b"<html>\n<title> - KEEPING THE LIGHTS ON: ADDRESSING CYBER THREATS TO THE GRID</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n      KEEPING THE LIGHTS ON: ADDRESSING CYBER THREATS TO THE GRID\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                         SUBCOMMITTEE ON ENERGY\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 12, 2019\n\n                               __________\n\n                           Serial No. 116-52\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                   govinfo.gov/committee/house-energy\n                        energycommerce.house.gov\n                        \n                        \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n40-665 PDF                  WASHINGTON : 2020                     \n          \n--------------------------------------------------------------------------------------                        \n                        \n                        \n                        \n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                     FRANK PALLONE, Jr., New Jersey\n                                 Chairman\nBOBBY L. RUSH, Illinois              GREG WALDEN, Oregon\nANNA G. ESHOO, California              Ranking Member\nELIOT L. 
ENGEL, New York             FRED UPTON, Michigan\nDIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois\nMIKE DOYLE, Pennsylvania             MICHAEL C. BURGESS, Texas\nJAN SCHAKOWSKY, Illinois             STEVE SCALISE, Louisiana\nG. K. BUTTERFIELD, North Carolina    ROBERT E. LATTA, Ohio\nDORIS O. MATSUI, California          CATHY McMORRIS RODGERS, Washington\nKATHY CASTOR, Florida                BRETT GUTHRIE, Kentucky\nJOHN P. SARBANES, Maryland           PETE OLSON, Texas\nJERRY McNERNEY, California           DAVID B. McKINLEY, West Virginia\nPETER WELCH, Vermont                 ADAM KINZINGER, Illinois\nBEN RAY LUJAN, New Mexico            H. MORGAN GRIFFITH, Virginia\nPAUL TONKO, New York                 GUS M. BILIRAKIS, Florida\nYVETTE D. CLARKE, New York, Vice     BILL JOHNSON, Ohio\n    Chair                            BILLY LONG, Missouri\nDAVID LOEBSACK, Iowa                 LARRY BUCSHON, Indiana\nKURT SCHRADER, Oregon                BILL FLORES, Texas\nJOSEPH P. KENNEDY III,               SUSAN W. BROOKS, Indiana\n    Massachusetts                    MARKWAYNE MULLIN, Oklahoma\nTONY CARDENAS, California            RICHARD HUDSON, North Carolina\nRAUL RUIZ, California                TIM WALBERG, Michigan\nSCOTT H. PETERS, California          EARL L. ``BUDDY'' CARTER, Georgia\nDEBBIE DINGELL, Michigan             JEFF DUNCAN, South Carolina\nMARC A. VEASEY, Texas                GREG GIANFORTE, Montana\nANN M. KUSTER, New Hampshire\nROBIN L. KELLY, Illinois\nNANETTE DIAZ BARRAGAN, California\nA. DONALD McEACHIN, Virginia\nLISA BLUNT ROCHESTER, Delaware\nDARREN SOTO, Florida\nTOM O'HALLERAN, Arizona\n                                 ------                                \n\n                           Professional Staff\n\n                   JEFFREY C. 
CARROLL, Staff Director\n                TIFFANY GUARASCIO, Deputy Staff Director\n                MIKE BLOOMQUIST, Minority Staff Director\n                         Subcommittee on Energy\n\n                        BOBBY L. RUSH, Illinois\n                                 Chairman\nSCOTT H. PETERS, California          FRED UPTON, Michigan\nMIKE DOYLE, Pennsylvania               Ranking Member\nJOHN P. SARBANES, Maryland           ROBERT E. LATTA, Ohio\nJERRY McNERNEY, California, Vice     CATHY McMORRIS RODGERS, Washington\n    Chair                            PETE OLSON, Texas\nPAUL TONKO, New York                 DAVID B. McKINLEY, West Virginia\nDAVID LOEBSACK, Iowa                 ADAM KINZINGER, Illinois\nG. K. BUTTERFIELD, North Carolina    H. MORGAN GRIFFITH, Virginia\nPETER WELCH, Vermont                 BILL JOHNSON, Ohio\nKURT SCHRADER, Oregon                LARRY BUCSHON, Indiana\nJOSEPH P. KENNEDY III,               BILL FLORES, Texas\n    Massachusetts                    RICHARD HUDSON, North Carolina\nMARC A. VEASEY, Texas                TIM WALBERG, Michigan\nANN M. KUSTER, New Hampshire         GREG WALDEN, Oregon (ex officio)\nROBIN L. KELLY, Illinois\nNANETTE DIAZ BARRAGAN, California\nA. DONALD McEACHIN, Virginia\nTOM O'HALLERAN, Arizona\nLISA BLUNT ROCHESTER, Delaware\nFRANK PALLONE, Jr., New Jersey (ex \n    officio)\n                            \n                            C O N T E N T S\n\n                              ----------                              \nHon. Jerry McNerney, a Representative in Congress from the State \n  of California, opening statement\n    Prepared statement\nHon. Fred Upton, a Representative in Congress from the State of \n  Michigan, opening statement
\n    Prepared statement\nHon. Frank Pallone, Jr., a Representative in Congress from the \n  State of New Jersey, opening statement\n    Prepared statement\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement\n    Prepared statement\n\n                               Witnesses\n\nKaren S. Evans, Assistant Secretary, Office of Cybersecurity, \n  Energy Security, and Emergency Response, Department of Energy\n    Prepared statement\nJ. Andrew Dodge, Sr., Director, Office of Electric Reliability, \n  Federal Energy Regulatory Commission\n    Prepared statement\nJames B. Robb, President and Chief Executive Officer, North \n  American Electric Reliability Corporation\n    Prepared statement\n\n                           Submitted Material\n\nArticle of July 8, 2019, ``Grid Chief: Operators pulling \n  `rabbits' to keep lights on,'' by Peter Behr, E&E News, \n  submitted by Mr. McKinley\nLetter of July 9, 2019, from James D. Ogsbury, Executive \n  Director, Western Governors' Association, to Mr. Rush and Mr. \n  Upton, submitted by Mr. Rush\nLetter of July 12, 2019, from Jim Cunningham, Executive Director, \n  Protect Our Power, to Mr. Pallone and Mr. Walden, submitted by \n  Mr. Rush\nLetter of July 12, 2019, from Kathryn Waldron, Fellow, \n  Cybersecurity and National Security, R Street Institute, to Mr. \n  Rush and Mr. Upton, submitted by Mr. 
Rush\n\n \n      KEEPING THE LIGHTS ON: ADDRESSING CYBER THREATS TO THE GRID\n\n                              ----------                              \n\n\n                         FRIDAY, JULY 12, 2019\n\n                  House of Representatives,\n                            Subcommittee on Energy,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:32 a.m., in \nthe John D. Dingell Room 2123, Rayburn House Office Building, \nHon. Bobby L. Rush (chairman of the subcommittee) presiding.\n    Members present: Representatives Rush, Peters, McNerney, \nLoebsack, Butterfield, Schrader, Kennedy, Veasey, Kuster, \nKelly, Barragan, McEachin, O'Halleran, Blunt Rochester, Pallone \n(ex officio), Upton (subcommittee ranking member), Latta, \nRodgers, Olson, McKinley, Griffith, Johnson, Bucshon, Flores, \nHudson, Walberg, Duncan, and Walden (ex officio).\n    Staff present: Jeffrey C. 
Carroll, Staff Director; \nJacqueline Cohen, Chief Environment Counsel; Jean Fruci, Energy \nand Environment Policy Advisor; Waverly Gordon, Deputy Chief \nCounsel; Tiffany Guarascio, Deputy Staff Director; Omar Guzman-\nToro, Policy Analyst; Rick Kessler, Senior Advisor and Staff \nDirector, Energy and Environment; John Marshall, Policy \nCoordinator; Elysa Montfort, Press Secretary; Meghan Mullon, \nStaff Assistant; Lisa Olson, FERC Detailee; Alivia Roberts, \nPress Assistant; Tim Robinson, Chief Counsel; Andrew Souvall, \nDirector of Communications, Outreach, and Member Services; \nTuley Wright, Energy and Environment Policy Advisor; Adam \nBuckalew, Minority Director of Coalitions and Deputy Chief \nCounsel, Health; Robin Colwell, Minority Chief Counsel, \nCommunications and Technology; Jordan Davis, Minority Senior \nAdvisor; Melissa Froelich, Minority Chief Counsel, Consumer \nProtection and Commerce; Peter Kielty, Minority General \nCounsel; Mary Martin, Minority Chief Counsel, Energy and \nEnvironment & Climate Change; Brandon Mooney, Minority Deputy \nChief Counsel, Energy; and Brannon Rains, Minority Legislative \nClerk.\n    Mr. Rush. The subcommittee will now come to order. I want \nto thank all the Members and the witnesses for appearing before \nthe subcommittee this morning.\n    The Chair will now yield 5 minutes to my great friend, Mr. \nMcNerney from California, for 5 minutes.\n\n OPENING STATEMENT OF HON. JERRY McNERNEY, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. McNerney. Good morning, Mr. Chairman. I thank you for \nyielding me the 5 minutes.\n    And I thank the witnesses for coming this morning. It is an \nincredibly important issue that we needed to care a lot about \nand make good policy on.\n    We are meeting today to discuss the state of cybersecurity \nin the grid and the continuing threats facing America's energy \ninfrastructure. 
We continue to see increasing threats to the \ngrid, originating both at home and abroad. I am glad to see the \nDOE and FERC and others taking steps to address the growing \ndangers posed by nefarious actors.\n    Our energy grid serves as the backbone of our economy, \ntouching every aspect of our lives, and a reliable grid is also \ncrucial to our national security and for a clean \nenergy future. For lawmakers to encourage and enable innovative \nadvancements that we can improve the security and reliability \nof our Nation's electric grid, we must work on a bipartisan \nbasis and actively engage with industry leaders as we are doing \ntoday here.\n    Fortunately, the modernization and innovation of our energy \ninfrastructure is already underway. What was once a one-way \ndelivery system has evolved into a dynamic network where \ninformation and energy flows both ways. Technological \nadvancements are also borne from the need to secure the energy \ngrids against potential physical and cyber threats.\n    For example, technology allowing for the rerouting of power \nand quick response in the event of attack is being deployed \nacross the grid. The cooperation among Federal, State, and \nlocal governments is essential to protecting Americans and our \nNation's infrastructure.\n    Given today's cyber environment, it is more important than \never that Congress pursue policies that continue to foster \nthese exciting developments and support our grid \ninfrastructure.\n    This is an issue that I am very passionate about, and any \nvulnerable component is a threat to our physical and national \nsecurity, making it imperative that we invest in grid \nmodernization and security.\n    That is why I am proud to cochair the bipartisan Grid \nInnovation Caucus with my good friend from across the aisle, \nRepresentative Bob Latta from Ohio. 
Together, we are focused on \nproviding a forum for discussing solutions to the many \nchallenges facing the grid and to educate Members of Congress \nand staff about the importance of the electric grid with \nrelation to the economy, energy security, advanced technologies \nbeing utilized to enhance grid capabilities.\n    This work has informed our introduction of two bills on the \ntopic, both of which have already been marked up and advanced \nby this subcommittee. Their aim is to bolster America's \nelectric infrastructure by encouraging coordination between the \nDepartment of Energy and the electric utilities.\n    My bill, which I introduced along with Mr. Latta, H.R. 359, \nthe Enhancing Grid Security Through Public-Private Partnership \nAct, would create a program to enhance the physical and \ncybersecurity of the electric utilities through assessing \nsecurity vulnerabilities and increasing cybersecurity training \nand collect data.\n    It would also require the interrupt cost estimate \ncalculator, which is used to calculate the return on investment \non utility investments to be updated at least every 2 years to \nensure accurate calculations.\n    Mr. Latta's bill, which he introduced along with me, H.R. \n360, the critical Cyber Sense Act, makes important headway in \nprotecting our critical grid infrastructure. The Cyber Sense \nAct would create a program to identify cybersecure products for \nthe bulk power grid through testing and verification program.\n    The bulk power system supports American industry and \nprovides all the benefits of a reliable electric power to the \nAmerican people. It is essential that we make this system as \nsecure as possible, as cyber attacks do pose a serious threat \nto the electric grid. Any vulnerable component in our grid is a \nthreat to our security, and this bill will go a long way to \nstrengthening that system. I thank Mr. 
Latta for his \npartnership, and looking forward to working with him.\n    I also want to take a moment to mention my support for H.R. \n362, the Energy Emergency Leadership Act, sponsored by Chairman \nRush and Mr. Walberg. This bill would establish a new DOE \nAssistant Secretary position with jurisdiction over all energy, \nemergency, and security functions related to energy supply, \ninfrastructure, and cybersecurity.\n    Finally, I want to mention my support for one more bill on \nthis topic, H.R. 370, the Pipeline and LNG Facilities \nCybersecurity Preparedness Act, sponsored by Ranking Member \nUpton and Mr. Loebsack. This bill would require the Secretary \nof Energy to establish a program relating to the physical \nsecurity and cybersecurity for pipelines and liquefied natural \ngas facilities.\n    As the bills I have mentioned show, our committee is \nuniquely positioned to examine the issues before us today as we \nwork to put America on a path to better securing our electric \nand utilities system.\n    Now I yield back to the chairman.\n    [The prepared statement of Mr. McNerney follows:]\n\n               Prepared Statement of Hon. Jerry McNerney\n\n    We are meeting today to discuss the state of cybersecurity \nin the grid and the continuing threats facing America's energy \ninfrastructure.\n    We continue to see increasing threats to the grid \noriginating both at home and abroad. I'm glad to see DOE, FERC, \nand others take steps to address the growing dangers posed by \nnefarious actors.\n    Our energy grid serves as the backbone of our economy, \ntouching every aspect of our lives. 
A reliable grid system is \nalso critical for our national security and clean energy \nfuture.\n    For lawmakers to encourage and enable innovative \nadvancements that can improve the security and reliability of \nour Nation's energy grid, we must work on a bipartisan basis \nand actively engage with industry leaders as we are doing \ntoday.\n    Fortunately, the modernization and innovation of our energy \ninfrastructure is already underway. What was once a one-way \ndelivery system has evolved into a dynamic network where \ninformation and energy flow both ways.\n    Technological advancements are also born from the need to \nsecure the energy grid against potential physical and cyber \nthreats.\n    For example, technology allowing for the rerouting of power \nand quick response in the event of attacks is being deployed \nacross the grid. The cooperation among Federal, State and local \ngovernments is essential to protecting Americans and our \nNation's infrastructure.\n    Given today's cyber environment, it is more important than \never that Congress pursue policies that continue to foster \nthese exciting developments and support our grid \ninfrastructure.\n    This is an issue that I am very passionate about. 
Any \nvulnerable component is a threat to our physical and national \nsecurity, making it imperative that we invest in grid \nmodernization and security.\n    That is why I am proud to cochair the bipartisan Grid \nInnovation Caucus along with my good friend from across the \naisle, Representative Latta of Ohio.\n    Together, we are focused on providing a forum for \ndiscussing solutions to the many challenges facing the grid, \nand to educate Members of Congress and staff about the \nimportance of the electric grid with relation to the economy, \nenergy security, and advanced technologies being utilized to \nenhance grid capabilities.\n    This work has informed our introduction of two bills on the \ntopic, both of which have already been marked up and advanced \nby this subcommittee.\n    Their aim is to bolster America's electric infrastructure \nby encouraging coordination between the Department of Energy \nand electric utilities.\n    My bill, which I introduced along with Mr. Latta, H.R. 359, \nthe Enhancing Grid Security through Public-Private Partnerships \nAct, would create a program to enhance the physical and cyber \nsecurity of electric utilities through assessing security \nvulnerabilities, increase cybersecurity training, and data \ncollection. It would also require the Interruption Cost \nEstimate Calculator--which is used to calculate the return on \ninvestment on utility investments--to be updated at least every \n2 years to ensure accurate calculations.\n    Mr. Latta's bill, which he introduced along with me, H.R. 
