[Senate Hearing 115-489]
[From the U.S. Government Publishing Office]


                                                    S. Hrg. 115-489

ADVANCED CYBER TECHNOLOGIES THAT COULD BE USED TO HELP PROTECT ELECTRIC 
        GRIDS AND OTHER ENERGY INFRASTRUCTURE FROM CYBERATTACKS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                      ENERGY AND NATURAL RESOURCES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 26, 2017

                               __________

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                       Printed for the use of the
               Committee on Energy and Natural Resources

        Available via the World Wide Web: http://www.govinfo.gov
        
                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
27-434                      WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------        
        
        
        
               COMMITTEE ON ENERGY AND NATURAL RESOURCES

                    LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming               MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho                RON WYDEN, Oregon
MIKE LEE, Utah                       BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona                  DEBBIE STABENOW, Michigan
STEVE DAINES, Montana                AL FRANKEN, Minnesota
CORY GARDNER, Colorado               JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee           MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota            MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana              ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio                    TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama              CATHERINE CORTEZ MASTO, Nevada

                      Brian Hughes, Staff Director
                Patrick J. McCormick III, Chief Counsel
                     Isaac Edwards, Senior Counsel
           Angela Becker-Dippmann, Democratic Staff Director
                Sam E. Fowler, Democratic Chief Counsel
                David Gillers, Democratic Senior Counsel
                            
                            
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska....     1
Cantwell, Hon. Maria, Ranking Member and a U.S. Senator from 
  Washington.....................................................     2

                               WITNESSES

Imhoff, Carl, Manager, Electricity Market Sector, Pacific 
  Northwest National Laboratory..................................     5
Raines, Dr. Richard, Director of Electrical and Electronics 
  Systems Research, Oak Ridge National Laboratory................    13
Tudor, Zachary D., Associate Laboratory Director, National and 
  Homeland Security, Idaho National Laboratory...................    25
Earl, Dr. Duncan, President & Chief Technology Officer, Qubitekk, 
  Inc............................................................    36
Riedel, Daniel, CEO and Founder, New Context Services, Inc.......    40

          ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED

Cantwell, Hon. Maria:
    Opening Statement............................................     2
Earl, Dr. Duncan:
    Opening Statement............................................    36
    Written Testimony............................................    38
    Responses to Questions for the Record........................    75
Imhoff, Carl:
    Opening Statement............................................     5
    Written Testimony............................................     7
    Responses to Questions for the Record........................    66
Murkowski, Hon. Lisa:
    Opening Statement............................................     1
Raines, Dr. Richard:
    Opening Statement............................................    13
    Written Testimony............................................    15
    Response to Question for the Record..........................    70
Riedel, Daniel:
    Opening Statement............................................    40
    Written Testimony............................................    42
Tenable, Inc. and Siemens Energy:
    Statement for the Record.....................................    77
Tudor, Zachary D.:
    Opening Statement............................................    25
    Written Testimony............................................    28
    Responses to Questions for the Record........................    72

 
ADVANCED CYBER TECHNOLOGIES THAT COULD BE USED TO HELP PROTECT ELECTRIC 
        GRIDS AND OTHER ENERGY INFRASTRUCTURE FROM CYBERATTACKS

                              ----------                              


                       THURSDAY, OCTOBER 26, 2017

                                       U.S. Senate,
                 Committee on Energy and Natural Resources,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:01 a.m. in 
Room SD-366, Dirksen Senate Office Building, Hon. Lisa 
Murkowski, Chairman of the Committee, presiding.

           OPENING STATEMENT OF HON. LISA MURKOWSKI, 
                    U.S. SENATOR FROM ALASKA

    The Chairman. Good morning, everyone. The Committee will 
come to order. I apologize we are a little bit later starting 
than I had hoped.
    Over the years, we have conducted a number of hearings 
designed to examine the vulnerabilities of our nation's 
electric grid system. In this Congress, we have held a series 
of hearings focused on cybersecurity, electromagnetic pulse, 
and grid security issues at both the full and the subcommittee 
levels.
    During today's hearing, we will add to that, by looking at 
advanced and emerging cyber technologies and processes that are 
being developed in our national labs and in the private sector. 
These are technological improvements and sometimes 
breakthroughs, that could be used to protect the grid, as well 
as other critical energy infrastructure, from future 
cyberattacks.
    I have mentioned, certainly many times in this Committee, 
but outside of the Committee as well, that around the country 
sometimes we get the sense that folks believe in this 
``immaculate conception'' theory of energy, that it just 
happens. We all recognize, I think, that there is a lot more to 
this than that.
    A related question is, what happens when the lights don't 
turn on? When you flip that switch and you just expect it to 
happen, and then they do not turn on. What happens when 
electricity is out for an extended period of time? And we are 
certainly seeing that in Puerto Rico and the U.S. Virgin 
Islands right now, the real-world impact of an extended power 
outage.
    Just as we can harden our energy infrastructure to protect 
it from natural disasters, we must also look to ways to harden 
the grid from constantly evolving cyber intrusions as well. It 
seems like every day now we hear about an attempted hack or 
actual breach that has taken place, and the list is long and 
getting longer. OPM, Ukraine's power grid, the WannaCry 
ransomware, Equifax, Anthem, Home Depot, Target, the list keeps 
growing and growing. Just last Friday, the Department of 
Homeland Security issued a public alert of an ongoing hacking 
threat to the U.S. energy systems.
    In the midst of all of this, we have to continually look 
for ways to eliminate, diminish, or mitigate our 
vulnerabilities. So whether it is the application of quantum 
encryption, artificial intelligence, or moving control of grid 
infrastructure off of the public internet, the witnesses we 
have today will help provide our Committee with insights into 
how we can protect our national energy infrastructure now and 
into the future.
    I mentioned quantum encryption, and I would like to note a 
recent article by McClatchy about the advances that China has 
made on this topic. Earlier this year China announced that a 
satellite and ground station 745 miles apart had communicated 
through quantum particles. Last month a video conference 
between China and Austria, a distance of about 4,600 miles, was 
held via China's quantum satellite. They have established a 
1,200-mile quantum link between Shanghai and Beijing and 
announced that they will build a $10 billion quantum research 
facility. According to that article, some scientists believe 
that with the amount of resources China is putting into the 
field, a quantum computer may be built in a decade or less. 
Whether or not these claims are accurate, I think, remains to 
be seen, but it is clear that significant research is underway 
around the world in the cyber realm.
    I want to thank our witnesses for joining us today. I look 
forward to learning about the efforts that you have been 
involved with to combat and deal with this threat, particularly 
on the work that you are doing to keep our electric grid and 
our energy infrastructure safe and reliable. So thank you for 
joining us.
    I now turn to Senator Cantwell for her comments. And I want 
to thank you, Senator Cantwell, because you have been dogged 
and persistent when it comes to the issue of cyber and the 
cyber threats, particularly as they relate to our energy grids.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Well, thank you, Madam Chair, and thanks 
for scheduling this important hearing so we can continue the 
discussion about what technologies we need to protect our 
electric grid and make sure that our whole energy 
infrastructure is protected from cyberattacks.
    I want to say at the outset, I spent much of this summer 
working on this issue and spent a great deal of time at our 
national labs with Secretary Perry focusing on some of our 
cybersecurity solutions. I hope that he understands the 
pressing need here and will restore the DOE's crippling 
cybersecurity budget that was proposed by the Administration. 
It is very important that we continue to have the resources as 
a nation to fight and to protect key energy infrastructure.
    I am dismayed that instead of focusing on cybersecurity as 
one of the key issues of resiliency, he is instead trying to 
get a command economy approach with FERC by trying to change 
market-based rate prices for consumers and instead trying to 
push a rule that would drive coal into the marketplace and 
raise rates on consumers. I think that FERC operates best when 
it operates on market rules.
    I am also requesting this morning, Madam Chair, in light of 
yesterday or two days ago's amazing news about the huge 
increase in park fees that we have a hearing on this in the 
future. Many of my constituents woke up to, literally, shock 
over the fact that these exorbitant rates would be charged in 
our park system. I hope that we can have some input on this and 
show that our constituents are extremely concerned about it. 
For us in the Northwest, our outdoor economy is a big 
juggernaut. I know it is in your state as well.
    But anyway, thank you for having this hearing and thank you 
to the witnesses for being here. It is such a critical issue 
and getting your input is very important.
    I would also like to especially welcome Mr. Carl Imhoff, 
who is testifying on behalf of the Pacific Northwest National 
Laboratory (PNNL). Again, thank you for hosting us and the 
Secretary earlier this year and for all the impressive work 
that you do.
    Cybersecurity is the one issue that keeps me up at night 
worrying about how foreign entities and actors might attack us 
as the next provocation in a national/international effort. We 
used to think of it as a plane that might fly into airspace or 
a sub that might cross international waters, and now what we 
have to worry about is provocations from actual grid attacks. 
If we don't make the necessary investments to prevent and 
defend against these impacts, our enemies could succeed in 
causing widespread blackouts or devastating the economy or 
threatening to bring millions of Americans to the point of 
without power being in great disarray.
    As I referenced earlier, the Trump Administration proposed 
budget cuts to the cyber programs at DOE and put our critical 
infrastructure at risk. I have conveyed those concerns to the 
Administration in two letters, and as I said, spent a lot of 
time this summer hoping that they would see the impacts here to 
our budget and what they would do.
    Since our Committee's last cybersecurity hearing when we 
discussed the Ukraine outages of 2015 and 2016, we have 
witnessed numerous large-scale cyberattacks as the risks 
continue to grow. In July, the Washington Post reported that 
the Russian government hackers were behind cyber intrusions 
into U.S. nuclear power plant business systems. In September, 
it was revealed that the hackers accessed the personal 
information of 143 million Americans through the data breach of 
Equifax. And just this week, the Department of Homeland 
Security issued a report about ongoing cyber threats to 
nuclear, water, and energy sectors that appear to reference the 
July incidents that I just mentioned.
    With each day of cybersecurity threats to the grid and the 
multiple efforts that are underway, it is important that we 
continue to combat effectively our security risk through 
innovation. We need to take action.
    The good news is our national labs are ready to play a key 
role in bolstering our cybersecurity, and they do so in close 
collaboration with the private sector. The PNNL cyber firewall 
blocks 24 million suspected internet communications, 25,000 of 
which are confirmed cyberattacks. That is what they do each 
day, so I have no doubt that they know how to help protect our 
country and our important missions.
    Our witnesses today will demonstrate the breakthroughs that 
result from these productive public-private partnerships and 
why they need to continue. In that vein, I am calling on an 
increase in collaboration between the government, private 
sector, utilities, military, and academia. I know we are going 
to, in our state, try to continue the discussion at the 
University of Washington Bothell in a symposium on energy 
cybersecurity workforce.
    I have also, on the Commerce Committee, attended some of 
the hearings that that Committee has had on cyber workforce. 
And we know from our DOE Quadrennial Energy Review, this is 
exactly what the previous Secretary said we needed to do, was 
to help build the cyber workforce for tomorrow. Hopefully this 
symposium will bring together critical partners to leverage the 
knowledge, expertise, and experience of all aspects of the 
challenge that we face.
    It is clear to me that cyber solutions will require us to 
leverage the world class expertise of our labs, the private 
sector, and all of us working together. That is why I hope that 
Secretary Perry and the President will reverse their harmful 32 
percent cut to the Department of Energy's cybersecurity budget 
without further delay and hopefully help us make the 
investments we need for the future.
    Thank you.
    The Chairman. Thank you, Senator Cantwell.
    Know that I join you in your concern with the recent 
announcement from Park Service about the fees. So that is 
something that we will look to.
    I welcome you to the Committee this morning. Thank you for 
giving us your time.
    I will introduce each of you and give you an opportunity to 
present your opening statements for approximately five minutes 
or so. Know that your full statements will be included as part 
of the record. After each of you have presented, we will have 
an opportunity to ask questions of you.
    We will lead off with Mr. Carl Imhoff, who is the Director 
for the Electricity Market Sector at Pacific Northwest National 
Laboratory. Welcome. Dr. Richard Raines is the Director for 
Electrical and Electronic Systems Research Division at Oak 
Ridge National Laboratory. We have another national lab expert 
with us this morning, Mr. Zachary Tudor, who is the Associate 
Laboratory Director of National and Homeland Security at Idaho 
National Laboratory. Dr. Duncan Earl is with us. He is the 
President and Chief Technology Officer for Qubitekk, 
Incorporated. And the last member of the panel this morning is 
Mr. Daniel Riedel, who is the CEO of New Context Services, Inc. 
We are delighted to have each of you.
    Mr. Imhoff, if you would please lead off, thank you.

