono. Do you assess what is going on in every \nstate with regard to this ecosystem of resilience?\n    Ms. Hoffman. The Department of Energy does not assess, but \nwe do do energy assurance plans. We have worked, at least in \nthe past, with the state energy offices in looking at energy \nassurance planning.\n    Senator Hirono. Have you done this in Hawaii?\n    Ms. Hoffman. The energy assurance plans? I believe so. I \nwould have to go back and check for you.\n    [The information referred to follows:]\n\n                         INSERT FOR THE RECORD\n\n    The Office of Electricity Delivery and Energy Reliability \n(OE) sponsored Hawaii, through the American Recovery and \nReinvestment Act, to develop an Energy Assurance Plan. The \nHawaii Department of Business, Economic Development and Tourism \nmade a full update of the plan in March 2013 and has since done \nsupplemental reviews and updates, including adding a new Fuel \nShortage Emergency Response Measures Annex. 
Given the \nsensitivity of the critical infrastructure described in the \nplan, it is not available for public distribution, however DOE \nhas a copy of the plan by agreement with the state.\n    Senator Hirono. In addition to our own ecosystem, we also \nhave a huge military presence in Hawaii. I am wondering whether \nyour Department and the national labs have been called upon to \nprovide technical expertise to the Department of Defense to \nhelp address potential cyber threats to our military \ninstallations?\n    Ms. Hoffman. So thank you for that question. That's a very \nimportant relationship between the Department of Energy and the \nDepartment of Defense.\n    I would answer this in a couple ways. We have an MOU with \nthe Department of Defense, so we've been collaborating on a \nregular basis from an R&D perspective with the Department of \nDefense. In the FAST Act, there was a requirement in the FAST \nAct for DOE to work in partnership with DoD to look at electric \nsector critical assets in relationship to the Department of \nDefense. That was completed with the Department of Defense.\n    We have also had innovation through microgrids that we've \ndone with the Department of Defense. I'm sure you might be \nfamiliar with the SPIDERS activities which included several \nmilitary bases in the Hawaii area as well as Colorado and some \nother states. So that is a very important relationship.\n    Senator Hirono. With regard to the FAST Act, are there any \nconcerns of moving the DOE office, the lead agency for \ncybersecurity for the energy sector, and going to Homeland \nSecurity, for example? Is that a concern, leading----\n    Ms. Hoffman. So the FAST Act did codify the Department of \nEnergy's role as the sector-specific agency, as well as we are \nthe Emergency Support Function #12 and it has been mentioned \nmany times in the hearing today as the primary point for \nsecurity issues.\n    Senator Hirono. 
So as far as you are concerned it should \nstay that way.\n    Last month the President submitted a budget to Congress \nthat would cut $2 billion, or nearly 53 percent, from four \nmajor DOE programs, including the office that you lead, the \nOffice of Electricity Delivery and Energy Reliability.\n    I am deeply troubled about the potential impact that this \nproposed funding cut would have to the cybersecurity for energy \ndelivery systems R&D program. The CFDC's R&D program aligns \nfederal and private sector priorities for important research \nthat helps detect, prevent and mitigate the consequences of a \ncyber incident for current and future energy delivery systems.\n    What will be the specific impact to the R&D program if \nthese cuts are enacted next fiscal year?\n    Ms. Hoffman. Senator, thank you for the question.\n    As in your interest in the program, as the blueprint was \nreleased by the President there is, will be, the Secretary has \nannounced as part of that blueprint, released that the mission \nof the department will change. We will focus on earlier stage \nresearch.\n    The details of the budget aren't available at this time. \nWe're working diligently to work through those details. I look \nforward to and would have probably more details, more \ninformation when the budget is released in May, in greater \ndetail.\n    Senator Hirono. That is being very diplomatically put, I \nwould say.\n    Thank you, Madam Chair.\n    The Chairman. Thank you, Senator Hirono.\n    Senator Franken.\n    Senator Franken. Thank you, Madam Chair, for holding this \nCommittee hearing. Boy, this is pretty hair-raising stuff.\n    Colonel Welsh, you brought up in your testimony that we are \nnot well prepared for what comes after a successful \ncyberattack. You say we have done little to anticipate and \ndevelop actual response capacity that would be needed post \nattack.\n    The Chairman. That is interesting.\n    Senator Franken. Can you elaborate on that? 