\n360, the Cyber Sense Act, makes important headway in protecting \nour critical grid infrastructure.\n    The Cyber Sense Act would create a program to identify \ncyber secure products for the bulk power grid through a testing \nand verification program.\n    The bulk power system supports American industry and \nprovides all the benefits of reliable electric power to the \nAmerican people.\n    It is essential that we make this system as secure as \npossible, as cyber attacks pose a serious threat to the \nelectric grid.\n    Any vulnerable component in our grid is a threat to our \nsecurity, and this bill will go a long way to strengthening our \nsystem.\n    I thank Mr. Latta for his partnership in these efforts and \nlook forward to continuing to work to ensure a more secure and \nresilient grid.\n    I also want to take a moment to mention my support for H.R. \n362, the Energy Emergency Leadership Act, sponsored by Chairman \nRush and Mr. Walberg. This bill would establish a new DOE \nAssistant Secretary position with jurisdiction over all energy \nemergency and security functions related to energy supply, \ninfrastructure, and cybersecurity.\n    Finally, I want to mention my support for one more bill on \nthis topic, H.R. 370, the Pipeline and LNG Facility \nCybersecurity Preparedness Act sponsored by Ranking Member \nUpton and Mr. Loebsack. This bill would require the Secretary \nof Energy to establish a program relating to the physical \nsecurity and cybersecurity for pipelines and liquefied natural \ngas facilities.\n    As the bills I have mentioned show, our committee is \nuniquely positioned to examine the issues before us today as we \nwork to put America on a path to better securing our electric \nutility system.\n    Thank you and I yield back.\n\n    Mr. Rush. I want to thank the gentleman. And on a point of \npersonal privilege, the Chair was originally scheduled to be at \nhome in Chicago this morning for a funeral--one of my dear \nfriends, Ms. 
Dana Russell, trusted friend and colleague and \nsupporter--and due to inclement weather last night, my flight \nwas canceled, so I couldn't be in Chicago.\n    And Mr. McNerney graciously agreed to sit in the chair for \nme last night, because I wasn't going to be here this morning. \nBut I am here now, and so I want to thank him, Mr. McNerney, \npersonally for agreeing to sit in the chair for me in my \nabsence. But as you can see, I am here, and so thank you.\n    Mr. McNerney. Well, I appreciate the sentiment, and I also \nappreciate the confidence that you have shown in me, Mr. \nChairman.\n    Mr. Rush. Thank you very much.\n    The Chair now recognizes Mr. Upton, the ranking member of \nthe subcommittee, for 5 minutes for the purposes of an opening \nstatement.\n    Mr. Upton. Well, thank you, Mr. Chairman. I am sorry to \nhear about your friend, and I am grateful that you didn't get \non that plane, because I drove home through that storm last \nnight, and I don't think that plane would have had a lot of----\n    Mr. Rush. Thank you.\n    Mr. Upton. Yes. Yes. Smart.\n\n   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Today's hearing continues the subcommittee's ongoing \noversight of cybersecurity threats to the electric grid, a \npriority that all of us have had. And while this is the first \nhearing specifically on the topic this year, the subcommittee \nhas been raising questions about persistent and emerging \nthreats to the electrical grid in closed briefings and in \nhearings with Federal officials and others over the course of \nthis session, building on the work that we have done over the \nlast couple of Congresses.\n    It is unquestionable that ensuring the reliable supply of \nelectricity is vital to our Nation's security, economy, our \nhealth, and welfare. 
Electricity enables telecommunications, \nfinancial transactions, the transport and delivery of energy \nand agriculture; it powers the infrastructure that delivers our \ndrinking water. It enables business and industry to make and \nprovide the goods and services of our modern society. It powers \nour hospitals, our households, and everything else.\n    But let's face it. The U.S. has the world's most complex \nelectric grid, and while we have a well-developed system of \ngrid operators to ensure that the lights stay on, we are \nconfronting new challenges every day and adapting to a changing \ngeneration mix, new technologies, and consumer preferences.\n    We are also responding to new threats and working to \nstrengthen the cybersecurity of the Nation's grid. The \nintegration into the system of new digital technologies that \nare essential for keeping up with our Nation's energy needs \nconstantly add vulnerabilities.\n    Other vulnerabilities are being added with increasing \ndependence on pipeline infrastructure by electric generating \nunits. 
Combine that with a rapid expansion of cyber \ncapabilities by more of America's adversaries in safeguarding \ntransmission infrastructure remains particularly urgent.\n    Many of the Federal oversight and regulatory structures in \nplace today that ensure that the system can mitigate and \nrespond to cyber can be traced to this committee's legislative \nwork.\n    In 2005, we authorized FERC to commission the North \nAmerican Electric Reliability Corporation, NERC, with the \nauthority to establish and enforce reliability standards and to \ncoordinate activities among industry and the Feds to confront \ncyber threats.\n    In 2015, this committee wrote provisions, including the \nFAST Act, to strengthen DOE's energy sector specific \nauthorities and to facilitate sharing of the threat information \nbetween private-sector asset owners and the Federal Government.\n    As a Federal agency with a leading expertise on our \nNation's electricity grid and the cybersecurity threats against \nit, it is imperative that we arm DOE with the tools and \nauthorities to protect our electricity system from the \ntransmission lines to the very generating stations and their \npipelines.\n    Most recently, we developed legislation to elevate DOE's \nfunctions overseeing cybersecurity and to improve information \nsharing, emergency planning, and other technical activities in \nthis jurisdiction. That legislative work is continuing, but \nfortunately the Department has used its own authorities to \nimplement enhanced leadership over cybersecurity and to improve \ninteragency coordination.\n    Against that backdrop, today's hearing provides a great \nopportunity to update the subcommittee on what these agencies \nare doing to advance cybersecurity practices, protections, and \nresponse planning.\n    I am looking forward to hearing from Assistant Secretary \nKaren Evans, who heads the DOE Office of Cybersecurity, Energy \nSecurity, and Emergency Response, or CESER. 
When she testified \nin September last year, she had been on the job for just a \ncouple of weeks, though she brought long Federal experience to \nthe table as soon as she sat down.\n    So I look forward to discussing DOE's current work, how \nwell it is exercising its coordinating role over the \ncybersecurity threat, and to learn what challenges she sees \ngoing forward and how she plans to address those challenges.\n    It will also be helpful to hear today from the regulators \nof the electric grid: Andy Dodge, who heads FERC's Office of \nElectric Reliability, and of course, from Jim Robb, who heads \nNERC. Both of these entities serve as the front lines of \nregulatory oversight of electric grid infrastructure \nprotection. I am particularly interested in learning what \nmeasures you are working on to address threats to ensure best \npractices and to coordinate response to cyber incidents.\n    The risk of massive blackouts can be hard to think about, \nbut the cybersecurity realities of today require that we face \nthese risks head on, that we be sure that our agencies and \nappropriate groups have the tools in the toolbox and the \ninformation that they need to address the risk and what they \nare prepared for the consequences of successful attacks.\n    [The prepared statement of Mr. Upton follows:]\n\n                 Prepared Statement of Hon. Fred Upton\n\n    Today's hearing continues the subcommittee's ongoing \noversight of cybersecurity threats to the electric grid. 
While \nthis is the first hearing specifically on that topic this year, \nthe subcommittee has been raising questions about persistent \nand emerging threats to the electrical grid in closed briefings \nand in hearings with Federal officials and others over the \ncourse of this session--building on the work we've done over \nthe past few Congresses.\n    It is unquestionable that ensuring the reliable supply of \nelectricity is vital to our Nation's security, economy, our \nhealth and welfare. Electricity enables telecommunications, \nfinancial transactions, the transport and delivery of energy, \nand agriculture. It powers the infrastructure that delivers our \ndrinking water. It enables business and industry to make and \nprovide the goods and services of our modern society. It powers \nour hospitals, our households.\n    The United States has the world's most complex electric \ngrid, and while we have a well-developed system of grid \noperators to ensure our lights stay on, we're confronting new \nchallenges and adapting to a changing generation mix, new \ntechnologies, and consumer preferences. We're also responding \nto new threats and working to strengthen the cybersecurity of \nthe Nation's grid.\n    The integration into the system of new digital technologies \nthat are essential for keeping up with our Nation's energy \nneeds constantly add vulnerabilities. Other vulnerabilities are \nbeing added with the increasing dependence on pipeline \ninfrastructure by electric generating units. 
Combine this with \nthe rapid expansion of cyber capabilities by more of America's \nadversaries, and safeguarding transmission infrastructure \nremains particularly urgent.\n    Many of the Federal oversight and regulatory structures in \nplace today that ensure the system can mitigate and respond to \ncyber threats can be traced to this committee's legislative \nwork.\n    In 2005, we authorized FERC to commission the North \nAmerican Electric Reliability Corporation (NERC) with the \nauthority to establish and enforce reliability standards and to \ncoordinate activities among industry and the Feds to confront \ncyber threats.\n    In 2015, this committee wrote provisions included in the \nFAST Act to strengthen DOE's energy sector specific authorities \nand to facilitate sharing of threat information between private \nsector asset owners and the Federal Government. As the Federal \nagency with the leading expertise on our Nation's electricity \ngrid and the cybersecurity threats against it, it is imperative \nthat we arm DOE with the tools and authorities to protect our \nelectricity system, from the transmission lines to the \ngenerating stations to the pipelines.\n    Most recently, we developed legislation to elevate DOE's \nfunctions overseeing cybersecurity and to improve information \nsharing, emergency planning and other technical activities in \nits jurisdiction. That legislative work is continuing, but \nfortunately, the Department has used its own authorities to \nimplement enhanced leadership over cybersecurity and to improve \ninteragency coordination.\n    Against this backdrop, today's hearing provides a great \nopportunity to update the subcommittee on what DOE, FERC and \nNERC are doing to advance cybersecurity practices, protections, \nand response planning.\n    I am looking forward to hearing from Assistant Secretary \nKaren Evans, who heads the DOE Office of Cybersecurity, Energy \nSecurity, and Emergency Response, or CESER.\n    When Ms. 
Evans testified in September last year, she had \nbeen on the job for just a few weeks--though she brought long \nFederal experience to the table as soon as she sat down. So I \nlook forward to discussing DOE's current work, how well it is \nexercising its coordinating role over the cybersecurity threat, \nand to learn what challenges she sees going forward, and how \nshe plans to address those challenges.\n    It will also be helpful to hear today from the regulators \nof the electric grid: Andy Dodge, who heads FERC's Office of \nElectric Reliability, and, of course, from Jim Robb, who heads \nNERC. Both these entities serve at the front lines of \nregulatory oversight of electric grid infrastructure \nprotection. I'm particularly interested in learning what \nmeasures they are working on to address threats, to ensure best \npractices, and to coordinate response to cyber incidents.\n    The risks of massive blackouts can be hard to think about. \nBut the cybersecurity realities of today require we face these \nrisks head on, that we be sure our agencies and the appropriate \ngroups have the tools and information they need to address the \nrisks, and that they are prepared for the consequences of \nsuccessful attacks.\n    Thank you, Mr. Chairman, for keeping the subcommittee \ninformed on this important topic.\n\n    Mr. Upton. Thank you, Mr. Chairman, for this hearing. I \nyield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes the chairman of the full \ncommittee, Mr. Pallone, for 5 minutes for the purposes of an \nopening statement.\n\nOPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Pallone. Thank you, Chairman Rush.\n    Today we are here to get an update from Federal agencies \nabout how they are addressing cyber threats to our electricity \ngrid. 
We know our adversaries are developing new techniques to \ncompromise and attack our grid, so it is vitally important that \nthe Federal Government and the electric industry remain \nvigilant in ensuring the grid is secure.\n    Our committee has been conducting robust oversight on this \nimportant topic in a bipartisan fashion for years. Today's \nhearing is a public forum to discuss how the Federal Government \nis addressing cybersecurity challenges, but the committee also \ncontinues to receive closed-door briefings on the issue to \nunderstand more classified matters.\n    Our witnesses and their respective agencies all take \ncybersecurity to the grid very seriously, and I believe \nSecretary Perry made the right decision in creating the \nposition of Assistant Secretary for Cybersecurity, Energy \nSecurity, and Emergency Response to focus specifically on these \npressing issues.\n    Last month, the subcommittee favorably reported out \nlegislation introduced by Chairman Rush and Mr. Walberg that \nwould enshrine in statute this important new division at DOE, \nand I look forward to bringing this bill and three other \nbipartisan cybersecurity bills up for a markup at the full \ncommittee soon.\n    We must be both active and vigilant when it comes to \ncybersecurity, because time is of the essence. In March, we had \nthe first reported malicious cyber event that disrupted grid \noperations of a western utility. Thankfully, there seemed to be \nvery little effect on the transmission grid and no customers \nlost power, but we must stay ahead of anyone who is a cyber \nthreat.\n    And I appreciate the work of FERC and N-E-R-C, or NERC, to \ncontinue enhancing critical infrastructure protection \nstandards, like the final rule last October to bolster supply \nchain risk management. 
This rule implements new reliability \nstandards that respond to supply chain risks, like malicious \nsoftware, by requiring responsible entities to develop and \nimplement security controls for industrial control systems, \nhardware, software, and services.\n    And these are the types of important forward-looking \nactions we need to proactively protect our grid against \nattacks. And while this hearing today is not specifically about \npipeline cybersecurity, I would be remiss not to mention how \nimportant that is to our grid system. We have a reliable \npipeline system, but we never want to find ourselves in a \ndifferent situation, so I remain concerned about the lack of \nresources and expertise at the Transportation Security \nAdministration's pipeline security program.\n    I look forward to hearing from DOE about possible ways they \ncould help address these safety gaps. As I have said before, if \nTSA continues to devote scant resources or attention to these \nmatters, we must start looking at other options to keep our \npipes secure. So, again, I thank our witnesses for being here \ntoday as we discuss this critical security issue.\n    And with that, Mr. Chairman, unless someone else wants the \ntime, I yield back.\n    [The prepared statement of Mr. Pallone follows:]\n\n             Prepared Statement of Hon. Frank Pallone, Jr.\n\n    Thank you, Chairman Rush, for holding this hearing today on \nthe very important topic of cybersecurity of our Nation's \nelectric grid. We know our enemies are rapidly developing new \ntechniques to compromise and attack our grid. It is important \ngovernment and industry stay on top of the issue.\n    I know our witnesses and their agencies--the Department of \nEnergy, the Federal Energy Regulatory Commission, and the North \nAmerican Electric Reliability Corporation--all take \ncybersecurity of the grid very seriously and are doing good \nwork. 
I look forward to today's discussion.\n    I am pleased Secretary Perry established the Cybersecurity, \nEnergy Security, and Emergency Response, or CESER, office to \nfocus specifically on these pressing issues. Chairman Rush and \nMr. Walberg have introduced bill H.R. 362, the Energy Emergency \nLeadership Act, to enshrine in statute this new focused level \nof leadership at the Department of Energy. I hope we are able \nto report this legislation out of the full committee soon.\n    This bill, along with three other bipartisan bills \naddressing cybersecurity of our Nation's energy systems, were \nfavorably forwarded to the full committee recently. These bills \nare a top priority to move, and I am very proud of our strong \nbipartisan working relationship and the committee's efforts on \ncybersecurity.\n    We all understand time is of the essence. March 2019 marks \na sobering milestone of the first reported malicious cyber \nevent that disrupted grid operations of a Western utility. \nThankfully, there seemed to be very little effect to the \ntransmission grid and no resulting blackouts. We must stay \nahead of our enemies and keep it that way.\n    I appreciate FERC and NERC's work together to continue \nenhancing Critical Infrastructure Protection Standards like the \nfinal rule last October to bolster supply chain risk \nmanagement. This rule implements new reliability standards that \nrespond to supply chain risks like malicious software by \nrequiring responsible entities to develop and implement \nsecurity controls for industrial control system hardware, \nsoftware and services. These are the types of important \nforward-looking actions we need to proactively protect our grid \nagainst attacks.\n    And, while this hearing today is not about cybersecurity \nrelating to our pipelines, I'd be remiss not to mention how \nimportant that is to our grid system. 