 STATEMENT OF CARL IMHOFF, MANAGER, ELECTRICITY MARKET SECTOR, 
             PACIFIC NORTHWEST NATIONAL LABORATORY

    Mr. Imhoff. Thank you, Chairman Murkowski, Ranking Member 
Cantwell, and members of the Committee for the opportunity to 
join this hearing today.
    My name is Carl Imhoff, and I lead the grid research 
program at DOE's Pacific Northwest National Laboratory in 
Washington State. For more than two decades PNNL has supported 
system resilience, reliability, and innovation for DOE and 
utilities across the nation. I also chair DOE's Grid 
Modernization Laboratory Consortium, a team of 12 national 
laboratories, including Oak Ridge and INL, that supports DOE's 
grid modernization initiative, along with over 100 partners 
from academia and industry.
    Today I'd like to offer two points regarding advanced 
technology for improved cyber resilience of the nation's power 
system.
    Point one. Cyber risk information sharing between industry 
and DOE has significantly improved our national grid cyber 
readiness. The public-private effort must continue to advance 
in scope, speed, and industry inclusion to deliver full 
situational awareness of both operational control systems as 
well as utility enterprise networks.
    Point two. Beyond situational awareness, the fundamental 
science and technology offer important opportunities to deliver 
defensive tools that span the growing Internet of Things 
challenges at both the grid edge as well as core grid 
operations. And in this area, I'll offer three examples.
    Looking first at improving grid cyber situational 
awareness, PNNL and DOE developed and deployed the 
Cybersecurity Risk Information Sharing Program, or CRISP, first 
for DOE assets across the U.S. in the early 2000s. This concept 
was successfully tested on utility activities and transitioned 
to industry leadership via NERC over the past few years with 
industry investing in infrastructure and DOE funding the 
intelligence evaluation. This voluntary program identifies 
cyber threats and shares that information with utilities that 
collectively generate over 75 percent of the electricity of the 
United States. This effort continues to expand coverage and 
improve the speed, accuracy and affordability of situational 
awareness tools.
    Going forward, PNNL is extending cyber situational 
awareness to better address grid operational control systems or 
OT and other interdependent infrastructures such as fuel 
delivery in light, natural gas pipelines, and communications. 
We believe that the nation must develop an integrated real-time 
view of the cyber risk spanning the IT and OT elements of the 
power system. NERC standards already require significant sense 
of the OT environment. PNNL is applying advanced real-time 
analytics to these OT data streams leveraging the fundamental 
science of high performance computing, statistics and a re-
emerging field of deep learning. Deep learning refers to 
advances in artificial intelligence concepts from the '90s that 
are delivered on a profoundly improved, high performance 
computing platform. That's the big delta since the '90s. And 
they leverage the ultra large data sets that are growing and 
emerging in the power system as well.
    These new tools will uncover relationships and trends that 
indicate cyber risk or control system anomalies resulting in 
better, faster operational decisions and automated machine-to-
machine exchanges.
    Beyond improved situational awareness, the nation must also 
develop inherently resilient paradigms for networks, open data, 
and system controls.
    Adaptive networks are important because the emerging grid 
is substantially more dependent upon communications today than 
it was even ten years ago.
    PNNL recently teamed with Schweitzer Engineering in 
Washington State to develop a product using a new concept 
called software defined networks to enable reconfiguration of 
communication networks through software commands. These 
networks provide an additional adaptive defense layer for the 
grid.
    Data resilience concepts are important because of the 
growth in e-commerce and new utility market constructs. The 
challenge is how to protect data in open environments. One 
example is blockchain, the technology the Bitcoin uses to 
secure transactions. Resilient data concepts will enable secure 
use of distributed power generation and energy storage systems 
and help secure emerging market constructs like transactive 
energy.
    A third technology innovation is adaptive control systems 
which adjust to real time based upon system conditions. 
Adaptive controls can provide a more level cyber playing field 
by adjusting on the fly to confuse, obfuscate, and mislead 
adversaries as they attack the system.
    Cyber technology innovations are absolutely essential, but 
they're not sufficient to deliver a national cyber readiness 
posture. Small and midsized grid operators must learn and 
implement fundamental best practices in cyber applications and 
regulators and utilities must have new valuation tools and data 
sets to evaluate cyber technology investments and provide the 
regulatory incentives essential to delivering these improved 
technology assets.
    So, in conclusion, industry and DOE cyber sharing efforts 
have significantly advanced our cyber situational awareness and 
the next challenge is to integrate control system situational 
awareness to achieve full awareness across IT and OT systems. 
And in parallel, we need to leverage high performance 
computing, deep learning and new control theory to develop 
inherently resilient systems and system designs for networks, 
data and grid control systems.
    Thank you.
    [The prepared statement of Mr. Imhoff follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Mr. Imhoff.
    Dr. Raines, welcome.

  STATEMENT OF DR. RICHARD RAINES, DIRECTOR OF ELECTRICAL AND 
  ELECTRONICS SYSTEMS RESEARCH, OAK RIDGE NATIONAL LABORATORY

    Dr. Raines. Good morning, Chair Murkowski, Ranking Member 
Cantwell and members of the Committee. Thank you for the 
opportunity to appear before you today with this distinguished 
panel.
    I'm Dr. Rick Raines, Director of Electrical and Electronics 
Systems Research at the Department of Energy's Oak Ridge 
National Laboratory (ORNL). I previously served as the Director 
of Cybersecurity Data Analytics at ORNL which was followed by a 
military and federal service career where I founded and 
directed the Air Force Cyberspace Technical Center of 
Excellence at the Air Force Institute of Technology.
    The Department of Energy's national laboratory system has a 
long history of providing solutions to the nation's hardest 
problems. Our structure and operations encourage partnerships 
with industry and other institutions to solve big science 
challenges. Cybersecurity of our critical energy infrastructure 
is a national challenge demanding national focus.
    Today, I want to address the importance of securing a 
resilient, electrical grid and discuss some of the 
technological breakthroughs we're developing at ORNL to harden 
the grid defenses.
    As you're well aware, our electric grid is a vital national 
asset. It is also a system that's becoming increasingly 
vulnerable to cyber intrusions, due in large part to its 
increased connectivity with the public internet.
    As industry has embraced these technological and cost-
effective advances, operational risks have increased. Energy 
sector devices and systems are experiencing increased exposure 
to savvy and nefarious cyber actors. As a result, we're in a 
highly dynamic cycle of developing cybersecurity measures and 
capabilities to address these rapidly emerging threats.
    Our challenge is to produce solutions to better protect 
energy sector communications and controls while continuing to 
make the grid smarter and to better able recover when problems 
do arise, including the devastating effects of Hurricanes 
Harvey, Irma and Maria.
    At Oak Ridge our scientists and engineers are engaged in 
research to defend and modernize the grid, including real-time 
monitoring and sensing of the grid state and new technologies 
to control and better utilize distributed power resources such 
as community microgrids. We have developed cybersecurity 
technologies that can detect intrusions, such as malicious 
software code, advanced persistent threats, and real-time cyber 
awareness tools to detect anomalies and network communication 
traffic.
    Among our cybersecurity work is a concept called Dark Net. 
The Dark Net vision is to shield the nation's electric grid 
from hostile cyber intrusions while advancing the state of the 
art and anticipating and mitigating threats. The Dark Net, in 
its most simple terms, is a way to get the communications and 
control of the electric grid off the public internet. Moving 
these functions onto a private system could be accomplished 
using existing and underutilized optical fiber, commonly known 
as dark fiber. It's estimated over 100,000 miles of optical 
fibers exist within the U.S. Bundling with multiple fibers, 
communication techniques can easily increase its capacity 
tenfold.
    I'd like to be clear that the Dark Net is not just about 
moving the grid's command and control functions off the public 
internet, nor is it just about the unused fiber that we have, 
but it's about creating and leveraging a holistic tool kit of 
capabilities to make it harder for an adversary to exploit our 
systems.
    Working with our private and public partners we envision 
Dark Net as a highly secure, resilient, and redundant 
communication sensing and technical assistance solution 
supporting all elements of the electric enterprise and its 
supply chain. Our goal is to develop methods so that these 
attacks are automatically detected, isolated, and defended, 
achieving a self-aware, self-healing network. We believe the 
Dark Net project can provide cost-effective, secure solutions 
to include the use of new and existing dark fiber and advanced 
communications and cybersecurity technologies; working with 
industry to create living laboratories where we'll test 
security functionality and resiliency; implementing new 
technologies in tool kit form and operational security 
approaches to protect against grid and cyber threats; and 
lastly, enhancing grid state monitoring with advanced sensing, 
measurement, and situational awareness. The grid must evolve to 
address a variety of challenges such as cyberattack, severe 
weather, a changing mix of power generation types, the growth 
of interconnected smart devices, and the aging of our energy 
infrastructure. We envision Dark Net as a key component in the 
evolution toward a secure national energy asset.
    In conclusion, Oak Ridge National Laboratory and the other 
DOE national labs stand ready to work with public and private 
partners to develop and employ innovative technical solutions 
to protect the nation's electric grid.
    Thank you again for the opportunity to provide this 
briefing. I welcome your questions.
    [The prepared statement of Dr. Raines follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Dr. Raines.
    Mr. Tudor, welcome. I know that Senator Risch wanted to 
make a comment before you spoke.
    Senator Risch. Well thank you.
    Zach, welcome to the Committee. You are in for a real treat 
here.
    I have gotten to know Mr. Tudor in his capacity as 
Associate Lab Director at the Idaho National Laboratory. He is 
responsible for the lab's national and homeland security 
mission and that includes nuclear non-proliferation, critical 
infrastructure protection, obviously, very important to this 
hearing and defense systems missions. He has an incredibly 
impressive resume which I am not going to go into here, but he 
is the right man for the job in Idaho. We are glad to have him, 
and he is the right person for this hearing which you are going 
to see in a moment. So, welcome, Zach.
    The Chairman. Thank you, Senator Risch.
    Mr. Tudor, welcome.

