[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


      KEEPING THE LIGHTS ON: ADDRESSING CYBER THREATS TO THE GRID

=======================================================================

                                HEARING

                               BEFORE THE

                         SUBCOMMITTEE ON ENERGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 12, 2019

                               __________

                           Serial No. 116-52
                           
                           


      Printed for the use of the Committee on Energy and Commerce

                   govinfo.gov/committee/house-energy
                        energycommerce.house.gov
                        
                        
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
40-665 PDF                  WASHINGTON : 2020                     
          
--------------------------------------------------------------------------------------                        
                        
                        
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                     FRANK PALLONE, Jr., New Jersey
                                 Chairman
BOBBY L. RUSH, Illinois              GREG WALDEN, Oregon
ANNA G. ESHOO, California              Ranking Member
ELIOT L. ENGEL, New York             FRED UPTON, Michigan
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
MIKE DOYLE, Pennsylvania             MICHAEL C. BURGESS, Texas
JAN SCHAKOWSKY, Illinois             STEVE SCALISE, Louisiana
G. K. BUTTERFIELD, North Carolina    ROBERT E. LATTA, Ohio
DORIS O. MATSUI, California          CATHY McMORRIS RODGERS, Washington
KATHY CASTOR, Florida                BRETT GUTHRIE, Kentucky
JOHN P. SARBANES, Maryland           PETE OLSON, Texas
JERRY McNERNEY, California           DAVID B. McKINLEY, West Virginia
PETER WELCH, Vermont                 ADAM KINZINGER, Illinois
BEN RAY LUJAN, New Mexico            H. MORGAN GRIFFITH, Virginia
PAUL TONKO, New York                 GUS M. BILIRAKIS, Florida
YVETTE D. CLARKE, New York, Vice     BILL JOHNSON, Ohio
    Chair                            BILLY LONG, Missouri
DAVID LOEBSACK, Iowa                 LARRY BUCSHON, Indiana
KURT SCHRADER, Oregon                BILL FLORES, Texas
JOSEPH P. KENNEDY III,               SUSAN W. BROOKS, Indiana
    Massachusetts                    MARKWAYNE MULLIN, Oklahoma
TONY CARDENAS, California            RICHARD HUDSON, North Carolina
RAUL RUIZ, California                TIM WALBERG, Michigan
SCOTT H. PETERS, California          EARL L. ``BUDDY'' CARTER, Georgia
DEBBIE DINGELL, Michigan             JEFF DUNCAN, South Carolina
MARC A. VEASEY, Texas                GREG GIANFORTE, Montana
ANN M. KUSTER, New Hampshire
ROBIN L. KELLY, Illinois
NANETTE DIAZ BARRAGAN, California
A. DONALD McEACHIN, Virginia
LISA BLUNT ROCHESTER, Delaware
DARREN SOTO, Florida
TOM O'HALLERAN, Arizona
                                 ------                                

                           Professional Staff

                   JEFFREY C. CARROLL, Staff Director
                TIFFANY GUARASCIO, Deputy Staff Director
                MIKE BLOOMQUIST, Minority Staff Director
                         Subcommittee on Energy

                        BOBBY L. RUSH, Illinois
                                 Chairman
SCOTT H. PETERS, California          FRED UPTON, Michigan
MIKE DOYLE, Pennsylvania               Ranking Member
JOHN P. SARBANES, Maryland           ROBERT E. LATTA, Ohio
JERRY McNERNEY, California, Vice     CATHY McMORRIS RODGERS, Washington
    Chair                            PETE OLSON, Texas
PAUL TONKO, New York                 DAVID B. McKINLEY, West Virginia
DAVID LOEBSACK, Iowa                 ADAM KINZINGER, Illinois
G. K. BUTTERFIELD, North Carolina    H. MORGAN GRIFFITH, Virginia
PETER WELCH, Vermont                 BILL JOHNSON, Ohio
KURT SCHRADER, Oregon                LARRY BUCSHON, Indiana
JOSEPH P. KENNEDY III,               BILL FLORES, Texas
    Massachusetts                    RICHARD HUDSON, North Carolina
MARC A. VEASEY, Texas                TIM WALBERG, Michigan
ANN M. KUSTER, New Hampshire         GREG WALDEN, Oregon (ex officio)
ROBIN L. KELLY, Illinois
NANETTE DIAZ BARRAGAN, California
A. DONALD McEACHIN, Virginia
TOM O'HALLERAN, Arizona
LISA BLUNT ROCHESTER, Delaware
FRANK PALLONE, Jr., New Jersey (ex 
    officio)
                            
                            C O N T E N T S

                              ----------                              
Hon. Jerry McNerney, a Representative in Congress from the State 
  of California, opening statement
    Prepared statement
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement
    Prepared statement
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement
    Prepared statement

                               Witnesses

Karen S. Evans, Assistant Secretary, Office of Cybersecurity, 
  Energy Security, and Emergency Response, Department of Energy
    Prepared statement
J. Andrew Dodge, Sr., Director, Office of Electric Reliability, 
  Federal Energy Regulatory Commission
    Prepared statement
James B. Robb, President and Chief Executive Officer, North 
  American Electric Reliability Corporation
    Prepared statement

                           Submitted Material

Article of July 8, 2019, ``Grid Chief: Operators pulling 
  `rabbits' to keep lights on,'' by Peter Behr, E&E News, 
  submitted by Mr. McKinley
Letter of July 9, 2019, from James D. Ogsbury, Executive 
  Director, Western Governors' Association, to Mr. Rush and Mr. 
  Upton, submitted by Mr. Rush
Letter of July 12, 2019, from Jim Cunningham, Executive Director, 
  Protect Our Power, to Mr. Pallone and Mr. Walden, submitted by 
  Mr. Rush
Letter of July 12, 2019, from Kathryn Waldron, Fellow, 
  Cybersecurity and National Security, R Street Institute, to Mr. 
  Rush and Mr. Upton, submitted by Mr. Rush

 
      KEEPING THE LIGHTS ON: ADDRESSING CYBER THREATS TO THE GRID

                              ----------                              


                         FRIDAY, JULY 12, 2019

                  House of Representatives,
                            Subcommittee on Energy,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:32 a.m., in 
the John D. Dingell Room 2123, Rayburn House Office Building, 
Hon. Bobby L. Rush (chairman of the subcommittee) presiding.
    Members present: Representatives Rush, Peters, McNerney, 
Loebsack, Butterfield, Schrader, Kennedy, Veasey, Kuster, 
Kelly, Barragan, McEachin, O'Halleran, Blunt Rochester, Pallone 
(ex officio), Upton (subcommittee ranking member), Latta, 
Rodgers, Olson, McKinley, Griffith, Johnson, Bucshon, Flores, 
Hudson, Walberg, Duncan, and Walden (ex officio).
    Staff present: Jeffrey C. Carroll, Staff Director; 
Jacqueline Cohen, Chief Environment Counsel; Jean Fruci, Energy 
and Environment Policy Advisor; Waverly Gordon, Deputy Chief 
Counsel; Tiffany Guarascio, Deputy Staff Director; Omar Guzman-
Toro, Policy Analyst; Rick Kessler, Senior Advisor and Staff 
Director, Energy and Environment; John Marshall, Policy 
Coordinator; Elysa Montfort, Press Secretary; Meghan Mullon, 
Staff Assistant; Lisa Olson, FERC Detailee; Alivia Roberts, 
Press Assistant; Tim Robinson, Chief Counsel; Andrew Souvall, 
Director of Communications, Outreach, and Member Services; 
Tuley Wright, Energy and Environment Policy Advisor; Adam 
Buckalew, Minority Director of Coalitions and Deputy Chief 
Counsel, Health; Robin Colwell, Minority Chief Counsel, 
Communications and Technology; Jordan Davis, Minority Senior 
Advisor; Melissa Froelich, Minority Chief Counsel, Consumer 
Protection and Commerce; Peter Kielty, Minority General 
Counsel; Mary Martin, Minority Chief Counsel, Energy and 
Environment & Climate Change; Brandon Mooney, Minority Deputy 
Chief Counsel, Energy; and Brannon Rains, Minority Legislative 
Clerk.
    Mr. Rush. The subcommittee will now come to order. I want 
to thank all the Members and the witnesses for appearing before 
the subcommittee this morning.
    The Chair will now yield 5 minutes to my great friend, Mr. 
McNerney from California, for 5 minutes.

 OPENING STATEMENT OF HON. JERRY McNERNEY, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. McNerney. Good morning, Mr. Chairman. I thank you for 
yielding me the 5 minutes.
    And I thank the witnesses for coming this morning. It is an 
incredibly important issue that we needed to care a lot about 
and make good policy on.
    We are meeting today to discuss the state of cybersecurity 
in the grid and the continuing threats facing America's energy 
infrastructure. We continue to see increasing threats to the 
grid, originating both at home and abroad. I am glad to see the 
DOE and FERC and others taking steps to address the growing 
dangers posed by nefarious actors.
    Our energy grid serves as the backbone of our economy, 
touching every aspect of our lives, and a reliable grid is also 
crucial to our national security and for a clean 
energy future. For lawmakers to encourage and enable innovative 
advancements that we can improve the security and reliability 
of our Nation's electric grid, we must work on a bipartisan 
basis and actively engage with industry leaders as we are doing 
today here.
    Fortunately, the modernization and innovation of our energy 
infrastructure is already underway. What was once a one-way 
delivery system has evolved into a dynamic network where 
information and energy flows both ways. Technological 
advancements are also borne from the need to secure the energy 
grids against potential physical and cyber threats.
    For example, technology allowing for the rerouting of power 
and quick response in the event of attack is being deployed 
across the grid. The cooperation among Federal, State, and 
local governments is essential to protecting Americans and our 
Nation's infrastructure.
    Given today's cyber environment, it is more important than 
ever that Congress pursue policies that continue to foster 
these exciting developments and support our grid 
infrastructure.
    This is an issue that I am very passionate about, and any 
vulnerable component is a threat to our physical and national 
security, making it imperative that we invest in grid 
modernization and security.
    That is why I am proud to cochair the bipartisan Grid 
Innovation Caucus with my good friend from across the aisle, 
Representative Bob Latta from Ohio. Together, we are focused on 
providing a forum for discussing solutions to the many 
challenges facing the grid and to educate Members of Congress 
and staff about the importance of the electric grid with 
relation to the economy, energy security, advanced technologies 
being utilized to enhance grid capabilities.
    This work has informed our introduction of two bills on the 
topic, both of which have already been marked up and advanced 
by this subcommittee. Their aim is to bolster America's 
electric infrastructure by encouraging coordination between the 
Department of Energy and the electric utilities.
    My bill, which I introduced along with Mr. Latta, H.R. 359, 
the Enhancing Grid Security Through Public-Private Partnership 
Act, would create a program to enhance the physical and 
cybersecurity of the electric utilities through assessing 
security vulnerabilities and increasing cybersecurity training 
and collect data.
    It would also require the interrupt cost estimate 
calculator, which is used to calculate the return on investment 
on utility investments to be updated at least every 2 years to 
ensure accurate calculations.
    Mr. Latta's bill, which he introduced along with me, H.R. 
360, the critical Cyber Sense Act, makes important headway in 
protecting our critical grid infrastructure. The Cyber Sense 
Act would create a program to identify cybersecure products for 
the bulk power grid through testing and verification program.
    The bulk power system supports American industry and 
provides all the benefits of a reliable electric power to the 
American people. It is essential that we make this system as 
secure as possible, as cyber attacks do pose a serious threat 
to the electric grid. Any vulnerable component in our grid is a 
threat to our security, and this bill will go a long way to 
strengthening that system. I thank Mr. Latta for his 
partnership, and looking forward to working with him.
    I also want to take a moment to mention my support for H.R. 
362, the Energy Emergency Leadership Act, sponsored by Chairman 
Rush and Mr. Walberg. This bill would establish a new DOE 
Assistant Secretary position with jurisdiction over all energy, 
emergency, and security functions related to energy supply, 
infrastructure, and cybersecurity.
    Finally, I want to mention my support for one more bill on 
this topic, H.R. 370, the Pipeline and LNG Facilities 
Cybersecurity Preparedness Act, sponsored by Ranking Member 
Upton and Mr. Loebsack. This bill would require the Secretary 
of Energy to establish a program relating to the physical 
security and cybersecurity for pipelines and liquefied natural 
gas facilities.
    As the bills I have mentioned show, our committee is 
uniquely positioned to examine the issues before us today as we 
work to put America on a path to better securing our electric 
and utilities system.
    Now I yield back to the chairman.
    [The prepared statement of Mr. McNerney follows:]

               Prepared Statement of Hon. Jerry McNerney

    We are meeting today to discuss the state of cybersecurity 
in the grid and the continuing threats facing America's energy 
infrastructure.
    We continue to see increasing threats to the grid 
originating both at home and abroad. I'm glad to see DOE, FERC, 
and others take steps to address the growing dangers posed by 
nefarious actors.
    Our energy grid serves as the backbone of our economy, 
touching every aspect of our lives. A reliable grid system is 
also critical for our national security and clean energy 
future.
    For lawmakers to encourage and enable innovative 
advancements that can improve the security and reliability of 
our Nation's energy grid, we must work on a bipartisan basis 
and actively engage with industry leaders as we are doing 
today.
    Fortunately, the modernization and innovation of our energy 
infrastructure is already underway. What was once a one-way 
delivery system has evolved into a dynamic network where 
information and energy flow both ways.
    Technological advancements are also born from the need to 
secure the energy grid against potential physical and cyber 
threats.
    For example, technology allowing for the rerouting of power 
and quick response in the event of attacks is being deployed 
across the grid. The cooperation among Federal, State and local 
governments is essential to protecting Americans and our 
Nation's infrastructure.
    Given today's cyber environment, it is more important than 
ever that Congress pursue policies that continue to foster 
these exciting developments and support our grid 
infrastructure.
    This is an issue that I am very passionate about. Any 
vulnerable component is a threat to our physical and national 
security, making it imperative that we invest in grid 
modernization and security.
    That is why I am proud to cochair the bipartisan Grid 
Innovation Caucus along with my good friend from across the 
aisle, Representative Latta of Ohio.
    Together, we are focused on providing a forum for 
discussing solutions to the many challenges facing the grid, 
and to educate Members of Congress and staff about the 
importance of the electric grid with relation to the economy, 
energy security, and advanced technologies being utilized to 
enhance grid capabilities.
    This work has informed our introduction of two bills on the 
topic, both of which have already been marked up and advanced 
by this subcommittee.
    Their aim is to bolster America's electric infrastructure 
by encouraging coordination between the Department of Energy 
and electric utilities.
    My bill, which I introduced along with Mr. Latta, H.R. 359, 
the Enhancing Grid Security through Public-Private Partnerships 
Act, would create a program to enhance the physical and cyber 
security of electric utilities through assessing security 
vulnerabilities, increase cybersecurity training, and data 
collection. It would also require the Interruption Cost 
Estimate Calculator--which is used to calculate the return on 
investment on utility investments--to be updated at least every 
2 years to ensure accurate calculations.
    Mr. Latta's bill, which he introduced along with me, H.R. 
360, the Cyber Sense Act, makes important headway in protecting 
our critical grid infrastructure.
    The Cyber Sense Act would create a program to identify 
cyber secure products for the bulk power grid through a testing 
and verification program.
    The bulk power system supports American industry and 
provides all the benefits of reliable electric power to the 
American people.
    It is essential that we make this system as secure as 
possible, as cyber attacks pose a serious threat to the 
electric grid.
    Any vulnerable component in our grid is a threat to our 
security, and this bill will go a long way to strengthening our 
system.
    I thank Mr. Latta for his partnership in these efforts and 
look forward to continuing to work to ensure a more secure and 
resilient grid.
    I also want to take a moment to mention my support for H.R. 
362, the Energy Emergency Leadership Act, sponsored by Chairman 
Rush and Mr. Walberg. This bill would establish a new DOE 
Assistant Secretary position with jurisdiction over all energy 
emergency and security functions related to energy supply, 
infrastructure, and cybersecurity.
    Finally, I want to mention my support for one more bill on 
this topic, H.R. 370, the Pipeline and LNG Facility 
Cybersecurity Preparedness Act sponsored by Ranking Member 
Upton and Mr. Loebsack. This bill would require the Secretary 
of Energy to establish a program relating to the physical 
security and cybersecurity for pipelines and liquefied natural 
gas facilities.
    As the bills I have mentioned show, our committee is 
uniquely positioned to examine the issues before us today as we 
work to put America on a path to better securing our electric 
utility system.
    Thank you and I yield back.