We have a reliable \npipeline system, but we never want to find ourselves in a \ndifferent situation. DOE, FERC, and NERC's responsiveness to \nthe committee's briefing request and job of oversight is a \nwelcomed change from the stonewalling from TSA who refuse to \ntestify. As I've said before, and my friend from Michigan, \nRanking Member Upton has echoed, if TSA does not want to be \ntaken seriously, we may have to look at other options.\n    I want to thank our witnesses for being here today. I look \nforward to hearing about CESER's range of work including work \non a national strategy and cybersecurity risk assessment of the \ngrid. I am also looking forward to hearing about FERC and NERC's \ncontinued work to build out a critical infrastructure \ncybersecurity framework. In general, how are you working to \nincentivize and implement leading cybersecurity standards? What \ntypes of collaborative processes are your agencies working on \nwith industry? And, what can Congress do to support each of \nyour agencies' work?\n    Thank you, I yield back.\n\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes the ranking member of the full \ncommittee, Mr. Walden, for the purposes of an opening \nstatement.\n    Mr. Walden. Well, good morning, Mr. Chairman.\n    Mr. Rush. Good morning.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. I am delighted to have the witnesses here and \nto have this hearing.\n    By any measure, the reliable supply of electricity is an \nessential part of everything that we do. We know that. 
And as \nwe have learned in previous briefings and hearings, in today's \nhighly interconnected and digital world the threat of cyber \nattacks, the reliability of electricity is ever present and it \nis growing.\n    And one of our responsibilities on the Energy and Commerce \nCommittee is to review and, where necessary, revise laws and \npolicies that concern the reliable delivery of energy. This is \npart of the committee's black letter jurisdiction, and it is \nsomething that we all take very seriously, no matter which \nparty is in the majority.\n    This morning's oversight hearing continues this important \nwork, and it focuses on the status of efforts to address \ncybersecurity threats to the electricity grid. We will hear \ntestimony from our witnesses today--you are key players in \nkeeping the lights on--Department of Energy, Federal Energy \nRegulatory Commission, and the North American Electric \nReliability Corporation, or NERC.\n    Each of your organizations has a role in supporting \neffective information sharing, technical assistance, standard \nsettings, oversight of standards implementation, sound \nengineering practices, all of that as it relates to the bulk \npower system. And I look forward to hearing updates from the \nwitnesses, especially on coordination and on sharing among the \nFederal entities and industries. We know that has always been \nan issue, and it continues to be.\n    Our past oversights examine some of the work DOE is doing \nto carry out its broad energy emergency and cybersecurity \nresponsibilities over the energy sector. This includes \nproviding, supporting, and facilitating the technical \nassistance to the energy sector to help identify \nvulnerabilities and to mitigate risk.\n    I have seen some of this work firsthand at our National \nLabs, especially in the northwest, the Pacific Northwest \nNational Laboratory in Washington State, and I went out to \nIdaho Falls to the Idaho National Laboratory. 
Terrific people \nworking in those labs, doing amazing work on behalf of the \ncountry. They provide the analytical tools, they provide the \ntest beds and other capabilities that are proving very helpful \nfor all kinds of industries and systems we rely upon.\n    We learned last year how deployment of new surveillance and \ninformation-sharing tools, particularly in what is called the \nCybersecurity Risk Information Sharing Program, or CRISP, have \nproven especially helpful in identifying systemic and \nsystematic cyber attacks across the energy sector.\n    So I would be interested to hear today from NERC and DOE \nhow this approach is being expanded more broadly, especially as \nit relates to supply chain risk and operational technology \nsystems, the switches and Supervisory Control and Data \nAcquisition, or SCADA system, embedded in the grid. We know \nthat as more connected devices and smart grid technologies are \nadded to the grid, the vulnerabilities will continue to grow.\n    Information sharing is central to strong cyber defenses. \nThis is especially important as our energy systems become more \ninterconnected. Republican Leader Fred Upton has noted \nrepeatedly how, because the Nation's pipeline systems--and you \nhave heard this from others today--are such an integral part of \nthe electricity fuel supply system, harm to pipelines means \npotential harm to the supply of electricity.\n    So we have to think about pipelines as part of our larger \nenergy system rather than just a piece of hardware or a simple \nmode of transportation. While pipelines fall under separate \nregulatory regimes, Department of Energy must maintain \nvisibility over pipelines to ensure the delivery of electricity \nto consumers. 
They are all interconnected.\n    That is why this committee has been pushing to codify DOE's \nemergency response role and strengthen the Department's \ncapabilities to monitor for cyber threats and to provide \ntechnical assistance to the industries.\n    It is also important to enhance coordination of response \nshould attacks succeed at a large scale. Members on this panel \nhave had the benefit of briefings over the past few years to \nunderstand emergency response exercises in the electric sector. \nAn update on these exercises will also be useful today, so we \nlook forward to that.\n    As this testimony this morning will underscore, the risk to \nour critical electrical infrastructure from nation states and \nother bad actors is increasing. This means the technical \nassistance, the information sharing, and deployment of \ninnovative technologies and best practices to get ahead of the \nthreats is ever more urgent.\n    We must be sure our critical infrastructure protection \nstandards are up to date, and sufficiently flexible to meet the \nrisk, and we must be sure we are providing our Federal agencies \nthe tools needed to serve the industry and the Nation more \neffectively. We have real responsibility here, and hearings \nlike this will help us do our job better.\n    So, Mr. Chairman, thank you for having this oversight \nhearing. And, again, to our witnesses, thank you for your \ntestimony, guidance, and counsel. You will improve our work.\n    [The prepared statement of Mr. Walden follows:]\n\n                 Prepared Statement of Hon. Greg Walden\n\n    Thank you, Mr. Chairman.\n    By any measure, the reliable supply of electricity is an \nessential part of almost everything we do. 
And, as we've \nlearned in previous briefings and hearings, in today's highly \ninterconnected, digital world, the threat of cyber attacks to \nthe reliability of electricity is ever present and growing.\n    One of our responsibilities on the Energy and Commerce \nCommittee is to review, and where necessary, revise laws and \npolicies that concern the reliable delivery of energy. This is \npart of the committee's black letter jurisdiction, and it is \nsomething we take very seriously on both sides of the aisle, no \nmatter which party is in the majority.\n    This morning's oversight hearing continues this important \nwork. It focuses on the status of efforts to address \ncyberthreats to the electric grid. We will hear testimony from \nthree of the key players for making sure the lights stay on: \nDepartment of Energy, the Federal Energy Regulatory Commission, \nand the North American Electric Reliability Corporation, or \nNERC.\n    Each of these organizations has a role in supporting \neffective information sharing, technical assistance, standard \nsetting, oversight of standards implementation, and sound \nengineering practices relating to the bulk power system. And I \nlook forward to hearing updates from the witnesses, especially \non coordination and sharing among the Federal entities and \nindustry.\n    Our past oversight has examined some of the work DOE is \ndoing to carry out its broad energy emergency and cybersecurity \nresponsibilities over the energy sector. This includes \nproviding, supporting, and facilitating the technical \nassistance to the energy sector to help identify \nvulnerabilities and mitigate risks. 
I've seen some of this work \nat the National Labs, particularly at the Pacific Northwest \nNational Laboratory, in Washington, and at the Idaho National \nLaboratory, which provide analytical tools, test beds, and \nother capabilities that are proving very helpful for industry.\n    We learned last year how deployment of new surveillance and \ninformation sharing tools, particularly in what is called the \nCybersecurity Risk Information Sharing Program, or CRISP, have \nproven especially helpful in identifying systematic cyber \nattacks across the energy sector.\n    I would be interested to hear today from NERC and DOE how \nthis approach is being expanded more broadly, especially as it \nrelates to supply chain risks and operational technology \nsystems--the switches and Supervisory Control and Data \nAcquisition (SCADA) system--embedded in the grid. We know that \nas more connected devices and smart grid technologies are added \nto the grid, the vulnerabilities will continue to grow.\n    Information sharing is central to strong cyber defenses. \nThis is especially important as our energy systems become more \ninterconnected. Republican Leader Upton has noted repeatedly \nhow, because the Nation's pipeline systems are such an integral \npart of the electricity fuel supply system, harm to pipelines \nmeans potential harm to the supply of electricity.\n    We must think about pipelines as part of a larger energy \nsystem--rather than a piece of hardware or a simple mode of \ntransportation. While pipelines fall under separate regulatory \nregimes, DOE must maintain visibility over pipelines to ensure \nthe delivery of electricity to consumers. That is why this \ncommittee has been pushing to codify DOE's emergency response \nrole and strengthen the Department's capabilities to monitor \nfor cyberthreats and to provide technical assistance to \nindustry.\n    It is also important to enhance coordination of response \nshould attacks succeed at a large scale. 
Members on this panel \nhave had the benefit of briefings over the past few years to \nunderstand emergency response exercises in the electric sector. \nAn update on these exercises will be useful today.\n    As testimony this morning will underscore, the risks to our \ncritical electric infrastructure from nation states and other \nbad actors are increasing. This means the technical assistance, \nthe information sharing, and deployment of innovative \ntechnologies and best practices to get ahead of the threats is \never more urgent. We must be sure that our critical \ninfrastructure protection standards are up to date and \nsufficiently flexible to meet the risks. We must be sure that \nwe are providing our Federal agencies the tools needed to serve \nthe industry and the Nation more effectively. We have a \nresponsibility here and hearings like this will help us do our \njob.\n    Thank you, Mr. Chairman, and I yield back.\n\n    Mr. Walden. And with that, I will yield back the balance of \nmy time.\n    Mr. Rush. The gentleman yields back.\n    The Chair would now like to welcome all of our expert \nwitnesses for today's hearing. From my left, the Honorable \nKaren S. Evans. She is the Assistant Secretary of the Office of \nCybersecurity, Energy Security, and Emergency Response, CESER, \nat the U.S. Department of Energy.\n    Next to her is seated Mr. J. Andrew Dodge, Sr. He is the \nDirector of the Office of Electric Reliability for the Federal \nEnergy Regulatory Commission, FERC.\n    And sitting next to Mr. Dodge is Mr. Jim Robb, the \npresident and chief executive officer of the North American \nElectric Reliability Corporation.\n    And I want to, again, thank all of the witnesses for being \nhere with us today, and we look forward to your testimony.\n    But before we begin, I have to give you a little tutorial. \nI would like to explain the lighting system.\n    In front of you is a series of lights. 
The light will \ninitially be green at the start of your opening statement. The \nlight will turn yellow when you have 1 minute remaining. Please \nbegin to wrap up your testimony at the yellow light. The light \nwill turn a bright, bright, bright red when your testimony \nexpires.\n    And with that said, Assistant Secretary Evans, you are now \nrecognized for 5 minutes.\n\n STATEMENTS OF KAREN S. EVANS, ASSISTANT SECRETARY, OFFICE OF \n    CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, \nDEPARTMENT OF ENERGY; J. ANDREW DODGE, Sr., DIRECTOR, OFFICE OF \nELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION; AND \n  JAMES B. ROBB, PRESIDENT AND CHIEF EXECUTIVE OFFICER, NORTH \n           AMERICAN ELECTRIC RELIABILITY CORPORATION\n\n                  STATEMENT OF KAREN S. EVANS\n\n    Ms. Evans. Thank you, sir. Good morning, Chairman Rush, \nRanking Member Upton, and members of the committee. Thank you \nfor the opportunity to discuss the continuing threats facing \nour national energy infrastructure.\n    Focusing on cybersecurity, energy security, and resilience \nof the Nation's energy systems is one of the Energy Secretary's \ntop priorities. By the administration proposing and Congress \naffirming the Office of Cybersecurity, Energy Security, and \nEmergency Response, CESER, the Secretary has clearly \ndemonstrated his commitment to achieving the administration's \ngoal of energy security and, more broadly, national security.\n    Our Nation's energy infrastructure has become a primary \ntarget for hostile cyber actors, both state-sponsored and the \nnonstate-sponsored. The frequency, scale, and sophistication of \ncyber threats continue to increase. 
Cyber incidents have the \npotential to disrupt energy services, damage highly specialized \nequipment, and even threaten human health and safety.\n    The release of the President's National Cyber Strategy, the \nNCS, in September 2018 reflects the administration's commitment \nto protecting America from cyber threats. The Department of \nEnergy plays an active role in supporting the security of our \nNation's critical energy infrastructure in implementing the \nNCS.\n    The efforts reflect a concerted response to the emergence \nof energy cybersecurity and resilience as one of the Nation's \nmost important security challenges. Fostering partnerships with \npublic and private sector stakeholders is of the utmost \nimportance to me as the Assistant Secretary for CESER.\n    The NCS prioritizes risk reduction activities across seven \nkey areas, which include national security and energy and \npower. DOE cybersecurity activities for the energy sector align \nto the secure critical infrastructure section of pillar one, \nwhich is protecting the American people, the homeland, and the \nAmerican way of life under the category to prioritize actions \naccording to identified national risks.\n    In the energy sector, the core of the critical \ninfrastructure partners is represented by the Electricity \nSubsector Coordinating Council, or the ESCC, the Oil and \nNatural Gas Sub Sector Coordinating Council, the ONGSCC, and \nthe Energy Government Coordinating Council, the EGCC.\n    The ESCC and the ONGSCC represent the interest of their \nrespective industries. The EGCC, which is led by DOE and DHS, \nis where the interagency partners, States, and international \npartners come together to discuss the important security and \nresilience issues for the energy sector. 
This forum ensures \nthat we are working together in a whole-of-government response.\n    It is critical for us to be proactive and cultivate a \nsecure energy network of producers, distributors, regulators, \nvendors, and public partners acting together to strengthen our \nability to identify, detect, protect, respond, and recover. The \nDepartment is focusing cyber support efforts to strengthen the \nenergy sector cybersecurity preparedness, coordinate cyber \nincident response and recovery, and accelerate game-changing \nresearch development and deployment of resilient energy \ndelivery systems.\n    DOE also maintains a close relationship with FERC and NERC \nto ensure that they have the relevant information to execute \ntheir missions. DOE also holds regular discussions with the \nthree energy sector information-sharing and analysis centers, \nwhich include the Downstream Natural Gas ISAC, the Oil and \nNatural Gas ISAC, and the Electricity ISAC, to share emerging \nand potential threats, and to disseminate information.\n    Establishing CESER is the result of the administration's \ncommitment to prioritize the energy security and national \nsecurity. CESER is working on many fronts collaborating with \nindustry, State and local governments, to protect our Nation's \ncritical energy infrastructure from all hazards, including this \ngrowing cyber threat.\n    Our long-term approach will strengthen our Nation's \nnational security and positively impact our economy. I \nappreciate the opportunity to appear before this committee to \ndiscuss cybersecurity in the energy sector, and I applaud your \nleadership. I look forward to working with you and your \nrespective staffs to continue to address cyber and physical \nsecurity challenges.\n    [The prepared statement of Ms. Evans follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Rush. I want to thank you, Madam Secretary.\n    And now I want to recognize Mr. Robb for--Mr. 
