[Senate Hearing 115-489]
[From the U.S. Government Publishing Office]
S. Hrg. 115-489
ADVANCED CYBER TECHNOLOGIES THAT COULD BE USED TO HELP PROTECT ELECTRIC
GRIDS AND OTHER ENERGY INFRASTRUCTURE FROM CYBERATTACKS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
ENERGY AND NATURAL RESOURCES
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 26, 2017
__________
Printed for the use of the
Committee on Energy and Natural Resources
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
27-434 WASHINGTON : 2019
--------------------------------------------------------------------------------------
COMMITTEE ON ENERGY AND NATURAL RESOURCES
LISA MURKOWSKI, Alaska, Chairman
JOHN BARRASSO, Wyoming              MARIA CANTWELL, Washington
JAMES E. RISCH, Idaho               RON WYDEN, Oregon
MIKE LEE, Utah                      BERNARD SANDERS, Vermont
JEFF FLAKE, Arizona                 DEBBIE STABENOW, Michigan
STEVE DAINES, Montana               AL FRANKEN, Minnesota
CORY GARDNER, Colorado              JOE MANCHIN III, West Virginia
LAMAR ALEXANDER, Tennessee          MARTIN HEINRICH, New Mexico
JOHN HOEVEN, North Dakota           MAZIE K. HIRONO, Hawaii
BILL CASSIDY, Louisiana             ANGUS S. KING, JR., Maine
ROB PORTMAN, Ohio                   TAMMY DUCKWORTH, Illinois
LUTHER STRANGE, Alabama             CATHERINE CORTEZ MASTO, Nevada
Brian Hughes, Staff Director
Patrick J. McCormick III, Chief Counsel
Isaac Edwards, Senior Counsel
Angela Becker-Dippmann, Democratic Staff Director
Sam E. Fowler, Democratic Chief Counsel
David Gillers, Democratic Senior Counsel
C O N T E N T S
----------
OPENING STATEMENTS
Murkowski, Hon. Lisa, Chairman and a U.S. Senator from Alaska
Cantwell, Hon. Maria, Ranking Member and a U.S. Senator from Washington
WITNESSES
Imhoff, Carl, Manager, Electricity Market Sector, Pacific Northwest National Laboratory
Raines, Dr. Richard, Director of Electrical and Electronics Systems Research, Oak Ridge National Laboratory
Tudor, Zachary D., Associate Laboratory Director, National and Homeland Security, Idaho National Laboratory
Earl, Dr. Duncan, President & Chief Technology Officer, Qubitekk, Inc.
Riedel, Daniel, CEO and Founder, New Context Services, Inc.
ALPHABETICAL LISTING AND APPENDIX MATERIAL SUBMITTED
Cantwell, Hon. Maria:
    Opening Statement
Earl, Dr. Duncan:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Imhoff, Carl:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
Murkowski, Hon. Lisa:
    Opening Statement
Raines, Dr. Richard:
    Opening Statement
    Written Testimony
    Response to Question for the Record
Riedel, Daniel:
    Opening Statement
    Written Testimony
Tenable, Inc. and Siemens Energy:
    Statement for the Record
Tudor, Zachary D.:
    Opening Statement
    Written Testimony
    Responses to Questions for the Record
ADVANCED CYBER TECHNOLOGIES THAT COULD BE USED TO HELP PROTECT ELECTRIC
GRIDS AND OTHER ENERGY INFRASTRUCTURE FROM CYBERATTACKS
----------
THURSDAY, OCTOBER 26, 2017
U.S. Senate,
Committee on Energy and Natural Resources,
Washington, DC.
The Committee met, pursuant to notice, at 10:01 a.m. in
Room SD-366, Dirksen Senate Office Building, Hon. Lisa
Murkowski, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. LISA MURKOWSKI,
U.S. SENATOR FROM ALASKA
The Chairman. Good morning, everyone. The Committee will
come to order. I apologize we are a little bit later starting
than I had hoped.
Over the years, we have conducted a number of hearings
designed to examine the vulnerabilities of our nation's
electric grid system. In this Congress, we have held a series
of hearings focused on cybersecurity, electromagnetic pulse,
and grid security issues at both the full and the subcommittee
levels.
During today's hearing, we will add to that, by looking at
advanced and emerging cyber technologies and processes that are
being developed in our national labs and in the private sector.
These are technological improvements and sometimes
breakthroughs, that could be used to protect the grid, as well
as other critical energy infrastructure, from future
cyberattacks.
I have mentioned, certainly many times in this Committee,
but outside of the Committee as well, that around the country
sometimes we get the sense that folks believe in this
"immaculate conception" theory of energy, that it just
happens. We all recognize, I think, that there is a lot more to
this than that.
A related question is, what happens when the lights don't
turn on? When you flip that switch and you just expect it to
happen, and then they do not turn on. What happens when
electricity is out for an extended period of time? And we are
certainly seeing that in Puerto Rico and the U.S. Virgin
Islands right now, the real-world impact of an extended power
outage.
Just as we can harden our energy infrastructure to protect
it from natural disasters, we must also look to ways to harden
the grid from constantly evolving cyber intrusions as well. It
seems like every day now we hear about an attempted hack or
actual breach that has taken place, and the list is long and
getting longer. OPM, Ukraine's power grid, the WannaCry
ransomware, Equifax, Anthem, Home Depot, Target, the list keeps
growing and growing. Just last Friday, the Department of
Homeland Security issued a public alert of an ongoing hacking
threat to the U.S. energy systems.
In the midst of all of this, we have to continually look
for ways to eliminate, diminish, or mitigate our
vulnerabilities. So whether it is the application of quantum
encryption, artificial intelligence, or moving control of grid
infrastructure off of the public internet, the witnesses we
have today will help provide our Committee with insights into
how we can protect our national energy infrastructure now and
into the future.
I mentioned quantum encryption, and I would like to note a
recent article by McClatchy about the advances that China has
made on this topic. Earlier this year China announced that a
satellite and ground station 745 miles apart had communicated
through quantum particles. Last month a video conference
between China and Austria, a distance of about 4,600 miles, was
held via China's quantum satellite. They have established a
1,200-mile quantum link between Shanghai and Beijing and
announced that they will build a $10 billion quantum research
facility. According to that article, some scientists believe
that with the amount of resources China is putting into the
field, a quantum computer may be built in a decade or less.
Whether or not these claims are accurate, I think, remains to
be seen, but it is clear that significant research is underway
around the world in the cyber realm.
I want to thank our witnesses for joining us today. I look
forward to learning about the efforts that you have been
involved with to combat and deal with this threat, particularly
on the work that you are doing to keep our electric grid and
our energy infrastructure safe and reliable. So thank you for
joining us.
I now turn to Senator Cantwell for her comments. And I want
to thank you, Senator Cantwell, because you have been dogged
and persistent when it comes to the issue of cyber and the
cyber threats, particularly as they relate to our energy grids.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Well, thank you, Madam Chair, and thanks
for scheduling this important hearing so we can continue the
discussion about what technologies we need to protect our
electric grid and make sure that our whole energy
infrastructure is protected from cyberattacks.
I want to say at the outset, I spent much of this summer
working on this issue and spent a great deal of time at our
national labs with Secretary Perry focusing on some of our
cybersecurity solutions. I hope that he understands the
pressing need here and will restore the DOE's crippling
cybersecurity budget that was proposed by the Administration.
It is very important that we continue to have the resources as
a nation to fight and to protect key energy infrastructure.
I am dismayed that instead of focusing on cybersecurity as
one of the key issues of resiliency, he is instead trying to
get a command economy approach with FERC by trying to change
market-based rate prices for consumers and instead trying to
push a rule that would drive coal into the marketplace and
raise rates on consumers. I think that FERC operates best when
it operates on market rules.
I am also requesting this morning, Madam Chair, in light of
yesterday or two days ago's amazing news about the huge
increase in park fees that we have a hearing on this in the
future. Many of my constituents woke up to, literally, shock
over the fact that these exorbitant rates would be charged in
our park system. I hope that we can have some input on this and
show that our constituents are extremely concerned about it.
For us in the Northwest, our outdoor economy is a big
juggernaut. I know it is in your state as well.
But anyway, thank you for having this hearing and thank you
to the witnesses for being here. It is such a critical issue
and getting your input is very important.
I would also like to especially welcome Mr. Carl Imhoff,
who is testifying on behalf of the Pacific Northwest National
Laboratory (PNNL). Again, thank you for hosting us and the
Secretary earlier this year and for all the impressive work
that you do.
Cybersecurity is the one issue that keeps me up at night
worrying about how foreign entities and actors might attack us
as the next provocation in a national/international effort. We
used to think of it as a plane that might fly into airspace or
a sub that might cross international waters, and now what we
have to worry about is provocations from actual grid attacks.
If we don't make the necessary investments to prevent and
defend against these impacts, our enemies could succeed in
causing widespread blackouts or devastating the economy or
threatening to bring millions of Americans to the point of
without power being in great disarray.
As I referenced earlier, the Trump Administration proposed
budget cuts to the cyber programs at DOE and put our critical
infrastructure at risk. I have conveyed those concerns to the
Administration in two letters, and as I said, spent a lot of
time this summer hoping that they would see the impacts here to
our budget and what they would do.
Since our Committee's last cybersecurity hearing when we
discussed the Ukraine outages of 2015 and 2016, we have
witnessed numerous large-scale cyberattacks as the risks
continue to grow. In July, the Washington Post reported that
the Russian government hackers were behind cyber intrusions
into U.S. nuclear power plant business systems. In September,
it was revealed that the hackers accessed the personal
information of 143 million Americans through the data breach of
Equifax. And just this week, the Department of Homeland
Security issued a report about ongoing cyber threats to
nuclear, water, and energy sectors that appear to reference the
July incidents that I just mentioned.
With each day of cybersecurity threats to the grid and the
multiple efforts that are underway, it is important that we
continue to combat effectively our security risk through
innovation. We need to take action.