 STATEMENT OF ZACHARY D. TUDOR, ASSOCIATE LABORATORY DIRECTOR, 
   NATIONAL AND HOMELAND SECURITY, IDAHO NATIONAL LABORATORY

    Mr. Tudor. Thanks.
    Chairman Murkowski, Ranking Member Cantwell and 
distinguished members of the Committee, thank you for holding 
this hearing and inviting Idaho National Laboratory's (INL) 
testimony on advanced technologies to protect the U.S. power 
grid and other energy infrastructure from cyberattack. I 
appreciate the opportunity to address this Committee and 
express my utmost respect and gratitude for your leadership and 
continued interest in this topic.
    I also want to acknowledge my peers and partners from 
industry and national labs who will share their examples of 
innovation, unique capabilities and technology breakthroughs in 
areas such as situational awareness, quantum computing, 
sensors, automation, modeling and simulation and visualization.
    The cyberattacks on the Ukraine power grid demonstrated how 
quickly these events can move and impact a wide variety of 
interdependent systems across the region. In the U.S. high 
profile events like Nuclear 17 and Palmetto Fusion illustrate 
why utilities and regulators are concerned with increasing 
burdens due to more sophisticated and frequent cyber events. 
Industry must have advanced capabilities and cyber skills not 
only to detect but also to respond to these events before there 
is an unacceptable impact.
    Protection of the grid and energy infrastructure from 
cyberattack is one of the nation's most difficult technical and 
operational challenges and requires the national laboratory's 
capabilities.
    INL enables research and development of cybersecurity 
solutions to understand and manage the multifaceted 
interdependencies between the grid and other critical 
infrastructure, detect and respond within compressed timelines 
to prevent highly impactful consequences and develop top tiered 
defenders to mitigate sophisticated threat actors. As part of 
our national laboratory leadership role in addressing this 
national challenge, INL advocates that effective grid and 
energy infrastructure protection is achieved, not only with 
advanced technology, but also requires innovative engineering 
approaches in a deep pool of top tiered cyber defenders.
    As such, the development of technology process and people 
are priorities within INL's strategic initiative, the Cybercore 
Integration Center. This initiative is envisioned to create and 
align national science and engineering resources, technical 
expertise, and collaborative partnerships to focus on scalable 
and sustainable control system cybersecurity solutions--
solutions that protect the U.S. grid, other critical 
infrastructure, and also military systems.
    In response to your request for INL's participation in this 
hearing, I provide several examples in the written testimony of 
INL's progress in developing advanced technology solutions, 
advanced engineering processes, and the development of that top 
tier workforce. For brevity, I will quickly summarize four 
examples.
    In collaboration with the partners of the California Energy 
Systems for the 21st Century (CES-21), an innovative concept 
from machine-to-machine automated threat responses is being 
developed. When this research proves successful, utilities, and 
not only California utilities, will have access to automated 
threat and exploit prioritization capabilities that will reduce 
the time for discovery and recovery from illicit behavior 
resulting in increased resiliency of the electric grid.
    The INL Autonomic Intelligent Cyber Sensor will enable 
system owners to more easily design, implement, and monitor 
cyber secured control system networks. The goal of this 
technology is to automate network information, deploy deceptive 
virtual hosts, kind of virtual and dynamic honeypots, and 
identify threats on network traffic with very high accuracy.
    These two advanced technology examples represent 
opportunities to gain benefits of machine-to-machine speed in 
responding to cyber intrusion or attack. The next examples 
emphasize an engineering approach and workforce development 
strategy for grid protection.
    Recognizing that just chasing vulnerabilities has not been 
sufficient. Our Consequence-driven, Cyber-informed Engineering, 
or CCE, is a transformational engineering process methodology 
that fully leverages an organization's deep engineering 
expertise and their intimate knowledge of their own systems and 
processes. This enables the organization to eliminate and 
manage the cyber risks that could result but in the greatest 
consequence.
    A pilot study was completed with a major U.S. electric 
power utility to determine the potential value of CCE to assist 
utilities with reducing cyber risks by implementing cyber-
informed engineering solutions while engineering out 
vulnerabilities and attack pathways that detect those severe 
consequences.
    Following the Ukraine attack, INL researchers used their 
experience gained while investigating the event to convert the 
lessons learned into a training course for utilities. The 
Ukraine event in a box devices fit on a desktop and are 
designed to challenge course participants to cyber defend the 
equipment that they routinely encounter.
    In summarizing, the described examples highlight 
Cybercore's holistic research and development strategy for 
control system cybersecurity innovation.
    I do want to re-emphasize that solutions to protect the 
grid and energy infrastructure are realized through deployment 
of advanced technologies, implementation of enhanced 
engineering and operational processes, and the development of 
highly-skilled and well-informed workforce.
    I thank the Committee members for this opportunity to share 
our strategy and examples of the progress in protecting the 
grid and energy infrastructure, and I welcome your questions.
    [The prepared statement of Mr. Tudor follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Mr. Tudor.
    Dr. Earl, welcome.

  STATEMENT OF DR. DUNCAN EARL, PRESIDENT & CHIEF TECHNOLOGY 
                    OFFICER, QUBITEKK, INC.

    Dr. Earl. Thank you and good morning.
    Madam Chair Murkowski, Ranking Member Cantwell, members of 
the Committee, I am Dr. Duncan Earl, President and Chief 
Technology Officer at Qubitekk. Thank you for inviting me to 
appear before you today to discuss the role quantum technology 
can play in protecting our electrical grid.
    The U.S. electrical grid has operated for nearly 150 years 
without experiencing a large-scale, long-term blackout. This is 
a testament to the hard work of the men and women who maintain 
the grid as well as the many smart devices that we depend on to 
monitor and control it.
    However, the grid has never faced a threat of the type and 
severity as it is experiencing today. Over 70,000 power 
substations throughout our country depend and rely on smart 
devices to maintain the delicate balance between energy 
generation and energy demand. Effective coordination between 
these devices is only possible when they share data that is 
accurate and uncompromised.
    Unfortunately, as we have seen in other countries, the 
ability of hackers to infiltrate grid networks and corrupt 
these communications is real and growing. To prevent a 
devastating attack on our own nation's electrical grid, we must 
implement the best cybersecurity solutions possible to protect 
sensitive grid communications.
    If you ask utilities today, ``At this very moment, are your 
communication channels secure?'' many will admit that they do 
not know. A new technology, quantum technology, can allow them 
to answer, ``Yes.''
    Quantum technology enables communications that cannot be 
intercepted or altered. Any attempt to do so can be immediately 
detected and thwarted. Fundamentally different from past 
solutions based on mathematics and software, this new solution 
is rooted in physics and uses hardware to create a trusted 
channel that is secure today, tomorrow, and a thousand years 
from now.
    Quantum technology uses the laws of quantum physics to 
generate secret keys that cannot be cracked. The keys are 
transmitted as light through optical fibers to devices in the 
field. Although quantum physics, with the demonstrations of 
teleportation and particles existing in parallel universes, can 
sound like science fiction, its application to grid security is 
real and near-term.
    At Qubitekk, with funding from the Department of Energy 
Office of Electricity's Cybersecurity for Energy Delivery 
Systems, or CEDS, program, we are conducting preliminary tests 
of quantum technology with utilities in California and 
Tennessee. In 2018 and 2019, larger pilot testing within 
substations is planned. We are also working closely with our 
industry and national laboratory partners to develop protocols 
that allow traditional communication solutions to integrate 
with these new quantum systems.
    To speed the adoption of this technology, though, will 
require government action. With government support, a 
nationwide quantum-protected network between our substations 
can be built, creating an impenetrable shield around our grid's 
communication channels. With increased funding to existing DOE 
programs, quantum-enhanced cybersecurity solutions can be 
developed to protect every substation in our country. 
Ultimately, as occurred with the Internet, early government 
investment in communication infrastructure and equipment will 
be needed.
    Finally, Senators, let me suggest the most important reason 
yet why we must embrace and pursue quantum technology, and I'll 
echo what Senator Murkowski said. China has already developed 
and installed the foundations for a nationwide quantum network 
that leverages both fiber optic and satellite-based 
communications. Last month they demonstrated the first-ever 
quantum secured video call between China and the European 
Union. Earlier this month, they committed $10 billion to the 
creation of a massive new quantum information laboratory in 
Eastern China. Although much of the basic science in quantum 
technology was developed here in the United States, our 
hesitation in its implementation has left us far behind in the 
quantum race.
    Quantum networks are just the beginning of the quantum 
revolution. Quantum technology will revolutionize 
cybersecurity, computers, artificial intelligence, chemistry, 
medicine, and ultimately, the world economy. Building a 
quantum-protected grid will not only strengthen America's 
security but will also create a sustainable first market for 
quantum technology here in the U.S. It represents a significant 
step toward challenging, and eventually overtaking, our 
counterparts in Asia and the European Union.
    With that, I look forward to your questions on this 
technology.
    [The prepared statement of Dr. Earl follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Dr. Earl.
    Mr. Riedel.