    Mr. Rush. I want to thank the gentleman. And on a point of 
personal privilege, the Chair was originally scheduled to be at 
home in Chicago this morning for a funeral--one of my dear 
friends, Ms. Dana Russell, trusted friend and colleague and 
supporter--and due to inclement weather last night, my flight 
was canceled, so I couldn't be in Chicago.
    And Mr. McNerney graciously agreed to sit in the chair for 
me last night, because I wasn't going to be here this morning. 
But I am here now, and so I want to thank him, Mr. McNerney, 
personally for agreeing to sit in the chair for me in my 
absence. But as you can see, I am here, and so thank you.
    Mr. McNerney. Well, I appreciate the sentiment, and I also 
appreciate the confidence that you have shown in me, Mr. 
Chairman.
    Mr. Rush. Thank you very much.
    The Chair now recognizes Mr. Upton, the ranking member of 
the subcommittee, for 5 minutes for the purposes of an opening 
statement.
    Mr. Upton. Well, thank you, Mr. Chairman. I am sorry to 
hear about your friend, and I am grateful that you didn't get 
on that plane, because I drove home through that storm last 
night, and I don't think that plane would have had a lot of----
    Mr. Rush. Thank you.
    Mr. Upton. Yes. Yes. Smart.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Today's hearing continues the subcommittee's ongoing 
oversight of cybersecurity threats to the electric grid, a 
priority that all of us have had. And while this is the first 
hearing specifically on the topic this year, the subcommittee 
has been raising questions about persistent and emerging 
threats to the electrical grid in closed briefings and in 
hearings with Federal officials and others over the course of 
this session, building on the work that we have done over the 
last couple of Congresses.
    It is unquestionable that ensuring the reliable supply of 
electricity is vital to our Nation's security, economy, our 
health, and welfare. Electricity enables telecommunications, 
financial transactions, the transport and delivery of energy 
and agriculture; it powers the infrastructure that delivers our 
drinking water. It enables business and industry to make and 
provide the goods and services of our modern society. It powers 
our hospitals, our households, and everything else.
    But let's face it. The U.S. has the world's most complex 
electric grid, and while we have a well-developed system of 
grid operators to ensure that the lights stay on, we are 
confronting new challenges every day and adapting to a changing 
generation mix, new technologies, and consumer preferences.
    We are also responding to new threats and working to 
strengthen the cybersecurity of the Nation's grid. The 
integration into the system of new digital technologies that 
are essential for keeping up with our Nation's energy needs 
constantly add vulnerabilities.
    Other vulnerabilities are being added with increasing 
dependence on pipeline infrastructure by electric generating 
units. Combine that with a rapid expansion of cyber 
capabilities by more of America's adversaries, and safeguarding 
transmission infrastructure remains particularly urgent.
    Many of the Federal oversight and regulatory structures in 
place today that ensure that the system can mitigate and 
respond to cyber can be traced to this committee's legislative 
work.
    In 2005, we authorized FERC to commission the North 
American Electric Reliability Corporation, NERC, with the 
authority to establish and enforce reliability standards and to 
coordinate activities among industry and the Feds to confront 
cyber threats.
    In 2015, this committee wrote provisions, including the 
FAST Act, to strengthen DOE's energy sector specific 
authorities and to facilitate sharing of the threat information 
between private-sector asset owners and the Federal Government.
    As a Federal agency with a leading expertise on our 
Nation's electricity grid and the cybersecurity threats against 
it, it is imperative that we arm DOE with the tools and 
authorities to protect our electricity system from the 
transmission lines to the very generating stations and their 
pipelines.
    Most recently, we developed legislation to elevate DOE's 
functions overseeing cybersecurity and to improve information 
sharing, emergency planning, and other technical activities in 
this jurisdiction. That legislative work is continuing, but 
fortunately the Department has used its own authorities to 
implement enhanced leadership over cybersecurity and to improve 
interagency coordination.
    Against that backdrop, today's hearing provides a great 
opportunity to update the subcommittee on what these agencies 
are doing to advance cybersecurity practices, protections, and 
response planning.
    I am looking forward to hearing from Assistant Secretary 
Karen Evans, who heads the DOE Office of Cybersecurity, Energy 
Security, and Emergency Response, or CESER. When she testified 
in September last year, she had been on the job for just a 
couple of weeks, though she brought long Federal experience to 
the table as soon as she sat down.
    So I look forward to discussing DOE's current work, how 
well it is exercising its coordinating role over the 
cybersecurity threat, and to learn what challenges she sees 
going forward and how she plans to address those challenges.
    It will also be helpful to hear today from the regulators 
of the electric grid: Andy Dodge, who heads FERC's Office of 
Electric Reliability, and of course, from Jim Robb, who heads 
NERC. Both of these entities serve as the front lines of 
regulatory oversight of electric grid infrastructure 
protection. I am particularly interested in learning what 
measures you are working on to address threats to ensure best 
practices and to coordinate response to cyber incidents.
    The risk of massive blackouts can be hard to think about, 
but the cybersecurity realities of today require that we face 
these risks head on, that we be sure that our agencies and 
appropriate groups have the tools in the toolbox and the 
information that they need to address the risk and that they 
are prepared for the consequences of successful attacks.
    [The prepared statement of Mr. Upton follows:]

                 Prepared Statement of Hon. Fred Upton

    Today's hearing continues the subcommittee's ongoing 
oversight of cybersecurity threats to the electric grid. While 
this is the first hearing specifically on that topic this year, 
the subcommittee has been raising questions about persistent 
and emerging threats to the electrical grid in closed briefings 
and in hearings with Federal officials and others over the 
course of this session--building on the work we've done over 
the past few Congresses.
    It is unquestionable that ensuring the reliable supply of 
electricity is vital to our Nation's security, economy, our 
health and welfare. Electricity enables telecommunications, 
financial transactions, the transport and delivery of energy, 
and agriculture. It powers the infrastructure that delivers our 
drinking water. It enables business and industry to make and 
provide the goods and services of our modern society. It powers 
our hospitals, our households.
    The United States has the world's most complex electric 
grid, and while we have a well-developed system of grid 
operators to ensure our lights stay on, we're confronting new 
challenges and adapting to a changing generation mix, new 
technologies, and consumer preferences. We're also responding 
to new threats and working to strengthen the cybersecurity of 
the Nation's grid.
    The integration into the system of new digital technologies 
that are essential for keeping up with our Nation's energy 
needs constantly add vulnerabilities. Other vulnerabilities are 
being added with the increasing dependence on pipeline 
infrastructure by electric generating units. Combine this with 
the rapid expansion of cyber capabilities by more of America's 
adversaries, and safeguarding transmission infrastructure 
remains particularly urgent.
    Many of the Federal oversight and regulatory structures in 
place today that ensure the system can mitigate and respond to 
cyber threats can be traced to this committee's legislative 
work.
    In 2005, we authorized FERC to commission the North 
American Electric Reliability Corporation (NERC) with the 
authority to establish and enforce reliability standards and to 
coordinate activities among industry and the Feds to confront 
cyber threats.
    In 2015, this committee wrote provisions included in the 
FAST Act to strengthen DOE's energy sector specific authorities 
and to facilitate sharing of threat information between private 
sector asset owners and the Federal Government. As the Federal 
agency with the leading expertise on our Nation's electricity 
grid and the cybersecurity threats against it, it is imperative 
that we arm DOE with the tools and authorities to protect our 
electricity system, from the transmission lines to the 
generating stations to the pipelines.
    Most recently, we developed legislation to elevate DOE's 
functions overseeing cybersecurity and to improve information 
sharing, emergency planning and other technical activities in 
its jurisdiction. That legislative work is continuing, but 
fortunately, the Department has used its own authorities to 
implement enhanced leadership over cybersecurity and to improve 
interagency coordination.
    Against this backdrop, today's hearing provides a great 
opportunity to update the subcommittee on what DOE, FERC and 
NERC are doing to advance cybersecurity practices, protections, 
and response planning.
    I am looking forward to hearing from Assistant Secretary 
Karen Evans, who heads the DOE Office of Cybersecurity, Energy 
Security, and Emergency Response, or CESER.
    When Ms. Evans testified in September last year, she had 
been on the job for just a few weeks--though she brought long 
Federal experience to the table as soon as she sat down. So I 
look forward to discussing DOE's current work, how well it is 
exercising its coordinating role over the cybersecurity threat, 
and to learn what challenges she sees going forward, and how 
she plans to address those challenges.
    It will also be helpful to hear today from the regulators 
of the electric grid: Andy Dodge, who heads FERC's Office of 
Electric Reliability, and, of course, from Jim Robb, who heads 
NERC. Both these entities serve at the front lines of 
regulatory oversight of electric grid infrastructure 
protection. I'm particularly interested in learning what 
measures they are working on to address threats, to ensure best 
practices, and to coordinate response to cyber incidents.
    The risks of massive blackouts can be hard to think about. 
But the cybersecurity realities of today require we face these 
risks head on, that we be sure our agencies and the appropriate 
groups have the tools and information they need to address the 
risks, and that they are prepared for the consequences of 
successful attacks.
    Thank you, Mr. Chairman, for keeping the subcommittee 
informed on this important topic.

    Mr. Upton. Thank you, Mr. Chairman, for this hearing. I 
yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes the chairman of the full 
committee, Mr. Pallone, for 5 minutes for the purposes of an 
opening statement.

OPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Chairman Rush.
    Today we are here to get an update from Federal agencies 
about how they are addressing cyber threats to our electricity 
grid. We know our adversaries are developing new techniques to 
compromise and attack our grid, so it is vitally important that 
the Federal Government and the electric industry remain 
vigilant in ensuring the grid is secure.
    Our committee has been conducting robust oversight on this 
important topic in a bipartisan fashion for years. Today's 
hearing is a public forum to discuss how the Federal Government 
is addressing cybersecurity challenges, but the committee also 
continues to receive closed-door briefings on the issue to 
understand more classified matters.
    Our witnesses and their respective agencies all take 
cybersecurity to the grid very seriously, and I believe 
Secretary Perry made the right decision in creating the 
position of Assistant Secretary for Cybersecurity, Energy 
Security, and Emergency Response to focus specifically on these 
pressing issues.
    Last month, the subcommittee favorably reported out 
legislation introduced by Chairman Rush and Mr. Walberg that 
would enshrine in statute this important new division at DOE, 
and I look forward to bringing this bill and three other 
bipartisan cybersecurity bills up for a markup at the full 
committee soon.
    We must be both active and vigilant when it comes to 
cybersecurity, because time is of the essence. In March, we had 
the first reported malicious cyber event that disrupted grid 
operations of a western utility. Thankfully, there seemed to be 
very little effect on the transmission grid and no customers 
lost power, but we must stay ahead of anyone who is a cyber 
threat.
    And I appreciate the work of FERC and N-E-R-C, or NERC, to 
continue enhancing critical infrastructure protection 
standards, like the final rule last October to bolster supply 
chain risk management. This rule implements new reliability 
standards that respond to supply chain risks, like malicious 
software, by requiring responsible entities to develop and 
implement security controls for industrial control systems, 
hardware, software, and services.
    And these are the types of important forward-looking 
actions we need to proactively protect our grid against 
attacks. And while this hearing today is not specifically about 
pipeline cybersecurity, I would be remiss not to mention how 
important that is to our grid system. We have a reliable 
pipeline system, but we never want to find ourselves in a 
different situation, so I remain concerned about the lack of 
resources and expertise at the Transportation Security 
Administration's pipeline security program.
    I look forward to hearing from DOE about possible ways they 
could help address these safety gaps. As I have said before, if 
TSA continues to devote scant resources or attention to these 
matters, we must start looking at other options to keep our 
pipes secure. So, again, I thank our witnesses for being here 
today as we discuss this critical security issue.
    And with that, Mr. Chairman, unless someone else wants the 
time, I yield back.
    [The prepared statement of Mr. Pallone follows:]

             Prepared Statement of Hon. Frank Pallone, Jr.

    Thank you, Chairman Rush, for holding this hearing today on 
the very important topic of cybersecurity of our Nation's 
electric grid. We know our enemies are rapidly developing new 
techniques to compromise and attack our grid. It is important 
government and industry stay on top of the issue.
    I know our witnesses and their agencies--the Department of 
Energy, the Federal Energy Regulatory Commission, and the North 
American Electric Reliability Corporation--all take 
cybersecurity of the grid very seriously and are doing good 
work. I look forward to today's discussion.
    I am pleased Secretary Perry established the Cybersecurity, 
Energy Security, and Emergency Response, or CESER, office to 
focus specifically on these pressing issues. Chairman Rush and 
Mr. Walberg have introduced bill H.R. 362, the Energy Emergency 
Leadership Act, to enshrine in statute this new focused level 
of leadership at the Department of Energy. I hope we are able 
to report this legislation out of the full committee soon.
    This bill, along with three other bipartisan bills 
addressing cybersecurity of our Nation's energy systems, were 
favorably forwarded to the full committee recently. These bills 
are a top priority to move, and I am very proud of our strong 
bipartisan working relationship and the committee's efforts on 
cybersecurity.
    We all understand time is of the essence. March 2019 marks 
a sobering milestone of the first reported malicious cyber 
event that disrupted grid operations of a Western utility. 
Thankfully, there seemed to be very little effect to the 
transmission grid and no resulting blackouts. We must stay 
ahead of our enemies and keep it that way.
    I appreciate FERC and NERC's work together to continue 
enhancing Critical Infrastructure Protection Standards like the 
final rule last October to bolster supply chain risk 
management. This rule implements new reliability standards that 
respond to supply chain risks like malicious software by 
requiring responsible entities to develop and implement 
security controls for industrial control system hardware, 
software and services. These are the types of important 
forward-looking actions we need to proactively protect our grid 
against attacks.
    And, while this hearing today is not about cybersecurity 
relating to our pipelines, I'd be remiss not to mention how 
important that is to our grid system. We have a reliable 
pipeline system, but we never want to find ourselves in a 
different situation. DOE, FERC, and NERC's responsiveness to 
the committee's briefing request and job of oversight is a 
welcomed change from the stonewalling from TSA who refuse to 
testify. As I've said before, and my friend from Michigan, 
Ranking Member Upton has echoed, if TSA does not want to be 
taken seriously, we may have to look at other options.
    I want to thank our witnesses for being here today. I look 
forward to hearing about CESER's range of work including work 
on a national strategy and cybersecurity risk assessment of the 
grid. I also look forward to hearing about FERC and NERC's
continued work to build out a critical infrastructure 
cybersecurity framework. In general, how are you working to 
incentivize and implement leading cybersecurity standards? What 
types of collaborative processes are your agencies working on 
with industry? And, what can Congress do to support each of 
your agencies' work?
    Thank you, I yield back.