The good news is our national labs are ready to play a key
role in bolstering our cybersecurity, and they do so in close
collaboration with the private sector. The PNNL cyber firewall
blocks 24 million suspected internet communications, 25,000 of
which are confirmed cyberattacks. That is what they do each
day, so I have no doubt that they know how to help protect our
country and our important missions.
Our witnesses today will demonstrate the breakthroughs that
result from these productive public-private partnerships and
why they need to continue. In that vein, I am calling on an
increase in collaboration between the government, private
sector, utilities, military, and academia. I know we are going
to, in our state, try to continue the discussion at the
University of Washington Bothell in a symposium on energy
cybersecurity workforce.
I have also, on the Commerce Committee, attended some of
the hearings that that Committee has had on cyber workforce.
And we know from our DOE Quadrennial Energy Review, this is
exactly what the previous Secretary said we needed to do, was
to help build the cyber workforce for tomorrow. Hopefully this
symposium will bring together critical partners to leverage the
knowledge, expertise, and experience of all aspects of the
challenge that we face.
It is clear to me that cyber solutions will require us to
leverage the world class expertise of our labs, the private
sector, and all of us working together. That is why I hope that
Secretary Perry and the President will reverse their harmful 32
percent cut to the Department of Energy's cybersecurity budget
without further delay and hopefully help us make the
investments we need for the future.
Thank you.
The Chairman. Thank you, Senator Cantwell.
Know that I join you in your concern with the recent
announcement from Park Service about the fees. So that is
something that we will look to.
I welcome you to the Committee this morning. Thank you for
giving us your time.
I will introduce each of you and give you an opportunity to
present your opening statements for approximately five minutes
or so. Know that your full statements will be included as part
of the record. After each of you have presented, we will have
an opportunity to ask questions of you.
We will lead off with Mr. Carl Imhoff, who is the Director
for the Electricity Market Sector at Pacific Northwest National
Laboratory. Welcome. Dr. Richard Raines is the Director for
Electrical and Electronic Systems Research Division at Oak
Ridge National Laboratory. We have another national lab expert
with us this morning, Mr. Zachary Tudor, who is the Associate
Laboratory Director of National and Homeland Security at Idaho
National Laboratory. Dr. Duncan Earl is with us. He is the
President and Chief Technology Officer for Qubitekk,
Incorporated. And the last member of the panel this morning is
Mr. Daniel Riedel, who is the CEO of New Context Services, Inc.
We are delighted to have each of you.
Mr. Imhoff, if you would please lead off, thank you.
STATEMENT OF CARL IMHOFF, MANAGER, ELECTRICITY MARKET SECTOR,
PACIFIC NORTHWEST NATIONAL LABORATORY
Mr. Imhoff. Thank you, Chairman Murkowski, Ranking Member
Cantwell, and members of the Committee for the opportunity to
join this hearing today.
My name is Carl Imhoff, and I lead the grid research
program at DOE's Pacific Northwest National Laboratory in
Washington State. For more than two decades PNNL has supported
system resilience, reliability, and innovation for DOE and
utilities across the nation. I also chair DOE's Grid
Modernization Laboratory Consortium, a team of 12 national
laboratories, including Oak Ridge and INL, that supports DOE's
grid modernization initiative, along with over 100 partners
from academia and industry.
Today I'd like to offer two points regarding advanced
technology for improved cyber resilience of the nation's power
system.
Point one. Cyber risk information sharing between industry
and DOE has significantly improved our national grid cyber
readiness. The public-private effort must continue to advance
in scope, speed, and industry inclusion to deliver full
situational awareness of both operational control systems as
well as utility enterprise networks.
Point two. Beyond situational awareness, the fundamental
science and technology offer important opportunities to deliver
defensive tools that span the growing Internet of Things
challenges at both the grid edge as well as core grid
operations. And in this area, I'll offer three examples.
Looking first at improving grid cyber situational
awareness, PNNL and DOE developed and deployed the
Cybersecurity Risk Information Sharing Program, or CRISP, first
for DOE assets across the U.S. in the early 2000s. This concept
was successfully tested on utility activities and transitioned
to industry leadership via NERC over the past few years with
industry investing in infrastructure and DOE funding the
intelligence evaluation. This voluntary program identifies
cyber threats and shares that information with utilities that
collectively generate over 75 percent of the electricity of the
United States. This effort continues to expand coverage and
improve the speed, accuracy and affordability of situational
awareness tools.
Going forward, PNNL is extending cyber situational
awareness to better address grid operational control systems or
OT and other interdependent infrastructures such as fuel
delivery in light, natural gas pipelines, and communications.
We believe that the nation must develop an integrated real-time
view of the cyber risk spanning the IT and OT elements of the
power system. NERC standards already require significant sense
of the OT environment. PNNL is applying advanced real-time
analytics to these OT data streams leveraging the fundamental
science of high performance computing, statistics and a
re-emerging field of deep learning. Deep learning refers to
advances in artificial intelligence concepts from the '90s that
are delivered on a profoundly improved, high performance
computing platform. That's the big delta since the '90s. And
they leverage the ultra large data sets that are growing and
emerging in the power system as well.
These new tools will uncover relationships and trends that
indicate cyber risk or control system anomalies resulting in
better, faster operational decisions and automated
machine-to-machine exchanges.
Beyond improved situational awareness, the nation must also
develop inherently resilient paradigms for networks, open data,
and system controls.
Adaptive networks are important because the emerging grid
is substantially more dependent upon communications today than
it was even ten years ago.
PNNL recently teamed with Schweitzer Engineering in
Washington State to develop a product using a new concept
called software defined networks to enable reconfiguration of
communication networks through software commands. These
networks provide an additional adaptive defense layer for the
grid.
Data resilience concepts are important because of the
growth in e-commerce and new utility market constructs. The
challenge is how to protect data in open environments. One
example is blockchain, the technology that Bitcoin uses to
secure transactions. Resilient data concepts will enable secure
use of distributed power generation and energy storage systems
and help secure emerging market constructs like transactive
energy.
A third technology innovation is adaptive control systems
which adjust to real time based upon system conditions.
Adaptive controls can provide a more level cyber playing field
by adjusting on the fly to confuse, obfuscate, and mislead
adversaries as they attack the system.
Cyber technology innovations are absolutely essential, but
they're not sufficient to deliver a national cyber readiness
posture. Small and midsized grid operators must learn and
implement fundamental best practices in cyber applications and
regulators and utilities must have new valuation tools and data
sets to evaluate cyber technology investments and provide the
regulatory incentives essential to delivering these improved
technology assets.
So, in conclusion, industry and DOE cyber sharing efforts
have significantly advanced our cyber situational awareness and
the next challenge is to integrate control system situational
awareness to achieve full awareness across IT and OT systems.
And in parallel, we need to leverage high performance
computing, deep learning and new control theory to develop
inherently resilient systems and system designs for networks,
data and grid control systems.
Thank you.
[The prepared statement of Mr. Imhoff follows:]
The Chairman. Thank you, Mr. Imhoff.
Dr. Raines, welcome.
STATEMENT OF DR. RICHARD RAINES, DIRECTOR OF ELECTRICAL AND
ELECTRONICS SYSTEMS RESEARCH, OAK RIDGE NATIONAL LABORATORY
Dr. Raines. Good morning, Chair Murkowski, Ranking Member
Cantwell and members of the Committee. Thank you for the
opportunity to appear before you today with this distinguished
panel.
I'm Dr. Rick Raines, Director of Electrical and Electronics
Systems Research at the Department of Energy's Oak Ridge
National Laboratory (ORNL). I previously served as the Director
of Cybersecurity Data Analytics at ORNL which was followed by a
military and federal service career where I founded and
directed the Air Force Cyberspace Technical Center of
Excellence at the Air Force Institute of Technology.
The Department of Energy's national laboratory system has a
long history of providing solutions to the nation's hardest
problems. Our structure and operations encourage partnerships
with industry and other institutions to solve big science
challenges. Cybersecurity of our critical energy infrastructure
is a national challenge demanding national focus.
Today, I want to address the importance of securing a
resilient, electrical grid and discuss some of the
technological breakthroughs we're developing at ORNL to harden
the grid defenses.
As you're well aware, our electric grid is a vital national
asset. It is also a system that's becoming increasingly
vulnerable to cyber intrusions, due in large part to its
increased connectivity with the public internet.
As industry has embraced these technological and
cost-effective advances, operational risks have increased. Energy
sector devices and systems are experiencing increased exposure
to savvy and nefarious cyber actors. As a result, we're in a
highly dynamic cycle of developing cybersecurity measures and
capabilities to address these rapidly emerging threats.
Our challenge is to produce solutions to better protect
energy sector communications and controls while continuing to
make the grid smarter and better able to recover when problems
do arise, including the devastating effects of Hurricanes
Harvey, Irma and Maria.
At Oak Ridge our scientists and engineers are engaged in
research to defend and modernize the grid, including real-time
monitoring and sensing of the grid state and new technologies
to control and better utilize distributed power resources such
as community microgrids. We have developed cybersecurity
technologies that can detect intrusions, such as malicious
software code, advanced persistent threats, and real-time cyber
awareness tools to detect anomalies and network communication
traffic.
Among our cybersecurity work is a concept called Dark Net.
The Dark Net vision is to shield the nation's electric grid
from hostile cyber intrusions while advancing the state of the
art and anticipating and mitigating threats. The Dark Net, in
its most simple terms, is a way to get the communications and
control of the electric grid off the public internet. Moving
these functions onto a private system could be accomplished
using existing and underutilized optical fiber, commonly known
as dark fiber. It's estimated over 100,000 miles of optical
fibers exist within the U.S. Bundling with multiple fibers,
communication techniques can easily increase its capacity
tenfold.
I'd like to be clear that the Dark Net is not just about
moving the grid's command and control functions off the public
internet, nor is it just about the unused fiber that we have,
but it's about creating and leveraging a holistic tool kit of
capabilities to make it harder for an adversary to exploit our
systems.