What does that \nlook like? Would anyone else care to jump in too?\n    Colonel Welsh. You bet, Senator.\n    So my premise is basically that we've treated cyber \ndifferent for a long time. Our view is cyber from an emergency \nresponse perspective can be looked at just like any other \nresponse that we undertake as a nation. So, through DHS and \nFEMA.\n    Using the existing natural response framework, things like \nthe National Cyber Incident Response Plan, but one of the most \ntroubling things is, you know, we fight a lot of wildfires out \nin the State of Washington, there are things called resource \ntypes. We know what to call, what to order, what to buy, when \nsomething happens. We don't have any of that in cyber.\n    If some cyber event happens tonight and it happens in the \nState of Washington, thankfully we've got a lot of cyber folks \nto help. But let's just say it happens in Idaho, and they don't \nhave a whole lot. There's no way to get cyber resources. \nThere's no cyber ninja force, for the most part, out there \nready to call and organized in a way that can respond. That, \nsort of, goes back to the previous question before us on \nfailure of imagination. We've not taken that next step from a \nresponse and recovery standpoint.\n    And also, the acknowledgement that a cyberattack is, sort \nof, a cyber is an IT, sort of, issue. But the second and third \norder consequences that are emergency management issues, that \nare already handled by our existing emergency management \nprocesses, have to be brought into the discussion as well. \nThanks.\n    Senator Franken. Anyone else want to jump in on that?\n    Mr. Highley. We all----\n    Senator Franken. Does anyone not want to jump in on that?\n    [Laughter.]\n    Okay.\n    Mr. Cauley. So, I would say first, Senator, that that's the \npurpose of our massive GridEx exercise we do. We basically \nbreak the system. We put people in the dark. 
We have massive \ndisruptions in cyber and physical attacks.\n    Senator Franken. So you do it at night?\n    Mr. Cauley. We do it over a 2-day period.\n    Senator Franken. Okay.\n    Mr. Cauley. And it's simulated so no one actually gets hurt \nin the process. But with leadership from the White House and \nEnergy and Defense and DHS, and the CEOs and leadership of the \nindustry are on the table. We're working through the \nchallenges.\n    Senator Franken. Because the Colonel seems to be saying we \nare not prepared for this.\n    Mr. Highley. There is a cyber----\n    Mr. Cauley. One of the things that came out of this was the \nneed to create a Cyber Mutual Assistance Program, and I'd like \nMr. Highley to talk about that work.\n    Mr. Highley. There is a cyber ninja force. It's in its \nearly formation.\n    Senator Franken. Cyber what force?\n    Mr. Highley. Well, somebody said there wasn't a cyber ninja \nforce. There is a cyber ninja force. It's the Cyber Mutual \nAssistance Program that's parallel to the utilities in the \nelectric sector.\n    Senator Franken. Is ninja an acronym or just----\n    [Laughter.]\n    There are too many acronyms.\n    Mr. Highley. We have 93 member utility systems that are \nmembers of Cyber Mutual Assistance that will help each other in \nthe event of a cyberattack and send their IT professionals to \nassist the others in restoration. That means that 80 percent of \nutility customers in the country are covered by that right now \nfrom the membership.\n    Senator Franken. Because I think what the Colonel is saying \nthat after this happens it is not just cyber.\n    Mr. Highley. True.\n    Senator Franken. It is the effects of the cyber.\n    Mr. Highley. True.\n    Senator Franken. And that we have got to be ready for that.\n    Colonel, you were talking about the number of personnel \nthat you have, cyber personnel or people prepared for this in \nWashington. 
What I am wondering about, and you talk about this \ntoo, is the need to train people in this. The need to, you \ncalled it a, some kind of school, schoolhouse, cyber \nschoolhouse program. Are we training enough people to do this? \nAnd how can we do that? That is the question.\n    Mr. Bochman. There's an incredible dearth of trained \nutility qualified or industrial control systems, security \npersonnel in the country, probably in the world. But where we \nneed, the demand signals that we're getting from all over the \nplace, are for a thousand or many thousands of these people who \ncan touch that specialized type of equipment. We probably have \nhundreds from some informal surveys we've done.\n    To your--go ahead.\n    Senator Franken. I am sorry, but I am curious. What \ncountries do this better than we do or which piece of it? In \nother words, I think, Russia attacks well.\n    [Laughter.]\n    I have this theory. You know, other? Who is good at \nattacking and who is good at defending and who has these \npeople?\n    I remember after World War II we took some of the German \nscientists.\n    Mr. McCurdy. Well, Senator.\n    Senator Franken. I am not suggesting--I think we need to \nhave home grown and----\n    Mr. McCurdy. Yeah.\n    Senator Franken. Yes.\n    Mr. McCurdy. Senator Franken, there's a lot in that \nquestion, but first of all, no one can surpass the United \nStates in its offensive capabilities in the cyber arena whether \nit's national security agency or other confident, you know, \nclassified areas. So, put that aside.\n    China, Russia, Israel, in certain respects there are \ncriminal elements. There are subnational levels, Iran. So, you \nknow, there's multiple levels of capabilities.\n    The question is what is the threat to us? And this is all \nrisk assessment. If a nation-state decides they want to take \ndown the grid, there are many ways to attack and it's not just \ncyber. 