Dodge, I am \nsorry--for 5 minutes for the purposes of an opening statement.\n\n               STATEMENT OF J. ANDREW DODGE, Sr.\n\n    Mr. Dodge. Thank you very much. Good morning, Chairman \nRush, Ranking Member Upton, and members of the subcommittee. \nThank you for the opportunity to testify today. My name is Andy \nDodge, and I am the Director of Electric Reliability at FERC, \nor the Federal Regulatory Energy Commission. During my \ntestimony I will often refer to that as the Commission.\n    I am here today as a Commission staff witness, and my \nremarks do not necessarily represent the views of the \nCommission or any individual Commissioner. Today, I will \nprovide a brief overview of the Commission's authorities and \nactivities to help protect and improve the cybersecurity of the \nNation's bulk power system.\n    Our work includes mandatory reliability standards, audits \nof those standards, identification and sharing of best \npractices. We work very closely with the North American \nElectric Reliability Council, or NERC, its regional entities, \nother Federal and State agencies, and responsible entities to \ncarry out this very important work.\n    As a result of the Energy Policy Act of 2005 and section \n215 of the Federal Power Act, NERC is responsible for \ndeveloping and proposing new or modified reliability standards \nto the Commission. The Commission oversees NERC's development \nand enforcement of critical infrastructure protection \nstandards, or CIP standards.\n    The original set of eight mandatory CIP standards were the \nso-called version one standards. They were actually developed \nin 2006 and became totally enforceable in 2010. The CIP \nstandards are continuously reviewed and updated to address new \ncybersecurity threats and challenges, as well as technological \nchanges. We are currently in version five of the overall \nstandards. There are currently 11 active cybersecurity \nstandards and one active physical security standard. 
In all, \nthere are over 200 distinct requirements.\n    The CIP standards are a portfolio of requirements that \nconstitute a defense-in-depth approach to cybersecurity based \non an assessment of risk. Importantly, the CIP reliability \nstandards are objective-based, and responsible entities are \nfree to choose compliance approaches best tailored to their \nindividual systems.\n    The foundational standard is CIP-002. This standard \nrequires each utility to perform a risk assessment of its \nassets and then to categorize those assets in the low, medium, \nand high impact to the electric grid. The other CIP standards \nthen build upon the CIP-002 standard, and they require utility \ncompanies to develop and implement cybersecurity plans, train \npersonnel adequately, establish physical and electronic access \nparameters, and then also test and apply patches in a timely \nmanner, identify and report cybersecurity incidents, and also \ndevelop and implement recovery plans, amongst other things.\n    Recently, the Commission further enhanced the CIP \nreliability standards to address supply chain risk and also \nincident reporting. Although NERC and its regional entities are \nprimary enforcement authorities for the CIP standards, since \n2016 the Commission has been auditing sample utilities each \nyear with respect to their compliance to the version five of \nthe CIP standards.\n    As a result of these audits, the Commission has issued two \nreports that described the lessons learned from the audits as \nwell as best practices. By publishing these lessons-learned \nreports, we hope to help other utility companies improve their \ncompliance with the CIP reliability standards as well as their \noverall cybersecurity.\n    In addition to the mandatory reliability standards, the \nCommission has adopted voluntary initiatives overseen by our \nOffice of Energy Infrastructure Security, or OEIS. 
OEIS engages \nin partners with industry, States, and other Federal agencies \nto develop and promote best practices for critical \ninfrastructure security.\n    These initiatives include voluntary architecture \nassessments of interested entities, classified briefings for \nState and industry officials, and joint security programs, \nother Federal Government agencies, and industry.\n    In conclusion, protecting the electric system from cyber \nand physical threats is critically important to securing our \nNation's critical infrastructure. The Commission is taking both \na standards or mandatory approach as well as a collaborative \nvoluntary approach to ensuring a reliable and secure operation \nof the grid.\n    I thank you for the opportunity to testify today and \nparticipate in this hearing, and I very much look forward to \nanswering your questions. Thank you.\n    [The prepared statement of Mr. Dodge follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Rush. I want to thank the gentleman.\n    The Chair now recognizes Mr. Robb for 5 minutes.\n\n                   STATEMENT OF JAMES B. ROBB\n\n    Mr. Robb. Thank you, Chairman Rush, Ranking Member Upton, \nand members of the subcommittee. I appreciate the opportunity \nto be with you today. This is my first appearance in front of \nthe committee as NERC CEO since taking the job last year.\n    You have all noted in your opening comments how \nfoundational electricity is to modern society. And all of us \nhere on the panel, NERC, FERC, the Department of Energy, we all \ntake our job of strengthening the reliability and security of \nthe fabric of the industry very seriously.\n    We know the citizens of the United States and our neighbors \nin Canada and Mexico depend on a reliable supply of electricity \nfor all of their daily life needs. To date, there has been no \nsuccessful cyber attack that has resulted in a loss of load in \nthe United States. 
While we are very proud of that statistic, I \ncan assure you that we will never rest on our laurels, as the \nthreats are real and the potential consequences as noted are \nsignificant.\n    As a result, the electricity sector has taken the \ncybersecurity threat extremely seriously and has put in place a \nrobust system to protect our critical infrastructure. We find \nthat boards and executive leadership play strong support, \nfocus, and set cybersecurity as one of their top corporate \npriorities.\n    Unlike our day-in and day-out job to reduce risks to \nreliability, cyber risks originate from determined adversaries \nwho use multiple persistent techniques to attack our grid.\n    The electricity sector employs a multipronged approach to \nsupport security of the bulk power system. The approach \nincludes mandatory and enforceable reliability standards and \nsecurity standards, information sharing and partnerships with \nour sector-specific agency, the Department of Energy, as well \nas other Government entities, such as DHS and DOD, to confront \nrapidly developing threats, and drilling education and \nengagement with industry. Together, we believe they form a \nsolid foundation of best practices and strategies to \neffectively confront this ever-evolving threat.\n    With respect to standards, our critical infrastructure \nprotection standards provide a common foundation for security. \nOur standards are developed using subject matter expertise from \nindustry then reviewed and approved by NERC's independent board \nof trustees, and ultimately by the FERC.\n    The CIP standards, as Andy noted, require companies to \nestablish plans, protocols, and controls to protect their \ncritical systems against cyber attack, ensure personnel are \nadequately trained on cyber hygiene, report security instances \nin a timely manner, and effectively recover from events.\n    Our standards evolve with increased understanding of \nthreats. 
Recent updates to the CIP standards address supply \nchain risks and improve cyber incident reporting. And we expect \nlater this year to address cloud computing and EMP.\n    Compliance with standards is routinely audited, and \nnoncompliance is subject to financial penalties, at times quite \nsignificant, and require in many cases CEO execution and board-\nlevel reporting.\n    But standards are just one important element of a \ncomprehensive strategy. Because the security threat evolves \nrapidly, in addition to the defense provided by the standards, \nindustry and government must maintain constant situational \nawareness, real-time communication, and prompt emergency \nresponse capabilities. And that is where robust information \nsharing comes in, and that is a service that we provide through \nthe electricity sector, information sharing and analysis \ncenter, or the E-ISAC.\n    Operated by NERC and working in close collaboration with \nthe Department of Energy and the Electricity Subsector \nCoordinating Council, the E-ISAC is the central hub for sharing \nof security information within the electricity sector. The E-\nISAC communicates with over 1,000 electricity industry \norganizations via secure portal with critical security \ninformation that is provided by both industry and government.\n    Through the E-ISAC, we manage a terrific information \nsharing program called CRISP, the Cybersecurity Risk \nInformation Sharing Program. CRISP uses innovative technology \ndeveloped by the Department of Energy and the National Labs to \nmonitor cyber activity on company systems, and we have \ndeveloped over the last several years the capability to rapidly \ndeclassify insights from CRISP within 24 hours to communicate \ninsights out to industry.\n    CRISP companies currently cover about 75 percent of U.S. \ncustomers, and we are working to further expand the program. 
\nInformation by CRISP is shared beyond CRISP members so that all \n1,000 E-ISAC members can benefit.\n    We also conduct a biannual continentwide security drill we \ncall GridEx. GridEx is the largest geographically distributed \nsecurity exercise for the electricity sector. Conducted every \nother year in partnership with the ESCC and our Government \npartners, it simulates a widespread coordinated cyber and \nphysical attack designed to overwhelm even the most prepared \norganizations and exercise their ability to respond and to \nrecover.\n    And, finally, we invest significantly in education and \noutreach. We conduct periodic webinars, critical broadcast \ncalls, and recently established an all-points bulletin to \nrapidly communicate key insights and threats to industry. For \nthe most serious threats we can also use a NERC alert, which \nprovides concise, actionable security information and \nmitigation strategies to industry and in many cases require \nindustry to report back to us on successful threat mitigation.\n    In addition, we sponsor the premier annual grid security \nconference in partnership with our regional entities, called \nGridSecCon, and it has proven to be a terrific training and \noutreach engagement forum for NERC, the E-ISAC, our Government \npartners, key industry security officials, and key vendors to \nengage and learn from each other.\n    Again, I thank the committee for inviting me here today. I \nlook forward to your questions.\n    [The prepared statement of Mr. Robb follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Rush. The Chair thanks the witness. And with that, we \nare now concluding the opening statements from the witnesses, \nand we will now proceed to Members' questioning. 
Each Member \nwill have 5 minutes to ask questions of our witnesses, and I \nwill start by recognizing myself for 5 minutes.\n    Assistant Secretary Evans, it is certainly great to see you \nthis morning before our committee once again. And, as you know, \nI have sponsored, along with Mr. Walberg, H.R. 362, which will \nessentially codify your position within DOE as a new Assistant \nSecretary position with jurisdiction over all energy emergency \nand security functions relating to energy supply infrastructure \nand cybersecurity.\n    So we look forward to marking that bill up and passing it \nout of the House, and we hope the President will sign it \nsubsequent to it passing in the Senate. So we want to be \ninvited to your celebration when you are sworn in as the \ncodified Assistant Secretary, all right.\n    But I have a question for you now. Currently there appears \nto be some overlap or even some tension among some of the \nFederal agencies as it regards to who is responsible for \ncybersecurity when it comes to protecting the energy sector. \nWhat makes DOE uniquely positioned to take on a leading role \nwhen it comes to technical expertise, knowledge, experience, \nand resources in protecting the energy-specific sectors? Why is \nDOE uniquely positioned to address all those issues?\n    Ms. Evans. Well, first, thank you, sir. And when it is \nsigned, we will invite you down for the celebration, everyone \non the committee, because we applaud your leadership and your \nforward leaning into this important issue.\n    Where DOE is uniquely positioned for this is the \npartnership that DOE has as the sector-specific agency out \nthrough the entire sector as well as State and local \ngovernment. But what is even more unique about the Department \nof Energy is the National Lab structure and leveraging the \ncapabilities that the National Lab has.\n    So, when you hear maybe that there is some tension, I don't \nknow that there is actually tension. 
It is the specific \nexpertise of the energy sector, and that is why the \nadministration has us as the sector-specific agency under the \nPDDs, and as well as with the National Cyber Strategy as it \ngoes forward.\n    There is clarity that we continue to work through as to the \nincident response and how that should work, but I think there \nis no disagreement in the executive branch that this is an \nimportant sector, and that the public/private partnership is \ncritical and that leveraging the National Labs' capabilities \nand our understanding in the energy sector does make us that \nlead, and why we are the sector-specific agency for the energy \nsector.\n    Mr. Rush. Thank you very much. I want to move on. Today, we \nhave not experienced any large-scale cyber attacks on our \nenergy grid. That said, we know that Russia and China and even \nIran are wrapping up their capabilities to potentially attack \nour energy grid and cause disruptions to our economy.\n    And I know that DOE takes these potential threats very, \nvery seriously. But are there any areas where Congress should \nprovide more assistance either in the form of additional \nauthority, resources, or anything else that you might think of?\n    And I would also like to hear from Director Dodge and Mr. \nRobb on this issue, on whether there is anything more that this \nCongress can do to help you all protect the grid from foreign \nattacks? Beginning with you, Secretary Evans.\n    Ms. Evans. I appreciate the opportunity to answer that \nquestion. As I outlined in my testimony, it is clear from the \nworldwide threat assessment what the DNI has said about our \nadversaries' capabilities and what they can do in the energy \nsector. 
When we are looking at it from a national security \nperspective and what the Department is doing, we are really--I \nthink, the key area really is the partnership and then the \ninformation sharing.\n    And so, as we are implementing the national strategy, we \nare really looking to clarify roles and responsibilities to \nspecifically answer the question that you have posed: Do we \nneed more legislative authority? Do we need--as a government, \nwhat is that administrative package that needs to come up here \nso that we can have that information sharing in a way that will \nfacilitate and ease some of the issues that industry may feel \nthat they have going forward?\n    One area that we are also working out that we are looking \nat is, under the FAST Act, you have given the Secretary the \nauthority, once the President designates a grid emergency, what \nexactly is involved in that, and how we would then move private \nindustry resources to deal with the national emergency. At that \npoint, industry has also expressed and is working with us how \nsome additional liability protections may be needed.\n    Mr. Rush. My time is expiring, so I won't be able to get \nanswers on that question. Will you please respond in writing to \nthat question?\n    The Chair now recognizes the ranking member, Mr. Upton, for \n5 minutes.\n    Mr. Upton. Well, thank you again for your testimony. I have \na couple of questions, and I am going to try to get through \nthem all. I know that we have had exercises on grid security \nthat have been, I think, very helpful. Can you tell us what are \nsome of the things you have learned from that, number one, and \nalso, whether we have had exercises actually on pipelines in \nterms of cyber attacks on pipelines in terms of an exercise?\n    Ms. Evans. 
As it specifically relates to pipelines, we have \ndone a joint exercise with FERC in a classified setting to \nreally exercise out that interdependency and to see what \nweaknesses we need to shore up. I would--there are lessons \nlearned. There are things that we are applying and taking \nforward in the whole-of-government approach. And I would yield \nover to FERC if they would like to speak more about that \nexercise that has happened.\n    Mr. Dodge. Thank you. The only thing I would like to add \nabout the exercise, it was actually a DOE-led classified \nsecurity briefing and then it was actually a joint tabletop \ndrill between DOE and FERC and involved electric industry \nofficials, natural gas industry officials. It also included all \nthe RTOs and ISOs, and it was a rather extensive event. There \nwere lessons learned, as Ms. Evans indicated. It was a \nclassified briefing, and the items from those we are actively \nfollowing up on.\n    Mr. Upton. And do you plan on doing any of that this year \nyet, calendar 2020, 2019 or 2020? Is there another one that \nis--a date that is set or not?\n    Mr. Robb. So let me hop in here. 
We will be conducting our \nfifth GridEx exercise this November, and it will be a \nmultisector exercise, highly focused on the electric system, \nbut will also involve communications and fuel suppliers such as \nnatural gas.\n    You asked about kind of the--and that exercise, again, is a \ncontinentwide, overwhelming attack, and it is really designed \nto break everybody's system, really to kind of push them to the \nlimit so they understand where their vulnerabilities are in \nterms of response and recovery.\n    One of the things we are doing this year in our executive \ntabletop is to take a very strong focus on a narrow region of \nthe country and really start to focus in on the operational \ncoordination that would be required between gas pipelines, the \ncommunications sector, the utilities sector, and probably even \nthe finance sector in what would be involved in actually \nrestoring the system after such a catastrophic event.\n    Mr. Upton. And a followup question: Was TSA involved at all \nwith the exercises?\n    Mr. Robb. They have been invited to participate this year, \nand I believe they will be.\n    Mr. Upton. Have they participated in the past or not?\n    Ms. Evans. TSA participates in all the activities that we \ndo from a government perspective. And so, we did last October--\n--\n    Mr. Upton. They actually had a person there, or they \nactually----\n    Ms. Evans. Yes, sir. Yes, sir. They have a representative \nthere. Two weeks ago, also, we just had the Oil and Natural Gas \nSubsector Coordinating Council meeting out in Oklahoma City. \nTSA actively participates. We work directly with the industry \nto actually go through the initiative and the update that we \nhave jointly announced with the oil and natural gas that \nhappened last October.\n    So TSA, Transportation, DOE, Department of Homeland \nSecurity, we are all there leveraging our resources to look at \nthe pipeline security and how to make it more robust.\n    Mr. Upton. 