Working with our private and public partners we envision
Dark Net as a highly secure, resilient, and redundant
communication sensing and technical assistance solution
supporting all elements of the electric enterprise and its
supply chain. Our goal is to develop methods so that these
attacks are automatically detected, isolated, and defended,
achieving a self-aware, self-healing network. We believe the
Dark Net project can provide cost-effective, secure solutions
to include the use of new and existing dark fiber and advanced
communications and cybersecurity technologies; working with
industry to create living laboratories where we'll test
security functionality and resiliency; implementing new
technologies in tool kit form and operational security
approaches to protect against grid and cyber threats; and
lastly, enhancing grid state monitoring with advanced sensing,
measurement, and situational awareness. The grid must evolve to
address a variety of challenges such as cyberattack, severe
weather, a changing mix of power generation types, the growth
of interconnected smart devices, and the aging of our energy
infrastructure. We envision Dark Net as a key component in the
evolution toward a secure national energy asset.
In conclusion, Oak Ridge National Laboratory and the other
DOE national labs stand ready to work with public and private
partners to develop and employ innovative technical solutions
to protect the nation's electric grid.
Thank you again for the opportunity to provide this
briefing. I welcome your questions.
[The prepared statement of Dr. Raines follows:]
The Chairman. Thank you, Dr. Raines.
Mr. Tudor, welcome. I know that Senator Risch wanted to
make a comment before you spoke.
Senator Risch. Well thank you.
Zach, welcome to the Committee. You are in for a real treat
here.
I have gotten to know Mr. Tudor in his capacity as
Associate Lab Director at the Idaho National Laboratory. He is
responsible for the lab's national and homeland security
mission and that includes nuclear non-proliferation, critical
infrastructure protection, obviously, very important to this
hearing and defense systems missions. He has an incredibly
impressive resume which I am not going to go into here, but he
is the right man for the job in Idaho. We are glad to have him,
and he is the right person for this hearing which you are going
to see in a moment. So, welcome, Zach.
The Chairman. Thank you, Senator Risch.
Mr. Tudor, welcome.
STATEMENT OF ZACHARY D. TUDOR, ASSOCIATE LABORATORY DIRECTOR,
NATIONAL AND HOMELAND SECURITY, IDAHO NATIONAL LABORATORY
Mr. Tudor. Thanks.
Chairman Murkowski, Ranking Member Cantwell and
distinguished members of the Committee, thank you for holding
this hearing and inviting Idaho National Laboratory's (INL)
testimony on advanced technologies to protect the U.S. power
grid and other energy infrastructure from cyberattack. I
appreciate the opportunity to address this Committee and
express my utmost respect and gratitude for your leadership and
continued interest in this topic.
I also want to acknowledge my peers and partners from
industry and national labs who will share their examples of
innovation, unique capabilities and technology breakthroughs in
areas such as situational awareness, quantum computing,
sensors, automation, modeling and simulation and visualization.
The cyberattacks on the Ukraine power grid demonstrated how
quickly these events can move and impact a wide variety of
interdependent systems across the region. In the U.S. high
profile events like Nuclear 17 and Palmetto Fusion illustrate
why utilities and regulators are concerned with increasing
burdens due to more sophisticated and frequent cyber events.
Industry must have advanced capabilities and cyber skills not
only to detect but also to respond to these events before there
is an unacceptable impact.
Protection of the grid and energy infrastructure from
cyberattack is one of the nation's most difficult technical and
operational challenges and requires the national laboratory's
capabilities.
INL enables research and development of cybersecurity
solutions to understand and manage the multifaceted
interdependencies between the grid and other critical
infrastructure, detect and respond within compressed timelines
to prevent highly impactful consequences and develop top tiered
defenders to mitigate sophisticated threat actors. As part of
our national laboratory leadership role in addressing this
national challenge, INL advocates that effective grid and
energy infrastructure protection is achieved, not only with
advanced technology, but also requires innovative engineering
approaches in a deep pool of top tiered cyber defenders.
As such, the development of technology process and people
are priorities within INL's strategic initiative, the Cybercore
Integration Center. This initiative is envisioned to create and
align national science and engineering resources, technical
expertise, and collaborative partnerships to focus on scalable
and sustainable control system cybersecurity solutions--
solutions that protect the U.S. grid, other critical
infrastructure, and also military systems.
In response to your request for INL's participation in this
hearing, I provide several examples in the written testimony of
INL's progress in developing advanced technology solutions,
advanced engineering processes, and the development of that top
tier workforce. For brevity, I will quickly summarize four
examples.
In collaboration with the partners of the California Energy
Systems for the 21st Century (CES-21), an innovative concept
from machine-to-machine automated threat responses is being
developed. When this research proves successful, utilities, and
not only California utilities, will have access to automated
threat and exploit prioritization capabilities that will reduce
the time for discovery and recovery from illicit behavior
resulting in increased resiliency of the electric grid.
The INL Autonomic Intelligent Cyber Sensor will enable
system owners to more easily design, implement, and monitor
cyber secured control system networks. The goal of this
technology is to automate network information, deploy deceptive
virtual hosts, kind of virtual and dynamic honeypots, and
identify threats on network traffic with very high accuracy.
These two advanced technology examples represent
opportunities to gain benefits of machine-to-machine speed in
responding to cyber intrusion or attack. The next examples
emphasize an engineering approach and workforce development
strategy for grid protection.
Recognizing that just chasing vulnerabilities has not been
sufficient, our Consequence-driven, Cyber-informed Engineering,
or CCE, is a transformational engineering process methodology
that fully leverages an organization's deep engineering
expertise and their intimate knowledge of their own systems and
processes. This enables the organization to eliminate and
manage the cyber risks that could result in the greatest
consequence.
A pilot study was completed with a major U.S. electric
power utility to determine the potential value of CCE to assist
utilities with reducing cyber risks by implementing
cyber-informed engineering solutions while engineering out
vulnerabilities and attack pathways that detect those severe
consequences.
Following the Ukraine attack, INL researchers used their
experience gained while investigating the event to convert the
lessons learned into a training course for utilities. The
Ukraine event in a box devices fit on a desktop and are
designed to challenge course participants to cyber defend the
equipment that they routinely encounter.
In summarizing, the described examples highlight
Cybercore's holistic research and development strategy for
control system cybersecurity innovation.
I do want to re-emphasize that solutions to protect the
grid and energy infrastructure are realized through deployment
of advanced technologies, implementation of enhanced
engineering and operational processes, and the development of
a highly-skilled and well-informed workforce.
I thank the Committee members for this opportunity to share
our strategy and examples of the progress in protecting the
grid and energy infrastructure, and I welcome your questions.
[The prepared statement of Mr. Tudor follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Tudor.
Dr. Earl, welcome.
STATEMENT OF DR. DUNCAN EARL, PRESIDENT & CHIEF TECHNOLOGY
OFFICER, QUBITEKK, INC.
Dr. Earl. Thank you and good morning.
Madam Chair Murkowski, Ranking Member Cantwell, members of
the Committee, I am Dr. Duncan Earl, President and Chief
Technology Officer at Qubitekk. Thank you for inviting me to
appear before you today to discuss the role quantum technology
can play in protecting our electrical grid.
The U.S. electrical grid has operated for nearly 150 years
without experiencing a large-scale, long-term blackout. This is
a testament to the hard work of the men and women who maintain
the grid as well as the many smart devices that we depend on to
monitor and control it.
However, the grid has never faced a threat of the type and
severity as it is experiencing today. Over 70,000 power
substations throughout our country depend and rely on smart
devices to maintain the delicate balance between energy
generation and energy demand. Effective coordination between
these devices is only possible when they share data that is
accurate and uncompromised.
Unfortunately, as we have seen in other countries, the
ability of hackers to infiltrate grid networks and corrupt
these communications is real and growing. To prevent a
devastating attack on our own nation's electrical grid, we must
implement the best cybersecurity solutions possible to protect
sensitive grid communications.
If you ask utilities today, ``At this very moment, are your
communication channels secure?'' many will admit that they do
not know. A new technology, quantum technology, can allow them
to answer, ``Yes.''
Quantum technology enables communications that cannot be
intercepted or altered. Any attempt to do so can be immediately
detected and thwarted. Fundamentally different from past
solutions based on mathematics and software, this new solution
is rooted in physics and uses hardware to create a trusted
channel that is secure today, tomorrow, and a thousand years
from now.
Quantum technology uses the laws of quantum physics to
generate secret keys that cannot be cracked. The keys are
transmitted as light through optical fibers to devices in the
field. Although quantum physics, with the demonstrations of
teleportation and particles existing in parallel universes, can
sound like science fiction, its application to grid security is
real and near-term.
At Qubitekk, with funding from the Department of Energy
Office of Electricity's Cybersecurity for Energy Delivery
Systems, or CEDS, program, we are conducting preliminary tests
of quantum technology with utilities in California and
Tennessee. In 2018 and 2019, larger pilot testing within
substations is planned. We are also working closely with our
industry and national laboratory partners to develop protocols
that allow traditional communication solutions to integrate
with these new quantum systems.
To speed the adoption of this technology, though, will
require government action. With government support, a
nationwide quantum-protected network between our substations
can be built, creating an impenetrable shield around our grid's
communication channels. With increased funding to existing DOE
programs, quantum-enhanced cybersecurity solutions can be
developed to protect every substation in our country.
Ultimately, as occurred with the Internet, early government
investment in communication infrastructure and equipment will
be needed.
Finally, Senators, let me suggest the most important reason
yet why we must embrace and pursue quantum technology, and I'll
echo what Senator Murkowski said. China has already developed
and installed the foundations for a nationwide quantum network
that leverages both fiber optic and satellite-based
communications. Last month they demonstrated the first-ever
quantum secured video call between China and the European
Union. Earlier this month, they committed $10 billion to the
creation of a massive new quantum information laboratory in
Eastern China. Although much of the basic science in quantum
technology was developed here in the United States, our
hesitation in its implementation has left us far behind in the
quantum race.