It would be a combination of physical and cyber, if it \ngot to that level because that's act of war.\n    Now, there are other ways that people are attacking our \nsystems. They either want to demonstrate capability. They want \nto, you know, steal information. So again, we have to plan for \nthose different types.\n    Recovery is a different question though, and I think you \nwere, kind of, asking that other question. Recovery from the IT \nstandpoint, the ICS, the control systems, that's where we need \nto work with the Federal Government and that's where the--we \nown 90 percent of the infrastructure out there so we have to \nhave those backups.\n    If you're talking about large units that could be affected. \nThat's one issue. It's another if it's computer systems. And on \nmy front, it's mechanical systems. If we have to restart pilot \nlights around the country, you know, in the dead of winter, \nit's pretty challenging.\n    So there are multiple levels that we have to plan for. We \ndo this with regard to storms. A lot of this activity you see, \ncollaborative, is in fact the result of Superstorm Sandy where \nthe Administration worked with utility sectors to respond to a \nnatural disaster. So we've learned. Is it perfect? Never. Will \nit be perfect? You can't get there, but we're improving.\n    Senator Franken. Okay. Thank you. I am way over.\n    The Chairman. Thank you.\n    Senator Cortez Masto.\n    Senator Cortez Masto. Thank you, Madam Chair.\n    I want to follow up on my colleague, Senator Franken. I am \nreally interested in the Cyber Mutual Assistance Program. Can \nyou elaborate? I am really interested in whether there is a set \ninfrastructure to it and put on paper? And do you have \ninvolvement from the federal, state, local government, first \nresponders, everybody that would be involved in an incident? 
\nAnd then, do you have regular table top exercises to address \nsome sort of cyber threat that has an impact on a community's \ngrid and the consequences of that?\n    Mr. Bochman. If you don't mind I'd like to briefly go \nafter, to answer your question, come back from Senator \nFranken's first question to Colonel Welsh of the National Guard \nand Cyber Mutual Assistance and how it is like and how it is \nunlike the mutual assistance that we often reference with \nstorms and Sandy and such.\n    We're all used to, utility folks, are all used to rallying \nwhen a hurricane or a tornado happens. You count on those \nproximate to you who weren't affected, who weren't damaged and \nthey roll trucks and linemen and equipment and help out. That's \na well-worn and very effective process.\n    The thing in the cybersecurity world, and there's a \nsubtlety here which I hope I can convey, they're all not \ninterchangeable people. They all have, they're like specialties \nin the medical profession, all right? You can't take a brain \nsurgeon and help someone set their leg and vice versa.\n    So the people that are capable of bringing cybersecurity \ngood effects after an incident are those most familiar with the \nparticular type of equipment that that utility uses, which \nmeans, and DoD Under Secretary Paul Stockton who was in charge \nof mission assurance at the time articulated this, that your \nbest ally when you need that type of help and it may come from \na National Guard source, we're all looking to the National \nGuard increasingly for this capability is not the person in the \nutility that's right next to you.\n    This could be a person in the utility on the complete other \nside of the country, but the control systems you use are the \nsame make and model. And so, and not only that, since you knew \nthat, you practiced and did exchanges beforehand and built a \ntrust level with that person and a level of familiarity with \nthat person. 
So that when you're in your time of great need, \nyou knew who to call. You trusted them and they were familiar \nenough with your environment that you let them come. You trust \nthem and they could potentially help you in that situation.\n    Senator Cortez Masto. Okay, just so I understand, because \nwhat I am thinking about are, let me just put it in conceptual \nterms or rings. The interior ring is the cybersecurity \nspecialists that responded at that level. The next would be \ncommunity-wide, what is happening in that community and the \nresponders that would be involved and the impact to that \ncommunity and then whether it goes state and then federal.\n    So what you are talking and what I hear is that the Cyber \nMutual Assistance Program is that first ring. That is all that \nis involved and that is sharing that information back and forth \nto those cybersecurity experts who are addressing a response at \nthat time. Is that correct?\n    Mr. Highley. The Cyber Mutual Assistance Program is a \nwritten agreement that 93 member utilities have signed to share \nresources and then to trade who has what kind of system. Then \nit goes over to NERC and the exercise we do under GridEx where \nwe get all the sectors together to practice the restoration, \nthe rest of the circles. So working with state and local \ngovernments on restoration is what we also do with NERC, \nthrough GridEx.\n    Senator Cortez Masto. Okay, that is helpful.\n    Is that done on a regular basis or are there things that we \nneed to improve upon those circles and that response?\n    Mr. Cauley. Well, we do the GridEx exercise every two \nyears. The next one will be November. The intervening time \nbetween there's a lot of building capability and doing mini \nexercises to develop that, test that capability.\n    This coming exercise in mid-November will have a new \nemphasis on having state level participation and emergency \nresponse at the local and state level involved in the exercise. 