I am looking at a statement--and I am sorry I \ndidn't print this out. I just saw it just a few minutes ago. It \nwas reported, I think, in Politico this morning that TSA \nAdministrator David Pekoske is talking about they want to be \nmore involved but they realize that they are, in essence, \nshort-staffed, and the likelihood of operating under a \ncontinuing resolution, which means that they won't be able to \nexpand anything beyond what they had in fiscal year 2019.\n    And as we learned a few weeks ago, they only have, I think, \nfour people out of the 50,000 that work on pipelines. So I just \nquestion the substantive role that they might have knowing that \nwe have entrusted you all to work together with the enactment \nof the FAST Act, and really appreciate the work that you do, \nand I look forward to supporting the legislation to make you \nsomeday a portrait-hanging deal as an Assistant Secretary.\n    So with that, Mr. Chairman, I yield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes Mr. Peters for 5 minutes.\n    Mr. Peters. Thank you, Mr. Chairman.\n    Thanks to the witnesses for being here.\n    Ms. Evans--well, first of all, I appreciate we are in a \nnonclassified situation, so you will obviously tell me if you \ncan't answer my questions. But do you know how many cyber \nattacks the electric grid sustains on a regular day, average \nday?\n    Ms. Evans. So DOE continuously monitors across multiple \nthings, so it depends on how we talk about a cyber attack. And \nso, we are in constant communications with the ISACs, and we \nconstantly monitor what is happening in the state of the sector \nas a whole. So beyond that, I am happy to come back in a more \nappropriate setting to give you more details, if you would \nlike.\n    Mr. Peters. Well, you didn't tell me a number. Do you know \nthe number yourself?\n    Ms. Evans. That is why I said it depends on how you----\n    Mr. Peters. How you define the attack?\n    Ms. 
Evans. Yes, and how you want to quantify that.\n    Mr. Peters. Are you able to determine how much of that \nactivity is coming from state actors?\n    Ms. Evans. So, again, I would be happy to talk about that \nmore, but, yes, the way that we are designing the system----\n    Mr. Peters. I am not asking you to tell me if it is coming \nfrom--are you able--do you know whether it is coming from state \nactors, or is that something you don't want to answer here?\n    Ms. Evans. I would like to answer that in a more \nappropriate setting.\n    Mr. Peters. Let me move on then to something else, maybe to \nMr. Robb, to follow up with a question that the chairman asked \nof Ms. Evans about what needs to be done now from Congress.\n    It is my observation that we rely heavily on the utilities, \nprivate companies to deal with this. And when they came to \nspeak to us last Congress, they suggested that the thing that \nthey needed most to modernize the grid, not just related to \nsecurity, but to modernize it was research support from \nCongress that they wanted to be sort of left to their own to be \nable to innovate, which I think is generally appropriate.\n    How comfortable do you feel that individual utilities are \nable to handle these attacks, and is there anything that you \nthink--to follow on with Mr. Rush's question--that Congress \nshould be doing to back that up in terms of security?\n    Mr. Robb. I am not sure I caught the entire question with \nthe door closing, but----\n    Mr. Peters. OK.\n    Mr. Robb. The point I would make in response to Chairman \nRush's question is that the biggest issue for us is that for \nNERC, we are sort of--threat actors or so forth is of less \ninterest to us than what is of interest, are the attack vectors \nand so forth.\n    The most important thing from our perspective would be for \ngovernment to be able to, more rapidly, declassify information \nto get it into actionable insights that we can get out to \nindustry. 
Industry doesn't need to know the origin. We don't \nneed to know the sources.\n    Mr. Peters. Right.\n    Mr. Robb. We just need to know the whats. And I think \nunfortunately right now, the whats and the whos are intricately \ntied up, and so that kind of clogs the machinery up.\n    That would be the most important thing that I would see \ngovernment being able to do that would facilitate better \ninformation sharing and better awareness at an industry, would \nbe rapid declassification and/or broader availability of \nsecurity clearances for folks to participate in those \nconversations.\n    Mr. Peters. So real-time ability to share information on \nattack kind of thing?\n    Mr. Robb. Absolutely. Absolutely.\n    Mr. Peters. Right. What should be the responsibility, the \nlegal liability for utilities fending off these attacks? \nSuppose something gets through because of the weakness of a \nparticular utility. What incentives do we have to make sure \nthat they are carrying their weight?\n    Mr. Robb. Well, I am probably not the best expert to talk \nabout legal liability. What I would say, though, in response to \nthe question, is that every CEO I know of--and this goes from \nthe largest IOUs to the smallest public powers--takes this \nthreat enormously seriously. So right now I think they all do \neverything that makes sense for them in their situation to \nprotect against these attacks.\n    Mr. Peters. It is just my observation that unless--I \nappreciate that. I think that is probably something that every \nCEO wants to avoid. But unless there is a bottom-line impact, \nsometimes it doesn't filter through the culture of the entire \ncompany.\n    And I think--I like the way that we rely on private \ninnovators to deal with these problems. I think often they are \nbetter situated than the government, but on the other hand we \nhave to provide those incentives through the private industry \nto make sure that they do emphasize this as a business matter. 
\nAnd I guess my time is expired. We will have to continue that \nconversation later. But thank you again for being here.\n    Mr. Rush. The Chair thanks the gentleman.\n    The Chair now recognizes the ranking member of the full \ncommittee, Mr. Walden, for 5 minutes.\n    Mr. Walden. Thank you, Mr. Chairman. As you can see, Mr. \nChairman, it is dangerous protecting the grid. I am just \nsaying. We all have to do our part.\n    Mr. Robb, in addition to reports of Russian and Chinese \ncyber activities, you referenced news reports have indicated in \nrecent weeks that Iran may threaten retaliation. And that could \ninclude cyber attacks on critical infrastructure. From your \nperspective, can you briefly walk through how the owners of the \nbulk power system prepare for when they see something like this \nin the news? Are they ready for it?\n    Mr. Robb. First of all, I believe that the utilities are on \nkind of constant alert, because they know that they are a great \nattack target for foreign adversaries, and so I think the \nsecurity establishment within the utilities sector is topnotch \nand I think always on alert.\n    In the case of, you know, the situation surrounding Iran, \nas soon as we were made aware of the situation, we had an all-\npoints bulletin that we put together in concert with DOE with \nan appropriate level of declassification of insight that we had \nout within 3 hours.\n    Mr. Walden. Right. Now, in recent months the U.S. and its \nallies have been addressing security concerns about Chinese \ntelecommunications technologies, such as Huawei. This raises \nquestions about the use of similar equipment in the bulk power \nsystem.\n    How are you all--Mr. Robb and Ms. Evans, if you could both \ncould address this--how are you all addressing supply chain \nrisks from this technology in the bulk power supply system? Ms. \nEvans?\n    Ms. Evans. 
As you know, the administration has released \nseveral guidance and Executive orders associated with supply \nchain risk management. The Department of Energy, the CESER \nprogram in particular, already had a program underway which was \ndealing with it, which is our CTRICS program, which is Cyber \nTesting for Resilience of Industrial Control Systems, but it is \nreally looking at the technology associated with what is in the \nenergy grid. That really is looking at that, what is the supply \nchain risk? How are you doing that?\n    We also have purchased a tool which we intend to deploy out \nto the sector as a whole so that they can then start looking at \ntheir own suppliers. And then on top of that, the last piece \nis, is that the Department has announced an advanced \nmanufacturing initiative, which is looking at things in the \nlong range, for all the innovative technologies, all the \ndifferent things that are happening so that we can make sure \nthat we are looking at that upfront as we are then \nmanufacturing these technologies.\n    Mr. Walden. So will that give purchasers of the technology \nin the systems--can you give them an assurance that what they \nare buying is certified safe----\n    Ms. Evans. It is----\n    Mr. Walden [continuing]. As well as saying that equipment \nover there may not be?\n    Ms. Evans. The idea of our programs to be able to go \nforward, which actually merit the same type of approach that \nyou have taken in the legislation, is a voluntary \nparticipation. So leveraging the capabilities of the labs and \nlooking at the test beds----\n    Mr. Walden. Right.\n    Ms. Evans [continuing]. It is publishing and then us \nworking in jointly with, like, the National Institute of \nStandards to do the widest distribution of that information so \nthat you could then become an informed consumer. So what you \nwill then see is industry partners who are actively \nparticipating. 
For example, NIST has a very active cyber center \nof excellence that the energy sector and the industry partners \nare actively participating in.\n    Mr. Walden. Yes. So what I want to know is, as a simple \nconsumer here--I realize that is not who is buying this \nequipment in the power grid--but will there be like a stamp-of-\napproval URL, you know, approval that this equipment meets the \nstandards, you can rest assured it has no backdoors, no chips \nthat are programmed?\n    Ms. Evans. That is what we hope to be able to identify \njointly through the Advanced Manufacturing Institute.\n    Mr. Walden. All right. All right.\n    Ms. Evans. So do we have an outcome in mind? Not \nnecessarily, but it will evolve through the Advanced \nManufacturing Institute.\n    Mr. Walden. Because I know we have some of this equipment \nin different telecommunication systems today.\n    Ms. Evans. Absolutely.\n    Mr. Walden. And it gets very expensive to take it out. And \nyou don't want, you know, buy the next piece of equipment to \nreplace it and then somebody says, ``Oh, by the way, that is \nnot good either,'' and so we want to avoid that. Mr. Robb, I \nhave only got 30 seconds, but please, take it.\n    Mr. Robb. Sure. So on this last point, we think a supplier \ncertification program is a very smart thing to do. The work \nthat DOE is doing in this area is terrific. There are also some \nvoluntary industry groups coming together to try to create a \nsimilar program.\n    To your initial question around Huawei, ZTE, and the list \nof suspect companies, we are actually going to be issuing--\nwell, first of all, we issued an all-points bulletin back in \nMarch in response to the Defense Authorization Act prohibitions \naround those suppliers, alerted industry to that fact. 
We gave \nthem some time to get their head around where some of those \ntechnologies might be deployed in their systems.\n    Next week, we will be issuing what we call a level-two NERC \nalert, which will require industry to inventory all the \ninstances that they still have of those devices, communicate \nback to us their mitigation strategies around them, and we will \nhave that information by the end of the summer.\n    Mr. Walden. Thank you, Mr. Chairman. Thank you.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes Mr. McNerney for 5 minutes.\n    Mr. McNerney. Mr. McNerney from California.\n    Mr. Rush. Mr. McNerney from the great State of--great \nnation of California.\n    Mr. McNerney. Thank you, Mr. Chairman. Again, I thank the \nwitnesses.\n    Mr. Robb, you testified that, as of yet, there have been no \nsuccessful cyber attacks on our utility system. And that is a \ngreat achievement of your office, so I appreciate that.\n    Ms. Evans, are you aware of any foreign governments that \nare embedding cyber weapons into our utility grid today to be \nused in possible future attacks? If you are free to answer that \nquestion.\n    Ms. Evans. I would reference back to the unclassified \nversion of the worldwide threat assessment. I think that the \nDNI has been very specific about what our adversaries' \ncapabilities are. I specifically quoted in my testimony, and I \nalso have it memorized, it is at the bottom of page 5 and the \ntop of page 6. And so he was very clear about what the \ncapabilities and what our adversaries can do.\n    Mr. McNerney. Thank you.\n    Mr. Robb, concerning information sharing, is the security \nclearance of utility officials an obstacle to effective data \nsharing of cybersecurity information?\n    Mr. Robb. I would say yes. Just the sheer number of \nindividuals who are waiting for a clearance that don't yet have \nthem is problematic.\n    Mr. McNerney. How can we remedy that problem?\n    Mr. Robb. 
I don't have the answer to that question, but it \nis a problem that needs to be resolved.\n    Mr. McNerney. OK. Let's collaborate on that a little bit \nthen.\n    Assistant Secretary Evans, you note in your testimony that \none area of truly foundational problem is the cybersecurity \nworkforce development. What is CESER and the DOE doing to train \nworkers against these kinds of threats?\n    Ms. Evans. So I appreciate the opportunity to highlight the \nwork that we are doing there. We have the cyber strike \ntraining. And the Executive order that the administration has \nreleased recognizes the fact that we have to deal with \ncybersecurity workforce issues in general, but very specific \nabout the energy sector.\n    So we are looking and leading the effort in conjunction \nwith Department of Homeland Security to see what those gaps are \nand how to train and make that more robust. And then the other \narea that we are really trying to innovate and lean forward on \nis the use of competitions to be able to use that applied \nlearning. The labs are strategically placed in this area with \nall the different types of test beds that they have so that we \ncan use those competitions for a learning experience and then \nfeed that result back into the training that we need to do for \nthe sector as a whole.\n    Mr. McNerney. I have met some of those folks at the \nNational Labs. It is impressive what they are doing. And the \nyoung people are impressive that are doing the work as well.\n    Ms. Evans. Yes, sir.\n    Mr. McNerney. Again, Assistant Secretary Evans, can you \ndescribe some of the unique threats facing small utilities \ntoday with regard to cyber attacks?\n    Ms. Evans. 
I would say that one of the biggest things that \nwe need to do, which you hit on a little bit, is making sure \nthat dissemination of information and the sharing of that \ninformation hits at all levels, and that we are working with \nState and local governments and the associations to make sure \nthat they have the tools that they need and that they have the \nawareness and the education that all of them need to have so \nthat you can properly prepare and make sure that you are \nassessing the risk that is happening in your area.\n    We are working with those State and local governments with \nthe energy coordinators in the Governors' offices and in the \nStates to also then drive down this information. And then also \nworking across with other parts of the Government that interact \nwith State and local governments as well to make sure that \nthese tools, as well as with the ISACs, have the widest \nproliferation.\n    Mr. McNerney. Good answer.\n    Mr. Dodge, can you describe some of the work that the OEIS \nis doing to assist small utilities in addressing their \nvulnerabilities?\n    Mr. Dodge. Sure. Through FERC, through the OEIS office, \nthey actually work with DOE to actually constantly stay aware \nof all the threats that are taking place. They also coordinate \nwith the ISAC to find out the threats are taking place as well.\n    Through DOE, they actually then conduct classified \nbriefings with the smaller utilities, and they are actively \ngoing out and identifying and sharing best practices with the \nsmaller utilities. In addition to that, they are actually \nvolunteering--on a voluntary basis conducting architecture \nassessments with any of the entities that are interested in \nthat service.\n    Mr. McNerney. So it sounds like the availability of \nsecurity classifications is an issue then?\n    Mr. Dodge. I am sorry?\n    Mr. McNerney. The availability of security classifications \nfor these small utilities could be a problem?\n    Mr. Dodge. 
We work to try to overcome that as much as we \npossibly can. And part of what we would do as we work with DOE \nis actually get one day read-ins for some of the personnel from \nthe utility companies to alert them of threats.\n    Mr. McNerney. All right. Mr. Chairman, I yield back.\n    Mr. Rush. The gentleman from the great State of California \nyields back.\n    And the Chair now recognizes the gentleman from the only \nState in the Union that eclipses California as a great State, \nMr. Latta from Ohio, for 5 minutes.\n    Mr. Latta. Well, thank you, Mr. Chairman. And thanks for \nconducting today's hearing. Very informative. And I want to \nthank our witnesses for being with us today. It is a very, very \nimportant topic that we all worry about constantly on this \ncommittee.\n    I just want to follow up a little bit from my friend and \ncolleague and co-chair of the Grid Innovation Caucus. Mr. \nMcNerney talked about a little bit earlier that we had \nintroduced legislation earlier this year on H.R. 359, which, \none, being the Enhancing Grid Security, and H.R. 360, the Cyber \nSense Act. And on the Cyber Sense, just, again, to go through \nthat, because I know that my friend from Oregon was talking a \nlittle bit about it. We had been looking at what has been \nhappening, a lot of different things that are happening from \naround the world with--we have to be very careful about what is \nbeing put into our systems and what kind of devices.\n    But the 360 is the Cyber Sense Act. And, again, that \nprogram would identify and promote cybersecure products for use \nin the bulk power system and also would establish that testing. \nI know he brought about, you know, that seal of approval. But \nwe want to make sure that there is that testing of these \nproducts that would be going on and a reporting of the \ncybersecurity vulnerability. 