Quantum networks are just the beginning of the quantum
revolution. Quantum technology will revolutionize
cybersecurity, computers, artificial intelligence, chemistry,
medicine, and ultimately, the world economy. Building a
quantum-protected grid will not only strengthen America's
security but will also create a sustainable first market for
quantum technology here in the U.S. It represents a significant
step toward challenging, and eventually overtaking, our
counterparts in Asia and the European Union.
With that, I look forward to your questions on this
technology.
[The prepared statement of Dr. Earl follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Dr. Earl.
Mr. Riedel.
STATEMENT OF DANIEL RIEDEL, CEO AND FOUNDER,
NEW CONTEXT SERVICES, INC.
Mr. Riedel. Good morning.
Chairman Murkowski, Ranking Member Cantwell and the other
members of the Committee, it's an honor and privilege to
testify. My name is Daniel Riedel. I'm the CEO and founder of
New Context Services. New Context was founded in 2013 with a
vision of keeping the connected world safe. Our mission is to
use lean security to automate the orchestration, governance and
protection of critical infrastructure.
New Context is working with Southern California Edison,
Pacific Gas and Electric, and San Diego Gas and Electric, in a
partnership with Idaho National Lab and Lawrence Livermore
National Lab in advanced cybersecurity research for machine-to-
machine threat detection and response referred to as California
Energy Systems of the 21st Century. That work has resulted in
our involvement in the STIX/TAXII and OpenC2 standards that are
becoming the default for governmental agencies, enterprises,
and information sharing communities to distribute threat
intelligence. New Context also offers secure engineering
services to many industrial and financial services firms.
There are five cyber-defense areas I will be discussing
today: Identity, Trusted Data, Attributed Isolated Networks,
Threat Detection & Sharing, and Automated Response &
Remediation.
Twenty billion IoT devices will soon be connected to the
internet to grow our economy. At the same time, Smart Grid
technologies are being rolled out to the energy grid.
Organizations such as General Electric, ABB, and Siemens are
building new technologies to create efficiencies in our
nation's demand for electricity.
Each of these technologies is going to add new vectors of
attack while at the same time current attacks are increasing in
number. Some of these attacks have physical consequences such
as BlackEnergy in the Ukraine.
Over 80 percent of all attacks are the result of stolen
credentials. Credentials are a weak link in cybersecurity. We
must move to multi-factor, biometric, and continuous
authentication for all individuals who interact with critical
infrastructure.
For each human, device, or application that attaches to
critical infrastructure, we must strengthen the validation for
the authority to operate. Rolling out more advanced processes
of attribution across the energy grid faces these challenges:
current credential technology, current IT practices, legacy
applications, and the age of the equipment. Within critical
infrastructure networks we must trust the data that is used in
the decision-making process. Blockchain frameworks can provide
this trust. Cryptographic trusted data can be used for a
variety of use cases in the energy grid.
Isolated networks are used effectively as a method of
network separation. However, insider threats and malware can
still operate within that network. To build an attributed
isolated network, we have to look at every device on the
network to ensure identity of the operator and the operational
history of that device. With stronger identity, we can
strengthen legal evidence to more effectively prosecute
malicious attacks.
The ability to identify and share threat data at machine
speed helps prevent the spread and propagation of attacks.
Early in our work with CES-21, New Context identified STIX to
be the best format for sharing threat intel and remediation
data. New Context has begun working with the STIX community and
the energy industry to extend STIX for the grid. STIX is just
the first step; we now need the ability to share threats and
remediations automatically between organizations. Several
information sharing organizations have begun, but we still
heavily rely on human analysts. If there were a coordinated
attack on the grid those analysts would not be able to respond.
To continue to advance threat intel we need to use new
technology such as artificial intelligence to speed up the
response.
Discovering and sharing threats at machine speed is a huge
step in the right direction, but the logical next step is an
automated response remediation. The first hurdle in automated
response is trust by third party. We will need to ensure that
there is trust in remediation. Once we have been able to solve
for that trust, then our utilities, national labs, and agencies
can distribute the remediation to the energy grid. These
remediations can be deployed with the utility networks allowing
them to rapidly respond to attacks.
In summary, Identity, Trusted Data, Attributed Isolated
Networks, Threat Detection & Sharing, and Automated Response &
Remediation are technologies to focus on for advanced cyber
defense. The battlefield continues to change, and we need to
look at new ways of protecting our infrastructure.
Our adversaries are formidable, and the challenge to the
organizations is the high cost of defending their assets while
the cost to attack them is low. This is a hidden tax on our
economy that will continue until we address the root cause
instead of the symptoms.
Investing in these technologies will lower the cost to
defend our infrastructure and raise the cost to attack our
infrastructure. This will allow more innovation in our industry
and allow us to build the appropriate framework to welcome
these 20 billion devices.
Thank you for the opportunity to testify. I look forward to
today's questions.
[The prepared statement of Mr. Riedel follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Riedel.
Thank you, all of you. Very interesting testimony, very
important testimony. We just really appreciate it.
I think we look to some of the breakthroughs that are out
there and these technologies that we hope will allow for that
level of protection, but many, several, of you have spoken to
the human factor. We recognize that most of the control systems
today are separated from the public internet by a firewall or
an air gap, but we can still see intrusions through human
error, whether it's transferring data via a flash drive from a
public network to a secure one or vice versa. So even with all
of the advances that we have out there and the processes that
you have mentioned, we are still in a situation where we have
exposure to security breach.
Dr. Raines, you mentioned the Dark Net. How do we work to
protect the Dark Net from this type of activity, the breach
through the human factor?
And then I also want you, Dr. Earl, to speak a little bit--
you mentioned the quantum technology that I had raised in my
opening, and you have suggested that a quantum protected
network will create an impenetrable shield around our grid's
communication channels. But does that apply to the insider
threats as well? I am interested in this aspect. Technology is
great; sometimes it is the human factor that is our weakest
link.
Dr. Raines. Thank you, Senator, for that question.
Addressing, first of all, the human link, certainly it's
going to be with us. And so, how do we take and do better
education and training of people who have not been exposed,
historically, to these types of things?
We have a lot of folks in the industry that are very good
at operationally providing those capabilities and safety
paramount. But when you start talking about cybersecurity, it's
a little bit of a foreign issue in terms of some of the
industry partners out there.
So, how do we take and raise this awareness so that, you
know, they understand the threats that exist? Additionally,
from a standpoint in making sure that the systems are patched,
updated, these are mainly IT type systems that are being
utilized. So there are steps that we can take from that
standpoint to help out the industry.
With regards to the Dark Net concept that we're proposing
here, moving the command and control communications away from
the internet, at least, separates, as you mentioned before, air
gapping, if you will. There are exploits that get across air
gaps as we know, but having separate control and communication
capabilities via these fibers, as was mentioned by Dr. Earl,
will give us some enhanced capabilities to understand and
immediately determine if there was any type of exploitation
that may hit. So as long as we can take and have that
separation that we don't connect back or add additional vectors
for exploitation, we believe that there's going to be that
added level of security that can occur by going to the
separate, secure, if you will, dark fiber implementation and
advanced communication capabilities as well, that we would
implement, but----
The Chairman. Let me ask Dr. Earl to speak on the quantum
technology side and the vulnerabilities there.
Dr. Earl. Yeah, absolutely.
So, quantum technology is a very powerful technology, but
the grid is going to require many solutions. It's just a piece
of that puzzle.
However, quantum technology solves two very important
problems, and it's the foundation upon which you can build a
more secure grid. The first is it provides a way to immediately
detect if somebody is tampering with your communication
channels, and the second thing that it can do is it can provide
encryption that cannot be broken. There always is a concern
about insider threat. Quantum technology doesn't address that.
It addresses the securing of channels, but you need that first
before you can build up the rest of the solution.
The Chairman. So very quickly on the quantum technology.
You have mentioned the traditional systems can be integrated.
How easy is it to do that?
You have technology--does the technology need to be built
into the grid during its development or is it relatively easy
to add it to existing structure?
Dr. Earl. We can retrofit it, and we argue that it's
actually easier than other approaches that we might use for the
internet for securing and establishing secret keys among
devices. So, it is very grid centric. It is very easy to
implement and retrofit.
The Chairman. Okay.
Senator Cantwell.
Senator Cantwell. I would like to yield to my colleague for
a question.
Senator Risch. Thank you. I appreciate that.
Senator Cantwell. He is going to go take care of us in
small business----
[Laughter.]
----which probably should be part of this discussion.
Senator Risch. As you know this is Women's Small Business
Month, so the hearing is on that. I knew you would be very
interested in that.
Senator Cantwell. Good. And I am sure this subject
interests you too, as we talk about solutions on cyber where
you have to think about how we help small businesses.
Senator Risch. That is true.
Senator Cantwell. Because they have the least ability to
put some of these things in place. So we need to think about
that.
Go ahead. I'm sorry.
Senator Risch. Thank you so much.
Mr. Tudor, you mentioned the CCE methodology during your
testimony. You also provided written testimony, and I have not
had a chance to look at that yet. Do you expound on that
methodology in your testimony that you have submitted?
Mr. Tudor. I did, sir.
Senator Risch. Okay.
That methodology was first introduced as INL's unique
cybersecurity innovation in April by Mr. Andy Bachman to this
Committee. Since then it has attracted some positive attention.
But in addition to that, it seems to have created some
confusion, indeed some might even say criticism, that
discussing whether it is really a process that is a step
backward from technology innovation. Could you address that,
please?
Mr. Tudor. Sure. Thank you for your question, Senator.
We feel that Consequence-driven, Cyber-informed
Engineering, or CCE, is actually a step forward in some of our
engineering processes in that we look to use the right
technology, you know, for the right purpose and implementation
of cyber controls.
I think some of the criticism has been about the mention of
using analog devices as if it's a step back into the Stone Age.
But in some of these cases we can use the CCE methodology to
understand those critical consequences and the attack paths
that lead up to them.