         STATEMENT OF DANIEL RIEDEL, CEO AND FOUNDER, 
                   NEW CONTEXT SERVICES, INC.

    Mr. Riedel. Good morning.
    Chairman Murkowski, Ranking Member Cantwell and the other 
members of the Committee, it's an honor and privilege to 
testify. My name is Daniel Riedel. I'm the CEO and founder of 
New Context Services. New Context was founded in 2013 with a 
vision of keeping the connected world safe. Our mission is to 
use lean security to automate the orchestration, governance and 
protection of critical infrastructure.
    New Context is working with Southern California Edison, 
Pacific Gas and Electric, and San Diego Gas and Electric, in a 
partnership with Idaho National Lab and Lawrence Livermore 
National Lab in advanced cybersecurity research for machine-to-
machine threat detection and response referred to as California 
Energy Systems of the 21st Century. That work has resulted in 
our involvement in the STIX/TAXII and OpenC2 standards that are 
becoming the default for governmental agencies, enterprises, 
and information sharing communities to distribute threat 
intelligence. New Context also offers secure engineering 
services to many industrial and financial services firms.
    There are five cyber-defense areas I will be discussing 
today: Identity, Trusted Data, Attributed Isolated Networks, 
Threat Detection & Sharing, and Automated Response & 
Remediation.
    Twenty billion IoT devices will soon be connected to the 
internet to grow our economy. At the same time, Smart Grid 
technologies are being rolled out to the energy grid. 
Organizations such as General Electric, ABB, and Siemens are 
building new technologies to create efficiencies in our 
nation's demand for electricity.
    Each of these technologies are going to add new vectors of 
attack while at the same time current attacks are increasing in 
number. Some of these attacks have physical consequences such 
as black energy in the Ukraine.
    Over 80 percent of all attacks are the result of stolen 
credentials. Credentials are a weak link in cybersecurity. We 
must move to multi-factor, biometric, and continuous 
authentication for all individuals who interact with critical 
infrastructure.
    For each human, device, or application that attaches to 
critical infrastructure, we must strengthen the validation for 
the authority to operate. Rolling out more advanced processes 
of attribution across the energy grid faces these challenges: 
current credential technology, current IT practices, legacy 
applications, and the age of the equipment. Within critical 
infrastructure networks we must trust the data that is used in 
the decision-making process. Blockchain frameworks can provide 
this trust. Cryptographic trusted data can be used for a 
variety of use cases in the energy grid.
    Isolated networks are used effectively as a method of 
network separation. However, insider threats and malware can 
still operate within that network. To build an attributed 
isolated network, we have to look at every device on the 
network to ensure identity of the operator and the operational 
history of that device. With stronger identity, we can 
strengthen legal evidence to more effectively prosecute 
malicious attacks.
    The ability to identify and share threat data at machine 
speed helps prevent the spread and propagation of attacks. 
Early in our work with CES-21, New Context identified STIX to 
be the best format for sharing threat intel and remediation 
data. New Context has begun working with the STIX community and 
the energy industry to extend STIX for the grid. STIX is just 
the first step; we now need the ability to share threats and 
remediations automatically between organizations. Several 
information sharing organizations have begun, but we still 
heavily rely on human analysts. If there were a coordinated 
attack on the grid those analysts would not be able to respond. 
To continue to advance threat intel we need to use new 
technology such as artificial intelligence to speed up the 
response.
    Discovering and sharing threats at machine speed is a huge 
step in the right direction, but the logical next step is an 
automated response remediation. The first hurdle in automated 
response is trust by third party. We will need to ensure that 
there is trust in remediation. Once we have been able to solve 
for that trust, then our utilities, national labs, and agencies 
can distribute the remediation to the energy grid. These 
remediations can be deployed with the utility networks allowing 
them to rapidly respond to attacks.
    In summary, Identity, Trusted Data, Attributed Isolated 
Networks, Threat Detection & Sharing, and Automated Response & 
Remediation are technologies to focus on for advanced cyber 
defense. The battlefield continues to change, and we need to 
look at new ways of protecting our infrastructure.
    Our adversaries are formidable, and the challenge to the 
organizations is the high cost of defending their assets while 
the cost to attack them is low. This is a hidden tax on our 
economy that will continue until we address the root cause 
instead of the symptoms.
    Investing in these technologies will lower the cost to 
defend our infrastructure and raise the cost to attack our 
infrastructure. This will allow more innovation in our industry 
and allow us to build the appropriate framework to welcome 
these 20 billion devices.
    Thank you for the opportunity to testify. I look forward to 
today's questions.
    [The prepared statement of Mr. Riedel follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    The Chairman. Thank you, Mr. Riedel.
    Thank you, all of you. Very interesting testimony, very 
important testimony. We just really appreciate it.
    I think we look to some of the breakthroughs that are out 
there and these technologies that we hope will allow for that 
level of protection, but many, several, of you have spoken to 
the human factor. We recognize that most of the control systems 
today are separated from the public internet by a firewall or 
an air gap, but we can still see intrusions through human 
error, whether it's transferring data via a flash drive from a 
public network to a secure one or vice versa. So even with all 
of the advances that we have out there and the processes that 
you have mentioned, we are still in a situation where we have 
exposure to security breach.
    Dr. Raines, you mentioned the Dark Net. How do we work to 
protect the Dark Net from this type of activity, the breach 
through the human factor?
    And then I also want you, Dr. Earl, to speak a little bit--
you mentioned the quantum technology that I had raised in my 
opening, and you have suggested that a quantum protected 
network will create an impenetrable shield around our grid's 
communication channels. But does that apply to the insider 
threats as well? I am interested in this aspect. Technology is 
great; sometimes it is the human factor that is our weakest 
link.
    Dr. Raines. Thank you, Senator, for that question.
    Addressing, first of all, the human link, certainly it's 
going to be with us. And so, how do we take and do better 
education and training of people who have not been exposed, 
historically, to these types of things?
    We have a lot of folks in the industry that are very good 
at operationally providing those capabilities and safety 
paramount. But when you start talking about cybersecurity, it's 
a little bit of a foreign issue in terms of some of the 
industry partners out there.
    So, how do we take and raise this awareness so that, you 
know, they understand the threats that exist? Additionally, 
from a standpoint in making sure that the systems are patched, 
updated, these are mainly IT type systems that are being 
utilized. So there are steps that we can take from that 
standpoint to help out the industry.
    With regards to the Dark Net concept that we're proposing 
here, moving the command and control communications away from 
the internet, at least, separates, as you mentioned before, air 
gapping, if you will. There are exploits that get across air 
gaps as we know, but having separate control and communication 
capabilities via these fibers, as was mentioned by Dr. Earl, 
will give us some enhanced capabilities to understand and 
immediately determine if there was any type of exploitation 
that may hit. So as long as we can take and have that 
separation that we don't connect back or add additional vectors 
for exploitation, we believe that there's going to be that 
added level of security that can occur by going to the 
separate, secure, if you will, dark fiber implementation and 
advanced communication capabilities as well, that we would 
implement, but----
    The Chairman. Let me ask Dr. Earl to speak on the quantum 
technology side and the vulnerabilities there.
    Dr. Earl. Yeah, absolutely.
    So, quantum technology is a very powerful technology, but 
the grid is going to require many solutions. It's just a piece 
of that puzzle.
    However, quantum technology solves two very important 
problems, and it's the foundation upon which you can build a 
more secure grid. The first is it provides a way to immediately 
detect if somebody is tampering with your communication 
channels, and the second thing that it can do is it can provide 
encryption that cannot be broken. There always is a concern 
about insider threat. Quantum technology doesn't address that. 
It addresses the securing of channels, but you need that first 
before you can build up the rest of the solution.
    The Chairman. So very quickly on the quantum technology. 
You have mentioned the traditional systems can be integrated. 
How easy is it to do that?
    You have technology--does the technology need to be built 
into the grid during its development or is it relatively easy 
to add it to existing structure?
    Dr. Earl. We can retrofit it, and we argue that it's 
actually easier than other approaches that we might use for the 
internet for securing and establishing secret keys among 
devices. So, it is very grid centric. It is very easy to 
implement and retrofit.
    The Chairman. Okay.
    Senator Cantwell.
    Senator Cantwell. I would like to yield to my colleague for 
a question.
    Senator Risch. Thank you. I appreciate that.
    Senator Cantwell. He is going to go take care of us in 
small business----
    [Laughter.]
    ----which probably should be part of this discussion.
    Senator Risch. As you know this is Women's Small Business 
Month, so the hearing is on that. I knew you would be very 
interested in that.
    Senator Cantwell. Good. And I am sure this subject 
interests you too, as we talk about solutions on cyber where 
you have to think about how we help small businesses.
    Senator Risch. That is true.
    Senator Cantwell. Because they have the least ability to 
put some of these things in place. So we need to think about 
that.
    Go ahead. I'm sorry.
    Senator Risch. Thank you so much.
    Mr. Tudor, you mentioned the CCE methodology during your 
testimony. You also provided written testimony, and I have not 
had a chance to look at that yet. Do you expound on that 
methodology in your testimony that you have submitted?
    Mr. Tudor. I did, sir.
    Senator Risch. Okay.
    That methodology was first introduced as INL's unique 
cybersecurity innovation in April by Mr. Andy Bachman to this 
Committee. Since then it has attracted some positive attention. 
But in addition to that, it seems to have created some 
confusion, indeed some might even say criticism, that 
discussing whether it is really a process that is a step 
backward from technology innovation. Could you address that, 
please?
    Mr. Tudor. Sure. Thank you for your question, Senator.
    We feel that Consequence-driven, Cyber-informed 
Engineering, or CCE, is actually a step forward in some of our 
engineering processes in that we look to use the right 
technology, you know, for the right purpose and implementation 
of cyber controls.
    I think some of the criticism has been about the mention of 
using analog devices as if it's a step back into the Stone Age. 
But in some of these cases we can use the CCE methodology to 
understand those critical consequences and the attack paths 
that lead up to them.
    We can identify choke points for various of these different 
attacks and do what we call disruption zones, areas where we 
can place a discreet, non-programmable component, potentially 
an analog component, that can't be hacked by software means, 
doesn't have software vulnerabilities in it. And then, we'll 
just drive that attacker work factor, you know, way up because 
their normal methods of internet-based, of software-based 
activity will be thwarted at that point.