    Mr. Rush. The gentleman yields back.
    The Chair now recognizes the ranking member of the full 
committee, Mr. Walden, for the purposes of an opening 
statement.
    Mr. Walden. Well, good morning, Mr. Chairman.
    Mr. Rush. Good morning.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I am delighted to have the witnesses here and 
to have this hearing.
    By any measure, the reliable supply of electricity is an 
essential part of everything that we do. We know that. And as 
we have learned in previous briefings and hearings, in today's 
highly interconnected and digital world the threat of cyber 
attacks, the reliability of electricity is ever present and it 
is growing.
    And one of our responsibilities on the Energy and Commerce 
Committee is to review and, where necessary, revise laws and 
policies that concern the reliable delivery of energy. This is 
part of the committee's black letter jurisdiction, and it is 
something that we all take very seriously, no matter which 
party is in the majority.
    This morning's oversight hearing continues this important 
work, and it focuses on the status of efforts to address 
cybersecurity threats to the electricity grid. We will hear 
testimony from our witnesses today--you are key players in 
keeping the lights on--Department of Energy, Federal Energy 
Regulatory Commission, and the North American Electric 
Reliability Corporation, or NERC.
    Each of your organizations has a role in supporting 
effective information sharing, technical assistance, standard 
settings, oversight of standards implementation, sound 
engineering practices, all of that as it relates to the bulk 
power system. And I look forward to hearing updates from the 
witnesses, especially on coordination and on sharing among the 
Federal entities and industries. We know that has always been 
an issue, and it continues to be.
    Our past oversights examine some of the work DOE is doing 
to carry out its broad energy emergency and cybersecurity 
responsibilities over the energy sector. This includes 
providing, supporting, and facilitating the technical 
assistance to the energy sector to help identify 
vulnerabilities and to mitigate risk.
    I have seen some of this work firsthand at our National 
Labs, especially in the northwest, the Pacific Northwest 
National Laboratory in Washington State, and I went out to 
Idaho Falls to the Idaho National Laboratory. Terrific people 
working in those labs, doing amazing work on behalf of the 
country. They provide the analytical tools, they provide the 
test beds and other capabilities that are proving very helpful 
for all kinds of industries and systems we rely upon.
    We learned last year how deployment of new surveillance and 
information-sharing tools, particularly in what is called the 
Cybersecurity Risk Information Sharing Program, or CRISP, have 
proven especially helpful in identifying systemic and 
systematic cyber attacks across the energy sector.
    So I would be interested to hear today from NERC and DOE 
how this approach is being expanded more broadly, especially as 
it relates to supply chain risk and operational technology 
systems, the switches and Supervisory Control and Data 
Acquisition, or SCADA system, embedded in the grid. We know 
that as more connected devices and smart grid technologies are 
added to the grid, the vulnerabilities will continue to grow.
    Information sharing is central to strong cyber defenses. 
This is especially important as our energy systems become more 
interconnected. Republican Leader Fred Upton has noted 
repeatedly how, because the Nation's pipeline systems--and you 
have heard this from others today--are such an integral part of 
the electricity fuel supply system, harm to pipelines means 
potential harm to the supply of electricity.
    So we have to think about pipelines as part of our larger 
energy system rather than just a piece of hardware or a simple 
mode of transportation. While pipelines fall under separate 
regulatory regimes, Department of Energy must maintain 
visibility over pipelines to ensure the delivery of electricity 
to consumers. They are all interconnected.
    That is why this committee has been pushing to codify DOE's 
emergency response role and strengthen the Department's 
capabilities to monitor for cyber threats and to provide 
technical assistance to the industries.
    It is also important to enhance coordination of response 
should attacks succeed at a large scale. Members on this panel 
have had the benefit of briefings over the past few years to 
understand emergency response exercises in the electric sector. 
An update on these exercises will also be useful today, so we 
look forward to that.
    As this testimony this morning will underscore, the risk to 
our critical electrical infrastructure from nation states and 
other bad actors is increasing. This means the technical 
assistance, the information sharing, and deployment of 
innovative technologies and best practices to get ahead of the 
threats is ever more urgent.
    We must be sure our critical infrastructure protection 
standards are up to date, and sufficiently flexible to meet the 
risk, and we must be sure we are providing our Federal agencies 
the tools needed to serve the industry and the Nation more 
effectively. We have real responsibility here, and hearings 
like this will help us do our job better.
    So, Mr. Chairman, thank you for having this oversight 
hearing. And, again, to our witnesses, thank you for your 
testimony, guidance, and counsel. You will improve our work.
    [The prepared statement of Mr. Walden follows:]

                 Prepared Statement of Hon. Greg Walden

    Thank you, Mr. Chairman.
    By any measure, the reliable supply of electricity is an 
essential part of almost everything we do. And, as we've 
learned in previous briefings and hearings, in today's highly 
interconnected, digital world, the threat of cyber attacks to 
the reliability of electricity is ever present and growing.
    One of our responsibilities on the Energy and Commerce 
Committee is to review, and where necessary, revise laws and 
policies that concern the reliable delivery of energy. This is 
part of the committee's black letter jurisdiction, and it is 
something we take very seriously on both sides of the aisle, no 
matter which party is in the majority.
    This morning's oversight hearing continues this important 
work. It focuses on the status of efforts to address 
cyberthreats to the electric grid. We will hear testimony from 
three of the key players for making sure the lights stay on: 
Department of Energy, the Federal Energy Regulatory Commission, 
and the North American Electric Reliability Corporation, or 
NERC.
    Each of these organizations has a role in supporting 
effective information sharing, technical assistance, standard 
setting, oversight of standards implementation, and sound 
engineering practices relating to the bulk power system. And I 
look forward to hearing updates from the witnesses, especially 
on coordination and sharing among the Federal entities and 
industry.
    Our past oversight has examined some of the work DOE is 
doing to carry out its broad energy emergency and cybersecurity 
responsibilities over the energy sector. This includes 
providing, supporting, and facilitating the technical 
assistance to the energy sector to help identify 
vulnerabilities and mitigate risks. I've seen some of this work 
at the National Labs, particularly at the Pacific Northwest 
National Laboratory, in Washington, and at the Idaho National 
Laboratory, which provide analytical tools, test beds, and 
other capabilities that are proving very helpful for industry.
    We learned last year how deployment of new surveillance and 
information sharing tools, particularly in what is called the 
Cybersecurity Risk Information Sharing Program, or CRISP, have 
proven especially helpful in identifying systematic cyber 
attacks across the energy sector.
    I would be interested to hear today from NERC and DOE how 
this approach is being expanded more broadly, especially as it 
relates to supply chain risks and operational technology 
systems--the switches and Supervisory Control and Data 
Acquisition (SCADA) system--embedded in the grid. We know that 
as more connected devices and smart grid technologies are added 
to the grid, the vulnerabilities will continue to grow.
    Information sharing is central to strong cyber defenses. 
This is especially important as our energy systems become more 
interconnected. Republican Leader Upton has noted repeatedly 
how, because the Nation's pipeline systems are such an integral 
part of the electricity fuel supply system, harm to pipelines 
means potential harm to the supply of electricity.
    We must think about pipelines as part of a larger energy 
system--rather than a piece of hardware or a simple mode of 
transportation. While pipelines fall under separate regulatory 
regimes, DOE must maintain visibility over pipelines to ensure 
the delivery of electricity to consumers. That is why this 
committee has been pushing to codify DOE's emergency response 
role and strengthen the Department's capabilities to monitor 
for cyberthreats and to provide technical assistance to 
industry.
    It is also important to enhance coordination of response 
should attacks succeed at a large scale. Members on this panel 
have had the benefit of briefings over the past few years to 
understand emergency response exercises in the electric sector. 
An update on these exercises will be useful today.
    As testimony this morning will underscore, the risks to our 
critical electric infrastructure from nation states and other 
bad actors is increasing. This means the technical assistance, 
the information sharing, and deployment of innovative 
technologies and best practices to get ahead of the threats is 
ever more urgent. We must be sure that our critical 
infrastructure protection standards are up to date and 
sufficiently flexible to meet the risks. We must be sure that 
we are providing our Federal agencies the tools needed to serve 
the industry and the Nation more effectively. We have a 
responsibility here and hearings like this will help us do our 
job.
    Thank you, Mr. Chairman, and I yield back.

    Mr. Walden. And with that, I will yield back the balance of 
my time.
    Mr. Rush. The gentleman yields back.
    The Chair would now like to welcome all of our expert 
witnesses for today's hearing. From my left, the Honorable 
Karen S. Evans. She is the Assistant Secretary of the Office of 
Cybersecurity, Energy Security, and Emergency Response, CESER, 
at the U.S. Department of Energy.
    Next to her is seated Mr. J. Andrew Dodge, Sr. He is the 
Director of the Office of Electric Reliability for the Federal 
Energy Regulatory Commission, FERC.
    And sitting next to Mr. Dodge is Mr. Jim Robb, the 
president and chief executive officer of the North American 
Electric Reliability Corporation.
    And I want to, again, thank all of the witnesses for being 
here with us today, and we look forward to your testimony.
    But before we begin, I have to give you a little tutorial. 
I would like to explain the lighting system.
    In front of you is a series of lights. The light will 
initially be green at the start of your opening statement. The 
light will turn yellow when you have 1 minute remaining. Please 
begin to wrap up your testimony at the yellow light. The light 
will turn a bright, bright, bright red when your testimony 
expires.
    And with that said, Assistant Secretary Evans, you are now 
recognized for 5 minutes.

 STATEMENTS OF KAREN S. EVANS, ASSISTANT SECRETARY, OFFICE OF 
    CYBERSECURITY, ENERGY SECURITY, AND EMERGENCY RESPONSE, 
DEPARTMENT OF ENERGY; J. ANDREW DODGE, Sr., DIRECTOR, OFFICE OF 
ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY COMMISSION; AND 
  JAMES B. ROBB, PRESIDENT AND CHIEF EXECUTIVE OFFICER, NORTH 
           AMERICAN ELECTRIC RELIABILITY CORPORATION

                  STATEMENT OF KAREN S. EVANS

    Ms. Evans. Thank you, sir. Good morning, Chairman Rush, 
Ranking Member Upton, and members of the committee. Thank you 
for the opportunity to discuss the continuing threats facing 
our national energy infrastructure.
    Focusing on cybersecurity, energy security, and resilience 
of the Nation's energy systems is one of the Energy Secretary's 
top priorities. By the administration proposing and Congress 
affirming the Office of Cybersecurity, Energy Security, and 
Emergency Response, CESER, the Secretary has clearly 
demonstrated his commitment to achieving the administration's 
goal of energy security and, more broadly, national security.
    Our Nation's energy infrastructure has become a primary 
target for hostile cyber actors, both state-sponsored and the 
nonstate-sponsored. The frequency, scale, and sophistication of 
cyber threats continue to increase. Cyber incidents have the 
potential to disrupt energy services, damage highly specialized 
equipment, and even threaten human health and safety.
    The release of the President's National Cyber Strategy, the 
NCS, in September 2018 reflects the administration's commitment 
to protecting America from cyber threats. The Department of 
Energy plays an active role in supporting the security of our 
Nation's critical energy infrastructure in implementing the 
NCS.
    The efforts reflect a concerted response to the emergence 
of energy cybersecurity and resilience as one of the Nation's 
most important security challenges. Fostering partnerships with 
public and private sector stakeholders is of the utmost 
importance to me as the Assistant Secretary for CESER.
    The NCS prioritizes risk reduction activities across seven 
key areas, which include national security and energy and 
power. DOE cybersecurity activities for the energy sector align 
to the secure critical infrastructure section of pillar one, 
which is protecting the American people, the homeland, and the 
American way of life under the category to prioritize actions 
according to identified national risks.
    In the energy sector, the core of the critical 
infrastructure partners is represented by the Electricity 
Subsector Coordinating Council, or the ESCC, the Oil and 
Natural Gas Subsector Coordinating Council, the ONGSCC, and
the Energy Government Coordinating Council, the EGCC.
    The ESCC and the ONGSCC represent the interest of their 
respective industries. The EGCC, which is led by DOE and DHS, 
is where the interagency partners, States, and international 
partners come together to discuss the important security and 
resilience issues for the energy sector. This forum ensures 
that we are working together in a whole-of-government response.
    It is critical for us to be proactive and cultivate a 
secure energy network of producers, distributors, regulators, 
vendors, and public partners acting together to strengthen our 
ability to identify, detect, protect, respond, and recover. The 
Department is focusing cyber support efforts to strengthen the
energy sector cybersecurity preparedness, coordinate cyber 
incident response and recovery, and accelerate game-changing 
research development and deployment of resilient energy 
delivery systems.
    DOE also maintains a close relationship with FERC and NERC 
to ensure that they have the relevant information to execute 
their missions. DOE also holds regular discussions with the 
three energy sector information-sharing and analysis centers, 
which include the Downstream Natural Gas ISAC, the Oil and 
Natural Gas ISAC, and the Electricity ISAC, to share emerging 
and potential threats, and to disseminate information.
    Establishing CESER is the result of the administration's 
commitment to prioritize the energy security and national 
security. CESER is working on many fronts collaborating with 
industry, State and local governments, to protect our Nation's 
critical energy infrastructure from all hazards, including this 
growing cyber threat.
    Our long-term approach will strengthen our Nation's 
national security and positively impact our economy. I 
appreciate the opportunity to appear before this committee to 
discuss cybersecurity in the energy sector, and I applaud your 
leadership. I look forward to working with you and your 
respective staffs to continue to address cyber and physical 
security challenges.
    [The prepared statement of Ms. Evans follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Rush. I want to thank you, Madam Secretary.
    And now I want to recognize Mr. Robb for--Mr. Dodge, I am 
sorry--for 5 minutes for the purposes of an opening statement.

               STATEMENT OF J. ANDREW DODGE, Sr.