We can identify choke points for various of these different
attacks and do what we call disruption zones, areas where we
can place a discrete, non-programmable component, potentially
an analog component, that can't be hacked by software means,
doesn't have software vulnerabilities in it. And then, we'll
just drive that attacker work factor, you know, way up because
their normal methods of internet-based, of software-based
activity will be thwarted at that point.
So as you work with an organization and, once again, this
is not something that just the national lab or another provider
can do. The organization that's being protected works very
closely to understand what those consequences are, what their
engineering processes are.
Identify those paths, work with them, understand who might
potentially attack and what potential motivations there are.
And then, develop those mitigating ideas and identify the
disruption zones and implement them. We found with our partner
that they felt that the entire process helped them give them a
different perspective on how to protect their environments.
Senator Risch. Thank you. I think that is a clear
explanation.
Thank you, Madam Chairman. Thank you, Senator Cantwell, for
yielding.
The Chairman. Senator Cantwell.
Senator Cantwell. Thank you, Madam Chair.
I just want to thank all the witnesses again. This is
excellent testimony across many fronts and, actually, the
diversity of ideas yet cohesiveness of the ideas is so
important. So I thank you for that.
I obviously want to thank Mr. Imhoff again for your
leadership. You have helped the State of Washington provide on
this, everything from working with our National Guard to
creating a response to the technologies that we've been able to
deploy.
I think when we think about this, the synchro-phasor
technology that the lab has worked on and was part of your
testimony actually saved California customers an estimated $360
million plus due to improved utilization of existing systems
and making these tools more resilient to cyber threats.
We can see already there is work and application that is
being done that is helping us strengthen the grid from
blackouts, and we need to keep going.
Mr. Earl, the Department of Energy Office of Electricity's
Cybersecurity for Energy Delivery Systems program helped fund
the work that you are doing. I feel that one of the key aspects
here is the need to continue to do R&D and innovate and test
and apply. I see you are all nodding on that. I guess that is
what I am trying to help our colleagues understand here.
Sometimes I say in the information age we are only in the
third inning of the ballgame. Here, I'm not even sure if we
have started the game. Actually we have because of the great
work that you all are doing.
But how would you characterize where we need to go with
research, workforce, and this continued collaborative effort,
in the context of where we are today and how this will evolve?
Mr. Earl, I think you said it, or Mr. Riedel did, that this
is ever changing. Whatever we are doing today is going to
change and evolve. So where are we with the level of investment
and workforce and level of interconnected responses and I mean
people responses that we need to build here?
Maybe we can just start with you, Mr. Imhoff?
Mr. Imhoff. Thank you, Senator Cantwell.
It's a complex question. I would say on the Department of
Energy side, programs like the CEDS cyber program at OE and
others are funding a lot of the innovations here, several of
them today, where the injection of funding is adding value.
In terms of the grid modernization initiative, the Congress
Appropriations, that initiative is strong and moving forward at
this point in time.
I think one of the challenges, while we have over 100
industrial partners working on these projects, the public-
private partnership is essential. You have to have the field
validation so that the people, the operators, the switchmen, et
cetera, understand and can get their arms around the new
concepts so what they bring to bear, to offer.
The industry is a little challenged now because they're
facing flat sales and a lot of challenges on cyber and other
things. So industry is stretched thin from a human workforce
standpoint. They have a challenge adding more things on to
their plate.
But the manpower issue is part of that, clearly. The
training, the access, the large number of utility workers who
are retiring, and there's a lot of work in terms of development
and feeding the pipe for the next generation, whether it's
cyber or other grid activities. So I think it's all very
closely interwoven in terms of getting the workforce right,
getting the training done.
And I would say that there are many, some of the new topics
around analytics and other things are new dimensions that need
to be added, I think, to the workforce, focus that needs to go
beyond just enterprise cybersecurity, which, I think, has been
the dominant focus for, let's say, the past decade.
We're having a hard time keeping up with the volume of
cyber analysts, but we're--they now need to have new skills in
terms of advanced analytics and other things. So we need to
look to how do we refresh those, curricular development. How do
we build the partnerships between public and private to train
people, cross-train existing employees or develop new staff and
continue to look for those public-private partnerships on field
validation of new concepts coming out of the R&D portfolio?
Because that's what it takes at the regional level for
commissioners and utility commissions and others to get
comfortable with making the investments to deliver.
Senator Cantwell. Thank you. It might have been a complex
question, but you did a very good job.
Anybody else want to weigh in quickly on that?
Mr. Riedel. I can briefly.
Thank you for the question, Senator Cantwell, Ranking
Member, sorry.
So we deal with this a lot with our company. We're trying
to hire qualified people, and finding enough qualified people
out there is, I think, a challenge for every organization.
We try and train and make sure that everyone understands
that security inside of an enterprise or in a corporation is
not one person's ability or one person's responsibility. So the
things that we look at are how do we educate our workforce? We
would love to work with schools and universities to make sure
they're educating folks.
I think that the thing that we will try to tell enterprises
as they deal with this, and utilities as they deal with this,
is that security, cybersecurity, is a group responsibility,
that you cannot just expect the security professionals to take
care of this. You need to take ownership of that while you
build and engineer your products. And so, those are things that
we are looking at.
The only thing I would add to that is, you know, our focus
is automation. We want to be able to roll out this
automation that we talked about today into the grid, but to do
that we have to be able to trust that we understand where that
automation comes from.
So not only do we have to make sure that we educate and
bring these people to be professionals, we also have to make
sure as we bring them on to our networks and as we have them
work on those networks we're able to identify those people so
we can trust the information that they're giving us and then
trust the remediations they create.
Senator Cantwell. Thank you.
Thank you, Madam Chair.
The Chairman. Senator Cassidy.
Senator Cassidy. Should it be one of those folks over
there? I don't want to step out of place----
Senator Manchin. Bill, would you mind if I? I've got----
The Chairman. This is a cooperative Committee.
[Laughter.]
If Senator Cassidy doesn't mind, we will certainly turn to
Senator Manchin.
Senator Manchin. This is a great Committee. Thank you.
The Chairman. It is.
Senator Manchin. I appreciate both of you. Thank you, Bill,
I appreciate it.
Let me just say real quickly. The reliability of the grid
system, basically the baseload, do any of you all have concerns
that the baseload might not be able to energize the grid or we
could be in concern about a relapse or a collapse? Does anybody
have that concern?
From baseload, as I am understanding, nuclear, coal is to
the basic baseload, 24/7, rain or shine. Gas--we are depending
on gas being baseload now. And all of our renewables are coming
on, I guess, with the new battery, the battery storage. That
will eventually move into that. We have not gotten there yet.
You all have no concerns in different segments across the
country? PJM about collapsed over the last polar vortex we had.
You all knew that, right? They came within that sliver of going
down.
Anybody want to talk?
Mr. Imhoff. So, the--we've seen no evidence that there's a
lack of capacity to deliver in terms of frequency response and
other things on the power system.
Clearly there are changes in some of the resources mix. And
the NERC bodies, as well as the reliability councils and all
have not indicated that there is a gap that's an issue. But
they're having to change some of the processes and all, but I
think we are, have adequate capacity going forward.
Senator Manchin. Anybody? Feel the same?
Dr. Raines. Senator, yes, sir.
Senator Manchin. Okay.
Dr. Earl, on quantum. You are talking about, you know, of
course, cyber is what we are concerned about. I am on Intel and
every meeting we have deals with cyber and some type of
cyberattacks that we are getting regularly and how we can stave
that off.
In this, I have been to an awful lot of the power plants
and we have an awful lot of coal plants and then they are all
switching stations. So when they produce, the power coming out
goes into, kind of, a switching station, it, kind of, puts it
out on the grid. And you are saying that you are quantum. You
can protect that from the internet or being hacked by the
internet, correct?
Dr. Earl. So maybe a slightly different way to define that.
We definitely are trying to protect the communications
between those switching facilities, the substations, and
command centers. It's imperative that you're able to trust
those communications. And so, the channels that they're
communicated over are not defended. These might be fiber
optics, airwaves. You don't have complete control over those
communication channels. So it's important we have a technology
that can ensure that communication channel is secure first.
Senator Manchin. And you say that can be retrofitted also
on this?
Dr. Earl. It could be, that's right, especially if it
dovetails well with what they described, ONL described, about
the Dark Net where you use existing OR, existing fiber optic
cables, to basically put this system in place.
Senator Manchin. Let me ask any of you all who would answer
this question because I have been to an awful lot of these
power stations, however they are operated, but the switching
stations, it is not all that secure. I could, if I wanted to do
some kind of criminal act, I could walk up to it and make it
happen. Have you all suggested or basically lobbied for
securing, making every utility company responsible for the
securing of those switching stations? It could be natural gas
also. We are concerned about the gas lines, the pipelines,
pumping stations.
Mr. Imhoff. So you're voicing concern around physical
security?
Senator Manchin. Yes.
Mr. Imhoff. We have extensive infrastructure across
thousands of miles, and out West some of those are very lonely,
empty miles.
Senator Manchin. Right.
Mr. Imhoff. They are favorite target practice
opportunities, but I will say that over the past year PNNL has
worked with NERC to help develop what's called design basis
threat which is a systematic approach at looking at what are
the series of threats that could be done on a pipeline, gas
pipeline, compressor station, or switch yards coming out of
coal plants, et cetera, and then helping the utilities walk
through and classifying the degree of consequence and risk and
identifying what other options actually provide physical
security because you can do that, but you can't do it on every
single substation or every single transmission tower out there
in the power system.
What they are doing is putting in place a systematic
process to help prioritize those risks and identify their
options for protection. That process is beginning, and it's
been very well received by the utilities over the last 12
months. So I think they're moving in that direction, Senator.
Senator Manchin. Well, I was just going to say you all come
from the technical end of it and can really help us there and
advocate for this because I see a lot needs to be done. I mean,
we are talking about the internet, and we are talking about
technology and all this and that. I am talking about just plain
attacks, just, I mean, criminal activities.
Okay, thank you very much.