    So as you work with an organization and, once again, this 
is not something that just the national lab or another provider 
can do. The organization that's being protected works very 
closely to understand what those consequences are, what their 
engineering processes are.
    Identify those paths, work with them, understand who might 
potentially attack and what potential motivations there are. 
And then, develop those mitigating ideas and identify the 
disruption zones and implement them. We found with our partner 
that they felt that the entire process helped them give them a 
different perspective on how to protect their environments.
    Senator Risch. Thank you. I think that is a clear 
explanation.
    Thank you, Madam Chairman. Thank you, Senator Cantwell, for 
yielding.
    The Chairman. Senator Cantwell.
    Senator Cantwell. Thank you, Madam Chair.
    I just want to thank all the witnesses again. This is 
excellent testimony across many fronts and, actually, the 
diversity of ideas yet cohesiveness of the ideas is so 
important. So I thank you for that.
    I obviously want to thank Mr. Imhoff again for your 
leadership. You have helped the State of Washington provide on 
this, everything from working with our National Guard to 
creating a response to the technologies that we've been able to 
deploy.
    I think when we think about this, the synchro-phasor 
technology that the lab has worked on and was part of your 
testimony actually saved California customers an estimated $360 
million plus due to improved utilization of existing systems 
and making these tools more resilient to cyber threats.
    We can see already there is work and application that is 
being done that is helping us strengthen the grid from 
blackouts, and we need to keep going.
    Mr. Earl, the Department of Energy Office of Electricity's 
Cybersecurity for Energy Delivery Systems program helped fund 
the work that you are doing. I feel that one of the key aspects 
here is the need to continue to do R&D and innovate and test 
and apply. I see you are all nodding on that. I guess that is 
what I am trying to help our colleagues understand here.
    Sometimes I say in the information age we are only in the 
third inning of the ballgame. Here, I'm not even sure if we 
have started the game. Actually we have because of the great 
work that you all are doing.
    But how would you characterize where we need to go with 
research, workforce, and this continued collaborative effort, 
in the context of where we are today and how this will evolve?
    Mr. Earl, I think you said it, or Mr. Riedel did, that this 
is ever changing. Whatever we are doing today is going to 
change and evolve. So where are we with the level of investment 
and workforce and level of interconnected responses and I mean 
people responses that we need to build here?
    Maybe we can just start with you, Mr. Imhoff?
    Mr. Imhoff. Thank you, Senator Cantwell.
    It's a complex question. I would say on the Department of 
Energy side, programs like the CEDS cyber program at OE and 
others are funding a lot of the innovations here, several of 
them today, where the injection of funding is adding value.
    In terms of the grid modernization initiative, the Congress 
Appropriations, that initiative is strong and moving forward at 
this point in time.
    I think one of the challenges, while we have over 100 
industrial partners working on these projects, the public-
private partnership is essential. You have to have the field 
validation so that the people, the operators, the switchmen, et 
cetera, understand and can get their arms around the new 
concepts so what they bring to bear, to offer.
    The industry is a little challenged now because they're 
facing flat sales and a lot of challenges on cyber and other 
things. So industry is stretched thin from a human workforce 
standpoint. They have a challenge adding more things on to 
their plate.
    But the manpower issue is part of that, clearly. The 
training, the access, the large number of utility workers who 
are retiring, and there's a lot of work in terms of development 
and feeding the pipe for the next generation, whether it's 
cyber or other grid activities. So I think it's all very 
closely interwoven in terms of getting the workforce right, 
getting the training done.
    And I would say that there are many, some of the new topics 
around analytics and other things are new dimensions that need 
to be added, I think, to the workforce, focus that needs to go 
beyond just enterprise cybersecurity, which, I think, has been 
the dominant focus for, let's say, the past decade.
    We're having a hard time keeping up with the volume of 
cyber analysts, but we're--they now need to have new skills in 
terms of advanced analytics and other things. So we need to 
look to how do we refresh those, curricular development. How do 
we build the partnerships between public and private to train 
people, cross-train existing employees or develop new staff and 
continue to look for those public-private partnerships on field 
validation of new concepts coming out of the R&D portfolio? 
Because that's what it takes at the regional level for 
commissioners and utility commissions and others to get 
comfortable with making the investments to deliver.
    Senator Cantwell. Thank you. It might have been a complex 
question, but you did a very good job.
    Anybody else want to weigh in quickly on that?
    Mr. Riedel. I can briefly.
    Thank you for the question, Senator Cantwell, Ranking 
Member, sorry.
    So we deal with this a lot with our company. We're trying 
to hire qualified people, and finding enough qualified people 
out there is, I think, a challenge for every organization.
    We try and train and make sure that everyone understands 
that security inside of an enterprise or in a corporation is 
not one person's ability or one person's responsibility. So the 
things that we look at are how do we educate our workforce? We 
would love to work with schools and universities to make sure 
they're educating folks.
    I think that the thing that we will try to tell enterprises 
as they deal with this, and utilities as they deal with this, 
is that security, cybersecurity, is a group responsibility, 
that you cannot just expect the security professionals to take 
care of this. You need to take ownership of that while you 
build and engineer your products. And so, those are things that 
we are looking at.
    The only thing I would add to that is, you know, our focus 
is automation. We want to be able to be able to roll out this 
automation that we talked about today into the grid, but to do 
that we have to be able to trust that we understand where that 
automation comes from.
    So not only do we have to make sure that we educate and 
bring these people to be professionals, we also have to make 
sure as we bring them on to our networks and as we have them 
work on those networks we're able to identify those people so 
we can trust the information that they're giving us and then 
trust the remediations they create.
    Senator Cantwell. Thank you.
    Thank you, Madam Chair.
    The Chairman. Senator Cassidy.
    Senator Cassidy. Should it be one of those folks over 
there? I don't want to step out of place----
    Senator Manchin. Bill, would you mind if I? I've got----
    The Chairman. This is a cooperative Committee.
    [Laughter.]
    If Senator Cassidy doesn't mind, we will certainly turn to 
Senator Manchin.
    Senator Manchin. This is a great Committee. Thank you.
    The Chairman. It is.
    Senator Manchin. I appreciate both of you. Thank you, Bill, 
I appreciate it.
    Let me just say real quickly. The reliability of the grid 
system, basically the baseload, do any of you all have concerns 
that the baseload might not be able to energize the grid or we 
could be in concern about a relapse or a collapse? Does anybody 
have that concern?
    From baseload, as I am understanding, nuclear, coal is to 
the basic baseload, 24/7, rain or shine. Gas--we are depending 
on gas being baseload now. And all of our renewables are coming 
on, I guess, with the new battery, the battery storage. That 
will eventually move into that. We have not gotten there yet.
    You all have no concerns in different segments across the 
country? PJM about collapsed over the last polar vortex we had. 
You all knew that, right? They came within that sliver of going 
down.
    Anybody want to talk?
    Mr. Imhoff. So, the--we've seen no evidence that there's a 
lack of capacity to deliver in terms of frequency response and 
other things on the power system.
    Clearly there are changes in some of the resources mix. And 
the NERC bodies, as well as the reliability councils and all 
have not indicated that there is a gap that's an issue. But 
they're having to change some of the processes and all, but I 
think we are, have adequate capacity going forward.
    Senator Manchin. Anybody? Feel the same?
    Dr. Raines. Senator, yes, sir.
    Senator Manchin. Okay.
    Dr. Earl, on quantum. You are talking about, you know, of 
course, cyber is what we are concerned about. I am on Intel and 
every meeting we have deals with cyber and some type of 
cyberattacks that we are getting regularly and how we can stave 
that off.
    In this, I have been to an awful lot of the power plants 
and we have an awful lot of coal plants and then they are all 
switching stations. So when they produce, the power coming out 
goes into, kind of, a switching station, it, kind of, puts it 
out on the grid. And you are saying that you are quantum. You 
can protect that from the internet or being hacked by the 
internet, correct?
    Dr. Earl. So maybe a slightly different way to define that.
    We definitely are trying to protect the communications 
between those switching facilities, the substations, and 
command centers. It's imperative that you're able to trust 
those communications. And so, the channels that they're 
communicated over are not defended. These might be fiber 
optics, airwaves. You don't have complete control over those 
communication channels. So it's important we have a technology 
that can ensure that communication channel is secure first.
    Senator Manchin. And you say that can be retrofitted also 
on this?
    Dr. Earl. It could be, that's right, especially if it 
dovetails well with what they described, ONL described, about 
the Dark Net where you use existing OR, existing fiber optic 
cables, to basically put this system in place.
    Senator Manchin. Let me ask any of you all who would answer 
this question because I have been to an awful lot of these 
power stations, however they are operated, but the switching 
stations, it is not all that secure. I could, if I wanted to do 
some kind of criminal act, I could walk up to it and make it 
happen. Have you all suggested or basically lobbied for 
securing, making every utility company responsible for the 
securing of those switching stations? It could be natural gas 
also. We are concerned about the gas lines, the pipelines, 
pumping stations.
    Mr. Imhoff. So you're voicing concern around physical 
security?
    Senator Manchin. Yes.
    Mr. Imhoff. We have extensive infrastructure across 
thousands of miles, and out West some of those are very lonely, 
empty miles.
    Senator Manchin. Right.
    Mr. Imhoff. They are favorite target practice 
opportunities, but I will say that over the past year PNNL has 
worked with NERC to help develop what's called design basis 
threat which is a systematic approach at looking at what are 
the series of threats that could be done on a pipeline, gas 
pipeline, compressor station, or switch yards coming out of 
coal plants, et cetera, and then helping the utilities walk 
through and classifying the degree of consequence and risk and 
identifying what other options actually provide physical 
security because you can do that, but you can't do it on every 
single substation or every single transmission tower out there 
in the power system.
    What they are doing is putting in place a systematic 
process to help prioritize those risks and identify their 
options for protection. That process is beginning, and it's 
been very well received by the utilities over the last 12 
months. So I think they're moving in that direction, Senator.
    Senator Manchin. Well, I was just going to say you all come 
from the technical end of it and can really help us there and 
advocate for this because I see a lot needs to be done. I mean, 
we are talking about the internet, and we are talking about 
technology and all this and that. I am talking about just plain 
attacks, just, I mean, criminal activities.
    Okay, thank you very much.
    Senator Cantwell. If I could just follow up on that?