And also, the Secretary at DOE \nwould be required to keep a related database for those products \nto assist electric utilities in that evaluation of these \nproducts.\n    And, you know, both these bills have now been reported \nfavorably out of our subcommittee. Hopefully, we will see those \nbe signed into law soon.\n    But if I could ask Assistant Secretary Evans, do you think \nthat our legislation we have been working on, not only the Grid \nSecurity, but also the Cyber Sense, is going to be helpful in \nmaking sure that you can do your job?\n    Ms. Evans. I appreciate the leadership that you--that the \ncommittee is showing in this area. I do believe that the intent \nof what you have going forward about having vulnerability \ndisclosures and the idea of constantly--or having the ability \nto verify and validate products as they go out and ensuring \nthat the supply chain risk is minimized is important regardless \nof whether the legislation gets passed or not. And so our \noffice is working and leveraging that capability and using the \nNational Labs, and we are moving forward.\n    When the legislation--I am assuming you will be successful. \nWhen the legislation is passed, it will enhance that and allow \nfor us to move in a more robust manner.\n    Mr. Latta. Well, thank you very much.\n    You know, in the aftermath of the 2015 Ukraine cyber \nattack, the investigation found that the perpetrators didn't \nrely on any exploits or software vulnerabilities to disrupt the \ngrid. Rather, they gained access to the system over time, \nlearning how to maneuver it and use it against itself. In \nshort, patching vulnerabilities wouldn't have prevented the \nattack, but patching continues to represent the majority of our \ncybersecurity efforts.\n    And to the panel, what steps can be taken to improve the \nmonitoring of the system networks to prevent potential \nattackers from learning how to use a system against itself? 
\nAnd, Assistant Secretary, if you'd like to start, we would just \nask everyone to answer that question.\n    Ms. Evans. So I would like to change the dynamic, and that \nis what we are attempting to do through our research and \ndevelopment in the CEDS program that we have, because a lot of \nwhat we are looking at is after the fact, so patching and \nmaintaining systems.\n    A lot of the things that we are looking at in investing \nthrough our portfolio is being able to detect and protect, \nwhich is changing the dynamic in a way of using technology so \nthat you cannot necessarily do it after the fact but prevent it \nup front. So looking at more active dynamic types of things, \nsuch as software-defined networks, looking at quantum key \ndistribution. How can you use those types of technologies that \nare evolving right now to ensure the validity of the data or \nlook at the interactions of the transactions that are happening \nbetween the operational technology as well as the information \ntechnology systems.\n    We are investing pretty heavily in that, leveraging what is \nhappening in the labs, and we currently have a lab call right \nnow that is out that is looking for some ways of how we can \naccelerate that deployment.\n    Mr. Latta. Thank you.\n    Mr. Dodge and Mr. Robb, we have got about 35 seconds.\n    Mr. Dodge. Sure. So FERC just recently changed the \ncybersecurity reporting standard requirements. And previously, \nentities were only required if they had an event related to a \ncybersecurity that impacted reliability of bulk power system. \nNow they will have to report events where--or possible \nintrusions or attempts to actually compromise the cyber assets \nthat impact the cyber assets as well as a bulk power system. \nAnd that information sharing associated with that will be a \nhuge benefit.\n    I defer to Jim.\n    Mr. Latta. Mr. Robb.\n    Mr. Robb. I will be very quick. I think I would underscore \nSecretary Evans' discussion. 
I think from our perspective, one \nof the most valuable capabilities to advance would be the \nability to monitor what is going on with operational technology \nsystems in the same way we can enterprise systems right now.\n    Mr. Latta. Thank you very much.\n    Mr. Chairman, my time has expired, and I yield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes the gentleman from Virginia, Mr. \nMcEachin, for 5 minutes.\n    Mr. McEachin. Mr. Chairman, sadly, my questions have been \nasked, so I will yield back.\n    Mr. Rush. The Chair thanks the gentleman for yielding back.\n    Now the Chair recognizes Ms. Blunt Rochester for 5 minutes.\n    Ms. Blunt Rochester. Thank you, Mr. Chairman. And thank you \nso much to the panel for discussing the security of our \nNation's critical energy infrastructure. As was stated by \neveryone, this is of utmost importance, and we thank you for \nyour work.\n    I just want to pick up on some of the questioning that was \nasked before from a workforce perspective. I served in our \nState of Delaware as head of State personnel for a while and \nsecretary of labor. And one of the big challenges is always \nrecruitment, retention, compensation, training. Sometimes the \nfirst budget that gets cut is training.\n    I am curious if you could just talk to us about some of the \nboth challenges that you see in terms of recruitment and \nretention of individuals in this cybersecurity space--and \nparticularly from a nonprofit and a public-sector perspective \nwhen you are competing with the private sector--and then the \nother question that I had was around innovation. Are there \ninnovative things that are being done to recruit folks to work \nin your organizations?\n    I will start with that, and if we could start with Ms. \nEvans.\n    Ms. Evans. 
So I appreciate the question, and especially \ncoming from Delaware, because the State of Delaware, based on \nmy previous experience, is very innovative in the approach that \nthey are taking. In my work as the U.S. cyber challenge \ndirector, we really looked at this. And the blending of \nnonprofit public sector, the education system, and how you do \nthat and how to identify that and then make it and that \ncommitment of bringing them in is clearly demonstrated in the \nway that the State of Delaware has tackled this issue.\n    There are incentives. There are things that we need to do, \nbut what really gets people excited--and you have to look \noutside the more traditional places. Some of the people that \nare best in this field do not come out of STEM. And that is \nclearly demonstrated when you put together teams in the \ncompetitions to see all the skill sets that are needed.\n    Ms. Blunt Rochester. Thank you. Thank you.\n    Mr. Dodge.\n    Mr. Dodge. Thank you for the question. So from a FERC \nperspective, we are actively monitoring our staffing levels and \nour needs. And we have actually undertook several programs in \nthe last couple of years. I am not going to get the precise \nnames of the programs. But, basically, there is an internship \nprogram where we actually reach out to colleges and bring \npeople in as they are freshmen, sophomores in college, and they \ncome in and they spend a summer or a part of the year working \nfor us.\n    We are actively working to improve our on-campus \nrelationships with different universities. And then we actively \ngo out and do on-campus recruiting as a followup. And then in \naddition to that, the Federal Government actually has a tuition \nreimbursement program that, after the students graduate, they \ncome work for FERC for a period of time. There is actually some \ntuition reimbursement where they actually can forgive some of \ntheir previous student debt.\n    Ms. Blunt Rochester. 
Thank you.\n    And, Mr. Robb.\n    Mr. Robb. Yes. I don't have any great insights into kind of \nthe workforce development challenge that we have in the sector \nother than to underscore that it is real, as we all know.\n    I would say from a NERC perspective, what we have found is \nwe have been able to attract and retain some very top-flight \ncyber skilled individuals. But we do that not because we pay \nthem top dollar; we do that because they are committed to our \nmission. And a number of people in the sector are very \ncommitted to the security and the value associated with \nelectricity and so on and so forth. So we appeal to that part \nof individuals. And we have had some pretty good success with \nthat, but it is a challenge.\n    Ms. Blunt Rochester. Yes. Thank you.\n    And, Ms. Evans, thank you for bringing up also the \nnontraditional. I think one of the challenges we have as well \nis an aging workforce. And so, even when you look at workforce \nplanning and who will be retiring, making sure that we are \nstaffed up.\n    My other question was more related, not so much to the \ncyber, but to our--to kind of natural disasters and things like \nthat and whether or not, with the severe weather incidents that \nwe are seeing, how are you preparing, whether you call it \nclimate change, whether you call it severe weather, whatever \nyou want to call it? These things are real as well. Could you \ntalk about preparation for those?\n    Ms. Evans. We also have the emergency response capability \nin our group. We are looking at our staffing of how to do that. \nThe staffing and the way that our plans are set up mirror the \nway the FEMA regions are set up. But we also then use a lot of \nthe modeling that is available within the National Labs so that \nwe can do predictive types of things.\n    But what is key to the success in this emergency response \nis our partnership with private industry. 
And so we \ncontinuously have to have that dialogue with them because it is \ntheir resources that we need and that we work with in order to \nbe able to share that information and be able to respond.\n    Ms. Blunt Rochester. Thank you so much.\n    And I yield back.\n    Mr. Rush. The Chair thanks the gentlelady for yielding back \nand now recognizes Mr. Olson for 5 minutes.\n    Mr. Olson. I thank the Chair. And welcome to our three \nwitnesses.\n    As my colleagues all know, I love to brag about Texas. And \nalong that line, Mr. Chairman, you are correct, one former part \nof Mexico became a country before it became a State, but it \nwasn't California. It was the Republic of Texas, in existence \nfrom 1836 to 1845. God bless Texas.\n    Mr. Rush. We haven't recovered yet.\n    Mr. Olson. And this is not a brag, but our grid is the \nbiggest target in America for cyber attacks. We have a free \nmarket power system that covers 95 percent of our State run by \na group called ERCOT. They manage 46,000 miles of electric \npower lines, 650 separate generation units. Last summer, their \ndaily load was 72 megawatts hourly. That is a huge, huge amount \nof power. And as you know, if that goes down, that could be \nvery, very bad.\n    Along the Houston Ship Channel, 52 miles long, lies \nAmerica's largest petrochemical complex, valued at over $15 \nbillion and growing quickly. And with the shale revolution, we \nhave more and more oil coming into our region for refining. \nThose are being exported now. Nearly 7 million people live \nwithin 30 miles of the port of Houston, Houston Ship Channel. \nThe bad actors know if they can take down our grid, have us \nlose control of some of these industrial processes, people will \nbe harmed, and some people may even die.\n    My question is for all three of you. We right now are \nworking hard with the private sector, government there in \nHouston to address these cyber issues. 
But we all know we have \nresources that are limited. We can't go crazy. We can't jack up \nthe prices. These things have to work.\n    So my question for all of you is how do we balance the \nproper way to achieve how we can best prevent cyber attacks \nwhile making sure we don't jack up prices and make us \nnoncompetitive in a global market? How could we balance this \nout? What is the key?\n    Ms. Evans, you are up first.\n    Ms. Evans. All right. The way that we are approaching this \nand that we are working with our partners at DHS is really \ndoing risk modeling. And so it is really identifying what are \nthose most critical assets that an industry has. And then in my \nparticular case, what I am trying to do is develop a set of \ntools so that the Government as well as our industry partners \ncan actually look at what is the best way, what is the highest \nrisk, how do I protect that, what is the cost associated with \nreducing the risk in that particular asset.\n    And so as we move forward with that, a lot of this is, \nthen, how you give them that information so that they can then \nuse that in the marketplace going forward.\n    Mr. Olson. That is the same model Governor Perry had there \nin Texas. That made our grid pretty secure when he was our \nGovernor. Thank you.\n    Mr. Dodge, your thoughts, sir.\n    Mr. Dodge. Thank you. Thank you for the question. So from \nFERC's perspective, we have the Office of Energy Infrastructure \nSecurity that actively is doing things on a voluntary basis, \nconducting classified briefings, performing architecture \nassessments, identifying best practices, sharing those best \npractices. 
In addition to that, FERC undertook a security \ninvestments tech conference back in the spring, a couple months \nago, where we actually brought in members of the electric \nindustry as well as the natural gas industry as well as Federal \nand State public utility commissions and also officials.\n    The goal of that tech conference was to actually identify \nbest practices, share those best practices amongst protecting \ninfrastructure that is not only FERC's jurisdiction but other \ninfrastructure, look at cost recovery mechanisms to determine \nwhether they are adequate, and whether FERC or the State should \ntake additional action. And also, I was remiss to mention that \nactually that was a joint DOE, FERC-led tech conference. So we \nare actively working with FERC on that.\n    We received comments back from the public on that tech \nconference, and we are process reviewing these comments in \ndetermining next steps.\n    Mr. Olson. Thank you. And the man from Neil Armstrong's \nuniversity, Mr. Robb.\n    Mr. Robb. Go Purdue.\n    Mr. Olson. Fifty years ago, that man walked on the Moon.\n    Mr. Robb. I would echo what has been said here. I think one \nof the key things that we are doing as NERC is taking a risk-\nbased focus to all the work that we do, both in terms of which \nstandards are applicable to which entities and then which \nstandards do we audit and so on and so forth.\n    So I think there is a clear recognition that ``one size \nfits all'' doesn't work in this area. So in terms of striking \nthat balance between economics and risk reduction, you really \njust got to make sure you are focusing on the most important \nrisks and not leaving yourself exposed on the other side.\n    Mr. Olson. Thank you, Mr. Chairman. I remind everybody the \nstars at night are big and bright.\n    Mr. Rush. The Chair wants to bring the gentleman from Texas \ndown to size. Your time is up.\n    And now we recognize the gentlelady from New Hampshire, Ms. 
\nKuster, for 5 minutes.\n    Ms. Kuster. Thank you, Mr. Chairman. I appreciate it. And \nthank you to all the folks that we have here today.\n    This is a very important issue, and I know people in New \nHampshire are concerned about their critical importance to our \nfamilies and to communities all across the country. And it \ndoesn't typically get the attention it deserves, so I \nappreciate this hearing.\n    Ensuring that our electric grid can operate without \ndisruptions is imperative to ensuring that hospitals can treat \npatients, first responders can do their jobs, and schools can \neducate our children. But all of this can be jeopardized if a \nforeign entity or bad actor is successful with a cyber attack \non our electric grid.\n    We know our utilities are on the front line of ensuring \nthat our grid is protected, but not all utilities are \nadequately maintaining safeguards that could combat a cyber \nattack. And while I am pleased to see FERC taking recent steps \nto strengthen cybersecurity standards for our Nation's electric \nsystem, I still have questions about how we can act in a more \ntransparent way.\n    So, Mr. Dodge, my first question is directed to you. Could \nyou please explain what happens at FERC when it becomes aware \nof a utility's noncompliance with cybersecurity regulations?\n    Mr. Dodge. Sure. Thank you very much for the question. I \nappreciate the question. So there is a process, and actually \nthe process that takes place is in terms of compliance. FERC \noversees the development and enforcement of the mandatory \nreliability standards, including the CIP standards. NERC, and \nactually its regional entities, actually conduct periodic \naudits of the red strategies to make sure----\n    Ms. Kuster. I am asking when FERC becomes aware that a \nutility is noncompliant with security regulations.\n    Mr. Dodge. 
So that the process would actually take place is \neither through an audit conducted by NERC or its regional \nentity or through a self-report from the registered entity to \nNERC. NERC actually coordinates that. They investigate the \nnoncompliance. The registered entity actually files a \nmitigation plan, and they mitigate the concern. And then NERC \nsubmits the actual violation, along with a recommendation for \npenalty, to FERC for review. FERC staff reviews that and makes \na decision whether to assess the penalty or not.\n    Ms. Kuster. And that FERC assessment, does FERC disclose to \nthe public the specific utility that is in violation?\n    Mr. Dodge. So through the FAST Act that was passed a couple \nyears ago, this actually gives us authority underneath FOIA to \nidentify CEII, which is critical energy infrastructure \ninformation.\n    So critical energy infrastructure information could be \nengineering, design, prints, vulnerability information about \nspecific electric system assets. FERC, as a policy, looks at \nthat information and any of that information that could \npotentially be useful to someone who wants to impose harm on \nthe electric system. We do not divulge that information.\n    So over the past 6 to 12 months, we received a number of \nrequests, FOIA requests, for CEII-related information, \nincluding the entities who have violated some of the CIP \nstandards. We reviewed them in excruciating detail, and we have \ndetermined which ones to release, which ones not to release. We \nare still working through that. And we have released the names \nof some entities where we did not believe it would actually be \na threat to security of that entity.\n    Ms. Kuster. So how would you suggest that we keep our \nconstituents informed of the level of risk to them from a cyber \nattack?\n    If you are not willing to be transparent with the public--\nand I have heard your explanation why, this is a balance for \nus. 