Senator Cantwell. If I could just follow up on that?
Isn't it true that most--I am just thinking of Bonneville's
system. If you go into their command center, they have pretty
good eyes on most of everything in their grid system. I would
assume utilities are similar. They have eyes everywhere. Right?
Is that correct? I mean, besides the technical detection of
what is happening on a line, they also have eyes on practically
every aspect of the infrastructure.
Dr. Earl. I think it depends a little bit on the utilities,
you know. There's small ones and large ones and they approach
it differently, but definitely for the larger utilities, I
think, you're absolutely correct. It's a fairly sophisticated
operation.
Senator Cantwell. Thank you.
The Chairman. But we worry about some of those smaller ones
like we have up North.
Senator Cassidy, we are over to you now.
Senator Cassidy. Mr. Raines, I think it was you that spoke
of the Dark Net. Does the Dark Net require a lane of different
fiber optic cables or can it go through the same fiber optic
cables?
Dr. Raines. Thank you, Senator, for the question.
Certainly we can use existing fiber that is not being
utilized because generally speaking there's a lot of bundles
that are laid, multiple fibers that occur and not all the
capacity is being used.
In the incidences where you have smaller utilities or
cooperatives that don't have the fiber, there are other avenues
that we look at in using some of the advanced communication
capabilities and emerging capabilities to also take and look at
hardening. But yes, sir, certainly we can utilize those
existing fibers where they exist.
Senator Cassidy. Could we overlay? To what degree could we
now go to Dark Net?
I once went to a DoD facility and they have their internet
here and they have their, kind of, closed system there. It was
two different, I don't know if there are two different
terminals, but somehow I understood this is this and that is
that. To what degree do we have that now for utilities?
Dr. Raines. Well, sir, I cannot answer in totality of that
for you right now. We are having people that are looking at, as
I mentioned before, over the 100,000 miles of existing fiber
that we have, to see exactly where the connectivities are
relative to, you know, the commercial entities, the industry
out there. So, certainly, I can get back with you on that
question, sir.
Senator Cassidy. That is a nice segue to my next question.
My staff gave me this from August 17, from the President's
National Infrastructure Advisory Committee. They have 11
different recommendations.
There is a sort of, kind of, urgency behind it and a sort
of assumption that we should have done this yesterday and we
haven't done it yet, with agencies and Congress required to put
things together which apparently we have not. So I appreciate
the Chair and the Ranking Member holding these hearings, but to
what degree is leadership being exerted by the Federal
Government to make sure that all this happens ASAP? Because I
gather you all think it should happen ASAP. Fair statement?
Mr. Tudor is smiling, kind of discreetly and
diplomatically, but to what degree are we providing that
leadership?
Mr. Tudor?
Mr. Tudor. Thank you, Senator.
And I am nothing, if not discreet and diplomatic.
[Laughter.]
I would say that I do believe that the Department of
Energy, the Department of Homeland Security, know this, are
taking leadership within the bounds of what we were able to
accomplish, what we understand that we should do, but I also
think that leadership understands that we all can do more.
We've been, you know, working----
Senator Cassidy. Let me just pause for a second because I
have actually heard some very good suggestions from you all
ranging from quantum mechanics which I, kind of, don't
understand, but am always, kind of, fascinated by to put an
analog switch in there. Really, kind of, two different
approaches with a Dark Net overlay. Those are very tangible.
This is what you could do now and would probably work really
well.
What is the state of play? Are we now moving toward that or
are we just waiting for someone to propose it?
Dr. Raines. Well, sir?
Senator Cassidy. Go ahead.
Dr. Raines. If I may answer that for you.
One of the test cases that we're working with now is the
electric power DoD out of Chattanooga which we have fiber
connections with, and we're looking at how we can establish
some of that test bed capabilities with them. So on a smaller
scale we are moving forward.
Senator Cassidy. So are you telling me although DoD has a
parallel internet, and you mentioned the Dark Net, is this just
something, is this a strong recommendation yes, we should be
doing it, or no, we need to test it before we go fully to
scale?
Dr. Raines. Sir, we believe that the technology exists to
increase our capabilities to defend the electric grid from a
communications and control standpoint, if we go forward with
this. And that's what we're proposing for----
Senator Cassidy. And is that generally agreed upon?
So, one thing we could do is appropriate the dollars to
immediately begin putting in a Dark Net for everybody who is
connected to the grid, except maybe a distributed, you know, if
I am selling electricity off the roof of my house, maybe not,
but other than that. Is that something we should be writing in
legislation now, in your opinion?
Dr. Earl. So we currently have utility partners with
extensive fiber optic networks that are ready to start
implementing this today or testing this today.
Senator Cassidy. The quantum or the Dark Net?
Dr. Earl. The quantum and the Dark Net. It really is tied
together. So, there's, now that's not all utilities, and it's
going to have to start small and eventually grow.
Senator Cassidy. Now, just let me ask you, just interrupt
because when you say not all utilities. I always mispronounce
it. I don't know if it is miso or myso. But you have this
exchange of electrons through the whole Mississippi Valley. If
there is somebody who is a weak link, who does not have Dark
Net, does not have quantum, does not have analog, can that go
through the whole network getting those that do have it?
Dr. Earl. So, ultimately, you're only as strong as your
weakest link, but your biggest links need to be secured first.
And the propagation can be limited by focusing there and
prioritizing there, initially. And there are three separate
grids, of course, that would be independent from one another.
But let me just, sort of, echo the question of, you know,
can we implement this quickly? It is a question of funding.
The CEDS program within DOE is doing a great job, but they
don't have a large enough budget, really, to take on Dark Net
yet. So, at least from my perspective, I think that increasing
the funding to that program is an excellent thing to do right
away.
The other point I'd like to quickly make is these new
technologies will take time to be implemented. It could be as
long as, you know, five to ten years for some of these
technologies to be implemented. If you think of where hackers
were ten years ago and you think about where hackers are going
to be in ten years from now, that's where the urgency is coming
from. We really have got to get ahead of this.
Mr. Tudor. I would like to say, though, that across the
industry our utility partners are really beginning to move out
even faster in developing pilots, working with commercial and
industry, working with national labs to develop the process and
procedures to implement these new technologies.
Mr. Riedel mentioned the CES-21 is a great example of those
three major utilities working together to implement and
prototype and demonstrate these technologies and give lessons
learned out to other utilities across the nation so we can
understand what the scope of the issue is, how to deploy these,
and then also provide that expertise as others do it, similar
to other utilities here on the East Coast as well.
So I think we are moving out faster than we have been. We
would all love to do it faster.
Senator Cassidy. I am way over. I apologize, Senator
Franken.
I yield back.
The Chairman. Thank you, Senator Cassidy.
Senator Franken.
Senator Franken. Thank you, Madam Chair.
I know this is about cybersecurity and the grid, but Dr.
Raines, I was struck in your testimony by your discussion of
microgrid technology and its potential application to Puerto
Rico. The Chair knows that I am very interested in this, and I
think all of us are. After the devastation of Hurricanes Irma
and Maria, millions of Americans in Puerto Rico and the Virgin
Islands are still without power. This is really inexcusable.
I am going to read from your testimony, ``Most recently Oak
Ridge National Laboratory has considered how its scientific
expertise may be leveraged to help an area in which the local
power grid is essentially being rebuilt from the ground up.
Puerto Rico was devastated by Hurricane Maria last month. The
island's critical infrastructure, including its power,
transmission, and distribution grid serving more than 1.4
million customers was nearly demolished by the powerful storm.
As the relief and recovery effort continues, we are mindful
that many of the solutions developed for grid resilience could
be purposely built into a completely new, robust system for
Puerto Rico through distributed energy resources, for instance,
Puerto Rico Electric Power Authority could benefit from
microgrids with more power generation spread throughout its
territory, sited locally in neighborhoods and communities and
providing greater flexibility when the larger grid is
disrupted. Complementary opportunities exist to support the
development of a more secure and resilient Puerto Rican
infrastructure which will ultimately lead to a better quality
of life for its residents and reliable electricity to support
its businesses.''
This is something that we have been talking a lot about, a
number of us, including the Chair and the Ranking Member of
this Committee.
Dr. Raines, could you elaborate on the work that Oak Ridge
is doing to improve resilience for the grid and how that might
relate to our responsibility after these hurricanes to approach
rebuilding the grid, getting them up again, as fast as
possible, but then building something that is resilient and
sustainable? And if anyone else wants to weigh in on that,
please do.
Dr. Raines. Senator, thank you for the question. I'll start
and turn it over to Carl.
Earlier this year in the spring we had a team down in
Puerto Rico that was actually looking at the infrastructure,
understanding the infrastructure and looking at how we could
possibly take and redesign or enhance the architecture, the
existing architecture. You know, we certainly did not foresee
the devastation that occurred in September and the agony and
things that people are going through there down there now.
We have, for a number of years, been looking at microgrid
technologies. How we can take and build those where given
different types of power electronics and charging and sensing
type systems that they can have the isolation from other, the
larger infrastructure and be able to operate in the events of----
Senator Franken. In island mode if they need it.
Dr. Raines. Yes, sir.
Senator Franken. Okay.
Dr. Raines. Yeah, from that standpoint.
And so, with that I know that Carl is leading an effort
among the different labs and he can probably address it quite
well as well.
Senator Franken. Please?
Mr. Imhoff. Specifically for Puerto Rico DOE has asked the
12 grid modernization laboratories to frame some options that
could add value in the 1 to 6 months, 6 to 12 months and then
12 months to 5 years timeframes.
And the notion of evaluating what critical loads, in terms
of drinking water purification, health care, communications,
island communications, et cetera. How did they come down and
identify where it might be worth the incremental expense for
microgrids to harden those against future events and leverage
some of the work that we've done in the grid modernization in
New Orleans and other places on how to coordinate multiple
microgrids that during bad storms can actually adjust and focus
just on the critical loads for emergency applications? That's,
I think, a good opportunity for us to bring new concepts to the
rebuild of Puerto Rico over the next couple years.