    Isn't it true that most--I am just thinking of Bonneville's 
system. If you go into their command center, they have pretty 
good eyes on most of everything in their grid system. I would 
assume utilities are similar. They have eyes everywhere. Right? 
Is that correct? I mean, besides the technical detection of 
what is happening on a line, they also have eyes on practically 
every aspect of the infrastructure.
    Dr. Earl. I think it depends a little bit on the utilities, 
you know. There's small ones and large ones and they approach 
it differently, but definitely for the larger utilities, I 
think, you're absolutely correct. It's a fairly sophisticated 
operation.
    Senator Cantwell. Thank you.
    The Chairman. But we worry about some of those smaller ones 
like we have up North.
    Senator Cassidy, we are over to you now.
    Senator Cassidy. Mr. Raines, I think it was you that spoke 
of the Dark Net. Does the Dark Net require a lane of different 
fiber optic cables or can it go through the same fiber optic 
cables?
    Dr. Raines. Thank you, Senator, for the question.
    Certainly we can use existing fiber that is not being 
utilized because generally speaking there's a lot of bundles 
that are laid, multiple fibers that occur and not all the 
capacity is being used.
    In the incidences where you have smaller utilities or 
cooperatives that don't have the fiber, there are other avenues 
that we look at in using some of the advanced communication 
capabilities and emerging capabilities to also take and look at 
hardening. But yes, sir, certainly we can utilize those 
existing fibers where they exist.
    Senator Cassidy. Could we overlay? To what degree could we 
now go to Dark Net?
    I once went to a DoD facility and they have their internet 
here and they have their, kind of, closed system there. It was 
two different, I don't know if there are two different 
terminals, but somehow I understood this is this and that is 
that. To what degree do we have that now for utilities?
    Dr. Raines. Well, sir, I cannot answer in totality of that 
for you right now. We are having people that are looking at, as 
I mentioned before, over the 100,000 miles of existing fiber 
that we have, to see exactly where the connectivities are 
relative to, you know, the commercial entities, the industry 
out there. So, certainly, I can get back with you on that 
question, sir.
    Senator Cassidy. That is a nice segue to my next question. 
My staff gave me this from August 17, from the President's 
National Infrastructure Advisory Committee. They have 11 
different recommendations.
    There is a sort of, kind of, urgency behind it and a sort 
of assumption that we should have done this yesterday and we 
haven't done it yet, with agencies and Congress required to put 
things together which apparently we have not. So I appreciate 
the Chair and the Ranking Member holding these hearings, but to 
what degree is leadership being exerted by the Federal 
Government to make sure that all this happens ASAP? Because I 
gather you all think it should happen ASAP. Fair statement?
    Mr. Tudor is smiling, kind of discreetly and 
diplomatically, but to what degree are we providing that 
leadership?
    Mr. Tudor?
    Mr. Tudor. Thank you, Senator.
    And I am nothing, if not discreet and diplomatic.
    [Laughter.]
    I would say that I do believe that the Department of 
Energy, the Department of Homeland Security, know this, are 
taking leadership within the bounds of what we were able to 
accomplish, what we understand that we should do, but I also 
think that leadership understands that we all can do more.
    We've been, you know, working----
    Senator Cassidy. Let me just pause for a second because I 
have actually heard some very good suggestions from you all 
ranging from quantum mechanics which I, kind of, don't 
understand, but am always, kind of, fascinated by to put an 
analog switch in there. Really, kind of, two different 
approaches with a Dark Net overlay. Those are very tangible. 
This is what you could do now and would probably work really 
well.
    What is the state of play? Are we now moving toward that or 
are we just waiting for someone to propose it?
    Dr. Raines. Well, sir?
    Senator Cassidy. Go ahead.
    Dr. Raines. If I may answer that for you.
    One of the test cases that we're working with now is the 
electric power DoD out of Chattanooga which we have fiber 
connections with, and we're looking at how we can establish 
some of that test bed capabilities with them. So on a smaller 
scale we are moving forward.
    Senator Cassidy. So are you telling me although DoD has a 
parallel internet, and you mentioned the Dark Net, is this just 
something, is this a strong recommendation yes, we should be 
doing it, or no, we need to test it before we go fully to 
scale?
    Dr. Raines. Sir, we believe that the technology exists to 
increase our capabilities to defend the electric grid from a 
communications and control standpoint, if we go forward with 
this. And that's what we're proposing for----
    Senator Cassidy. And is that generally agreed upon?
    So, one thing we could do is appropriate the dollars to 
immediately begin putting in a Dark Net for everybody who is 
connected to the grid, except maybe a distributed, you know, if 
I am selling electricity off the roof of my house, maybe not, 
but other than that. Is that something we should be writing in 
legislation now, in your opinion?
    Dr. Earl. So we currently have utility partners with 
extensive fiber optic networks that are ready to start 
implementing this today or testing this today.
    Senator Cassidy. The quantum or the Dark Net?
    Dr. Earl. The quantum and the Dark Net. It really is tied 
together. So, there's, now that's not all utilities, and it's 
going to have to start small and eventually grow.
    Senator Cassidy. Now, just let me ask you, just interrupt 
because when you say not all utilities. I always mispronounce 
it. I don't know if it is miso or myso. But you have this 
exchange of electrons through the whole Mississippi Valley. If 
there is somebody who is a weak link, who does not have Dark 
Net, does not have quantum, does not have analog, can that go 
through the whole network getting those that do have it?
    Dr. Earl. So, ultimately, you're only as strong as your 
weakest link, but your biggest links need to be secured first. 
And the propagation can be limited by focusing there and 
prioritizing there, initially. And there are three separate 
grids, of course, that would be independent from one another.
    But let me just, sort of, echo the question of, you know, 
can we implement this quickly? It is a question of funding.
    The CEDS program within DOE is doing a great job, but they 
don't have a large enough budget, really, to take on Dark Net 
yet. So, at least from my perspective, I think that increasing 
the funding to that program is an excellent thing to do right 
away.
    The other point I'd like to quickly make is these new 
technologies will take time to be implemented. It could be as 
long as, you know, five to ten years for some of these 
technologies to be implemented. If you think of where hackers 
were ten years ago and you think about where hackers are going 
to be in ten years from now, that's where the urgency is coming 
from. We really have got to get ahead of this.
    Mr. Tudor. I would like to say, though, that across the 
industry our utility partners are really beginning to move out 
even faster in developing pilots, working with commercial and 
industry, working with national labs to develop the process and 
procedures to implement these new technologies.
    Mr. Riedel mentioned the CES-21 is a great example of those 
three major utilities working together to implement and 
prototype and demonstrate these technologies and give lessons 
learned out to other utilities across the nation so we can 
understand what the scope of the issue is, how to deploy these, 
and then also provide that expertise as others do it, similar 
to other utilities here on the East Coast as well.
    So I think we are moving out faster than we have been. We 
would all love to do it faster.
    Senator Cassidy. I am way over. I apologize, Senator 
Franken.
    I yield back.
    The Chairman. Thank you, Senator Cassidy.
    Senator Franken.
    Senator Franken. Thank you, Madam Chair.
    I know this is about cybersecurity and the grid, but Dr. 
Raines, I was struck in your testimony by your discussion of 
microgrid technology and its potential application to Puerto 
Rico. The Chair knows that I am very interested in this, and I 
think all of us are. After the devastation of Hurricanes Irma 
and Maria, millions of Americans in Puerto Rico and the Virgin 
Islands are still without power. This is really inexcusable.
    I am going to read from your testimony, ``Most recently Oak 
Ridge National Laboratory has considered how its scientific 
expertise may be leveraged to help an area in which the local 
power grid is essentially being rebuilt from the ground up. 
Puerto Rico was devastated by Hurricane Maria last month. The 
island's critical infrastructure, including its power, 
transmission, and distribution grid serving more than 1.4 
million customers was nearly demolished by the powerful storm.
    As the relief and recovery effort continues, we are mindful 
that many of the solutions developed for grid resilience could 
be purposely built into a completely new, robust system for 
Puerto Rico through distributed energy resources, for instance, 
Puerto Rico Electric Power Authority could benefit from 
microgrids with more power generation spread throughout its 
territory, sited locally in neighborhoods and communities and 
providing greater flexibility when the larger grid is 
disrupted. Complementary opportunities exist to support the 
development of a more secure and resilient Puerto Rican 
infrastructure which will ultimately lead to a better quality 
of life for its residents and reliable electricity to support 
its businesses.''
    This is something that we have been talking a lot about, a 
number of us, including the Chair and the Ranking Member of 
this Committee.
    Dr. Raines, could you elaborate on the work that Oak Ridge 
is doing to improve resilience for the grid and how that might 
relate to our responsibility after these hurricanes to approach 
rebuilding the grid, getting them up again, as fast as 
possible, but then building something that is resilient and 
sustainable? And if anyone else wants to weigh in on that, 
please do.
    Dr. Raines. Senator, thank you for the question. I'll start 
and turn it over to Carl.
    Earlier this year in the spring we had a team down in 
Puerto Rico that was actually looking at the infrastructure, 
understanding the infrastructure and looking at how we could 
possibly take and redesign or enhance the architecture, the 
existing architecture. You know, we certainly did not foresee 
the devastation that occurred in September and the agony and 
things that people are going through there down there now.
    We have, for a number of years, been looking at microgrid 
technologies. How we can take and build those where given 
different types of power electronics and charging and sensing 
type systems that they can have the isolation from other, the 
larger infrastructure and be able to operate in the events of--
--
    Senator Franken. In island mode if they need it.
    Dr. Raines. Yes, sir.
    Senator Franken. Okay.
    Dr. Raines. Yeah, from that standpoint.
    And so, with that I know that Carl is leading an effort 
among the different labs and he can probably address it quite 
well as well.
    Senator Franken. Please?
    Mr. Imhoff. Specifically for Puerto Rico DOE has asked the 
12 grid modernization laboratories to frame some options that 
could add value in the 1 to 6 months, 6 to 12 months and then 
12 months to 5 years timeframes.
    And the notion of evaluating what critical loads, in terms 
of drinking water purification, health care, communications, 
island communications, et cetera. How did they come down and 
identify where it might be worth the incremental expense for 
microgrids to harden those against future events and leverage 
some of the work that we've done in the grid modernization in 
New Orleans and other places on how to coordinate multiple 
microgrids that during bad storms can actually adjust and focus 
just on the critical loads for emergency applications? That's, 
I think, a good opportunity for us to bring new concepts to the 
rebuild of Puerto Rico over the next couple years.
    Senator Franken. I think it is just responsible to do that 
and smart to do that and, you know, their grid, and I know I am 
out of time, but their grid is right now powered so much by 