If our constituents are at risk, we need to be able to \ninform them of the level of risk.\n    Mr. Dodge. So whenever a--the utility companies, \nregistering entities, are actively monitoring the compliance to \nthe CIP standards. As soon as they find a problem or through a \nself-report or through an investigation, routine audits \nconducted by NERC or one of its registered entities, they \nactually work to mitigate that concern and address that \nconcern. We do go through--you know, through the FOIA process \nand CEII process and review the individual FOIA requests, and \nwe do make the information available as appropriate.\n    Ms. Kuster. So if there is a bad actor, you would tell my \nconstituents or anyone else in this country, in this Congress, \ntell the public we have had repeated concerns about compliance \nwith this bad actor?\n    Mr. Dodge. So we actually review the information that is \npublicly available or the information that is filed with FERC. \nAnd we look at the information. We look at what level of \ndetail, technical details in the information, whether releasing \nthat information would identify any vulnerabilities or make \navailable any information that was particularly useful to \nsomeone who wants to impose malintent or ill harm on the \nelectric system. We do not release the names of the entities in \nthat situation.\n    Ms. Kuster. So I am just trying to raise the balance of \nprotecting our constituents. But my time is up. I appreciate \nyour response.\n    Mr. Dodge. Thank you.\n    Mr. Rush. I thank the gentlelady.\n    The Chair recognizes my friend, the gentleman from West \nVirginia, who has the best mustache in the whole Congress, Mr. \nMcKinley, for 5 minutes.\n    Mr. McKinley. Thank you, my friend.\n    Mr. Chairman, I would like to ask unanimous consent that \nthis article with comments from Mr. Robb about the grid be \nsubmitted for the record.\n    Mr. Rush. 
Without objection, so ordered.\n    [The information appears at the conclusion of the hearing.]\n    Mr. McKinley. Thank you.\n    Mr. Chairman, I would also like to expand on the theme of \nthis keeping the lights on to include grid reliability. Last \nCongress, as you well know, our committee held a number of \nhearings on this--on the grid and reliability and resiliency. \nBut it is not just the Energy and Commerce Committee that is \nconcerned about the grid and its reliability. We had a report \nthat was produced by the National Energy Technology Laboratory \nthat said that, without the use of coal, the Eastern United \nStates would have suffered widespread blackouts during the 2018 \nbomb cyclone. Think about that.\n    ISO New England said that--in their report said that the \nmost significant challenge that they face is fuel security and \nthat coal and nuclear power plants are needed to maintain \nreliability. And lastly, Secretary Perry said in 2017 that the \nresiliency of the electric grid is threatened by the premature \nretirements of these fuel-secure, traditional base load \nsources.\n    So, Mr. Robb, if I could turn to you. Last week, you made \nthese remarks, these profound comments, I believe, regarding \nthe grids in both Texas and New England specifically.\n    Regarding Texas, you said--pardon my French here on this--\nyou said there is no way in hell they can keep the lights on, \nand yet they do. Regarding New England, you said the grid \noperators constantly are finding ways to pull another rabbit \nout of the hat to keep the lights on, when any of us would look \nat that situation as engineers and say it has got to break.\n    So, Mr. Robb, should Congress be more concerned with this \nsituation?\n    Mr. Robb. So I am not sure I used exactly all the colorful \nlanguage that was reported in the----\n    Mr. McKinley. It is in the press. Whatever is in the press, \nyou know we believe it.\n    Mr. Robb. 
I have to watch my vocabulary sometimes.\n    I think the point around this--and I threw a third market \nin there, California--I think all three of these markets are \ndemonstrating the challenges associated with the transformation \nthat is going on within the electric grid. The agencies in \nCalifornia revolve around the deployment of solar and the role \nof natural gas to balance those resources. Texas has kind of a \ncontemporary problem of just reserve margin, which is one of \nthe planning statistics that we look at to assess whether or \nnot there is enough resource to meet load. That is below levels \nthat traditionally people would say are reliable. New England \nhas a fuel security problem, as noted there.\n    I don't know that these are congressional issues as much as \nthey are market issues and State policies around resource \ndevelopment and deployment. And the point that I don't think \ngot reported quite as clearly as I would have hoped is that \nwhat we are seeing in these areas are market operators \ninnovating and finding ways to make the system work in ways \nthat aren't consistent with traditional rules of thumb. And I \nthink the key here is for us to modernize our thinking.\n    Mr. McKinley. Let me try to get a couple more questions in. \nIf I could go to my fellow colleague from--fellow Mountaineer \nfrom West Virginia, Ms. Evans, and also Mr. Dodge.\n    In your experiences, are fuel-secure coal and nuclear plant \nbase load power plants critical to maintaining grid \nreliability? Both of you, please.\n    Mr. Dodge. So there has been a lot of work done in this \narea. And, you know, what you really have to look on overall--\n--\n    Mr. McKinley. It is a yes or no, isn't it?\n    Mr. Dodge. So what you really----\n    Mr. McKinley. Let me ask the question again.\n    Are fuel-secure coal and nuclear base load power plants \ncritical to maintaining grid reliability?\n    Mr. Dodge. 
I would like to get back to you in writing with \nthe answer to that question.\n    Mr. McKinley. Be what?\n    Mr. Dodge. I would like to get back to you with an answer \nto that question.\n    Mr. McKinley. OK.\n    Ms. Evans.\n    Ms. Evans. I believe that the Secretary has, and the \nadministration has, expressed its commitment to multiple \nsources as it relates to the reliability and our commitment as \nit goes forward. And our budget request also reflects our \ncommitment to new sources such as nuclear.\n    So if you need a more detailed answer, I am happy to take \nthat question for the record and get back to you as well.\n    Mr. McKinley. Thank you.\n    I yield back my time.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes Mr. O'Halleran from the great \nState of Arizona.\n    Mr. O'Halleran. Thank you, Mr. Chairman, especially for \nletting us know that Arizona is a great State, since I came \nfrom Illinois originally. It is also a great State. Thank you.\n    Thank you, Mr. Chairman and Ranking Member Upton, for \nholding today's important hearing on ways we as a government \ncan ensure our electrical grid assets remain protected and our \nagencies and stakeholders are fully empowered to defend against \ncyber threats.\n    My State of Arizona is one of the most diverse States in \nthe country when it comes to electric generation and sources. 
\nWhile more electric grids integrate renewable energy into their \ngrids, it is essential that reliability of the grid is never \ninterrupted.\n    As cyber attacks continue to increase across multiple \nsectors, it has become clear that threats from information \nsharing, collaboration, and partnerships between government \nagencies and industry are necessary to achieve a full defensive \ncyber posture.\n    Assistant Secretary Evans, in your testimony, you \nhighlighted the Cyber Analytics Tools and Techniques program as \none of the several DOE initiatives to promote cybersecurity \ndefense at the energy sector who owns the critical \ninfrastructure assets. What is DOE doing to support threatened \ninformation sharing, analysis, and timely--and I repeat, \ntimely--return of actionable intelligence back to energy sector \nentities? And is the energy information flow reciprocal?\n    Ms. Evans. I appreciate the opportunity to talk about that \nspecific initiative. We refer to it as CATT. And the key to \nthat is the timeliness of getting the information back. So I \nwould like to share one particular piece that is happening on \nthat project.\n    One of the things that is important is getting the \ncontributions of the information from private sector. I think \nwhat you have heard today is that there is a lot of information \nsharing that happens. What we have to do, then, is be able to \nanonymize it to put it into a big pool, which our National labs \nhave worked with us on that, but then keep enough information \nwith it so that, as they identify something across a big trend, \nthat we can then take it back out of that pool and give \nactionable information either through the ISAC or directly to \nthat entity.\n    That is what that platform is doing through the multiple \npilots that we have into research and development. We talked \nabout CRISP. That is one of the contributions to that. 
And the \nwhole key to that is to keep our portion of it declassified so \nthat it will end up being machine to machine in the long run by \nusing the advances of technology.\n    Mr. O'Halleran. I had some other questions that I prepared. \nBut, in general, as I have been listening today, I have heard \nthe word ``whole of government'' mentioned. I have heard best \nmanagement and practices mentioned. The shortage of, obviously, \npotentially the workforce that is going to be needed. And then \nI took a look at your budget in the Department of Energy and \nfound that--I don't know how you are going to get that all \naccomplished with that budget. I don't know--I am not going to \nleave you here today secure to be able to tell my constituents \nthat we are in a position to fully defend the electrical grid \nat this moment in time. I would like to make sure that I can \neventually be able to see a timeline on these projects that you \nhave mentioned today, a cost estimate on how much it is going \nto cost us within that timeline and with a more aggressive \ntimeline, because this is something that is continually \nchanging, as you know, but also continuing to be a threat to \nour country.\n    I am concerned about some of the more volunteering \nreporting structure that I heard about today, especially as we \nget down and down into having less personnel available and that \nare a level of competency to be able to address those needs on \nan ongoing basis. And we have newer and newer energy sources \ncoming online with much smaller budgets and getting into the \ngrid than some of the other major competitors that are out \nthere.\n    So, in general, I think this has been a good and \nenlightening process today. 
But as far as enlightening me, it \nhas been one that has left me with more questions than answers, \nespecially in the integration of how that whole process is \nworking in that timely fashion.\n    So I want to thank you all for being here today, and I \nyield.\n    Mr. Rush. The Chair thanks the gentleman.\n    Now the Chair recognizes Mr. Griffith from Virginia, the \ngreat State of Virginia, for 5 minutes.\n    Mr. Griffith. Thank you very much, Mr. Chairman. I greatly \nappreciate it.\n    Assistant Secretary Evans, you and I spoke last year \ndiscussing pipelines and some of the concerns that my \nconstituents have. And I was going to ask you some questions on \nupdating me on what you all were doing related to pipeline \ncybersecurity and coordination. You answered those questions \nearlier when Ranking Member Upton was asking questions, and so \nI appreciated those answers. I am going to skip those questions \nthat I would have asked, because I don't believe in asking the \nsame question over again just so it gets on my video clip.\n    But if anybody back home is watching this, I encourage them \nto flip back a little bit and look at your answers, both yours \nand Mr. Dodge's answers, to Ranking Member Upton in regard to \nthe coordination that you all are doing. And it sounds like--\nalthough it was classified, it sounds like you all are headed \nin the right direction.\n    Do you have anything to add? Are you doing the same kind of \ncoordination on physical threats to the pipelines as well?\n    Ms. Evans. The short answer is yes, sir, and that that then \nis also then demonstrated through the exercises. And that \ninformation is also shared through the ESEC meetings that we \nhave when the government partners are there and talking about \nthe physical threats that happen to the pipelines with the \nvoluntary reports. And FBI is there, and that has been \nhighlighted from our industry partners to the FBI.\n    Mr. Griffith. All right. Mr. 
Dodge, did you want to add \nanything in regard to the physical threats? Because we have \nalready talked about the cyber.\n    Mr. Dodge. The only thing I would add is that, in terms of \nthe pipeline activity, OEIS is also involved with that \nactivity. They work with DOE to conduct a security briefing \nthreats. In addition to the ESEC, they are actually actively \ninvolved with the ONG SEC as well.\n    Mr. Griffith. And because there are continuing concerns, I \nthink that the questions that Mr. O'Halleran just asked are \nalso important. And some of the questions, we will continue to \nlook at at this committee. And if you need our help passing \nlegislation or something, we want to make sure that we have as \nmuch safety as we can. And I appreciate that.\n    Assistant Secretary Evans, when it comes to pipelines, TSA \nis taking the lead in developing some voluntary guidelines for \nindustry to follow. According to reports from the GAO and the \nCRS, they have only a handful of people working on \ncybersecurity for pipelines.\n    Do the TSA staffing and resource constraints concern you? \nAnd this is a lob in hopes that maybe I think maybe DOE ought \nto take the lead.\n    Ms. Evans. So, as you know, through the oil and natural \ngas, SEC as well as the Government Coordinating Council, we \nwork jointly with Department of Homeland Security and TSA. And \nso our resources we use to leverage the TSA resources because \nwe recognize as a government that we need to address this \nvulnerability.\n    Mr. Griffith. And I appreciate that. But am I correct--and \nI may not be--but am I correct that DOE is actually putting \nmore capacity and has more folks working on this than TSA?\n    Ms. Evans. I would not presume to answer a TSA staffing \nissue, sir, at this time, because I know that that is an \ninternal discussion to DHS, and it is more appropriate for that \nquestion to go to DHS at this time.\n    Mr. Griffith. 
Maybe you can encourage them to talk to us \nabout this as well. I appreciate it.\n    Would you describe the Energy Government Coordinating \nCouncil and DOE's role in that council?\n    Ms. Evans. We are the cochair of the Government \nCoordinating Council with Department of Homeland Security. We \nhelp craft the agenda. Going forward, we work with DHS hand in \nhand and our government partners. A good example of that work, \nwe just recently did a top-secret SCI briefing for the \nInterstate Natural Gas Association of America, so--keeping with \nthe pipeline theme--so that we could really share with them and \ncoordinate through the intelligence community what risks that \nthey are facing. And that was to the executive board of that \nassociation.\n    Mr. Griffith. And I don't even remember now who it was. \nThey didn't reveal any secrets, but they felt like that was a \nuseful--somebody reported to me they felt like that was a \nuseful--it was a good use of their time, and it was a useful \nmeeting.\n    In this space, should DOE have the lead role to ensure the \nsafe and reliable flow of energy across the U.S.?\n    Ms. Evans. I believe, sir, right now that we do have that \nrole as it relates to the sector-specific responsibilities that \nwe have that are outlined both in the FAST Act and the \nPresidential directives.\n    Mr. Griffith. Well, and as I have revealed my prejudices in \nthis regard, I do think the DOE is probably where--I think DOE \nshould probably be in the leadership role in coordinating \npreparedness and cybersecurity efforts on all aspects of our \npipelines. And you have already indicated you can't talk about \nthe staffing, but would you disagree with me on that?\n    Ms. Evans. I believe that we have unique expertise. And as \nthe sector-specific agency, we use that expertise across the \nenergy sector and with our partners in private industry.\n    Mr. Griffith. I appreciate it very much.\n    Thank you, Mr. Chairman. 
I yield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes the gentlelady from Washington, \nMrs. McMorris Rodgers, for 5 minutes.\n    Mrs. Rodgers. Thank you, Mr. Chairman. And I appreciate the \nwitnesses being here today to share your perspective on this \nimportant topic.\n    Assistant Secretary Evans, I understand that one of the \nmost exciting projects is looking at how software-defined \nnetworking, SDN, technology developed by Schweitzer Engineering \nLaboratories in Pullman, Washington, in partnership with the \nPacific Northwest National Laboratory, next door in the Tri-\nCities, can be used to help secure the energy infrastructure at \ncritical national security facilities.\n    Can you share more about this project with the committee \nand tell us how it is going?\n    Ms. Evans. So that is a promising project that we are \nfunding. This particular project, it is called CEDS. Everything \nhas an acronym. So it is the strategic engagement between the \nDepartment of Defense and Department of Energy. But it also \nincludes the Veterans Administration as well as the Coast \nGuard.\n    And what it is really looking at is a different way to \nmanage the network and network trafficking. And so that is the \nidea behind software-defined networks. And so it is divorcing \nit from, really, very static types of architecture to make it \nmore dynamic so that you can then address, on an ongoing basis, \nthe threats, and doing analytics, and then adjusting your \nconfigurations as it goes forward.\n    So we--right now, there is a successful implementation that \nis happening in Virginia at Fort Belvoir. 