\nIt's been there in the past. We just need to make it much more \nexpansive this time around.\n    Senator Cortez Masto. Thank you.\n    Let me follow up very quickly on something that the \nChairman started talking about. I have been sitting in a number \nof these committee hearings addressing cybersecurity threats. \nAnd thank you very much, it is such an important topic.\n    One of the things I constantly hear is the need to be able \nto expedite and share classified information with private \ncompanies and utilities and with the federal level as well. I \nam curious, do any of you have suggestions that could improve \nCRISP's ability to distribute classified and unclassified \ninformation in a timely fashion while still protecting that \nclassified content?\n    Mr. Cauley. I'll--I'd like to answer the question more \nbroadly even than it was asked.\n    I think what's happened is that in the last couple years \nour position has changed to the point where protecting our \ncritical infrastructure, including the electricity system, is a \nnational security matter. I think what we've got to do is \nfigure out how do we get government and industry to work \ntogether like we have a shared problem in front of us and not \nthat the assets belong to the power companies and our job over \nhere, historically, has been to find sensitive information and \nclassified information and protect it. I think it starts with, \nreally, two things.\n    One is getting industry and the top levels of government \ntogether and develop a strategy and a plan going forward on how \nwe're going to manage the critical nature of these assets to \nnational security and how we're going to protect that. 
I think \nsomething like that was proposed in the NIAC report recently.\n    Then the second piece is how do we, if we believe in the \nplan and we're going to work the plan together, how do we \nbecome part of a shared community where we trust sharing the \ninformation because the old rules of protecting classified \ninformation, sensitive information. We have cases where we've \nactually created new information out of the CRISP project, \nhanded it over to the government and then the government says \nnow that's classified. But we just gave it to you, so we're \nhaving a hard time sharing it because you just classified it. \nWe need to figure out a new set of ground rules around a \npartnership between industry and government on fighting the war \ntogether.\n    Senator Cortez Masto. Thank you. I appreciate the \nopportunity to speak today.\n    The Chairman. Thank you.\n    Senator Duckworth.\n    Senator Duckworth. Thank you, Chairman Murkowski, Ranking \nMember Cantwell, for convening this very important hearing \nabout how we can secure our energy infrastructure against cyber \nthreats.\n    When I was on the House Armed Services Committee, I saw, \nfirst-hand, the vulnerability across departmental efforts on \nthis. For example, I was touring a contractor for a major Army \nmaneuver command and they had the capability. They were very \nproud to show me that they had installed low wattage light \nbulbs for the street lights at this military post. They were \nshowing me in Illinois how they could dim the lights and save \nenergy at the post.\n    But I was in a room where they were controlling the grid \nfor this major military command in Texas, and I said, who has \naccess to this computer? Who has a security clearance? They had \none person with a security clearance who was an engineer over \nthere. I said, oh. The room is just left unlocked but look at \nwhat we can do, how nifty this is. We're saving all this \nenergy. 
And there was no thought to the cyber.\n    And yet, this post is the headquarters of a major military \ncommand, and it was connected to the civilian grid of the \ncommunity immediately off post. So anybody could have gotten \naccess to that room, to that computer, and affected not just \nthe military installation but also the civilian community on \nthe outside. That's why, I think, we need to be much more \nsophisticated in how we talk about these issues.\n    In my own home state, Argonne National Laboratory has a \nteam of scientists and researchers with deep expertise in \ncybersecurity and critical infrastructure. They have been \nworking on developing advanced power grid, cybersecurity \nsolutions for DOE cybersecurity for the energy delivery systems \nprogram, including cloud-based grid applications, wide-area \nprotection and control and distributed energy resource \nmanagement systems.\n    Ms. Hoffman and Mr. Bochman, can each of you quickly \naddress the value of this cutting-edge research that is being \nconducted at Argonne at this time?\n    Ms. Hoffman. So thank you to the Senator for the question.\n    The laboratories provide a wealth of research and solutions \nfor these energy delivery systems, and Argonne National \nLaboratory is on the cutting-edge of a couple of topics.\n    You've mentioned clouds. Cloud-based computing is now being \nevaluated and looked at to be implemented within the energy \nsector, especially around the smaller type utilities that want \nto look for cost-effective solutions. Getting ahead of \nimplementing cloud-based solutions is absolutely critical that \nwe build security in. 