Senator Franken. I think it is just responsible to do that
and smart to do that and, you know, their grid, and I know I am
out of time, but their grid is right now powered so much by
diesel and a lot of people from Minnesota in the winter go to
Puerto Rico and the Virgin Islands for the sun. I am just
saying. So I think that perhaps in rebuilding this grid we can
make it more resilient and use more sustainable energy as well.
It is something that I am glad that national laboratories
have been asked by the Energy Department to look at. I think
everybody is rolling in the same direction is what I am saying.
I feel good about that.
The Chairman. Thank you, Senator Franken. I think it was a
good question, an important one.
We will be having a hearing focusing on the current
situation in Puerto Rico and going forward, the future of that
energy grid there, and we will look forward to input from the
national labs.
To know that you have taken point on that, Mr. Imhoff, I
think is important. We will look for more detail in the next
couple weeks but it is very, very important. So thank you.
Senator Duckworth.
Senator Duckworth. Thank you, Madam Chair. I want to thank
you and the Ranking Member for today's hearing. And I
definitely want to thank our witnesses for participating today.
And recently, as my colleague, Mr. Franken, mentioned, we
have seen frightening weather patterns and infrastructure
instability in Puerto Rico and in the Ukraine even in 2015 when
malicious actors destabilized the country's power grid.
I had to learn that cybersecurity can take many forms. I
come to this from a military perspective where it is all about
enemies hacking, trying to attack you, but cybersecurity also
applies to trying to prevent technological failures from
occurring as well.
I am proud that the national labs are partnering with
industry to develop solutions to modernize our grid, including
Illinois' own Argonne National Lab. We are leading eight
projects under DOE's Grid Modernization Laboratory Consortium.
And we heard this earlier when you responded to my colleague
from Louisiana about the investments that need to be made. That
is where my question is going.
You know, it seems to me that there is a cycle of
scientific discovery that then provides necessary impetus to
develop technologies that address those known concerns and then
we develop ones. We develop those initial technologies and
prototype then we move toward bringing them to a place where
they can demonstrate effectiveness and be deployed to the
marketplace. I would like to further elaborate on that.
For all the witnesses. In terms of this cycle of discovery,
prototype development, and then development toward deployment,
as it relates to cybersecurity threats, where are we in that
process for our energy infrastructure? And are there specific
investments we should be making?
You mentioned informing municipalities and communities, but
is there anything specific because it seems like this is a
continual cycle that we go through. Anyone want to take that?
Mr. Imhoff. Well, I'll get started and hand it over to my
colleagues.
Senator Duckworth. Yes.
Mr. Imhoff. We're in all phases of that cycle.
Senator Duckworth. Okay.
Mr. Imhoff. There are many dimensions to this grid
modernization activity. There are many dimensions to
cybersecurity. On cybersecurity, I mentioned in my testimony,
that there are, we have roughly 3,000 utilities in the United
States. The largest 1,000 are pretty far along on their
cybersecurity journey. The smallest 1,000 don't have any
digital devices, so it's not much of an issue. The middle 1,000
have devices but they have very small engineering staffs and
very limited budgets, and so it's harder for them just to do
the basic fundamentals of maintaining good enterprise
discipline on their infrastructures. So they are in a very
different place on the development cycle than some of the
larger utilities who are looking at quantum encryption and
other activities.
We are in all phases, and I think it will always be that
way. Some things are near the more mature state, but you're
having to work them out into 3,000 utilities that are across 50
different regulatory jurisdictions. So it just doesn't happen
overnight. It takes time for things to unfold.
Dr. Raines. And the thing I'd like to add, Senator, with
that, our partnerships are absolutely critical because the
national labs will take and produce lower technology readiness
level type of solutions. And so, to take and transition those
to industry or work with the industry partners is absolutely
critical in this arena.
I come from a military background as well from the
standpoint of rapidly getting those products to the field where
they're needed. And in cybersecurity, like I said earlier in
the testimony, we are in that very tight loop of adversaries
are far outpacing us in terms of how we can respond to them. So
the industry partner is absolutely critical.
Mr. Tudor. Senator, I'd like to respond to that as well.
I've been involved in, kind of, technology innovation for
cybersecurity for about ten years in other jobs. One of the
things that we do realize, you know, between the development
and the deployment of technologies is what is called a valley
of death. I think a lot of times the national labs, their place
in developing those lower technology, readiness level
technologies to solve particular problems at the time, have not
had the emphasis on commercialization, probably not the lab's
major role to do that. However, in the last few years we have
seen more and more emphasis from DOE, DHS, and others to bring
these technologies to bear. But we do need commercial partners,
whether it's venture capitals or others, to come and help
invest in these.
I know the other DHS transition to practice program did a
wonderful job of coming into the national labs, but Pacific
Northwest National Lab, Oak Ridge and INL all have technologies
that were transitioned in some of those. But we need more of
those types of activities and we need more emphasis on it if we
really feel that we can get those out there and then
entrepreneurs like Dr. Earl and Mr. Riedel can then take those
technologies forward.
Dr. Earl. Is it okay to add to that as well?
Senator Duckworth. Madam Chair?
Dr. Earl. Alright.
So, in terms of development to deployment, shortening that
time, I think, one of the biggest challenges is, as was
mentioned earlier, we have over 3,000 utilities, some big, some
small. And they're going up against very sophisticated
adversaries. These nation-state hackers have much more
sophisticated operations than utilities are used to. And so,
we're asking big and small utilities to come up with solutions
on very rapidly changing technology.
One of the things that the government can help to do,
national labs can help to do, partnerships can help to do, is
to identify a template solution, sort of, cookie cutter
solution that at least could be a starting point for these
utilities. And then ultimately they need assistance in
implementing it and maintaining it. That right now doesn't
really exist for those utilities.
Mr. Riedel. Senator Duckworth, thank you for the question
of the panel.
I wouldn't be here today without the support of the DOE,
the State of California and some of the funding, so I'm very
appreciative of that. For me, I think the funding is critical.
It's a holistic approach that we need to take. There's no one
technology that's going to solve this problem.
I think we talked a lot about networks today, about the
dark fiber and the quantum, but you know, we also still need
automation to be able to respond to these things in a timely
fashion and to support the growth of the devices we're getting.
And at the end of the day, we also need to trust people who
are operating those devices so we need to move beyond current
credential technology and look at new ways that we can actually
assert that the people who are operating are who they say they
are which helps, sort of, I think, bring everything around. So,
for me, it's a holistic approach and we need to continue
investing in all those areas.
Senator Duckworth. Thank you.
Madam Chair, you have been very generous. Thank you.
The Chairman. Thank you each for your response on that.
Senator Cortez Masto.
Senator Cortez Masto. Thank you, Madam Chair.
Let me just follow up, and this question is for all of you.
Do you think the small and midsized utilities are more
challenged to really find the programs to address the cyber
threats than maybe some of the larger utilities?
Dr. Raines. Senator, I would agree with that statement,
mainly from a standpoint of the resources that these smaller
utilities have available for this.
Senator Cortez Masto. So the programs are there. It is just
a matter of having the capital or the resources to access those
programs or afford those programs. Is that right?
Dr. Raines. I would have a tendency to agree with that,
ma'am.
Mr. Imhoff. I agree, but I must say that some of their
representing organizations, like for the co-ops, the National
Electric Cooperative Association and the American Public Power
Association, they do have relationships with DOE and they help
aggregate numbers of small utilities for them to be involved in
demonstrations. But in general, smaller utilities have smaller
engineering staffs, smaller resources, so it's more of an
uphill walk for them than some of the larger entities.
Mr. Tudor. I think it is worthwhile to note though, as we
mentioned before, in things like the CES-21 project, some
projects on the East Coast--RADICS, that the intent is to have
the large utility partners who have those resources help to
validate a lot of these approaches and then share that
information into the rural cooperatives and other types of
environments that don't have those resources. They won't need
to spend the time to do that validation, but it will be able to
be handed out to them.
Senator Cortez Masto. And then, and you may have already
addressed this, and I apologize I had another committee
hearing, but I am also curious how the states play into this. I
know in the State of Nevada Governor Sandoval has created a new
Office of Cyber Defense (OCD) which will serve as the primary
focal point for cyber threats and security for the State of
Nevada. With the addition of that cyber defense coordinator,
the OCD will serve as the primary conduit with the Federal
Government as well as the primary entity managing cyber threat
issues across the State of Nevada.
Do you see that as a role most states should be involved
with and coordinating with the federal level and then,
particularly, the private sector to address the cyber threat?
Mr. Tudor. Thank you for your question, Senator.
You mentioned the important word there and that's
``coordination.'' I don't think that every state should invest
their resources to go off on their own and potentially have
redundant systems. But as we mentioned with California, their
work on their regional, you know, things that happened in the
Pacific Northwest. I know PNNL, INL, and others work together
with regional entities. And I think that coordination with
leadership from the government can help rapidly advance some of
the technology areas.
Dr. Earl. I do think as well in utilities there's a follow
the leader mentality. So if a set of utilities, larger
utilities, in one state identifies a solution that works well
and they can share that with their counterparts, other
utilities will see that filter down.
And just to echo what was mentioned, California has the
California CES-21 project which involves utilities across the
state. They've really developed some innovative package
solutions that are being adopted in California. If that is
successful then hopefully that will spread to the rest of the
country as well.
Senator Cortez Masto. Great.
Mr. Riedel. May I follow on real quick?
Senator Cortez Masto. Please.
Mr. Riedel. Senator Cortez Masto, thank you very much.
CES-21 has already made an effect and we are already
starting to work with other organizations such as STIX so the
research coming out of that is actually having real world
effects, not only for the U.S. but also that's promulgating
around the globe. And that's all based on the funding that's
come in to actually make that happen. So if we can continue
that, that's only going to grow and I think that's a very good
thing.
Senator Cortez Masto. Great. Thank you.