    Mr. Dodge. Thank you very much. Good morning, Chairman 
Rush, Ranking Member Upton, and members of the subcommittee. 
Thank you for the opportunity to testify today. My name is Andy 
Dodge, and I am the Director of Electric Reliability at FERC, 
or the Federal Regulatory Energy Commission. During my 
testimony I will often refer to that as the Commission.
    I am here today as a Commission staff witness, and my 
remarks do not necessarily represent the views of the 
Commission or any individual Commissioner. Today, I will 
provide a brief overview of the Commission's authorities and 
activities to help protect and improve the cybersecurity of the 
Nation's bulk power system.
    Our work includes mandatory reliability standards, audits 
of those standards, identification and sharing of best 
practices. We work very closely with the North American 
Electric Reliability Council, or NERC, its regional entities, 
other Federal and State agencies, and responsible entities to 
carry out this very important work.
    As a result of the Energy Policy Act of 2005 and section 
215 of the Federal Power Act, NERC is responsible for 
developing and proposing new or modified reliability standards 
to the Commission. The Commission oversees NERC's development 
and enforcement of critical infrastructure protection 
standards, or CIP standards.
    The original set of eight mandatory CIP standards were the 
so-called version one standards. They were actually developed 
in 2006 and became totally enforceable in 2010. The CIP 
standards are continuously reviewed and updated to address new 
cybersecurity threats and challenges, as well as technological 
changes. We are currently in version five of the overall 
standards. There are currently 11 active cybersecurity 
standards and one active physical security standard. In all, 
there are over 200 distinct requirements.
    The CIP standards are a portfolio of requirements that 
constitute a defense-in-depth approach to cybersecurity based
on an assessment of risk. Importantly, the CIP reliability 
standards are objective-based, and responsible entities are 
free to choose compliance approaches best tailored to their 
individual systems.
    The foundational standard is CIP-002. This standard 
requires each utility to perform a risk assessment of its 
assets and then to categorize those assets in the low, medium, 
and high impact to the electric grid. The other CIP standards 
then build upon the CIP-002 standard, and they require utility 
companies to develop and implement cybersecurity plans, train 
personnel adequately, establish physical and electronic access 
parameters, and then also test and apply patches in a timely 
manner, identify and report cybersecurity incidents, and also 
develop and implement recovery plans, amongst other things.
    Recently, the Commission further enhanced the CIP 
reliability standards to address supply chain risk and also 
incident reporting. Although NERC and its regional entities are 
primary enforcement authorities for the CIP standards, since 
2016 the Commission has been auditing sample utilities each 
year with respect to their compliance to the version five of 
the CIP standards.
    As a result of these audits, the Commission has issued two 
reports that described the lessons learned from the audits as 
well as best practices. By publishing these lessons-learned 
reports, we hope to help other utility companies improve their 
compliance with the CIP reliability standards as well as their 
overall cybersecurity.
    In addition to the mandatory reliability standards, the 
Commission has adopted voluntary initiatives overseen by our 
Office of Energy Infrastructure Security, or OEIS. OEIS engages 
in partners with industry, States, and other Federal agencies 
to develop and promote best practices for critical 
infrastructure security.
    These initiatives include voluntary architecture 
assessments of interested entities, classified briefings for 
State and industry officials, and joint security programs, 
other Federal Government agencies, and industry.
    In conclusion, protecting the electric system from cyber 
and physical threats is critically important to securing our 
Nation's critical infrastructure. The Commission is taking both 
a standards or mandatory approach as well as a collaborative 
voluntary approach to ensuring a reliable and secure operation 
of the grid.
    I thank you for the opportunity to testify today and 
participate in this hearing, and I very much look forward to 
answering your questions. Thank you.
    [The prepared statement of Mr. Dodge follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Rush. I want to thank the gentleman.
    The Chair now recognizes Mr. Robb for 5 minutes.

                   STATEMENT OF JAMES B. ROBB

    Mr. Robb. Thank you, Chairman Rush, Ranking Member Upton, 
and members of the subcommittee. I appreciate the opportunity 
to be with you today. This is my first appearance in front of 
the committee as NERC CEO since taking the job last year.
    You have all noted in your opening comments how 
foundational electricity is to modern society. And all of us 
here on the panel, NERC, FERC, the Department of Energy, we all 
take our job of strengthening the reliability and security of 
the fabric of the industry very seriously.
    We know the citizens of the United States and our neighbors 
in Canada and Mexico depend on a reliable supply of electricity 
for all of their daily life needs. To date, there has been no 
successful cyber attack that has resulted in a loss of load in 
the United States. While we are very proud of that statistic, I 
can assure you that we will never rest in our laurels, as the 
threats are real and the potential consequences as noted are 
significant.
    As a result, the electricity sector has taken the 
cybersecurity threat extremely seriously and has put in place a 
robust system to protect our critical infrastructure. We find 
that boards and executive leadership play strong support, 
focus, and set cybersecurity as one of their top corporate 
priorities.
    Unlike our day-in and day-out job to reduce risks to 
reliability, cyber risks originate from determined adversaries 
who use multiple persistent techniques to attack our grid.
    The electricity sector employs a multipronged approach to 
support security of the bulk power system. The approach 
includes mandatory and enforceable reliability standards and 
security standards, information sharing and partnerships with 
our sector-specific agency, the Department of Energy, as well 
as other Government entities, such as DHS and DOD, to confront 
rapidly developing threats, and drilling education and 
engagement with industry. Together, we believe they form a 
solid foundation of best practices and strategies to 
effectively confront this ever-evolving threat.
    With respect to standards, our critical infrastructure 
protection standards provide a common foundation for security. 
Our standards are developed using subject matter expertise from 
industry then reviewed and approved by NERC's independent board 
of trustees, and ultimately by the FERC.
    The CIP standards, as Andy noted, require companies to 
establish plans, protocols, and controls to protect their 
critical systems against cyber attack, ensure personnel are 
adequately trained on cyber hygiene, report security instances 
in a timely manner, and effectively recover from events.
    Our standards evolve with increased understanding of 
threats. Recent updates to the CIP standards address supply 
chain risks and improve cyber incident reporting. And we expect 
later this year to address cloud computing and EMP.
    Compliance with standards is routinely audited, and 
noncompliance is subject to financial penalties, at times quite 
significant, and require in many cases CEO execution and
board-level reporting.
    But standards are just one important element of a 
comprehensive strategy. Because the security threat evolves 
rapidly, in addition to the defense provided by the standards, 
industry and government must maintain constant situational 
awareness, real-time communication, and prompt emergency 
response capabilities. And that is where robust information 
sharing comes in, and that is a service that we provide through
the electricity sector information sharing and analysis
center, or the E-ISAC.
    Operated by NERC and working in close collaboration with 
the Department of Energy and the Electricity Subsector 
Coordinating Council, the E-ISAC is the central hub for sharing 
of security information within the electricity sector. The E-
ISAC communicates with over 1,000 electricity industry 
organizations via secure portal with critical security 
information that is provided by both industry and government.
    Through the E-ISAC, we manage a terrific information 
sharing program called CRISP, the Cybersecurity Risk 
Information Sharing Program. CRISP uses innovative technology 
developed by the Department of Energy and the National Labs to 
monitor cyber activity on company systems, and we have 
developed over the last several years the capability to rapidly 
declassify insights from CRISP within 24 hours to communicate 
insights out to industry.
    CRISP companies currently cover about 75 percent of U.S. 
customers, and we are working to further expand the program. 
Information by CRISP is shared beyond CRISP members so that all 
1,000 E-ISAC members can benefit.
    We also conduct a biannual continentwide security drill we 
call GridEx. GridEx is the largest geographically distributed 
security exercise for the electricity sector. Conducted every 
other year in partnership with the ESCC and our Government 
partners, it simulates a widespread coordinated cyber and 
physical attack designed to overwhelm even the most prepared 
organizations and exercise their ability to respond and to 
recover.
    And, finally, we invest significantly in education and 
outreach. We conduct periodic webinars, critical broadcast 
calls, and recently established an all-points bulletin to 
rapidly communicate key insights and threats to industry. For 
the most serious threats we can also use a NERC alert, which 
provides concise, actionable security information and 
mitigation strategies to industry and in many cases require 
industry to report back to us on successful threat mitigation.
    In addition, we sponsor the premiere annual grid security 
conference in partnership with our regional entities, called 
GridSecCon, and it has proven to be a terrific training and 
outreach engagement forum for NERC, the E-ISAC, our Government 
partners, key industry security officials, and key vendors to 
engage and learn from each other.
    Again, I thank the committee for inviting me here today. I 
look forward to your questions.
    [The prepared statement of Mr. Robb follows:]
    