That is one example that they are working \non.\n    I was--admit I did not bring it up when Senator Stabenow \nbrought up about the distributed energy resources, but looking \nat security around inverters, the work that Argonne is doing \nthere is also a critical, important asset.\n    But the national laboratories, working together, through \nthe Grid Modernization Lab Consortium, really provide an \nopportunity for us to add value across all the capabilities of \nthe national labs.\n    Senator Duckworth. Thank you.\n    Mr. Bochman. Thanks, Pat. And Senator, thanks for the \nquestion.\n    Yes, we have many fine colleagues, really brilliant people \nat Argonne and appreciate the effort that they bring.\n    To go right at your question with two concrete examples. \nThe oft-referenced CRISP program for threat intelligence and \ninformation sharing in the energy sector, Argonne plays a very \nimportant part of that, both in its current version and as \nwe're working to improve it in some ways so it's better for the \ncustomers.\n    They also play an important role in a California/DOE-\nfunded, supported, California energy systems for the 21st \ncentury project that involves machine-to-machine information \nthreat sharing. So whenever people say this needs to be faster \nand near real time or real time, that project that Argonne \nplays an important part on along with INL, PNNL and other labs. \nThey play a big role.\n    Right to your first thing, I want to finish this. When you \ngave that very bleak example, I don't know how many years ago \nthat was, but I assume it could still be----\n    Senator Duckworth. Not too many.\n    Mr. Bochman. We could find that still today, right?\n    I think the ultimate solution for problems that are as \nheinous as that is a cultural one, not a technology one. 
When \nwe eventually start to see that security which we haven't spent \nmuch time worrying about up until recently, it is actually \nevery bit as much a safety issue as a compliance issue or \nanything else and some lapse in security somewhere could cause \nphysical damage or kill people in other places.\n    Once those two things are fused much more tightly than they \nare today in people's minds, I think you'll see better behavior \nacross the board.\n    Senator Duckworth. And, you know, people have just simply \nhad not thought about the cyber part. They were just very proud \nof the fact that they were saving money for the DoD.\n    Mr. Bochman. Right.\n    Senator Duckworth. And how great it was to have this \ntechnology. When I brought up how vulnerable are you to \ncyberattack, it was something that the engineers, because they \nwere worried about wattage and controlling the street lamps, it \nnever occurred to them that they could be under cyberattack.\n    So I would think that you both would agree with me that \nCongress should prioritize funding for research like the one at \nArgonne in developing efforts in this area.\n    Mr. Bochman. Sure thing.\n    Senator Duckworth. Thank you.\n    I am out of time. Thank you, Madam Chairman.\n    The Chairman. Thank you, Senator Duckworth.\n    Senator Cantwell.\n    Senator Cantwell. Thank you, Madam Chair, and thanks to all \nthe witnesses and to our colleagues. I think this has been a \nvery good hearing illuminating where we are and many of the \nchallenges we face going forward.\n    Mr. McCurdy, I wanted to ask you, there is a 2014 Bloomberg \nreport that states, ``hackers had shut down,'' this was in \nTurkey, ``had shut down alarms, cut off communications, super \npressurized a crude oil pipeline which led to a physical \nexplosion. 
The main weapon, Valve Station 30, was a keyboard.''\n    We've given the Transportation Security Administration \n(TSA) the responsibility for mandatory reliability standards, \nand yet, here we are with TSA in this ever-changing and dynamic \nenvironment. What is the TSA budget for these activities and \nhow many TSA employees are actually involved in the \ncybersecurity of the million miles of pipeline that we have in \nthe United States?\n    Mr. McCurdy. Well, it was, I guess, above my pay grade. I \ndon't know what their budget is. I'd have to check. You \nprobably do, I think.\n    It's a--and you're right. We have 2.5 million miles of \nnatural gas pipelines which is only a little less than the 2.6 \nmillion miles of paved roads.\n    The TSA does regular audits. They do cooperate. We work \nclosely. They are a subject matter expert in the Department of \nTransportation, as is PHMSA.\n    We talk about the culture of safety and security being \ntogether. That's where it really does come closest, and they \nare expert in that area.\n    We dual hat. The other, as they say, is energy and as to \nthe extent that we are interdependent and support them, we do \nbenefit from that relationship in and across sector sharing of \ntechnologies, standards.\n    We've done things as well. Downstream Natural Gas, we \nformed our own ISAC. Gerry runs the E-ISAC. We now have, we \njust announced that the Downstream Natural Gas ISAC has a seat \nin the E-ISAC. So, there is this sharing.\n    We get the alerts that they put out that are relevant to \nour sector so that we disseminate that to our, you know, \ncritical owners and operators out there in the system. So \nthere's a lot.\n    We use Idaho labs. We use the ICS CERT. We were involved in \nthe NIST, development of the NIST standard. So the industry is \nvery pro-active on this front, and we've had good collaboration \nwith TSA.\n    Senator Cantwell. 