Dr. Raines, I am actually very intrigued with your Dark Net
concept. Assuming adequate funding, how many years away are we
from being able to implement a Dark Net solution for our
nation's electrical grid?
Dr. Raines. Senator, thank you for that question.
As we had mentioned earlier in the testimony, there are
different phases that are occurring and can occur with the Dark
Net concept. Utilizing existing infrastructure, you know, such
as some of the fiber. There are capabilities that Dr. Earl and
others have been developing that can be implemented relatively
quickly. There are also other advanced communication
capabilities that can be implemented for some of the smaller
cooperatives, if you will.
So, there's a lot of things that can be done near-term, but
I think, as Dr. Earl mentioned earlier in testimony, some of
these advances may take five to ten years to fully mature.
Senator Cortez Masto. Okay. Thank you.
Gentlemen, thank you very much. I appreciate the
conversation.
Thank you, Madam Chair.
The Chairman. Thank you, Senator.
I have just one last question.
Mr. Tudor, you had mentioned in your comments the need for
control room operators to have hands on training opportunities
and you referenced Ukraine in a box. How ready are we with this
program? Do we actually have utility room operators that are
training, kind of, hands-on to handle a Ukraine-like attack?
And really, to what extent are the men and women that are on
the ground or on the front lines being trained to handle a
cyberattack?
Mr. Tudor. Thank you for that question, Madam Chairman.
I must say that the people who operate our grid are highly
capable and highly trained. It's really enlightening when you
go into some of the command centers in some of the different
utilities to talk about how they train, what they do, how they
respond to events, what they do in their off time to provide
this different training, the amount of training that's
required.
Our Ukraine in a box is another tool in their training
environments since, for the most part, our utility operators
are not constantly responding to cyberattacks, being able to
add this into their training regimen will be something that
will allow them to see, kind of, real world techniques that may
be deployed against them, some of the indicators, and how they
might respond in a non-disruptive kind of desktop environment.
So, I do think that, from an operational perspective, we
are in very good shape here in the U.S.
The Chairman. One of the things that I think about coming
from a state that is rural and isolated and has more microgrids
than large, integrated grids, is that you have different levels
of opportunity for that kind of training that you are saying
you think is pretty much in place.
I am thinking that perhaps with our bigger utilities they
do have that opportunity, but our smaller grids that are
perhaps not as integrated, as sophisticated, I worry about that
level of vulnerability and I worry that perhaps we don't have a
level of training that is applicable for the different types of
grid that we have throughout the country. Can you put my mind
at ease a little bit there?
Mr. Tudor. Thank you, Madam Chairman, I'll try.
I think that you're right, there are different levels of
need and different levels of training. I think the development
of some of these desktop trainings, you know, INL and the other
labs are known for their very large infrastructure, being able
to bring people in and give some very unique sophisticated
training, but also to be able to put some of this training via
web-based which is happening now. These desktop type of
environments, we are hoping to potentially make this an open
source type of learning environment as well so they don't have
to have our equipment to be able to run this type of training.
So we are trying to export the training for more accessibility
all across the nation.
Mr. Imhoff. Madam Chairman?
The Chairman. Mr. Imhoff, go ahead.
Dr. Raines. Oh, I'm sorry.
The Chairman. Mr. Imhoff and then Dr. Raines.
Mr. Imhoff. So I was just talking the other day with the
head of the Northwest Public Power Association and they're
based in Vancouver, outside of Portland. I believe that a
number of the smaller utilities in Alaska are small, public and
rural co-ops, et cetera. And they have training opportunities
that they provide for their members, but they are voluntary. So
it's not just Alaska. A lot of states, a lot of small utilities
struggle to send their staff to training.
I think that there are opportunities there, processes, to
work with the associations that they belong to, et cetera, but
my guess is if you're to talk to those community entities, a
large fraction of it has to do with the resources available to
send people to train. And that would be where I would start,
trying to get a sense for what resources do they need to
participate in the already existing training opportunities that
probably would require some travel down to the lower 48.
The Chairman. Because I do hear from so many of them that
they are anxious for their own security and knowing that there
are avenues via the web.
Dr. Raines, did you want to weigh in here?
Dr. Raines. Yes, Madam Chairman.
What I wanted to say was basically there are some good news
stories in terms of how we're developing workforce. For close
to 20 years DHS, NSA, and National Science Foundation have been
partners in these academic centers of excellence for focusing
toward cybersecurity. There are over 200 universities and
schools at this time producing cyber-educated folks. And that's
not just at the graduate level or the undergraduate level, but
at the community college level. So we're trying to hit or have
been trying to hit for a number of years, you know, getting the
workforce developed for the right application areas because a
lot of the smaller utilities may be using more technician level
folks than advanced degree folks to help operate. So there is a
lot of work that's been going into that over the years. I just
wanted to give that to you, ma'am, as a good news piece in
developing workforce.
The Chairman. I appreciate that. I appreciate that, thank
you.
Senator King, we have had good discussion here this morning
with some of the technologies and the efforts through our
national labs and out in the private sector as to what we can
do to do a better job of ensuring that we are not as vulnerable
with our, whether it is our energy grids or other
infrastructure and had some good testimony.
We have gone through all the questions, so you are up if
you would like to engage our witnesses.
Senator King. Thank you, Madam Chair.
I want to apologize to you and the witnesses. Speaking of
technology, there is no effort made whatsoever around here to
schedule hearings in any kind of coordinated way. I had a
hearing this morning on the attack in Niger which, obviously,
is of great, grave concern.
I understand there has been some discussion of the bill
that Senator Risch and I have sponsored involving the national
labs and I won't belabor that except to say I think it is a
step in the right direction and I understand the panel agrees.
We will hopefully move that forward.
This isn't really a comment directed at the panel, but I
think it is important, Madam Chair, as we are dealing with this
issue and we spent quite a bit of time on it in the Armed
Services and Intelligence Committees as well.
One of the problems is that all of our focus is defensive.
How do we structure our system defensively? How do we patch?
How do we have the right breakers and all those kinds of
things?
In my view, though, ultimately that is not the whole
answer. Part of the answer has to be a deterrent strategy or
doctrine that is well known across the world that if people
attack us in cyberspace they will feel results. They will also
be at some risk.
One of the problems and one of the frustrations is that we
don't have such a doctrine. And this isn't a criticism of the
current Administration. The prior Administration did not do
this either.
But I think, Madam Chair, if we are going to effectively
deal with the risk of cyberattack, there has to be a deterrent
doctrine whereby our adversaries know this kind of attack will
not be accepted, will be responded to in some way. So I think
that is a big part of the problem here. We can be the best
bobbers and weavers in the history of the world, but if you are
not allowed to ever punch back, you are going to lose the
fight.
I think that is something very important that we are
talking about in Armed Services and we passed amendments to the
National Defense bill, but we are waiting for the
Administration and we were waiting for the prior Administration
to come forth with a cyber strategy beyond simply patching a
system.
With that, if you can find a question in there you are
welcome to it.
[Laughter.]
But I just felt that was an important part of this
discussion. It is not only the technology of strengthening the
grid, but it is also strengthening the deterrent so that the
attack doesn't come in the first place.
Dr. Earl. If you don't mind, I'd like to address that.
So we talked a little today about quantum technology,
quantum key distribution technology, which can defend the grid.
The great thing about that technology or the flip side of that
technology is it also can be used on the offense. Quantum
computing can be used to crack codes and really take a much
more aggressive stance on the offense side. So by investing in
our own defense, we actually do provide a path to an offensive
strategy as well if we needed it.
Senator King. And one of the problems I have observed is we
are so secretive about what we develop. A secret deterrent is
not a deterrent. The world has to know what we can do. That was
the rule with nuclear weapons for 70 years and blessedly it has
protected us from that kind of catastrophe because of the
understanding that, if nuclear weapons are used, there is
mutually assured destruction.
So I agree with you, but we also, we all tend to,
particularly in the government, want to keep things secret.
You all remember, I don't know, you may not, some of you
are too young, this famous scene in Dr. Strangelove where
George C. Scott says, ``But Commissar, if you didn't tell us
about the doomsday machine, it wouldn't work. Well, we were
going to announce it on May Day.'' We have got to have a
deterrent. It has to be well known. It has to be clearly part
of our doctrine.
Thank you.
Thank you, Madam Chair.
The Chairman. Well, and to follow on that, we had a little
bit of discussion about where the Chinese are with their
quantum technology and the distances that they have bridged.
That is no secret. But I am sure that everyone in the world is,
kind of, paying attention to what is going on there. So I hear
your comment.
One further question on that. I raised China in my opening.
You spoke to it. What other nations are out there that are
leading in this space?
Dr. Earl. So, unfortunately, there's a number of countries
that are leading the U.S. China, definitely, would be at the
top of the list. But the EU is making a concerted effort.
They're spending quite a bit of money to pursue quantum
technology. Australia and Canada as well are very aggressive in
this area. So, we're probably fourth or fifth on that list.
The Chairman. Interesting.
Any further questions from either of the Senators?
Thank you, gentlemen. We appreciate the time that you have
given us and the level of expertise that you bring to this
subject.
Know that as it relates to Puerto Rico, as we mentioned
earlier, we will look forward to the input from our national
labs there. But obviously we have a great deal of work to do
going forward as we work to make things more secure.
Senator King. Madam Chair?
The Chairman. Senator King.
Senator King. I apologize. You mentioning Puerto Rico did
provoke one thought.
I hope, as we are working on the rebuilding of the Puerto
Rican grid, we can be thinking to the future instead of
building a 20th century grid and think about things like
distributed energy and underground wires and all of those kinds
of things so that we don't just rebuild----
The Chairman. Yes.
Senator King. ----something that is liable to be knocked
down again in the next great storm. I think this is an
opportunity that we should seize, and I hope we can all work
together to see that that happens.
Thanks again.
The Chairman. Know that we concur up here.
Thank you, all.
With that, we stand adjourned.
[Whereupon, at 11:38 a.m. the hearing was adjourned.]
APPENDIX MATERIAL SUBMITTED
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]