    Mr. Rush. The Chair thanks the witness. And with that, we 
are now concluding the opening statements from the witnesses, 
and we will now proceed to Members' questioning. Each Member 
will have 5 minutes to ask questions of our witnesses, and I 
will start by recognizing myself for 5 minutes.
    Assistant Secretary Evans, it is certainly great to see you 
this morning before our committee once again. And, as you know, 
I have sponsored, along with Mr. Walberg, H.R. 362, which will 
essentially codify your position within DOE as a new Assistant 
Secretary position with jurisdiction over all energy emergency 
and security functions relating to energy supply infrastructure 
and cybersecurity.
    So we look forward to marking that bill up and passing it 
out of the House, and we hope the President will sign it 
subsequent to it passing in the Senate. So we want to be 
invited to your celebration when you are sworn in as the 
codified Assistant Secretary, all right.
    But I have a question for you now. Currently there appears 
to be some overlap or even some tension among some of the 
Federal agencies as it regards to who is responsible for 
cybersecurity when it comes to protecting the energy sector. 
What makes DOE uniquely positioned to take on a leading role 
when it comes to technical expertise, knowledge, experience, 
and resources in protecting the energy-specific sectors? Why is 
DOE uniquely positioned to address all those issues?
    Ms. Evans. Well, first, thank you, sir. And when it is 
signed, we will invite you down for the celebration, everyone 
on the committee, because we applaud your leadership and your 
forward leaning into this important issue.
    Where DOE is uniquely positioned for this is the 
partnership that DOE has as the sector-specific agency out 
through the entire sector as well as State and local 
government. But what is even more unique about the Department 
of Energy is the National Lab structure and leveraging the 
capabilities that the National Lab has.
    So, when you hear maybe that there is some tension, I don't 
know that there is actually tension. It is the specific 
expertise of the energy sector, and that is why the 
administration has us as the sector-specific agency under the 
PDDs, and as well as with the National Cyber Strategy as it 
goes forward.
    There is clarity that we continue to work through as to the 
incident response and how that should work, but I think there 
is no disagreement in the executive branch that this is an 
important sector, and that the public/private partnership is 
critical and that leveraging the National Labs' capabilities 
and our understanding in the energy sector does make us that 
lead, and why we are the sector-specific agency for the energy 
sector.
    Mr. Rush. Thank you very much. I want to move on. Today, we 
have not experienced any large-scale cyber attacks on our 
energy grid. That said, we know that Russia and China and even 
Iran are wrapping up their capabilities to potentially attack 
our energy grid and cause disruptions to our economy.
    And I know that DOE takes these potential threats very, 
very seriously. But are there any areas where Congress should 
provide more assistance either in the form of additional 
authority, resources, or anything else that you might think of?
    And I would also like to hear from Director Dodge and Mr. 
Robb on this issue, on whether there is anything more that this 
Congress can do to help you all protect the grid from foreign 
attacks? Beginning with you, Secretary Evans.
    Ms. Evans. I appreciate the opportunity to answer that 
question. As I outlined in my testimony, it is clear from the 
worldwide threat assessment what the DNI has said about our 
adversaries' capabilities and what they can do in the energy 
sector. When we are looking at it from a national security 
perspective and what the Department is doing, we are really--I 
think, the key area really is the partnership and then the 
information sharing.
    And so, as we are implementing the national strategy, we 
are really looking to clarify roles and responsibilities to 
specifically answer the question that you have posed: Do we 
need more legislative authority? Do we need--as a government, 
what is that administrative package that needs to come up here 
so that we can have that information sharing in a way that will 
facilitate and ease some of the issues that industry may feel 
that they have going forward?
    One area that we are also working out that we are looking 
at is, under the FAST Act, you have given the Secretary the 
authority, once the President designates a grid emergency, what 
exactly is involved in that, and how we would then move private 
industry resources to deal with the national emergency. At that 
point, industry has also expressed and is working with us how 
some additional liability protections may be needed.
    Mr. Rush. My time is expiring, so I won't be able to get 
answers on that question. Will you please respond in writing to 
that question?
    The Chair now recognizes the ranking member, Mr. Upton, for 
5 minutes.
    Mr. Upton. Well, thank you again for your testimony. I have 
a couple of questions, and I am going to try to get through 
them all. I know that we have had exercises on grid security 
that have been, I think, very helpful. Can you tell us what are 
some of the things you have learned from that, number one, and 
also, whether we have had exercises actually on pipelines in 
terms of cyber attacks on pipelines in terms of an exercise?
    Ms. Evans. As it specifically relates to pipelines, we have 
done a joint exercise with FERC in a classified setting to 
really exercise out that interdependency and to see what 
weaknesses we need to shore up. I would--there are lessons 
learned. There are things that we are applying and taking 
forward in the whole-of-government approach. And I would yield 
over to FERC if they would like to speak more about that 
exercise that has happened.
    Mr. Dodge. Thank you. The only thing I would like to add 
about the exercise, it was actually a DOE-led classified 
security briefing and then it was actually a joint tabletop 
drill between DOE and FERC and involved electric industry 
officials, natural gas industry officials. It also included all 
the RTOs and ISOs, and it was a rather extensive event. There 
were lessons learned, as Ms. Evans indicated. It was a 
classified briefing, and the items from those we are actively 
following up on.
    Mr. Upton. And do you plan on doing any of that this year 
yet, calendar 2020, 2019 or 2020? Is there another one that 
is--a date that is set or not?
    Mr. Robb. So let me hop in here. We will be conducting our 
fifth GridEx exercise this November, and it will be a 
multisector exercise, highly focused on the electric system, 
but will also involve communications and fuel suppliers such as 
natural gas.
    You asked about kind of the--and that exercise, again, is a 
continentwide, overwhelming attack, and it is really designed 
to break everybody's system, really to kind of push them to the 
limit so they understand where their vulnerabilities are in 
terms of response and recovery.
    One of the things we are doing this year in our executive 
tabletop is to take a very strong focus on a narrow region of 
the country and really start to focus in on the operational 
coordination that would be required between gas pipelines, the 
communications sector, the utilities sector, and probably even 
the finance sector in what would be involved in actually 
restoring the system after such a catastrophic event.
    Mr. Upton. And a followup question: Was TSA involved at all 
with the exercises?
    Mr. Robb. They have been invited to participate this year, 
and I believe they will be.
    Mr. Upton. Have they participated in the past or not?
    Ms. Evans. TSA participates in all the activities that we 
do from a government perspective. And so, we did last October----
    Mr. Upton. They actually had a person there, or they 
actually----
    Ms. Evans. Yes, sir. Yes, sir. They have a representative 
there. Two weeks ago, also, we just had the Oil and Natural Gas 
Subsector Coordinating Council meeting out in Oklahoma City. 
TSA actively participates. We work directly with the industry 
to actually go through the initiative and the update that we 
have jointly announced with the oil and natural gas that 
happened last October.
    So TSA, Transportation, DOE, Department of Homeland 
Security, we are all there leveraging our resources to look at 
the pipeline security and how to make it more robust.
    Mr. Upton. I am looking at a statement--and I am sorry I 
didn't print this out. I just saw it just a few minutes ago. It 
was reported, I think, in Politico this morning that TSA 
Administrator David Pekoske is talking about they want to be 
more involved but they realize that they are, in essence, 
short-staffed, and the likelihood of operating under a 
continuing resolution, which means that they won't be able to 
expand anything beyond what they had in fiscal year 2019.
    And as we learned a few weeks ago, they only have, I think, 
four people out of the 50,000 that work on pipelines. So I just 
question the substantive role that they might have knowing that 
we have entrusted you all to work together with the enactment 
of the FAST Act, and really appreciate the work that you do, 
and I look forward to supporting the legislation to make you 
someday a portrait-hanging deal as an Assistant Secretary.
    So with that, Mr. Chairman, I yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes Mr. Peters for 5 minutes.
    Mr. Peters. Thank you, Mr. Chairman.
    Thanks to the witnesses for being here.
    Ms. Evans--well, first of all, I appreciate we are in a 
nonclassified situation, so you will obviously tell me if you 
can't answer my questions. But do you know how many cyber 
attacks the electric grid sustains on a regular day, average 
day?
    Ms. Evans. So DOE continuously monitors across multiple 
things, so it depends on how we talk about a cyber attack. And 
so, we are in constant communications with the ISACs, and we 
constantly monitor what is happening in the state of the sector 
as a whole. So beyond that, I am happy to come back in a more 
appropriate setting to give you more details, if you would 
like.
    Mr. Peters. Well, you didn't tell me a number. Do you know 
the number yourself?
    Ms. Evans. That is why I said it depends on how you----
    Mr. Peters. How you define the attack?
    Ms. Evans. Yes, and how you want to quantify that.
    Mr. Peters. Are you able to determine how much of that 
activity is coming from state actors?
    Ms. Evans. So, again, I would be happy to talk about that 
more, but, yes, the way that we are designing the system----
    Mr. Peters. I am not asking you to tell me if it is coming 
from--are you able--do you know whether it is coming from state 
actors, or is that something you don't want to answer here?
    Ms. Evans. I would like to answer that in a more 
appropriate setting.
    Mr. Peters. Let me move on then to something else, maybe to 
Mr. Robb, to follow up with a question that the chairman asked 
of Ms. Evans about what needs to be done now from Congress.
    It is my observation that we rely heavily on the utilities, 
private companies to deal with this. And when they came to 
speak to us last Congress, they suggested that the thing that 
they needed most to modernize the grid, not just related to 
security, but to modernize it was research support from 
Congress that they wanted to be sort of left to their own to be 
able to innovate, which I think is generally appropriate.
    How comfortable do you feel that individual utilities are 
able to handle these attacks, and is there anything that you 
think--to follow on with Mr. Rush's question--that Congress 
should be doing to back that up in terms of security?
    Mr. Robb. I am not sure I caught the entire question with 
the door closing, but----
    Mr. Peters. OK.
    Mr. Robb. The point I would make in response to Chairman 
Rush's question is that the biggest issue for us is that for 
NERC, we are sort of--threat actors or so forth is of less 
interest to us than what is of interest, are the attack vectors 
and so forth.
    The most important thing from our perspective would be for 
government to be able to, more rapidly, declassify information 
to get it into actionable insights that we can get out to 
industry. Industry doesn't need to know the origin. We don't 
need to know the sources.
    Mr. Peters. Right.
    Mr. Robb. We just need to know the whats. And I think 
unfortunately right now, the whats and the whos are intricately 
tied up, and so that kind of clogs the machinery up.
    That would be the most important thing that I would see 
government being able to do that would facilitate better 
information sharing and better awareness at an industry, would 
be rapid declassification and/or broader availability of 
security clearances for folks to participate in those 
conversations.
    Mr. Peters. So real-time ability to share information on 
attack kind of thing?
    Mr. Robb. Absolutely. Absolutely.
    Mr. Peters. Right. What should be the responsibility, the 
legal liability for utilities fending off these attacks? 
Suppose something gets through because of the weakness of a 
particular utility. What incentives do we have to make sure 
that they are carrying their weight?
    Mr. Robb. Well, I am probably not the best expert to talk 
about legal liability. What I would say, though, in response to 
the question, is that every CEO I know of--and this goes from 
the largest IOUs to the smallest public powers--takes this 
threat enormously seriously. So right now I think they all do 
everything that makes sense for them in their situation to 
protect against these attacks.
    Mr. Peters. It is just my observation that unless--I 
appreciate that. I think that is probably something that every 
CEO wants to avoid. But unless there is a bottom-line impact, 
sometimes it doesn't filter through the culture of the entire 
company.
    And I think--I like the way that we rely on private 
innovators to deal with these problems. I think often they are 
better situated than the government, but on the other hand we 
have to provide those incentives through the private industry 
to make sure that they do emphasize this as a business matter. 
And I guess my time is expired. We will have to continue that 
conversation later. But thank you again for being here.
    Mr. Rush. The Chair thanks the gentleman.
    The Chair now recognizes the ranking member of the full 
committee, Mr. Walden, for 5 minutes.
    Mr. Walden. Thank you, Mr. Chairman. As you can see, Mr. 
Chairman, it is dangerous protecting the grid. I am just 
saying. We all have to do our part.
    Mr. Robb, in addition to reports of Russian and Chinese 
cyber activities, you referenced news reports have indicated in 
recent weeks that Iran may threaten retaliation. And that could 
include cyber attacks on critical infrastructure. From your 
perspective, can you briefly walk through how the owners of the 
bulk power system prepare for when they see something like this 
in the news? Are they ready for it?
    Mr. Robb. First of all, I believe that the utilities are on 
kind of constant alert, because they know that they are a great 
attack target for foreign adversaries, and so I think the 
security establishment within the utilities sector is topnotch 
and I think always on alert.
    In the case of, you know, the situation surrounding Iran, 
as soon as we were made aware of the situation, we had an all-
points bulletin that we put together in concert with DOE with 
an appropriate level of declassification of insight that we had 
out within 3 hours.
    Mr. Walden. Right. Now, in recent months the U.S. and its 
allies have been addressing security concerns about Chinese 
telecommunications technologies, such as Huawei. This raises 
questions about the use of similar equipment in the bulk power 
system.
    How are you all--Mr. Robb and Ms. Evans, if you both 
could address this--how are you all addressing supply chain 
risks from this technology in the bulk power supply system? Ms. 
Evans?
    Ms. Evans. As you know, the administration has released 
several guidance and Executive orders associated with supply 
chain risk management. The Department of Energy, the CESER 
program in particular, already had a program underway which was 
dealing with it, which is our CTRICS program, which is Cyber 
Testing for Resilience of Industrial Control Systems, but it is 
really looking at the technology associated with what is in the 
energy grid. That really is looking at that, what is the supply 
chain risk? How are you doing that?
    We also have purchased a tool which we intend to deploy out 
to the sector as a whole so that they can then start looking at 
their own suppliers. And then on top of that, the last piece 
is, is that the Department has announced an advanced 
manufacturing initiative, which is looking at things in the 
long range, for all the innovative technologies, all the 
different things that are happening so that we can make sure 
that we are looking at that upfront as we are then 
manufacturing these technologies.
    Mr. Walden. So will that give purchasers of the technology 
in the systems--can you give them an assurance that what they 
are buying is certified safe----
    Ms. Evans. It is----
    Mr. Walden [continuing]. As well as saying that equipment 
over there may not be?
    Ms. Evans. The idea of our programs to be able to go 
forward, which actually merit the same type of approach that 
you have taken in the legislation, is a voluntary 
participation. So leveraging the capabilities of the labs and 
looking at the test beds----
    Mr. Walden. Right.
    Ms. Evans [continuing]. It is publishing and then us 
working in jointly with, like, the National Institute of 
Standards to do the widest distribution of that information so 
that you could then become an informed consumer. So what you 
will then see is industry partners who are actively 
participating. For example, NIST has a very active cyber center 
of excellence that the energy sector and the industry partners 
are actively participating in.
    Mr. Walden. Yes. So what I want to know is, as a simple 
consumer here--I realize that is not who is buying this 
equipment in the power grid--but will there be like a stamp-of-
approval URL, you know, approval that this equipment meets the 
standards, you can rest assured it has no backdoors, no chips 
that are programmed?
    Ms. Evans. That is what we hope to be able to identify 
jointly through the Advanced Manufacturing Institute.
    Mr. Walden. All right. All right.
    Ms. Evans. So do we have an outcome in mind? Not 
necessarily, but it will evolve through the Advanced 
Manufacturing Institute.
    Mr. Walden. Because I know we have some of this equipment 
in different telecommunication systems today.
    Ms. Evans. Absolutely.
    Mr. Walden. And it gets very expensive to take it out. And 
you don't want, you know, buy the next piece of equipment to 
replace it and then somebody says, ``Oh, by the way, that is 
not good either,'' and so we want to avoid that. Mr. Robb, I 
have only got 30 seconds, but please, take it.
    Mr. Robb. Sure. So on this last point, we think a supplier 
certification program is a very smart thing to do. The work 
that DOE is doing in this area is terrific. There are also some 
voluntary industry groups coming together to try to create a 
similar program.
    To your initial question around Huawei, ZTE, and the list 
of suspect companies, we are actually going to be issuing--
well, first of all, we issued an all-points bulletin back in 
March in response to the Defense Authorization Act prohibitions 
around those suppliers, alerted industry to that fact. We gave 
them some time to get their head around where some of those 
technologies might be deployed in their systems.
    Next week, we will be issuing what we call a level-two NERC 
alert, which will require industry to inventory all the 
instances that they still have of those devices, communicate 
back to us their mitigation strategies around them, and we will 
have that information by the end of the summer.
    Mr. Walden. Thank you, Mr. Chairman. Thank you.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes Mr. McNerney for 5 minutes.
    Mr. McNerney. Mr. McNerney from California.
    Mr. Rush. Mr. McNerney from the great State of--great 
nation of California.
    Mr. McNerney. Thank you, Mr. Chairman. Again, I thank the 
witnesses.
    Mr. Robb, you testified that, as of yet, there have been no 
successful cyber attacks on our utility system. And that is a 
great achievement of your office, so I appreciate that.