I think you hit on it, which is the \nnotion that you are on the private side and on the public side \nGAO has said that we still don't have the metrics needed to \nmeasure the relative cybersecurity of our pipeline system.\n    I think what we need to do is, as we continue to see, and I \nmentioned the situation in Turkey, as those kinds of threats \nprevail, we need to elevate this discussion like we are doing \ntoday. But to get the Transportation Security Administration, \nwho I'm not sure everybody understands who they are and what \nrole they play in this, to some elevated level so that we \nactually have metrics here that we are holding the industry \naccountable.\n    Now, I know, you may say something like that people would \nprobably say, wait, wait, wait, no, we don't want any new \nregulation. But at the same time, I am for the collaborative \neffort. I am. I think that we have to have some measurables \nhere that we need to put in place.\n    So we will be looking at that.\n    Mr. McCurdy. Well again, you know, I think it would be an \nopportunity to bring them in and have that conversation as \nwell.\n    But when you look at the cybersecurity standards and if you \nlook at--which are minimal. What we do beyond that in the level \nof focus it has now within the companies themselves.\n    I'll give you an example, I have some CEOs in this week, a \nleadership program. A CEO told me this morning, they're now \nrecruiting board members from software companies or from IT \ncompanies or security firms because that's an expertise they \nneed to even continue to push.\n    So, on the private side, I can only speak to that. But I \nwill tell you that it's a constantly evolving system and the \nthreat evolves, with our actions evolving and we try to stay up \nwith that.\n    Senator Cantwell. You are willing to think about those \nthings in a collaborative fashion.\n    Mr. McCurdy. 
We have a culture of safety which means that \nwe constantly adapt and improve. And as the Ranking Member \nknows, I've been involved in this for quite some time. I've \nwatched this evolve. And anyone who's static is lost. It's a \nconstant challenging game, and we have to be on top.\n    Senator Cantwell. Well, I wanted, if I could, Madam Chair. \nI know we have a vote that has been called. I wanted to again \nthank Colonel Welsh for being here and for all that is \nhappening in the State of Washington.\n    And to the point that Mr. McCurdy was just making, what you \nhave hit on is 600, I think, cyber personnel within the \nNational Guard. So, that's been a great bonus to the operation \nand infrastructure.\n    It sounds like cross pollination of cyber expertise in \nsecurity as it relates to the infrastructure. We need to \ncontinue to do that.\n    I know that the Center for Strategic and International \nStudies has called it a human capital crisis, that there will \nbe by 2020 an opening of 1.5 million cybersecurity positions. \nDo you have thoughts on how we should proceed on a cyber \nworkforce?\n    [Laughter.]\n    Either from your own National Guard perspective. I know \nwhat we're doing at the University of Washington, which is \nreally great work, particularly at University of Washington, \nTacoma with three different levels of degrees in cybersecurity. \nBut is there more that we need to do, even within our own \nranks?\n    Colonel Welsh. You bet, Senator.\n    So, I think, in some ways, I mean, just the fact that we've \ngot that number of cyber professionals in the state is its own \neconomic engine, you know, if managed appropriately.\n    But you know, the National Guard does a great job of \ntraining folks. We get them into school. They're drug free. You \nknow they're in great shape. 
Then they get security clearances, \nso I mean, that's a huge benefit to companies out there from, \nsort of, we can give back a little bit.\n    But you're right. There are more jobs than people out \nthere. We've got some great training programs with University \nof Washington, great internship opportunities in the state. And \nthat's the great thing about, as I talked before about, the \nAdjutant Generals Convening Authority. You can actually, kind \nof, get folks together and talk about things like educational \ndiversity and things like that.\n    So we're doing good on workforce development. There's a lot \nmore to do. But again, it's things like having jobs in the \nGuard. It's having jobs in the state that as we have good folks \ncome out of schools we can actually place them and they can get \nto work.\n    Senator Cantwell. And do you think that that kind of \ninformation and partnership, as you alluded to in your \ntestimony, has put us, I don't mean ahead, but on the right \ntrack, as it relates to outlining this theme throughout the \nconversation, which has been how do we share information, how \ndo we analyze and share this critical information?\n    Do you think the fact that we are knitting a culture in \nlayers across the public and private sector is creating avenues \nfor information sharing that didn't exist before?\n    Colonel Welsh. Yes. We don't copyright our processes at all \nin Washington State. So we are willing to share. Everything we \ndo we'll be more than happy to talk about and discuss, but \nagain, it's one approach that has worked.\n    I'm worried more about the states that aren't. And really, \nwe, in some ways, have really have and have nots, if you look \nacross the states. I think the Senator from Hawaii was, sort \nof, nibbling around that a little bit.\n    We're fortunate in the state. We're geographically blessed. 