diesel and a lot of people from Minnesota in the winter go to 
Puerto Rico and the Virgin Islands for the sun. I am just 
saying. So I think that perhaps in rebuilding this grid we can 
make it more resilient and use more sustainable energy as well.
    It is something that I am glad that national laboratories 
have been asked by the Energy Department to look at. I think 
everybody is rolling in the same direction is what I am saying. 
I feel good about that.
    The Chairman. Thank you, Senator Franken. I think it was a 
good question, an important one.
    We will be having a hearing focusing on the current 
situation in Puerto Rico and going forward, the future of that 
energy grid there, and we will look forward to input from the 
national labs.
    To know that you have taken point on that, Mr. Imhoff, I 
think is important. We will look for more detail in the next 
couple weeks but it is very, very important. So thank you.
    Senator Duckworth.
    Senator Duckworth. Thank you, Madam Chair. I want to thank 
you and the Ranking Member for today's hearing. And I 
definitely want to thank our witnesses for participating today.
    And recently, as my colleague, Mr. Franken, mentioned, we 
have seen frightening weather patterns and infrastructure 
instability in Puerto Rico and in the Ukraine even in 2015 when 
malicious actors destabilized the country's power grid.
    I had to learn that cybersecurity can take many forms. I 
come to this from a military perspective where it is all about 
enemies hacking, trying to attack you, but cybersecurity also 
applies to trying to prevent technological failures from 
occurring as well.
    I am proud that the national labs are partnering with 
industry to develop solutions to modernize our grid, including 
Illinois' own Argonne National Lab. We are leading eight 
projects under DOE's Grid Modernization Laboratory Consortium. 
And we heard this earlier when you responded to my colleague 
from Louisiana about the investments that need to be made. That 
is where my question is going.
    You know, it seems to me that there is a cycle of 
scientific discovery that then provides necessary impetus to 
develop technologies that address those known concerns and then 
we develop ones. We develop those initial technologies and 
prototype then we move toward bringing them to a place where 
they can demonstrate effectiveness and be deployed to the 
marketplace. I would like to further elaborate on that.
    For all the witnesses. In terms of this cycle of discovery, 
prototype development, and then development toward deployment, 
as it relates to cybersecurity threats, where are we in that 
process for our energy infrastructure? And are there specific 
investments we should be making?
    You mentioned informing municipalities and communities, but 
is there anything specific because it seems like this is a 
continual cycle that we go through. Anyone want to take that?
    Mr. Imhoff. Well, I'll get started and hand it over to my 
colleagues.
    Senator Duckworth. Yes.
    Mr. Imhoff. We're in all phases of that cycle.
    Senator Duckworth. Okay.
    Mr. Imhoff. There are many dimensions to this grid 
modernization activity. There are many dimensions to 
cybersecurity. On cybersecurity, I mentioned in my testimony, 
that there are, we have roughly 3,000 utilities in the United 
States. The largest 1,000 are pretty far along on their 
cybersecurity journey. The smallest 1,000 don't have any 
digital devices, so it's not much of an issue. The middle 1,000 
have devices but they have very small engineering staffs and 
very limited budgets, and so it's harder for them just to do 
the basic fundamentals of maintaining good enterprise 
discipline on their infrastructures. So they are in a very 
different place on the development cycle than some of the 
larger utilities who are looking at quantum encryption and 
other activities.
    We are in all phases, and I think it will always be that 
way. Some things are near the more mature state, but you're 
having to work them out into 3,000 utilities that are across 50 
different regulatory jurisdictions. So it just doesn't happen 
overnight. It takes time for things to unfold.
    Dr. Raines. And the thing I'd like to add, Senator, with 
that, our partnerships are absolutely critical because the 
national labs will take and produce lower technology readiness 
level type of solutions. And so, to take and transition those 
to industry or work with the industry partners is absolutely 
critical in this arena.
    I come from a military background as well from the 
standpoint of rapidly getting those products to the field where 
they're needed. And in cybersecurity, like I said earlier in 
the testimony, we are in that very tight loop of adversaries 
are far outpacing us in terms of how we can respond to them. So 
the industry partner is absolutely critical.
    Mr. Tudor. Senator, I'd like to respond to that as well.
    I've been involved in, kind of, technology innovation for 
cybersecurity for about ten years in other jobs. One of the 
things that we do realize, you know, between the development 
and the deployment of technologies is what is called a valley 
of death. I think a lot of times the national labs, their place 
in developing those lower technology, readiness level 
technologies to solve particular problems at the time, have not 
had the emphasis on commercialization, probably not the lab's 
major role to do that. However, in the last few years we have 
seen more and more emphasis from DOE, DHS, and others to bring 
these technologies to bear. But we do need commercial partners, 
whether it's venture capitals or others, to come and help 
invest in these.
    I know the other DHS transition to practice program did a 
wonderful job of coming into the national labs, but Pacific 
Northwest National Lab, Oak Ridge and INL all have technologies 
that were transitioned in some of those. But we need more of 
those types of activities and we need more emphasis on it if we 
really feel that we can get those out there and then 
entrepreneurs like Dr. Earl and Mr. Riedel can then take those 
technologies forward.
    Dr. Earl. Is it okay to add to that as well?
    Senator Duckworth. Madam Chair?
    Dr. Earl. Alright.
    So, in terms of development to deployment, shortening that 
time, I think, one of the biggest challenges is, as was 
mentioned earlier, we have over 3,000 utilities, some big, some 
small. And they're going up against very sophisticated 
adversaries. These nation-state hackers have much more 
sophisticated operations than utilities are used to. And so, 
we're asking big and small utilities to come up with solutions 
on very rapidly changing technology.
    One of the things that the government can help to do, 
national labs can help to do, partnerships can help to do, is 
to identify a template solution, sort of, cookie cutter 
solution that at least could be a starting point for these 
utilities. And then ultimately they need assistance in 
implementing it and maintaining it. That right now doesn't 
really exist for those utilities.
    Mr. Riedel. Senator Duckworth, thank you for the question 
of the panel.
    I wouldn't be here today without the support of the DOE, 
the State of California and some of the funding, so I'm very 
appreciative of that. For me, I think the funding is critical. 
It's a holistic approach that we need to take. There's no one 
technology that's going to solve this problem.
    I think we talked a lot about networks today, about the 
dark fiber and the quantum, but you know, we also still need 
automation to be able to respond to these things in a timely 
fashion and to support the growth of the devices we're getting.
    And at the end of the day, we also need to trust people who 
are operating those devices so we need to move beyond current 
credential technology and look at new ways that we can actually 
assert that the people who are operating are who they say they 
are which helps, sort of, I think, bring everything around. So, 
for me, it's a holistic approach and we need to continue 
investing in all those areas.
    Senator Duckworth. Thank you.
    Madam Chair, you have been very generous. Thank you.
    The Chairman. Thank you each for your response on that.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you, Madam Chair.
    Let me just follow up, and this question is for all of you.
    Do you think the small and midsized utilities are more 
challenged to really find the programs to address the cyber 
threats than maybe some of the larger utilities?
    Dr. Raines. Senator, I would agree with that statement, 
mainly from a standpoint of the resources that these smaller 
utilities have available for this.
    Senator Cortez Masto. So the programs are there. It is just 
a matter of having the capital or the resources to access those 
programs or afford those programs. Is that right?
    Dr. Raines. I would have a tendency to agree with that, 
ma'am.
    Mr. Imhoff. I agree, but I must say that some of their 
representing organizations, like for the co-ops, the National 
Electric Cooperative Association and the American Public Power 
Association, they do have relationships with DOE and they help 
aggregate numbers of small utilities for them to be involved in 
demonstrations. But in general, smaller utilities have smaller 
engineering staffs, smaller resources, so it's more of an 
uphill walk for them than some of the larger entities.
    Mr. Tudor. I think it is worthwhile to note though, as we 
mentioned before, in things like the CES-21 project, some 
projects on the East Coast--RADICS, that the intent is to have 
the large utility partners who have those resources help to 
validate a lot of these approaches and then share that 
information into the rural cooperatives and other types of 
environments that don't have those resources. They won't need 
to spend the time to do that validation, but it will be able to 
be handed out to them.
    Senator Cortez Masto. And then, and you may have already 
addressed this, and I apologize I had another committee 
hearing, but I am also curious how the states play into this. I 
know in the State of Nevada Governor Sandoval has created a new 
Office of Cyber Defense (OCD) which will serve as the primary 
focal point for cyber threats and security for the State of 
Nevada. With the addition of that cyber defense coordinator, 
the OCD will serve as the primary conduit with the Federal 
Government as well as the primary entity managing cyber threat 
issues across the State of Nevada.
    Do you see that as a role most states should be involved 
with and coordinating with the federal level and then, 
particularly, the private sector to address the cyber threat?
    Mr. Tudor. Thank you for your question, Senator.
    You mentioned the important word there and that's 
``coordination.'' I don't think that every state should invest 
their resources to go off on their own and potentially have 
redundant systems. But as we mentioned with California, their 
work on their regional, you know, things that happened in the 
Pacific Northwest. I know PNNL, INL, and others work together 
with regional entities. And I think that coordination with 
leadership from the government can help rapidly advance some of 
the technology areas.
    Dr. Earl. I do think as well in utilities there's a follow 
the leader mentality. So if a set of utilities, larger 
utilities, in one state identifies a solution that works well 
and they can share that with their counterparts, other 
utilities will see that filter down.
    And just to echo what was mentioned, California has the 
California CES-21 project which involves utilities across the 
state. They've really developed some innovative package 
solutions that are being adopted in California. If that is 
successful then hopefully that will spread to the rest of the 
country as well.
    Senator Cortez Masto. Great.
    Mr. Riedel. May I follow on real quick?
    Senator Cortez Masto. Please.
    Mr. Riedel. Senator Cortez Masto, thank you very much.
    CES-21 has already made an effect and we are already 
starting to work with other organizations such as STIX so the 
research coming out of that is actually having real world 
effects, not only for the U.S. but also that's promulgating 
around the globe. And that's all based on the funding that's 
come in to actually make that happen. So if we can continue 
that, that's only going to grow and I think that's a very good 
thing.
    Senator Cortez Masto. Great. Thank you.
    Dr. Raines, I am actually very intrigued with your Dark Net 
concept. Assuming adequate funding, how many years away are we 
from being able to implement a Dark Net solution for our 
nation's electrical grid?