    Ms. Evans, are you aware of any foreign governments that 
are embedding cyber weapons into our utility grid today to be 
used in possible future attacks? If you are free to answer that 
question.
    Ms. Evans. I would reference back to the unclassified 
version of the worldwide threat assessment. I think that the 
DNI has been very specific about what our adversaries' 
capabilities are. I specifically quoted in my testimony, and I 
also have it memorized, it is at the bottom of page 5 and the 
top of page 6. And so he was very clear about what the 
capabilities and what our adversaries can do.
    Mr. McNerney. Thank you.
    Mr. Robb, concerning information sharing, is the security 
clearance of utility officials an obstacle to effective data 
sharing of cybersecurity information?
    Mr. Robb. I would say yes. Just the sheer number of 
individuals who are waiting for a clearance that don't yet have 
them is problematic.
    Mr. McNerney. How can we remedy that problem?
    Mr. Robb. I don't have the answer to that question, but it 
is a problem that needs to be resolved.
    Mr. McNerney. OK. Let's collaborate on that a little bit 
then.
    Assistant Secretary Evans, you note in your testimony that 
one area of truly foundational problem is the cybersecurity 
workforce development. What is CESER and the DOE doing to train 
workers against these kinds of threats?
    Ms. Evans. So I appreciate the opportunity to highlight the 
work that we are doing there. We have the cyber strike 
training. And the Executive order that the administration has 
released recognizes the fact that we have to deal with 
cybersecurity workforce issues in general, but very specific 
about the energy sector.
    So we are looking and leading the effort in conjunction 
with Department of Homeland Security to see what those gaps are 
and how to train and make that more robust. And then the other 
area that we are really trying to innovate and lean forward on 
is the use of competitions to be able to use that applied 
learning. The labs are strategically placed in this area with 
all the different types of test beds that they have so that we 
can use those competitions for a learning experience and then 
feed that result back into the training that we need to do for 
the sector as a whole.
    Mr. McNerney. I have met some of those folks at the 
National Labs. It is impressive what they are doing. And the 
young people are impressive that are doing the work as well.
    Ms. Evans. Yes, sir.
    Mr. McNerney. Again, Assistant Secretary Evans, can you 
describe some of the unique threats facing small utilities 
today with regard to cyber attacks?
    Ms. Evans. I would say that one of the biggest things that 
we need to do, which you hit on a little bit, is making sure 
that dissemination of information and the sharing of that 
information hits at all levels, and that we are working with 
State and local governments and the associations to make sure 
that they have the tools that they need and that they have the 
awareness and the education that all of them need to have so 
that you can properly prepare and make sure that you are 
assessing the risk that is happening in your area.
    We are working with those State and local governments with 
the energy coordinators in the Governors' offices and in the 
States to also then drive down this information. And then also 
working across with other parts of the Government that interact 
with State and local governments as well to make sure that 
these tools, as well as with the ISACs, have the widest 
proliferation.
    Mr. McNerney. Good answer.
    Mr. Dodge, can you describe some of the work that the OEIS 
is doing to assist small utilities in addressing their 
vulnerabilities?
    Mr. Dodge. Sure. Through FERC, through the OEIS office, 
they actually work with DOE to actually constantly stay aware 
of all the threats that are taking place. They also coordinate 
with the ISAC to find out the threats are taking place as well.
    Through DOE, they actually then conduct classified 
briefings with the smaller utilities, and they are actively 
going out and identifying and sharing best practices with the 
smaller utilities. In addition to that, they are actually 
volunteering--on a voluntary basis conducting architecture 
assessments with any of the entities that are interested in 
that service.
    Mr. McNerney. So it sounds like the availability of 
security classifications is an issue then?
    Mr. Dodge. I am sorry?
    Mr. McNerney. The availability of security classifications 
for these small utilities could be a problem?
    Mr. Dodge. We work to try to overcome that as much as we 
possibly can. And part of what we would do as we work with DOE 
is actually get one day read-ins for some of the personnel from 
the utility companies to alert them of threats.
    Mr. McNerney. All right. Mr. Chairman, I yield back.
    Mr. Rush. The gentleman from the great State of California 
yields back.
    And the Chair now recognizes the gentleman from the only 
State in the Union that eclipses California as a great State, 
Mr. Latta from Ohio, for 5 minutes.
    Mr. Latta. Well, thank you, Mr. Chairman. And thanks for 
conducting today's hearing. Very informative. And I want to 
thank our witnesses for being with us today. It is a very, very 
important topic that we all worry about constantly on this 
committee.
    I just want to follow up a little bit from my friend and 
colleague and co-chair of the Grid Innovation Caucus. Mr. 
McNerney talked about a little bit earlier that we had 
introduced legislation earlier this year on H.R. 359, which, 
one, being the Enhancing Grid Security, and H.R. 360, the Cyber 
Sense Act. And on the Cyber Sense, just, again, to go through 
that, because I know that my friend from Oregon was talking a 
little bit about it. We had been looking at what has been 
happening, a lot of different things that are happening from 
around the world with--we have to be very careful about what is 
being put into our systems and what kind of devices.
    But the 360 is the Cyber Sense Act. And, again, that 
program would identify and promote cybersecure products for use 
in the bulk power system and also would establish that testing. 
I know he brought about, you know, that seal of approval. But 
we want to make sure that there is that testing of these 
products that would be going on and a reporting of the 
cybersecurity vulnerability. And also, the Secretary at DOE 
would be required to keep a related database for those products 
to assist electric utilities in that evaluation of these 
products.
    And, you know, both these bills have now been reported 
favorably out of our subcommittee. Hopefully, we will see those 
be signed into law soon.
    But if I could ask Assistant Secretary Evans, do you think 
that our legislation we have been working on, not only the Grid 
Security, but also the Cyber Sense, is going to be helpful in 
making sure that you can do your job?
    Ms. Evans. I appreciate the leadership that you--that the 
committee is showing in this area. I do believe that the intent 
of what you have going forward about having vulnerability 
disclosures and the idea of constantly--or having the ability 
to verify and validate products as they go out and ensuring 
that the supply chain risk is minimized is important regardless 
of whether the legislation gets passed or not. And so our 
office is working and leveraging that capability and using the 
National Labs, and we are moving forward.
    When the legislation--I am assuming you will be successful. 
When the legislation is passed, it will enhance that and allow 
for us to move in a more robust manner.
    Mr. Latta. Well, thank you very much.
    You know, in the aftermath of the 2015 Ukraine cyber 
attack, the investigation found that the perpetrators didn't 
rely on any exploits or software vulnerabilities to disrupt the 
grid. Rather, they gained access to the system over time, 
learning how to maneuver it and use it against itself. In 
short, patching vulnerabilities wouldn't have prevented the 
attack, but patching continues to represent the majority of our 
cybersecurity efforts.
    And to the panel, what steps can be taken to improve the 
monitoring of the system networks to prevent potential 
attackers from learning how to use a system against itself? 
And, Assistant Secretary, if you'd like to start, we would just 
ask everyone to answer that question.
    Ms. Evans. So I would like to change the dynamic, and that 
is what we are attempting to do through our research and 
development in the CEDS program that we have, because a lot of 
what we are looking at is after the fact, so patching and 
maintaining systems.
    A lot of the things that we are looking at in investing 
through our portfolio is being able to detect and protect, 
which is changing the dynamic in a way of using technology so 
that you cannot necessarily do it after the fact but prevent it 
up front. So looking at more active dynamic types of things, 
such as software-defined networks, looking at quantum key 
distribution. How can you use those types of technologies that 
are evolving right now to ensure the validity of the data or 
look at the interactions of the transactions that are happening 
between the operational technology as well as the information 
technology systems.
    We are investing pretty heavily in that, leveraging what is 
happening in the labs, and we currently have a lab call right 
now that is out that is looking for some ways of how we can 
accelerate that deployment.
    Mr. Latta. Thank you.
    Mr. Dodge and Mr. Robb, we have got about 35 seconds.
    Mr. Dodge. Sure. So FERC just recently changed the 
cybersecurity reporting standard requirements. And previously, 
entities were only required if they had an event related to a 
cybersecurity that impacted reliability of bulk power system. 
Now they will have to report events where--or possible 
intrusions or attempts to actually compromise the cyber assets 
that impact the cyber assets as well as a bulk power system. 
And that information sharing associated with that will be a 
huge benefit.
    I defer to Jim.
    Mr. Latta. Mr. Robb.
    Mr. Robb. I will be very quick. I think I would underscore 
Secretary Evans' discussion. I think from our perspective, one 
of the most valuable capabilities to advance would be the 
ability to monitor what is going on with operational technology 
systems in the same way we can enterprise systems right now.
    Mr. Latta. Thank you very much.
    Mr. Chairman, my time has expired, and I yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes the gentleman from Virginia, Mr. 
McEachin, for 5 minutes.
    Mr. McEachin. Mr. Chairman, sadly, my questions have been 
asked, so I will yield back.
    Mr. Rush. The Chair thanks the gentleman for yielding back.
    Now the Chair recognizes Ms. Blunt Rochester for 5 minutes.
    Ms. Blunt Rochester. Thank you, Mr. Chairman. And thank you 
so much to the panel for discussing the security of our 
Nation's critical energy infrastructure. As was stated by 
everyone, this is of utmost importance, and we thank you for 
your work.
    I just want to pick up on some of the questioning that was 
asked before from a workforce perspective. I served in our 
State of Delaware as head of State personnel for a while and 
secretary of labor. And one of the big challenges is always 
recruitment, retention, compensation, training. Sometimes the 
first budget that gets cut is training.
    I am curious if you could just talk to us about some of the 
both challenges that you see in terms of recruitment and 
retention of individuals in this cybersecurity space--and 
particularly from a nonprofit and a public-sector perspective 
when you are competing with the private sector--and then the 
other question that I had was around innovation. Are there 
innovative things that are being done to recruit folks to work 
in your organizations?
    I will start with that, and if we could start with Ms. 
Evans.
    Ms. Evans. So I appreciate the question, and especially 
coming from Delaware, because the State of Delaware, based on 
my previous experience, is very innovative in the approach that 
they are taking. In my work as the U.S. cyber challenge 
director, we really looked at this. And the blending of 
nonprofit public sector, the education system, and how you do 
that and how to identify that and then make it and that 
commitment of bringing them in is clearly demonstrated in the 
way that the State of Delaware has tackled this issue.
    There are incentives. There are things that we need to do, 
but what really gets people excited--and you have to look 
outside the more traditional places. Some of the people that 
are best in this field do not come out of STEM. And that is 
clearly demonstrated when you put together teams in the 
competitions to see all the skill sets that are needed.
    Ms. Blunt Rochester. Thank you. Thank you.
    Mr. Dodge.
    Mr. Dodge. Thank you for the question. So from a FERC 
perspective, we are actively monitoring our staffing levels and 
our needs. And we have actually undertaken several programs in 
the last couple of years. I am not going to get the precise 
names of the programs. But, basically, there is an internship 
program where we actually reach out to colleges and bring 
people in as they are freshmen, sophomores in college, and they 
come in and they spend a summer or a part of the year working 
for us.
    We are actively working to improve our on-campus 
relationships with different universities. And then we actively 
go out and do on-campus recruiting as a followup. And then in 
addition to that, the Federal Government actually has a tuition 
reimbursement program that, after the students graduate, they 
come work for FERC for a period of time. There is actually some 
tuition reimbursement where they actually can forgive some of 
their previous student debt.
    Ms. Blunt Rochester. Thank you.
    And, Mr. Robb.
    Mr. Robb. Yes. I don't have any great insights into kind of 
the workforce development challenge that we have in the sector 
other than to underscore that it is real, as we all know.
    I would say from a NERC perspective, what we have found is 
we have been able to attract and retain some very top-flight 
cyber skilled individuals. But we do that not because we pay 
them top dollar; we do that because they are committed to our 
mission. And a number of people in the sector are very 
committed to the security and the value associated with 
electricity and so on and so forth. So we appeal to that part 
of individuals. And we have had some pretty good success with 
that, but it is a challenge.
    Ms. Blunt Rochester. Yes. Thank you.
    And, Ms. Evans, thank you for bringing up also the 
nontraditional. I think one of the challenges we have as well 
is an aging workforce. And so, even when you look at workforce 
planning and who will be retiring, making sure that we are 
staffed up.
    My other question was more related, not so much to the 
cyber, but to our--to kind of natural disasters and things like 
that and whether or not, with the severe weather incidents that 
we are seeing, how are you preparing, whether you call it 
climate change, whether you call it severe weather, whatever 
you want to call it? These things are real as well. Could you 
talk about preparation for those?
    Ms. Evans. We also have the emergency response capability 
in our group. We are looking at our staffing of how to do that. 
The staffing and the way that our plans are set up mirror the 
way the FEMA regions are set up. But we also then use a lot of 
the modeling that is available within the National Labs so that 
we can do predictive types of things.
    But what is key to the success in this emergency response 
is our partnership with private industry. And so we 
continuously have to have that dialogue with them because it is 
their resources that we need and that we work with in order to 
be able to share that information and be able to respond.
    Ms. Blunt Rochester. Thank you so much.
    And I yield back.
    Mr. Rush. The Chair thanks the gentlelady for yielding back 
and now recognizes Mr. Olson for 5 minutes.
    Mr. Olson. I thank the Chair. And welcome to our three 
witnesses.
    As my colleagues all know, I love to brag about Texas. And 
along that line, Mr. Chairman, you are correct, one former part 
of Mexico became a country before it became a State, but it 
wasn't California. It was the Republic of Texas, in existence 
from 1836 to 1845. God bless Texas.
    Mr. Rush. We haven't recovered yet.
    Mr. Olson. And this is not a brag, but our grid is the 
biggest target in America for cyber attacks. We have a free 
market power system that covers 95 percent of our State run by 
a group called ERCOT. They manage 46,000 miles of electric 
power lines, 650 separate generation units. Last summer, their 
daily load was 72 megawatts hourly. That is a huge, huge amount 
of power. And as you know, if that goes down, that could be 
very, very bad.
    Along the Houston Ship Channel, 52 miles long, lies 
America's largest petrochemical complex, valued at over $15 
billion and growing quickly. And with the shale revolution, we 
have more and more oil coming into our region for refining. 
Those are being exported now. Nearly 7 million people live 
within 30 miles of the port of Houston, Houston Ship Channel. 
The bad actors know if they can take down our grid, have us 
lose control of some of these industrial processes, people will 
be harmed, and some people may even die.
    My question is for all three of you. We right now are 
working hard with the private sector, government there in 
Houston to address these cyber issues. But we all know we have 
resources that are limited. We can't go crazy. We can't jack up 
the prices. These things have to work.
    So my question for all of you is how do we balance the 
proper way to achieve how we can best prevent cyber attacks 
while making sure we don't jack up prices and make us 
noncompetitive in a global market? How could we balance this 
out? What is the key?
    Ms. Evans, you are up first.
    Ms. Evans. All right. The way that we are approaching this 
and that we are working with our partners at DHS is really 
doing risk modeling. And so it is really identifying what are 
those most critical assets that an industry has. And then in my 
particular case, what I am trying to do is develop a set of 
tools so that the Government as well as our industry partners 
can actually look at what is the best way, what is the highest 
risk, how do I protect that, what is the cost associated with 
reducing the risk in that particular asset.
    And so as we move forward with that, a lot of this is, 
then, how you give them that information so that they can then 
use that in the marketplace going forward.
    Mr. Olson. That is the same model Governor Perry had there 
in Texas. That made our grid pretty secure when he was our 
Governor. Thank you.
    Mr. Dodge, your thoughts, sir.
    Mr. Dodge. Thank you. Thank you for the question. So from 
FERC's perspective, we have the Office of Energy Infrastructure 
Security that actively is doing things on a voluntary basis, 
conducting classified briefings, performing architecture 
assessments, identifying best practices, sharing those best 
practices. In addition to that, FERC undertook a security 
investments tech conference back in the spring, a couple months 
ago, where we actually brought in members of the electric 
industry as well as the natural gas industry as well as Federal 
and State public utility commissions and also officials.
    The goal of that tech conference was to actually identify 
best practices, share those best practices amongst protecting 
infrastructure that is not only FERC's jurisdiction but other 
infrastructure, look at cost recovery mechanisms to determine 
whether they are adequate, and whether FERC or the State should 
take additional action. And also, I was remiss to mention that 
actually that was a joint DOE, FERC-led tech conference. So we 
are actively working with FERC on that.
    We received comments back from the public on that tech 
conference, and we are process reviewing these comments in 
determining next steps.
    Mr. Olson. Thank you. And the man from Neil Armstrong's 
university, Mr. Robb.
    Mr. Robb. Go Purdue.
    Mr. Olson. Fifty years ago, that man walked on the Moon.
    Mr. Robb. I would echo what has been said here. I think one 
of the key things that we are doing as NERC is taking a risk-
based focus to all the work that we do, both in terms of which 
standards are applicable to which entities and then which 
standards do we audit and so on and so forth.
    So I think there is a clear recognition that ``one size 
fits all'' doesn't work in this area. So in terms of striking 