\nBut there are others that aren't and when you look, from an \nattacker's perspective, you just have to find the one that \nisn't and start there.\n    Senator Cantwell. Did you want to say something, Mr. \nBochman?\n    Mr. Bochman. Yeah, thanks, Senator.\n    Yeah, sure, the Pacific Northwest National Lab in your \nstate of Washington, the Idaho National Lab and Sandia down in \nNew Mexico, are arguably the three most operational technology \nor industrial security-oriented and capable labs in the \ncomplex. There's others as well that assist. And recognizing \nthat tremendous shortfall in that type of talent, not just a \ngeneric IT security talent, but industrial control system \nsecurity specialists which requires years of experience and \nspecial education.\n    Those three labs have joined together to work with the \nregional universities, with other government agencies, with \nSTEM programs, to begin to really kick this into a much higher \ngear than it seems to be doing on its own.\n    Senator Cantwell. I would just note for everyone that the \nChair and I have worked hard on this and we still have \nprovisions of the energy bill that we would like to see passed \nthat would double the R&D for this effort in DOE and help us \nlook at a supply chain initiative and invest in the cyber \nworkforce, given that there is such a high need. So, we hope \nthat we will be able to keep pushing those ideas and getting \nour colleagues in the House to understand.\n    I think we had a great representation here today and lots \nof great questions, lots of good information brought out by our \ncolleagues.\n    Thank you.\n    The Chairman. Thank you, Senator Cantwell.\n    I appreciate your comments there at the end, General Welsh, \nabout the fact that in certain states, they are perhaps not as \nevenly endowed with the resources. Of course, Alaska and Hawaii \nsit off that grid. Sometimes the simplicity of our grid is \nsomething that gives us a little more comfort. 
But at the end \nof the day, we are truly one of those islanded states when it \ncomes to access to resources as well.\n    Senator Cantwell mentioned the metrics and how we measure, \nand there has been a lot of discussion in these past four, now \nfive, hearings that we have had when we have been talking about \ninfrastructure and talking about regulation and permitting and \nall that that entails. But we recognize that when it comes to \nregulations there are mandatory and there are voluntary. There \nare tradeoffs and benefits, I think, to each. But in \nrecognizing that when we are talking about cybersecurity, our \nreal challenge here is to be nimble, to be faster and smarter \nthan the guys that are looking to bring us down.\n    What is the right mix between mandatory as opposed to \nvoluntary regulation? I don't know if any of you have anything \nconcrete, but it is something that we need to assess here as we \nare looking at legislating.\n    Mr. Cauley?\n    Mr. Cauley. I think mandatory requirements have their place, \nand I think what we've done in the bulk power system is an \nappropriate fit where you have the most critical assets in the \nsystem. You want to make sure that everyone is meeting a \nthreshold set of requirements that, you know, you could be \nharmed by the weakest link. So, I think, there's comfort across \nthe industry having a common set of standards that are risk-\nbased.\n    It also helps with the mandatory standards in terms of cost \nrecovery and making sure that the resources and investments are \nthere. So, I think, the power industry appreciates having \nmandatory standards for the bulk power system.\n    I think in other areas it may be more challenging. And I, \nyou know, one area where I'm particularly concerned is a lot of \nthe electronics and the distribution system. 
How do we get \nguidelines and best practices adopted in a consistent way \nacross so many different jurisdictions?\n    I think mandatory standards there would be very difficult \ngiven the jurisdictional challenge, but getting stronger \nguidelines and practices in a consistent way across that area \nwould be helpful.\n    The Chairman. Mr. McCurdy, on the gas side, do you think \nthat the gas industry needs a set of mandatory standards? \nShould the mandatory NERC cyber standards need to apply to the \ngas industry?\n    Mr. McCurdy. No.\n    The Chairman. Okay, that's easy.\n    [Laughter.]\n    Mr. McCurdy. The--and part of that is the nature of the \nsystems themselves. We've seen and we've all learned in the \nelectric sector that because of its true interconnectedness and \neven though there are sub grids there, there can be massive \ncascading failures and those are critical infrastructures and \nthey are a lifeline and they're absolutely essential for our \neconomy and way of life and in public safety.\n    It's less of a challenge, less risk, I think, in the gas \ndistribution network. There are potentials, but they are not \nbecause they're--it's mechanical, it's gas, it's pressurized \nand it's less likely to have a complete regional failure based \non a particular attack. So I think we've evolved. 