And PNNL is \ncontinuing to work to roll this out with our partners in \nmultiple places, and I believe the next place is going to be \nNevada.\n    So, as that information comes in, we are using that to then \ninvest in other efforts across the National Labs so that we can \nthen add that into the overall solution that was brought up \nearlier.\n    Mrs. Rodgers. It is crucial that information about \nvulnerabilities such as cyber attacks is shared between \ngovernment entities and electric grid asset owners. I believe \nthe creation of CESER was an important step, and I applaud the \nDepartment's commitment to engaging the public-private critical \ninfrastructure community. But there is more work to be done, \nespecially regarding engagement with critical infrastructure \nequipment manufacturers.\n    Again to Assistant Secretary Evans, what steps has your \noffice taken to include not just asset owners but also vendors \nsuch as the designers and manufacturers of critical \ninfrastructure equipment like SEL in my district?\n    Ms. Evans. Well, the initial piece--several of this is done \nthrough our research and development programs that we have that \nwe fund where we are requesting that manufacturers and folks \nthat produce hardware that are in the grid participate. So \nthere were 11 projects that were recently funded that are \nactually looking at firmware down to the level of how these \nthings are done, and then being able to say, ``OK, that is a \nmore secure product, we have demonstrated that, and now we are \ngoing to go ahead and implement that and show that information \nout.'' So those are some of the short-term things that we are \ndoing.\n    The longer-term things are like our CyTRICS program, which \nis looking at bigger types of manufacturing activities and \nbeing able to share that information out. 
And the longer-term \nplay that we have is the advanced manufacturing institute that \nis really going to look at how can we improve this in the long \nrun on an ongoing basis to address that manufacturing up front \nand be able to share that information and then be able to take \nadvantage of the innovation that we have.\n    Mrs. Rodgers. Thank you.\n    There is a growing concern about the presence of certain \nforeign manufactured components in various aspects of our 21st \ncentury infrastructure, whether in communications, \ntelecommunications, or our electric grid.\n    For the panel, what potential risk does the growing \ndependence on foreign manufactured components in our energy \nsupply chain create? And how do we mitigate such potential risk \nwhile recognizing that it would be impossible to completely \nphase out all foreign-made equipment?\n    Mr. Dodge. So, from a FERC perspective, approximately 2 \nyears ago we actually directed NERC to develop a standard to \naddress supply chain risk. NERC filed the standard with us, and \nwe approved it. It actually helps address some aspects of \nsupply chain risk. We also directed NERC to go back and do \nadditional work in this area and to look at the supply chain \nrisk associated with electronic access control systems as well \nas physical access control systems, as well as look at the \npotential supply chain risk for low-impact cybersecurity \nassets.\n    They have conducted a report on that, and they are in the \nprocess of following up on that. And I defer to Jim to add \nadditional information on that.\n    Mr. Robb. So Andy is right where this is an ongoing \nexploration of a very complicated topic. Our next step on this \nis that we will be issuing, later in August, what we call a \n1600 data request, which will go out to all the utilities that \nare in the NERC registry, and collect a lot more information on \nwhat suppliers, what equipment is actually out there. 
So we \nwill have a better sense of the extended condition, which will \nthen inform what the appropriate next steps might be in order \nto mitigate whatever threats might be out there.\n    Mrs. Rodgers. OK. I look forward to seeing more of that. \nThank you.\n    And I will yield back my time.\n    Mr. Rush. The gentlelady yields back.\n    The Chair now recognizes the brilliant cosponsor of H.R. \n2062, Mr. Walberg of Michigan, for 5 minutes. Great State of \nMichigan. Upper Michigan, not lower Michigan.\n    Mr. Walberg. Lower Michigan. Thank you, Mr. Chairman. And \nhaving been born and raised part of my life in your district as \nwell, I appreciate serving with you and also drawing attention \nto the fact that we were successful in getting the $3 million \namendment for CESER past the House, and that is the first step.\n    Secretary Evans and the rest of the panel, thank you for \nbeing here. As I am sure you know, Chairman Rush and I, as he \nhas just mentioned, have H.R. 362, the Energy Emergency \nLeadership Act, which would codify the functions assigned to \nyour office as permanent Assistant Secretary.\n    Can you briefly address for us today how you think such an \nauthorization could improve CESER's ability to carry out its \nimportant mission in the long term?\n    Ms. Evans. I think it--first, I appreciate the leadership \nthat you are showing with that and the commitment to the office \nand the commitment to the administration.\n    What it will do is ensure the ongoing establishment of the \noffice. It will ensure continuity as it goes forward. That has \nalready been done with the line item in the budget. That helps. \nAnd so this would be the conclusion to solidify what this \nAssistant Secretary position is intended to do to realize what \nyou had envisioned with the FAST Act of 2015 as well.\n    Mr. Walberg. 
I appreciate that.\n    Secretary Evans, due to the fast-evolving nature of \ncybersecurity risks, security cannot be achieved through \nstandards alone. Reliability and security depend on constant \nawareness and information sharing between utilities and the \nGovernment and coordination among the Government's efforts.\n    As you know, the FAST Act that you mentioned codified DOE \nas the sector-specific agency for cybersecurity for the energy \nsector. This provision requires DOE to coordinate with the \nDepartment of Homeland Security and other relevant Federal \nagencies.\n    Can you provide an evaluation of how your office and DOE \nhave coordinated with other agencies?\n    Ms. Evans. We take our responsibility very seriously as the \nsector-specific agency, and we lead those efforts in \nconjunction with the Department of Homeland Security. The \nDepartment of Homeland Security overall has responsibilities \nfor all the sectors. We are just one of those sectors. We view \nwe are critical to that effort, and we work in multiple ways \njointly with the whole of government. I know everybody is \ntalking about the whole-of-government approach, but that truly \nis the way that we need to do this.\n    We are just one piece of the puzzle, and it has to be \nlooked at across the board both within the intelligence \ncommunity as well as the Department of Defense, Department of \nTransportation. All of this is interconnected. And we do lead \nthat as the energy-specific agency, and it does work well.\n    And so there are examples upon examples of where we can \nshow that it is working well. And it is being mobilized right \nnow as we are watching the hurricanes approach. And so I do \nbelieve that us as the lead, as the sector-specific agency, we \nare committed to doing that, and our partnership with our \nfellow agencies, it does work well.\n    Mr. Walberg. 
Thank you.\n    The FAST Act also amended the Federal Power Act by \nintroducing a new tool of grid scale emergency declarations \nthat could be provided by the President. If the executive \nbranch were to ask or order a utility to take or not take \ncertain actions with regard to the intrusion or vulnerability, \nthere are concerns that utilities may face legal exposure by \nacting contrary to their first course of action.\n    Has CESER or the Department considered the possibility and \nin such circumstances that are not grid scale emergencies? Are \nyou aware of these concerns over this type of incentive \nstructure creating ambiguity or strain?\n    Ms. Evans. So that is one thing that we are working in \npartnership with our industry partners as well as State and \nlocal governments. Should the President declare a grid \nemergency, looking at the way that Department of Homeland \nSecurity is--through the National Risk Management Center is \nidentifying risk, we--and then also the work that is going on \nthrough our Office of Electricity with the North American \nresiliency model, you can then start seeing what kind of risk \nthere would be, based on the way the infrastructure is set out.\n    We are working in conjunction with them to be able to \nhighlight these issues through a policy process in the \nadministration to make the determination should additional \nlegislation or liability protections are needed, if and when \nthat happens.\n    Mr. Walden. Mr. Dodge, if I could, has FERC looked at this \nissue as well?\n    Mr. Dodge. [Off mic.]\n    Mr. Walden. OK. Thank you.\n    I yield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes Mr. Johnson for 5 minutes.\n    Mr. Johnson. Thank you, Mr. Chairman. And thanks to our \npanel for being with us today.\n    Ms. Evans, because DOE is the sector-specific agency for \ncybersecurity for the energy sector, the work your office does \nis so very important. 
And that importance will continue to \nincrease as our dependency on technology grows.\n    Last time you testified, we discussed DOE's role in the \ntri-sector working group, which, as I understand it, was \norganized to help us better identify and ideally safeguard some \nof the interdependencies of the critical functions of each \nsector of that group; that is, our electric utilities, our \nfinancial sector, and telecom industries.\n    So last time we talked, this work was just beginning and \ndiscussions were underway on how to best direct that work. Can \nyou please provide an update on how these conversations have \nbeen going and if this work is helping to better safeguard \nthese critical industries?\n    Ms. Evans. So I am happy to provide the update. The work is \ncontinuing. Obviously, there is an industry side of this. The \nindustry group has identified and has fed into the process that \nDHS, when they release the national critical functions, that \nwork of the tri-sector group, both the government as well as \nthe industry side, fed into what are those national risk \nindicators.\n    Based on that, now, the groups are going down, both on the \ngovernment side as well as the industry side, looking at those \ninterdependencies. And then, in essence, it is a risk register. \nAnd then looking at those interdependencies between those three \nsectors and then what can we do to mitigate the risk as we go \nforward.\n    So the work is continuing. It is getting to a more granular \nlevel. But that is to be expected so that we can then inform \nhow are we going to, then, deal with it as we go forward.\n    Mr. Johnson. OK. All right. Well, I am an IT guy by--in my \nprofession before I came to serve here in Congress. How can \nCongress be helpful with this work moving forward?\n    Ms. Evans. 
What I believe is going to happen, and this is \nwhat we are going to have to look at going forward is, as you \nstart seeing these interdependencies, especially as it relates \nto technology, we have covered some of the issues going forward \nis there probably will be help. There will be things that we \nwill need to discuss with you that could say that maybe the \nlegal framework in order to be able to share the information \nneeds to be more robust. That is a path that we are exploring. \nWe are looking at it from the government side. I know the \nindustry side is looking at that as well.\n    Mr. Johnson. OK. Shifting gears just a little bit. To the \nentire panel, looking at strengthening our workforce, I spent \n26 1/2 years in the Air Force doing large-scale IT projects. \nMany of them very secure programs. Lots of experience and \nskills among our military veterans that are getting out. So \nwhat are you doing--and I will give each panelist an \nopportunity to comment on this. What are you doing to \nincorporate cleared individuals such as military veterans in \nyour cyber assignments or cyber workforce hiring initiatives?\n    Ms. Evans, you want to go first?\n    Ms. Evans. Oh, OK. Sure. As you said, sir, they have a \nseries of skills that are readily transferable. We are doing \ntargeted recruiting as we are going forward. We do partner with \nDOD. There are a series of programs that are out there that--\nsome of them have already been mentioned today--that allow for \nthat transference to go back and forth.\n    And so there are programs that the nonprofit sectors are \nalso looking at so that military personnel know how their \nskills translate into civilian sector as well. I think a lot of \ntimes what I have seen in my experience is they don't \nnecessarily know that it translates into this particular job--\n--\n    Mr. Johnson. Yes. It has been that way since 1999, when I \nretired. 
The amount of information going to our veterans and \nletting them know where their services might be useful has not \ngotten a lot better in almost 30 years. I hear you.\n    Mr. Dodge.\n    Mr. Dodge. Sure. Thank you for the question. So we received \na similar question a little bit earlier today, and we responded \nto that. I am not an expert in the Federal Government, the \nhuman resource policies, but I can tell you that we have \nrecently hired several recent veterans into our organization.\n    Mr. Johnson. OK.\n    Mr. Robb, quickly.\n    Mr. Robb. Yes. I kind of have a similar answer as Andy. And \nI would say this transcends cyber. We found military veterans \nto be a great fit for our mission in a number of areas, and I \nwould guess a material--I won't give you a number, but a \nmaterial part of our workforce are ex-military.\n    Mr. Johnson. OK. All right. Thank you.\n    Mr. Chairman, I yield back.\n    Mr. Rush. The gentleman yields back.\n    The Chair now recognizes the gentleman from Texas, Mr. \nVeasey, for 5 minutes.\n    Mr. Veasey. Thank you, Chairman Rush. Really appreciate you \nholding this hearing and the witnesses that have taken the time \nto come before the subcommittee to discuss ways we can improve \nthe cybersecurity of our Nation's grid.\n    It is clear that electrification of our world has brought \nmany benefits, but we also face the risk of foreign actors that \nwould like to disrupt that. They understand that it is a \nbenefit and know how disruptive that it would be if they could \ncause any sort of havoc in that. Advancements in cybersecurity \nbest practices will be helpful in reducing those risks, and we \nshould continue to partner with industry in ensuring our \ndefenses are strong.\n    And my question today--and anybody on the panel can answer \nit--I think that it was referenced in testimony from Ms. 
Evans \nin particular that the assessment released earlier this year by \nthe Office of the Director of National Intelligence details the \ncapabilities of Russia and China to cause massive disruptions \nto our energy systems.\n    And I was wondering if you could expand a little more on \nwhat a disruption to an electrical distribution network or a \nnatural pipeline, gas pipeline would mean for those citizens \nand companies impacted. Can anybody touch on that?\n    Mr. Dodge. Could you just repeat the very last portion of \nyour question?\n    Mr. Veasey. Yes. Just expanding a little more on what a \ndisruption to an electrical distribution network or a natural \ngas pipeline would mean for citizens and those companies that \nwould be impacted by that disruption.\n    Mr. Dodge. OK. Sure. Thanks for the question. So we have \nnot had a disruption up to this point. I want to point that out \nand make that very clear. We have actually improved the \ncybersecurity reporting standards that actually reports \nattempts as well as actual events.\n    So, from an actual customer perspective, it likely could be \nan interruption, whether it is on an electric distribution \nsystem or a natural gas system, and it could be a disruption \nfor some period of time. The period of time could vary quite a \nbit, and I don't really have additional insight to the answer \nto your question other than that.\n    Mr. Veasey. Anyone else have any thoughts?\n    Mr. Robb. 
So I would just make the observation that one of \nthe key tenets of the NERC and FERC reliability regime is that, \nif an incident occurs, it quickly gets contained, right, so it \ndoesn't cascade beyond kind of a local boundary to allow kind \nof, you know--the various parties that would be required to do \nrestoration are working on a smaller problem rather than a \nlarge one.\n    So the one thing I would say is that the highest likelihood \nin that area is that an electrical disruption would be \ncontained to a fairly specific area and not cascade.\n    The other point I would make--and, again, this will \nprobably be a better comment coming from the gas industry--is a \ndisruption on the natural gas system is really very, very \ncomplicated from a safety perspective because of the--just the \nnature of the fuel.\n    Mr. Veasey. Right. Right. Exactly.\n    Secretary Evans, you talked in your testimony about DOE's \nrole on the National Security Council, and you mentioned the \nregular unclassified threat briefings that DOE provides to \ninteragency and industry partners that go with the classified \nthreat briefings to cleared members of the sector.\n    Can you talk a little bit about the importance of working \nwith industry to head off threats and specifically DOE's \ninteractions with the three energy-focused information sharing \nand analysis centers?\n    Ms. Evans. Yes, I am happy to discuss that. We do try to \nget the information declassified to the greatest extent \npossible so that it can be distributed through the information \nsharing and analysis centers that you mentioned. We hold \nregular meetings with those folks who manage that, the \ntechnical teams who manage the ISACs. 
And they come--those are \nhandled at classified levels so that they can understand the \ncontext around the threat.\n    But we also then work across with the energy sector and the \nassociations and through the sector coordinating councils to do \nboth classified and unclassified briefings, so that they can--\nthe more you can say in a classified environment is great, but \nyou really want to be able to give them information that is \nactionable so that they can go back and talk to their entire \ncompany and what kind of actions they can take and what kind of \nrisks they are posing.\n    And so we work at multiple levels to make sure that we can \nget the best information in the hands of those who can then \nturn it into actionable information for their constituents.\n    Mr. Veasey. Thank you very much.\n    Mr. Chairman, I yield back.\n    Mr. Rush. The gentleman yields back.\n    And that concludes the witness questions. And I certainly \nwant to thank all the witnesses for your participation in \ntoday's hearing.\n    I remind Members that, pursuant to the committee rules, \nthey have 10 business days to submit additional questions for \nthe record to be answered by the witnesses who have appeared. \nAnd I will ask each witness to respond promptly to any such \nquestions that you may receive.\n    The Chair now requests unanimous consent to enter into the \nrecord the following documents: a letter from the Western \nGovernors' Association, a letter from Protect Our Power, and a \nletter from the R Street Institute.\n    Without objection, so ordered.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Rush. And the subcommittee now stands adjourned.\n    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n    [GRAPHICS ARE AVAILABLE IN TIFF FORMAT] \n\n                                 [all]\n</pre></body></html>\n"