that balance between economics and risk reduction, you really 
just got to make sure you are focusing on the most important 
risks and not leaving yourself exposed on the other side.
    Mr. Olson. Thank you, Mr. Chairman. I remind everybody the 
stars at night are big and bright.
    Mr. Rush. The Chair wants to bring the gentleman from Texas 
down to size. Your time is up.
    And now we recognize the gentlelady from New Hampshire, Ms. 
Kuster, for 5 minutes.
    Ms. Kuster. Thank you, Mr. Chairman. I appreciate it. And 
thank you to all the folks that we have here today.
    This is a very important issue, and I know people in New 
Hampshire are concerned about their critical importance to our 
families and to communities all across the country. And it 
doesn't typically get the attention it deserves, so I 
appreciate this hearing.
    Ensuring that our electric grid can operate without 
disruptions is imperative to ensuring that hospitals can treat 
patients, first responders can do their jobs, and schools can 
educate our children. But all of this can be jeopardized if a 
foreign entity or bad actor is successful with a cyber attack 
on our electric grid.
    We know our utilities are on the front line of ensuring 
that our grid is protected, but not all utilities are 
adequately maintaining safeguards that could combat a cyber 
attack. And while I am pleased to see FERC taking recent steps 
to strengthen cybersecurity standards for our Nation's electric 
system, I still have questions about how we can act in a more 
transparent way.
    So, Mr. Dodge, my first question is directed to you. Could 
you please explain what happens at FERC when it becomes aware 
of a utility's noncompliance with cybersecurity regulations?
    Mr. Dodge. Sure. Thank you very much for the question. I 
appreciate the question. So there is a process, and actually 
the process that takes place is in terms of compliance. FERC 
oversees the development and enforcement of the mandatory 
reliability standards, including the CIP standards. NERC, and 
actually its regional entities, actually conduct periodic 
audits of the red strategies to make sure----
    Ms. Kuster. I am asking when FERC becomes aware that a 
utility is noncompliant with security regulations.
    Mr. Dodge. So that the process would actually take place is 
either through an audit conducted by NERC or its regional 
entity or through a self-report from the registered entity to 
NERC. NERC actually coordinates that. They investigate the 
noncompliance. The registered entity actually files a 
mitigation plan, and they mitigate the concern. And then NERC 
submits the actual violation, along with a recommendation for 
penalty, to FERC for review. FERC staff reviews that and makes 
a decision whether to assess the penalty or not.
    Ms. Kuster. And that FERC assessment, does FERC disclose to 
the public the specific utility that is in violation?
    Mr. Dodge. So through the FAST Act that was passed a couple 
years ago, this actually gives us authority underneath FOIA to 
identify CEII, which is critical energy infrastructure 
information.
    So critical energy infrastructure information could be 
engineering, design, prints, vulnerability information about 
specific electric system assets. FERC, as a policy, looks at 
that information and any of that information that could 
potentially be useful to someone who wants to impose harm on 
the electric system. We do not divulge that information.
    So over the past 6 to 12 months, we received a number of 
requests, FOIA requests, for CEII-related information, 
including the entities who have violated some of the CIP 
standards. We reviewed them in excruciating detail, and we have 
determined which ones to release, which ones not to release. We 
are still working through that. And we have released the names 
of some entities where we did not believe it would actually be 
a threat to security of that entity.
    Ms. Kuster. So how would you suggest that we keep our 
constituents informed of the level of risk to them from a cyber 
attack?
    If you are not willing to be transparent with the public--
and I have heard your explanation why, this is a balance for 
us. If our constituents are at risk, we need to be able to 
inform them of the level of risk.
    Mr. Dodge. So whenever a--the utility companies, 
registering entities, are actively monitoring the compliance to 
the CIP standards. As soon as they find a problem or through a 
self-report or through an investigation, routine audits 
conducted by NERC or one of its registered entities, they 
actually work to mitigate that concern and address that 
concern. We do go through--you know, through the FOIA process 
and CEII process and review the individual FOIA requests, and 
we do make the information available as appropriate.
    Ms. Kuster. So if there is a bad actor, you would tell my 
constituents or anyone else in this country, in this Congress, 
tell the public we have had repeated concerns about compliance 
with this bad actor?
    Mr. Dodge. So we actually review the information that is 
publicly available or the information that is filed with FERC. 
And we look at the information. We look at what level of 
detail, technical details in the information, whether releasing 
that information would identify any vulnerabilities or make 
available any information that was particularly useful to 
someone who wants to impose malintent or ill harm on the 
electric system. We do not release the names of the entities in 
that situation.
    Ms. Kuster. So I am just trying to raise the balance of 
protecting our constituents. But my time is up. I appreciate 
your response.
    Mr. Dodge. Thank you.
    Mr. Rush. I thank the gentlelady.
    The Chair recognizes my friend, the gentleman from West 
Virginia, who has the best mustache in the whole Congress, Mr. 
McKinley, for 5 minutes.
    Mr. McKinley. Thank you, my friend.
    Mr. Chairman, I would like to ask unanimous consent that 
this article with comments from Mr. Robb about the grid be 
submitted for the record.
    Mr. Rush. Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. McKinley. Thank you.
    Mr. Chairman, I would also like to expand on the theme of 
this keeping the lights on to include grid reliability. Last 
Congress, as you well know, our committee held a number of 
hearings on this--on the grid and reliability and resiliency. 
But it is not just the Energy and Commerce Committee that is 
concerned about the grid and its reliability. We had a report 
that was produced by the National Energy Technology Laboratory 
that said that, without the use of coal, the Eastern United 
States would have suffered widespread blackouts during the 2018 
bomb cyclone. Think about that.
    ISO New England said that--in their report said that the 
most significant challenge that they face is fuel security and 
that coal and nuclear power plants are needed to maintain 
reliability. And lastly, Secretary Perry said in 2017 that the 
resiliency of the electric grid is threatened by the premature 
retirements of these fuel-secure, traditional base load 
sources.
    So, Mr. Robb, if I could turn to you. Last week, you made 
these remarks, these profound comments, I believe, regarding 
the grids in both Texas and New England specifically.
    Regarding Texas, you said--pardon my French here on this--
you said there is no way in hell they can keep the lights on, 
and yet they do. Regarding New England, you said the grid 
operators constantly are finding ways to pull another rabbit 
out of the hat to keep the lights on, when any of us would look 
at that situation as engineers and say it has got to break.
    So, Mr. Robb, should Congress be more concerned with this 
situation?
    Mr. Robb. So I am not sure I used exactly all the colorful 
language that was reported in the----
    Mr. McKinley. It is in the press. Whatever is in the press, 
you know we believe it.
    Mr. Robb. I have to watch my vocabulary sometimes.
    I think the point around this--and I threw a third market 
in there, California--I think all three of these markets are 
demonstrating the challenges associated with the transformation 
that is going on within the electric grid. The agencies in 
California revolve around the deployment of solar and the role 
of natural gas to balance those resources. Texas has kind of a 
contemporary problem of just reserve margin, which is one of 
the planning statistics that we look at to assess whether or 
not there is enough resource to meet load. That is below levels 
that traditionally people would say are reliable. New England 
has a fuel security problem, as noted there.
    I don't know that these are congressional issues as much as 
they are market issues and State policies around resource 
development and deployment. And the point that I don't think 
got reported quite as clearly as I would have hoped is that 
what we are seeing in these areas are market operators 
innovating and finding ways to make the system work in ways 
that aren't consistent with traditional rules of thumb. And I 
think the key here is for us to modernize our thinking.
    Mr. McKinley. Let me try to get a couple more questions in. 
If I could go to my fellow colleague from--fellow Mountaineer 
from West Virginia, Ms. Evans, and also Mr. Dodge.
    In your experiences, are fuel-secure coal and nuclear plant 
base load power plants critical to maintaining grid 
reliability? Both of you, please.
    Mr. Dodge. So there has been a lot of work done in this 
area. And, you know, what you really have to look on overall----
    Mr. McKinley. It is a yes or no, isn't it?
    Mr. Dodge. So what you really----
    Mr. McKinley. Let me ask the question again.
    Are fuel-secure coal and nuclear base load power plants 
critical to maintaining grid reliability?
    Mr. Dodge. I would like to get back to you in writing with 
the answer to that question.
    Mr. McKinley. Be what?
    Mr. Dodge. I would like to get back to you with an answer 
to that question.
    Mr. McKinley. OK.
    Ms. Evans.
    Ms. Evans. I believe that the Secretary has, and the 
administration has, expressed its commitment to multiple 
sources as it relates to the reliability and our commitment as 
it goes forward. And our budget request also reflects our 
commitment to new sources such as nuclear.
    So if you need a more detailed answer, I am happy to take 
that question for the record and get back to you as well.
    Mr. McKinley. Thank you.
    I yield back my time.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes Mr. O'Halleran from the great 
State of Arizona.
    Mr. O'Halleran. Thank you, Mr. Chairman, especially for 
letting us know that Arizona is a great State, since I came 
from Illinois originally. It is also a great State. Thank you.
    Thank you, Mr. Chairman and Ranking Member Upton, for 
holding today's important hearing on ways we as a government 
can ensure our electrical grid assets remain protected and our 
agencies and stakeholders are fully empowered to defend against 
cyber threats.
    My State of Arizona is one of the most diverse States in 
the country when it comes to electric generation and sources. 
While more electric grids integrate renewable energy into their 
grids, it is essential that reliability of the grid is never 
interrupted.
    As cyber attacks continue to increase across multiple 
sectors, it has become clear that threats from information 
sharing, collaboration, and partnerships between government 
agencies and industry are necessary to achieve a full defensive 
cyber posture.
    Assistant Secretary Evans, in your testimony, you 
highlighted the Cyber Analytics Tools and Techniques program as 
one of the several DOE initiatives to promote cybersecurity 
defense at the energy sector who owns the critical 
infrastructure assets. What is DOE doing to support threatened 
information sharing, analysis, and timely--and I repeat, 
timely--return of actionable intelligence back to energy sector 
entities? And is the energy information flow reciprocal?
    Ms. Evans. I appreciate the opportunity to talk about that 
specific initiative. We refer to it as CATT. And the key to 
that is the timeliness of getting the information back. So I 
would like to share one particular piece that is happening on 
that project.
    One of the things that is important is getting the 
contributions of the information from private sector. I think 
what you have heard today is that there is a lot of information 
sharing that happens. What we have to do, then, is be able to 
anonymize it to put it into a big pool, which our National labs 
have worked with us on that, but then keep enough information 
with it so that, as they identify something across a big trend, 
that we can then take it back out of that pool and give 
actionable information either through the ISAC or directly to 
that entity.
    That is what that platform is doing through the multiple 
pilots that we have into research and development. We talked 
about CRISP. That is one of the contributions to that. And the 
whole key to that is to keep our portion of it declassified so 
that it will end up being machine to machine in the long run by 
using the advances of technology.
    Mr. O'Halleran. I had some other questions that I prepared. 
But, in general, as I have been listening today, I have heard 
the word ``whole of government'' mentioned. I have heard best 
management and practices mentioned. The shortage of, obviously, 
potentially the workforce that is going to be needed. And then 
I took a look at your budget in the Department of Energy and 
found that--I don't know how you are going to get that all 
accomplished with that budget. I don't know--I am not going to 
leave you here today secure to be able to tell my constituents 
that we are in a position to fully defend the electrical grid 
at this moment in time. I would like to make sure that I can 
eventually be able to see a timeline on these projects that you 
have mentioned today, a cost estimate on how much it is going 
to cost us within that timeline and with a more aggressive 
timeline, because this is something that is continually 
changing, as you know, but also continuing to be a threat to 
our country.
    I am concerned about some of the more volunteering 
reporting structure that I heard about today, especially as we 
get down and down into having less personnel available and that 
are a level of competency to be able to address those needs on 
an ongoing basis. And we have newer and newer energy sources 
coming online with much smaller budgets and getting into the 
grid than some of the other major competitors that are out 
there.
    So, in general, I think this has been a good and 
enlightening process today. But as far as enlightening me, it 
has been one that has left me with more questions than answers, 
especially in the integration of how that whole process is 
working in that timely fashion.
    So I want to thank you all for being here today, and I 
yield.
    Mr. Rush. The Chair thanks the gentleman.
    Now the Chair recognizes Mr. Griffith from Virginia, the 
great State of Virginia, for 5 minutes.
    Mr. Griffith. Thank you very much, Mr. Chairman. I greatly 
appreciate it.
    Assistant Secretary Evans, you and I spoke last year 
discussing pipelines and some of the concerns that my 
constituents have. And I was going to ask you some questions on 
updating me on what you all were doing related to pipeline 
cybersecurity and coordination. You answered those questions 
earlier when Ranking Member Upton was asking questions, and so 
I appreciated those answers. I am going to skip those questions 
that I would have asked, because I don't believe in asking the 
same question over again just so it gets on my video clip.
    But if anybody back home is watching this, I encourage them 
to flip back a little bit and look at your answers, both yours 
and Mr. Dodge's answers, to Ranking Member Upton in regard to 
the coordination that you all are doing. And it sounds like--
although it was classified, it sounds like you all are headed 
in the right direction.
    Do you have anything to add? Are you doing the same kind of 
coordination on physical threats to the pipelines as well?
    Ms. Evans. The short answer is yes, sir, and that that then 
is also then demonstrated through the exercises. And that 
information is also shared through the ESEC meetings that we 
have when the government partners are there and talking about 
the physical threats that happen to the pipelines with the 
voluntary reports. And FBI is there, and that has been 
highlighted from our industry partners to the FBI.
    Mr. Griffith. All right. Mr. Dodge, did you want to add 
anything in regard to the physical threats? Because we have 
already talked about the cyber.
    Mr. Dodge. The only thing I would add is that, in terms of 
the pipeline activity, OEIS is also involved with that 
activity. They work with DOE to conduct a security briefing 
threats. In addition to the ESEC, they are actually actively 
involved with the ONG SEC as well.
    Mr. Griffith. And because there are continuing concerns, I 
think that the questions that Mr. O'Halleran just asked are 
also important. And some of the questions, we will continue to 
look at at this committee. And if you need our help passing 
legislation or something, we want to make sure that we have as 
much safety as we can. And I appreciate that.
    Assistant Secretary Evans, when it comes to pipelines, TSA 
is taking the lead in developing some voluntary guidelines for 
industry to follow. According to reports from the GAO and the 
CRS, they have only a handful of people working on 
cybersecurity for pipelines.
    Do the TSA staffing and resource constraints concern you? 
And this is a lob in hopes that maybe I think maybe DOE ought 
to take the lead.
    Ms. Evans. So, as you know, through the oil and natural 
gas, SEC as well as the Government Coordinating Council, we 
work jointly with Department of Homeland Security and TSA. And 
so our resources we use to leverage the TSA resources because 
we recognize as a government that we need to address this 
vulnerability.
    Mr. Griffith. And I appreciate that. But am I correct--and 
I may not be--but am I correct that DOE is actually putting 
more capacity and has more folks working on this than TSA?
    Ms. Evans. I would not presume to answer a TSA staffing 
issue, sir, at this time, because I know that that is an 
internal discussion to DHS, and it is more appropriate for that 
question to go to DHS at this time.
    Mr. Griffith. Maybe you can encourage them to talk to us 
about this as well. I appreciate it.
    Would you describe the Energy Government Coordinating 
Council and DOE's role in that council?
    Ms. Evans. We are the cochair of the Government 
Coordinating Council with Department of Homeland Security. We 
help craft the agenda. Going forward, we work with DHS hand in 
hand and our government partners. A good example of that work, 
we just recently did a top-secret SCI briefing for the 
Interstate Natural Gas Association of America, so--keeping with 
the pipeline theme--so that we could really share with them and 
coordinate through the intelligence community what risks that 
they are facing. And that was to the executive board of that 
association.
    Mr. Griffith. And I don't even remember now who it was. 
They didn't reveal any secrets, but they felt like that was a 
useful--somebody reported to me they felt like that was a 
useful--it was a good use of their time, and it was a useful 
meeting.
    In this space, should DOE have the lead role to ensure the 
safe and reliable flow of energy across the U.S.?
    Ms. Evans. I believe, sir, right now that we do have that 
role as it relates to the sector-specific responsibilities that 
we have that are outlined both in the FAST Act and the 
Presidential directives.
    Mr. Griffith. Well, and as I have revealed my prejudices in 
this regard, I do think the DOE is probably where--I think DOE 
should probably be in the leadership role in coordinating 
preparedness and cybersecurity efforts on all aspects of our 
pipelines. And you have already indicated you can't talk about 
the staffing, but would you disagree with me on that?
    Ms. Evans. I believe that we have unique expertise. And as 
the sector-specific agency, we use that expertise across the 
energy sector and with our partners in private industry.
    Mr. Griffith. I appreciate it very much.
    Thank you, Mr. Chairman. I yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes the gentlelady from Washington, 
Mrs. McMorris Rodgers, for 5 minutes.
    Mrs. Rodgers. Thank you, Mr. Chairman. And I appreciate the 
witnesses being here today to share your perspective on this 
important topic.