We're growing \ninto that.\n    The reason this is now part of this hearing, I think, and \nfocus is the more that the electric sector is using natural gas \nas a base fuel, there is the concern what's the reliability in \nthe access to that fuel?\n    That's both the cyber question, but that's also a physical \nquestion that you know extremely well and that's where pipeline \npermitting and infrastructure and capacity, those are all \nissues as well.\n    The Northeast in the Polar Vortex, that was raised earlier, \nwas more risk because they had limited access to natural gas \npipelines through firm capacity contracts than they are from a \ncascading failure because of some incident.\n    So those are both questions that we have to ask and that's \nsomething that FERC has to deal with and it's a regional issue, \nit's not federal.\n    The Chairman. Yes.\n    Mr. McCurdy. It's not a federal fix. It's going to be a \nregional fix, but we all need to be working together and raise \nthe awareness of that concern. That's the reason I put that one \nsection in my testimony about the access.\n    The Chairman. We have got a vote that started at noon and \nit is a 15-minute vote, but we are on Senate time here. So I am \ngoing to ask Ms. Hoffman, you wanted to weigh in and I also \nwanted to ask you. With the FAST Act we have identified DOE as \nthe head, if you will, in terms of granting authority to direct \nutility action. Do you think that is being recognized and \nrespected by DHS? Are we on the same footing as DHS?\n    Ms. Hoffman. So the answer is yes, but I do believe that \nthere is the interdependence issue that DHS has a strong \ncapability of making sure that the interdependencies are \nrecognized.\n    The one point that I wanted to make on the earlier \nconversation is how do we measure success? 
I think at the end \nof the day the way to measure success is to make sure that \nevery industry and sector has the capabilities to do what needs \nto be done when a cyber event occurs. So whether it's a \nworkforce capability, whether it's installing additional \nequipment, whether it's having continuous monitoring, that we \nhave the capabilities built and that we can test against those \ncapabilities and be evaluated that we're performing correctly \nwith those capabilities. That was the comment I wanted to add.\n    The Chairman. Okay.\n    Mr. Bochman, you get the last word.\n    Mr. Bochman. Fantastic. Thanks, Senator.\n    Your opening question about voluntary or mandatory types of \nsecurity guidance, I think there's something, there's some \nthings, there's three flavors, I think. There's guidance and \nbest practices.\n    And just back from Estonia where the Baltic Sea and Black \nSea countries are, who are all trying to figure out how to \nregulate their energy sectors for security. They are so \nthankful that the DOE had put down in writing some very helpful \nbest practices, both for managing--both for measuring maturity \nof security practices and also for procurement guidelines. \nThese are things that took a lot of effort and a lot of \nexpertise to build and give some of our friends a big head \nstart. And so that's one plug for them. They appreciated that. \nThose are guidelines.\n    Swing to the other extreme, are mandatory things. Thou must \ndo, else you'll be penalized a significant amount of money and \nyou won't like it reputationally either. That's the NERC CIPs. \nThose have moved the utilities, many would argue, much farther, \nmuch faster than they otherwise might have, if they hadn't had \nto comply with those. With those, that's the stick, right?\n    I think I'll finish with the carrot. 
The carrot which I've \nseen from--that seems missing, I think in some and could be \nimproved from work with public utility commissions and \nutilities themselves would be incentives, ways to motivate, \nfinancially and otherwise, motivate good security behaviors \nthat aren't just the stick of the mandatory things, but \ncertainly go far beyond the guidelines and the best practices \nyou should do these things. I think if we could look at \nincentives to motivate the types of behavior we want, I think \nyou might see things go a lot farther, a lot faster.\n    Mr. McCurdy. And just on that point, if I could, because we \nare state regulated in the natural gas area. And the current \nChairman of NARUC was just at our offices this morning.\n    We now have reimbursement. They are rate based. The ability \nto rate base the cost of cyber is a big deal. And if--because \nit's huge. You can, you know, throw money at this forever and \nnever get to the level you want. But if you don't have it as \nrecoverable in your rates, then it doesn't really work.\n    So, that's--they are moving in that direction. So that's \nwhere the partnership with the states is really very critical \nfrom the incentive standpoint.\n    The Chairman. Good.\n    We could clearly go on for a long time, but even by Senate \nstandards, I am late.\n    [Laughter.]\n    I thank you all for your very, very important testimony. I \nthink you saw the level of interest here. Know that we will \ncontinue to work in this important area.\n    Thank you.\n    We stand adjourned.\n    [Whereupon, at 12:22 p.m. the hearing was adjourned.]\n\n                      APPENDIX MATERIAL SUBMITTED\n\n                              ----------    \n                              \n                              \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                              \n\n\n\n</pre></body></html>\n"