    Dr. Raines. Senator, thank you for that question.
    As we had mentioned earlier in the testimony, there are 
different phases that are occurring and can occur with the Dark 
Net concept. Utilizing existing infrastructure, you know, such 
as some of the fiber. There are capabilities that Dr. Earl and 
others have been developing that can be implemented relatively 
quickly. There are also other advanced communication 
capabilities that can be implemented for some of the smaller 
cooperatives, if you will.
    So, there's a lot of things that can be done near-term, but 
I think, as Dr. Earl mentioned earlier in testimony, some of 
these advances may take five to ten years to fully mature.
    Senator Cortez Masto. Okay. Thank you.
    Gentlemen, thank you very much. I appreciate the 
conversation.
    Thank you, Madam Chair.
    The Chairman. Thank you, Senator.
    I have just one last question.
    Mr. Tudor, you had mentioned in your comments the need for 
control room operators to have hands on training opportunities 
and you referenced Ukraine in a box. How ready are we with this 
program? Do we actually have utility room operators that are 
training, kind of, hands-on to handle a Ukraine-like attack? 
And really, to what extent are the men and women that are on 
the ground or on the front lines being trained to handle a 
cyberattack?
    Mr. Tudor. Thank you for that question, Madam Chairman.
    I must say that the people who operate our grid are highly 
capable and highly trained. It's really enlightening when you 
go into some of the command centers in some of the different 
utilities to talk about how they train, what they do, how they 
respond to events, what they do in their off time to provide 
this different training, the amount of training that's 
required.
    Our Ukraine in a box is another tool in their training 
environments since, for the most part, our utility operators 
are not constantly responding to cyberattacks, being able to 
add this into their training regimen will be something that 
will allow them to see, kind of, real world techniques that may 
be deployed against them, some of the indicators, and how they 
might respond in a non-disruptive kind of desktop environment.
    So, I do think that, from an operational perspective, we 
are in very good shape here in the U.S.
    The Chairman. One of the things that I think about coming 
from a state that is rural and isolated and has more microgrids 
than large, integrated grids, is that you have different levels 
of opportunity for that kind of training that you are saying 
you think is pretty much in place.
    I am thinking that perhaps with our bigger utilities they 
do have that opportunity, but our smaller grids that are 
perhaps not as integrated, as sophisticated, I worry about that 
level of vulnerability and I worry that perhaps we don't have a 
level of training that is applicable for the different types of 
grid that we have throughout the country. Can you put my mind 
at ease a little bit there?
    Mr. Tudor. Thank you, Madam Chairman, I'll try.
    I think that you're right, there are different levels of 
need and different levels of training. I think the development 
of some of these desktop trainings, you know, INL and the other 
labs are known for their very large infrastructure, being able 
to bring people in and give some very unique sophisticated 
training, but also to be able to put some of this training via 
web-based which is happening now. These desktop type of 
environments, we are hoping to potentially make this an open 
source type of learning environment as well so they don't have 
to have our equipment to be able to run this type of training. 
So we are trying to export the training for more accessibility 
all across the nation.
    Mr. Imhoff. Madam Chairman?
    The Chairman. Mr. Imhoff, go ahead.
    Dr. Raines. Oh, I'm sorry.
    The Chairman. Mr. Imhoff and then Dr. Raines.
    Mr. Imhoff. So I was just talking the other day with the 
head of the Northwest Public Power Association and they're 
based in Vancouver, outside of Portland. I believe that a 
number of the smaller utilities in Alaska are small, public and 
rural co-ops, et cetera. And they have training opportunities 
that they provide for their members, but they are voluntary. So 
it's not just Alaska. A lot of states, a lot of small utilities 
struggle to send their staff to training.
    I think that there are opportunities there, processes, to 
work with the associations that they belong to, et cetera, but 
my guess is if you're to talk to those community entities, a 
large fraction of it has to do with the resources available to 
send people to train. And that would be where I would start, 
trying to get a sense for what resources do they need to 
participate in the already existing training opportunities that 
probably would require some travel down to the lower 48.
    The Chairman. Because I do hear from so many of them that 
they are anxious for their own security and knowing that there 
are avenues via the web.
    Dr. Raines, did you want to weigh in here?
    Dr. Raines. Yes, Madam Chairman.
    What I wanted to say was basically there are some good news 
stories in terms of how we're developing workforce. For close 
to 20 years DHS, NSA, and National Science Foundation have been 
partners in these academic centers of excellence for focusing 
toward cybersecurity. There are over 200 universities and 
schools at this time producing cyber-educated folks. And that's 
not just at the graduate level or the undergraduate level, but 
at the community college level. So we're trying to hit or have 
been trying to hit for a number of years, you know, getting the 
workforce developed for the right application areas because a 
lot of the smaller utilities may be using more technician level 
folks than advanced degree folks to help operate. So there is a 
lot of work that's been going into that over the years. I just 
wanted to give that to you, ma'am, as a good news piece in 
developing workforce.
    The Chairman. I appreciate that. I appreciate that, thank 
you.
    Senator King, we have had good discussion here this morning 
with some of the technologies and the efforts through our 
national labs and out in the private sector as to what we can 
do to do a better job of ensuring that we are not as vulnerable 
with our, whether it is our energy grids or other 
infrastructure and had some good testimony.
    We have gone through all the questions, so you are up if 
you would like to engage our witnesses.
    Senator King. Thank you, Madam Chair.
    I want to apologize to you and the witnesses. Speaking of 
technology, there is no effort made whatsoever around here to 
schedule hearings in any kind of coordinated way. I had a 
hearing this morning on the attack in Niger which, obviously, 
is of great, grave concern.
    I understand there has been some discussion of the bill 
that Senator Risch and I have sponsored involving the national 
labs and I won't belabor that except to say I think it is a 
step in the right direction and I understand the panel agrees. 
We will hopefully move that forward.
    This isn't really a comment directed at the panel, but I 
think it is important, Madam Chair, as we are dealing with this 
issue and we spent quite a bit of time on it in the Armed 
Services and Intelligence Committees as well.
    One of the problems is that all of our focus is defensive. 
How do we structure our system defensively? How do we patch? 
How do we have the right breakers and all those kinds of 
things?
    In my view, though, ultimately that is not the whole 
answer. Part of the answer has to be a deterrent strategy or 
doctrine that is well known across the world that if people 
attack us in cyberspace they will feel results. They will also 
be at some risk.
    One of the problems and one of the frustrations is that we 
don't have such a doctrine. And this isn't a criticism of the 
current Administration. The prior Administration did not do 
this either.
    But I think, Madam Chair, if we are going to effectively 
deal with the risk of cyberattack, there has to be a deterrent 
doctrine whereby our adversaries know this kind of attack will 
not be accepted, will be responded to in some way. So I think 
that is a big part of the problem here. We can be the best 
bobbers and weavers in the history of the world, but if you are 
not allowed to ever punch back, you are going to lose the 
fight.
    I think that is something very important that we are 
talking about in Armed Services and we passed amendments to the 
National Defense bill, but we are waiting for the 
Administration and we were waiting for the prior Administration 
to come forth with a cyber strategy beyond simply patching a 
system.
    With that, if you can find a question in there you are 
welcome to it.
    [Laughter.]
    But I just felt that was an important part of this 
discussion. It is not only the technology of strengthening the 
grid, but it is also strengthening the deterrent so that the 
attack doesn't come in the first place.
    Dr. Earl. If you don't mind, I'd like to address that.
    So we talked a little today about quantum technology, 
quantum key distribution technology, which can defend the grid. 
The great thing about that technology or the flip side of that 
technology is it also can be used on the offense. Quantum 
computing can be used to crack codes and really take a much 
more aggressive stance on the offense side. So by investing in 
our own defense, we actually do provide a path to an offensive 
strategy as well if we needed it.
    Senator King. And one of the problems I have observed is we 
are so secretive about what we develop. A secret deterrent is 
not a deterrent. The world has to know what we can do. That was 
the rule with nuclear weapons for 70 years and blessedly it has 
protected us from that kind of catastrophe because of the 
understanding that, if nuclear weapons are used, there is 
mutually assured destruction.
    So I agree with you, but we also, we all tend to, 
particularly in the government, want to keep things secret.
    You all remember, I don't know, you may not, some of you 
are too young, this famous scene in Dr. Strangelove where 
George C. Scott says, ``But Commissar, if you didn't tell us 
about the doomsday machine, it wouldn't work. Well, we were 
going to announce it on May Day.'' We have got to have a 
deterrent. It has to be well known. It has to be clearly part 
of our doctrine.
    Thank you.
    Thank you, Madam Chair.
    The Chairman. Well and to follow on that we had a little 
bit of discussion about where the Chinese are with their 
quantum technology and the distances that they have bridged. 
That is no secret. But I am sure that everyone in the world is, 
kind of, paying attention to what is going on there. So I hear 
your comment.
    One further question on that. I raised China in my opening. 
You spoke to it. What other nations are out there that are 
leading in this space?
    Dr. Earl. So, unfortunately, there's a number of countries 
that are leading the U.S. China, definitely, would be at the 
top of the list. But the EU is making a concerted effort. 
They're spending quite a bit of money to pursue quantum 
technology. Australia and Canada as well are very aggressive in 
this area. So, we're probably fourth or fifth on that list.
    The Chairman. Interesting.
    Any further questions from either of the Senators?
    Thank you, gentlemen. We appreciate the time that you have 
given us and the level of expertise that you bring to this 
subject.
    Know that as it relates to Puerto Rico, as we mentioned 
earlier, we will look forward to the input from our national 
labs there. But obviously we have a great deal of work to do 
going forward as we work to make things more secure.
    Senator King. Madam Chair?
    The Chairman. Senator King.
    Senator King. I apologize. You mentioning Puerto Rico did 
provoke one thought.
    I hope, as we are working on the rebuilding of the Puerto 
Rican grid, we can be thinking to the future instead of 
building a 20th century grid and think about things like 
distributed energy and underground wires and all of those kinds 
of things so that we don't just rebuild----
    The Chairman. Yes.
    Senator King. ----something that is liable to be knocked 
down again in the next great storm. I think this is an 
opportunity that we should seize, and I hope we can all work 
together to see that that happens.
    Thanks again.
    The Chairman. Know that we concur up here.
    Thank you, all.
    With that, we stand adjourned.
    [Whereupon, at 11:38 a.m. the hearing was adjourned.]

                      APPENDIX MATERIAL SUBMITTED

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]