    Assistant Secretary Evans, I understand that one of the 
most exciting projects is looking at how software-defined 
networking, SDN, technology developed by Schweitzer Engineering 
Laboratories in Pullman, Washington, in partnership with the 
Pacific Northwest National Laboratory, next door in the Tri-
Cities, can be used to help secure the energy infrastructure at 
critical national security facilities.
    Can you share more about this project with the committee 
and tell us how it is going?
    Ms. Evans. So that is a promising project that we are 
funding. This particular project, it is called CEDS. Everything 
has an acronym. So it is the strategic engagement between the 
Department of Defense and Department of Energy. But it also 
includes the Veterans Administration as well as the Coast 
Guard.
    And what it is really looking at is a different way to 
manage the network and network trafficking. And so that is the 
idea behind software-defined networks. And so it is divorcing 
it from, really, very static types of architecture to make it 
more dynamic so that you can then address, on an ongoing basis, 
the threats, and doing analytics, and then adjusting your 
configurations as it goes forward.
    So we--right now, there is a successful implementation that 
is happening in Virginia at Fort Belvoir. And PNNL is 
continuing to work to roll this out with our partners in 
multiple places, and I believe the next place is going to be 
Nevada.
    So, as that information comes in, we are using that to then 
invest in other efforts across the National Labs so that we can 
then add that into the overall solution that was brought up 
earlier.
    Mrs. Rodgers. It is crucial that information about 
vulnerabilities such as cyber attacks is shared between 
government entities and electric grid asset owners. I believe 
the creation of CESER was an important step, and I applaud the 
Department's commitment to engaging the public-private critical 
infrastructure community. But there is more work to be done, 
especially regarding engagement with critical infrastructure 
equipment manufacturers.
    Again to Assistant Secretary Evans, what steps has your 
office taken to include not just asset owners but also vendors 
such as the designers and manufacturers of critical 
infrastructure equipment like SEL in my district?
    Ms. Evans. Well, the initial piece--several of this is done 
through our research and development programs that we have that 
we fund where we are requesting that manufacturers and folks 
that produce hardware that are in the grid participate. So 
there were 11 projects that were recently funded that are 
actually looking at firmware down to the level of how these 
things are done, and then being able to say, ``OK, that is a 
more secure product, we have demonstrated that, and now we are 
going to go ahead and implement that and show that information 
out.'' So those are some of the short-term things that we are 
doing.
    The longer-term things are like our CyTRICS program, which 
is looking at bigger types of manufacturing activities and 
being able to share that information out. And the longer-term 
play that we have is the advanced manufacturing institute that 
is really going to look at how can we improve this in the long 
run on an ongoing basis to address that manufacturing up front 
and be able to share that information and then be able to take 
advantage of the innovation that we have.
    Mrs. Rodgers. Thank you.
    There is a growing concern about the presence of certain 
foreign manufactured components in various aspects of our 21st 
century infrastructure, whether in communications, 
telecommunications, or our electric grid.
    For the panel, what potential risk does the growing 
dependence on foreign manufactured components in our energy 
supply chain create? And how do we mitigate such potential risk 
while recognizing that it would be impossible to completely 
phase out all foreign-made equipment?
    Mr. Dodge. So, from a FERC perspective, approximately 2 
years ago we actually directed NERC to develop a standard to 
address supply chain risk. NERC filed the standard with us, and 
we approved it. It actually helps address some aspects of 
supply chain risk. We also directed NERC to go back and do 
additional work in this area and to look at the supply chain 
risk associated with electronic access control systems as well as 
physical access control systems, as well as look at the 
potential supply chain risk for low-impact cybersecurity 
assets.
    They have conducted a report on that, and they are in the 
process of following up on that. And I defer to Jim to add 
additional information on that.
    Mr. Robb. So Andy is right where this is an ongoing 
exploration of a very complicated topic. Our next step on this 
is that we will be issuing, later in August, what we call a 
1600 data request, which will go out to all the utilities that 
are in the NERC registry, and collect a lot more information on 
what suppliers, what equipment is actually out there. So we 
will have a better sense of the extended condition, which will 
then inform what the appropriate next steps might be in order 
to mitigate whatever threats might be out there.
    Mrs. Rodgers. OK. I look forward to seeing more of that. 
Thank you.
    And I will yield back my time.
    Mr. Rush. The gentlelady yields back.
    The Chair now recognizes the brilliant cosponsor of H.R. 
2062, Mr. Walberg of Michigan, for 5 minutes. Great State of 
Michigan. Upper Michigan, not lower Michigan.
    Mr. Walberg. Lower Michigan. Thank you, Mr. Chairman. And 
having been born and raised part of my life in your district as 
well, I appreciate serving with you and also drawing attention 
to the fact that we were successful in getting the $3 million 
amendment for CESER past the House, and that is the first step.
    Secretary Evans and the rest of the panel, thank you for 
being here. As I am sure you know, Chairman Rush and I, as he 
has just mentioned, have H.R. 362, the Energy Emergency 
Leadership Act, which would codify the functions assigned to 
your office as permanent Assistant Secretary.
    Can you briefly address for us today how you think such an 
authorization could improve CESER's ability to carry out its 
important mission in the long term?
    Ms. Evans. I think it--first, I appreciate the leadership 
that you are showing with that and the commitment to the office 
and the commitment to the administration.
    What it will do is ensure the ongoing establishment of the 
office. It will ensure continuity as it goes forward. That has 
already been done with the line item in the budget. That helps. 
And so this would be the conclusion to solidify what this 
Assistant Secretary position is intended to do to realize what 
you had envisioned with the FAST Act of 2015 as well.
    Mr. Walberg. I appreciate that.
    Secretary Evans, due to the fast-evolving nature of 
cybersecurity risks, security cannot be achieved through 
standards alone. Reliability and security depend on constant 
awareness and information sharing between utilities and the 
Government and coordination among the Government's efforts.
    As you know, the FAST Act that you mentioned codified DOE 
as the sector-specific agency for cybersecurity for the energy 
sector. This provision requires DOE to coordinate with the 
Department of Homeland Security and other relevant Federal 
agencies.
    Can you provide an evaluation of how your office and DOE 
have coordinated with other agencies?
    Ms. Evans. We take our responsibility very seriously as the 
sector-specific agency, and we lead those efforts in 
conjunction with the Department of Homeland Security. The 
Department of Homeland Security overall has responsibilities 
for all the sectors. We are just one of those sectors. We view 
we are critical to that effort, and we work in multiple ways 
jointly with the whole of government. I know everybody is 
talking about the whole-of-government approach, but that truly 
is the way that we need to do this.
    We are just one piece of the puzzle, and it has to be 
looked at across the board both within the intelligence 
community as well as the Department of Defense, Department of 
Transportation. All of this is interconnected. And we do lead 
that as the energy-specific agency, and it does work well.
    And so there are examples upon examples of where we can 
show that it is working well. And it is being mobilized right 
now as we are watching the hurricanes approach. And so I do 
believe that us as the lead, as the sector-specific agency, we 
are committed to doing that, and our partnership with our 
fellow agencies, it does work well.
    Mr. Walberg. Thank you.
    The FAST Act also amended the Federal Power Act by 
introducing a new tool of grid scale emergency declarations 
that could be provided by the President. If the executive 
branch were to ask or order a utility to take or not take 
certain actions with regard to the intrusion or vulnerability, 
there are concerns that utilities may face legal exposure by 
acting contrary to their first course of action.
    Has CESER or the Department considered the possibility and 
in such circumstances that are not grid scale emergencies? Are 
you aware of these concerns over this type of incentive 
structure creating ambiguity or strain?
    Ms. Evans. So that is one thing that we are working in 
partnership with our industry partners as well as State and 
local governments. Should the President declare a grid 
emergency, looking at the way that Department of Homeland 
Security is--through the National Risk Management Center is 
identifying risk, we--and then also the work that is going on 
through our Office of Electricity with the North American 
resiliency model, you can then start seeing what kind of risk 
there would be, based on the way the infrastructure is set out.
    We are working in conjunction with them to be able to 
highlight these issues through a policy process in the 
administration to make the determination should additional 
legislation or liability protections are needed, if and when 
that happens.
    Mr. Walden. Mr. Dodge, if I could, has FERC looked at this 
issue as well?
    Mr. Dodge. [Off mic.]
    Mr. Walden. OK. Thank you.
    I yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes Mr. Johnson for 5 minutes.
    Mr. Johnson. Thank you, Mr. Chairman. And thanks to our 
panel for being with us today.
    Ms. Evans, because DOE is the sector-specific agency for 
cybersecurity for the energy sector, the work your office does 
is so very important. And that importance will continue to 
increase as our dependency on technology grows.
    Last time you testified, we discussed DOE's role in the 
tri-sector working group, which, as I understand it, was 
organized to help us better identify and ideally safeguard some 
of the interdependencies of the critical functions of each 
sector of that group; that is, our electric utilities, our 
financial sector, and telecom industries.
    So last time we talked, this work was just beginning and 
discussions were underway on how to best direct that work. Can 
you please provide an update on how these conversations have 
been going and if this work is helping to better safeguard 
these critical industries?
    Ms. Evans. So I am happy to provide the update. The work is 
continuing. Obviously, there is an industry side of this. The 
industry group has identified and has fed into the process that 
DHS, when they release the national critical functions, that 
work of the tri-sector group, both the government as well as 
the industry side, fed into what are those national risk 
indicators.
    Based on that, now, the groups are going down, both on the 
government side as well as the industry side, looking at those 
interdependencies. And then, in essence, it is a risk register. 
And then looking at those interdependencies between those three 
sectors and then what can we do to mitigate the risk as we go 
forward.
    So the work is continuing. It is getting to a more granular 
level. But that is to be expected so that we can then inform 
how are we going to, then, deal with it as we go forward.
    Mr. Johnson. OK. All right. Well, I am an IT guy by--in my 
profession before I came to serve here in Congress. How can 
Congress be helpful with this work moving forward?
    Ms. Evans. What I believe is going to happen, and this is 
what we are going to have to look at going forward is, as you 
start seeing these interdependencies, especially as it relates 
to technology, we have covered some of the issues going forward 
is there probably will be help. There will be things that we 
will need to discuss with you that could say that maybe the 
legal framework in order to be able to share the information 
needs to be more robust. That is a path that we are exploring. 
We are looking at it from the government side. I know the 
industry side is looking at that as well.
    Mr. Johnson. OK. Shifting gears just a little bit. To the 
entire panel, looking at strengthening our workforce, I spent 
26 1/2 years in the Air Force doing large-scale IT projects. 
Many of them very secure programs. Lots of experience and 
skills among our military veterans that are getting out. So 
what are you doing--and I will give each panelist an 
opportunity to comment on this. What are you doing to 
incorporate cleared individuals such as military veterans in 
your cyber assignments or cyber workforce hiring initiatives?
    Ms. Evans, you want to go first?
    Ms. Evans. Oh, OK. Sure. As you said, sir, they have a 
series of skills that are readily transferable. We are doing 
targeted recruiting as we are going forward. We do partner with 
DOD. There are a series of programs that are out there that--
some of them have already been mentioned today--that allow for 
that transference to go back and forth.
    And so there are programs that the nonprofit sectors are 
also looking at so that military personnel know how their 
skills translate into civilian sector as well. I think a lot of 
times what I have seen in my experience is they don't 
necessarily know that it translates into this particular job----
    Mr. Johnson. Yes. It has been that way since 1999, when I 
retired. The amount of information going to our veterans and 
letting them know where their services might be useful has not 
gotten a lot better in almost 30 years. I hear you.
    Mr. Dodge.
    Mr. Dodge. Sure. Thank you for the question. So we received 
a similar question a little bit earlier today, and we responded 
to that. I am not an expert in the Federal Government, the 
human resource policies, but I can tell you that we have 
recently hired several recent veterans into our organization.
    Mr. Johnson. OK.
    Mr. Robb, quickly.
    Mr. Robb. Yes. I kind of have a similar answer as Andy. And 
I would say this transcends cyber. We found military veterans 
to be a great fit for our mission in a number of areas, and I 
would guess a material--I won't give you a number, but a 
material part of our workforce are ex-military.
    Mr. Johnson. OK. All right. Thank you.
    Mr. Chairman, I yield back.
    Mr. Rush. The gentleman yields back.
    The Chair now recognizes the gentleman from Texas, Mr. 
Veasey, for 5 minutes.
    Mr. Veasey. Thank you, Chairman Rush. Really appreciate you 
holding this hearing and the witnesses that have taken the time 
to come before the subcommittee to discuss ways we can improve 
the cybersecurity of our Nation's grid.
    It is clear that electrification of our world has brought 
many benefits, but we also face the risk of foreign actors that 
would like to disrupt that. They understand that it is a 
benefit and know how disruptive that it would be if they could 
cause any sort of havoc in that. Advancements in cybersecurity 
best practices will be helpful in reducing those risks, and we 
should continue to partner with industry in ensuring our 
defenses are strong.
    And my question today--and anybody on the panel can answer 
it--I think that it was referenced in testimony from Ms. Evans 
in particular that the assessment released earlier this year by 
the Office of the Director of National Intelligence details the 
capabilities of Russia and China to cause massive disruptions 
to our energy systems.
    And I was wondering if you could expand a little more on 
what a disruption to an electrical distribution network or a 
natural pipeline, gas pipeline would mean for those citizens 
and companies impacted. Can anybody touch on that?
    Mr. Dodge. Could you just repeat the very last portion of 
your question?
    Mr. Veasey. Yes. Just expanding a little more on what a 
disruption to an electrical distribution network or a natural 
gas pipeline would mean for citizens and those companies that 
would be impacted by that disruption.
    Mr. Dodge. OK. Sure. Thanks for the question. So we have 
not had a disruption up to this point. I want to point that out 
and make that very clear. We have actually improved the 
cybersecurity reporting standards that actually reports 
attempts as well as actual events.
    So, from an actual customer perspective, it likely could be 
an interruption, whether it is on an electric distribution 
system or a natural gas system, and it could be a disruption 
for some period of time. The period of time could vary quite a 
bit, and I don't really have additional insight to the answer 
to your question other than that.
    Mr. Veasey. Anyone else have any thoughts?
    Mr. Robb. So I would just make the observation that one of 
the key tenets of the NERC and FERC reliability regime is that, 
if an incident occurs, it quickly gets contained, right, so it 
doesn't cascade beyond kind of a local boundary to allow kind 
of, you know--the various parties that would be required to do 
restoration are working on a smaller problem rather than a 
large one.
    So the one thing I would say is that the highest likelihood 
in that area is that an electrical disruption would be 
contained to a fairly specific area and not cascade.
    The other point I would make--and, again, this will 
probably be a better comment coming from the gas industry--is a 
disruption on the natural gas system is really very, very 
complicated from a safety perspective because of the--just the 
nature of the fuel.
    Mr. Veasey. Right. Right. Exactly.
    Secretary Evans, you talked in your testimony about DOE's 
role on the National Security Council, and you mentioned the 
regular unclassified threat briefings that DOE provides to 
interagency and industry partners that go with the classified 
threat briefings to cleared members of the sector.
    Can you talk a little bit about the importance of working 
with industry to head off threats and specifically DOE's 
interactions with the three energy-focused information sharing 
and analysis centers?
    Ms. Evans. Yes, I am happy to discuss that. We do try to 
get the information declassified to the greatest extent 
possible so that it can be distributed through the information 
sharing and analysis centers that you mentioned. We hold 
regular meetings with those folks who manage that, the 
technical teams who manage the ISACs. And they come--those are 
handled at classified levels so that they can understand the 
context around the threat.
    But we also then work across with the energy sector and the 
associations and through the sector coordinating councils to do 
both classified and unclassified briefings, so that they can--
the more you can say in a classified environment is great, but 
you really want to be able to give them information that is 
actionable so that they can go back and talk to their entire 
company and what kind of actions they can take and what kind of 
risks they are posing.
    And so we work at multiple levels to make sure that we can 
get the best information in the hands of those who can then 
turn it into actionable information for their constituents.
    Mr. Veasey. Thank you very much.
    Mr. Chairman, I yield back.
    Mr. Rush. The gentleman yields back.
    And that concludes the witness questions. And I certainly 
want to thank all the witnesses for your participation in 
today's hearing.
    I remind Members that, pursuant to the committee rules, 
they have 10 business days to submit additional questions for 
the record to be answered by the witnesses who have appeared. 
And I will ask each witness to respond promptly to any such 
questions that you may receive.
    The Chair now requests unanimous consent to enter into the 
record the following documents: a letter from the Western 
Governors' Association, a letter from Protect Our Power, and a 
letter from the R Street Institute.
    Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Rush. And the subcommittee now stands adjourned.
    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]